Product Overview Guide




IBM Security Identity Manager Version 6.0 Product Overview Guide GC14-7692-01


Note: Before using this information and the product it supports, read the information in Notices on page 71.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2012, 2013. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of contents

Table list (v)
About this publication (vii)
    Access to publications and terminology (vii)
    Accessibility (viii)
    Technical training (viii)
    Support information (viii)
    Statement of Good Security Practices (ix)
Chapter 1. How to obtain software images (1)
Chapter 2. Hardware and software requirements (3)
    Hardware requirements (3)
    Operating system support (3)
    Virtualization support (4)
    Java Runtime Environment support (5)
    WebSphere Application Server support (5)
    Database server support (5)
    Directory server support (6)
    Directory Integrator support (7)
    Report server support (7)
        Prerequisites for IBM Cognos report server (8)
    Browser requirements for client connections (9)
    Adapter level support (9)
Chapter 3. What's new in this release (11)
    Account ownership type (11)
    Identity Service Center user interface (11)
    Shared access module (12)
    Role management (14)
        Extended role attributes (14)
        Role assignment attributes (14)
    Service management and provisioning (15)
        Service level form (16)
        Service connection mode (16)
        Service status and failure retry (17)
        Service tagging (17)
        Enhanced adapter testing (17)
    Account and access management (18)
        Multiple level access types (18)
        Account search in the self service console (18)
    Authentication with an external user registry configured with WebSphere (18)
    Vertical cluster support (19)
    Application programming interfaces (19)
        Web Services API (20)
        Extensions to the Recertification Policy API (20)
        Enhanced logging APIs for use in custom JavaScript (20)
    Report data synchronization enhancements (21)
    Health monitoring (22)
    IBM Cognos reporting framework (22)
Chapter 4. Known limitations, problems, and workarounds (23)
Chapter 5. Features overview (25)
    Access management (25)
    Shared access (26)
        Shared access documentation (27)
        Roadmap for configuring shared access for a managed resource (30)
    Support for corporate regulatory compliance (34)
    Identity governance (39)
    Triple user interface (40)
        Administrative console user interface (40)
        Self-care user interface (40)
        Identity Service Center user interface (41)
    Recertification (42)
    Reporting (42)
    Static and dynamic roles (43)
    Self-access management (43)
    Provisioning features (43)
    Resource provisioning (47)
        Request-based access to resources (47)
        Roles and access control (48)
        Hybrid provisioning model (48)
Chapter 6. Technical overview (49)
    Users, authorization, and resources (49)
    Main components (50)
    People overview (53)
        Users (53)
        Identities (53)
        Accounts (54)
        Access (54)
        Passwords (55)
    Resources overview (55)
        Services (56)
        Adapters (57)
        Adapter communication with managed resources (58)
    System security overview (58)
        Security model characteristics (59)
        Business requirements (59)
        Resource access from a user's perspective (59)
    Organization tree overview (62)
        Nodes in an organization tree (63)
        Entity types associated with a business unit (63)
        Entity searches of the organization tree (64)
    Policies overview (64)
    Workflow overview (66)
Chapter 7. Initial login and password information (69)
Notices (71)
Index (75)

Table list

1. Hardware requirements for IBM Security Identity Manager (3)
2. Operating system support (3)
3. Virtualization support (4)
4. Database server support (6)
5. Directory server support (6)
6. Supported versions of IBM Tivoli Directory Integrator (7)
7. Software requirements for IBM Cognos report server (8)
8. Prerequisites to run the UNIX and Linux adapter (10)
9. More information on role assignment attributes (15)
10. Shared access features (27)
11. Installation and upgrade (27)
12. System configuration (28)
13. Shared access administration (28)
14. Data references (29)
15. Shared access troubleshooting (29)
16. Shared access application programming interfaces (29)
17. Shared access for users (30)
18. Configuring managed resources that are supported by the IBM Security Identity Manager (33)
19. Defining roles and provisioning policies to grant ownership of sponsored accounts (33)
20. Adding credentials with a connection to an account to the vault (34)
21. Adding credentials without a connection to an account to the vault (34)
22. Configuring a shared access policy to grant access to the credentials (34)
23. Summary of reports (39)
24. Policy types and navigation (65)
25. Initial user ID and password for IBM Security Identity Manager (69)

About this publication

IBM Security Identity Manager Product Overview Guide provides the general information about IBM Security Identity Manager. It includes the information about:
- The product release, such as new or deprecated product features and functions
- The open standards, technologies, and architecture on which the product is based
- The user model and roles underlying the product features
- The graphical interfaces and tools provided to support various user roles

Access to publications and terminology

This section provides:
- A list of publications in the IBM Security Identity Manager library.
- Links to online publications.
- A link to the IBM Terminology website on page viii.

IBM Security Identity Manager library

The following documents are available in the IBM Security Identity Manager library:
- IBM Security Identity Manager Quick Start Guide, CF3L2ML
- IBM Security Identity Manager Product Overview Guide, GC14-7692-01
- IBM Security Identity Manager Scenarios Guide, SC14-7693-01
- IBM Security Identity Manager Planning Guide, GC14-7694-01
- IBM Security Identity Manager Installation Guide, GC14-7695-01
- IBM Security Identity Manager Configuration Guide, SC14-7696-01
- IBM Security Identity Manager Security Guide, SC14-7699-01
- IBM Security Identity Manager Administration Guide, SC14-7701-01
- IBM Security Identity Manager Troubleshooting Guide, GC14-7702-01
- IBM Security Identity Manager Error Message Reference, GC14-7393-01
- IBM Security Identity Manager Reference Guide, SC14-7394-01
- IBM Security Identity Manager Database and Directory Server Schema Reference, SC14-7395-01
- IBM Security Identity Manager Glossary, SC14-7397-01

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
The product documentation site displays the welcome page and navigation for the library: http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm

IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
The IBM Publications Center site http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. For additional information, see the topic "Accessibility features for IBM Security Identity Manager" in the IBM Security Identity Manager Reference Guide.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, see the IBM Security Identity Manager Installation Guide. Also see: http://www.ibm.com/software/support/isa.

Troubleshooting Guide
For more information about resolving problems, see the IBM Security Identity Manager Troubleshooting Guide.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. How to obtain software images

IBM Security Identity Manager installation files and fix packs can be obtained with the IBM Passport Advantage website, or from a DVD distribution. The Passport Advantage website provides packages, called eAssemblies, for IBM products. To obtain eAssemblies for IBM Security Identity Manager, follow the instructions in the IBM Security Identity Manager Download Document.

The IBM Security Identity Manager Installation Guide provides full instructions for installing IBM Security Identity Manager and the prerequisite middleware products. The procedure that is appropriate for your organization depends on the following conditions:
- Operating system used by IBM Security Identity Manager
- Language requirements for using the product
- Type of installation you need to do:

  eAssembly for the product and all prerequisites
  The IBM Security Identity Manager installation program enables you to install IBM Security Identity Manager, prerequisite products, and required fix packs as described in the IBM Security Identity Manager Installation Guide. Use this type of installation if your organization does not currently use one or more of the products required by IBM Security Identity Manager.

  eAssembly for a manual installation
  You can install IBM Security Identity Manager separately from the prerequisites, and you can install separately any of the prerequisite products that are not installed. In addition, you must verify that each prerequisite product is operating at the required fix or patch level.


Chapter 2. Hardware and software requirements

IBM Security Identity Manager has specific hardware requirements and supports specific versions of operating systems, middleware, and browsers. The topics in this section list the hardware requirements and the supported versions for each of the software products. The information lists the supported versions when the product release was released.

Note: Support for prerequisite software is continuously updated. To review the latest updates to this information, see the Software Product Compatibility Reports page at http://pic.dhe.ibm.com/infocenter/prodguid/v1r0/clarity/index.html.

Hardware requirements

IBM Security Identity Manager has these hardware requirements:

Table 1. Hardware requirements for IBM Security Identity Manager

System components                                  Minimum values*                                    Suggested values**
System memory (RAM)                                2 gigabytes                                        4 gigabytes
Processor speed                                    Single 2.0 gigahertz Intel or pSeries processor    Dual 3.2 gigahertz Intel or pSeries processors
Disk space for product and prerequisite products   20 gigabytes                                       25 gigabytes

* Minimum values: These values enable a basic use of IBM Security Identity Manager.
** Suggested values: You might need to use larger values that are appropriate for your production environment.

Operating system support

IBM Security Identity Manager supports multiple operating systems. The IBM Security Identity Manager installation program checks to ensure that specific operating systems and levels are present before it starts the installation process.

Table 2. Operating system support

Operating system                                    Platform                                Patch or maintenance level
AIX Version 6.1                                     System p                                None
AIX Version 7.1                                     System p                                None
Oracle Solaris 10                                   SPARC                                   None
Windows Server 2008 Standard Edition                x86-32, x86-64                          None
Windows Server 2008 Enterprise Edition              x86-32, x86-64                          None
Windows Server 2008 Release 2 Standard Edition      x86-64                                  None
Windows Server 2008 Release 2 Enterprise Edition    x86-64                                  None
Windows Server 2012 Standard Edition                x86-64                                  None
Red Hat Enterprise Linux 5.0                        x86-32, x86-64, System p, System z      For 5.0, Update 6 (see note)
Red Hat Enterprise Linux 6.0                        x86-32, x86-64, System p, System z      For 6.0, Update 5 (see note)
SUSE Linux Enterprise Server 10.0                   System p, System z, x86-32, x86-64      For 10, SP3
SUSE Linux Enterprise Server 11.0                   System p, System z, x86-32, x86-64      For 11, SP1

Note: For both Red Hat Enterprise Linux 5.0 and 6.0, Security Enhanced Linux must be disabled. See the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide.

Virtualization support

IBM Security Identity Manager supports virtualization environments. See Table 3 for a list of the virtualization products that IBM Security Identity Manager supports at the time of product release.

Table 3. Virtualization support

Product:
- IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1 and future fix packs
- IBM PowerVM Hypervisor (LPAR, DPAR, Micro-Partition), any supported version and future fix packs
- IBM PR/SM, any version, and future fix packs
- IBM z/VM Hypervisor 5.4 and any future fix packs
- IBM z/VM Hypervisor 6.1 and any future fix packs
- KVM in SUSE Linux Enterprise Server (SLES) 11
- Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs
- Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs
- Sun Solaris 10 Global/Local Zones (SPARC) 10 and future fix packs

Applicable operating systems (column entries in the order extracted): All supported operating system versions automatically applied; AIX; All supported operating system versions automatically applied; All supported operating system versions automatically applied; Linux; All supported operating system versions automatically applied; Linux, Windows; All supported operating system versions automatically applied; All supported operating system versions automatically applied
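As an added example that is not part of the IBM guide, the following POSIX shell script checks a Linux host against the Table 1 minimum and suggested values (2 and 4 gigabytes of RAM, 20 and 25 gigabytes of disk) and the Table 2 requirement that Security Enhanced Linux be disabled on Red Hat Enterprise Linux. The function names, the use of /proc/meminfo, df and getenforce as measurement sources, and the /opt install path default are this example's own assumptions; the processor check is left out because clock speed is not reliably readable from a script.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-installation check of the
# Table 1 RAM and disk thresholds and the Table 2 SELinux note for RHEL.
# Thresholds are the guide's values; helper names are this example's own.

MIN_RAM_GB=2
SUGGESTED_RAM_GB=4
MIN_DISK_GB=20
SUGGESTED_DISK_GB=25

# classify VALUE MIN SUGGESTED -> prints "fail", "minimum" or "suggested".
# An empty value (measurement unavailable) is treated as 0 and therefore fails.
classify() {
    value=${1:-0}
    if [ "$value" -lt "$2" ]; then
        echo fail
    elif [ "$value" -lt "$3" ]; then
        echo minimum
    else
        echo suggested
    fi
}

# Installed RAM in whole gigabytes from /proc/meminfo (kB); 0 if unreadable.
ram_gb() {
    total=$(awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }' /proc/meminfo 2>/dev/null)
    echo "${total:-0}"
}

# Free space in whole gigabytes on the file system holding DIR; 0 if unreadable.
disk_gb() {
    free=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }')
    echo "${free:-0}"
}

# SELinux mode as reported by getenforce, lower-cased; "disabled" when the
# tool is absent (hosts without SELinux, such as AIX, Solaris or Windows).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo disabled
    fi
}

# selinux_ok MODE -> succeeds only when the mode meets the RHEL requirement.
selinux_ok() {
    [ "$1" = disabled ]
}

# Print a summary for the install path DIR (default /opt; falls back to /).
report() {
    dir=${1:-/opt}
    [ -d "$dir" ] || dir=/
    ram=$(ram_gb)
    disk=$(disk_gb "$dir")
    mode=$(selinux_mode)
    echo "RAM:     ${ram} GB -> $(classify "$ram" "$MIN_RAM_GB" "$SUGGESTED_RAM_GB")"
    echo "Disk:    ${disk} GB free on ${dir} -> $(classify "$disk" "$MIN_DISK_GB" "$SUGGESTED_DISK_GB")"
    if selinux_ok "$mode"; then
        echo "SELinux: ${mode} (ok)"
    else
        echo "SELinux: ${mode} (must be disabled on Red Hat Enterprise Linux)"
    fi
}

report "$@"
```

Run it as `sh precheck.sh /opt/IBM` on the target host before starting the installation program; a "fail" line means the host is below the Table 1 minimum, "minimum" means it meets the basic-use value only, and an SELinux mode other than disabled on Red Hat Enterprise Linux must be corrected as described in the Installation Guide.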

Table 3. Virtualization support (continued)

Product:
- Sun/Oracle Logical Domains (LDoms) any version and future fix packs
- VMware ESXi 4.0 and future fix packs
- VMware ESXi 5.0 and future fix packs

Applicable operating systems (column entries in the order extracted): Solaris; All supported operating system versions automatically applied; All supported operating system versions automatically applied

Java Runtime Environment support

IBM Security Identity Manager requires the Java Runtime Environment (JRE). When a required version of the WebSphere Application Server is installed, the required version or a later version of the JRE is installed in the WAS_HOME/java directory. For information about the required versions of the WebSphere Application Server, see WebSphere Application Server support. Use of an independently installed development kit for Java, from IBM or other vendors, is not supported.

The Java Runtime Environment requirements for using a browser to create a client connection to the IBM Security Identity Manager server are different than the JRE requirements for running the WebSphere Application Server.

WebSphere Application Server support

IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Server environment. IBM Security Identity Manager requires one of the following versions of WebSphere Application Server:
- WebSphere Application Server, Version 8.5 with WebSphere Application Server V8.5 Fix Pack 2.
- WebSphere Application Server, Version 8.5, Network Deployment, with the Identity Service Center user interface. WebSphere Application Server V8.5 Fix Pack 2 is required for support of all platforms.
- WebSphere Application Server, Version 7.0, with the WebSphere Fix Pack 29.

WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Review the WebSphere website for WebSphere requirements for each operating system: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27012369

Database server support

IBM Security Identity Manager supports multiple database server products.

Note: The Identity Service Center and Cognos reporting do not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.

Table 4. Database server support

Database server: IBM DB2 Enterprise Version 9.5.0.3
Fix pack: Fix Pack 3
Notes: IBM DB2 Workgroup Edition is required for Linux 32 bit operating system.

Database server: IBM DB2 Enterprise Version 9.7.0.7
Fix pack: Fix Pack 7
Notes: IBM DB2 Workgroup Edition is required for Linux 32 bit operating system. Red Hat Linux 6.0 requires Fix Pack 4. Windows 2012 requires Fix Pack 7.

Database server: IBM DB2 Enterprise Version 10.1.0.2
Fix pack: Fix Pack 2
Notes: IBM DB2 Enterprise 10.1 is only supported on 64 bit operating systems. Using IBM DB2 10.1 with IBM Tivoli Directory Server 6.3 requires Fix Pack 21.

Database server: Oracle 10g Standard Edition and Enterprise Edition Release 2
Fix pack: none
Notes: The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.

Database server: Oracle 11g Standard and Enterprise Edition Release 2
Fix pack: none
Notes: The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.

Database server: Microsoft SQL Server Enterprise Edition 2008
Fix pack: none

Database server: Microsoft SQL Server Enterprise Edition 2008 Release 2
Fix pack: none

Directory server support

IBM Security Identity Manager supports multiple directory servers.

Table 5. Directory server support

Directory server: IBM Tivoli Directory Server, Version 6.2
Fix packs: Fix Pack 29
Notes: IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports.

Directory server: IBM Tivoli Directory Server, Version 6.3
Fix packs: Fix Pack 21
Notes: IBM Tivoli Directory Server, Version 6.3 Fix Pack 21 is required for IBM Tivoli Directory Server V6.3 to work with IBM DB2 10.1.

A fix pack can have requirements for a specific level of Global Security ToolKit (GSKit). For more information, see documentation that the directory server product provides. For example, access this website: http://www-947.ibm.com/support/entry/portal/documentation_expanded_list/software/security_systems/tivoli_directory_server

Table 5. Directory server support (continued)

Directory server: Sun Directory Server Enterprise Edition 6.3.1 and 7.0
Fix packs: none

Directory server: Oracle Directory Server Enterprise Edition 11.1.1
Fix packs: none

Notes (both entries): See Oracle documentation to verify operating system support.

Directory Integrator support

IBM Security Identity Manager supports IBM Tivoli Directory Integrator. You can optionally install IBM Tivoli Directory Integrator for use with IBM Security Identity Manager. IBM Tivoli Directory Integrator is used to enable communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide.

Table 6. Supported versions of IBM Tivoli Directory Integrator

Release                                           Fix pack
IBM Tivoli Directory Integrator, Version 7.1      Fix Pack 3
IBM Tivoli Directory Integrator, Version 7.1.1    Fix Pack 2

IBM Tivoli Directory Integrator supports each of the operating system versions that IBM Security Identity Manager supports.

Report server support

IBM Security Identity Manager supports IBM Tivoli Common Reporting Version 2.1.1.

Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. It is the best practice to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.

The following fix packs and interim fixes are required. Install the fixes in the following order:
1. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 2
2. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 5
3. IBM Tivoli Integrated Portal Fix Pack 2.2.0.7
4. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6

To obtain fixes:
- Download the latest fixes for IBM Tivoli Common Reporting Server from the Fix Central website at http://www.ibm.com/support/fixcentral/.
- Obtain and install the IBM Tivoli Integrated Portal Fix Pack 2.2.0.7 before you install IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6. For instructions for obtaining IBM Tivoli Integrated Portal Fix Pack 2.2.0.7, see the IBM developerWorks topic: Tivoli Common Reporting 2.1.1 Interim Fix 6.

Prerequisites for IBM Cognos report server

IBM Security Identity Manager supports IBM Cognos Business Intelligence Server version 10.2.1. You must install the software in the following table to work with IBM Security Identity Manager Cognos reports.

Table 7. Software requirements for IBM Cognos report server

Software: IBM Cognos Business Intelligence Server, version 10.2.1
For more information, see:
1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
2. Search for Business Intelligence Installation and Configuration Guide 10.2.1.
3. Search for the installation information and follow the procedure.

Software: Web server
For more information, see:
1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
3. Click the 10.2.1 tab.
4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
5. Search for the Web Servers section.

Software: Data sources
For more information, see:
1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
3. Click the 10.2.1 tab.
4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
5. Search for the Data Sources section.

Note: Optionally, you can install IBM Framework Manager, version 10.2.1 if you want to customize the reports or models.

Browser requirements for client connections IBM Security Identity Manager has browser requirements for client connections. IBM Security Identity Manager supports the following browser ersions: Microsoft Internet Explorer 9.0 Microsoft Internet Explorer 10.0 Mozilla Firefox 3.6 (supported on AIX only) Note: 1. Microsoft Internet Explorer 10.0 Metro mode is not supported. 2. Firefox 3.6 requires the Next-Generation Jaa plug-in, which is included in Jaa 6 Update 10 and newer ersion. 3. The Identity Serice Center user interface is not supported in Firefox 3.6. Mozilla Firefox 10 Extended Support Release (not supported on AIX) Note: The Identity Serice Center user interface is not supported in Firefox 10 Extended Support Release. Mozilla Firefox 17 Extended Support Release (not supported on AIX) Mozilla Firefox 24 Extended Support Release (not supported on AIX) IBM Security Identity Manager software distribution does not include the supported browsers. The IBM Security Identity Manager administratie user interface uses applets that require a Jaa plug-in that is proided by Sun Microsystems JRE Version 1.6 or higher. When the browser requests a page that contains an applet, it attempts to load the applet with the Jaa plug-in. If the required JRE is not present on the system, the browser prompts the user for the correct Jaa plug-in, or fails to complete the presentation of the items in the window. The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Jaa applet, regardless of JRE installation. You must enable cookies in the browser to establish a session with IBM Security Identity Manager. Do not start two or more separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with the data. Adapter leel support The IBM Security Identity Manager installation program always installs a number of adapter profiles. 
The installation program installs these profiles:
- AIX profile (UNIX and Linux adapter)
- Solaris profile (UNIX and Linux adapter)
- HP-UX profile (UNIX and Linux adapter)
- Linux profile (UNIX and Linux adapter)
- LDAP profiles (LDAP adapter)

The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and the IBM Security Identity Manager UNIX and Linux adapter. Newer versions of the adapters might be available as separate downloads. Install the latest versions before you use the adapters. You must take additional steps to install adapters if you choose not to install them during the IBM Security Identity Manager installation.

Chapter 2. Hardware and software requirements 9

The following table lists the UNIX and Linux systems and versions that are supported by the UNIX and Linux adapter.

Table 8. Prerequisites to run the UNIX and Linux adapter

Operating system | Version
AIX | AIX 6.1, AIX 7.1
HP-UX | HP-UX 11i v1, HP-UX 11i v1 trusted, HP-UX 11i v2, HP-UX 11i v2 trusted, HP-UX 11i v3, HP-UX 11i v3 trusted
Red Hat Linux | Red Hat Enterprise Linux Enterprise Server 6.0, Red Hat Enterprise Linux Enterprise Server 6.1, Red Hat Enterprise Linux Enterprise Server 6.2
Oracle Solaris | Oracle Solaris 10
SUSE Linux | SLES 10.0, SLES 11.0

The following directory server versions are supported by the LDAP adapter:
- IBM Tivoli Directory Server 6.1, IBM Tivoli Directory Server 6.2, IBM Tivoli Directory Server 6.3
- Sun Directory Server Enterprise Edition 6.3, Sun Directory Server Enterprise Edition 6.3.1

The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema. This schema supports communication between IBM Security Identity Manager and systems that run IBM Tivoli Directory Server or Sun Directory Server Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter.

Adapters are available at the following IBM Passport Advantage website: http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/passporthome

Installation and configuration guides for adapters can be found on the IBM Security Identity Manager product documentation website at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kchomepage.htm.


Chapter 3. What's new in this release

IBM Security Identity Manager Version 6.0 provides new infrastructure, processes, and controls to support privileged identity management. In addition, it provides enhanced support for operational role management and integration with other identity and access management solutions.

Note: The documentation updates in this library are added in the context of IBM Security Identity Manager, version 6.0.0, Fix Pack 2. The Identity Service Center, Cognos Reporting, and selected Shared Access features are available in your system only after you install the fix pack. See the following README files for installation, configuration, and removal details.
- ISIM6.0.0FP2_InstallAndConfig_README.pdf
- ISIM6.0.0FP2_UnInstallAndManualRemoval_README.pdf
- ISPIM1.0.1FP2_InstallandConfig_README.pdf

See the topics that follow for detailed descriptions of new features and function.

Account ownership type

New account ownership types separate personal accounts from custodial accounts. Accounts that represent a user identity for personal use are individual accounts. All other accounts are sponsored accounts. Examples of sponsored accounts include the root account on a UNIX system, application accounts, and device accounts. The owner of a sponsored account typically configures the account and completes maintenance tasks such as password reset. Password synchronization applies only to individual accounts. Account entitlements in a provisioning policy are specified differently for each account type.

The type of ownership affects the password management process and provisioning policy evaluation. For example, password synchronization synchronizes passwords only for accounts of ownership type "Individual". For provisioning policies, entitlement to a particular service can be based on the specific ownership type on the service. You can filter accounts by ownership type when doing account management tasks. You can specify the ownership type when completing account request and account adoption tasks. See "Ownership type management" in the IBM Security Identity Manager Configuration Guide.

Identity Service Center user interface

IBM Security Identity Manager introduces the Identity Service Center, a new user interface, which provides the capability for managers or individuals to request access for individuals.

Copyright IBM Corp. 2012, 2013 11

Note: The Identity Service Center does not support Microsoft SQL Server database. Use DB2 Universal Database or Oracle database instead.

Unified access catalog
The Identity Service Center user interface contains a unified access catalog that provides sets of tasks, each tailored for the needs of the default user types:
- System administrator
- Manager
- Employee
- Auditor

Enhanced user experience
The Identity Service Center gives you an enhanced user experience that is tailored to your business goals:
- Request access to applications
- View your requests

Modern, intuitive, and efficient user interface
You can model your business goals and user interface with a dedicated flow. The Identity Service Center has:
- Type-ahead search
- Guided tasks
- Usable layout
- Workflow and tasks that are applicable to your business goals
- Context-sensitive help

Customizable user interface
System administrators can easily customize the Identity Service Center user interface by copying and modifying the customizable files that are installed with IBM Security Identity Manager. They can also customize the new user interface by replacing the icons and graphics. See the Identity Service Center user interface customization section of the IBM Security Identity Manager Configuration Guide for details.

Shared access module

IBM Security Identity Manager provides a shared access module that extends the identity and access management governance capabilities by supporting privileged identity management. The shared access module is used by an IBM product called IBM Security Privileged Identity Manager. When you purchase IBM Security Privileged Identity Manager, you obtain a license to use the IBM Security Identity Manager shared access module. You can then install the optional shared access module component as part of the IBM Security Identity Manager installation.
The shared access module provides the following support for privileged identity management:
- Credential vault management for shared credentials, which can be connected or not connected to accounts.
- Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.
- Auditing of shared credential activity to monitor accountability and compliance.
- Single sign-on with automated check-in and checkout of shared IDs. Automation of checkout and check-in is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.
- Management of shared credentials that are not connected to accounts.
- Ability to connect credentials to an account so that the password can be changed at check-in; ability to disconnect credentials from an account.

The following items are deprecated:
- Adding credentials to the vault through Manage Users, Manage Services > Accounts, or Manage Groups > Manage Members. Instead, use Manage Shared Access > Manage Credential Vault.
- The #Credentials type identifier is deprecated and is provided for users with existing CSV files from a previous release. If you use this type identifier, read the column header descriptions because some of them have changed. It is suggested, however, that you use the #Credentials_2 type identifier instead of the #Credentials type identifier in your CSV files for shared access bulk load.
- The USE_GLOBAL_SETTINGS column header in the CSV file is changed to USE_DEFAULT_SETTINGS.

The following access control items (ACIs) are added:

Protection category | Name | Type | Principal
Credential | Default ACI for Credential: Grant All to Domain Admin | ercredential | Domain Admin
Credential Lease | Default ACI for Credential Lease: Grant All to Domain Admin | ercredentiallease | Domain Admin
Account | Default ACI for Account: Grant Connect to Domain Admin and Account Owner | eraccountitem | Domain Admin, Account Owner
Credential Service | Default ACI for Credential Service: Grant All to Domain Admin | ercvservice | Domain Admin
Person | Default ACI for Person: Grant Search and role assignment to Privileged Administrator Group | erpersonitem | Privileged Admin

The following ACIs are removed:

Protection category | Name | Type | Principal
Identity Manager User | Default ACI for ITIM User: Grant Delegate to Privileged Administrator Group | ersystemuser | Privileged Admin
Identity Manager User | Default ACI for ITIM User: Grant Add to Privileged Administrator Group | ersystemuser | Privileged Admin
Recertification Policy | Default ACI for Recertification Policy: Grant All to Privileged Administrator Group | errecertificationpolicy | Privileged Admin
Report | Default ACI for Pending Recertification Report: Grant Run to Privileged Administrator Group | Pending Recertification Report | Privileged Admin
Report | Default ACI for Recertification Policies Report: Grant Run to Privileged Administrator Group | Recertification Policies Report | Privileged Admin
Static Organizational Role | Default ACI for Role: Grant All to Privileged Administrator Group | errole | Privileged Admin

Chapter 3. What's new in this release 13

For more information, see:
- Shared access on page 26
- IBM Security Privileged Identity Manager product documentation website.

Role management

Role management now includes management of extended role attributes and role assignment attributes.

Extended role attributes
The IBM Security Identity Manager administrator can define, set, and modify extended role attributes when creating or modifying a role. These actions are achieved by using a new form template introduced in the form designer for role customization. Both static and dynamic roles support extended role attributes.

Note: Before you can use extended role attributes, you must first set the extended role attributes in LDAP by extending the role definition schema. After you add the extended role attributes in LDAP, use the form designer to customize and save form templates for roles in the IBM Security Identity Manager administrative console.

Role assignment attributes
The role administration component is enhanced to include the ability to define role assignment attributes, which are associated with the person-role relationship. Only static roles support assignment attributes. Only the string type and text widget of assignment attributes are supported. Optional role assignment attribute tasks include:
- Defining role assignment attributes when creating or modifying a static role.
- Associating a custom label with each assignment attribute.
- Specifying assignment attribute values when adding user members to the role.
- Specifying assignment attribute values for the existing user members of the role.
ACI capabilities for role assignment attributes
Both the default and new ACIs support attribute-level permissions for role assignment attributes, like other attributes in the role definition. You can now modify or create ACIs. You can set attribute-level permissions for granting or denying usage of these role assignment attributes within the role definition. Only authorized users can read or write assignment attributes. Additionally, you can:
- Set ACIs to read or write assignment attribute values when adding a user to the role.
- Set assignment attribute values for the existing user members.


ACI works the same way as it does for other entities. There is no ACI on specific role assignment attributes. The following attributes are available:
- erroleassignmentkey is on the role and dictates the permission to define role assignment attributes on the role and an attribute.
- erroleassignments is on the person and dictates the permission to assign values for the assignment attributes.
You cannot define an ACI on the assignment attribute that you defined on the role.

JavaScript capabilities for role assignment attributes
You can access these capabilities for role assignment attributes within the JavaScript interface:
- The role assignment attributes of the role schema.
- The role assignment attributes and their values for users in role membership.
New JavaScript APIs include:
- Person
- Role
- RoleAssignmentAttribute
- RoleAssignmentObject
For more information, see the reference pages in the IBM Security Identity Manager Reference Guide.

Role assignment attributes and the self-service console
For more information about adding or modifying role assignment attributes for a user profile in the self-service console, see the IBM Security Identity Manager Technotes.

Additional information
For more information on role assignment attributes, see the following topics:

Table 9. More information on role assignment attributes

Topic title | IBM Security Identity Manager documentation
Role assignment attributes | Administration Guide
Role assignment attribute tables | Database and Directory Server Schema Reference
Person, Role, RoleAssignmentAttribute, RoleAssignmentObject | Reference Guide

Service management and provisioning

Service management and provisioning now supports a new account form, an advanced connection mode, new service status information, and service tagging. See:
- Service level form on page 16
- Service connection mode
- Service status and failure retry on page 17
- Service tagging on page 17

Service level form

You can specify different account forms for each service instance of a particular service type. You can define an account form for a service in the console. For example, you can customize the form for the account type, such as Windows Local Account Form. This feature removes the restriction of needing to use the same form for every service instance of a particular type.

You can use your new form to request a new account or modify an existing account. You can also use your new form for provisioning policy parameters. If you have an account form customized for a service, and you select service-specific entitlements for that service in the provisioning policy, the specific widget for the attribute that you customized is displayed. You can also use the new form for repeated account creation or modification in the administration console or the self-service console. See "Customizing account form templates for a service instance" in the IBM Security Identity Manager Configuration Guide.

Service connection mode

This release introduces a new service form attribute for connection mode. Use this attribute to create a service that can function like either an automated or a manual service. You can now specify a service connection mode of manual or automated. The connection mode setting dictates the IBM Security Identity Manager behavior for account management, and minimizes the configuration required to transition between different connection modes to end points.

The new attribute for connection mode is erconnectionmode. This attribute enables you to create a service and to specify a manual account request route before installing the adapter for the managed resource. The advantage of using connection mode is that you do not need to create and later remove a manual service.
After installing the adapter, you can change the service so that the managed resource handles the account requests. Use the change service task to change the connection mode from manual to automatic. After you change the service type to automatic, it is the default setting for any services of that service type.

Connection mode is not supported on the ITIM service or on any type of identity feed service, hosted service, or manual service type. Do not add the erconnectionmode attribute to the forms for those service types.

See the following topics in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide:
- "Enabling connection mode"
- "Creating a service that has manual connection mode"
- "Changing connection mode from manual to automatic"

Service status and failure retry

The IBM Security Identity Manager administrative console is enhanced to display status information for each service, to search for services with a specific status, and to provide an option to retry blocked requests. The values in the service status reflect the ability of the IBM Security Identity Manager server to contact the managed resource for the service for provisioning actions. The user interface also allows searching for services with a specific status value. You can use the value to locate services that failed or are recovering from a failure.

This release provides a new action, Retry Blocked Requests, that you can use to immediately restart the blocked requests from the Manage Services panel. This action tests a service to see whether the problem is corrected. If the test is successful, it restarts any blocked requests for a failed service. For more information, see the topic "Service status" in the IBM Security Identity Manager Administration Guide.

Service tagging

You can define multiple tags for a service in the service form. You can use service tags to fine-tune provisioning policy entitlement for a service type. You can specify that entitlement is only applicable for services with matching tags.

On the administration console, you can trigger automated provisioning of new accounts and policy enforcement on all accounts of a service. Use the Manage Services console entry point, select Search, and then open the twistie for a service and click Enforce Policy. See the topic "Service tagging" in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide.

Enhanced adapter testing

Service management and provisioning now support enhanced adapter testing. Enhanced adapter testing provides more information and more status information about the adapter that is configured for the resource.
To start the adapter test, click Test Connection in the service form. Examples of the additional information are the adapter version, the adapter installation platform, and the profile version. Examples of the status information are the time stamp of the previous test and memory usage. For more information, see the Adapter documentation section in the IBM Security Identity Manager product documentation.

Account and access management

IBM Security Identity Manager extends account and access management to support multiple access levels, and to support account search in the self-service console. See:
- Multiple level access types
- Account search in the self-service console

Multiple level access types

IBM Security Identity Manager supports multiple levels of access types that simulate a hierarchical tree structure with a set of linked nodes. A hierarchy represents access levels. The access types are categorized in the form of parent-child access types. This structure aids in the administration of large deployments. An administrator can do these actions:
- Manage access types in a hierarchical tree structure.
- Search an access type by categories during an access request by using the tree structure.
- Specify an access type from any level to associate with a group or role.
- Translate organizational access types into system-defined access types in a hierarchical tree structure.
- Categorize multiple access types in an organization for a particular access category. For example, access to all financial applications can be categorized under Application > Finance.

A user can search, filter, or request access based upon the access types. See the topic Access type management in the IBM Security Identity Manager Configuration Guide, and the topic Creating an access type based on role in the IBM Security Identity Manager Administration Guide.

Account search in the self-service console

The account search function is now available in the self-service console. You can now search accounts when using the following features in the self-service console:
- Viewing or changing accounts
- Deleting accounts
- Changing passwords

You can base the account search on ownership type, account ID, service type (account profile), service (account type), or organizational container.
Authentication with an external user registry configured with WebSphere

The IBM Security Identity Manager authentication mechanism is integrated with the container-based security capabilities of WebSphere Application Server. IBM Security Identity Manager users can authenticate against a WebSphere Application Server user registry, and then be mapped to an IBM Security Identity Manager user. The login support includes:
- Forgotten password, with challenge response
- Password expiration
- Account suspension with maximum logon attempts

You can use an external user registry when doing an initial installation of IBM Security Identity Manager. Alternatively, you can install IBM Security Identity Manager with the custom registry, and then later reconfigure it to use an external user registry. Use of an external user registry requires configuration of the WebSphere security domain. IBM Security Identity Manager provides documentation of an example configuration of how to configure an external user registry. The example documentation is in the extensions directory in the product distribution.

If you want to use an external user registry during an initial installation of IBM Security Identity Manager, you must do configuration steps before the installation. If you want to configure an external user registry after the IBM Security Identity Manager installation, you must finish the installation with the default custom user registry and then manually configure the external user registry. For more information, see the topic "Using an external user registry for authentication" in the IBM Security Identity Manager Security Guide.

Vertical cluster support

You can now install IBM Security Identity Manager in a WebSphere deployment that uses vertical clusters. A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. You can now install IBM Security Identity Manager into both horizontal and vertical cluster topologies.
For more information, see the following topics in the IBM Security Identity Manager Installation Guide:
- "Clustered configuration"
- "Creating the WebSphere clusters for the IBM Security Identity Manager application"

Application programming interfaces

IBM Security Identity Manager supports additional application programming interfaces. New additions include the Web Services API, new APIs to manage recertification policies, and new logging APIs for use in JavaScript. See:
- Web Services API on page 20
- Extensions to the Recertification Policy API on page 20
- Enhanced logging APIs for use in custom JavaScript

Web Services API

The IBM Security Identity Manager Web Services wrappers provide a lightweight communication channel to the IBM Security Identity Manager server. You can use the Web Services API to add user functions into your custom-built applications. The Web Services client does not depend on installation of either IBM Security Identity Manager or WebSphere Application Server. For more information, see the topic "Web Services API" in the IBM Security Identity Manager Reference Guide.

Extensions to the Recertification Policy API

IBM Security Identity Manager uses recertification policies to automate the revalidation of entitlements granted to a user. The introduction of new APIs provides capabilities to search, add, modify, delete, and run recertification policies in IBM Security Identity Manager from a remote application. The recertification policy API consists of a set of Java classes. The classes abstract the more commonly used concepts of the recertification policies, such as recertification policy targets, participants, recertification action, and policy schedules. For more information, see:
- "Recertification Policy API" in the IBM Security Identity Manager Reference Guide
- "Recertification policies" in the IBM Security Identity Manager Administration Guide

Enhanced logging APIs for use in custom JavaScript

The introduction of enhanced logging APIs provides new methods for use in custom JavaScript extensions. The new methods provide the following increased flexibility in IBM Security Identity Manager:
- Ability to selectively log messages to the IBM Security Identity Manager trace log or message log.
- Ability to log messages at a specified severity, such as ERROR, WARN, or INFO for msg.log, and DEBUG_MIN, DEBUG_MID, or DEBUG_MAX for trace.log.
- Runtime configuration of which messages are written to the log file, by specifying the component logging level in the enrolelogging.properties file.
Before the IBM Security Identity Manager Version 6.0 release, the only logging option from JavaScript was to write to the msg.log at ERROR level. With the new logging APIs in Version 6.0, you can define custom logging or tracing messages at different logging levels. You can also control the statements that are logged through runtime configuration. Which log statements are written to the log or trace files is controlled by configuring the logging levels in the enrolelogging.properties file. The logging level configuration is the same as for the other IBM Security Identity Manager components. The component in the file is defined by the user in their log and trace methods. This configuration provides the following capabilities:
- Fine-grained control of custom-generated trace messages.
- Flexibility to indicate which custom JavaScript piece generated the log or trace message, by viewing the component and method in the resulting log record.

The new methods are on the Enrole JavaScript extension.

For writing to the msg.log:
- loginfo(String component, String method, String message)
- logwarn(String component, String method, String message)
- logerror(String component, String method, String message)

For writing to the trace.log:
- tracemax(String component, String method, String message)
- tracemid(String component, String method, String message)
- tracemin(String component, String method, String message)

For more information, see the following topics in the IBM Security Identity Manager Reference Guide:
- "Enrole"
- "enrolelogging.properties"

Report data synchronization enhancements

Report data synchronization was redesigned to improve performance, and a new utility provides remote data synchronization capability.

Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. The best practice is to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.

The report data synchronization enhancements are:
- Redesign to improve the performance of data synchronization of the following entity types:
  - Accounts
  - Authorization Owners
  - Groups
  - Organizational Containers
  - People
  - Roles
  - Services
  See the file ISIM_HOME/data/ReportDataSynchronization.properties for more details about the following properties:
  - accountsynchronizationstrategy
  - authorizationownersynchronizationstrategy
  - groupsynchronizationstrategy
  - organizationalcontainersynchronizationstrategy
  - personsynchronizationstrategy
  - rolesynchronizationstrategy
  - servicesynchronizationstrategy
- IBM Security Identity Manager report data synchronization utility: a self-contained utility that can be used to run the report data synchronization process outside of the IBM Security Identity Manager operational environment.

See the topic Data synchronization in the IBM Security Identity Manager Administration Guide.

Health monitoring

The IBM Security Identity Manager server is enhanced to provide deployment health monitoring features. These features include monitoring of the performance and availability of various requests in the key components. The provisioning and workflow components add instrumentation, which tracks events in the WebSphere Performance Monitoring Infrastructure (PMI) system. Additionally, the server includes new APIs to better integrate with monitoring products, such as IBM Tivoli Monitoring. For more information, see the topic "IBM Security Identity Manager deployment health monitoring" in the IBM Security Identity Manager Performance Tuning Guide.

IBM Cognos reporting framework

IBM Security Identity Manager version 6.0 provides the Cognos reporting framework to create and analyze reports. You can modify the schema and generate reports in different formats.

Note: Cognos reporting does not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.

The IBM Cognos reporting framework includes the following items:

Reporting model
  Represents the business view of IBM Security Identity Manager data. You can use the models to customize and generate different types of reports that suit your requirements.

Static reports
  Ready-to-use reports that are bundled with the IBM Security Identity Manager reporting packages.

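The Enrole logging methods listed in the "Enhanced logging APIs for use in custom JavaScript" section earlier in this chapter, in an added example that is not part of the IBM documentation or product: a small model of how a per-component level in enrolelogging.properties decides which loginfo/logwarn/logerror and tracemax/tracemid/tracemin calls reach msg.log and trace.log, with a custom script that calls all six. The property-key layout, the level ordering, and the stand-in Enrole object are assumptions; inside the product the server supplies the real Enrole.

```javascript
// Added example, not code from the IBM Security Identity Manager documentation
// or product. It models the msg.log / trace.log routing described in the
// "Enhanced logging APIs" section. Assumptions: the property-key layout
// 'logger.<msg|trace>[.<component>].level', the level ordering below, and the
// Enrole object, which is a constructed stand-in so the script runs offline.

// Severity ranks, least to most verbose. Assumed: a configured level admits
// every severity whose rank is less than or equal to its own.
const MSG_RANK = { ERROR: 0, WARN: 1, INFO: 2 };
const TRACE_RANK = { DEBUG_MIN: 0, DEBUG_MID: 1, DEBUG_MAX: 2 };

// Parse Java-style .properties text: key=value per line, '#' comments ignored.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Resolve the level for a component by walking its dotted name upward
// (com.example.custom, then com.example, then com) before falling back to
// the global logger.<kind>.level key.
function levelFor(props, kind, component) {
  const parts = component.split('.');
  for (let i = parts.length; i > 0; i--) {
    const key = 'logger.' + kind + '.' + parts.slice(0, i).join('.') + '.level';
    if (props[key] !== undefined) return props[key];
  }
  return props['logger.' + kind + '.level'];
}

// Build the stand-in Enrole object. Each method returns true when the entry
// was written and false when the configured level filtered it out.
function makeEnrole(propsText) {
  const props = parseProperties(propsText);
  const msgLog = [], traceLog = [];
  function write(kind, rank, level, component, method, message) {
    const allowed = rank[levelFor(props, kind, component)];
    if (allowed === undefined || rank[level] > allowed) return false;
    (kind === 'msg' ? msgLog : traceLog).push({ level, component, method, message });
    return true;
  }
  return {
    msgLog, traceLog,
    loginfo: (c, m, s) => write('msg', MSG_RANK, 'INFO', c, m, s),
    logwarn: (c, m, s) => write('msg', MSG_RANK, 'WARN', c, m, s),
    logerror: (c, m, s) => write('msg', MSG_RANK, 'ERROR', c, m, s),
    tracemax: (c, m, s) => write('trace', TRACE_RANK, 'DEBUG_MAX', c, m, s),
    tracemid: (c, m, s) => write('trace', TRACE_RANK, 'DEBUG_MID', c, m, s),
    tracemin: (c, m, s) => write('trace', TRACE_RANK, 'DEBUG_MIN', c, m, s),
  };
}

// Constructed enrolelogging.properties fragment (not the shipped file): INFO
// globally for msg.log but WARN for the custom component; DEBUG_MIN globally
// for trace.log but DEBUG_MID for the custom component.
const SAMPLE_PROPERTIES = `
# constructed sample
logger.msg.level=INFO
logger.msg.com.example.custom.level=WARN
logger.trace.level=DEBUG_MIN
logger.trace.com.example.custom.level=DEBUG_MID
`;

// COMPONENT is the user-chosen name that the property keys above refer to.
const COMPONENT = 'com.example.custom';

// A custom extension script in the style the section describes: it checks a
// (constructed) account object and logs each finding at a fitting severity.
function auditAccount(Enrole, account) {
  const method = 'auditAccount';
  Enrole.tracemin(COMPONENT, method, 'entry for ' + account.eruid);
  Enrole.tracemax(COMPONENT, method, 'account detail: ' + JSON.stringify(account));
  const findings = [];
  if (account.ownershipType !== 'Individual') {
    // Sponsored accounts (root, application, device) are not password-synchronized.
    Enrole.loginfo(COMPONENT, method, account.eruid + ' is a sponsored account');
    findings.push('sponsored');
  }
  if (!account.owner) {
    Enrole.logwarn(COMPONENT, method, account.eruid + ' has no owner (orphaned)');
    findings.push('orphaned');
  }
  if (account.status === 'failed') {
    Enrole.logerror(COMPONENT, method, 'service for ' + account.eruid + ' reports failure');
    findings.push('failed');
  }
  Enrole.tracemid(COMPONENT, method, 'findings: ' + findings.join(','));
  return findings;
}

// Stand-alone run over one constructed account; returns what reached each log.
function runSample() {
  const Enrole = makeEnrole(SAMPLE_PROPERTIES);
  const findings = auditAccount(Enrole,
    { eruid: 'root', ownershipType: 'Device', owner: null, status: 'failed' });
  return { findings, msgLog: Enrole.msgLog, traceLog: Enrole.traceLog };
}
```

With the sample properties, the INFO message and the DEBUG_MAX trace for com.example.custom are filtered out while WARN, ERROR, DEBUG_MIN and DEBUG_MID are written; a component with no key of its own falls back to the global level.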

Chapter 4. Known limitations, problems, and workarounds

You can view the known software limitations, problems, and workarounds on the IBM Security Identity Manager Support site. The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience.

The following link launches a customized query of the live Support knowledge base for items specific to version 6.0: IBM Security Identity Manager Version 6.0 technical notes

To create your own query, go to the Advanced search page on the IBM Software Support website.


Chapter 5. Features overview

IBM Security Identity Manager delivers simplified identity management capabilities in a solution that is easy to install, deploy, and manage. IBM Security Identity Manager provides essential password management, user provisioning, and auditing capabilities.

Access management

In a security lifecycle, IBM Security Identity Manager and several other products provide access management. You can determine who can enter your protected systems. You can also determine what they can access, and ensure that users access only what they need for their business tasks.

Access management addresses three questions from the business point of view:
- Who can come into my systems?
- What can they do?
- Can I easily prove what they did with that access?

These products validate the authenticity of all users with access to resources, and ensure that access controls are in place and consistently enforced:

IBM Security Identity Manager
Provides a secure, automated, and policy-based user management solution that helps effectively manage user identities throughout their lifecycle across both legacy and e-business environments. IBM Security Identity Manager provides centralized user access to disparate resources in an organization, with policies and features that streamline operations associated with user-resource access. As a result, your organization realizes numerous benefits, including:
- Web self-service and password reset and synchronization; users can self-administer their passwords with the rules of a password management policy to control access to multiple applications. Password synchronization enables a user to use one password for all accounts that IBM Security Identity Manager manages.
    - Quick response to audits and regulatory mandates
    - Automation of business processes related to changes in user identities by providing lifecycle management
    - Centralized control and local autonomy
    - Enhanced integration with the use of extensive APIs
    - Choices to manage target systems either with an agent or agentless approach
    - Reduced help desk costs
    - Increased access security through the reduction of orphaned accounts
    - Reduced administrative costs through the provisioning of users with software automation
    - Reduced costs and delays associated with approving resource access to new and changed users

IBM Security Access Manager
    Enables your organization to use centralized security policies for specified user groups to manage access authorization throughout the network, including the vulnerable, internet-facing web servers. IBM Security Access Manager can be tightly coupled with IBM Security Identity Manager to reconcile user groups and accounts managed by IBM Security Access Manager with the identities managed by IBM Security Identity Manager to provide an integrated solution for resource access control. IBM Security Access Manager delivers:

    - Unified authentication and authorization access to diverse web-based applications within the entire enterprise
    - Flexible single sign-on to web, Microsoft, telnet and mainframe application environments
    - Rapid and scalable deployment of web applications, with standards-based support for Java Platform, Enterprise Edition (Java EE) applications
    - Design flexibility through a highly scalable proxy architecture and easy-to-install web server plug-ins, rule- and role-based access control, support for leading user registries and platforms, and advanced APIs for customized security

IBM Security Federated Identity Manager
    Handles all the configuration information for a federation across organizational boundaries, including the partner relationships, identity mapping, and identity token management. IBM Security Federated Identity Manager enables your organization to share services with business partner organizations and obtain trusted information about third-party identities such as customers, suppliers, and client employees. You can obtain user information without creating, enrolling, or managing identity accounts with the organizations that provide access to services that are used by your organization. So, users are spared from registering at a partner site, and from remembering additional logins and passwords. The result is improved integration and communication between your organization and your suppliers, business partners, and customers.
For more information about how access management products fit in larger solutions for a security lifecycle, see the IBM Security Management website: http://www.ibm.com/software/tivoli/solutions/security/

IBM Redbooks and Redpapers also describe implementing IBM Security Identity Manager within a portfolio of IBM security products.

Shared access

IBM Security Identity Manager supports shared access by providing a shared access module. Installation and use of the shared access module is required for the IBM privileged identity management solution.

The shared access module is licensed as part of the IBM Security Privileged Identity Manager product. When you purchase IBM Security Privileged Identity Manager, you obtain a license that enables you to use the IBM Security Identity Manager shared access module.

The shared access module extends the IBM Security Identity Manager support for account provisioning, and also extends the identity and governance framework.

Highlights:

- Credential vault management for shared credentials, which can be connected or not connected to accounts.

- Shared access uses secure check in, check out, and logging of credentials from a credential vault server.
- Administrative control of shared credential access ensures individual accountability.
- Java APIs and Web Services APIs make it possible for application clients to programmatically access shared credentials.
- There is role-based access control for shared credential access and shared account ownership.
- Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.
- There is end-to-end auditing for administration and shared credential access activities.
- There are web applications for shared credential administration and manual check out and checkin. Automation of checkout and checkin is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.

Shared access documentation

The shared access documentation includes topics that describe installation, configuration, administration, and troubleshooting of the shared access module. The documentation also describes shared access programming APIs, database schema, directory server schema, and user scenarios.

Features

Table 10. Shared access features (Description; Link to documentation)

  Shared access module features
      "Shared access" on page 26
  Roadmap for deploying shared access for a managed resource
      "Roadmap for configuring shared access for a managed resource" on page 30
  Privileged administrator view and default access control items
      See the topic "Scope of the privileged administrator group" in the IBM Security Identity Manager Planning Guide
  Privileged user view and default access control items
      See the topic "Scope of the privileged user group" in the IBM Security Identity Manager Planning Guide

Installation and upgrade

Table 11. Installation and upgrade (Description; Link to documentation)

  Installation of the shared access module
      See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide
  Addition of the shared access module during an upgrade on a WebSphere single server
      See the topic "Configuring the shared access module during upgrade on a WebSphere single server" in the IBM Security Identity Manager Installation Guide
  Addition of the shared access module during an upgrade on a WebSphere cluster
      See the topic "Configuring the shared access module during upgrade on a WebSphere cluster" in the IBM Security Identity Manager Installation Guide

Table 11. Installation and upgrade (continued)

  Update of the shared access module after reconfiguration of a database or directory server
      See the topic "Reconfiguring the shared access module" in the IBM Security Identity Manager Installation Guide

System configuration

Table 12. System configuration (Description; Link to documentation)

  Shared access configuration, including configuration of an external credential vault server
      See the topic "Shared access configuration" in the IBM Security Identity Manager Configuration Guide
  Advanced shared access configuration, including customization of operations
      See the topic "Shared access advanced configuration" in the IBM Security Identity Manager Configuration Guide

Administration

Table 13. Shared access administration (Description; Link to documentation)

  Shared access administration:
  - Managing the credential vault. Includes adding, modifying, connecting, disconnecting, removing, and checking in credentials. Also covers registering credential passwords, and viewing password history.
  - Creating, modifying, and deleting credential pools.
  - Creating, modifying, and deleting shared access policies.
  - Shared access bulk load.
      See the topic "Shared access administration" in the IBM Security Identity Manager Administration Guide
  Default access control items for Shared Access Module
      See the topic "Default access control items" in the IBM Security Identity Manager Administration Guide
  Reporting: shared access objects you can use to customize reports. Examples:
  - Creating a custom report to view all shared access credentials checked out
  - Creating a check in audit report
  - Creating a role and shared access entitlement report
      See the topic "Shared Access objects for custom reports" in the IBM Security Identity Manager Administration Guide
  Shared access IBM Cognos reporting framework reports
      See the topics "Shared access history report", "Shared access entitlement by owner", and "Shared access entitlement by role" in the IBM Security Identity Manager Administration Guide

Data references

Table 14. Data references (Description; Link to documentation)

  Shared access database tables reference
      See "Shared access tables" in the "Database tables reference" section of the IBM Security Identity Manager Database and Directory Server Schema Reference
  Shared access classes for IBM Tivoli Directory Server schema and class reference
      See "Shared access classes" in the "IBM Tivoli Directory Server schema and class reference" section of the IBM Security Identity Manager Database and Directory Server Schema Reference
  Auditing schema for shared access policy management
      In the "Auditing schema tables" section of the IBM Security Identity Manager Database and Directory Server Schema Reference, see "Shared Access Policy Management", "Credential Lease management", "Credential pool management", and "Credential management"

Troubleshooting

Table 15. Shared access troubleshooting (Description; Link to documentation)

  Troubleshooting:
  - Shared access configuration must be updated when LDAP schema or database tables are updated.
  - Requests to add credentials to the credential vault can fail because of incorrectly configured properties files.
  - Incorrect configuration of credential attributes can prevent users from accessing the shared credential.
      See the topic "Troubleshooting Shared Access Module problems" in the IBM Security Identity Manager Troubleshooting Guide

Application programming interfaces

Table 16. Shared access application programming interfaces (Description; Link to documentation)

  Shared Access Application APIs
      See "Shared Access Application APIs" in the IBM Security Identity Manager Reference Guide
  Shared Access Web Services APIs
      See "Shared Access Web Services APIs" in the IBM Security Identity Manager Reference Guide
  Shared Access Authorization Extension APIs
      See "Shared Access Authorization Extension APIs" in the IBM Security Identity Manager Reference Guide
  Shared Access JavaScript APIs
      See "CredentialModelExtension" in the IBM Security Identity Manager Reference Guide

User scenarios for shared access

Table 17. Shared access for users (Description; Link to documentation)

  User scenario for checking out a credential or credential pool
      See "Checking out a credential or a credential pool" in the IBM Security Identity Manager Scenarios Guide
  User scenario for viewing the password of a shared credential
      See "Viewing the password for a shared credential" in the IBM Security Identity Manager Scenarios Guide
  Privileged user view and default access control items
      See "Scope of the privileged user group" in the IBM Security Identity Manager Scenarios Guide

Roadmap for configuring shared access for a managed resource

This roadmap provides high-level steps for configuring shared access for a new managed resource in IBM Security Privileged Identity Manager.

The IBM Security Privileged Identity Manager product solution includes the IBM Security Identity Manager shared access capability that is provided by the shared access module. IBM Security Privileged Identity Manager also includes the IBM Security Access Manager for Enterprise Single Sign-on support for automated checkout and checkin of shared credentials. This roadmap describes how to configure shared access in a deployment that also supports automated checkout and checkin of shared credentials.

Prerequisites

  Requirement: Install the Shared Access Module on the IBM Security Identity Manager server.
      Installation instructions: See the topic "Shared access module configuration" in the IBM Security Identity Manager Installation Guide.
  Requirement: Install the AccessAgent component on client computers that require credential check-in and check-out automation.
      Installation instructions: See the IBM Security Privileged Identity Manager Deployment Guide in the IBM Security Privileged Identity Manager product documentation website.

Flowchart for configuring shared access for a managed resource

Figure 1. Flowchart for configuring shared access for a managed resource. The flowchart shows the following sequence:

1. Ensure that all prerequisites are met.
2. Perform these steps when a new service type or application is required:
   - Import or configure service types in IBM Security Identity Manager for the managed resource.
   - Import or configure the application for IBM Security Access Manager for Enterprise Single Sign-on.
3. Configure the managed resource that is supported by IBM Security Identity Manager:
   - Install and configure the adapter for the managed resource (does not apply to agentless adapters).
   - Create the service instance for the managed resource.
   - Set the service unique identifier.
4. Is password reset required on credential checkin for the managed resource?
   - Yes: Define roles and provisioning policies to grant ownership of sponsored accounts:
       - Reconcile groups and accounts.
       - Define roles and provisioning policies to grant ownership of sponsored accounts.
       - Identify or create groups for privileged access to managed resources.
       - Provision or adopt privileged accounts to authorized owners.
     Then add credentials with a connection to an account to the vault:
       - Add credentials from accounts.
       - Add the credential pool from the service group.
   - No: Add credentials without a connection to an account to the vault.
5. Configure Shared Access Policy to grant access to the credentials or credentials in the pool:
   - Define roles for the group of users who can access the credentials or credentials in the pool.
   - Define Shared Access Policy to allow role members to access credentials or credentials in the pool.

Note: Only the credentials with the connection to the account can be in the credential pool.

Import or configure service types in IBM Security Identity Manager for the managed resource

Note: This process is needed only when you want the password to be reset when the credential for the managed resource is checked in.

For each resource type, you must configure the profile information in IBM Security Identity Manager either by importing the service type or by creating the service type for a manual service.

For information about importing service types, see Importing service types in the Configuration Guide in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.

For information about creating manual service types, see Creating service types in the Configuration Guide in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.

Import or configure the application for IBM Security Access Manager for Enterprise Single Sign-on

Perform these steps for each application that is supported in IBM Security Access Manager for Enterprise Single Sign-on.

  Step: Prepare the privileged identity policies and AccessProfiles on the IMS Server.
      See "Preparing privileged identity policies and AccessProfiles on the IMS Server" in the IBM Security Privileged Identity Manager Deployment Guide in the IBM Security Privileged Identity Manager product documentation website.

Is password reset required on credential checkin for the managed resource?

You can add a credential with or without a connection to an account. If the credential is connected to an account, you can optionally configure the credential so that the password can be changed when you check in the credential. The passwords for both the credential and the account are changed at checkin if this option is enabled.

  Is password reset required on credential checkin for the managed resource?
    Yes: You must add the credential with a connection to an account.
    No:  You can add the credential without a connection to an account.
Configure the managed resource that is supported by IBM Security Identity Manager

Note: You must follow these steps every time there is a new managed resource on your system.

Table 18. Configuring managed resources that are supported by the IBM Security Identity Manager (Steps; See)

  Step: Install and configure the IBM Security Identity Manager adapter for the managed resource.
  Note: This step does not apply to agentless adapters.
      See: Adapter documentation in the IBM Security Identity Manager product documentation website at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm
  Step: Create the IBM Security Identity Manager service instance for the managed resource.
      See: Creating services in the Administration Guide
  Step: Set the service unique identifier in the managed resource service definition in IBM Security Identity Manager (using the administrative console) with the unique identifier that you use to connect to the managed resource on the AccessAgent. For example, the unique identifier might be an IP address or host name of the server.
      See: Setting the service unique identifier in the Administration Guide

Define roles and provisioning policies to grant ownership of sponsored accounts

Perform these tasks in IBM Security Identity Manager.

Table 19. Defining roles and provisioning policies to grant ownership of sponsored accounts (Steps; See the following topics in the Administration Guide)

  Step: Reconcile groups and accounts.
      See: Managing reconciliation schedules
  Step: Define roles and provisioning policies to grant ownership of sponsored accounts.
      See: Creating a provisioning policy; Creating roles; Specifying owners of a role
  Step: Identify or create groups for privileged access to managed resources.
      See: Creating groups; Defining access on a group
  Step: Provision or adopt privileged accounts to authorized owners. The account that is used for shared access must be a sponsored account. The ownership type for the account can be anything other than Individual.
      See: If an account does not exist on the service, see Requesting accounts on a service. If an account exists on the service, see Assigning an account to a user.
For general information about sponsored accounts, see Managing accounts.

Add credentials with a connection to an account to the vault

If you want the password on the credential and on the managed resource to be changed when you check in the credential, you must add the credential from the account. To add credentials with a connection to an account, you must either add the credential from an account or create a credential pool from the service group.

Table 20. Adding credentials with a connection to an account to the vault (Step; See the following topics in the Administration Guide)

  Step: Add credentials from accounts
      See: Adding credentials that are connected to an account through Manage Credential Vault
  Step: Add the credential pool from the service group
      See: Creating credential pools

Add credentials without a connection to an account to the vault

If you do not want the password on the credential and on the managed resource to be changed when you check in the credential, you can add the credential without a connection to an account.

Table 21. Adding credentials without a connection to an account to the vault (Step; See the following topics in the Administration Guide)

  Step: Add credentials that are not connected to accounts
      See: Adding credentials that are not connected to an account through Manage Credential Vault

Configure a shared access policy to grant access to the credentials or credentials in the pool

After you add the credentials or credential pool, you must configure the shared access policy to allow users to check out or check in the credentials or credential pools.

Note: Only credentials with a connection to an account can be in the credential pool.

Table 22. Configuring a shared access policy to grant access to the credentials (Steps; See the following topics in the Administration Guide)

  Step: Define roles for the group of users who can access the credentials or credentials in the pool.
      See: Creating roles
  Step: Define a shared access policy to allow role members to access credentials or credentials in the pool.
      See: Creating shared access policies

Support for corporate regulatory compliance

IBM Security Identity Manager provides support for corporate regulatory compliance.

Compliance areas

IBM Security Identity Manager addresses corporate regulatory compliance in the following key areas:

- Provisioning and the approval workflow process

- Audit trail tracking
- Enhanced compliance status
- Password policy and password compliance
- Account and access provisioning authorization and enforcement
- Recertification policy and process
- Reports

Provisioning and the approval workflow process

IBM Security Identity Manager provides support for provisioning, for user accounts and for access to various resources. Implemented within a suite of security products, IBM Security Identity Manager plays a key role to ensure that resources are provisioned only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and grants authorized users access to information and associated assets.

IBM Security Identity Manager provides an integrated software solution for managing the provisioning of services, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its provisioning features to control the setup and maintenance of user access to systems and account creation on a managed resource.

At its highest level, an identity management solution automates and centralizes the process of provisioning resources. The solution includes operating systems and applications, and people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures. However, the organization tree used for provisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations.
The approval process can be associated with different types of provisioning requests, including account and access provisioning requests. Lifecycle operations can also be customized to incorporate the approval process.

Models for provisioning

Depending on business needs, IBM Security Identity Manager provides alternatives to provision resources to authorized users on request-based, role-based, or hybrid models.

Approval workflows

Account and access request workflows are started during account and access provisioning. You typically use account and access request workflows to define approval workflows for account and access provisioning.

Account request workflows provide a decision-based process to determine whether the entitlement provided by a provisioning policy is granted. The entitlement provided by a provisioning policy specifies the account request workflow that applies to the set of users in the provisioning policy membership. Multiple provisioning policies might apply to the same user for the same service target.

There might also be different account request workflows in each provisioning policy. The account request workflow for the user is based on the priority of the provisioning policy.

If a provisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account. However, if a provisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of Approved, the policy grants the entitlement. If the workflow has a result of Rejected, the entitlement is not granted. For example, a workflow might require a manager's approval. Until the approval is submitted and the workflow completes, the account is not provisioned.

When you design a workflow, consider the intent of the provisioning policy and the purpose of the entitlement itself.

Tracking

IBM Security Identity Manager provides audit trail information about how and why a user has access.

On a request basis, IBM Security Identity Manager provides a process to grant, modify, and remove access to resources throughout a business. The process provides an effective audit trail with automated reports. The steps involved in the process, including approval and provisioning of accounts, are logged in the request audit trail. Corresponding audit events are generated in the database for audit reports. User and account lifecycle management events, including account and access changes, recertification, and compliance violation alerts, are also logged in the audit trail.

Enhanced compliance status

IBM Security Identity Manager provides enhanced compliance status on items such as dormant and orphan accounts, provisioning policy compliance status, recertification status, and various reports.

Dormant accounts
    You can view a list of dormant accounts with the Reports feature. IBM Security Identity Manager includes a dormant account attribute to service types that you can use to find and manage unused accounts on services.

Orphan accounts
    Accounts on the managed resource whose owner in the Security Identity Manager Server cannot be determined are orphan accounts. These accounts are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account.

Provisioning policy compliance status
    The compliance status based on the specification of provisioning policy is available for accounts and access. An account can be either compliant, non-compliant with attribute value violations, or disallowed. An access is either compliant or disallowed.

Recertification status
    The recertification status is available for user, account, and access target types, which indicates whether the target type is certified, rejected, or never certified. The timestamp of the recertification is also available.

Password policy and password compliance

Use IBM Security Identity Manager to create and manage password policies. A password policy defines the password strength rules that are used to determine whether a new password is valid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be five. The rule might specify that the maximum number of characters must be 10.
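The orphan and dormant account checks that the "Enhanced compliance status" passage above describes, reduced to one runnable reconciliation pass. This is an added illustration, not IBM Security Identity Manager product code and not its adoption-rule or reconciliation API: the people and account records, the adoption rule (an account belongs to the single person whose uid equals the account name) and the 90-day dormancy threshold are all constructed for the example.

```javascript
// Added example, not IBM Security Identity Manager code. Models one
// reconciliation pass: every account read from a managed resource is run
// through an adoption rule; accounts with no determinable owner are orphans,
// and accounts never used, or unused for longer than a threshold, are dormant.

// Constructed sample: people known to the identity server.
const PEOPLE = [
  { uid: "jdoe",   employeeNumber: "1001" },
  { uid: "asmith", employeeNumber: "1002" },
];

// Constructed sample: accounts returned by reconciling the managed resource.
// lastLogin is an ISO date string, or null if the account was never used.
const ACCOUNTS = [
  { name: "jdoe",    lastLogin: "2013-05-20" },
  { name: "asmith",  lastLogin: "2012-11-02" },
  { name: "svc_bak", lastLogin: null },
  { name: "tmp99",   lastLogin: "2013-06-01" },
];

// Threshold (constructed for the example) after which an account is dormant.
const DORMANT_AFTER_DAYS = 90;

// Adoption rule (assumed for the example): an account belongs to the one
// person whose uid equals the account name, compared case-insensitively.
// No match, or more than one match, means the owner cannot be determined.
function adoptionRule(account, people) {
  const matches = people.filter(
    p => p.uid.toLowerCase() === account.name.toLowerCase());
  return matches.length === 1 ? matches[0] : null;
}

// Whole days between an ISO date and the reference date.
function daysSince(isoDate, asOf) {
  return Math.floor((asOf - new Date(isoDate)) / 86400000);
}

// Reconcile the account list against the people list as of a given date.
// Returns adopted (account, owner) pairs, orphan names and dormant names.
function reconcile(accounts, people, asOf) {
  const result = { adopted: [], orphans: [], dormant: [] };
  for (const account of accounts) {
    const owner = adoptionRule(account, people);
    if (owner) {
      result.adopted.push({ account: account.name, owner: owner.uid });
    } else {
      result.orphans.push(account.name);
    }
    const neverUsed = account.lastLogin === null;
    if (neverUsed || daysSince(account.lastLogin, asOf) > DORMANT_AFTER_DAYS) {
      result.dormant.push(account.name);
    }
  }
  return result;
}

// Example run with a fixed "as of" date so the result is reproducible:
// orphans svc_bak and tmp99, dormant asmith and svc_bak.
console.log(JSON.stringify(reconcile(ACCOUNTS, PEOPLE, new Date("2013-06-15")), null, 2));
```

The adoption rule deliberately returns no owner when the name matches more than one person; an ambiguous match must surface as an orphan for review rather than be assigned to whichever person happens to sort first.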

The IBM Security Identity Manager administrator can also create new rules to be used in password policies.

If password synchronization is enabled, the administrator must ensure that password policies do not have any conflicting password strength rules. When password synchronization is enabled, IBM Security Identity Manager combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set.

Provisioning policy and policy enforcement

A provisioning policy grants access to many types of managed resources, such as IBM Security Identity Manager server, Windows NT servers, and Solaris servers. Provisioning policy parameters help system administrators define the attribute values that are required and the values that are allowed.

Policy enforcement is the manner in which IBM Security Identity Manager allows or disallows accounts that violate provisioning policies. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.

Mark
    Sets a mark on an account that has a noncompliant attribute.
Suspend
    Suspends an account that has a noncompliant attribute.
Correct
    Replaces a noncompliant attribute on an account with the correct attribute.
Alert
    Issues an alert for an account that has a noncompliant attribute.

Recertification policy and process

A recertification policy includes activities to ensure that users provide confirmation that they have a valid, ongoing need for the target type specified (user, account, and access). The policy defines how frequently users must validate an ongoing need. Additionally, the policy defines the operation that occurs if the recipient declines or does not respond to the recertification request. IBM Security Identity Manager supports recertification policies that use a set of notifications to initiate the workflow activities that are involved in the recertification process.
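The password strength rules and the policy combination that password synchronization requires, as described under "Password policy and password compliance" above, worked through as an added example. It is not IBM Security Identity Manager code or its password policy API: the rule names, the way length bounds are merged, and the three sample policies are constructed for the example; the five-to-ten character bounds come from the text.

```javascript
// Added example, not IBM Security Identity Manager code. A password policy
// is a list of strength rules; with synchronization enabled one password
// must satisfy the policies of every account the user owns, so the policies
// are merged and checked for conflicts before any password is accepted.

// Each strength rule is a named predicate. Length rules also record their
// bound so that policies can be merged. Rule names are constructed here.
function minLength(n) {
  return { name: "minimum length " + n, min: n, test: p => p.length >= n };
}
function maxLength(n) {
  return { name: "maximum length " + n, max: n, test: p => p.length <= n };
}
function requiresDigit() {
  return { name: "at least one digit", test: p => /[0-9]/.test(p) };
}

// Names of the rules a candidate password violates under one policy.
// An empty array means the password is valid for that policy.
function violations(policy, password) {
  return policy.rules.filter(rule => !rule.test(password)).map(rule => rule.name);
}

// Merge the policies of all accounts owned by a user: the strictest minimum
// and maximum length win, every other rule is kept. If the strictest
// minimum exceeds the strictest maximum, the policies conflict and no
// password can satisfy them, which is the case the text warns about.
function combinePolicies(policies) {
  const rules = policies.flatMap(p => p.rules);
  const mins = rules.filter(r => r.min !== undefined).map(r => r.min);
  const maxs = rules.filter(r => r.max !== undefined).map(r => r.max);
  const min = mins.length ? Math.max(...mins) : 0;
  const max = maxs.length ? Math.min(...maxs) : Infinity;
  if (min > max) {
    return { conflict: "minimum length " + min + " exceeds maximum length " + max };
  }
  const combined = rules.filter(r => r.min === undefined && r.max === undefined);
  if (mins.length) combined.push(minLength(min));
  if (maxs.length) combined.push(maxLength(max));
  return { conflict: null, rules: combined };
}

// Constructed policies: the text's 5-to-10 character policy, a stricter one
// for a second account, and a legacy one that cannot be reconciled with them.
const BASIC_POLICY  = { name: "basic",  rules: [minLength(5), maxLength(10)] };
const STRICT_POLICY = { name: "strict", rules: [minLength(8), requiresDigit()] };
const LEGACY_POLICY = { name: "legacy", rules: [maxLength(6)] };

console.log(violations(BASIC_POLICY, "abc"));                 // ["minimum length 5"]
const mergedPolicy = combinePolicies([BASIC_POLICY, STRICT_POLICY]);
console.log(violations(mergedPolicy, "passw0rd"));            // []
console.log(violations(mergedPolicy, "password"));            // ["at least one digit"]
console.log(combinePolicies([BASIC_POLICY, STRICT_POLICY, LEGACY_POLICY]).conflict);
// "minimum length 8 exceeds maximum length 6"
```

Check the `conflict` field before validating against a merged policy; a conflicting set has no `rules` to validate against, which mirrors the text's point that the password "might not be set" when policies conflict.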
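The four policy enforcement actions listed above (Mark, Suspend, Correct, Alert), applied to an account whose attribute violates a provisioning policy, as an added example. This is not IBM Security Identity Manager code and not its provisioning policy format: the policy shape (required and allowed values per attribute), the sample account and the shape of the returned result are constructed for the example.

```javascript
// Added example, not IBM Security Identity Manager code. A provisioning
// policy states, per attribute, which values an account must have and which
// it may have; an account is noncompliant when it lacks a required value or
// carries a disallowed one. The enforcement action decides what happens.

// Constructed provisioning policy for one service.
const POLICY = {
  attributes: {
    groups: { required: ["staff"], allowed: ["staff", "developers"] },
    shell:  { required: [],        allowed: ["/bin/bash", "/bin/sh"] },
  },
};

// One entry per noncompliant attribute: the values found, the values that
// are not allowed, and the required values that are missing.
function findViolations(policy, account) {
  const issues = [];
  for (const [attr, spec] of Object.entries(policy.attributes)) {
    const actual = [].concat(account[attr] || []);   // single values become arrays
    const disallowed = actual.filter(v => !spec.allowed.includes(v));
    const missing = spec.required.filter(v => !actual.includes(v));
    if (disallowed.length || missing.length) {
      issues.push({ attr, actual, disallowed, missing });
    }
  }
  return issues;
}

// Apply one enforcement action. Only "Correct" changes attribute values; the
// other actions record state or raise an alert and leave the values as they
// are. The input account is never mutated; a copy is returned.
function enforce(action, policy, account) {
  const issues = findViolations(policy, account);
  const result = { account: { ...account }, issues, alerts: [] };
  if (issues.length === 0) return { ...result, status: "compliant" };
  switch (action) {
    case "Mark":
      result.account.compliance = "noncompliant";
      break;
    case "Suspend":
      result.account.compliance = "noncompliant";
      result.account.suspended = true;
      break;
    case "Correct":
      for (const issue of issues) {
        // keep the allowed values that were present and add every required one
        const spec = policy.attributes[issue.attr];
        const kept = issue.actual.filter(v => spec.allowed.includes(v));
        result.account[issue.attr] = [...new Set([...kept, ...spec.required])];
      }
      result.account.compliance = "compliant";
      break;
    case "Alert":
      result.alerts = issues.map(
        i => `account ${account.uid}: attribute ${i.attr} is noncompliant`);
      break;
    default:
      throw new Error("unknown enforcement action: " + action);
  }
  return { ...result, status: action === "Correct" ? "corrected" : "noncompliant" };
}

// Constructed account: in an unapproved group and missing the required one.
const ACCOUNT = { uid: "jdoe", groups: ["wheel", "developers"], shell: "/bin/bash" };

console.log(enforce("Correct", POLICY, ACCOUNT).account.groups);   // ["developers", "staff"]
console.log(enforce("Suspend", POLICY, ACCOUNT).account.suspended); // true
console.log(enforce("Alert", POLICY, ACCOUNT).alerts);
```

Running `findViolations` again on the corrected account is the useful check: a "Correct" action that leaves any issue behind would silently re-trigger on the next policy evaluation.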
Depending on the user response, a recertification policy can mark a user's roles, accounts, groups, or accesses as recertified. The policy can suspend or delete an account, or delete a role, group, or access.

Audits that are specific to recertification are created for use by several reports that are related to recertification:

Accounts, access, or users pending recertification
    Provides a list of recertifications that are not completed.
Recertification history
    Provides a historical list of recertifications for the target type specified.
Recertification policies
    Provides a list of all recertification policies.

User recertification history
    Provides history of user recertification.
User recertification policy
    Provides a list of all user recertification policies.

Reports

Security administrators, auditors, managers, and service owners in your organization can use one or more of the following reports to control and support corporate regulatory compliance:

- Accesses Report, which lists all access definitions in the system.
- Approvals and Rejections Report, which shows request activities that were either approved or rejected.
- Dormant Accounts Report, which lists the accounts that were not used recently.
- Entitlements Granted to an Individual Report, which lists all users with the provisioning policies for which they are entitled.
- Noncompliant Accounts Report, which lists all noncompliant accounts.
- Orphan Accounts Report, which lists all accounts not having an owner.
- Pending Recertification Report, which highlights recertification events that can occur if the recertification person does not act on an account or access. This report supports filtering data by a specific service type or a specific service instance.
- Recertification Change History Report, which shows a history of accesses (including accounts) and when they were last recertified. This report serves as evidence of past recertifications.
- Recertification Policies Report, which shows the current recertification configuration for a specific access or service.
- Separation of Duty Policy Definition Report, which lists the separation of duty policy definitions.
- Separation of Duty Policy Violation Report, which contains the person, policy, rules violated, approval, and justification (if any), and who requested the violating change.
- Services Report, which lists services currently defined in the system.
- Summary of Accounts on a Service Report, which lists a summary of accounts on a specified service defined in the system.
- Suspended Accounts Report, which lists the suspended accounts.
- User Recertification History Report, which lists the history of user recertifications done manually (by specific recertifiers), or automatically (due to timeout action).
- User Recertification Policy Definition Report, which lists the user recertification policy definitions.

All reports are available to all users when the appropriate access controls are configured. However, certain reports are designed specifically for certain types of users.

Table 23. Summary of reports (Designed for; Available reports)

  Security administrators
      Dormant Accounts, Orphan Accounts, Pending Recertification, Recertification History, Recertification Policies, User Recertification History, User Recertification Policies
  Managers
      Pending Recertification, Recertification History, Recertification Policies, User Recertification History, User Recertification Policies
  Service owners
      Dormant Accounts, Orphan Accounts, Pending Recertification, Recertification History, Recertification Policies, User Recertification History, User Recertification Policies
  Auditors
      Dormant Accounts, Orphan Accounts, Pending Recertification, Recertification History, Recertification Policies, User Recertification History, User Recertification Policies
  End users, help desk, and developers
      None

Identity governance

IBM Security Identity Manager extends the identity management governance capabilities with a focus on operational role management. Using roles simplifies the management of access to IT resources.

Identity governance includes these IBM Security Identity Manager features:

Role management
    Manages user access to resources, but unlike user provisioning, role management does not grant or remove user access. Instead, it sets up a role structure to do it more efficiently.
Entitlement management
    Simplifies access control by administering and enforcing fine-grained authorizations.

Triple user interface Access certification Proides ongoing reiew and alidation of access to resources at role or entitlement leel. Priileged user management Proides enhanced user administration and monitoring of system or administrator accounts that hae eleated priileges. Separation of duties Preents and detects business-specific conflicts at role or entitlement leel. IBM Security Identity Manager has three user interfaces that shows users only the tasks they need to complete, based on their user role. The interfaces are separate, and users access them through different web addresses. IBM Security Identity Manager has three types of user interfaces: the Administratie console interface, the Self-care interface, and the Identity Serice Center interface. Administratie console user interface The administratie console user interface proides an adanced set of administratie tasks, and has new multitasking capabilities. Persona-based console customization The administratie console user interface contains the entire set of administratie tasks, such as managing roles, policies, and reports. This persona-based console proides sets of tasks, each tailored for the needs of the default administratie user types: System administrator Priileged administrator Serice owner Help desk assistant Auditor Manager System administrators can easily customize which tasks the different types of users can do. To control user access to accounts and tasks, for example, use a default set of user groups, access control items, and iews. You can also customize user access by defining additional user groups, iews, and access control items. Multitasking control Wizards within the administratie console user interface expedite the administratie tasks of adding users, requesting accounts, and creating new serices. The administrator can concurrently manage seeral tasks. Adanced search capability The administratie console user interface also proides a powerful adanced search feature. 
Self-care user interface

The self-care user interface provides a simpler subset of personal tasks that apply only to the user. With the IBM Security Identity Manager self-care interface, users can update their personal information and passwords. Users can view requests, complete and delegate activities, and request and manage their own accounts and access. The self-care user interface provides a central location for users to do various simple, intuitive tasks. From the self-care home page, the following task panels are available, depending on the authority the system administrator granted.

Action Needed
    A list of tasks that require completion.
My Password
    A list of tasks to change passwords. If password synchronization is enabled, users can enter one password that is synchronized for all of their accounts. A user can reset a forgotten password by successfully responding to forgotten password questions, if forgotten password information is configured in the system.
My Access
    A list of tasks to request and manage access to folders, applications, roles, and other resources.
My Profile
    A list of tasks to view or update personal information.
My Requests
    A list of tasks to view requests that a user submitted.
My Activities
    A list of activities that require user action. Users can also delegate activities.

Privileged users can also check out and check in credentials from the self-care user interface.

Identity Service Center user interface

The Identity Service Center user interface provides a unified catalog that makes manager request-access tasks simple and straightforward.

Request Access wizard
    The Identity Service Center has a Request Access wizard where users can request new accesses such as role membership, accounts, and access entitlements. It also supports batch requests by allowing users to build up a list of items that are requested at the same time. For example, a member moves into a new role from one department to another, and the manager wants to give access to certain systems or applications. The user can follow these basic steps to use the wizard effectively:
    1. Select a person for whom you want to request access.
    2. Select one or more accesses to request for that person.
    3. Provide the required information, such as justification, account details, or passwords.
    4. Submit the request.
    5. View a submission confirmation and status page.

Configurable and extensible
    You can use the Identity Service Center to have a tailored user experience:
    - Use the default Identity Service Center features and add to them
    - Edit the custom tasks
    - Add your own custom tasks
    See the Identity Service Center user interface customization section of the IBM Security Identity Manager Configuration Guide for details.

Recertification

IBM Security Identity Manager Server recertification simplifies and automates the process of periodically revalidating users, accounts, and accesses. The recertification process automates validating that users, accounts, and accesses are still required for a valid business purpose. The process sends recertification notification and approval events to the participants that you specify.

Reporting

IBM Security Identity Manager reports reduce the time to prepare for audits and provide a consolidated view of access rights and account provisioning activity for all managed people and systems. A report is a summary of IBM Security Identity Manager activities and resources. You can generate reports based on requests, users and accounts, services, or audit and security. Report data is staged through a data synchronization process. The process gathers data from the IBM Security Identity Manager directory information store and prepares it for the reporting engine. Data synchronization can be run on demand, or it can be scheduled to occur regularly. Because reports are generated from the staged copy, a report reflects the directory state as of the last synchronization, not the live directory.

Report accessibility
    The IBM Security Identity Manager reports are accessible in PDF format. The following categories of reports are available:

Requests
    Reports that provide workflow process data, such as account operations, approvals, and rejections.
User and Accounts
    Reports that provide data about users and accounts. For example: individual access rights, account activity, pending recertifications, and suspended individuals.
Services
    Reports that provide service data, such as reconciliation statistics, list of services, and summary of accounts on a service.
Audit and Security
    Reports that provide audit and security data, such as access control information, audit events, and noncompliant accounts.

Shared Access
    Reports that provide a history of shared access, a listing of shared entitlements by role, and a listing of shared access entitlements by owner.

Static and dynamic roles

IBM Security Identity Manager provides static and dynamic roles. In a static organizational role, assigning a person to the role is a manual process. In the case of a dynamic role, the scope can be an organizational unit only, or the organizational unit and its subunits. Dynamic organizational roles use valid LDAP filters to set a user's membership in a specific role. For example, a dynamic role might use an LDAP filter to provide access to specific resources to users who are members of an auditing department named audit123. For example, type:

(departmentnumber=audit123)

Dynamic organizational roles are evaluated at the following times:
- When a new user is created in the IBM Security Identity Manager system
- When a user's information, such as title or department membership, changes
- When a new dynamic organizational role is created

Self-access management

IBM Security Identity Manager gives users and administrators the ability to request and manage access to resources such as shared folders, email groups, or applications. Access differs from an account. An account exists as an object on a managed service. An access is an entitlement to use a resource, such as a shared folder, on the managed service. The ability to access a resource is based on the attributes of the group to which the user account belongs. The user's access to a resource is therefore dependent on the account and its group mapping. When an account is suspended, its access becomes inactive; similarly, when an account is restored, its access becomes active again. When an account is deleted, access to the resource for that user is deleted. When a group is removed from the service, the user access that maps to that group is also removed.
An administrator typically configures the access to resources on a service based on the need for a particular user group. Users can request or delete access. They can manage access to the resources they use without the need to understand the underlying technology, such as account attributes.

Provisioning features

IBM Security Identity Manager provides support for provisioning, the process of providing, deploying, and tracking a service or component in your enterprise. In a suite of security products, IBM Security Identity Manager plays a key role in ensuring that resources are accessible only to authorized persons. IBM Security Identity Manager safeguards the accuracy and completeness of information processing methods and grants authorized users access to information and associated assets.
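The dynamic role evaluation described under Static and dynamic roles above can be illustrated with the following JavaScript. It is an example written for this page, not code from the IBM guide or from the product: it evaluates an LDAP filter such as (departmentnumber=audit123) against person records, restricts the result to the role's organizational unit (with or without subunits), and recomputes membership when a person's attributes change. The person records, the role definition, the parentDn, baseDn and scope field names, and the supported filter syntax (and, or, not, equality, presence and wildcard substring; no escape sequences or extensible matching) are all assumptions made for the example.

```javascript
// Added example, not IBM product code: dynamic role membership from LDAP filters.
// All person records, role definitions and field names below are constructed.

// Parse an RFC 4515-style filter string into a tree. Supports &, |, !, equality,
// presence (attr=*) and wildcard substring (attr=a*b). Escape sequences such as
// \2a are deliberately not handled (assumption for this example).
function parseFilter(text) {
  let pos = 0;
  function expect(ch) {
    if (text[pos] !== ch) throw new Error(`expected '${ch}' at ${pos} in ${text}`);
    pos++;
  }
  function node() {
    expect('(');
    let result;
    const c = text[pos];
    if (c === '&' || c === '|') {
      pos++;
      const children = [];
      while (text[pos] === '(') children.push(node());
      result = { op: c, children };
    } else if (c === '!') {
      pos++;
      result = { op: '!', child: node() };
    } else {
      const end = text.indexOf(')', pos);
      const eq = text.indexOf('=', pos);
      if (end < 0 || eq < 0 || eq > end) throw new Error(`bad simple filter at ${pos} in ${text}`);
      // LDAP attribute names match case-insensitively
      result = { op: '=', attr: text.slice(pos, eq).toLowerCase(), value: text.slice(eq + 1, end) };
      pos = end;
    }
    expect(')');
    return result;
  }
  const tree = node();
  if (pos !== text.length) throw new Error(`trailing text in filter ${text}`);
  return tree;
}

// Return all values of an attribute; LDAP attributes may be multi-valued.
function valuesOf(person, attr) {
  const key = Object.keys(person).find(k => k.toLowerCase() === attr);
  if (key === undefined) return [];
  return Array.isArray(person[key]) ? person[key] : [person[key]];
}

// caseIgnoreMatch semantics: a lone '*' is presence, other '*' are wildcards.
function matchValue(pattern, value) {
  if (pattern === '*') return true;
  const parts = pattern.split('*').map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(value);
}

function evaluate(node, person) {
  switch (node.op) {
    case '&': return node.children.every(c => evaluate(c, person));
    case '|': return node.children.some(c => evaluate(c, person));
    case '!': return !evaluate(node.child, person);
    case '=': return valuesOf(person, node.attr).some(v => matchValue(node.value, String(v)));
    default: throw new Error(`unknown operator ${node.op}`);
  }
}

// Role scope: 'single' covers people placed directly in the unit, 'subtree'
// also covers its subunits (the two scopes the guide describes).
function inScope(role, person) {
  const container = person.parentDn.toLowerCase();
  const base = role.baseDn.toLowerCase();
  return container === base || (role.scope === 'subtree' && container.endsWith(',' + base));
}

function membersOf(role, people) {
  const tree = parseFilter(role.filter);
  return people.filter(p => inScope(role, p) && evaluate(tree, p)).map(p => p.uid);
}

// Re-evaluate after a person's attributes change and report who joined or left.
function roleDelta(role, people, uid, changes) {
  const before = new Set(membersOf(role, people));
  const updated = people.map(p => (p.uid === uid ? { ...p, ...changes } : p));
  const after = new Set(membersOf(role, updated));
  return {
    added: [...after].filter(u => !before.has(u)),
    removed: [...before].filter(u => !after.has(u)),
    people: updated,
  };
}

// Constructed sample data (not from any real directory).
const people = [
  { uid: 'alice', parentDn: 'ou=audit,ou=finance,o=example', departmentNumber: 'audit123', title: 'Senior Auditor' },
  { uid: 'bob',   parentDn: 'ou=finance,o=example',          departmentNumber: 'audit123', title: 'Contractor' },
  { uid: 'carol', parentDn: 'ou=engineering,o=example',      departmentNumber: 'eng42',    title: 'Engineer' },
];
const auditRole = {
  name: 'Audit department',
  baseDn: 'ou=finance,o=example',
  scope: 'subtree',
  filter: '(&(departmentNumber=audit123)(!(title=contractor)))',
};

console.log('members:', membersOf(auditRole, people)); // [ 'alice' ]
console.log('joined after title change:', roleDelta(auditRole, people, 'bob', { title: 'Auditor' }).added); // [ 'bob' ]
```

Run it with node. The second line of output shows why the product re-evaluates dynamic roles whenever a title or department attribute changes: a filter that grants a role by department but excludes contractors by title changes its membership as soon as HR updates either attribute, so the feeds that populate those attributes need the same change control as the role definition itself.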

Overview

IBM Security Identity Manager provides an integrated software solution for managing the provisioning of services, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its provisioning features to control the setup and maintenance of user access to systems and account creation on a managed resource. The two main types of information are person data and account data. Person data represents the people whose accounts are being managed. Account data represents the credentials of the persons and the managed resources to which the persons were granted access.

At its highest level, an identity management solution automates and centralizes the process of provisioning resources. Resources range from operating systems and applications to people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures. However, the organization tree used for provisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations. For example, a domain administrator can serve only the people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized to do configuration tasks, such as creating workflows. IBM Security Identity Manager supports distributed administration capabilities, which include the secure distribution of provisioning tasks, whether manual or automatic, among various organizations.
Distributing administrative tasks in your organization improves the accuracy and effectiveness of administration and improves the balance of the workload of an organization.

IBM Security Identity Manager addresses provisioning of enterprise services and components in the following areas:
- Account access management
- Workflow and lifecycle automation
- Provisioning policies
- Role-based access control
- Separation of duty capabilities
- Self-regulating user administration
- Customization

Account access management and the provisioning system

With an effective account access management solution, your organization can track precisely who has access to what information across the organization. Access control is a critical function of a centralized, single-point provisioning system. Besides protecting sensitive information, access controls expose existing accounts that have unapproved authorizations or are no longer necessary.

Orphan accounts are active accounts that cannot be associated with valid users. For orphan accounts on a managed resource, the account owner cannot be automatically determined by the provisioning system. To control orphan accounts, the provisioning system links account information with authoritative information about the users who own the accounts. Authoritative user identity information is typically maintained in the databases and directories of human resources.

Improperly configured accounts are active accounts that are associated with valid users but were granted improper authorization because the organization allowed local administrators to add or modify users outside of IBM Security Identity Manager. Controlling improper accounts is much more difficult, and requires a comparison of what should be with what is at the account authority level. The existence of an account does not necessarily expose its capabilities. Accounts in sophisticated IT systems include hundreds of parameters that define the authorities, and these details can be controlled by your provisioning system.

New users can be readily identified with the data feed that you establish from the human resources directory. The access request approval capability initiates the processes that approve (or reject) resource provisioning for them.

Workflow and lifecycle automation

When a user becomes affiliated or employed with an organization, the lifecycle of the user begins. Your business policies and processes, whether manual or semi-automated, provision the user with access to certain resources based on role and responsibilities. Over time, when the role and functions of a user change, your business policies and processes can change the resources that are available to the user. Eventually, the user becomes unaffiliated with the organization, associated accounts are suspended and later deleted, and the lifecycle of the user in the organization is finished. You can use workflows to customize how accounts are provisioned. You can customize the lifecycle management of users and accounts, such as adding, removing, and modifying users and accounts.
A complete provisioning workflow system automatically routes requests to the appropriate approvers and preemptively escalates to other approvers if actions are not taken on the requests. You can define two types of workflows in IBM Security Identity Manager: entitlement workflows that apply to provisioning activities, and operational workflows that apply to entity types. An entitlement workflow defines the business logic that is tied specifically to the provisioning actions of provisioning policies. A provisioning policy entitlement ties the provisioning actions to entitlement workflows. For example, an entitlement workflow is used to define approvals for managing accounts. An operational workflow defines the business logic for the lifecycle processes for entity types and entities. You can use workflow programming tools to automate key aspects of the provisioning lifecycle, specifically the approval processes that your organization uses. A workflow object in the organization tree can contain one or more participants and escalation participants. A participant is a signature authority that approves or rejects a provisioning request.

Provisioning policies and auditing

An organizational role entity is assigned to one or more identities when you implement role-based access control for the resources that are managed by IBM Security Identity Manager. An organizational role is controlled by a provisioning policy. The policy represents a set of organizational rules and the logic that the Security Identity Manager Server uses to manage resources such as applications or operating systems.

If a role is a member of another organizational role in a provisioning policy, then that role member also inherits the permissions of the provisioning policy. A provisioning policy maps the people in organizational roles to services that represent corresponding resources in IBM Security Identity Manager. The policy sets the entitlements that people have when accessing the services. The provisioning policies you implement must reflect the organizational identity management policies in your security plan. To implement effective provisioning policies, you must analyze and document existing business approval processes in your organization. You must determine what adjustments to make to those processes to implement an automated identity management solution. A provisioning policy provides a key part of the framework for the automation of identity lifecycle management.

IBM Security Identity Manager provides APIs that interface to information about provisioning policies defined in IBM Security Identity Manager, and to the access granted to an individual task. These APIs can be used effectively to generate audit data. When a provisioning policy is defined, the reconciliation function enables the enforcement of the policy rules: reconciliation reads the accounts that exist on the managed resource and compares them with what the policies say should exist, so that accounts created or modified outside IBM Security Identity Manager are detected. The reconciliation function keeps the participating systems (both the Security Identity Manager Server and the repositories of the managed resources) from potentially becoming a single point of failure.

When two or more provisioning policies are applied, a join directive defines how to handle attributes. Two or more policies might have overlapping scope, and the join directive specifies what actions to take when this overlap occurs. Provisioning policies can be mapped to a distinct portion or level of the organizational hierarchy. For example, policies can be defined at a specific organization unit so that they affect organization roles for that unit only.
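The orphan and improperly configured accounts described under Account access management above, and the reconciliation and join directive behaviour described in the preceding paragraphs, are illustrated by the following JavaScript. It is an example written for this page, not code from the IBM guide or from the product. The HR identity feed, the provisioning policies, the reconciled account list, the 90-day dormancy threshold and the join semantics (union merges every applicable policy's group values; priority keeps only the values of the policy with the lowest priority number) are all constructed assumptions; the product's own join directives and precedence rules are not reproduced.

```javascript
// Added example, not IBM product code: reconcile accounts found on a managed
// service against the authoritative identity feed and the provisioning policies.
// All identities, policies, accounts and join semantics below are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// Authoritative identities as fed from HR (uid, employment status, role membership).
const identities = [
  { uid: 'alice', status: 'active',     roles: ['auditor'] },
  { uid: 'bob',   status: 'active',     roles: ['developer', 'auditor'] },
  { uid: 'eve',   status: 'terminated', roles: ['developer'] },
];

// Provisioning policies: roles entitled to a service, with the group attribute
// each policy grants. 'priority' is an assumption for this example: a lower
// number wins when the join directive is 'priority'.
const policies = [
  { name: 'Auditors on prod',   roles: ['auditor'],   service: 'unix-prod', priority: 10, groups: ['audit', 'users'] },
  { name: 'Developers on prod', roles: ['developer'], service: 'unix-prod', priority: 20, groups: ['dev', 'users'] },
];

// Accounts as returned by reconciliation of the managed service (constructed).
// 'backup' has no owner; 'bob' was given 'wheel' locally; 'eve' left months ago.
const accounts = [
  { service: 'unix-prod', login: 'alice',  owner: 'alice', groups: ['audit', 'users'],                 lastLogin: '2013-06-01' },
  { service: 'unix-prod', login: 'bob',    owner: 'bob',   groups: ['dev', 'audit', 'users', 'wheel'], lastLogin: '2013-06-10' },
  { service: 'unix-prod', login: 'eve',    owner: 'eve',   groups: ['dev', 'users'],                   lastLogin: '2012-11-01' },
  { service: 'unix-prod', login: 'backup', owner: null,    groups: ['wheel'],                          lastLogin: '2013-06-12' },
];

// Groups the identity is entitled to on a service once every applicable policy
// is applied and their group attributes are joined. Returns null when no policy
// entitles the identity to the service at all.
function entitledGroups(identity, service, join) {
  const applicable = policies
    .filter(p => p.service === service && p.roles.some(r => identity.roles.includes(r)))
    .sort((a, b) => a.priority - b.priority);
  if (applicable.length === 0) return null;
  if (join === 'priority') return new Set(applicable[0].groups);
  return new Set(applicable.flatMap(p => p.groups)); // 'union'
}

// Classify one reconciled account. An account can carry several findings.
function classify(account, now, join, dormantDays) {
  const findings = [];
  const identity = identities.find(i => i.uid === account.owner);
  if (!identity) {
    findings.push('orphan'); // no authoritative owner, so nobody can recertify it
  } else {
    if (identity.status !== 'active') findings.push('owner-inactive');
    const entitled = entitledGroups(identity, account.service, join);
    if (entitled === null) {
      findings.push('no-entitling-policy');
    } else {
      // improperly configured: authority granted outside the provisioning system
      const extra = account.groups.filter(g => !entitled.has(g));
      if (extra.length > 0) findings.push(`noncompliant:${extra.join(',')}`);
    }
  }
  const idleDays = (now - Date.parse(account.lastLogin)) / DAY_MS;
  if (idleDays > dormantDays) findings.push('dormant');
  return findings.length > 0 ? findings : ['compliant'];
}

// Run the comparison for every account and return login -> findings.
function reconcile(now, join = 'union', dormantDays = 90) {
  const report = {};
  for (const account of accounts) report[account.login] = classify(account, now, join, dormantDays);
  return report;
}

const NOW = Date.parse('2013-06-15');
console.log(reconcile(NOW));
// { alice: ['compliant'], bob: ['noncompliant:wheel'], eve: ['owner-inactive','dormant'], backup: ['orphan'] }
console.log(reconcile(NOW, 'priority').bob); // [ 'noncompliant:dev,wheel' ]
```

The two join directives give different verdicts for bob: under union he is over-entitled only by wheel, under priority his dev group is flagged as well. The directive chosen for an overlapping attribute therefore decides directly what a Noncompliant Accounts Report shows and what an enforcement action would strip from the account, so it deserves the same review as the policies themselves.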
Service selection policies extend the function of a provisioning policy by enabling the provisioning of accounts based on person attributes. A service selection policy is enforced when it is defined as a target of a provisioning policy. Using a JavaScript script to determine which service to use, the service selection policy defines provisioning based on the instructions in the script. The logic in the JavaScript typically uses person object attributes to determine which service to use. The attribute is often the location of the person in the organization tree.

Role-based access control

Role-based access control (RBAC) uses roles and provisioning policies to evaluate, test, and enforce your business processes and rules for granting access to users. Key administrators create provisioning policies and assign users to roles, and the policies define sets of entitlements to resources for these roles. RBAC tasks establish role-based access control to resources. RBAC extends the identity management solution to use software-based processes and reduce manual user interaction in the provisioning process. Role-based access control evaluates changes to user information to determine whether the changes alter the role membership for the user. If a change is needed, policies are reviewed and changes to entitlements are put in place immediately. Similarly, a change in the definition of the set of resources in a policy can also trigger a change to associated entitlements.

Resource provisioning

Role-based access control includes the following features:
- Mandatory and optional entitlements, where optional entitlements are not automatically provisioned but can be requested by a user in a group
- Prerequisite services, where specific services must be granted before certain access rights are set
- Entitlement defaults and constraints, where each characteristic of an entitlement can be set to a default value. The entitlement range can be constrained, depending on the capabilities of the entitlement to be granted
- A single account with multiple authorities governed by different policies
- Private, filtered views of information about users and available resources
- User authentication approaches that are consistent with internal security policies
- Distribution of provisioning system components securely over WAN and Internet environments, including the crossing of firewalls
- User IDs that use consistent, user-defined algorithms

Self-regulating user administration

When your organization starts to provision resources across all internal organizations, you implement the self-regulating user administration capability. You can realize the advantages and benefits of provisioning users across organizational boundaries. In this environment, a change in a user's status is automatically reflected in access rights across organization boundaries and geographies. You can reduce provisioning costs and streamline the access and approval processes. The implementation realizes the full potential of implementing role-based access control for end-to-end access management in your organization. You can reduce administrative costs through automated procedures for governing user provisioning. You can improve security by automating security policy enforcement, and streamline and centralize user lifecycle management and resource provisioning for large user populations.

Incremental provisioning and other customization options

Your team can use business plans and requirements to decide how much to customize IBM Security Identity Manager.
For example, a large enterprise might require a phased roll-out plan for workflows and custom adapters that is based on a time line for incrementally provisioning applications that are widely used across geographies. Another customization plan might provide for two or more applications to be provisioned across an entire organization, after successful testing. User-application interaction can be customized, and procedures for provisioning resources might be changed to accommodate automated provisioning. You can deprovision to remove a service or component. For example, deprovisioning an account means that the account is deleted from a resource.

Depending on business needs, IBM Security Identity Manager provides alternatives you can use to provision resources to authorized users. Alternatives are based on requests, roles, or a combination of requests and roles.

Request-based access to resources

On a request basis, IBM Security Identity Manager provides a process to grant, modify, and remove access to resources throughout a business. The process establishes an effective audit trail with automated reports.

In request-based provisioning, users and their managers search for and request access to specific applications, privilege levels, or resources within a system. The requests are validated by workflow-driven approvals and audited for reporting and compliance purposes. For example, users, or their managers, can request access to new accounts. Additionally, managers or other administrators are alerted to unused accounts and given the option to delete the accounts through a recertification process. These periodic reviews of user access rights ensure that previously approved access is removed if it is no longer needed.

Roles and access control

An organizational role supports different access control and access provisioning models in a customer deployment. An organizational role can map to IBM Security Identity Manager access entitlements in a provisioning policy. Specific IBM Security Identity Manager groups can be authorized or automatically provisioned for users that are members of the role. If a role is a member of another organizational role in a provisioning policy, then that role member also inherits the permissions of the provisioning policy. IBM Security Identity Manager groups can be used to define views and access control for different types of entities that are managed in IBM Security Identity Manager.

Hybrid provisioning model

The hybrid model of provisioning resources combines request-based and role-based approaches, both of which are supported by IBM Security Identity Manager. For a subset of employees or managed systems, a business might want to automate access with role-based assignment. A business might also handle all other access requests or exceptions through a request-based model. Some businesses might start with manual assignment, and evolve toward a hybrid model, with an intention of a fully role-based deployment at a future time.
Other companies might find it impractical for business reasons to achieve complete role-based provisioning, and target a hybrid approach as the wanted goal. Still other companies might be satisfied with only request-based provisioning, and not want to invest additional effort to define and manage role-based, automated provisioning policies.

Chapter 6. Technical overview

You can use IBM Security Identity Manager to manage the identity records that represent people in a business organization. This section introduces the product architecture and main components.

IBM Security Identity Manager is an identity management solution that centralizes the process of provisioning resources, such as provisioning accounts on operating systems and applications to users. IBM Security Identity Manager gives you the ability to add business processes and security policies to basic user management. The ability includes adding approvals for user requests to access resources. In addition, IBM Security Identity Manager provides a uniform way to manage user accounts and to delegate administration, including self-service and a help desk user interface.

Users, authorization, and resources

An administrator uses the entities that IBM Security Identity Manager provides for users, authorization, and resources to provide both initial and ongoing access in a changing organization.

Figure 2. Users, authorization, and resources. The figure groups the entities into three areas: People (identities, users, accounts, groups), Authorization (workflows and policies: access control items, identity policy, password policy, other policies, workflow), and Resources (adapters, services).

Identities
    An identity is the subset of profile data that uniquely represents a person in one or more repositories, and includes additional information related to the person.
Accounts
    An account is the set of parameters for a managed resource that defines your identity, user profile, and credentials.
Users
    A user is an individual who uses IBM Security Identity Manager to manage their accounts.
Access control items
    An access control item is data that identifies the permissions that users have for a specific type of resource. You create an access control item to specify a set of operations and permissions. You then identify which groups use the access control item.
Groups
    A group is used to control user access to functions and data in IBM Security Identity Manager. Membership in an IBM Security Identity Manager group provides a set of default permissions and operations, as well as views, that group members need.
Policies
    A policy is a set of considerations that influence the behavior of a managed resource (called a service in IBM Security Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy.
Adapters
    An adapter is a software component that provides an interface between a managed resource and the IBM Security Identity Manager Server.
Services
    A service represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes application. Users access these services by using an account on the service.

Copyright IBM Corp. 2012, 2013

Main components

Main components in the IBM Security Identity Manager solution include the IBM Security Identity Manager Server and required and optional middleware components, including adapters that provide an interface to managed resources. In a cluster configuration, main components include:

Figure 3. Main components. The figure shows a WebSphere Application Server Network Deployment cell for IBM Security Identity Manager: an IBM HTTP Server with the WebSphere Web Server plug-in in front of an IBM Security Identity Manager cluster of application servers that run the IBM Security Identity Manager Server, a Deployment Manager, JDBC drivers that connect to the IBM Security Identity Manager database, and an LDAP data store.

For more information about configuration alternatives, see the IBM Security Identity Manager Installation Guide.

Components include:

Database server products
    IBM Security Identity Manager stores transactional and historical data in a database server, a relational database that maintains the current and historical states of data. Computers that communicate with the database require a Java Database Connectivity driver (JDBC driver). For example, a JDBC driver enables an IBM Security Identity Manager Server to communicate with the data source. IBM Security Identity Manager supports a JDBC type 4 driver to connect a Java-based application to a database. The supported database products are IBM DB2 Database, Oracle DB, and MS SQL Server database. The information about type 4 JDBC drivers for each database product is as follows:

    IBM DB2 Database
        DB2 supports a Type 4 JDBC driver. The DB2 type 4 JDBC driver is bundled with the IBM Security Identity Manager installation program.
    Oracle database
        The Oracle database supports a Type 4 JDBC driver. The IBM Security Identity Manager installation program prompts for the location and name of this JDBC driver. Before you install the IBM Security Identity Manager Server, obtain this JDBC driver from your Oracle Database Server installation in the ORACLE_HOME\jdbc\lib\ directory. Alternatively, you can download the driver from this website: http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html
        For WebSphere Application Server version 7.0, the JDBC driver is ojdbc6.jar.
    Microsoft SQL Server database
        Note: The Identity Service Center does not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.
        The SQL Server database supports a Type 4 JDBC driver. The IBM Security Identity Manager installation program prompts for the location and name of this JDBC driver. You can download the driver from this website: http://msdn.microsoft.com/en-us/data/aa937724.aspx

    For more information about supported database server products, see Database server support on page 5.

Directory server products
    IBM Security Identity Manager stores the current state of the managed identities in an LDAP directory, including user account and organizational data. IBM Security Identity Manager supports the following products:
    - IBM Tivoli Directory Server
    - Sun Enterprise Directory Server

IBM Tivoli Directory Integrator
    IBM Tivoli Directory Integrator synchronizes identity data in different directories, databases, and applications. IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources.

WebSphere Application Server
    WebSphere Application Server is the primary component of the WebSphere environment. WebSphere Application Server runs a Java virtual machine, providing the runtime environment for the application code. The application server provides communication security, logging, messaging, and Web services. The IBM Security Identity Manager application can run on a single-server configuration with the WebSphere Application Server base server. IBM Security Identity Manager can also run in a larger cluster configuration. The configuration can have one or more WebSphere Application Servers and a deployment manager that manages the cluster.

HTTP server and WebSphere Web Server plug-in
    An HTTP server provides administration of IBM Security Identity Manager through a client interface in a web browser.
    IBM Security Identity Manager requires the installation of a WebSphere Web Server plug-in with the HTTP server. The WebSphere Application Server installation program can separately install both the IBM HTTP Server and the WebSphere Web Server plug-in.

IBM Security Identity Manager adapters
    An adapter is a program that provides an interface between a managed resource and the IBM Security Identity Manager Server. Adapters function as trusted virtual administrators on the target platform for account management. For example, adapters do such tasks as creating accounts, suspending accounts, and modifying account attributes. Because an adapter holds administrative credentials for its target, the credentials it stores and its connection to the server need the same protection as any other privileged account.

An IBM Security Identity Manager adapter can be either agent-based or agentless:
Agent-based adapter
  You install the adapter code directly onto the managed resource with which it is designed to communicate.
Agentless adapter
  Deploys its adapter code onto the IBM Security Identity Manager Server and the system that hosts IBM Tivoli Directory Integrator. The adapter code is separate from the managed resource with which it is designed to communicate.
Note: For agentless adapters, the SSH process or daemon must be active on the managed resource.

People overview
People, such as employees and contractors, need to use the resources that an organization provides. A person who has an IBM Security Identity Manager account is an IBM Security Identity Manager user. Users need different degrees of access to resources for their work. Some users need to use a specific application. Other users need to administer the system that links users to the resources that their work requires. IBM Security Identity Manager manages users' identities (user IDs), accounts, access entitlements on those accounts, and user credentials such as passwords.

Users
A person who is managed by IBM Security Identity Manager is a user. A user who has an IBM Security Identity Manager account is called an IBM Security Identity Manager user. This user can use IBM Security Identity Manager to manage accounts or do other administrative tasks.
Users need different degrees of access to resources for their work. Some users need to use a specific application. Other users need to administer the system that links users to the resources that their work requires. An IBM Security Identity Manager user is assigned to a specific group that provides access to specific views and allows the user to do specific tasks in IBM Security Identity Manager.
As an administrator, you create users either by importing identity records or by using IBM Security Identity Manager.

Identities
An identity is the subset of profile data that uniquely represents a person or entity. The data is stored in one or more repositories. For example, an identity might be represented by the unique combination of a person's first, last (family) name, and full (given) name, and employee number. An identity profile might also contain additional information such as phone numbers, manager, and email address.

Chapter 6. Technical overview 53

Accounts
An account is the set of parameters for a managed resource that defines an identity, user profile, and credentials. An account defines login information (your user ID and password, for example) and access to the specific resource with which it is associated.
In IBM Security Identity Manager, accounts are created on services, which represent the managed resources. Such resources might be operating systems (UNIX), applications (Lotus Notes), or other resources.
Accounts, when owned, are either individual or sponsored. Individual accounts are for use by a single owner and have an ownership type of Individual. Sponsored accounts are assigned to owners who are responsible for the accounts, but might not actually use them to access resources. Sponsored accounts can have various non-individual ownership types. IBM Security Identity Manager supplies three ownership types for sponsored accounts: Device, System, and Vendor. You can use the Configure System utility to create additional ownership types for sponsored accounts.
Accounts are either active or inactive. Accounts must be active to log in to the system. An account becomes inactive when it is suspended. Suspension can occur if a request to recertify your account usage is declined and the recertification action is suspend. Suspended accounts still exist, but they cannot be used to access the system. System administrators can restore and reactivate a suspended account if the account is not deleted.

Access
Access is your ability to use a specific resource, such as a shared folder or an application. In IBM Security Identity Manager, an access can be created to represent access to access types. Such access types might be shared folders, applications (such as Lotus Notes), email groups, or other managed resources.
An access differs from an account in that an account is a form of access; an account is access to the resource itself. Access is the permission to use the resource.
The access entitlement defines the condition that grants access to a user with a set of attribute values of a user account on the managed resource. In IBM Security Identity Manager, an access is defined on an existing group on the managed service. In this case, the access is granted to a user by creating an account on the service and assigning the user to the group. An access entitlement can also be defined as a set of parameters on a service account that uses a provisioning policy.
When a user requests new access, by default an account is created on that service. If an account exists, the account is modified to fulfill the access entitlement. For example, the account is assigned to the group that grants access to an access type. If one account exists, the account is associated with the access. If multiple accounts exist, you must select the user ID of the account to which you want to associate your access.
An access is often described in terms that can be easily understood by business users.

Passwords
A password is a string of characters that is used to authenticate a user's access to a system. A user ID and password are the two elements that grant access to a system.
As an administrator, you can manage user passwords and the passwords that are set for the users that are used by IBM Security Identity Manager.

Forgotten password administration
You can administer and define forgotten password information so that users can reset forgotten IBM Security Identity Manager passwords. The information is in the format of questions and answers.

Password synchronization
Password synchronization is the process of assigning and maintaining one password for all individual accounts that a user owns. Password synchronization reduces the number of passwords that a user must remember.
You can configure the system to automatically synchronize passwords for all individual accounts owned by a user. Then, the user must remember only one password. For example, a user has two individual accounts: an IBM Security Identity Manager account and a Lotus Notes account. If the user changes or resets the password for the IBM Security Identity Manager account, the Lotus Notes password is automatically changed to the same password as the IBM Security Identity Manager password.
Passwords might also be synchronized when you provision an account or restore a suspended account. If password synchronization is enabled, a user cannot specify different passwords for other individual accounts owned by the user.
Note: When you provision an account or restore an account that was suspended, you must specify a password for the account. If password synchronization is enabled, you are not prompted for a password. Instead, the individual account is automatically given the same password as the existing individual accounts of the user.

Password strength rules
A password strength rule is a rule or requirement to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be five. The rules might specify that the maximum number of characters must be 10. You can define password strength rules in a password policy.

Resources overview
Resources are the applications, components, processes, and other functions that users need to complete their work assignments. IBM Security Identity Manager uses a service to manage user accounts and access to resources, using adapters to provide trusted communication of data between the resources and IBM Security Identity Manager.
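The password synchronization and strength-rule behaviour described above, as an added illustration that is not IBM Security Identity Manager code: it propagates a password change only across a user's individual accounts, leaves sponsored accounts (Device, System, Vendor) alone, and copies the existing individual password when an account is provisioned with synchronization on. The Account record, the sample accounts and the 5-to-10 character rule (the page's own example values) are constructed for the demonstration.

```python
"""Password synchronization and strength-rule behaviour, as an added
illustration. Not IBM Security Identity Manager code: the Account record,
the sample accounts and the 5-to-10 character rule are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Ownership types the page names: Individual, plus the three sponsored types.
SPONSORED_TYPES = {"Device", "System", "Vendor"}


@dataclass
class Account:
    service: str
    owner: str
    ownership: str                   # "Individual" or one of SPONSORED_TYPES
    password: Optional[str] = None
    status: str = "active"           # "active" or "suspended"


def check_strength(password: str, min_len: int = 5, max_len: int = 10) -> bool:
    """Password strength rule as the page describes it: a minimum and a maximum length."""
    return min_len <= len(password) <= max_len


def change_password(accounts: List[Account], owner: str, service: str,
                    new_password: str, sync_enabled: bool) -> List[str]:
    """Change the password of one account. With synchronization enabled and an
    individual target account, every other individual account of the same owner
    gets the same password; sponsored accounts are never touched. Returns the
    names of the services whose password changed."""
    if not check_strength(new_password):
        raise ValueError("password violates the strength rule")
    target = next(a for a in accounts if a.owner == owner and a.service == service)
    propagate = sync_enabled and target.ownership == "Individual"
    changed = []
    for acct in accounts:
        if acct.owner != owner:
            continue
        if acct is target or (propagate and acct.ownership == "Individual"):
            acct.password = new_password
            changed.append(acct.service)
    return changed


def provision_account(accounts: List[Account], owner: str, service: str,
                      sync_enabled: bool, prompted_password: Optional[str] = None) -> Account:
    """Create an individual account. With synchronization enabled the user is not
    prompted: the account takes the password of the owner's existing individual
    accounts. With it disabled, a password must be specified."""
    if sync_enabled:
        existing = [a.password for a in accounts
                    if a.owner == owner and a.ownership == "Individual" and a.password]
        if not existing:
            raise ValueError("no individual account password to synchronize from")
        password = existing[0]
    else:
        if prompted_password is None:
            raise ValueError("a password must be specified when synchronization is off")
        if not check_strength(prompted_password):
            raise ValueError("password violates the strength rule")
        password = prompted_password
    acct = Account(service, owner, "Individual", password)
    accounts.append(acct)
    return acct


def sample_accounts() -> List[Account]:
    """Constructed sample: jdoe owns two individual accounts and one sponsored
    Device account; asmith owns an unrelated individual account."""
    return [
        Account("ISIM", "jdoe", "Individual", "start1"),
        Account("Lotus Notes", "jdoe", "Individual", "start2"),
        Account("printer-01", "jdoe", "Device", "devpw01"),
        Account("ISIM", "asmith", "Individual", "other1"),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    print(change_password(accts, "jdoe", "ISIM", "newpass9", sync_enabled=True))
    print(provision_account(accts, "jdoe", "Linux", sync_enabled=True).password)
```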

Services
A service represents a managed resource, such as an operating system, a database application, or another application that IBM Security Identity Manager manages. For example, a managed resource might be a Lotus Notes application. Users access these services by using an account on the service.
Services are created from service types, which represent a set of managed resources that share similar attributes. For example, there is a default service type that represents Linux machines. These service types are installed by default when IBM Security Identity Manager is installed. Alternatively, they are installed when you import the service definition files for the adapters for those managed resources.
Accounts on services identify the users of the service. Accounts contain the login and access information of the user and allow the use of specific resources.
Most services use IBM Security Identity Manager to provision accounts, which usually involves some workflow processes that must be completed successfully. However, manual services generate a work order activity that defines the manual intervention that is required to complete the request or to provision the account for the user.
A service owner owns and maintains a particular service in IBM Security Identity Manager. A service owner is either a person or a static organizational role. For a static organizational role, all the members of the organizational role are considered service owners. If that static organizational role contains other roles, then all members of those roles are also considered service owners.

Service types
A service type is a category of related services that share schemas. It defines the schema attributes that are common across a set of similar managed resources. Service types are used to create services for specific instances of managed resources. For example, you might have several Lotus Domino servers that users need access to. You might create one service for each Lotus Domino server with the Lotus Domino service type.

Service prerequisite
A service might have another service defined as a service prerequisite. A user can receive a new account only if they have an existing account on the service prerequisite. For example, Service B has a service prerequisite, Service A. If a user requests an account on Service B, in order to receive an account, the user must first have an account on Service A.

Service definition file
A service definition file, which is also known as an adapter profile, defines the type of managed resource that IBM Security Identity Manager can manage. The service definition file creates the service types on the IBM Security Identity Manager Server. The service definition file is a JAR file that contains the following information:
- Service information, including definitions of the user provisioning operations that can be done for the service, such as add, delete, suspend, or restore.

- Service provider information, which defines the underlying implementation of how the IBM Security Identity Manager Server communicates with the managed resource. Valid service providers are Tivoli Directory Integrator and DSML2.
- Schema information, including the LDAP classes and attributes.
- Account forms and service forms. A properties file for accounts and supporting data such as service groups defines the labels for the attributes on these forms. The labels are displayed in the user interface for creating services and requesting accounts on those services.

Manual services
A manual service is a type of service that requires manual intervention to complete the request. For example, a manual service might be defined for setting up voice mail for a user. Manual services generate a work order activity that defines the manual intervention that is required.
You might create a manual service when IBM Security Identity Manager does not provide an adapter for a managed resource for which you want to provision accounts. When you create a manual service, you add new schema classes and attributes for the manual service to your LDAP directory.
See the following topics:
- "Manual services and service type" in the IBM Security Identity Manager Configuration Guide
- "Enabling connection mode" in the IBM Security Identity Manager Administration Guide

Adapters
An adapter is a software component that provides an interface between a managed resource and IBM Security Identity Manager. An adapter functions as a trusted virtual administrator for the managed resource. An adapter does such tasks as creating accounts, suspending accounts, and other functions that administrators typically do.
An adapter consists of the service definition file and the executable code for managing accounts. Adapters are deployed in one of two ways:
Agent-based adapter
  An agent-based adapter must be on the managed resource in order to administer accounts. For example, the Lotus Notes adapter for AIX is an agent-based adapter.
Agentless adapter
  An agentless adapter can be on a remote server in order to administer accounts. For example, the UNIX/Linux adapter is an agentless adapter.
Adapters are created from one of two technologies:
Adapter Development Kit (ADK)
  Adapters that are created with the ADK are either agent-based adapters or agentless adapters. The ADK is the base component of the adapters and contains the runtime library, filtering and event notification functionality, protocol settings, and logging information. The ADK is the same across the adapters.
IBM Tivoli Directory Integrator
  Adapters that are created with IBM Tivoli Directory Integrator are either agent-based or agentless adapters. These adapters are implemented as assembly lines, each of which is a single path of data transfer and transformation. IBM Tivoli Directory Integrator can pass data from one assembly line to the next assembly line.
Several agentless adapters are automatically installed when you install IBM Security Identity Manager. You can install additional agentless or agent-based adapters.

Adapter communication with managed resources
Communication between IBM Security Identity Manager and managed resources has several solutions. Linux and UNIX managed resources use agentless adapters that are created with IBM Tivoli Directory Integrator. Other managed resources use ADK adapters. Figure 4 illustrates how communication links between software products and components can be configured.

[Figure 4. Secure communication in the IBM Security Identity Manager environment. Components shown: Web browser; IBM Security Identity Manager Server on WebSphere Application Server; Tivoli Directory Integrator adapter; other adapters; UNIX managed resource (reached over SSH); LDAP managed resource. Key: SSL = one-way or two-way SSL; SSH = Secure Shell protocol.]

System security overview
An organization has critical needs to control user access and to protect sensitive information. First, an organization agrees on security requirements for business needs. Then, a system administrator configures the groups, views, access control items, and forms that IBM Security Identity Manager provides for security of its data.

Security model characteristics
An organization defines a security model to meet its business needs. The model serves as a basis to define the requirements and actual implementation of a security system.
Some characteristic objectives of a security model include:
- Verifying the identity of users, provided by authentication systems that include password strength and other factors.
- Enabling authorized users to access resources, provided by authorization systems that define request-based or role-based processes, and related provisioning. Resources, for example, include accounts, services, user information, and IBM Security Identity Manager functions. A security model also requires additional provisioning processes to select the resources that users are permitted to access.
- Administering which operations and permissions are granted for accounts and users.
- Delegating a user's list of activities to other users, on a request or assignment basis.
- Protecting sensitive information, such as user lists or account attributes.
- Ensuring the integrity of communications and data.

Business requirements
A business needs agreement on its security requirements before implementing the processes that IBM Security Identity Manager provides. For example, requirement definitions might answer these questions:
- What groups of IBM Security Identity Manager users are there?
- What information does each user group need to see?
- What tasks do the users in each group need to do?
- What roles do users perform in the organization?
- Which access rights need definition?
- What working relationships exist that require some users to have different authority levels?
- How can prevention and auditing provide remedies for activity that does not comply with established policies?
To meet common business needs, a business might frequently have several groups, such as a manager, a help desk assistant, and an auditor group. The business might have customized groups that do a more expanded or limited set of tasks.

Resource access from a user's perspective
To provide security of data for a user who works within a range of tasks on specific business resources, IBM Security Identity Manager might provide one or more roles, and membership in one or more groups. For example, a user in a business unit often has a title, or role, that has a responsibility, such as buyer. The user might also be a member of a group that provides a view of tasks that the user can do, such as regional purchasing. The relationships are illustrated in Figure 5 on page 60:

[Figure 5. Securing data for user access to resources]

Each role has a related provisioning policy and workflow to grant the user access to one or more resources, such as accounts. Each group has a view of specific tasks, and one or more access control items that grant specific operations and permissions to do the tasks. By using a form designer applet, you can also modify the user interface that a user sees. You might remove unnecessary fields for account, service, or user attributes.

Groups
A group is used to control user access to functions and data in IBM Security Identity Manager. Group members have an account on the IBM Security Identity Manager service.
Membership in an IBM Security Identity Manager group provides a set of default permissions and operations, as well as views, that group members need. Your site might also create customized groups.
Additionally, some users might be members of a service group that grants specific access to a certain application or other functions. For example, a service group might have members that work directly with data in an accounting application.

Predefined groups, views, and access control items
IBM Security Identity Manager provides predefined groups. The groups are associated with views and access control items. Two user interfaces, or consoles, are available:
- Self-service console, for all users, for self-care activities such as changing personal profile information, such as a telephone number.
- Administrative console, for selected users who belong to one or more groups that enable a range of administrative tasks.
An IBM Security Identity Manager user with no other group membership has a basic privilege to use IBM Security Identity Manager.

This set of users needs only a self-service console for self-care capabilities. The users are not in a labeled "group" such as a Help Desk Assistant group.
The predefined groups are associated with predefined views and access control items, to control what members can see and do, as illustrated in Figure 6.

[Figure 6. Predefined groups, views, and access control items]

The predefined groups are:
Administrator
  The administrator group has no limits set by default views or access control items and can access all views and do all operations in IBM Security Identity Manager. The first system administrator user is named "itim manager".
Auditor
  Members of the auditor group can request reports for audit purposes.
Help Desk Assistant
  Members of the Help Desk Assistant group can request, change, suspend, restore, and delete accounts. Members can request, change, and delete access, and also can reset passwords, profiles, and accounts of others. Additionally, members can delegate activities for a user.
Manager
  Members of the Manager group are users who manage the accounts, profiles, and passwords of their direct subordinates.
Service Owner
  Members of the Service Owner group manage a service, including the user accounts and requests for that service.

Views
A view is a set of tasks that a particular type of user can see, but not necessarily do, on the graphical user interface. For example, it is a task portfolio of the everyday activities that a user needs to use IBM Security Identity Manager.

On both the self-service console and the administrative console, you can specify the view that a user sees.

Access control items
An access control item (ACI) is data that identifies the permissions that users have for a specific type of resource. You create an access control item to specify a set of operations and permissions. You also identify which groups use the access control item.
An access control item defines these items:
- The entity types to which the access control item applies
- Operations that users might do on entity types
- Attributes of the entity types that users might read or write
- The set of users that is governed by the access control item
IBM Security Identity Manager provides default access control items. You can also create a customized access control item. For example, a customized access control item might limit the ability of a specific Help Desk Assistant group to change information for other users. Access control items can also specify relationships such as Manager or Service Owner.
When you create customized reports, you must also manually create report access control items and entity access control items for the new report. These ACIs permit users who are not administrators, such as auditors, to run the custom report and view data in the custom report.
After you create an access control item or change an existing access control item, run a data synchronization to ensure that other IBM Security Identity Manager processes, such as the reporting engine, use the new or changed access control item.

Forms
A form is a user interface window that is used to collect and display values for account, service, or user attributes.
IBM Security Identity Manager includes a form designer, which runs as a Java applet, that you use to modify existing user, service, and account forms. For example, you might add the fax number attribute and an associated entry field to capture that number for a particular account. You might remove an account attribute that your organization does not want a user to see. If you remove an attribute from a form, it is completely removed; that is, even system administrators cannot see the attribute. You can see only those attributes that are on the form and that you have read or write access to (as granted by access control items).
Using the form designer, you can also customize forms for other elements in the organization tree, such as location or organization unit.

Organization tree overview
Business organizations have various configurations that contain their subordinate units, including services and employees.
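How the access control items and forms described above combine, as an added illustration that is not IBM Security Identity Manager code: an ACI carries the four parts the page lists (entity type, operations, readable and writable attributes, governed users), evaluation is deny-by-default, the Administrator group bypasses ACIs, and an attribute removed from the form is invisible to everyone. The sample ACIs, attribute names and the Person form are constructed; the group names reuse the page's predefined groups but the grants are illustrative, not the product defaults.

```python
"""Access control item (ACI) evaluation, as an added illustration. Not IBM
Security Identity Manager code: the sample ACIs, the attribute names and the
form contents are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# The page states that the Administrator group has no limits set by default ACIs.
ADMINISTRATOR = "Administrator"


@dataclass(frozen=True)
class ACI:
    entity_type: str              # entity type the ACI applies to, e.g. "Person"
    operations: FrozenSet[str]    # operations the governed users may perform
    read_attrs: FrozenSet[str]    # attributes they may read
    write_attrs: FrozenSet[str]   # attributes they may write (implies read)
    principals: FrozenSet[str]    # groups or relationships (e.g. "Manager") governed


def applicable(acis: Iterable[ACI], entity_type: str,
               memberships: FrozenSet[str]) -> List[ACI]:
    """ACIs that target this entity type and govern one of the user's groups or relationships."""
    return [a for a in acis if a.entity_type == entity_type and a.principals & memberships]


def may_perform(acis: Iterable[ACI], entity_type: str,
                memberships: FrozenSet[str], operation: str) -> bool:
    """Deny by default: allowed only if an applicable ACI grants the operation."""
    if ADMINISTRATOR in memberships:
        return True
    return any(operation in a.operations for a in applicable(acis, entity_type, memberships))


def visible_attributes(acis: Iterable[ACI], entity_type: str, memberships: FrozenSet[str],
                       form_attributes: Iterable[str]) -> Dict[str, str]:
    """Map each attribute on the form to "write" or "read" for this user.
    An attribute that is not on the form is never returned, even for
    Administrator: the page says a removed attribute is completely removed."""
    grants = applicable(acis, entity_type, memberships)
    visible: Dict[str, str] = {}
    for attr in form_attributes:
        if ADMINISTRATOR in memberships or any(attr in a.write_attrs for a in grants):
            visible[attr] = "write"
        elif any(attr in a.read_attrs for a in grants):
            visible[attr] = "read"
    return visible


# Constructed sample ACIs for the Person entity type. The group names match the
# page's predefined groups, but the grants are illustrative, not the product defaults.
SAMPLE_ACIS = [
    ACI("Person", frozenset({"search", "modify"}),
        frozenset({"cn", "sn", "telephoneNumber", "manager"}),
        frozenset({"telephoneNumber"}), frozenset({"Help Desk Assistant"})),
    ACI("Person", frozenset({"search"}),
        frozenset({"cn", "sn", "manager"}), frozenset(), frozenset({"Auditor"})),
    ACI("Person", frozenset({"search", "modify"}),
        frozenset({"cn", "sn", "telephoneNumber", "manager", "employeeNumber"}),
        frozenset({"telephoneNumber", "manager"}), frozenset({"Manager"})),
]

# Constructed Person form: employeeNumber was removed from it with the form designer.
PERSON_FORM = ["cn", "sn", "telephoneNumber", "manager"]


if __name__ == "__main__":
    for group in ("Help Desk Assistant", "Auditor", "Manager", ADMINISTRATOR):
        who = frozenset({group})
        print(group, may_perform(SAMPLE_ACIS, "Person", who, "modify"),
              visible_attributes(SAMPLE_ACIS, "Person", who, PERSON_FORM))
```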

For a specific set of business needs, you can configure IBM Security Identity Manager to provide a hierarchy of services. You can configure organizations, users, and other elements in a tree that corresponds to the needs of a user population.
Note: This release provides enhanced menus to search for a specific user, but not a graphic organization tree for that purpose. In this release, you cannot browse and create entities by navigating the organization tree. The association to a business unit within the organization tree is specified during the creation of the entity.

Nodes in an organization tree
An organization tree has nodes that include organizations and subordinate business units, as well as other elements. An organization tree can have these nodes:
Organization
  Identifies the top of an organizational hierarchy, which might contain subsidiary entities such as organization units, business partner organization units, and locations. The organization is the parent node at the top of the node tree.
Organization Unit
  Identifies a subsidiary part of an organization, such as a division or department. An organization unit can be subordinate to any other container, such as organization, organization unit, location, and business partner organization.
Business Partner Organization Unit
  Identifies a business partner organization, which is typically a company outside your organization that has an affiliation, such as a supplier, customer, or contractor.
Location
  Identifies a container that is different geographically, but contained within an organization entity.
Admin Domain
  Identifies a subsidiary part of an organization as a separate entity with its own policies, services, and access control items, including an administrator whose actions and views are restricted to that domain.

Entity types associated with a business unit
Different types of entities can be associated with a business unit in an organization tree. The association to a business unit is specified when the entity is created. Normally, an entity cannot change the business unit association after it is created. The only exception is the User entity. IBM Security Identity Manager supports the transfer of users between different business units.
The following entity types can be associated with a business unit in the organization tree:
- User
- ITIM group
- Service
- Role
- Identity policy
- Password policy
- Provisioning policy
- Service selection policy
- Recertification policy
- Account and access request workflow
- Access control item

Entity searches of the organization tree
This release provides menus to search for a specific user, but not a graphic organization tree to navigate to locate a specific user. To locate a specific user with search menus, use the advanced search filter to search by user type such as Person or Business Partner Person. In the search, you can also select a business unit and its subunits, and the status of the user, such as Active. Additionally, you can add other fields to qualify the search, including an LDAP filter statement.

Policies overview
A policy is a set of considerations that influence the behavior of a managed resource (called a service in IBM Security Identity Manager) or a user. A policy represents a set of organizational rules and the logic that IBM Security Identity Manager uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy.
IBM Security Identity Manager enables your organization to use centralized security policies for specified user groups. You can use IBM Security Identity Manager policies to centralize user access for disparate resources in an organization. You can implement additional policies and features that streamline operations associated with access to resources for users.
IBM Security Identity Manager supports the following types of policies:
- Adoption policies
- Identity policies
- Password policies
- Provisioning policies
- Recertification policies
- Separation of duty policies
- Service selection policies
A policy can apply to one or multiple service targets, which can be identified either by a service type or by listing the services explicitly. These policies do not apply to services that represent identity feeds.
Adoption policies apply to services. A global adoption policy applies to all services of a service type. Identity policies, password policies, and provisioning policies can apply to all service types, all services of a service type, or specific services.

Recertification policies cannot act on all serice types, but you can add all the different serices for a specific recertification policy. Separation of duty policies does not apply directly to serice types, and apply only to role membership for users. Serice selection policies apply to only one serice type. Policy types and naigation Table 24. Policy types and naigation Type of policy Adoption Identity Password Proisioning Recertification Separation of duty Serice selection Naigation Manage Policies > Manage Adoption Policies Manage Policies > Manage Identity Policies Manage Policies > Manage Password Policies Manage Policies > Manage Proisioning Policies Manage Policies > Manage Recertification Policies Manage Policies > Manage Separation of Duty Policies Manage Policies > Manage Serice Selection Policies Account defaults Account defaults define default alues for an account during new account creation. The default can be defined at the serice type leel that applies to all serices of that type. Alternatiely, the default can be defined at the serice leel, which applies only to the serice. Policy enforcement Global policy enforcement is the manner in which IBM Security Identity Manager globally allows or disallows accounts that iolate proisioning policies. When a policy enforcement action is global, the policy enforcement for any serice is defined by the default configuration setting. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute. Note: If a serice has a specific policy enforcement setting, that setting is applied to the noncompliant accounts. The global enforcement setting does not apply. Policy enforcement can also be set for a specific serice. Mark The existing user account on the old serice is marked as disallowed, and a new account is not created on the new serice. 
Suspend The existing user account on the old serice instance is suspended, and a new account is not created on the new serice. Alert An alert is sent to the recipient administrator to confirm remoal of the old Chapter 6. Technical oeriew 65

Correct Workflow oeriew account on old serices. A new account is created on new serice if the user does not hae account on new serice, and entitlement is automatic. Existing accounts are remoed on the old serice. A new account is created on new serice if the user does not hae account on new serice and entitlement is automatic. To work with global policy enforcement, go to the naigation tree and select Configure System > Configure Global Policy Enforcement. Note: To set serice policy enforcement, go to the naigation tree and select Manage Serices. A workflow defines a sequence of actiities that represent a business process. You can use workflows to customize account proisioning and access proisioning, and lifecycle management. A workflow is a set of steps or actiities that define a business process. You can use the IBM Security Identity Manager workflows to customize account proisioning and lifecycle management. For example, you can add approals and information requests to account or access proisioning processes. You can integrate lifecycle management processes (such as adding, remoing, and modifying people and accounts in IBM Security Identity Manager) with external systems. IBM Security Identity Manager proides these major types of workflows: Operation workflows Use operation workflows to customize the lifecycle management of accounts and people, or a specific serice type, such as all Linux systems. Operation workflows add, delete, modify, restore, and suspend system entities, such as accounts and people. You can also add new operations that your business process requires, such as approal for new accounts. For example, you might specify an operation workflow that defines actiities to approe the account, including notifications and manager approals. 
Account request and access request workflows
Use account request and access request workflows to ensure that resources such as accounts or services are provisioned to users according to the business policies of your organization.

Note: The term entitlement workflow was previously used for this workflow type in IBM Security Identity Manager Version 4.6.

An account request workflow can be bound to an entitlement for an access or an account. In provisioning policies, an entitlement workflow for accounts adds decision points to account requests, such as adding or modifying an account. If the request is approved, the processing continues; if the request is rejected, the request is canceled. The account request workflow is started during account provisioning requests, including adding and modifying an account, made by an IBM Security Identity Manager user or made during account auto provisioning. An account request workflow can also be started during an access request if there is no access request workflow defined.

66 IBM Security Identity Manager Version 6.0: Product Overview Guide

An access request workflow is bound to an access by the access definition, rather than by a provisioning policy. This workflow can specify the steps and approvals that authorize access to resources in a request. The access request workflow is started only for access requests that are made by an IBM Security Identity Manager user. The workflow is not started if the access is provisioned for the user as a result of an external or internal account request. An external account request is an account request made by an IBM Security Identity Manager user. An internal account request is an account request made by the IBM Security Identity Manager system. For example, auto account provisioning gives the user a default or mandatory group that maps to an access.
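The rules above for which workflow gates a request are easy to misread, in particular the fallback from the access request workflow to the account request workflow and the fact that an access granted through an account's default group never starts its own access request workflow. The following model, added here as an illustration and not taken from the product, encodes those rules and runs a few constructed requests through them. The class names, the `approve` callable standing in for a decision point, and the sample services, accesses and requesters are assumptions made for the example.

```python
"""Model of which IBM Security Identity Manager workflow a request starts.

Added illustration, not product code. Rules encoded from the text above:
- an account request workflow is bound to an entitlement (provisioning policy)
  and runs for account add/modify requests, whether a user or the system made them;
- an access request workflow is bound to the access definition and runs only for
  access requests made directly by a user, with the account request workflow as
  fallback when no access request workflow is defined;
- an access granted as a side effect of an account request starts no access
  request workflow; a rejected decision point cancels the request.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, List, Optional


class Kind(Enum):
    ACCOUNT_ADD = auto()
    ACCOUNT_MODIFY = auto()
    ACCESS = auto()        # access requested directly


class Origin(Enum):
    USER = auto()          # external request: made by an ISIM user
    SYSTEM = auto()        # internal request: e.g. account auto provisioning


@dataclass
class Workflow:
    name: str
    # Decision point (assumed shape): True continues processing, False cancels the request.
    approve: Callable[["Request"], bool]


@dataclass
class Access:
    name: str
    access_workflow: Optional[Workflow] = None   # bound by the access definition


@dataclass
class Entitlement:
    service: str
    account_workflow: Optional[Workflow] = None  # bound by the provisioning policy


@dataclass
class Request:
    kind: Kind
    origin: Origin
    requester: str
    entitlement: Entitlement
    # For ACCESS: the access being requested. For account requests: accesses that
    # the account's default or mandatory groups map to (granted as a side effect).
    accesses: List[Access] = field(default_factory=list)


def select_workflow(req: Request) -> Optional[Workflow]:
    """Return the workflow that gates this request, or None if it has no decision points."""
    if req.kind is Kind.ACCESS:
        if req.origin is not Origin.USER:
            return None  # access request workflows start only for user-made access requests
        direct = req.accesses[0] if req.accesses else None
        if direct is not None and direct.access_workflow is not None:
            return direct.access_workflow
        return req.entitlement.account_workflow  # fallback: no access request workflow defined
    # Account add/modify, by a user or by the system: the entitlement's workflow applies.
    # Accesses granted as a side effect never start their own access request workflow.
    return req.entitlement.account_workflow


def process(req: Request) -> dict:
    """Run the request through its workflow and report which one ran and the outcome."""
    wf = select_workflow(req)
    if wf is None:
        return {"workflow": None, "outcome": "completed"}
    outcome = "completed" if wf.approve(req) else "canceled"
    return {"workflow": wf.name, "outcome": outcome}


# --- constructed sample data (assumptions for the example) -------------------
def manager_approval(req: Request) -> bool:
    # Sample decision point: contractor requesters are rejected in this model.
    return not req.requester.startswith("contractor-")


ACCOUNT_WF = Workflow("approve-linux-account", manager_approval)
ACCESS_WF = Workflow("approve-finance-access", manager_approval)
LINUX = Entitlement("linux-prod", ACCOUNT_WF)
FINANCE = Access("finance-app", ACCESS_WF)
SUDO = Access("sudo-admins")   # access with no access request workflow defined


def demo() -> dict:
    return {
        "user_account_add": process(Request(Kind.ACCOUNT_ADD, Origin.USER, "jdoe", LINUX)),
        "auto_provision_with_default_group": process(
            Request(Kind.ACCOUNT_ADD, Origin.SYSTEM, "jdoe", LINUX, [FINANCE])),
        "user_access_request": process(Request(Kind.ACCESS, Origin.USER, "jdoe", LINUX, [FINANCE])),
        "user_access_request_fallback": process(Request(Kind.ACCESS, Origin.USER, "jdoe", LINUX, [SUDO])),
        "contractor_rejected": process(Request(Kind.ACCESS, Origin.USER, "contractor-7", LINUX, [FINANCE])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:36s} -> {result}")
```

The auto-provisioning case is the one to check in a real deployment: the finance-app access arrives through the account's default group, so only the account request workflow runs, and any approval attached to the access definition alone never fires.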


Chapter 7. Initial login and password information

To get started after installing IBM Security Identity Manager, you need to know the login URL and the initial user ID and password.

Login URL

The login URL enables you to access the IBM Security Identity Manager web interface.

The login URL for the IBM Security Identity Manager administrative console is:

http://ip-address:port/itim/console/main/

where ip-address is the IP address or DNS address of the IBM Security Identity Manager server, and port is the port number. The default port for new installations of IBM Security Identity Manager is 9080.

The login URL for the IBM Security Identity Manager self-service console is:

http://ip-address:port/itim/self

where ip-address is the IP address or DNS address of the IBM Security Identity Manager server, and port is the port number. The default port for new installations of IBM Security Identity Manager is 9080.

Initial user ID and password

The initial user ID and password to authenticate to IBM Security Identity Manager are:

Table 25. Initial user ID and password for IBM Security Identity Manager

User ID        Password
itim manager   secret

Copyright IBM Corp. 2012, 2013 69


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

(your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.

Notices 73

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

This information was developed for products and services that are offered in the US and the European Union.

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled "Cookies, Web Beacons and Other Technologies" and "Software Products and Software-as-a Service".

Index

A
access 49, 54 entitlement 54 management 25, 48 access control 48, 62 accessibility iii accounts 54 active, inactive 54 and access management 18 created on account types 54 form 15 ownership type 11 search, self service console 18 ACI 62 adapters 57, 58 profile 56 supported levels 9 administrative console 40 adoption policies 64 agent-based adapter 57 agentless adapter 57 application programming interface (API) 19 approval workflow process 34 audit trail tracking 34 authorization ACI 62

B
browser requirements 9 business requirements 59

C
client connections browser requirements 9 compliance, corporate 34

D
database server support 6 directory server requirements 6 dynamic role 43

E
education iii enhanced adapter testing 17 enhanced logging APIs 20 entities 49 entitlement workflow 66 entity search 64 extended role attributes 14

F
features 11 overview 25 fix packs 1 form designer 62 forms 62

G
groups 60 members 60 planning 60

H
hardware requirements 3 health monitoring 22 WebSphere Performance Monitoring Infrastructure 22 hybrid provisioning model 48

I
IBM Cognos report server, software requirements 8 reporting framework 22 IBM Software Support iii IBM Support Assistant iii IBM Tivoli Directory Integrator support 7 identity 53 governance 39 policies 64 Identity Service Center user interface 12, 41 installation images 1

K
known limitations 23 known problems 23

L
login initial user ID and password 69 URL 69

M
main components 50 managed resources 30, 56, 58 manual services 57 message log 20 middleware components 50 multiple access levels 18

N
new features 11 account ownership type 11 api for recertification policies 20 external user registry 19 multiple level access types 18 report data synchronization 21 role assignment attributes 14 service connection mode 16 service management 16 service tagging 17 shared access module 12, 26 web services api 20 node 63 notices 71

O
online publications ii terminology ii operating system support 3 operation workflow 66 operational role management 39 organization entity types 63 overview 63 role 48 tree 63, 64 overview organization 63 entity types 63 self-access management 43

P
passwords forgotten 55 policies 64 policy and compliance 34 reset 55 strength rules 55 synchronization 55 people 53 persona-based console 40 policies adoption 64 identity 64 password 64 provisioning 64 recertification 64 recertification, API 19 recertification, compliance 34 separation of duty 64 service selection 64 policy enforcement 34 privileged identity management 12 problem determination, support information iii provisioning accounts 49 overview 44 policies 64 policy 34 resources 48, 49 publications accessing online ii list of for this product ii

R
recertification 42 report data 42 synchronization 21 reporting 42 reporting framework reporting model 22 static reports 22 request-based access 48 request-based provisioning 48 requirements browser 9 database server 6 definitions 59 directory integrator 7 directory server 6 hardware 3 Java Runtime Environment 5 JRE 5 operating system 3 report server 7 software 3 supported adapter levels 9 Tivoli Reporting Server 7 web application server 5 resources access 59 overview 55 provisioning 47 retry service 17 roadmap 30 role assignment attributes 14 customization 14 management 14

S
schema 56 security lifecycle 25 model 59 system 59 self-care user interface 41 separation of duty policies 64 service definition file 56 service failure retry 17 service form 17 service management and provisioning 15, 17 services 56 manual 57 prerequisite 56 selection policies 64 status 17 tagging 15 types 56 shared access configuration 30 documentation 27 features 27 module 12 software requirements IBM Cognos report server 8 Java Runtime Environment 5 JRE 5 operating system 3 static role 43 system security 58

T
terminology ii three user interfaces 40 Tivoli Reporting Server requirements 7 training iii troubleshooting iii known limitations 23

U
user access 59 user interface Identity Service Center 12, 41 new 12, 41 users 53

V
vertical clusters 19 views, default 62 virtualization, supported products 4

W
workarounds 23 workflows entitlement 66 operation 66

Printed in USA GC14-7692-01