
IBM Security Identity ManagerVersion 6.0

Configuration Guide

SC14-7696-00



Note: Before using this information and the product it supports, read the information in "Notices" on page 251.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of contents

Table list ... vii

About this publication ... ix
  Access to publications and terminology ... ix
  Accessibility ... x
  Technical training ... x
  Support information ... x

Chapter 1. User interface customization overview ... 1
  Self-service user interface customization ... 1
    Configuration files and descriptions ... 1
    User interface elements affected by view definitions ... 4
    Customizing labels, description, and other screen text ... 6
    Customizing website layout ... 8
    Customizing banner, footer, toolbar, and navigation bar content ... 10
    Customizing the self-service home page ... 13
    Customizing style sheets ... 15
    Merging style sheet customizations from a previous version ... 21
    Redirecting help content ... 29
    Configuring direct access to self-service tasks ... 30
    Customizing person search capability ... 31
  Administrative console user interface customization ... 32
    Configuration files and descriptions ... 33
    Customizing banner content ... 34
    Customizing footer content ... 36
    Customizing the administrative console home page ... 37
    Customizing the title bar ... 40
    Redirecting help content ... 40
    Customizing the number of items displayed on pages ... 41

Chapter 2. Service type management ... 43
  Manual services and service types ... 45
    Creating manual services ... 45
    Changing a manual service ... 47
    Configuring a manual service type to support groups ... 48
    Reconciliation for manual services ... 49
  Service definition file or adapter profile ... 50
  Creating service types ... 50
  Changing service types ... 52
  Importing service types ... 53
  Deleting service types ... 53
  Managing account defaults on a service type ... 54
    Adding account defaults to a service type ... 55
    Changing account defaults for a service type ... 56
    Removing account defaults from a service type ... 56

Chapter 3. Access type management ... 59
  Creating access types ... 59
  Changing access types ... 60
  Deleting access types ... 61

Chapter 4. Shared access configuration ... 63
  Configuring the credential default settings ... 63
  Customizing the service form template to include the unique identifier (eruri) attribute ... 65
  Configuring an external credential vault server ... 66
  Advanced configuration for shared access ... 69
    Customization of the checkout operation ... 69
    Shared access approval and recertification ... 69
    Customizing the checkout form ... 70

Chapter 5. Global adoption policies ... 73
  Creating a global adoption policy ... 73
  Changing a global adoption policy ... 74
  Deleting a global adoption policy ... 74

Chapter 6. Post office configuration ... 77
  Customizing the post office email template ... 78
  Post office dynamic content custom tags ... 79
  Post office label and messages properties ... 80
  Post office template extensions ... 80
  Post office JavaScript extensions ... 81
  Testing and troubleshooting the post office email template ... 82
  Modifying the sample email content ... 82
  Enabling the post office for workflow activities ... 84

Chapter 7. Form customization ... 85
  Customizing form templates ... 85
    Adding tabs to form templates ... 86
    Renaming tabs on form templates ... 87
    Arranging tabs on form templates ... 87
    Deleting tabs from form templates ... 88
    Adding attributes to form templates ... 89
    Modifying attribute properties ... 89
    Changing attribute control types ... 90
    Arranging attributes on form templates ... 91
    Deleting attributes from form templates ... 92
  Customizing account form templates for a service instance ... 92
    Adding tabs to form templates for a service instance ... 94
    Renaming tabs on form templates for a service instance ... 95
    Arranging tabs on form templates for a service instance ... 95
    Deleting tabs from form templates for a service instance ... 96
    Adding attributes to form templates for a service instance ... 97
    Modifying attribute properties ... 98
    Changing attribute control types ... 100
    Arranging attributes on form templates for a service instance ... 101
    Deleting attributes from form templates for a service instance ... 102
    Removing a customized form template from a service instance ... 102
  Resetting form templates ... 103
  Form designer interface ... 104
  Control types used by the form designer ... 106
  Properties used by the form designer ... 113
  Properties that change the form designer user interface ... 117

Chapter 8. Managing manual notification templates ... 119

Chapter 9. Entities management ... 121
  Adding system entities ... 121
  Changing system entities ... 122
  Deleting system entities ... 123
  Customizing role schema ... 124

Chapter 10. Ownership type management ... 125
  Creating ownership types ... 125
  Deleting ownership types ... 126

Chapter 11. Operations management ... 127
  Add operation ... 127
  changePassword operation ... 128
  Delete operation ... 128
  Modify operation ... 128
  Restore operation ... 129
  selfRegister operation ... 129
  Suspend operation ... 130
  Transfer operation ... 130
  Adding operations for entities ... 130
  Changing operations for entities ... 131
  Deleting operations for entities ... 132

Chapter 12. Lifecycle rules management ... 135
  Lifecycle rule filters and schedules ... 136
  Lifecycle rule processing ... 137
  Lifecycle rule modification ... 138
  Lifecycle event schema information ... 138
  Adding lifecycle rules for entities ... 139
  Changing lifecycle rules for entities ... 140
  Deleting lifecycle rules for entities ... 140
  Running lifecycle rules for entities ... 141
  LDAP filter expressions ... 142
    Relationship expressions ... 142
    System expressions ... 144

Chapter 13. Policy join directives configuration ... 147
  Customizing policy join behavior ... 148
    Account validation logic ... 151
    Join directives examples ... 153
    Join logic examples ... 154

Chapter 14. Global policy enforcement ... 157
  Configuring a global enforcement policy ... 157
    Setting a mark on an account ... 157
    Suspending an account ... 158
    Replacing a noncompliant attribute with a compliant attribute ... 159
    Creating an alert on an account ... 160

Chapter 15. Data import and export ... 163
  Object dependencies for data migration ... 164
  Performing a full export ... 166
  Performing a partial export ... 166
  Downloading the JAR file ... 168
  Deleting export records ... 168
  Uploading the JAR file ... 169
  Resolving conflicts ... 170
  Deleting imports ... 171
  Making import and export JAR files portable ... 171

Chapter 16. Configuring and administering IBM Tivoli Common Reporting ... 173
  Installing or upgrading to Tivoli Common Reporting Version 2.1.1 ... 173
  Importing the report package into Tivoli Common Reporting ... 174
  Configuring embedded WebSphere Application Server ... 174
    Configuring embedded WebSphere Application Server with a Jython script ... 175
    Configuring embedded WebSphere Application Server with wsadmin commands ... 176
  Configuring the data source in Tivoli Common Reporting ... 186
  Running a report ... 186
  Creating new reports with the Eclipse Business Intelligence Reporting Tool designer ... 187
  Report descriptions and parameters ... 187
    Audit and security: accesses ... 187
    Dormant accounts ... 188
    Entitlements granted to an individual ... 188
    Noncompliant accounts ... 189
    Orphan accounts ... 189
    Requests: approvals and rejections ... 189
    Separation of duty policies reports ... 189
    Separation of duty violation report ... 190
    Services ... 190
    Summary of accounts on a service ... 190
    Suspended accounts ... 191
    User recertification history report ... 191
    User recertification policy definition report ... 192
    Shared access audit history report ... 192
    Shared access entitlements by owner ... 192
    Shared access entitlements by role ... 193
  Reports maintenance ... 193
    Changing the JAAS authentication alias ... 193
    Changing the JDBC provider ... 194
    Changing the data source ... 194
    Saving the configuration changes ... 195
  Debugging ... 195
    Errors in report generation and formatting ... 195
    Logs ... 196
  Known problems and solutions ... 196
    Bar chart does not display the smaller value ... 197
    Eclipse Business Intelligence Reporting Tool charting engine does not display all X-axis categories ... 197
    Chart legend keeps disallowed series visible ... 197
    Firefox version 1.5 displays a prior report generation when running a PDF report ... 197
    Graph chart displays the legend with all defined series ... 198
    Hyperlink within report is always displayed ... 198
    Last record in table row is split between two pages ... 198
    OutOfMemoryException error occurs with large result sets ... 198
    Parameter lists display duplicate names ... 199
    PDF of large report does not load ... 199
    Pie chart values overlap ... 199
    Report parameter lists do not include all values ... 200
    Reports cannot include Business Partner Persons ... 200
    Running large reports cause memory fragmentation ... 200
    Service parameters display invalid values ... 201
    Snapshot parameters do not display normal text ... 201
    Snapshot report is empty in Excel format ... 201
    Text in reports is displayed incorrectly when using Asian languages ... 201
    User Dn report parameter scale issue ... 202

Chapter 17. Identity feed management ... 203
  Comma-Separated Value (CSV) identity feed ... 205
  Directory Services Markup Language (DSML) identity feed ... 207
    JavaScript code within DSML identity feeds ... 208
    Using the JNDI service provider for DAML ... 208
    Event notifications of HR data ... 209
    Importing HR data with reconciliation ... 214
  AD Organizational identity feed ... 217
  inetOrgPerson identity feed ... 218
  IBM Tivoli Directory Integrator (IDI) data feed ... 220
    Managing identity information with IBM Tivoli Directory Integrator ... 221
    Scenario: bulk loading identity data ... 221
  Identity feeds that retain group membership ... 222
  Map of inetOrgPerson to Windows Server Active Directory attributes ... 223
  User passwords provided by an identity feed ... 224
  Attributes in an identity feed that are not in a schema ... 225
  Supported formats and special processing of attributes ... 225
  Modifiable schema classes and attributes ... 227
  Person naming and organization placement ... 227
    Determining the placement of the person ... 228
  Creating an identity feed service ... 229
  Performing an immediate reconciliation on an identity feed service ... 230
  Creating a reconciliation schedule for an identity feed service ... 231

Chapter 18. IBM Security Identity Manager utilities ... 233
  System configuration tool (runConfig) ... 233
  runConfig command ... 233
  Database configuration tool (DBConfig) ... 233
  DBConfig command ... 234
  Directory server configuration tool (ldapConfig) ... 234
  ldapConfig command ... 234
  SAConfig: shared access module utility ... 235

Chapter 19. IBM Security Identity Manager integration for IBM SmartCloud Control Desk ... 237
  Introduction to the IBM Security Identity Manager integration for IBM SmartCloud Control Desk ... 237
    IBM SmartCloud Control Desk ... 237
    Integration between IBM Security Identity Manager and IBM SmartCloud Control Desk ... 238
  Prerequisite software ... 238
  Components of the IBM Security Identity Manager integration for IBM SmartCloud Control Desk ... 239
  Installation road map ... 239
  Obtaining the installation package ... 239
  Configuring IBM SmartCloud Control Desk ... 240
  Configuring the Maximo Enterprise Adapter ... 241
    Running updatedb.bat ... 241
  Configuring WebSphere ... 242
    Enabling IBM SmartCloud Control Desk user deletion (optional) ... 242
    Adding password link to IBM SmartCloud Control Desk (optional) ... 242
    Building IBM SmartCloud Control Desk ... 243
    Deploying IBM SmartCloud Control Desk on WebSphere Application Server ... 244
  Configuring IBM Security Identity Manager ... 244
    Configuring WebSphere ... 245
    Configuring IBM Security Identity Manager 6.0 ... 245
  Adapter attributes ... 247

Notices ... 251

Index ... 255

Table list

1. Properties configuration files and descriptions ... 2
2. Java server pages (JSP) configuration files and descriptions ... 2
3. Cascading style sheet (CSS) configuration files and descriptions ... 3
4. Layout properties and details ... 9
5. Layout elements and file names ... 10
6. Request parameters, values, and descriptions ... 11
7. Home page request parameters, values, and descriptions ... 14
8. Section Java bean request parameters, values, and descriptions ... 14
9. Task Java bean request parameters, values, and descriptions ... 14
10. Cascading Style Sheet file names ... 15
11. CSS styles reference ... 18
12. Self-service help properties and description ... 29
13. Direct-access tasks and URLs ... 30
14. Properties configuration files and descriptions ... 33
15. Banner property keys ... 35
16. Footer property keys ... 36
17. Direct access tasks and links ... 37
18. Self-service help properties and description ... 41
19. Panel parameters, default values, and descriptions ... 42
20. Example CVClient.properties file ... 66
21. Optional properties in cvserver.properties ... 67
22. Example KMIP properties file ... 67
23. Configuration settings to enable SSL and specify the port ... 69
24. Form designer applet menu and toolbar buttons ... 104
25. SubForm parameters ... 113
26. Sample filter relationship expressions ... 144
27. Join directives ... 147
28. Service attributes ... 148
29. Two provisioning policies ... 154
30. Example provisioning policies ... 155
31. Dependencies and parent objects ... 165
32. Required data for JAAS authentication alias ... 177
33. Required data for a JDBC provider ... 178
34. Example classpath values for the JDBC providers supported by IBM Security Identity Manager ... 178
35. Implementation class name for the JDBC providers supported by IBM Security Identity Manager ... 179
36. Properties for DB2 and Microsoft SQL Server databases ... 182
37. Data source helper class names ... 182
38. Filters for accesses report ... 188
39. Filters for dormant accounts report ... 188
40. Filters for entitlements granted to an individual report ... 188
41. Filters for noncompliant accounts ... 189
42. Filters for orphan accounts report ... 189
43. Filters for approvals and rejections report ... 189
44. Filters for separation of duty policy definition report ... 190
45. Separation of duty violation report ... 190
46. Filters for services report ... 190
47. Filters for summary of accounts on a service report ... 190
48. Filters for suspended accounts report ... 191
49. Filters for user recertification history report ... 191
50. Filters for user recertification policy definition report ... 192
51. Filters for shared access audit history report ... 192
52. Filters for shared access entitlements by user report ... 193
53. Filters for shared access entitlements by role report ... 193
54. Group membership after initial identity feed ... 222
55. Map of inetOrgPerson and Windows Server Active Directory organizationalPerson attributes ... 223
56. Running SAConfig ... 235
57. Installation and configuration tasks ... 239
58. IBM Security Identity Manager integration for IBM SmartCloud Control Desk installation package ... 240
59. Steps for configuring IBM SmartCloud Control Desk ... 240
60. Steps for configuring IBM Security Identity Manager ... 244
61. Attributes, descriptions, and corresponding data types ... 247
62. Add request attributes ... 248
63. Change request attributes ... 248
64. Delete request attributes ... 249
65. Suspend request attributes ... 249
66. Restore request attributes ... 249
67. Restore request attributes ... 249

About this publication

IBM Security Identity Manager Configuration Guide provides information about initially configuring and customizing IBM Security Identity Manager. The product has been designed to require minimal setup; it is your decision to modify the default settings whenever you need to.

Access to publications and terminology

This section provides:
• A list of publications in the IBM Security Identity Manager library.
• Links to "Online publications."
• A link to the "IBM Terminology website" on page x.

IBM Security Identity Manager library

The following documents are available in the IBM Security Identity Manager library:
• IBM Security Identity Manager Quick Start Guide, CF3L2ML
• IBM Security Identity Manager Product Overview Guide, GC14-7692
• IBM Security Identity Manager Scenarios Guide, SC14-7693
• IBM Security Identity Manager Planning Guide, GC14-7694
• IBM Security Identity Manager Installation Guide, GC14-7695
• IBM Security Identity Manager Configuration Guide, SC14-7696
• IBM Security Identity Manager Security Guide, SC14-7699
• IBM Security Identity Manager Administration Guide, SC14-7701
• IBM Security Identity Manager Troubleshooting Guide, GC14-7702
• IBM Security Identity Manager Error Message Reference, GC14-7393
• IBM Security Identity Manager Reference Guide, SC14-7394
• IBM Security Identity Manager Database and Directory Server Schema Reference, SC14-7395
• IBM Security Identity Manager Glossary, SC14-7397

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager Information Center
  The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm site displays the information center welcome page for this product.

IBM Security Information Center
  The http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp site displays an alphabetical list of and general information about all IBM Security product documentation.

IBM Publications Center
  The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the topic "Accessibility features for IBM Security Identity Manager" in the IBM Security Identity Manager Reference Guide.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Security Identity Manager Troubleshooting Guide provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Chapter 1. User interface customization overview

Many customers want a simple user interface for their employees to interact with IBM® Security Identity Manager to do basic management and provisioning functions. IBM Security Identity Manager provides a dual user interface that is customizable and provides the basic IBM Security Identity Manager functions needed by both users and administrators.

Interface customization options that IBM Security Identity Manager provides give customers the control and flexibility to manage how IBM Security Identity Manager functions are presented to their employees. With these options, customers can integrate a self-service user interface and administrative console interface into their intranet website and maintain a common corporate appearance.

Self-service user interface customization

This section describes how to customize the self-service user interface.

The IBM Security Identity Manager self-service user interface is highly customizable. Customers can integrate a common corporate appearance while maintaining the flexibility to do self-care identity management tasks integral to their roles and responsibilities.

You can define and customize the self-service interface in two ways, by using the built-in console framework and by directly modifying files installed within IBM Security Identity Manager:
• Built-in console features:
  – Access control items (ACIs)
  – Views
• Modifiable files:
  – Properties files
  – Cascading style sheet (CSS) files
  – A subset of Java™ server pages (JSP) files
  – Image files

Back up any modifiable files for recovery purposes before making customization changes to IBM Security Identity Manager.

Configuration files and descriptions

Configuration files define the appearance of the IBM Security Identity Manager self-service user interface.

The following tables list the file names and describe their roles in the customization of IBM Security Identity Manager.

Table 1. Properties configuration files and descriptions

SelfServiceUI.properties
  • Controls the layout of the user interface (banner, footer, navigation bar, toolbar), the number of pages that display, and the number of search results returned.
  • Configures the items available in the "Search By" box for user search in the self-service interface.
  • Enables direct access to the Expired Password change screen and bypasses the self-service login page under certain conditions. The property key that allows these actions is ui.directExpiredChangePasswordEnabled.

SelfServiceScreenText.properties
  Provides the text on the self-service user interface.

SelfServiceScreenText_language.properties
  Provides the language-specific text on the self-service user interface. By default this file is SelfServiceScreenText_en.properties, which contains the English language bundle.

SelfServiceHomePage.properties
  Defines the sections of the self-service user interface home page and the order in which they occur.

SelfServiceHelp.properties
  Defines the links to HTML help pages on the self-service user interface. The HTML files are in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service_help.war directory. You can redirect help by modifying the information in this file.

SelfServiceScreenTextKeys.properties
  Provides label keys on the self-service user interface. This file can be used to assist with customization of screen text by providing a template to develop labels and instructions.

  The file contains labels which are set to the key name, for instance password_title=password_title. For customization and development purposes, you can copy this file to SelfServiceScreenText_language.properties, where language is a language suffix that is not installed. You can then switch your browser locale from your current language to the unused language. Restart the web application to navigate through the pages and see the label keys instead of the value text. By switching your browser locale you can then toggle between keys and values. When customization is complete, you can then copy and rename the file to the language suffix you want to use, for example SelfServiceScreenText_en.properties, to finalize changes.

Table 2. Java server pages (JSP) configuration files and descriptions

loginBanner.jsp
  Contains the content of the banner on the self-service login page.

loginFooter.jsp
  Contains the content of the footer on the self-service login page.

loginToolbar.jsp
  Contains the content of the toolbar on the self-service login page.

Home.jsp
  Contains the content of the self-service home page.

banner.jsp
  Contains the content of the self-service banner.

footer.jsp
  Contains the content of the self-service footer.

nav.jsp
  Contains the content of the self-service navigation bar.

toolbar.jsp
  Contains the content of the self-service toolbar.

Table 3. Cascading style sheet (CSS) configuration files and descriptions

calendar.css
  CSS file that contains the styles used for calendar widgets.

customForm.css
  CSS file that contains the styles used to lay out custom forms for left to right language orientation.

customForm_rtl.css
  CSS file that contains the styles used to lay out custom forms for right to left language orientation.

dateWidget_ltr.css
  CSS file that contains the styles used for date widgets for left to right language orientation.

dateWidget_rtl.css
  CSS file that contains the styles used for date widgets for right to left language orientation.

enduser.css
  CSS file that contains main CSS styles for left to right language orientation.

enduser_rtl.css
  CSS file that contains main CSS styles for right to left language orientation.

time.css
  CSS file that contains the styles used for time widgets.

widgets.css
  CSS file that contains the styles used for other widgets for left to right language orientation.

widgets_rtl.css
  CSS file that contains the styles used for other widgets for right to left language orientation.

Backing up and restoring self-service user interface configuration files

Before you begin customization of the self-service user interface, back up all configuration files in IBM Security Identity Manager for later recovery purposes.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Log in to each computer that is running IBM Security Identity Manager. Back up the following files:
• In the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory:
  – banner.jsp
  – calendar.css
  – customForm.css
  – customForm_rtl.css
  – dateWidget_ltr.css
  – dateWidget_rtl.css
  – enduser.css
  – enduser_rtl.css
  – footer.jsp
  – Home.jsp
  – loginBanner.jsp
  – loginFooter.jsp
  – loginToolbar.jsp
  – nav.jsp
  – time.css
  – toolbar.jsp
  – widgets.css
  – widgets_rtl.css

  Note: Default files are also available in the ITIM_HOME\data\defaults directory.
• In the ITIM_HOME\data directory:
  – SelfServiceHelp.properties
  – SelfServiceHomePage.properties
  – SelfServiceScreenText.properties
  – SelfServiceUI.properties
  – SelfServiceScreenTextKeys.properties

About this task

Any changes made to properties files require you to restart the IBM Security Identity Manager application. For instance, upon recovering any properties files, complete these steps:

Procedure
1. Using the WebSphere® administration console, click the Applications group in the left frame, and then click the Enterprise Applications link.
2. Select the check box next to the IBM Security Identity Manager application and click the Stop button.
3. After the application stops, select the check box next to the IBM Security Identity Manager application and click the Start button.
4. Verify that the recovery is complete by logging in to the self-service user interface.
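As an added example (not from the IBM guide), the following Python script backs up the customization files listed above into a timestamped directory and records a SHA-256 manifest, so that before a restore, or at any later check, you can see which JSP, CSS or properties files have changed or disappeared since the backup was taken. The file names are the guide's; the backup layout, the manifest format and the constructed sample tree in demo() are this example's own assumptions.

```python
"""Back up the ISIM self-service customization files and detect later drift.

Added example, not part of the IBM guide. File names come from the guide's
backup list; backup layout, manifest format and demo() are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Files under WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom
CUSTOM_WAR_FILES = [
    "banner.jsp", "calendar.css", "customForm.css", "customForm_rtl.css",
    "dateWidget_ltr.css", "dateWidget_rtl.css", "enduser.css",
    "enduser_rtl.css", "footer.jsp", "Home.jsp", "loginBanner.jsp",
    "loginFooter.jsp", "loginToolbar.jsp", "nav.jsp", "time.css",
    "toolbar.jsp", "widgets.css", "widgets_rtl.css",
]
# Files under ITIM_HOME\data
DATA_FILES = [
    "SelfServiceHelp.properties", "SelfServiceHomePage.properties",
    "SelfServiceScreenText.properties", "SelfServiceUI.properties",
    "SelfServiceScreenTextKeys.properties",
]


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def source_files(custom_dir, data_dir):
    """Yield (label, path) for each listed file that exists on disk."""
    for name in CUSTOM_WAR_FILES:
        path = Path(custom_dir) / name
        if path.is_file():
            yield "custom/" + name, path
    for name in DATA_FILES:
        path = Path(data_dir) / name
        if path.is_file():
            yield "data/" + name, path


def backup(custom_dir, data_dir, backup_root):
    """Copy the files into a UTC-timestamped folder and write manifest.json.
    Returns the manifest: label -> SHA-256 of the copied file."""
    dest = Path(backup_root) / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    manifest = {}
    for label, src in source_files(custom_dir, data_dir):
        target = dest / label
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)          # copy2 keeps the file timestamps
        manifest[label] = sha256_of(target)
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(custom_dir, data_dir, manifest):
    """Compare the live files with a manifest.
    Returns label -> "modified" | "missing" | "unlisted"; empty dict means no drift."""
    findings, seen = {}, set()
    for label, path in source_files(custom_dir, data_dir):
        seen.add(label)
        if label not in manifest:
            findings[label] = "unlisted"   # present now, absent at backup time
        elif sha256_of(path) != manifest[label]:
            findings[label] = "modified"   # content changed since the backup
    for label in manifest:
        if label not in seen:
            findings[label] = "missing"    # backed up, gone now
    return findings


def demo():
    """Walk-through on a constructed sample tree; returns values a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        custom, data = Path(tmp) / "custom", Path(tmp) / "data"
        custom.mkdir()
        data.mkdir()
        # Constructed stand-ins for three of the real files.
        (custom / "banner.jsp").write_text("<%-- constructed banner --%>\n")
        (custom / "enduser.css").write_text("body { color: #000; }\n")
        (data / "SelfServiceUI.properties").write_text(
            "ui.directExpiredChangePasswordEnabled=false\n")
        manifest = backup(custom, data, Path(tmp) / "backups")
        clean = verify(custom, data, manifest)
        # Simulate an unexpected edit and a deletion after the backup.
        (custom / "banner.jsp").write_text("<%-- edited later --%>\n")
        (custom / "enduser.css").unlink()
        drifted = verify(custom, data, manifest)
        return len(manifest), clean, drifted
```

Run verify() against the stored manifest.json before restoring a backup, or on a schedule, so an unexpected change to a server-side JSP is noticed rather than silently restored over.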

User interface elements affected by view definitionsDefined views affect the visibility of task panels and other elements within theself-service interface.

View definition elements

View definitions can have the following effects on the self-service user interface:


Home page
The home page adapts to the user's views by showing only the tasks and task panels on the home page that the user is granted. If the user is not allowed to view any tasks in a section, then the task panel also does not appear on the home page.

Some task views, such as the Request Account task, have advanced views. To clarify, Request Account is a single task. If the Request Account Advanced view is granted, or if both the Request Account and Request Account Advanced views are granted, the user has a single Request Account task on the home page. The main Request Account page displays a search page in which the user can search for a service on which they can request an account. If only the standard Request Account view is granted, and not the advanced view, then the Request Account task appears on the home page. The main Request Account page displays a table that lists the services the user can request an account on, instead of a search page.

If the user can do both Change and View tasks for an account or profile, the interface combines them into a single task. For example, the task appears as View or Change Account.

Some tasks might not appear if they are not enabled by the system administrator. For example, Change Forgotten Password Information requires the enablement of challenge response.

The Action Needed task is only available if there are pending to-do items or challenge response information is not configured.

Figure 1. Home page elements

Related tasks
Related task sections are displayed in many areas of the self-service application, for example when a request is submitted. View definitions can filter some or all of these sections from being shown based upon the view definition permissions. For example, if the user does not have regular access to View My Requests, then it is filtered from the Related Tasks task panel.

Panel instruction text
The instruction text on certain screens can contain links to the View My Requests task. A different instruction message is displayed without the task link if the user is not granted the View My Requests task in a view definition.

Customizing labels, description, and other screen text

You can change the majority of the text displayed in the self-service user interface through customization.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Figure 2. Related task panel element

Figure 3. Instruction text panel element


About this task

Not every label can be customized by the user. Only the labels that have an entry present in the SelfServiceScreenTextKeys.properties file can be customized.

The following screen text items can be customized:
v Titles
v Subsection titles
v Subsection descriptions
v Field labels
v Table column headers and footers
v Button text

The following figure shows the visual representation of these screen text items.

Figure 4. Screen text

Text that cannot be replaced includes error messages and text in the help content that you access by clicking the help link. However, it is possible to redirect help requests to a different URL.

To customize screen text, complete the following steps:

Procedure
1. Make a backup copy of the SelfServiceScreenText.properties and SelfServiceScreenTextKeys.properties files. If you have installed a language pack, back up any other language pack files you plan to modify, including the SelfServiceScreenText_en.properties file. SelfServiceScreenText.properties is the default file used if no other matching language is found.
2. Edit the properties files. Modify the values of the screen text fields and save the files. Note that any changes you make to the SelfServiceScreenText.properties file should also be made to the SelfServiceScreenText_en.properties file to maintain consistency.
3. Restart the IBM Security Identity Manager application to make the changes effective.

Customizing website layout

You can change the layout in the self-service user interface with customization.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

High-level layout elements can be enabled and disabled from display in the self-service user interface with settings in the SelfServiceUI.properties file. The default layout contains a banner, toolbar, and footer.

Turning page elements on and off gives various layout options. The only required page element is the content element, which contains the tasks and task pages.

To show or hide a page element, change the corresponding ui.layout.showname property in the SelfServiceUI.properties file. For instance, ui.layout.showBanner controls the display of the banner section. Setting a property to true indicates that the element is included in the page. A setting of false indicates that the element is not included in the page.

Any change to the SelfServiceUI.properties file requires a restart of the IBM Security Identity Manager application in WebSphere to make the change effective.

The following figures show a visual representation of different layout elements and options.

Figure 5. Layout elements. The figure shows the Banner, Navigation, Toolbar, Content, and Footer elements and labels each one with its page and property:
v Banner: page banner.jsp, property ui.layout.showBanner
v Navigation: page nav.jsp, property ui.layout.showNav
v Toolbar: page toolbar.jsp, property ui.layout.showToolbar
v Footer: page footer.jsp, property ui.layout.showFooter

The following table displays a list of properties and their details.

Table 4. Layout properties and details

ui.layout.showBanner
  Controls the banner section. The default banner contains IBM and product images.

ui.layout.showFooter
  Controls the footer section. The default footer contains the product copyright.

ui.layout.showToolbar
  Controls the toolbar section. The default toolbar contains the welcome message, help link, logoff link, and breadcrumbs.

ui.layout.showNav
  Controls the navigation bar.
  Note: No default content is included for the navigation bar.

To customize the layout, complete the following steps:

Procedure
1. Make a backup copy of the SelfServiceUI.properties file in the ITIM_HOME\data directory.
2. Edit the SelfServiceUI.properties file. Modify the values of the ui.layout properties and save the file.
3. Restart the IBM Security Identity Manager application to make the changes effective.

Figure 6. Layout options. The figure illustrates that turning page elements on and off gives a variety of layout options; the only required page element is the content element. A content-only mode is provided so that content can easily be integrated into another portal by using an IFrame or web clipping.

Customizing banner, footer, toolbar, and navigation bar content

You can change the appearance of the self-service user interface by customizing the banner, footer, toolbar, and navigation bar.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Content in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory can be replaced or modified to alter the appearance of the self-service user interface. You can replace or modify the banner, footer, toolbar, and navigation bar.

The layout elements are JSP fragments that are included in the layout of the web page when the JSP is rendered.

The following table displays a list of layout elements and their corresponding files, which are in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory.

Table 5. Layout elements and file names

Banner: banner.jsp
Footer: footer.jsp
Toolbar: toolbar.jsp
Navigation bar: nav.jsp

To modify these files, complete these steps:

Procedure
1. Make backup copies of the files and store the files you want to modify in a temporary directory.
2. Edit the files in the temporary directory and copy the updated files back into the deployed WebSphere directory. No restart of the IBM Security Identity Manager application is required for these changes to take effect.

What to do next

The default version of these files is shipped with the product archive. Be sure to back up the custom version of the files you created so that your changes are not lost.

Request parameters and content examples for use in customizing user interface content

This section describes the request parameters you can use in JSP files to customize content.

Request parameter values

To support dynamic content such as breadcrumbs, help links, and user IDs, a few request parameters are available. The following table shows these properties, their possible values, and a description.

Table 6. Request parameters, values, and descriptions

loggedIn
  Value: true or false
  Description: Flag that indicates whether the user is currently logged in.

usercn
  Value: The common name of the owner of the logged-in account
  Description: Note: This value is only set if the user is logged in.

langOrientation
  Value: ltr or rtl
  Description: Indicates the language direction of the current locale, either left to right or right to left.

helpUrl
  Value: /itim/self/Help.do?helpId=example_url
  Description: URL to the help web page with the helpId parameter set for the current page.

helpLink
  Value: Example: home_help_url
  Description: The helpId for the current page. The value home_help_url maps to the corresponding key in the SelfServiceHelp.properties file.

breadcrumbs
  Value: example_message_key1, example_message_key2, example_message_key3
  Description: A list of message keys that correspond to entries in the SelfServiceScreenText.properties file.

breadcrumbLinks
  Value: pathname1, pathname2, empty_string
  Description: A list of links that is the same length as the breadcrumbs list.

Examples of request parameters in toolbar.jsp

The default file toolbar.jsp contains the logic to display the welcome message and help links. This logic can be moved into the other layout elements; for example, the welcome message might be provided in the banner.

Displaying the welcome message

The following code checks to see whether the user's common name is set. If so, it translates the welcome message and substitutes the name into the message.

Note: The self-service user interface message labels and keys are defined in the SelfServiceScreenText.properties file.

<%-- If the user's common name is not empty, display it. This value is not
     set until the user is logged in --%>
<c:if test="${!empty usercn and loggedIn == true}">
  <%-- Translate the "Welcome, Common Name" message, passing in the name --%>
  <fmt:message key="toolbar_username">
    <%-- c:out escapes the name for HTML before it is placed in the page --%>
    <fmt:param><c:out value="${usercn}"/></fmt:param>
  </fmt:message>
</c:if>
</div><%-- end user info --%>

Displaying help links

The following code adds the Help link to the page. The helpUrl is retrieved from the help attributes, and the help label is translated for display.

<%-- Add the Help link to the page --%>
<a id="helpLink" href="javascript:launchHelp('<c:out value="${helpUrl}"/>')"><fmt:message key="toolbar_help"/></a>

Supporting logoff

The Logoff link should only be displayed if the user is currently logged in. The following code tests whether the loggedIn request parameter is true. If so, the code translates the label for the logoff link and includes the link in the page.

<%-- If the user is logged in, display the logoff link --%>
<c:if test="${loggedIn == true}">
  <a id="logofflink" href="/itim/self/Login/Logoff.do"><fmt:message key="toolbar_logoff"/></a>
</c:if>

Displaying breadcrumbs

The following code adds the breadcrumbs to the page. The breadcrumbs attribute contains the list of label keys for the breadcrumbs. The breadcrumbLinks attribute contains URL information for each breadcrumb label. A value of null or empty in breadcrumbLinks indicates that the breadcrumb is not linkable.

<%-- If the breadcrumb label keys are not empty, then display them --%>
<c:if test="${!empty breadcrumbs}">
  <c:forEach items="${breadcrumbs}" var="breadcrumb" varStatus="status">
    <c:if test="${status.index > 0}">&nbsp;&gt;&nbsp;</c:if>
    <c:choose>
      <%-- If the action link is not empty for the current label, then
           create a link for the breadcrumb --%>
      <c:when test="${!empty breadcrumbLinks[status.index]}">
        <html:link action="${breadcrumbLinks[status.index]}"><fmt:message key="${breadcrumb}"/></html:link>
      </c:when>
      <%-- If the action link is empty, then just translate the
           label for the breadcrumb --%>
      <c:otherwise>
        <fmt:message key="${breadcrumb}"/>
      </c:otherwise>
    </c:choose>
  </c:forEach>
</c:if>

Customizing the self-service home page

You can change the home page in the self-service user interface with customization.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

The home page refers to the main page that gets loaded in the content layout element after a user logs in to the self-service user interface.

Section and task definitions tie defined views to tasks, and group tasks into sections, also called task pages. These section and task definitions are defined in the SelfServiceHomePage.properties file in the ITIM_HOME\data directory.

The home page layout element is a JSP fragment that is included in the layout of the web page. This layout information is stored in the Home.jsp file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory.

You can add tasks and sections to the home page by updating the SelfServiceHomePage.properties file. The comments in the file explain the file format. You can alter the content without modifying the JSP file.

To customize the home page, complete these steps:

Procedure
1. Make a backup copy of the SelfServiceHomePage.properties file in the ITIM_HOME\data directory.
2. Make a backup copy of the Home.jsp file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory.
3. Edit the SelfServiceHomePage.properties file. Modify the values and save the file.
4. Copy the Home.jsp file to another directory, then modify the file in that directory and copy the updated file back into the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory. The default version of these files is shipped with the product archive. Be sure to back up the custom version of the files you created so your customizations are not lost.
5. Restart the IBM Security Identity Manager application in WebSphere to make the changes effective.

Request parameters and content examples for use in customizing the home page content

This section describes the request parameters you can use in JSP files to customize home page content.

Home page form parameters

To support dynamic home page content such as sections, action-needed sections, and tasks, a Java bean is available as a request parameter called HomePageForm. The home page Java bean contains a handful of methods that can be used to access information about sections and tasks.

Table 7. Home page request parameters, values, and descriptions

sections
  Value: List of Section Java beans
  Description: A list of sections the current user can view.

sectionToTaskMap
  Value: Map of sections to their corresponding tasks
  Description: A map that links a specified section Java bean to a task Java bean.

actionNeededSection
  Value: Section Java bean, or null
  Description: A section Java bean that contains the pending actions for the current user. A null is used if no pending actions exist for the current user.

The following properties are available for the section Java bean:

Table 8. Section Java bean request parameters, values, and descriptions

titleKey
  Value: Title message key for the section
  Description: The message key for the section title.

iconUrl
  Value: Icon URL, or null
  Description: The URL path for the icon to be used for this section. A null is used to indicate that no icon is used.

iconAltTextKey
  Value: Text key
  Description: Text key to be used as the alternate text for the icon of this section.

tasks
  Value: List of task Java beans
  Description: A list of tasks that can be displayed in this section.

The following properties are available for the task Java bean:

Table 9. Task Java bean request parameters, values, and descriptions

urlPath
  Value: URL
  Description: A URL path to this task.

urlKey
  Value: Text key
  Description: The text key to be used for the link to this task.

descriptionKey
  Value: Text key
  Description: Text key to be used as the description of this task.

Examples of request parameters in home.jsp

The following code obtains the HomePageForm Java bean, iterates through the available sections and tasks, and creates links to each available task.

<c:set var="pageConfig" value="${HomePageForm}" scope="page" />
<c:forEach items="${pageConfig.sections}" var="section">
  <%-- Process each section here --%>
  <c:forEach items="${pageConfig.sectionToTaskMap[section]}" var="task">
    <%-- Process each task of the section here --%>
    <a href="/itim/self/<c:out value="${task.urlPath}"/>"
       title="<fmt:message key="${task.urlKey}" />"><fmt:message key="${task.urlKey}" />
    </a>
    <fmt:message key="${task.descriptionKey}" />
  </c:forEach>
</c:forEach>

Customizing style sheets

You can change the appearance of the self-service user interface by customizing Cascading Style Sheets (CSS).

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Cascading Style Sheets (CSS) are used to style the appearance of the self-service user interface. You can edit the style sheets to modify the fonts, colors, and other styles associated with the self-service user interface. This section describes the location of the style sheets, and the key styles to edit to customize the user interface to match the look and feel of your website.

The default deployed CSS files are compressed and optimized with bandwidth in mind for scalability. The non-optimized versions (with whitespace and formatting intact) can be found in the ITIM_HOME\defaults\custom directory. The CSS files stored in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory are unsuitable for editing. Copy the default files stored in the ITIM_HOME\defaults\custom directory to another directory. Edit the style sheets and then copy your changed files to the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory.

The following table shows the CSS files that can be modified to adjust the self-service user interface.

Table 10. Cascading Style Sheet file names

end_user.css
  CSS file that contains the main CSS styles for left-to-right language orientation.

end_user_rtl.css
  CSS file that contains the main CSS styles for right-to-left language orientation.

widgets.css
  CSS file that contains styles used for widgets, such as those contained in Profile, Account, and RFI forms, for left-to-right language orientation.
  Note: Editing this file takes more advanced CSS skills.

widgets_rtl.css
  CSS file that contains styles used for widgets, such as those contained in Profile, Account, and RFI forms, for right-to-left language orientation.
  Note: Editing this file takes more advanced CSS skills.

dateWidget_ltr.css
  CSS file that contains styles used for date widgets, such as those contained in Profile, Account, and RFI forms, for left-to-right language orientation.
  Note: Editing this file takes more advanced CSS skills.

dateWidget_rtl.css
  CSS file that contains styles used for date widgets, such as those contained in Profile, Account, and RFI forms, for right-to-left language orientation.
  Note: Editing this file takes more advanced CSS skills.

time.css
  CSS file that contains styles used for time widgets, such as those contained in Profile, Account, and RFI forms.
  Note: Editing this file takes more advanced CSS skills.

customForm.css
  CSS file that contains styles used for layout forms, such as those contained in Profile, Account, and RFI forms, for left-to-right language orientation.
  Note: Editing this file takes more advanced CSS skills.

customForms_rtl.css
  CSS file that contains styles used for layout forms, such as those contained in Profile, Account, and RFI forms, for right-to-left language orientation.
  Note: Editing this file takes more advanced CSS skills.

The following figures provide a visual representation of page elements for which style changes can apply.

Figure 7. Page elements for style changes

Figure 8. Page elements for style changes (continued)

The following table provides a reference for the main CSS styles.

Table 11. CSS styles reference

Page title
  Main style selector: h1 (type selector)
  Description: Element used for all page titles.

Section title
  Main style selector: h2 (type selector)
  Description: Section titles for pages that do not contain a twisty.

Section title (twisty)
  Main style selector: h3 (type selector)
  Description: Section titles on pages which contain twisty sections. The titles are intended to allow space for the twisty image.

Breadcrumbs
  Main style selector: #breadcrumbs
  Description: The breadcrumbs navigation trail shown on the top left above the page title.

Button, button hover, disabled button
  Main style selectors (class selectors):
  v .button
  v .button_hover
  v .button_disabled
  Description: These button styles cover the majority of buttons in the user interface. The hover style is used when a mouse hovers over the button.

Figure 9. Page elements for style changes

Inline button, inline button hover
  Main style selectors (class selectors):
  v .button_inline
  v .button_inline_hover
  Description: Used for a subset of buttons with special layout requirements.

Page/section descriptions
  Example: This is a description.
  Main style selector: .description (class selector)
  Description: Page and section descriptions. The description is contained in a <div> block. Therefore, you could add borders, colors, etc. if desired.

Field labels
  Main style selector: label (type selector)
  Description: Field labels on forms.

Text field
  Example: white field background by default
  Main style selector: input.textField_std (class selector)
  Description: Standard text fields.

Required text field
  Example: yellow field background by default
  Main style selector: input.textField_required (class selector)
  Description: Required text fields.

Error text field
  Example: red field border by default
  Main style selector: input.textField_error (class selector)
  Description: Text fields in an error state.

Warning text field
  Example: yellow field border by default
  Main style selector: input.textField_warning (class selector)
  Description: Text fields in a warning state.

Field/value tables
  Example: rows such as Field Name1 / Field value1, Field Name2 / Field value2, and Multi-valued Field3 / Item 1, Item 2, Item 3, Item 4
  Main style selector: table.nameValueTable (class selector)
  Description: Field value tables are used throughout the user interface to display a field name and one or more corresponding values. For example, the Information section of the request submitted pages uses name value tables. The selector is shown for the table. Additional selectors exist that style the rows, cells, multi-value lists, and name columns for this table.

Password rules table
  Main style selectors (class selectors):
  v .pwRulesTable
  v .pwRulesTable.ruleCol
  v .pwRulesTable.valueCol
  v .pwRulesTable.accountInfoCol
  v .button_inline_hover
  Description: The password rules table is used to style the password rules sections throughout the user interface. The table consists of three columns: a rule column, a value column, and an account information column.

Message box
  Main style selector: div.messageBoxComposite
  Description: The message box composite is the main CSS selector for the message box. Additional selectors exist to specify the image, link, and message layout.

To customize the style sheets, complete these steps:

Procedure
1. Make a backup copy of the CSS files in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory.
2. Copy the CSS files from the ITIM_HOME\defaults\custom directory to another directory, then modify the files in that directory and copy the updated files to the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_self_service.war\custom directory. Be sure to back up the custom version of the files you created so your customizations are not lost.

Merging style sheet customizations from a previous version

After upgrading from a previous version of IBM Tivoli® Identity Manager, you must reapply any customizations you made to the cascading style sheet for the self-service user interface.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

You need access to the file system on which IBM Tivoli Identity Manager is deployed.

You must have a working knowledge of IBM Security Identity Manager and cascading style sheets (CSS).

About this task

Customizations, including view definitions, that are defined through the administrative console are preserved during an upgrade. Updates to SelfServiceScreenText.properties are automatically merged as well.

However, after the upgrade program completes, the deployed self-service cascading style sheet (CSS) is restored to factory defaults. First merge the updated CSS values into the customized CSS skin that you created for your previous version of the product. Then reapply your customized files to the deployed self-service WAR.

Note: During the upgrade, the ITIM.ear file is backed up from WebSphere Application Server to the ISIM_HOME/data/backup/ITIM.ear directory. You can view the itim_self_service.war/custom directory for a copy of the CSS skin that was deployed before the upgrade.

To merge CSS customizations, make the following additions and modifications to your original IBM Tivoli Identity Manager CSS files.

Note: If modifications for right-to-left (RTL) CSS files (for example, enduser_rtl.css) were made, merge the modifications by using a text comparison tool. Make the equivalent changes to the enduser_rtl.css file as to the enduser.css file, but adjust for the right-to-left layout.

Procedure
1. Open your existing CSS file with an editor. This file can be found in the directory ITIM_HOME/data/backup/ITIM.ear.
   Note: For a separate system upgrade, copy the files from the deployed ITIM.ear file.
2. Add the appropriate changes based on your migration path. See "CSS updates."
   For migration from Version 5.0 to Version 6.0, add the CSS changes made in both Version 5.1 and Version 6.0.
   For migration from Version 5.1 to Version 6.0, add the CSS changes made in Version 6.0 only.
3. Copy the updated CSS files to the self-service user interface custom directory itim_self_service.war/custom.

Results

These modifications take effect immediately, and no restart of the IBM Security Identity Manager application is required.
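As an added example (not IBM's code), the following Python helper applies the kinds of edits that the "CSS updates" section lists (append new rules, insert an @import, add or replace a declaration in an existing selector) to a pre-upgrade enduser.css skin. It skips rules the skin already has and refuses to overwrite a value that is not the one the guide says to replace; the sample skin and the trimmed rule set are constructed for the demo, and the @import is placed at the top of the file because browsers only honour @import rules that precede other rules.

```python
"""Merge the guide's CSS additions into a customised enduser.css skin.
Added example, not IBM's code. Handles plain `selector { declarations }` rules,
comments and @import/@charset statements; nested at-rules (@media) are not parsed."""
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
AT_STMT_RE = re.compile(r"@(?:import|charset)[^;]*;")
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")   # (selector text, declaration body)


def _selector_set(text):
    """Normalised selectors of one selector list, ignoring comments/at-statements."""
    text = AT_STMT_RE.sub("", COMMENT_RE.sub("", text))
    return {" ".join(part.split()) for part in text.split(",") if part.strip()}


def selectors_in(css):
    """Every selector that already has a rule in the stylesheet."""
    found = set()
    for sel, _ in RULE_RE.findall(css):
        found |= _selector_set(sel)
    return found


def add_rules(css, additions):
    """Append each rule of `additions` whose selectors are not all present yet.
    Returns (merged_css, added, skipped); rules are never duplicated, so the
    helper is safe to re-run after a partial merge."""
    existing = selectors_in(css)
    added, skipped = [], []
    out = css.rstrip("\n") + "\n"
    for sel, body in RULE_RE.findall(additions):
        sels = _selector_set(sel)
        group = ", ".join(sorted(sels))
        if sels <= existing:
            skipped.append(group)
            continue
        decls = "\n".join("  " + ln.strip() for ln in body.strip().splitlines())
        out += "\n" + " ".join(COMMENT_RE.sub("", sel).split()) + " {\n" + decls + "\n}\n"
        added.append(group)
        existing |= sels
    return out, added, skipped


def add_import(css, filename):
    """Insert @import "filename"; at the top (after any @charset).
    An @import that follows other rules is ignored by browsers, so appending it
    at the end of enduser.css would silently do nothing. Returns (css, inserted)."""
    if re.search(r'@import\s+(?:url\()?["\']?' + re.escape(filename), css):
        return css, False
    charset = re.match(r"\s*@charset[^;]*;\s*", css)
    head = charset.group(0) if charset else ""
    return head + f'@import "{filename}";\n' + css[len(head):], True


def set_declaration(css, selector, prop, value, expect=None):
    """Add or replace `prop: value;` in the first rule for `selector`.
    With `expect`, the current value must match it (the guide's "update
    background-color: black to #c8e0f8"); otherwise ValueError is raised so a
    skin that was already re-coloured is not overwritten unnoticed."""
    want = " ".join(selector.split())
    decl_re = re.compile(r"(\s*)" + re.escape(prop) + r"\s*:\s*([^;]+);")
    for m in RULE_RE.finditer(css):
        if want not in _selector_set(m.group(1)):
            continue
        body = m.group(2)
        d = decl_re.search(body)
        if d:
            current = d.group(2).strip()
            if expect is not None and current.lower() != expect.lower():
                raise ValueError(f"{selector} {prop} is {current!r}, not {expect!r}")
            body = body[:d.start()] + f"{d.group(1)}{prop}: {value};" + body[d.end():]
        elif expect is not None:
            raise ValueError(f"{selector} has no {prop} declaration to update")
        else:
            body = body.rstrip() + f"\n  {prop}: {value};\n"
        return css[:m.start(2)] + body + css[m.end(2):]
    raise ValueError(f"no rule for selector {selector!r}")


# Constructed pre-upgrade skin (not a real ISIM file): one twistie rule is
# already present, so the merge must skip it rather than duplicate it.
SAMPLE_SKIN = """/* customised 5.0 skin */
body { font-family: Arial, sans-serif; }
#banner { background-color: black; height: 60px; }
h1, h2, h3 { font-weight: bold; }
a.twistie_open h2 { margin-left: 0px; }
"""

# A trimmed subset of the 5.1 additions quoted in the guide.
ADDITIONS_51 = """a.twistie_open h2 {
  margin-left: 0px;
  background-image: url("/itim/self/images/twistie_open.gif");
}
a.twistie_closed h2 {
  margin-left: 0px;
  background-image: url("/itim/self/images/twistie_closed.gif");
}
.simpleLink:link, .simpleLink:visited {
  font-weight: normal;
}
"""


def merge_demo(css=SAMPLE_SKIN):
    """Apply the 5.1 rules and the 6.0 import/colour changes; return a summary."""
    css, added, skipped = add_rules(css, ADDITIONS_51)
    css, imported = add_import(css, "enduser_extra.css")
    css = set_declaration(css, "body", "background-color", "#F5F5F5")
    css = set_declaration(css, "#banner", "background-color", "#c8e0f8", expect="black")
    return {"css": css, "added": added, "skipped": skipped, "imported": imported,
            "import_first": css.lstrip().startswith("@import")}
```

Diff the returned stylesheet against the backed-up skin before copying it into itim_self_service.war/custom; for the RTL file, run the same calls against enduser_rtl.css and adjust the layout values by hand as the note above says.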

CSS updates

CSS changes added in 5.1:

enduser.css
Description: Added twistie for h2 headings.

Add the following text:
a.twistie_open h2 {
  margin-left: 0px;
  background-repeat: no-repeat;
  background-position: left;
  padding-left: 15px;
  background-image: url("/itim/self/images/twistie_open.gif");
}

a.twistie_closed h2 {
  margin-left: 0px;
  background-repeat: no-repeat;
  background-position: left;
  padding-left: 15px;
  background-image: url("/itim/self/images/twistie_closed.gif");
}

Description: Changed Review Activities instructions to be a twistie.

Add the following text:
/* Review Activity Styles */
#instructionDetailTwistieDiv {
  white-space: expression("pre"); /* IE */
  white-space: -moz-pre-wrap; /* Firefox */
  word-wrap: break-word;
}
/* End Review Activity Styles */

Description: Added CSS styles for User Recertification.

Add the following text:

/* Recertification items table styles */
table.recertItemsTable {
  width: auto;
}

table.recertItemsTable th {
  padding: .2em 1em .2em 1em;
  background-color: #C0C0C0;
  white-space: nowrap;
  text-align: left;
}

table.recertItemsTable td {
  padding: .2em 1em .2em 1em;
  border: 1px solid #C0C0C0;
}

table.recertItemsTable tr.recertItemRow td {
  border-bottom-style: none;
}

table.recertItemsTable tr.recertSubItemRow td {
  border-top-style: none;
  border-bottom-style: none;
}

table.recertItemsTable tr.altRow {
  background-color: #F6F6F6;
}

table.recertItemsTable .selectAllOptions {
  display: inline;
  padding: 0 .5em 0 .5em;
  font-weight: normal;
}

table.recertItemsTable .selectAllOptions a {
  padding: 0 .3em 0 .3em;
  color: #1375D7;
  font-weight: normal;
}

table.recertItemsTable .recertItemSelectAllOptions {
  display: inline;
  padding: 0 .5em 0 .5em;
  font-weight: normal;
  font-size: .8em;
}

table.recertItemsTable .recertItemSelectAllOptions a {
  padding: 0 .3em 0 .3em;
}

table.recertItemsTable a.recertExpandCollapseLink {
  margin-right: .2em;
}

table.recertItemsTable a.recertExpandCollapseLink img {
  border: none;
  vertical-align: bottom;
}

table.recertItemsTable div.recertItem {
  display: inline;
  margin-bottom: 2px;
}

table.recertItemsTable td.recertItemImpact {
  text-align: center;
}

table.recertItemsTable div.recertItemDescription {
  max-width: 300px;
  font-size: .8em;
}

table.recertItemsTable div.recertItemImpactedBy {
  display: inline;
  margin-bottom: 2px;
}

table.recertItemsTable td.recertItemActionRecertify {
  width: expression("0%"); /* IE */
  width: 1px; /* Firefox */
  white-space: nowrap;
  padding-right: 0;
  border-right: none;
}

table.recertItemsTable td.recertItemActionRecertifyErrorNone {
  width: expression("0%"); /* IE */
  width: 1px; /* Firefox */
  white-space: nowrap;
  padding: .2em 0 .2em 13px;
  border-right: none;
}

table.recertItemsTable td.recertItemActionRecertifyErrorExists {
  width: expression("0%"); /* IE */
  width: 1px; /* Firefox */
  white-space: nowrap;
  padding: .2em 0 .2em 5px;
  border-right: none;
}

table.recertItemsTable td.recertItemActionReject {
  width: 0%;
  white-space: nowrap;
  padding-left: 0;
  border-left: none;
  border-right: none;
}

table.recertItemsTable td.recertItemActionBlank {
  height: 24px;
}

table.recertItemsTable label.recertItemAction {
  display: inline;
}

table.recertItemsTable td.recertItemSelectAll {
  width: 0%;
  white-space: nowrap;
  padding-left: 0;
  border-left: none;
}

table.recertItemsTable .recertSubItem {
  font-size: 1em;
  margin: 0 0 0 1em;
}

table.recertItemsTable div.recertItemDecision {
  display: block;
  margin-bottom: 2px;
  margin-top: 5px;
}
/* End recertification items table styles */

.simpleLink:link, .simpleLink:visited {
  font-weight: normal;
}

.requiredInstruction {
  font-size: .8em;
  margin: 1em 0 0 1em;
  background-image: url("/itim/self/images/required_field.gif");
  background-repeat: no-repeat;
  background-position: center left;
  padding-left: 12px;
}

CSS changes added in 6.0:

enduser_extra.css

Import enduser_extra.css. Add the following text:

@import "enduser_extra.css";

Description: The background color of the self-service console has been changed to whitesmoke.

Add the following style in the body tag selector:

background-color: #F5F5F5;

Description: The background color of the banner has been changed to light blue.

Update the following style in the banner id selector:

background-color: black;

to

background-color: #c8e0f8;

Description: Various changes to the login screen.

Update the loginContainer id selector using the following style:

#loginContainer {
    width: 619px;
    margin: 20px auto;
    margin-left: auto;
    margin-right: auto;
    background-position: left top;
    background-repeat: no-repeat;
    background-color: #FFF;
    padding: 0;
    border: solid 1px #bbbbbb;
    font-family: Arial, Verdana, Helvetica, Tahoma, sans-serif;
    font-size: 12px;
    color: #555555;
    overflow: hidden;
    text-align: left;
}

Description: Layout changes for the product login image.

Add the following style in the loginImage id selector:

margin-left: 40px;
margin-top: -30px;

Description: Layout changes and font size changes for the product version.

Update the content of the loginVersion id selector:

margin-left: 110px;
font-size: 10px;

Description: Layout changes and font size changes for the login content.

Update the content of the loginContent id selector:

margin-left: 40px;
margin-right: 20px;
font-size: 14px;

Description: Styling for the new help link in the login screen.

Add the following style:

#loginToolbar {
    margin-right: 20px;
}

Description: Styling for the message box.

Add the following style:

#messageBox {
    margin-right: 80px;
    font-size: 14px;
}

Description: Add an extra tag selector h2i to the existing group selector declaration box for h1, h2, h3. Also, add the corresponding style for the h2i tag selector.

Add the following style:

h2i {
    font-size: 120%;
    border-bottom-style: none;
    border-bottom-width: 2px;
    margin-bottom: 0px;
    margin-left: 15px;
}

Description: Added a hand cursor for anchors.

Add the following style in the pseudo-classes a:LINK, a:VISITED:

cursor: hand;

(cursor: hand is a non-standard Internet Explorer value; other browsers use cursor: pointer.)

Description: Added a new class descriptioni.

Add the following style:

.descriptioni {
    display: block;
    margin-bottom: 20px;
    margin-left: 15px;
}

Description: Added a new style for tables.

Add the following style:

span.tableLayout {
    display: inline-block;
    min-width: 80%;
    margin: 10px 10px 10px 0;
}

Description: Updated the width for the table column header.

Add the following style in the thead th selector:

width: auto;

Description: Added a new class dataTable.

Add the following style:

.dataTable {
    width: 100%;
    margin: 0px;
}

Description: Added a new class customHeader.

Add the following style:

.customHeader {
    text-align: left;
    border-style: solid;
    background-color: #E6E6E6;
    border-width: 1px 1px 1px 1px;
    border-color: #C8C8C8 #C8C8C8 #737373 #C8C8C8;
    width: auto;
}

Description: Added a new class customHeaderTable.

Add the following style:

.customHeaderTable {
    border-top-style: hidden;
}

Description: Updated the width of anchors in the column header.

Add the following style in the thead th a:LINK, thead th a:VISITED selector:

width: auto;

Description: Added styles for account tables.

Add the following styles:

table #global_table_accounttype {
    width: 20%;
}

table #global_table_userid_10 {
    width: 10%;
}

table #global_table_description_30 {
    width: 30%;
}

Description: Added a new class viewRequestsCustomHeaderStyle.

Add the following style:

.viewRequestsCustomHeaderStyle {
    text-align: left;
    padding: 5px;
    vertical-align: middle;
}

Description: Added a style for custom header labels.

Add the following style:

div.viewRequestsCustomHeaderStyle label {
    display: inline;
    font-weight: bold;
}

Description: Added a new style for recertItemOwnershipType.

Add the following style:

table.recertItemsTable div.recertItemOwnershipType {
    max-width: 300px;
    font-size: 1em;
}

Description: Added styles for table cells.

Add the following style:

div.tableCellContent {
    white-space: nowrap;
    overflow: hidden;
    width: 25em;
    text-overflow: ellipsis;
}

Add an extra tag class tfootTd to the existing group selector declaration box for the tfoot th selector. Also, add an extra tag class label to the existing group selector declaration box for the label selector.

Description: Removed the following styles, which are no longer used.

Remove the following styles:

th.reviewActivitiesCustomHeader {
    text-align: left;
    border-style: solid;
    border-width: 1px 1px 1px 1px;
    background-color: #E6E6E6;
    border-color: #FFFFFF #C8C8C8 #737373 #FFFFFF;
}

.simpleLink:link, .simpleLink:visited {
    font-weight: normal;
}

.label_accessibility {
    display: none;
}

.requiredInstruction {
    font-size: .8em;
    margin: 1em 0 0 1em;
    background-image: url("/itim/self/images/required_field.gif");
    background-repeat: no-repeat;
    background-position: center left;
    padding-left: 12px;
}

What to do next

These modifications take effect immediately. A restart of the IBM Security Identity Manager application is not required.

Redirecting help content

You can redirect help requests to your own website to deliver custom help content.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Editing the out-of-the-box help content shipped with the self-service user interface is not supported. But it is possible to redirect help requests to your own website to deliver custom help content in line with your corporate appearance.

The SelfServiceHelp.properties file specifies the base URL that help requests are sent to. This file is in the ITIM_HOME\data directory.

The following table shows the property and property description for self-service help.

Table 12. Self-service help properties and description

Property                                        Description
helpBaseUrl                                     Specifies the base URL to send help requests to. A blank value indicates that help goes to the default URL for the self-service user interface.
Help Id mappings: helpId = relative page URL    The help mappings section maps IDs from specific pages to a relative URL sent to the help server.

The help URL is the combination of helpBaseUrl + locale + relativeHelppageURL.

For example:

helpBaseUrl = http://myserver:80
locale = en_US

The locale is determined by resolving the SelfServiceScreenText.properties resource bundle for the currently logged-in user and the associated locale.

loginId/relativeURL = login_help_url=ui/ui_eui_login.html

Therefore, the final URL = http://myserver:80/en_US/ui/ui_eui_login.html.

To redirect help, complete these steps:

Procedure

1. Make a backup copy of the SelfServiceHelp.properties file in the ITIM_HOME\data directory.
2. Change the helpBaseUrl property in the SelfServiceHelp.properties file.
3. Update the helpId mappings to use the relative URLs for your server.
4. Add pages to your server for the appropriate locales.
5. Restart the IBM Security Identity Manager application in WebSphere to make the changes effective.

Configuring direct access to self-service tasks

This section describes how to configure direct URL access to tasks in the self-service interface.

Many pages in the interface can be directly accessed from other HTML pages, facilitating integration with a company intranet portal.

The user must first authenticate by either logging in through the Login page or through single sign-on. When a user attempts to access a page for which direct access is supported, the following occur:
• If the page the user is attempting to access is defined by a view configured by the administrator, the page is displayed.
• If the page a user is attempting to access is not in a configured view, an error page is displayed instead of the requested page.

Note: Direct access to the Approve and Review Requests task is supported even if it is not enabled in a configured view. Also, depending on group membership, more than one view configuration might apply. If at least one view configuration that applies to a user includes the task the user is attempting to access, the page is displayed.

The following table displays tasks and URLs which are supported for direct access, and which you can link to from your company intranet portal.

Table 13. Direct-access tasks and URLs

Task                                              URL
Logon Page                                        http://server_name/itim/self
Change Password                                   http://server_name/itim/self/PasswordChange.do
Change Forgotten Password Information             http://server_name/itim/self/changeForgottenPasswordInformation.do
Expired Password (bypass the Login page)          http://server_name/itim/self/Login/DirectExpiredPasswordChange.do?expiredUserId=userID
                                                  Note: This solution works only if single sign-on is not enabled and the ui.directExpiredChangePasswordEnabled property is set to true in the SelfServiceUI.properties file.
Request Access                                    http://server_name/itim/self/RequestAccess.do
Request Access (for a specific access request)    http://server_name/itim/self/RequestAccess.do?accessDN=accessDN
View Access                                       http://server_name/itim/self/ViewAccess.do
Delete Access                                     http://server_name/itim/self/DeleteAccess.do
Delete Access Confirmation (for a specific        http://server_name/itim/self/DeleteAccess.do?accessDN=accessDN
access deletion)
Request Account                                   http://server_name/itim/self/RequestAccounts.do
Request Account (directly access the request      http://server_name/itim/self/RequestAccounts.do?serviceDN=serviceDN
account form for a specific service)
View Account                                      • http://server_name/itim/self/ViewAccount.do (multiple accounts view)
                                                  • http://server_name/itim/self/ViewAccount.do?userID=userID&serviceDN=serviceDN (specific service account)
View or Change Account                            http://server_name/itim/self/ViewChangeAccount.do
Change Account                                    • http://server_name/itim/self/ChangeAccount.do (multiple accounts view)
                                                  • http://server_name/itim/self/ChangeAccount.do?userID=userID&serviceDN=serviceDN (specific service account)
Delete Account                                    http://server_name/itim/self/DeleteAccount.do
Delete Account Confirmation                       http://server_name/itim/self/DeleteAccount.do?userID=userID&serviceDN=serviceDN (specific service account)
View Profile                                      http://server_name/itim/self/ViewProfile.do
Change Profile                                    http://server_name/itim/self/ChangeProfile.do
View My Requests                                  • http://server_name/itim/self/ViewRequests.do (multiple requests view)
                                                  • http://server_name/itim/self/ViewRequests.do?request=requestID (specific request view)
Approve and Review Requests                       • http://server_name/itim/self/ReviewActivities.do (multiple activity view)
                                                  • http://server_name/itim/self/ReviewActivities.do?activity=activityID (specific activity view)
Delegate Activities                               http://server_name/itim/self/delegateActivities.do

Customizing person search capability

You can enable person search capability in the self-service user interface.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Person search capability is a powerful feature that you can use to select only people that match certain search criteria. Person search filters a wide range of search attributes.

The names of attributes take the form ui.usersearch.attr.attribute_name=attribute_name in cases where attribute_name is common to all person and business partner person profiles. The attribute_name is a value that maps to that profile attribute. For example, ui.usersearch.attr.cn=cn searches by common name.

Some single attributes can map to multiple attributes if the profiles vary. In this case, the names of attributes take the form ui.usersearch.attr.attribute_name=profile1.attribute_name1,profile2.attribute_name1

For example, ui.usersearch.attr.telephone=Person.mobile,BPPerson.telephonenumber would map the mobile number for the person profile and the telephone number for the business partner person profile.

The translated value of the attribute name appears in the search by attribute box.

To enable person search capability for the self-service user interface, complete these tasks:

Procedure

1. Make a backup copy of the SelfServiceUI.properties file in the ITIM_HOME\data directory.
2. Add or remove attributes in the SelfServiceUI.properties file under the User Search configuration section.
3. Restart the IBM Security Identity Manager application in WebSphere to make the changes effective.
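The two key forms above, expanded into a per-profile map as an added example that is not IBM's code: it reads a constructed User Search section, applies a bare value to every profile, splits Profile.attribute lists per profile, rejects unknown profiles, and reports search names that leave a profile without an attribute. It assumes that Person and BPPerson, the profiles named in the telephone example above, are the only profiles present.

```python
"""Expand the User Search attribute keys of SelfServiceUI.properties into a
per-profile attribute map (added example, not IBM code).

The key prefix ui.usersearch.attr. and the two value forms come from the guide;
the profile names Person and BPPerson are taken from its telephone example and
assumed to be the only profiles present. The sample lines are constructed.
"""

PREFIX = "ui.usersearch.attr."
KNOWN_PROFILES = ("Person", "BPPerson")  # assumption, see module docstring

# Constructed sample of the User Search configuration section.
SAMPLE_LINES = [
    "# User Search configuration (constructed sample)",
    "ui.usersearch.attr.cn=cn",
    "ui.usersearch.attr.telephone=Person.mobile,BPPerson.telephonenumber",
    "ui.usersearch.attr.mail = mail",
    "ui.usersearch.attr.title=BPPerson.title",
]


def expand_user_search(lines, profiles=KNOWN_PROFILES):
    """Return {search_name: {profile: attribute}} for every ui.usersearch.attr.* key.

    A bare value (cn) applies to every profile; a comma-separated list of
    Profile.attribute items maps each profile separately. Malformed entries raise
    ValueError so a typo is caught before the application is restarted.
    """
    mapping = {}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!" or not line.startswith(PREFIX):
            continue  # comment, blank, or a key outside the User Search section
        key, sep, value = line.partition("=")
        if not sep or not value.strip():
            raise ValueError("missing '=' or empty value in %r" % line)
        name = key.strip()[len(PREFIX):]
        per_profile = {}
        for item in value.split(","):
            item = item.strip()
            if not item:
                raise ValueError("empty attribute in %r" % line)
            if "." in item:
                profile, attr = item.split(".", 1)
                if profile not in profiles:
                    raise ValueError("unknown profile %r in %r" % (profile, line))
                per_profile[profile] = attr
            else:
                for profile in profiles:  # common attribute: applies to every profile
                    per_profile.setdefault(profile, item)
        mapping[name] = per_profile
    return mapping


def unmapped_profiles(mapping, profiles=KNOWN_PROFILES):
    """List (search_name, profile) pairs where a search name has no attribute for
    a profile; neither of the guide's two forms covers such an entry, so review
    it before restarting."""
    return sorted(
        (name, profile)
        for name, per_profile in mapping.items()
        for profile in profiles
        if profile not in per_profile
    )


if __name__ == "__main__":
    result = expand_user_search(SAMPLE_LINES)
    for name, per_profile in result.items():
        print(name, per_profile)
    print("unmapped:", unmapped_profiles(result))
```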

Administrative console user interface customization

This section describes how to customize the administrative console user interface.

The IBM Security Identity Manager administrative console user interface is customizable. Customers can integrate a common corporate appearance while maintaining the flexibility to do administrative identity tasks integral to their roles and responsibilities.

You can define and customize the administrative console interface in two ways, by using the built-in console framework and by directly modifying files installed within IBM Security Identity Manager:
• Built-in console features:
  – Access control items (ACIs)
  – Views
• Modifiable files:
  – Properties files
  – Image files

Back up any modifiable files for recovery purposes before making customization changes to IBM Security Identity Manager.

Configuration files and descriptions

Configuration files define the appearance of the IBM Security Identity Manager administrative console user interface.

The following table lists the file names and describes their roles in the customization of IBM Security Identity Manager.

Table 14. Properties configuration files and descriptions

File Name                  File Description
ui.properties              Controls the appearance of the header, footer, and home page, and configures the title, number of pages displayed, and the number of search results returned.
helpmappings.properties    Controls the redirection and mapping of administrative console HTML help.

Backing up and restoring administrative console user interface configuration files

Before you begin customization of the administrative console user interface, back up all configuration files in IBM Security Identity Manager for later recovery purposes.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Create a directory named custom in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war directory and store any new customization files in that custom directory.

Log in to each computer that is running IBM Security Identity Manager and back up the following files:
• In the ITIM_HOME\data directory:
  – ui.properties
  – helpmappings.properties

About this task

Any changes made to properties files require that you restart the IBM Security Identity Manager application. For instance, upon recovering any properties files, complete these steps:

Procedure

1. Using the WebSphere administration console, click the Applications group in the left frame, and then click the Enterprise Applications link.
2. Select the check box next to the IBM Security Identity Manager application, and click the Stop button.
3. After the application stops, select the check box next to the IBM Security Identity Manager application, and click the Start button.
4. Verify that the recovery has completed by logging in to the self-service user interface.

Customizing banner content

You can change the appearance of the administrative console user interface by customizing the banner.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You can add or modify banner content to alter the appearance of the administrative console user interface.

The default banner area is defined in two files, a JSP file named banner.jsp and a properties file named ui.properties. The banner area consists of four parts:
• Banner launch link
• Banner launch logo
• Banner logo
• Banner background image

When customizing the banner, adjust the dimensions (width and height) of the components in the banner.jsp. Adjust these dimensions so that the custom logo image is sized properly without any distortion. Also ensure that the entire banner frame is not distorted.

You can change the banner launch link and logo by modifying the ui.properties file. If you want to modify the background image and banner logo, you must create a file to display your banner. This file can be either an HTML or a JSP banner file.

The following property keys in the ui.properties file define the banner launch link and banner launch logo. They also define the URL to the banner background image and logo.

Table 15. Banner property keys

Property key:   enrole.ui.customerLogo.image
Default value:  ibm_banner.gif
Description:    Launch link logo, located in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war\html\images directory. You can also specify a URL pointing to the image file or put this file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war\custom directory. If this directory does not exist, you must create it. Prefix the path name with /itim/console/custom in the ui.properties file. Specifying no value results in the default ibm_banner.gif file being displayed.

Property key:   enrole.ui.customerLogo.url
Default value:  www.ibm.com
Description:    Launch link URL. This value can be specified with or without the HTTP prefix. For instance, you can use www.ibm.com or http://www.ibm.com to specify the launch link URL.

Property key:   ui.banner.URL
Default value:  This value is left blank by default and displays the default banner area.
Description:    The HTML or JSP file that provides the banner logo, background image, and launch link and logo. You can enter either a URL or put this file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war\custom directory. If this directory does not exist, you must create it. Prefix the path name with /itim/console/custom in the ui.properties file.

Property key:   ui.banner.height
Default value:  48
Description:    Enter the pixel height of the banner.

To modify these files, complete these steps:

Procedure

1. Make backup copies of the files and store the files you want to modify in a temporary directory.
2. Edit the files in the temporary directory and copy the updated files back into the deployed WebSphere directory. You must restart the IBM Security Identity Manager application for these changes to take effect.

What to do next

Be sure to back up the custom version of the files you have created so your customizations are not lost.

Customizing footer content

You can change the appearance of the administrative console user interface by customizing the footer.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You can add or modify footer content to alter the appearance of the administrative console user interface.

The default footer area is defined in the ui.properties file.

The following property keys in the ui.properties file define the footer and specify its visibility and height.

Table 16. Footer property keys

Property key:   ui.footer.isVisible
Default value:  no
Description:    Specifies whether the footer is visible. By default the footer is disabled.

Property key:   ui.footer.URL
Default value:  This value is left blank by default.
Description:    Specifies the location of the HTML or JSP file that provides the footer. You can enter a URL. Alternatively, put this file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war\custom directory (if this directory does not exist, you must create it), and prefix the path name with /itim/console/custom in the ui.properties file.

Property key:   ui.footer.height
Default value:  50
Description:    Enter the pixel height of the footer.

To modify these files, complete these steps:

Procedure

1. Make a backup copy of the ui.properties file and store the file in a temporary directory.
2. Edit the file in the temporary directory and copy the updated file back into the deployed WebSphere directory. You must restart the IBM Security Identity Manager application for these changes to take effect.

What to do next

Be sure to back up the custom version of the file you created so your customizations are not lost.

Customizing the administrative console home page

You can change the home page in the administrative console user interface with customization.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

The home page refers to the main page that gets loaded after a user logs in to the administrative console user interface.

Section and task definitions tie defined views to tasks, and group tasks into sections, also called task pages. These section and task definitions are defined in a properties file in the ITIM_HOME\data directory.

You can code direct links to tasks from the home page to administrative functions. Use JSP to generate dynamic HTML so administrative functions are limited to users with the appropriate authority.

To customize the home page, complete these steps:

Procedure

1. Make a backup copy of the ui.properties file in the ITIM_HOME\data directory.
2. Edit the ui.properties file. Modify the ui.homepage.path key, and save the file. Enter a URL of the HTML or JSP file you are using for a home page. Alternatively, put this file in the WAS_PROFILE_HOME\installedApps\node_name\ITIM.ear\itim_console.war\custom directory (if this directory does not exist, you must create it), and prefix the file name with /itim/console/custom.
3. Restart the IBM Security Identity Manager application in WebSphere to make the changes effective.

Direct access URL links to administrative console tasks

This section provides the direct URL access links to tasks in the administrative console user interface.

The following table displays the links to tasks which are supported for direct access, and which you can link to from the home page.

Table 17. Direct access tasks and links

Task                                      URL
Change Password                           <a href="/itim/console/home/task/chopass">Change Password</a>
Manage Roles                              <a href="/itim/console/home/task/manage_orgroles">Manage Roles</a>
Manage Organization Structure             <a href="/itim/console/home/task/manage_org_structure">Manage Organization Structure</a>
Manage Users                              <a href="/itim/console/home/task/manage_people">Manage Users</a>
Manage Services                           <a href="/itim/console/home/task/manage_services">Manage Services</a>
Manage Identity Policies                  <a href="/itim/console/home/task/manage_identity_policies">Manage Identity Policies</a>
Manage Password Policies                  <a href="/itim/console/home/task/manage_password_policies">Manage Password Policies</a>
Manage Adoption Rules                     <a href="/itim/console/home/task/manage_adoption_rules">Manage Adoption Rules</a>
Manage Recertification Policies           <a href="/itim/console/home/task/manage_recertification_policies">Manage Recertification Policies</a>
Manage Provisioning Policies              <a href="/itim/console/home/task/manageProvisioningPolicyTaskLauncher">Manage Provisioning Policies</a>
Manage Service Selection Policies         <a href="/itim/console/home/task/manageServiceSelectionPolicies">Manage Service Selection Policies</a>
Manage Account Request Workflows          <a href="/itim/console/home/task/manageAccountRequestWorkflows">Manage Account Request Workflows</a>
Manage Access Request Workflows           <a href="/itim/console/home/task/manageAccessRequestWorkflows">Manage Access Request Workflows</a>
Manage Groups                             <a href="/itim/console/home/task/manage_groups">Manage Groups</a>
Manage Access Control Items               <a href="/itim/console/home/task/manage_acis">Manage Access Control Items</a>
Manage Views                              <a href="/itim/console/home/task/defineViewFilter">Manage Views</a>
Set Security Properties                   <a href="/itim/console/home/task/sysprops">Set Security Properties</a>
Configure Forgotten Password Settings     <a href="/itim/console/home/task/set_challenge_response">Configure Forgotten Password Settings</a>
Request Reports                           <a href="/itim/console/home/task/reports_requests">Request Reports</a>
Service Reports                           <a href="/itim/console/home/task/reports_services">Service Reports</a>
Audit and Security Reports                <a href="/itim/console/home/task/reports_audit_and_security">Audit and Security Reports</a>
Custom Reports                            <a href="/itim/console/home/task/reports_custom">Custom Reports</a>
Report Properties                         <a href="/itim/console/home/task/reports_properties">Report Properties</a>
Configure Replication Schema              <a href="/itim/console/home/task/reports_schema">Configure Replication Schema</a>
Design Reports                            <a href="/itim/console/home/task/designReports">Design Reports</a>
Manage Service Types                      <a href="/itim/console/home/task/manservicetype">Manage Service Types</a>
Design Forms                              <a href="/itim/console/home/task/designfrms">Design Forms</a>
Set Workflow Notification Properties      <a href="/itim/console/home/task/workflowNotificationProperties">Set Workflow Notification Properties</a>
Configure Post Office                     <a href="/itim/console/home/task/post_office_configuration">Configure Post Office</a>
Manage Entities                           <a href="/itim/console/home/task/manageEntities">Manage Entities</a>
Manage Operations                         <a href="/itim/console/home/task/manageOperations">Manage Operations</a>
Manage Lifecycle Rules                    <a href="/itim/console/home/task/manageLifecycleRules">Manage Lifecycle Rules</a>
Manage Access Types                       <a href="/itim/console/home/task/manageAccessCategory">Manage Access Types</a>
Configure Policy Join Behaviors           <a href="/itim/console/home/task/config_policy_join">Configure Policy Join Behaviors</a>
Configure Global Policy Enforcement       <a href="/itim/console/home/task/global_policy_enforcement_configuration">Configure Global Policy Enforcement</a>
Import Data                               <a href="/itim/console/home/task/import">Import Data</a>
Export Data                               <a href="/itim/console/home/task/export">Export Data</a>
View Pending Requests by User             <a href="/itim/console/home/task/viewOthersPendingRequest">View Pending Requests by User</a>
View All Requests by User                 <a href="/itim/console/home/task/viewAllOthersRequests">View All Requests by User</a>
View Pending Requests by Service          <a href="/itim/console/home/task/viewPendingServiceRequests">View Pending Requests by Service</a>
View All Requests by Service              <a href="/itim/console/home/task/viewRequestService">View All Requests by Service</a>
View All Requests                         <a href="/itim/console/home/task/viewAllRequests">View All Requests</a>
View Activities                           <a href="/itim/console/home/task/view_todo_list">View Activities</a>
View Activities by User                   <a href="/itim/console/home/task/viewtodosforothers">View Activities by User</a>
Manage Delegation Schedules               <a href="/itim/console/home/task/multiDelegateMyActivities">Manage Delegation Schedules</a>
About                                     <a href="/itim/console/home/task/about">About</a>
Define Forgotten Password Questions       <a href="/itim/console/home/task/defchallenges">Define Forgotten Password Questions</a>

Customizing the title bar

You can change the title bar shown in the web browser when you log in to the IBM Security Identity Manager administrative console.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To customize the title bar, complete these steps:

Procedure

1. Make a backup copy of the ui.properties file and store the file in a temporary directory.
2. Edit the ui.titlebar.text property with the title you want to use, and save the file. The default value is blank and displays the text IBM Security Identity Manager.
3. Copy the updated file back into the deployed WebSphere directory. You must restart the IBM Security Identity Manager application for these changes to take effect.

What to do next

Be sure to back up the custom version of the files you created so your customizations are not lost.

Redirecting help content

You can redirect help requests to your own website to deliver custom help content for the administrative console user interface.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Editing the out-of-the-box help content shipped with the administrative console user interface is not supported. But it is possible to redirect help requests to your own website to deliver custom help content.

The helpmappings.properties file specifies the base URL that help requests are sent to. This file is in the ITIM_HOME\data directory.

The following table shows the property and property description for help.

Table 18. Self-service help properties and description

Property                                        Description
helpBaseUrl                                     Specifies the base URL to send help requests to. A blank value indicates that help goes to the default URL for the administrative console user interface.
Help ID mappings: helpID = relative page URL    The help mappings section maps IDs from specific pages to a relative URL sent to the help server.

The help URL is the combination of helpBaseUrl + locale + relativeHelppageURL.

For example:

helpBaseUrl = http://myserver:80
locale = en_US

Note: The locale is determined by matching the currently logged-in user's browser settings with the currently installed IBM Security Identity Manager language packs.

loginID/relativeURL = login_help_url=ui/ui_eui_login.html

Therefore, the final URL is http://myserver:80/en_US/ui/ui_eui_login.html.

To redirect help, complete these steps:

Procedure

1. Make a backup copy of the helpmappings.properties file in the ITIM_HOME\data directory.
2. Change the helpBaseUrl property in the helpmappings.properties file. It is important that customers do not change the helpIDs. They are what the IBM Security Identity Manager user interface panels use to find the appropriate help.
3. Update the helpID mappings to use the relative URLs for your server.
4. Add pages to your server for the appropriate locales.
5. Restart the ITIM application in WebSphere to make the changes effective.
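The URL composition above (and the identical rule for the self-service SelfServiceHelp.properties file under "Redirecting help content" earlier in this chapter), worked through as an added example that is not IBM's code: it reads a constructed help properties file, composes helpBaseUrl + locale + relative page URL, flags a helpBaseUrl that is not an absolute https URL before the restart, and lists help IDs that a customized file dropped. The default-help placeholder and host names are assumptions.

```python
"""Resolve help-link targets from an IBM Security Identity Manager help
properties file (SelfServiceHelp.properties for the self-service UI,
helpmappings.properties for the administrative console).

Added example, not IBM code. Only the helpBaseUrl key, the helpId-to-relative-URL
mappings and the composition rule helpBaseUrl + locale + relative page URL come
from the guide; the file contents and host names below are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample of a customized help properties file.
SAMPLE_PROPERTIES = """\
# Base URL for custom help content (constructed)
helpBaseUrl=https://help.example.com:8443
# Help ID mappings: helpId = relative page URL
login_help_url=ui/ui_eui_login.html
change_password_help_url = ui/ui_eui_change_password.html
"""

# Placeholder for the product's built-in help location (assumption), used when
# helpBaseUrl is blank; the guide only says a blank value means the default URL.
DEFAULT_HELP_BASE = "http://PRODUCT_DEFAULT_HELP_BASE"


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits
    key and value, surrounding whitespace trimmed. Enough for the help files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        cut = min(seps)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def help_url(props, help_id, locale):
    """Compose helpBaseUrl + locale + relative page URL as the guide describes.
    A blank helpBaseUrl falls back to the product default; an unknown help_id
    raises KeyError because the UI panels look help up by these IDs."""
    base = props.get("helpBaseUrl", "").strip() or DEFAULT_HELP_BASE
    relative = props[help_id]
    return "/".join([base.rstrip("/"), locale, relative.lstrip("/")])


def check_base_url(props):
    """Review the redirect target before restarting: helpBaseUrl must be an
    absolute http(s) URL, and https is preferred because the help links are
    followed by authenticated users' browsers. Returns findings; empty is good."""
    base = props.get("helpBaseUrl", "").strip()
    if not base:
        return []  # blank: product default applies, nothing to check
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ["helpBaseUrl is not an absolute http(s) URL: %r" % base]
    if parts.scheme == "http":
        return ["helpBaseUrl uses cleartext http; prefer https"]
    return []


def missing_help_ids(shipped, customized):
    """Help IDs present in the shipped file but absent after customization.
    The guide says not to change the IDs; any ID listed here has lost its page."""
    return sorted(k for k in shipped if k != "helpBaseUrl" and k not in customized)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(help_url(props, "login_help_url", "en_US"))
    print(check_base_url(props) or "helpBaseUrl looks sane")
```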

Customizing the number of items displayed on pages

You can change the number of items displayed on pages.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

The following table shows the properties, default values, and description of these page parameters.

Table 19. Panel parameters, default values, and descriptions

Property:       enrole.ui.pageSize
Default value:  50
Description:    Specifies the number of list items displayed on a page.

Property:       enrole.ui.maxSearchResults
Default value:  1000
Description:    Specifies the maximum number of search items returned.

Note: These changes can affect memory usage if set to excessive values.

To change page parameters, complete these steps:

Procedure
1. Make a backup copy of the ui.properties file in the ITIM_HOME\data directory.
2. Edit the file in a temporary directory and copy the updated file back into the directory.
3. Restart the IBM Security Identity Manager application in WebSphere to make the changes effective.

What to do next

Be sure to back up the custom version of the file so your customizations are not lost.

Chapter 2. Service type management

A service type is a category of related services that share the same schemas. It defines the schema attributes that are common across a set of similar managed resources.

Overview

Service types are profiles, or templates, that are used to create services for specific instances of managed resources. For example, if you have several Lotus® Domino® servers that users need access to, you might create one service for each Lotus Domino server using the Lotus Domino service type. In previous versions of IBM Security Identity Manager, a service type is referred to as a service profile.

Some service types are installed by default when IBM Security Identity Manager is installed. Other service types can be installed when you import the service definition files for adapters for managed resources. A service type definition is provided by the IBM Security Identity Manager Adapter for a managed resource. There is a service type for each type of managed resource that IBM Security Identity Manager supports, such as UNIX, Linux, Windows, IBM Security Access Manager, and so on.

A service type is defined in the service definition file of an adapter, which is a Java Archive (JAR) file that contains the profile. The service type for an adapter is created when the adapter profile (JAR file) is imported. For example, a service type is defined in the WinLocalProfile JAR file. You can also define a service type using the interface for IBM Security Identity Manager.

IBM Security Identity Manager supports the following types of service providers:
• DAML for Windows Local Adapter, Lotus Notes® Adapter, and so on
• IDI (IBM Tivoli Directory Integrator for UNIX and Linux adapters)
• Custom Java class for defining your own implementation of a service provider
• Manual for managing user-defined "manual" activities

Default service types

The following default service types are provided with IBM Security Identity Manager:

Identity feed service types:

DSML
A Directory Services Markup Language (DSML) Identity Feed service imports user data, with no account data, from a human resources database or file and feeds the information into the IBM Security Identity Manager directory. The service uses a placement rule to determine where in the organization a user will be placed. The service can receive the information in one of two ways: a reconciliation or an event notification. This service is based on the DSML Identity Feed Service Profile.

Note: DSMLv2 is deprecated in IBM Security Identity Manager Version 5.0 in favor of the remote method invocation (RMI)-based IDI adapter framework. The use of DSMLv2 continues to be supported in this release.

AD
The AD Identity Feed Service imports user data from Windows Active Directory. The organizationalPerson objects are fed into IBM Security Identity Manager and add or update users to IBM Security Identity Manager. The user profiles selected from this service must have an objectclass that is derived from the organizationalPerson class.

CSV
The CSV Identity Feed Service imports user data from a comma-separated value (CSV) file and adds or updates users to IBM Security Identity Manager. The CSV file contains a set of records separated by a carriage return/line feed (CR/LF) pair (\r\n). Each record contains a set of fields separated by a comma. If the field contains either a comma or a CR/LF, the field must be enclosed in double quotes so that the comma is not treated as the delimiter. The first record in the CSV source file defines the attributes provided in each of the following records. Attributes must be valid based on the class schema for the selected person profile for this service.

IDI Data Feed
The IDI Data Feed service type uses the Tivoli Directory Integrator to import user data, with no account data, into IBM Security Identity Manager and to manage accounts in the IBM Security Identity Manager data store on external resources. This service is based on the IDI Data Feed Service Profile.

INetOrgPerson
The INetOrgPerson Identity Feed imports user data from the LDAP directory. The inetOrgPerson objects are loaded and add or update users in IBM Security Identity Manager.
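A reader for the CSV identity feed format described above, as an added example (not IBM code and not the product's feed parser): CR/LF record separator, comma field separator, double-quoted fields for embedded commas or CR/LF, and a first record naming the attributes, which must belong to the selected person profile's class schema. The feed text and the allowed-attribute set are constructed stand-ins.

```python
"""Parse a CSV identity feed and validate its header against a person schema."""
import csv
import io

# Constructed stand-in for the attributes of the selected person profile's class schema.
PERSON_SCHEMA_ATTRIBUTES = {"uid", "cn", "sn", "mail", "title", "ou"}

# Constructed feed: one field with an embedded comma and one with an embedded CR/LF,
# both enclosed in double quotes as the format requires.
SAMPLE_FEED = (
    "uid,cn,sn,mail,title\r\n"
    "jdoe,John Doe,Doe,jdoe@example.com,\"Engineer, Senior\"\r\n"
    "asmith,Anne Smith,Smith,asmith@example.com,\"Lead\r\nArchitect\"\r\n"
)


class FeedError(ValueError):
    """Raised when the feed header or a record does not match the expected shape."""


def parse_identity_feed(feed_text, allowed_attributes=PERSON_SCHEMA_ATTRIBUTES):
    """Return one {attribute: value} dict per record.

    Rejects a header attribute that is not in the schema (so an unknown column never
    silently reaches the directory), a duplicated header attribute, and any record whose
    field count differs from the header (the usual sign of an unquoted comma or line break)."""
    # newline="" keeps the CR/LF pairs intact so the csv module can see quoted line breaks.
    reader = csv.reader(io.StringIO(feed_text, newline=""), delimiter=",", quotechar='"')
    try:
        header = [h.strip() for h in next(reader)]
    except StopIteration:
        raise FeedError("empty feed: the first record must list the attributes")
    unknown = [h for h in header if h not in allowed_attributes]
    if unknown:
        raise FeedError("attributes not in the person profile schema: " + ", ".join(unknown))
    if len(set(header)) != len(header):
        raise FeedError("duplicate attribute in header")
    records = []
    for recno, fields in enumerate(reader, start=2):
        if not fields:
            continue  # tolerate a trailing empty record
        if len(fields) != len(header):
            raise FeedError("record %d has %d fields, header has %d"
                            % (recno, len(fields), len(header)))
        records.append(dict(zip(header, fields)))
    return records


def feed_is_valid(feed_text, allowed_attributes=PERSON_SCHEMA_ATTRIBUTES):
    """True when the feed parses cleanly, False when it should be rejected before loading."""
    try:
        parse_identity_feed(feed_text, allowed_attributes)
    except FeedError:
        return False
    return True


if __name__ == "__main__":
    for rec in parse_identity_feed(SAMPLE_FEED):
        print(rec["uid"], "->", repr(rec["title"]))
```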

Account service types:

Tivoli Directory Integrator-based
This service type can be optionally installed during the installation of IBM Security Identity Manager. All these are Tivoli Directory Integrator-based adapters; each is a specific service type. Tivoli Directory Integrator is one type of service provider. There can be multiple service types defined for the same type of service provider.

ITIM Service
The ITIM service type is used to create accounts in the IBM Security Identity Manager system and represents the IBM Security Identity Manager Server itself. This is a standard service with no configuration parameters. All users that need access to the IBM Security Identity Manager system must be provisioned with an IBM Security Identity Manager account.

Hosted Service
The Hosted Service type is used to create a service that is a proxy to the hosting service that is residing in the service provider organization.

The hosted service connects to the managed resource target through the hosting service indirectly. The configuration details of the hosting service are invisible and protected from administrators in the secondary organization where the Hosted Service is defined. Administrators can define policies for the hosted service, specifically, without affecting the hosting service.

The primary usage of a Hosted Service is to allow users in business partner organizations to have accounts and access to internal IT resources of an organization and to allow administrators in the secondary organization to define specific service policies for the user accounts.

Custom Java class
The custom Java class service type allows you to define your own profile by defining and implementing a Java class.

Manual services and service types

The manual service type manages user accounts on a target resource manually. Account requests are routed to a specific user rather than a service provider so that they can be handled manually or by using other tools outside of IBM Security Identity Manager Server.

These are resources for which at least one of the following statements apply:
• There is no adapter currently available to do the provisioning, and it is not possible or practical to develop a custom adapter.
• Some or all of the provisioning activity requires a person to do the necessary setup process.
• You choose to do the task manually.

Examples of resources for manual service types and manual services include:
• Voice mail setup
• Telephone setup
• Personal computer setup
• Physical mail setup
• Employee badge request

Manual services

Enabling connection mode

Creating manual services

Create a manual service instance when IBM Security Identity Manager does not provide an adapter for the managed resource.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you can create a manual service in IBM Security Identity Manager, you must create a service type by adding new schema classes and attributes for the manual service to your LDAP directory.

About this task

A manual service is a type of service that requires manual intervention to complete the request. For example, a manual service might be defined for setting up voice mail for a user. A manual service generates a work order activity that defines the manual intervention that is required.

If you choose to create a provisioning policy as part of this task, the service is automatically added to the provisioning policy as an entitlement. In addition, a membership of "All" is defined for the provisioning policy. Also, an ownership type of "Individual" is defined for the provisioning policy. You can later edit the provisioning policy and change the membership and ownership types after the service is created.

The service name and description that you provide for each service are displayed on the console. Therefore, it is important to provide values that make sense to your users and administrators.

To create a manual service instance, complete these steps:

Procedure
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, click Create. The Create a Service wizard is displayed.
3. On the Select the Type of Service page, click Search to locate a business unit. The Business Unit page is displayed.
4. On the Business Unit page, complete these steps:
   a. Type information about the business unit in the Search information field.
   b. Select a business type from the Search by list, and then click Search. A list of business units that match the search criteria is displayed. If the table contains multiple pages, you can:
      • Click the arrow to go to the next page.
      • Type the number of the page that you want to view and click Go.
   c. In the Business Units table, select the business unit in which you want to create the service, and then click OK. The Select the Type of Service page is displayed, and the business unit that you specified is displayed in the Business unit field.
5. On the Select the Type of Service page, select a manual service type, and then click Next. If the table contains multiple pages, you can:
   • Click the arrow to go to the next page.
   • Type the number of the page that you want to view and click Go.
6. On the General Information page, specify the appropriate values for the manual service instance, and then click Next. The content of this page depends on the type of service that you are creating. The creation of some services might require additional steps.
7. On the Participants page, specify the users who are involved in completing the activities for the manual service. Specify the amount of time before the service is escalated. Click Next.
8. Optional: On the Messages page, complete these steps, and then click Reconciliation:
   a. Select the default email message that you want to change, and then click Change. The Change Message page is displayed.
   b. Modify the Subject and Body fields, and then click OK.
9. On the Configure Policy page, select a provisioning policy option, and then click Next or Finish. The provisioning policy determines the ownership types available for accounts. The default provisioning policy enables only Individual ownership type accounts. Additional ownership types can be added by creating entitlements on the provisioning policy.
10. Optional: On the Reconciliation page, click Browse to locate the reconciliation file, and then click Upload File to load the new reconciliation file. You can also choose whether to reconcile supporting data only.

Note: The file type supported for the reconciliation file is CSV. For more information, see the topic "Example comma-separated value (CSV) file" in the IBM Security Identity Manager Administration Guide.

11. Click Finish.

Results

A message is displayed, indicating that you successfully created the manual service instance for a specific service type.

What to do next

Select another services task, or click Close. When the Select a Service page is displayed, click Refresh to refresh the Services table and display the new service instance.

Changing a manual service

Change information for a manual service instance.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you can change a service in IBM Security Identity Manager, you must create a service instance.

Procedure

To change a manual service instance, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether the search must be done against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed. If the table contains multiple pages, you can:
      • Click the arrow to go to the next page.
      • Type the number of the page that you want to view and click Go.
3. In the Services table, select the check box next to the manual service that you want to change, and then click Change.
4. On the General Information page, change the appropriate values for the service instance, and then click Participants.
5. On the Participants page, change the participants type, escalation time in days, or escalation participant type.
6. Optional: On the Messages page, complete these steps, and then click Reconciliation:
   a. Select the email message that you want to change, and then click Change. The Change Message page is displayed.
   b. Modify the Subject and Body fields as wanted, and then click OK.
7. Optional: On the Reconciliation page, click Browse to locate the reconciliation file, and then click Upload File to load the new reconciliation file. You can also choose whether to reconcile supporting data only.

Note: The file type supported for the reconciliation file is CSV. For more information, see the topic "Example comma-separated value (CSV) file" in the IBM Security Identity Manager Planning Guide.

8. Click OK to save the changes and to close the page.

Results

A message is displayed, indicating that you successfully changed the service instance.

What to do next

Select another services task, or click Close. When the Select a Service page is displayed, click Refresh to refresh the Services table.

Configuring a manual service type to support groups

To support group assignment, but not group management, for manual services, the group profile needs to be set up in the manual service type configuration.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To set up a manual service type to support group assignment, but not group management (which includes create, read, update, delete) for manual services, complete these steps:

Procedure
1. Define the group schema as an LDAP objectclass in the IBM Security Identity Manager LDAP server.
2. Define a manual service (complete with service and account objectclasses). The account objectclass should contain an optional multi-valued attribute that will be used to store the group membership information. This service type should reference the group schema created in the previous step.
   The Manage Service Types page allows the administrator to select an existing LDAP objectclass for use as the group schema class. If you want to create a new objectclass, you must create it manually and load it directly into the LDAP server.
   The mapped Group ID, Group name, and Group description attributes can all reference the same group schema attribute, if desired. You cannot define multiple groups that use the same group ID. The ID must be unique per group.
   More than one group schema can be defined for a given service type. The definition of the second and subsequent schemas is performed in the same manner as the first.
3. Modify service and account forms for the service type using the form designer. This step is required to properly display needed information when creating the service instance as well as creating accounts.
4. Create a manual service instance using the manual service type that you created earlier in this process.

Reconciliation for manual services

Initiate a reconciliation activity on a manual service.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

You must have completed the steps for configuring a manual service type to support groups. You must also have created a manual service instance before you begin this task.

About this task

The service instance creation steps allow you to perform a reconciliation of a manual service using a comma-separated value (CSV) file that you provide. The reconciliation populates IBM Security Identity Manager with accounts and groups that exist on the manual service. The CSV file contains group and account information.

You can provide the reconciliation file at service creation time or at any time the service is modified. There is also a supporting data only option for reconciliation that is used when you want to pull group information from the CSV file, but you do not want to touch accounts in IBM Security Identity Manager.

To perform a reconciliation on a manual service, complete these steps:

Procedure
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether the search should be performed against services or business units.
   c. Select a service type from the Search type list, and then click Search. A list of services matching the search criteria is displayed. If the table contains multiple pages, you can:
      • Click the arrow to go to the next page.
      • Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon ( ) adjacent to the service to show the tasks that can be performed on the service, and then click Change. The tasks that you can perform are dependent on the type of service. The Select Query page is displayed.
4. On the Reconciliation page, click Browse to locate the reconciliation file, and then click Upload File to load the new reconciliation file. You can also choose whether or not to reconcile only supporting data.
5. Click OK to save the changes and to close the page.

Results

A message is displayed, indicating that you successfully submitted a reconciliation request.

What to do next

To view the results of the reconciliation, click View the status of the reconciliation request. You can also select another services task, or click Close. When the Select a Service page is displayed, click Refresh to refresh the Services table.

Service definition file or adapter profile

A service definition file, which is also known as an adapter profile, defines the type of managed resource that IBM Security Identity Manager can manage.

The service definition file creates the service types on the IBM Security Identity Manager Server.

The service definition file is a Java archive (JAR) file that contains the following information:
• Service information, including definitions of the account provisioning operations that can be performed for the service, such as add, delete, suspend, or restore.
• Service provider information, which defines the underlying implementation of how the IBM Security Identity Manager Server communicates with the managed resource.
• Schema information, including the LDAP classes and attributes.
• Account forms and service forms, along with the label for the attributes, which are displayed in the user interface for creating services and requesting accounts on those services.

Creating service types

As an administrator, you can create a service type. For example, you might create a service type for a manual service that you want to create.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Defining a new service type allows you to define new LDAP attributes and objectclasses. You can also change the existing LDAP attributes and objectclasses. You must understand the impact of changing the LDAP schema through this task. Do not change the syntax or schema of existing attributes and objectclasses. If a new service type is needed, define one. See your directory documentation for restrictions and best practices to use for schema extension. For IBM Tivoli Directory Server Version 6.1, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/admin_gd13.htm#wq78.

About this task

You can create a service type for a manual service or for a custom service.

To create a service type, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. On the Manage Service Types page, click Create. The Manage Service Types notebook is displayed.
3. On the General page of the Manage Service Types notebook, complete these steps:
   a. In the Service Type Name field, provide a unique name for your service type.
   b. From the Service Provider list, select the protocol that IBM Security Identity Manager uses to provision accounts for the service type.
   c. Click the Service tab.
4. On the Service page, specify an LDAP class and attributes to associate with the service type, and then click the Account tab. The LDAP class and attributes vary, depending on the accounts that the managed resource provides.
5. On the Account page, specify an LDAP class and attributes to associate with the account schema, and then click either the Group tab or OK.
6. Optional: On the Group page, complete these steps:
   a. To add a group to the service type, click Add. The Add Group page is displayed.
   b. On the Add Group page, specify an LDAP class and schema information. A group schema must be supported by the adapter for this service type.
   c. Click either the Miscellaneous tab, or click OK.
7. Optional: On the Miscellaneous page, complete these steps:
   a. Select the check box if you want the service type to participate in reports for dormant accounts.
   b. From the Last access date list, select an attribute of the account schema that is associated with the service type, and then click OK.

Results

A message indicates that you successfully created a service type.

What to do next

Verify the generated service and account forms for the new service type with the form designer, set up account defaults for the service type, or click Close.

Tip: You can also specify values for Service Type Name and Description fields in the CustomLabels.properties file.

Changing service types

You can change a service type to select a different service provider. You can also change a service type to change the LDAP class or attributes for the service type or the accounts.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

A service type must exist, but no instance of the service type can exist.

Defining a new service type allows you to define new LDAP attributes and objectclasses. You can also change the existing LDAP attributes and objectclasses. You must understand the impact of changing the LDAP schema through this task. Do not change the syntax or schema of existing attributes and objectclasses. If a new service type is needed, define one. See your directory documentation for restrictions and best practices to use for schema extension. For IBM Tivoli Directory Server Version 6.1, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/admin_gd13.htm#wq78.

About this task

You cannot change a service type if there is a service instance of the service type. Users might actively be working in accounts on that service instance.

To change a service type, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. On the Manage Service Types page, select the check box next to the service type that you want to change, and then click Change. The Manage Service Types notebook is displayed.
3. On the Manage Service Types notebook, make the wanted changes, and then click OK. The name of the service type cannot be changed.

Results

A message indicates that you successfully modified the service type.


What to do next

If necessary, use the form designer to update the service and account forms to match any service type attribute changes, or click Close.

Importing service types

As an administrator, you can import a service definition file, which creates a service type. Service definition files are also called adapter profile files, which are provided with the various IBM Security Identity Manager adapters.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

The file to be imported must be a Java archive (JAR) file.

About this task

You can create a service type for an adapter that provides a JAR file.

To import a service type, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. On the Manage Service Types page, click Import. The Import Service Type page is displayed.
3. On the Import Service Type page, complete these steps:
   a. In the Service Definition File field, type the directory location of the file, or click Browse to locate the file. For example, if you are installing the IBM Security Identity Manager adapter for a Windows server that runs Active Directory, locate and import the ADProfile JAR file.
   b. Click OK to import the file.

Results

A message indicates that you successfully imported a service type.

What to do next

The import occurs asynchronously, which means it might take some time to complete. On the Manage Service Types page, click Refresh to see the new service type. If the service type is not displayed within a reasonable amount of time, check the log files to determine why the import failed.

Deleting service types

You can delete a service type that has no service instances. For example, if your enterprise replaces an application, you might migrate user records to the new application. Then, delete the obsolete service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you delete a service type, you must remove all of its service instances.

About this task

When you delete a service type, changes made to the LDAP class persist even after the service type is deleted.

To delete a service type, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. On the Manage Service Types page, select the check box next to the service type that you want to delete, and then click Delete. Selecting the check box at the top of this column selects all service types. The Manage Service Types notebook is displayed.
3. On the Confirm page, click Delete to delete the service type, or click Cancel.

Results

A message indicates that you successfully deleted the service type.

What to do next

Do other service type management tasks, or click Close.

Managing account defaults on a service type

You can define default values for account attributes either on a service or on a service type.

Types of account defaults

Service type account defaults
When account defaults are defined at the service type level, they apply to all services of that type. However, a service type default can be overridden by defining an account default at the service level.

You can define global account default values in one place, a service type. You do not need to define the same account default values for a service in multiple places. This single definition reduces the amount of customization and the chance of omissions or errors.

Service account defaults
These defaults are initially inherited from the service type account defaults, but they become local to the service as soon as they are changed. They become local account defaults and can be changed or removed. Changes (including removals) do not affect the service type account defaults.

Options for defining default values for account attributes

Basic
Allows you to hard code default values. You can also build a rule to extract information from an attribute on any IBM Security Identity Manager person class object. You can use it to set the value for an account attribute.

Advanced
Allows you to code JavaScript to retrieve LDAP data from IBM Security Identity Manager objects and set the value for an account attribute. As a starting point, you can create a basic account default and then use the advanced option to edit the generated JavaScript.

Adding account defaults to a service type

Add account defaults to a service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

The wanted service type must exist. If it does not exist, you must import the profile for the service type.

About this task

You can add default values for attributes. When you create a service instance from this service type, the account defaults for the service type are copied to the service.

To add account defaults to a service type, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. In the Service Types table, click the icon ( ) next to the service type, and then click Account Defaults. The Select an Account Attribute page is displayed.
3. On the Select an Account Attribute page, click Add to add an attribute. The Select an Attribute to Default page is displayed.
4. On the Select an Attribute to Default page, select an account attribute. Click one of these choices:
   • Add, which adds a default value for the selected attribute. Complete the appropriate fields, which vary depending on the type of service, and then click OK. The attribute default is added to the list on the Select an Attribute to Default page.
   • Add (Advanced), which adds a script that specifies a default value for the selected attribute. Type the wanted JavaScript code in the Script field, and then click OK. The attribute default is added to the list on the Select an Attribute to Default page.
5. On the Select an Account Attribute page, finish adding attribute defaults to the service type. Then, click OK to save the changes and to close the page.

Results

A message indicates that you successfully saved the account defaults on the service type.

Changing account defaults for a service type

Change the account defaults for a service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To change account defaults for a service type, complete these steps:

Procedure

1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. In the Service Types table, click the icon next to the service type, and then click Account Defaults. The Select an Account Attribute page is displayed.
3. On the Select an Account Attribute page, select the check box next to the attribute that you want to modify, and then click one of these choices:
   • Change, which changes the default value for the selected attribute. Complete the appropriate fields, which vary depending on the service type, and then click OK. The template value for the attribute is updated in the list on the Select an Attribute to Default page.

     Note: If you select this option when an attribute currently has a scripted default value, the existing script is overwritten with the template value that you specify.

   • Change (Advanced), which adds or changes the script that specifies a default value for the selected attribute. Type the wanted JavaScript code in the Script field, and then click OK. The template value for the attribute is updated in the list on the Select an Attribute to Default page.
4. On the Select an Account Attribute page, finish changing attribute defaults for the service type. Then, click OK to save the changes and to close the page.

Results

A message indicates that you successfully saved the account defaults on the service type.

Removing account defaults from a service type

Remove account defaults from a service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


About this task

To remove account defaults from a service type, complete these steps:

Procedure

1. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
2. In the Service Types table, click the icon next to the service type, and then click Account Defaults. The Select an Account Attribute page is displayed.
3. On the Select an Account Attribute page, select the check box next to the attribute that you want to remove, and then click Remove. Selecting the check box at the top of this column selects all attributes. The attribute default is removed from the list on the Select an Attribute to Default page.
4. On the Select an Account Attribute page, finish removing attributes from the service type. Then, click OK to save the changes and to close the page.

Results

A message indicates that you successfully removed the account defaults from the service type.


Chapter 3. Access type management

Access types are a way to classify the kinds of access that users see. Use the Manage Access Types task to classify the types of accesses in your organization.

The following access types are included with IBM Security Identity Manager:
• AccessRole, which is a role for IT resource access
• Application, which is access to an application
• SharedFolder, which is access to a shared folder
• MailGroup, which is membership in an email group

As an administrator, you can create additional access types, such as for intranet web applications or Active Directory (AD) application shared folders.

Over time, several accesses might be defined. Classify them into commonly available accesses, or use categories for smarter searches for infrequent accesses.

Creating access types

As an administrator, you can create additional access types, such as for intranet web applications or Active Directory (AD) application shared folders.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Over time, several accesses might be defined. Classify them into commonly available accesses or use categories for searches for infrequent accesses.

To create an access type in the tree structure, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Access Types to display the Manage Access Types page. The Manage Access Types page lists the default access types.
2. On the Manage Access Types page, click the icon next to the Access Types node.
3. Click Create Type to display the Create Access Type page.
4. On the Create Access Type page, complete the following steps:
   a. In the Access Type Key field, provide a key name. For example, Payroll.
   b. In the Description field, provide a description about the access type.
5. Click OK to save the access type.


Results

A message indicates that you successfully created an access type. The Manage Access Types page displays the new access type in the tree structure.

What to do next

You might need to update the CustomLabels.properties resource bundle to provide the display label for this access type. See the CustomLabels.properties topic in the IBM Security Identity Manager Reference Guide.

Users can request access to the new access type.

Create additional access types, or click Close.

Changing access types

As an administrator, you can change access types, such as for intranet web applications or Active Directory (AD) application shared folders.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you create at least one access type in the tree structure. See “Creating access types” on page 59.

About this task

The nodes that you can select depend on the position or hyperlink of the node that you select within the tree structure.

To change an access type in the tree structure, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Access Types to display the Manage Access Types page. The Manage Access Types page lists the default access types.
2. On the Manage Access Types page, click the icon next to the Access Types node and click Change. Alternatively, click an access type. The Change Access Type page is displayed.
3. On the Change Access Type page, modify the description in the Description field. You can provide a description associated to the access type key.

   Note: The Access Type Key field value is read-only.

4. Click OK to save the access type.

Results

A message indicates that you successfully changed an access type. The Manage Access Types page displays the modified access type in the tree structure.


What to do next

Users can request access to the new access type.

Change additional access types, or click Close.

Deleting access types

As an administrator, you can delete access types that are no longer needed in your organization.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

You must remove all access definitions for an access type before you can delete an access type.

About this task

You cannot delete an access type if any access definitions for that access type exist.

To delete an access type in the tree structure, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Access Types to display the Manage Access Types page. The Manage Access Types page lists the default access types.
2. On the Manage Access Types page, click the icon next to the Access Types node that you want to delete. Then, click Delete to display the Confirm page. You cannot delete an access type node that has child items or a group or role association. You must first delete the child items or the group or role association before deleting the access type.
3. On the Confirm page, click Delete to delete the access type, or click Cancel.

Results

A message indicates that you successfully deleted an access type. The Manage Access Types page no longer displays the deleted access type in the tree structure.

What to do next

Create or change access types, delete additional access types, or click Close.


Chapter 4. Shared access configuration

You can specify configuration settings for shared access as needed for your deployment. You can specify default settings for credentials, configure an external credential vault server, define a unique id for a service, and customize several different operations.

Configuring the credential default settings

Specify the default settings for each credential that is added to the credential vault.

About this task

The administration console supports adding user credentials into a credential vault. When you add a credential to the vault, you can apply default values for each of the credential settings. Use this task to define the default value for each setting.

Note: Some default settings can be overwritten at the individual credential level, but others can only be changed at a global level.

Procedure

To configure the credential default settings, complete these steps:

1. From the navigation tree, select Manage Shared Access > Configure Credential Default Settings. The Configure Credential Default Settings page is displayed.
2. Under Credential Setting, select one of the following options to specify the checkin and checkout process for the accounts. See the online help for details about individual settings.

   Require the checkin and checkout process for the shared IDs
       Select this option to specify that by default users must check out a shared credential before using it. When selecting this option, specify the following options:

       Change password upon checkin
           Select the check box to change the password.

       Maximum checkout duration
           Schedule the maximum number of hours, days, or weeks that a credential can be checked out.

       Specify whether the credential is enabled for checkout search
           Select the Enable checkout search check box to enable the credentials for a checkout search. When you do so, the accounts are searched for the checkout process on the self-service user interface.

       Specify whether the credential password will be visible to the user in Self Service
           Select the Display the password to user check box to display the credential password to the user on the self-service user interface.

       Check Out Operation
           In the Operation Name field, enter an operation name to define a global lifecycle operation and start the checkout workflow extension.

       Lease Expiration Handling

           Notify violation
               Select this option to send a notification when the system finds the expired credentials that are checked out.

           Notify violation and checkin
               Select this option when you want the system to notify the recipients about the expired credentials and check in those credentials automatically.

           Notification Template
               Click this link to view or change the email template that is used by the system to construct the expired credential notification.

           Send notification to
               Select a recipient from the list.

           Check for expired leases every
               Schedule a time frequency that you want the system to check for the expired credential leases.

               Note: The time that you enter must be equal to or greater than the time specified for checking expired leases. For example, you might set the interval of every one hour to check for expired leases. You must set at least every one hour or more to send notifications to the recipients who are responsible for the expired leases.

           Send notifications at least every
               Schedule a time frequency to send out notifications to remind the recipients of the expired leases.

   Do not require the checkin and checkout process for shared IDs
       Select this option to specify that, by default, users are not required to check out a shared credential before using it.

       Specify whether the credential password will be visible to the user in Self Service
           Select the Display the password to user check box if you want to display the credential password to the user on the self-service user interface.

   Credential is not shared
       Select this option to specify that, by default, a credential that is added to the credential vault cannot be accessed through a shared access policy.

3. Click Submit to save the configuration settings.
4. On the Success page, click Close.
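The Lease Expiration Handling settings above, modelled as a runnable example that is added here and is not IBM code: it validates the stated rule that the notification interval is equal to or greater than the check interval, and runs the expired-lease check in either mode. Credential names, users and the interval values are constructed for the example.

```python
"""Added example (not IBM code): a model of the Lease Expiration Handling
settings. Checks the stated constraint (notification interval >= check
interval) and runs scheduled passes of the expired-lease check in either
mode, "Notify violation" or "Notify violation and checkin".
Sample credentials, users and intervals are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

NOTIFY = "notify"                          # Notify violation
NOTIFY_AND_CHECKIN = "notify_and_checkin"  # Notify violation and checkin


@dataclass
class LeaseSettings:
    mode: str
    check_every: timedelta            # Check for expired leases every
    notify_at_least_every: timedelta  # Send notifications at least every
    max_checkout: timedelta           # Maximum checkout duration


def settings_from_hours(mode: str, check: int, notify: int, max_checkout: int) -> LeaseSettings:
    return LeaseSettings(mode, timedelta(hours=check), timedelta(hours=notify),
                         timedelta(hours=max_checkout))


def validate_settings(s: LeaseSettings) -> List[str]:
    """Return the problems a submit of these settings would have to reject."""
    problems = []
    if s.mode not in (NOTIFY, NOTIFY_AND_CHECKIN):
        problems.append(f"unknown lease expiration mode {s.mode!r}")
    if s.notify_at_least_every < s.check_every:
        problems.append("notification interval must be equal to or greater "
                        "than the check interval")
    if min(s.check_every, s.notify_at_least_every, s.max_checkout) <= timedelta(0):
        problems.append("intervals must be positive")
    return problems


@dataclass
class Lease:
    credential: str
    user: str
    checked_out_at: datetime
    checked_in: bool = False
    last_notified: Optional[datetime] = None


def is_expired(lease: Lease, s: LeaseSettings, now: datetime) -> bool:
    return not lease.checked_in and now - lease.checked_out_at > s.max_checkout


def run_lease_check(leases: List[Lease], s: LeaseSettings, now: datetime) -> List[Tuple[str, str]]:
    """One scheduled pass. Returns the (credential, user) pairs notified in this
    pass. A lease notified less than notify_at_least_every ago is not notified
    again; in NOTIFY_AND_CHECKIN mode an expired lease is also checked in, so it
    never shows up in a later pass."""
    notified = []
    for lease in leases:
        if not is_expired(lease, s, now):
            continue
        due = (lease.last_notified is None
               or now - lease.last_notified >= s.notify_at_least_every)
        if due:
            notified.append((lease.credential, lease.user))
            lease.last_notified = now
        if s.mode == NOTIFY_AND_CHECKIN:
            lease.checked_in = True
    return notified


def simulate(mode: str, hours: int = 24) -> List[Tuple[int, str, str]]:
    """Fire the check every hour (check=1h, notify>=4h, max checkout 8h) for
    `hours` hours and return (hour, credential, user) for every notification."""
    s = settings_from_hours(mode, 1, 4, 8)
    t0 = datetime(2012, 1, 1)
    # Constructed leases: one taken at 00:00, one at 06:00.
    leases = [Lease("db2admin@hr-db", "jdoe", t0),
              Lease("root@web01", "jsmith", t0 + timedelta(hours=6))]
    out = []
    for h in range(hours):
        for cred, user in run_lease_check(leases, s, t0 + timedelta(hours=h)):
            out.append((h, cred, user))
    return out


if __name__ == "__main__":
    for mode in (NOTIFY, NOTIFY_AND_CHECKIN):
        print(mode)
        for hour, cred, user in simulate(mode):
            print(f"  {hour:02d}:00 notify {user}: lease on {cred} expired")
```

In "Notify violation" mode the same expired lease is reported again every four hours until someone checks it in; in "Notify violation and checkin" mode each lease is reported once and closed.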


Customizing the service form template to include the unique identifier (eruri) attribute

Update the managed resource service form template to include a field for the unique identifier that you use to connect to the managed resource.

About this task

You must perform these steps for every service type that you want to configure for shared access. The default forms for services, groups, and accounts are based on the adapter.

You must be a system administrator to perform this task.

Procedure

To add the eruri attribute to the service form template, complete these steps:

1. From the navigation tree, select Configure System > Design Forms. The Design Forms Java applet is displayed.
2. Optional: To open the applet in a separate browser window, click Launch as separate window.
3. In the left pane, double-click the Service category folder to display the object profiles.
4. In the left pane, double-click a profile, such as POSIX Linux profile, to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
5. In the Attribute List box, select the eruri attribute and then click the Add Row icon. The $eruri attribute is added to the form template.
6. Select the $eruri attribute and then click the Editable Text List icon. The $eruri attribute is a multivalue attribute.
7. In the Properties box, type a new label name in the Label field. For example, type Unique identifier. The label name that you type here is displayed in the service form whenever you create or change a service that is based on this profile. For example, the label name is displayed in a POSIX Linux service that you create or change.
8. Click the Save Form Template icon to save the changes, and then click OK.
9. Optional: If you opened the Design Forms Java applet in a separate window, close the window.
10. Click Close to close the Design Forms applet.

What to do next

Create a service instance from the profile, such as POSIX Linux, and complete the new Unique identifier field.


Related tasks:
Setting the service unique identifier
Creating services

Configuring an external credential vault server

Specify the required properties to configure an external credential vault server.

About this task

Configure IBM Security Identity Manager to connect as a credential vault client to an external credential vault server. The external credential vault server provides Key Management Interoperability Protocol (KMIP) services.

You must specify values for settings in several configuration files. You must then configure SSL communication between the client and server.

Procedure

To configure an external credential vault server, complete these steps:

1. Register the secret data provider by editing the properties file ISIM_HOME/data/pim.properties. Specify the name of the provider that implements the SecretDataProvider interface:

   secret.data.provider=com.ibm.itim.pim.credstore.TKLMExternalCredProvider

2. Register the handler that synchronizes credentials between IBM Security Identity Manager and the credential vault server. Edit the properties file ISIM_HOME/data/dataSynchronization.properties to specify or replace the name of the handler class that implements the DirectoryObjectSynch interface for credential objects. See the following entry:

   erCredential=com.ibm.itim.dataservices.synch.CredentialSynchHandler,
   com.ibm.itim.pim.credstore.CVCredentialSynchHandler

   Note: The example is split into multiple lines for readability. In the properties file, enter the values as one continuous line with no space after the comma.

3. Create the CVClient.properties file. Place it in the directory of your choice:
   a. Set the host parameter to the name of the computer that runs the credential vault server.
   b. Set the port parameter to the number of the port on which the credential vault server runs.

   Table 20. Example CVClient.properties file

   protocol=ssl
   host=myCVserver.mySubnet.example.com
   port=19696
   path=/cvsvc/kmip.html
   debug=all
   debug.output.file=logs/kmip/tklm_debug.log
   Audit.event.outcome=success,failure
   Audit.eventQueue.max=0
   Audit.handler.file.name=logs/kmip/audit/tklm_audit.log
   Audit.handler.file.size=10000
   Audit.event.types=runtime,authorization,authorization_terminate,resource_management,key_management

4. Edit the file ISIM_HOME/data/cvserver.properties. Set the KMIPConfigProperties property to the location where you placed the CVClient.properties file. For example:

   KMIPConfigProperties=/opt/cvserver/CVClient.properties

   You do not have to specify values for other properties in cvserver.properties. See Table 21 for a description of the optional properties.

Table 21. Optional properties in cvserver.properties

javax.net.ssl.trustStore
    Specifies the name and location of the truststore file for Secure Socket Layer (SSL) transactions. This value corresponds to the clientTrust file that was generated during the credential vault server configuration. Example:
    javax.net.ssl.trustStore=/opt/cvserver/trustStore.jks

javax.net.ssl.trustStorePassword
    Specifies the password for accessing the truststore file. Example:
    javax.net.ssl.trustStorePassword=password

javax.net.ssl.keyStore
    Specifies the name and location of the keystore file for Secure Socket Layer (SSL) transactions. This value corresponds to the clientStore file that was generated during the credential vault server configuration. Example:
    javax.net.ssl.keyStore=/opt/cvserver/keyStore.jks

javax.net.ssl.keyStorePassword
    Specifies the password for the keystore file. Example:
    javax.net.ssl.keyStorePassword=password

javax.net.ssl.keyStoreType
    Specifies the type of truststore that is specified for javax.net.ssl.trustStore. Example:
    javax.net.ssl.trustStoreType=jks

See Table 22 for an example of the cvserver.properties file with optional properties specified.

Table 22. Example KMIP properties file

KMIPConfigProperties=/opt/cvserver/CVClient.properties
javax.net.ssl.trustStore=/newcerts/clientTrust
javax.net.ssl.trustStorePassword=myPassw0rd
javax.net.ssl.keyStore=/newcerts/clientStore
javax.net.ssl.keyStorePassword=myPassw0rd
javax.net.ssl.keyStoreType=jks
javax.net.ssl.trustStoreType=jks

5. Configure SSL on the computer that hosts the credential vault client, and on the computer that hosts the credential vault server. The WebSphere Application Server servers on each computer must trust each other.
   Configure SSL on the computer where the credential vault client is deployed. For example, you can have an IBM Security Identity Manager server that is deployed as a credential vault client on one computer, and have the credential vault server deployed on a second computer. In this example, complete the following steps on the computer that hosts the IBM Security Identity Manager server:
   a. Log in to the WebSphere Application Server administrative console.
   b. Select Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
   c. Click Retrieve from Port.
   d. In the Host and Port fields, enter information for the external credential server.
   e. In the Alias field, enter an alias name.
   f. Click Retrieve signer information and then click OK.
   g. Save the configuration changes and restart WebSphere Application Server.

6. Configure SSL on the computer where the external credential vault server is deployed.
   In a WebSphere Application Server cluster environment, each of the nodes can be scoped to different SSL settings. Therefore, you must update the truststore for each of the nodes. Repeat the following steps for each node:
   a. Log in to the WebSphere Application Server administrative console.
   b. Select Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.
   c. Click Retrieve from Port.
   d. In the Host and Port fields, enter the values for the credential vault server.
   e. In the Alias field, enter an alias name.
   f. Click Retrieve signer information and then click OK.
   g. Update trustStorePath in ISIM_HOME/data/KMIPServer.properties. Edit KMIPServer.properties to set the value for trustStorePath to match the path of NodeDefaultTrustStore. The value of trustStorePath must match the value for the truststore for the node on which the credential vault server is run. The value of NodeDefaultTrustStore is typically the default truststore value, but administrators can change this value. Ensure that you specify the correct path.
      In a cluster environment, each node has a credential vault server installed. However, when your deployment includes an IBM Security Identity Manager server that is outside of the cluster, you configure that IBM Security Identity Manager server to use the credential vault server on only one node within the cluster. To enable use of the credential vault server on a specific node, you must specify trustStorePath to match the value for NodeDefaultTrustStore.
   h. Edit ISIM_HOME/data/KMIPServer.properties to enable the credential vault server to use SSL.
      1) Set KMIPEnableSSL=true. The default value is false.
      2) Set the port to use for SSL communications. For example: KMIPSSLServerPort=19696.

      Note: On the computer that hosts the external credential vault server, the value for the KMIP SSL Server port must match the value that you configured on the computer that hosts the credential vault client. The following values must match:

      Table 23. Configuration settings to enable SSL and specify the port

      Computer 1
          Server (example): The credential vault client. For example, an IBM Security Identity Manager server that acts as client to the credential vault server.
          Configuration file: The KMIP configuration properties file. The file ISIM_HOME/data/cvserver.properties specifies the location of KMIPConfigProperties. For example:
              KMIPConfigProperties=/opt/cvserver/CVClient.properties
          Setting: In this example, the file CVClient.properties specifies the port:
              port=19696

      Computer 2
          Server (example): External credential vault server. For example, a separate installation of IBM Security Identity Manager that is deployed solely to act as the external credential vault server.
          Configuration file: ISIM_HOME/data/KMIPServer.properties
          Setting:
              KMIPEnableSSL=true
              KMIPSSLServerPort=19696

   i. Save the configuration changes and restart WebSphere Application Server.
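A consistency check for the three files this procedure touches, added here as an example and not part of IBM's product: it parses cvserver.properties, CVClient.properties and KMIPServer.properties and reports where the settings that Table 23 says must agree do not. The sample file contents follow Table 20, Table 22 and Table 23; the trustStorePath value is a placeholder, and the paired store/password check goes one step beyond the page.

```python
"""Added example (not IBM code): checks that the client-side and server-side
KMIP settings agree, as Table 23 requires. Inputs are the text of three
properties files; the samples are constructed from Table 20, Table 22 and
Table 23, with placeholder paths and passwords."""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: one key=value (or key:value) per
    line, '#' or '!' comment lines, surrounding whitespace ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java treats the first '=' or ':' as the key/value separator.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_kmip_ssl(cvserver: Dict[str, str], cvclient: Dict[str, str],
                   kmipserver: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the three files are consistent."""
    findings: List[str] = []
    if "KMIPConfigProperties" not in cvserver:
        findings.append("cvserver.properties: KMIPConfigProperties is not set")
    if cvclient.get("protocol") != "ssl":
        findings.append("CVClient.properties: protocol must be ssl")
    if not cvclient.get("host"):
        findings.append("CVClient.properties: host is not set")
    client_port = cvclient.get("port", "")
    if not client_port.isdigit():
        findings.append("CVClient.properties: port is missing or not numeric")
    # KMIPEnableSSL defaults to false, so a missing key means SSL is off.
    if kmipserver.get("KMIPEnableSSL", "false").lower() != "true":
        findings.append("KMIPServer.properties: KMIPEnableSSL must be true")
    server_port = kmipserver.get("KMIPSSLServerPort", "")
    if not server_port:
        findings.append("KMIPServer.properties: KMIPSSLServerPort is not set")
    elif client_port and server_port != client_port:
        findings.append(f"port mismatch: CVClient.properties port={client_port}, "
                        f"KMIPServer.properties KMIPSSLServerPort={server_port}")
    if not kmipserver.get("trustStorePath"):
        findings.append("KMIPServer.properties: trustStorePath must point at "
                        "the node's NodeDefaultTrustStore")
    # Assumption beyond the page: a store named without its password cannot be
    # opened, so the optional javax.net.ssl.* settings are checked in pairs.
    for store in ("javax.net.ssl.trustStore", "javax.net.ssl.keyStore"):
        if store in cvserver and store + "Password" not in cvserver:
            findings.append(f"cvserver.properties: {store} set without {store}Password")
    return findings


# Constructed sample files (placeholder hosts, paths and passwords).
CVSERVER_OK = """\
KMIPConfigProperties=/opt/cvserver/CVClient.properties
javax.net.ssl.trustStore=/newcerts/clientTrust
javax.net.ssl.trustStorePassword=myPassw0rd
"""
CVCLIENT_OK = """\
protocol=ssl
host=myCVserver.mySubnet.example.com
port=19696
path=/cvsvc/kmip.html
"""
KMIPSERVER_OK = """\
KMIPEnableSSL=true
KMIPSSLServerPort=19696
trustStorePath=/path/to/NodeDefaultTrustStore/trust.p12
"""
# Server left at the documented default (SSL off) and on a different port.
KMIPSERVER_BAD = """\
# KMIPEnableSSL not set: the default is false
KMIPSSLServerPort=5696
"""


def run_check(cvserver_text: str, cvclient_text: str, kmipserver_text: str) -> List[str]:
    return check_kmip_ssl(parse_properties(cvserver_text),
                          parse_properties(cvclient_text),
                          parse_properties(kmipserver_text))


if __name__ == "__main__":
    for label, server in (("good", KMIPSERVER_OK), ("bad", KMIPSERVER_BAD)):
        for finding in run_check(CVSERVER_OK, CVCLIENT_OK, server) or ["no findings"]:
            print(f"{label}: {finding}")
```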

Advanced configuration for shared access

You can use advanced configuration tasks to customize shared access as needed to support the use cases in your deployment.

See the following topics:
• “Customization of the checkout operation”
• “Shared access approval and recertification”
• “Customizing the checkout form” on page 70

Customization of the checkout operation

The shared access module supports both synchronous and asynchronous checkout of shared accounts. Synchronous checkout is enabled by default. If you want to use asynchronous checkout, you must enable and configure it.

To enable asynchronous checkout, you must define a global lifecycle operation to start the checkout workflow extension. You must also configure the operation name in the global settings for the shared access module.

IBM Security Identity Manager provides example code that shows you how to complete the configuration. The example shows how to define a checkout operation, with or without an RFI node, that is followed by the checkout extension.

For more information, see the “Shared Access Asynchronous Checkout” example in ISIM_HOME\extensions\6.0\examples\workflow\sa_checkout.

Shared access approval and recertification

You can add an approval process to the default operation for adding credentials to the vault. You can also define a custom workflow to recertify credentials in the vault.


Approval for adding credentials to the vault

The shared access module uses the existing lifecycle operation module to add credentials to the vault. The default operation addCredentialToVault does not include approval, but can be customized to incorporate approval activity.

IBM Security Identity Manager supports a single global operation that is used by all credentials, regardless of the services, service type, or the organizational unit to which the account belongs.

IBM Security Identity Manager provides an example that shows how to add the approval process. For more information, see the “Shared Access Add Credential to Vault Approval” example in ISIM_HOME\extensions\6.0\examples\workflow\sa_addToVault.

Recertification of shared credentials

You can use the shared access module to manage credentials in the vault. Periodically you might want to revalidate the credentials in the vault. By default, credential recertification is not configured. You can configure recertification by defining a lifecycle rule for the account entity type. The rule filters accounts in the vault and starts a custom workflow operation as triggered by schedules.

IBM Security Identity Manager provides an example that shows how to add recertification. The example shows you how to:
• Define a custom workflow to recertify the credentials in the vault
• Define a lifecycle rule to filter the accounts in the vault
• Associate the rule with the custom workflow

In the example custom workflow, the credential is deleted from the vault if the recertification approval activity is rejected by the participant.

For more information, see the example ISIM_HOME\extensions\6.0\examples\workflow\sa_recertifyCerdential.

Customizing the checkout form

You can customize the form that is used for checkout of shared accounts. You can add more attributes to be filled out during checkout. This customization increases individual accountability when credentials are shared.

About this task

You must be a system administrator to complete this task. The checkout form is global for all shared access. When you customize the checkout form, your changes affect checkout for all shared access. Use this procedure to add or remove attributes from the checkout form template.

Procedure

1. Log in to the administration console and select Configure System > Design Forms. The Design Forms Java applet is displayed.
2. Optional: To open the applet in a separate browser window, click Launch as separate window.
3. In the left pane, double-click the “Credential Lease” category folder to select the “Credential Lease” form. Double-click the form to open it in the form designer.
4. Select a custom attribute and then click the Add Row icon to add it to the form.
5. Click the correct icon to select the widget. Specify required attributes for each widget. Also, specify the format and constraints for each attribute.
6. Repeat the previous two steps to add all custom attributes.
7. Click the Save Form Template icon to save the changes. Click OK.
8. Optional: If you opened the Design Forms Java applet in a separate window, close the window.
9. Click Close to close the Design Forms applet.


Chapter 5. Global adoption policies

An adoption policy is used during reconciliation to determine the owner of an account. A global adoption policy is defined for a service type or all service types, for the entire system. Global adoption policies are applicable to all service instances if no adoption policy is defined for the specific service.

The default global adoption policy assigns an account to a user if the account user ID attribute matches the IBM Security Identity Manager user UID attribute. A service-specific adoption policy takes precedence over the global adoption policy.

For information about migration considerations, see Known issues for migrating to Tivoli Identity Manager Version 5.1.

Creating a global adoption policy

You can add a customized rule for generating passwords with the IBM Security Identity Manager Server.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To create a global adoption policy, complete these steps:

Procedure

1. From the navigation tree, select Configure System > Global Adoption Policies.
2. On the Global Adoption Policies page, in the Adoption Policies table, click Create.
3. On the Global Adoption Policies page, on the General page, type a name for your adoption policy. You can add a description also.
4. Click the Service Type tab, and select a specific service type to associate with the policy. You must specify at least one service type for the global adoption policy. You cannot associate more than one global adoption policy with a service type.
5. Click the Rule tab, and specify a custom rule to govern the attributes that the adoption policy uses to match accounts to users. If you choose to define matches, click Add a match field to select the account and user attributes that must match during reconciliation. The user attribute drop-down list provides a few commonly used attribute combinations that can be used when defining the match. For example, a combination is the first letter of the given name plus the family name or the given name plus the first letter of the family name. If your adoption rule is more complex, you can choose the more advanced path by selecting Providing a Script. If you defined matches, the associated scripts are populated for you in the script definition field.

   Important: If you choose to provide a script, the Security Identity Manager Server does not verify that the JavaScript is correct. Verify the JavaScript before using it to define the policy.

6. Click OK to save the changes.
7. On the Success page, click Close. The new global adoption policy is displayed on the Global Adoption Policies page. This global adoption policy can be changed and deleted.
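How adoption resolves once such policies exist, as an added example that is not ISIM code: a service-specific policy beats the global policy for the service type, which beats the built-in default (account user ID equals user uid), and the match expressions GIVEN_INITIAL_SN and GIVEN_SN_INITIAL are this example's own names for the two attribute combinations the Rule tab offers. Users, accounts and the case-insensitive comparison are assumptions of the example.

```python
"""Added example (not ISIM code): account adoption under the precedence this
chapter states. Expression names below are the example's shorthand for the
Rule tab combinations, not ISIM identifiers; sample data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# User-side expressions the Rule tab offers, modelled as functions of a user.
USER_EXPRESSIONS: Dict[str, Callable[[dict], str]] = {
    "uid": lambda u: u["uid"],
    "GIVEN_INITIAL_SN": lambda u: u["givenName"][:1] + u["sn"],  # John Smith -> JSmith
    "GIVEN_SN_INITIAL": lambda u: u["givenName"] + u["sn"][:1],  # John Smith -> JohnS
}


@dataclass
class AdoptionPolicy:
    name: str
    # (account attribute, user expression) pairs; all must match.
    matches: List[Tuple[str, str]]


# Built-in default: the account user ID attribute matches the user's uid.
DEFAULT_POLICY = AdoptionPolicy("default", [("eruid", "uid")])


def policy_for(account: dict, service_policies: Dict[str, AdoptionPolicy],
               global_policies: Dict[str, AdoptionPolicy]) -> AdoptionPolicy:
    """Service-specific policy, then the global policy for the service type,
    then the default."""
    return (service_policies.get(account["service"])
            or global_policies.get(account["serviceType"])
            or DEFAULT_POLICY)


def matches(policy: AdoptionPolicy, account: dict, user: dict) -> bool:
    # Assumption: account user IDs compare case-insensitively, as on AD.
    return all(
        account.get(acct_attr, "").lower() == USER_EXPRESSIONS[expr](user).lower()
        for acct_attr, expr in policy.matches
    )


def reconcile(accounts: List[dict], users: List[dict],
              service_policies: Dict[str, AdoptionPolicy],
              global_policies: Dict[str, AdoptionPolicy]) -> Dict[str, Optional[str]]:
    """Return {account id: owner uid or None}. Accounts that already have an
    owner are left alone (a policy change never re-adopts them). An account
    that matches more than one user stays orphaned: an assumption, since an
    ambiguous rule must not silently hand an account to the wrong person."""
    result: Dict[str, Optional[str]] = {}
    for acct in accounts:
        if acct.get("owner"):
            result[acct["id"]] = acct["owner"]
            continue
        policy = policy_for(acct, service_policies, global_policies)
        owners = [u["uid"] for u in users if matches(policy, acct, u)]
        result[acct["id"]] = owners[0] if len(owners) == 1 else None
    return result


# Constructed sample data.
USERS = [
    {"uid": "jsmith", "givenName": "John", "sn": "Smith"},
    {"uid": "jdoe", "givenName": "Jane", "sn": "Doe"},
    {"uid": "jsmith2", "givenName": "Jim", "sn": "Smith"},  # also JSmith by initial+sn
]
ACCOUNTS = [
    {"id": "a1", "service": "ldap-prod", "serviceType": "LDAP", "eruid": "jdoe"},
    {"id": "a2", "service": "ad-corp", "serviceType": "AD", "eruid": "JaneD"},
    {"id": "a3", "service": "ad-corp", "serviceType": "AD", "eruid": "jsmith"},
    {"id": "a4", "service": "posix-hr", "serviceType": "POSIX", "eruid": "hrsvc", "owner": "jdoe"},
    {"id": "a5", "service": "ad-lab", "serviceType": "AD", "eruid": "jsmith"},
]
# Global policy for every AD service; a service-specific one for ad-corp only.
GLOBAL_POLICIES = {"AD": AdoptionPolicy("AD global", [("eruid", "GIVEN_INITIAL_SN")])}
SERVICE_POLICIES = {"ad-corp": AdoptionPolicy("ad-corp", [("eruid", "GIVEN_SN_INITIAL")])}

if __name__ == "__main__":
    for acct_id, owner in reconcile(ACCOUNTS, USERS, SERVICE_POLICIES, GLOBAL_POLICIES).items():
        print(acct_id, "->", owner or "orphan")
```

Account a3 stays an orphan because the ad-corp policy overrides the global AD rule that would have matched it, and a5 stays an orphan because the global rule matches two users.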

Changing a global adoption policy

An administrator can change a global adoption policy that is defined for a service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

The effect of changes to an adoption policy can be seen when the next reconciliation is run. Changing an existing adoption policy does not affect existing accounts of the specific service or service type. Changes do not affect accounts that are already adopted. Only new and existing orphan accounts are adopted based on the new policy.

To change a global adoption policy, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Global Adoption Policies.
2. In the Global Adoption Policies table, locate and select an adoption policy that you want to change, and then click Change.
3. On the Global Adoption Policies page, modify the information on the General, Service, or Rule pages.
4. Click OK to save the changes.
5. On the Success page, click Close.

Deleting a global adoption policy

An administrator can delete a global adoption policy that is defined for a service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Deleting an existing adoption policy does not affect existing accounts of the specific service type.


To delete a global adoption policy, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Global Adoption Policies.
2. In the Global Adoption Policies table, locate and select an adoption policy that you want to delete, and click Delete.
3. On the Confirmation page, review the adoption policy to be deleted, and click Delete.
4. On the Success page, click Close.


Chapter 6. Post office configuration

The post office provides a mechanism for reducing the number of email notifications a user receives regarding similar tasks in IBM Security Identity Manager.

Overview

You can configure the post office to collect similar notifications over an interval of time. The configuration combines those multiple emails into one notification that is then sent to a user. In the workflow designer, you use the Group E-mail Topic field in each manual activity definition to determine which similar tasks have their email notifications grouped.

Assume that the post office is enabled. If the manual activities that generate notifications have the Use Group E-mail Topic option enabled, the post office intercepts the email notifications that the system generates for those manual activities. The post office holds the notifications for a specified interval. When that interval expires, the post office uses the aggregate email template to aggregate all notifications that have the same Group E-mail Topic value into one email message for each email recipient. The preferred locale of the recipient, which is specified in the Person object, is honored. This process reduces the volume of individual email messages that a user receives for notifications with the same Group E-mail Topic value.

The post office uses the Group E-mail Topic value on the Notification tab of the manual activity configuration page to determine which messages to aggregate together. All notifications that are generated with the same Group E-mail Topic value are aggregated together for the specified collection interval. This field can be any string, but the default is the Activity ID. This field accepts JavaScript and dynamic content tags, provided that the result evaluates to a string.

Assume that the collection interval expires and notifications are aggregated. If there is only one notification for a specified Group E-mail Topic value and email address, that message is sent in its original form. The post office email template is not applied. Although the notification is sent in its original form, the notification is delayed until the post office collection interval expires.

There might be errors while attempting to aggregate the individual emails. In that case, the messages are sent in their original form and an error message is written to the log. Notifications might be delayed, but none are lost. The Test button on the Post Office page is useful for troubleshooting template errors.

Example email notification

The default template generates an email notification similar to this message:

Subject: You have 3 work items requiring your attention.

Body:
You have 3 work items requiring your attention.

Here are the email subjects:
This is subject 1
This is subject 2
This is subject 3

Here are the email message bodies:
This is the text body 1
This is the text body 2
This is the text body 3

The template can consist of any valid dynamic content tag and JavaScript code. In addition, the post office has a set of custom dynamic content tags and JavaScript extensions.

Customizing the post office email template

You can enable or disable the post office and set the time interval that the post office uses to collect messages to aggregate. You can also customize the email template that is used to generate the aggregate message that is sent to the recipients.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

When you enable the post office, the email notifications of activities that use a Group E-mail Topic are stored until the time interval that you specify expires. At that time, the notifications are aggregated into one email message that is sent to the recipients.

The post office email template can use dynamic content. Dynamic content includes dynamic content message tags and JavaScript code. Dynamic content also includes tags that replace variables with other values, or that reference a property to allow translation with the use of a CustomLabels.properties file.

The template is applied to the collection of notification messages that the system holds for a specified Group E-mail Topic value and message recipient. This template can be as simple or as complex as required. The Group E-mail Topic value is set in the workflow designer.

To enable the post office and configure a post office aggregation email template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Post Office. The Post Office page is displayed.
2. On the Post Office page, select the Enable store forwarding check box.
3. In the Collection interval field, type the number of minutes that you want to pass before the post office aggregates the stored email messages and sends them to the recipients. The value of the collection interval must be an integer from 5 to 10080.
4. In the Subject field, type the text to specify the subject of the email notification that is sent as the aggregate message instead of the individual email messages. The subject can consist of plain text and dynamic content tags.


5. In the Plaintext body field, type the text to be displayed in the body of the aggregate message. The content can consist of plain text, dynamic content tags, and JavaScript code. These contents are shown to email recipients that do not see HTML email notifications.

6. In the XHTML body field, type the text to be displayed in the body of the email notification as HTML. The content can consist of plain text, dynamic content tags, and JavaScript code. These contents are shown to email recipients that see HTML email notifications. For the correct aggregation of the XHTML bodies of individual email templates with the post office email aggregation template, use the optional attribute escapeentities on the <JS> tag of the post office XHTML body template and set its value to false. With escaping turned off, whatever the script returns is placed into the XHTML body as markup rather than as escaped text, so use it only for script output that you control. See Sample post office email aggregation template for more details.

7. Click OK to save the changes, and then click Close.

Results

After the next interval expires, the combined notifications are aggregated and sent as one email notification.

What to do next

Test the post office email aggregation template that you created before using it to aggregate email notifications that are sent to activity participants.

Post office dynamic content custom tags

The post office defines a set of custom tags to simplify the creation of the aggregate message template. The aggregate message template is a user interface template for defining how multiple email notifications are displayed in a single email notification for a user.

The following post office dynamic content custom tags can be used to get data:

<POGetAllBodies/>
    Returns a string that contains the text body of each of the original notifications, separated by a newline. For example:
    You have the following ToDo items in Identity Manager.
    Here are the notification bodies <POGetAllBodies/>

<POGetAllSubjects/>
    Returns all subjects from the notifications associated with the aggregate email notification as a string, separated by a newline. For example:
    You have the following ToDo items in Identity Manager.
    Here are the notification subjects. <POGetAllSubjects/>

<POGetEmailAddress/>
    Returns the email address that is the destination for the aggregate email notification as a string with no newline. For example:
    This collection of notifications was sent to <POGetEmailAddress/>.

<POGetNumOfEmails/>
    Returns the number of emails associated with the aggregate email notification as a string with no newline. For example:
    You have <POGetNumOfEmails/> ToDo items in Identity Manager.
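The following example, added here and not part of the product or this guide, simulates the post office behaviour described in the Overview (grouping by Group E-mail Topic and recipient, sending a single notification in its original form, and falling back to the originals plus a log entry when the template fails) together with the four custom tags listed above. The tag names are the page's; the notification shape, the grouping code, the TEMPLATES and the escape flag that plays the role of the escapeentities attribute are assumptions made for the example. The sample notifications are constructed, and one subject deliberately contains markup to show why tag output placed into an XHTML body needs entity escaping.

```javascript
"use strict";
// Added example (not product code): a simulation of post office aggregation.
// Only the <POGet...> tag names come from the guide; NOTIFICATIONS, TEMPLATES,
// groupNotifications, render and flush are assumptions for this example.

// Constructed notifications as the post office would hold them during the
// collection interval. Each carries the Group E-mail Topic of the manual
// activity that produced it.
const NOTIFICATIONS = [
  { to: "alice@example.test", topic: "approvals", subject: "Approve access for bjones", textBody: "Request 1" },
  { to: "alice@example.test", topic: "approvals", subject: "Approve <script>alert(1)</script>", textBody: "Request 2" },
  { to: "alice@example.test", topic: "approvals", subject: "Approve access for cdoe", textBody: "Request 3" },
  { to: "bob@example.test", topic: "approvals", subject: "Approve access for dlee", textBody: "Request 4" },
  { to: "alice@example.test", topic: "reviews", subject: "Recertify role X", textBody: "Request 5" },
];

// Templates in the style of the default aggregate message.
const TEMPLATES = {
  subject: "You have <POGetNumOfEmails/> work items requiring your attention.",
  text: "You have <POGetNumOfEmails/> work items requiring your attention.\n" +
        "Here are the email subjects:\n<POGetAllSubjects/>\n" +
        "Here are the email message bodies:\n<POGetAllBodies/>",
  xhtml: "<p>Sent to <POGetEmailAddress/></p><pre><POGetAllSubjects/></pre>",
};

// The custom tags, each a function of the group being aggregated.
const TAGS = {
  POGetNumOfEmails: g => String(g.messages.length),
  POGetEmailAddress: g => g.email,
  POGetAllSubjects: g => g.messages.map(m => m.subject).join("\n"),
  POGetAllBodies: g => g.messages.map(m => m.textBody).join("\n"),
};

// Entity-escapes tag output before it is placed in XHTML. Subjects and
// bodies come from workflow data, so they are treated as untrusted text.
function escapeEntities(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Expands <POxxx/> tags in a template; an unknown tag is a template error.
function render(template, group, escape) {
  return template.replace(/<(PO\w+)\/>/g, (_, name) => {
    const tag = TAGS[name];
    if (!tag) throw new Error("unknown post office tag <" + name + "/>");
    const value = tag(group);
    return escape ? escapeEntities(value) : value;
  });
}

// Groups held notifications by Group E-mail Topic and recipient.
function groupNotifications(notifications) {
  const groups = new Map();
  for (const n of notifications) {
    const key = n.topic + "\u0000" + n.to;
    if (!groups.has(key)) groups.set(key, { topic: n.topic, email: n.to, messages: [] });
    groups.get(key).messages.push(n);
  }
  return [...groups.values()];
}

// What happens when the collection interval expires: one aggregate message
// per (topic, recipient) group, the original message when a group holds a
// single notification, and the originals plus a log entry when the template
// fails. Nothing is dropped.
function flush(notifications, templates, log = []) {
  const outgoing = [];
  for (const g of groupNotifications(notifications)) {
    if (g.messages.length === 1) {
      outgoing.push({ ...g.messages[0], aggregated: false });
      continue;
    }
    try {
      outgoing.push({
        to: g.email,
        topic: g.topic,
        subject: render(templates.subject, g, false),
        textBody: render(templates.text, g, false),
        xhtmlBody: render(templates.xhtml, g, true),
        aggregated: true,
        count: g.messages.length,
      });
    } catch (err) {
      log.push("post office: " + err.message + " (topic " + g.topic + ", " + g.email + "); sending originals");
      for (const m of g.messages) outgoing.push({ ...m, aggregated: false });
    }
  }
  return outgoing;
}

const demoLog = [];
console.log(JSON.stringify(flush(NOTIFICATIONS, TEMPLATES, demoLog), null, 2), demoLog);
```

The XHTML rendering escapes by default, which is the behaviour you give up when you set escapeentities to false on a <JS> tag; the plaintext rendering does not escape because a text body is not parsed as markup. Replacing the subject template with an unknown tag shows the fallback path: all five originals go out and one error line is logged.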


Post office label and messages properties

Custom labels for interface elements

The labels for post office configuration GUI elements can be customized by editing the following properties contained in the Labels.properties file:
- POST_OFFICE_CONFIG=Post Office Configuration
- POST_OFFICE_PROPERTIES_CUE=Modify Post Office Properties
- POST_OFFICE_PATH=Post Office
- GENERAL_TAB=General
- AGGREGATE_MESSAGE_TAB=Aggregate Message
- ENABLE_STORE_FORWARDING_LABEL=Enable Store Forwarding
- COLLECTION_INTERVAL_LABEL=Collection Interval
- SUBJECT=Subject
- TEXT_BODY=Text Body
- HTML_BODY=XHTML Body
- POST_OFFICE_DONE_ALT=Save post office properties
- POST_OFFICE_CANCEL_ALT=Cancel changes

Custom properties for notification messages

The following properties can be customized for post office notification messages. These properties are the message keys for the dynamic content tags (<RE>) that are included in the default post office template configuration.
- postoffice_subject=You have {0} work items that require your attention.
- postoffice_subject_list=Here are the email subjects:
- postoffice_body_list=Here are the email message bodies:

Post office template extensions

Review usage examples of dynamic content and JavaScript code that can be entered on the Post Office page.

Subject
Identity Manager: You have <POGetNumOfEmails/> work items requiring your attention.

Plaintext body
You have <POGetNumOfEmails/> work items requiring your attention.
The emails are all addressed to: <POGetEmailAddress/>
Here are the email Subjects:
<POGetAllSubjects/>
Here are the email bodies:
<POGetAllBodies/>
Here is the topic fetched using the JavaScript extension:
<JS>
return PostOffice.getTopic();
</JS>
Here is the recipient's email address fetched using the JavaScript extension:
<JS>
return PostOffice.getEmailAddress();
</JS>
Here are the email text bodies fetched using the JavaScript extension:
<JS>
var msgListIterator = PostOffice.getAllEmailMessages().iterator();
var returnString = "\n";
while (msgListIterator.hasNext()) {
    returnString = returnString + msgListIterator.next().getMessage() + "\n";
}
return returnString;
</JS>
Here is the recipient's surname taken from the Person fetched using the JavaScript extension:
<JS>
var person = PostOffice.getPersonByEmailAddress(PostOffice.getEmailAddress());
return "Last: " + person.getProperty("sn")[0] + "\n";
</JS>

XHTML body
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>You have <POGetNumOfEmails/> work items requiring your attention.</title>
</head>
<body>
<POGetNumOfEmails/> notifications have been collected by Identity Manager Post Office
and aggregated below. These indicate you can have up to <POGetNumOfEmails/> work items
requiring your attention.<br />
The notifications were all addressed to: <POGetEmailAddress/><br />
<hr />
Here are the notification Subjects:<br />
<POGetAllSubjects/><br />
<hr />
Here are the notification bodies: <br />
<POGetAllBodies/><br />
<hr />
Here is the topic fetched using the JavaScript extension:
<JS>
return PostOffice.getTopic();
</JS><br />
Here is the email address fetched using the JavaScript extension:
<JS>
return PostOffice.getEmailAddress();
</JS><br />
Here are the email text bodies fetched using the JavaScript extension:
<JS>
var msgListIterator = PostOffice.getAllEmailMessages().iterator();
var returnString = "<br />";
while (msgListIterator.hasNext()) {
    returnString = returnString + msgListIterator.next().getMessage() + "<br />";
}
return returnString;
</JS><br />
Here is the recipient's surname taken from the Person fetched using the JavaScript extension:
<JS>
var person = PostOffice.getPersonByEmailAddress(PostOffice.getEmailAddress());
return "<br />Last: " + person.getProperty("sn")[0] + "<br />";
</JS><hr />
Please take care of these right away. Have a nice day !<br />
IT Dept
</body>
</html>

Post office JavaScript extensions

Use the Mail Application Programming Interface (API) to customize mail content, format, and notification recipients.

Clients who use this API can make notification requests and extend construction of notification messages. The Mail API contains the Mail Client API, which makes notification requests, and the Mail Provider API, which implements notification requests.


The Mail API also contains a post office function that prevents workflow participants from receiving multiple email notifications that have similar content. Similar email messages are stored, combined into a single email notification, and forwarded to a user.

Testing and troubleshooting the post office email template

Test and validate the post office email aggregation template that you created before sending it to an activity participant.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

A post office email aggregation template must already be configured.

About this task

To test the email aggregation template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Post Office.
2. Click Test. The Test email page is displayed.
3. On the Test email page, specify an email address to receive the test message, and then click Test. The email aggregation template is validated, and if successful, a sample email notification is sent to the email address you specified. The email message contains simulated system information, which is supplied by default in the properties file. The message is presented in the post office email template that you created.
4. Click OK to save the changes, and then click Close.

What to do next

If an error message is displayed, correct the content of the field that is indicated in the error, and then click Test again.

The error message describes the problem and includes an approximate line and column number where the error occurred in the message. The value returned is meant to serve as a general pointer to where the problem exists, but it is not an exact location. You cannot include the XHTML body content of the original notifications directly in your aggregation template XHTML body. By default, the post office has no XHTML body aggregation template.

View the sample email notification that you sent to the email address you specified. If necessary, you can make additional changes to the template and test it again.

Modifying the sample email content

You can modify the content of the sample email notifications that are used for testing.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

A post office email aggregation template must already be configured.

About this task

To modify the content of the sample email notification, complete these steps:

Procedure
1. Edit the enRole.properties file.
2. Specify the new enrole.postoffice values, and then save the enRole.properties file. enRole.properties is the name of the properties file, and enrole.postoffice is the prefix of the keys for which you specify values. These key-value pairs reside in the properties file.
3. Restart your application server for the new values to take effect.

Results

The results of this task can be seen only after you test the aggregation template that you created or modified. The new sample email notifications are aggregated and sent to the test email address.

Example

The enRole.properties file contains the following default values:

#############################################################
# Post Office Template Test Configuration
#############################################################
# These are the contents of the emails that will be used
# when the "test" button is used on the Post Office
# configuration page. These 3 emails will be used as the
# content to which the template will be applied.
enrole.postoffice.test.subject1=This is subject 1
enrole.postoffice.test.textbody1=This is the text body 1
enrole.postoffice.test.xhtmlbody1=This is the xhtml body 1

enrole.postoffice.test.subject2=This is subject 2
enrole.postoffice.test.textbody2=This is the text body 2
enrole.postoffice.test.xhtmlbody2=This is the xhtml body 2

enrole.postoffice.test.subject3=This is subject 3
enrole.postoffice.test.textbody3=This is the text body 3
enrole.postoffice.test.xhtmlbody3=This is the xhtml body 3

# The topic to use for the test emails above
enrole.postoffice.test.topic=topic1

# The locale to use for the test emails above
enrole.postoffice.test.locale=en_US

What to do next

Test the new aggregate template by sending it to a test email address.


Enabling the post office for workflow activities

Use the workflow designer to enable post office notifications for workflow activities.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

A workflow activity must exist.

About this task

All email notifications that have the same Group Email Topic are aggregated together with the template and sent to each recipient.

To enable the post office for a workflow activity, complete these steps:

Procedure
1. From the workflow designer, double-click an existing activity to access its Properties page.
2. From the Properties page, click the Notification tab.
3. Select the Use Group Email Topic check box.
4. In the Group Email Topic field, type a value to use to aggregate similar messages.
5. Click OK to save the workflow activity, then click OK to save and exit the workflow designer.

Results

The workflow activity is saved. The next time this workflow is triggered, this change is in effect.


Chapter 7. Form customization

You can create and modify forms for the attributes on the IBM Security Identity Manager interface.

Only individuals who are part of the administrator group can access this feature.

IBM Security Identity Manager provides default forms to create, view, and modify system entities. The form designer allows system administrators to manage all entity forms from one location.

System administrators can customize forms for the following system entities with the form designer:
- Account
- Admin Domain
- Business Partner Organization
- Business Partner Persons
- Credential Lease
- Identity Manager User
- Location
- Organization
- Organizational Unit
- Person
- Role
- Service

Each form category folder has object profiles that represent system entities. Each object profile is associated with a form template.

Default form templates are generated from the configuration of an entity. Form templates have at least one tab and one form element. A tab is a container for grouping form elements. A form element is a system entity attribute. Each tab consists of a label that describes the group and at least one form element. Each form element consists of a label that describes its data and the data input format. Form elements are listed in the order in which the elements are presented on the form.

Customizing form templates

You can use the form designer applet to open form templates, which display required form elements, form element organization, and form element control type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.


About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To open a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.

Results

The form template associated with the object profile is displayed in the middle pane.

What to do next

You can select a form element and right-click to do various actions. Mouse over the icons at the top of the form to get hints about the function of each icon.

Adding tabs to form templates

Use these instructions to add tabs to form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To add a tab to a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. Click Tab > Add Tab. A new tab is displayed in the form template.
4. To name the new tab, click Tab > Rename Tab.
5. Type a name for the new tab in the entry field, and then click OK. The name of the new tab is displayed in the form template.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Renaming tabs on form templates

Use these instructions to rename tabs on form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To rename a tab on a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. Click Tab > Rename Tab.
4. Type a new name for the tab in the entry field, and then click OK. The new name of the tab is displayed in the form template.
5. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Arranging tabs on form templates

Use these instructions to arrange tabs on form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.


About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To move a tab to a different position on a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the tab that you want to move.
4. Select one of the following options:
   - Click Tab > Shift Tab Left to move the tab one position to the left.
   - Click Tab > Shift Tab Right to move the tab one position to the right.
5. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Deleting tabs from form templates

Use these instructions to delete tabs from form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

If a tab contains required attributes, you cannot delete the tab.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To delete a tab from a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the tab that you want to delete.
4. Click Tab > Delete Tab. The tab is removed from the form template.
5. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Adding attributes to form templates

Use these instructions to add attributes to form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To add an attribute to a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Then double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. Select the tab to which you want to add the attribute.
4. In the Attribute List pane, double-click the attribute name that you want to add to the form. The attribute is added to the form.
5. Click Form > Save Form Template, and then click OK when a message indicates that the form template is saved successfully.

What to do next

Continue adding attributes as needed.

Modifying attribute properties

The form element properties section consists of two tabs, Format and Constraint. The Format tab lists all the formatting properties that might or might not be applicable, depending on the input control type defined for the element. Similarly, the Constraint tab lists all available constraints that might or might not be applicable to the input control type defined. If a property or constraint is not applicable, you cannot select or set a value.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

It is possible to combine custom constraints on a single field in a way that makes input impossible. The form designer applet checks for constraint conflicts so that invalid combinations do not occur on a single field.

As a rule, use only one syntax constraint per field, and use only one data typeconstraint per field.

For example, if the Minimum Value exceeds the Maximum Value, and both constraints are placed on the same field, then a conflict exists. If a conflict exists, you must change the values or remove one of the constraints.

To modify the properties of an attribute, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the attribute for which you want to modify properties. The properties of the attribute are displayed in the Properties pane.
4. In the Format tab, change the property to the wanted value. The new property value is displayed, and the changes are reflected in the attribute.
5. In the Constraint tab, select the check box next to the constraint that you want to modify.
6. Enter parameters for any value constraint types.
7. Type a sample value in the field at the bottom of the list of constraint types.
8. Click the Validate and Update Constraints button. The form designer applet notifies you if a conflict between constraints exists. Alternatively, a Pass message is displayed if the value entered is valid according to the constraints used, and if none of the constraints conflict with each other.
9. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.
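The constraint-conflict rule described above (a Minimum Value that exceeds the Maximum Value on the same field can never be satisfied) and the Validate and Update Constraints step are easy to get wrong when constraints are stacked by hand. The following Python script is an added illustration written for this guide; it is not IBM code and does not use any IBM Security Identity Manager API. It models a field's constraints, reports conflicts before any sample value is checked, and then reports either a Pass or the list of constraints the sample breaks. The data type names, the Minimum Length and Maximum Length constraints, and the use of a regular expression as the syntax constraint are assumptions made for the example.

```python
"""Constraint-conflict checker and sample-value validator modelled on the
form designer's Validate and Update Constraints step.
Added illustration for this guide; not IBM code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FieldConstraints:
    """Constraints placed on one form field. Minimum Value, Maximum Value,
    syntax and data type follow the guide; the length constraints and the
    data type names are assumptions for this example."""
    data_type: str = "text"              # assumed: "text" or "integer"
    min_value: Optional[int] = None      # Minimum Value (integer fields)
    max_value: Optional[int] = None      # Maximum Value (integer fields)
    min_length: Optional[int] = None     # assumed Minimum Length (text)
    max_length: Optional[int] = None     # assumed Maximum Length (text)
    syntax: Optional[str] = None         # one syntax constraint, as a regex


def find_conflicts(c: FieldConstraints) -> List[str]:
    """Return the reasons why this combination of constraints can never be
    satisfied. An empty list means the constraints are consistent."""
    conflicts: List[str] = []
    if c.min_value is not None and c.max_value is not None and c.min_value > c.max_value:
        conflicts.append(f"Minimum Value {c.min_value} exceeds Maximum Value {c.max_value}")
    if c.min_length is not None and c.max_length is not None and c.min_length > c.max_length:
        conflicts.append(f"Minimum Length {c.min_length} exceeds Maximum Length {c.max_length}")
    if c.data_type != "integer" and (c.min_value is not None or c.max_value is not None):
        # assumed rule: a value range only makes sense on an integer field
        conflicts.append("Minimum/Maximum Value require the integer data type")
    if c.syntax is not None:
        try:
            re.compile(c.syntax)
        except re.error as err:
            conflicts.append(f"Syntax constraint is not a valid pattern: {err}")
    return conflicts


def validate(c: FieldConstraints, sample: str) -> Tuple[bool, List[str]]:
    """Check a sample value the way the Validate and Update Constraints button
    does: report conflicts first; otherwise report every constraint the value
    breaks, or a single "Pass" when it satisfies all of them."""
    conflicts = find_conflicts(c)
    if conflicts:
        return False, conflicts
    problems: List[str] = []
    if c.data_type == "integer":
        try:
            number = int(sample)
        except ValueError:
            return False, [f"Value {sample!r} is not an integer"]
        if c.min_value is not None and number < c.min_value:
            problems.append(f"Value {number} is below Minimum Value {c.min_value}")
        if c.max_value is not None and number > c.max_value:
            problems.append(f"Value {number} exceeds Maximum Value {c.max_value}")
    if c.min_length is not None and len(sample) < c.min_length:
        problems.append(f"Length {len(sample)} is below Minimum Length {c.min_length}")
    if c.max_length is not None and len(sample) > c.max_length:
        problems.append(f"Length {len(sample)} exceeds Maximum Length {c.max_length}")
    if c.syntax is not None and re.fullmatch(c.syntax, sample) is None:
        problems.append(f"Value {sample!r} does not match syntax {c.syntax}")
    if problems:
        return False, problems
    return True, ["Pass"]


if __name__ == "__main__":
    # constructed sample fields: a TCP port number and a lowercase login name
    port = FieldConstraints(data_type="integer", min_value=1, max_value=65535)
    print(validate(port, "8080"))
    print(validate(port, "70000"))
    conflicting = FieldConstraints(data_type="integer", min_value=10, max_value=5)
    print(validate(conflicting, "7"))   # reported as a conflict, not a value error
    login = FieldConstraints(min_length=3, max_length=8, syntax=r"[a-z][a-z0-9]*")
    print(validate(login, "alice"))
    print(validate(login, "Alice!"))
```

Conflicts are checked before the sample value, which mirrors the guide's advice: a field whose constraints contradict each other rejects every input, so the fix is to change the values or remove a constraint, not to keep trying sample values.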

Changing attribute control types
Control types define the interface for users to input data for that form element. Currently supported control types are CheckBox, Date, DropDown Box, Editable Text List, ListBox, LoginHours, Password, Password Popup, Search Control, Search Match, SubForm, TextField, TextArea, and Umask.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To change the control type of an attribute, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the attribute for which you want to change the control type.
4. Click Attribute > Change To. A list of control types is displayed.
5. Select the wanted control type. For some control types, an editor is displayed.
6. If a control type editor is displayed, enter the wanted parameters, and click OK.
7. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Arranging attributes on form templates
Use these instructions to arrange attributes on form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. After completing and saving any changes to a form template, close the browser. Reopen it before beginning a new procedure if you encounter browser or system performance issues.

To move an attribute to a different position on a form template, complete these steps:


Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the attribute that you want to move.
4. Select one of the following options:
   - Click Attribute > Move Up Attribute to move the attribute up one position.
   - Click Attribute > Move Down Attribute to move the attribute down one position.
5. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Deleting attributes from form templates
Use these instructions to delete attributes from form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To delete an attribute from a form template, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Design Forms. The form designer applet is displayed.
2. In the left pane, double-click the wanted category folder to display the object profiles for the entity type. Double-click the wanted object profile to open the template for that profile. The form template associated with the object profile is displayed in the middle pane.
3. In the middle pane, select the attribute that you want to delete.
4. Click Attribute > Delete Attribute. The attribute is removed from the form template.
5. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

Customizing account form templates for a service instance
You can open a customized account form directly from the service instance.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

You can customize the account form for each service instance. When the form designer applet is launched for customizing the account form at the service instance level, the navigation tree panel is not shown. This session is only for customizing the account form for the specific service instance. For instructions on how to customize the form, see the Customizing form templates sections.

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Note: The custom form for the actual ITIM service is not supported because there is only one ITIM service instance. This account form can be configured at the system level. However, the custom account form is supported for the hosted ITIM service instance because there can be one or more hosted ITIM service instances.

Procedure

To open a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service, and then click Customize Account Form. The form designer applet is started.

Results

The customized account form associated with the service instance is displayed. If there is no customized account form for the service instance, then the form template is displayed.


What to do next

You can select a form element and right-click to do various actions. Mouse over the icons on the top of the form to get hints about the function.

Adding tabs to form templates for a service instance
Use these instructions to add tabs to form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To add a tab to a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Click Tab > Add Tab. A new tab is displayed in the form template.
5. To name the new tab, click Tab > Rename Tab.
6. Type a name for the new tab in the entry field, and then click OK. The name of the new tab is displayed in the form template.
7. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue adding tabs as needed.


Renaming tabs on form templates for a service instance
Use these instructions to rename tabs on form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To rename a tab on a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Click Tab > Rename Tab.
5. Type a new name for the tab in the entry field, and then click OK. The new name of the tab is displayed in the form template.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue renaming tabs as needed.

Arranging tabs on form templates for a service instance
Use these instructions to arrange tabs on form templates for a service instance.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To arrange a tab on a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the tab that you want to move.
5. Select one of the following options:
   - Click Tab > Shift Tab Left to move the tab one position to the left.
   - Click Tab > Shift Tab Right to move the tab one position to the right.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue arranging tabs as needed.

Deleting tabs from form templates for a service instance
Use these instructions to delete tabs from form templates.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To delete a tab from a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be performed on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the tab that you want to delete.
5. Click Tab > Delete Tab. The tab is removed from the form template.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue deleting tabs as needed.

Adding attributes to form templates for a service instance
Use these instructions to add attributes to form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To add an attribute to a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the tab to which you want to add the attribute.
5. In the Attribute List pane, double-click the attribute name that you want to add to the form. The attribute is added to the form.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue adding attributes as needed.

Modifying attribute properties
The form element properties section consists of two tabs, Format and Constraint. The Format tab lists all the formatting properties that might or might not be applicable, depending on the input control type defined for the element. Similarly, the Constraint tab lists all available constraints that might or might not be applicable to the input control type defined. If a property or constraint is not applicable, you cannot select or set a value.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To modify the properties of an attribute, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the attribute for which you want to modify properties. The properties of the attribute are displayed in the Properties pane.
5. In the Format tab, change the property to the wanted value. The new property value is displayed, and the changes are reflected in the attribute.
6. In the Constraint tab, select the check box next to the constraint that you want to modify.
7. Enter parameters for any value constraint types.
8. Type a sample value in the field at the bottom of the list of constraint types.
9. Click the Validate and Update Constraints button. The form designer applet notifies you if a conflict between constraints exists. Alternatively, a Pass message is displayed if the value entered is valid according to the constraints used, and if none of the constraints conflict with each other.
10. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue modifying attributes as needed.


Changing attribute control types
Control types define the interface for users to enter data for that form element. Currently supported control types are CheckBox, Date, DropDown Box, Editable Text List, ListBox, LoginHours, Password, Password Popup, Search Control, Search Match, SubForm, TextArea, TextField, and Umask.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To change the control type of an attribute, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be performed on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the attribute for which you want to change the control type.
5. Click Attribute > Change To. A list of control types is displayed.
6. Select the control type. For some control types, an editor is displayed.
7. If a control type editor is displayed, enter the parameters, and click OK.
8. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue changing the control types of attributes as needed.


Arranging attributes on form templates for a service instance
Use these instructions to arrange attributes on form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To move an attribute to a different position on a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. Select the attribute that you want to move.
5. Select one of the following options:
   - Click Attribute > Move Up Attribute to move the attribute up one position.
   - Click Attribute > Move Down Attribute to move the attribute down one position.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue to arrange attributes as needed.


Deleting attributes from form templates for a service instance
Use these instructions to delete attributes from form templates.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

Procedure

To delete an attribute from a form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Customize Account Form. The form designer applet is started. The form template associated with the service instance is displayed.
4. In the middle pane, select the attribute that you want to delete.
5. Click Attribute > Delete Attribute. The attribute is removed from the form template.
6. Click Form > Save Form Template, and then click OK when a message is displayed, indicating that the form template is saved successfully.

What to do next

Continue deleting attributes as needed.

Removing a customized form template from a service instance
You can remove a customized account form template from a service instance and restore the system account form.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.

Procedure

To remove a customized account form template, complete these steps:
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon next to the service to show the tasks that can be done on the service. Click Delete Custom Account Form. A confirmation page is displayed.
4. Select one of the following options:
   - Click Delete to remove the customized form from the service instance.
   - Click Cancel to return to the Select Service page without removing the customized form.
   A message is displayed to indicate whether the account form was successfully deleted.
5. Click Close to return to the Select Service page.

What to do next

Perform additional service actions.

Resetting form templates
Before saving changes to the form template, you can reset the form template to its original configuration.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Only individuals who are part of the administrator group can access this feature.


About this task

The form designer Java applet does not automatically close and clear from memory after starting. Complete and save any changes to a form template. Close the browser and reopen it before beginning a new procedure if you encounter browser or system performance issues.

To reset the form template to its original configuration, complete these steps:

Procedure
1. In the form designer applet, click Form > Reset Form Template.
2. Click Yes when you are prompted that the changes to the form template will be lost.

Form designer interface
Use the work areas in the form designer applet to design custom forms by doing actions on form templates, tabs, and attributes.

The form designer interface has these work areas:

Menu and toolbar buttons
Use the menu bar and toolbar buttons to do actions on form templates, tabs, and attributes. Place the mouse cursor over a toolbar button to view its function. The following menu items and toolbar buttons are available:

Table 24. Form designer applet menu and toolbar buttons

Form menu
    Click Form to open, save, or reset a form template to the last saved design.
    Open Form Template (toolbar button): Opens the form template that is selected from the form category folders.
    Save Form Template (toolbar button): Saves the form template that is currently open.
    Reset Form Template (no toolbar button): Resets the form template to the last saved design.

Tab menu
    Click Tab to add, rename, delete, or shift a tab left or right in the interface. Tabs are displayed in the Template Attributes work area of the form designer applet. The tab names in the form designer correspond to the tab names in the resulting notebook forms in the IBM Security Identity Manager interface.
    Add Tab (toolbar button): Adds a container for grouping form elements.
    Rename Tab (no toolbar button): Renames an existing tab container.
    Shift Tab Left (toolbar button): Shifts an existing tab container to the left.
    Shift Tab Right (toolbar button): Shifts an existing tab container to the right.
    Delete Tab (toolbar button): Deletes an existing tab from the form template.

104 IBM Security Identity Manager Version 6.0: Configuration Guide

Attribute menu
    Click Attribute to edit, delete, move an attribute up or down in the interface, or change the control type of an attribute. Attributes are displayed in the Template Attributes work area of the form designer applet.
    Edit Attribute (no toolbar button): Edits and configures an attribute.
    Delete Attribute (toolbar button): Removes an attribute from a form template.
    Move Up Attribute (toolbar button): Repositions the attribute up 1 space in the attribute list of the form template.
    Move Down Attribute (toolbar button): Repositions the attribute down 1 space in the attribute list of the form template.
    Change To (no toolbar button): Changes the selected attribute control type to a newly selected control type.

View menu
    Click View to select various interface viewing options, such as floating work areas or viewing the source of the form template.
    Float Attribute List (toolbar button): Moves the attribute list from the form designer to a floating pop-up window.
    Float Property (toolbar button): Moves the property list from the form designer to a floating pop-up window.
    View Source (toolbar button): Opens a pop-up window that displays the XML source for the form template.

Menu.theme menu
    Click Menu.theme to select an interface theme for the form designer applet.
    Default Theme (no toolbar button): Applies the default menu theme to the form designer interface.
    High Contrast, Big Font Theme (no toolbar button): Applies a large font and high contrast colors to the form designer interface.
    High Contrast Theme (no toolbar button): Applies high contrast colors to the form designer interface.

Categories
Use the left pane of the form designer to select a category, such as Account, Organization, or Service. Each form category is associated with object profiles that represent system entities. Each object profile is associated with a form template.

Double-click a category folder to expand the list of available form templates for that category. Loading the list of form templates might take some time. The list of form templates for some categories varies, depending on which service types exist.


Double-click a form template to open it.

Template Attributes
Use the middle pane of the form designer to view and change the active attributes for a selected form template. Right-click the attribute to display the available actions for that attribute.

For example, a Service form template has a $servicename attribute. To change the control type that is associated with an attribute, right-click the attribute and click Change to on the list.

Attribute List
Use this list to view all of the attributes for the selected object that are not currently included on the form. You can sort the list in ascending or descending order, and you can add attributes from this list to the list of active template attributes. For example, an Organization object has additional attributes, such as $postalcode, that you might add to the list of active template attributes.

Properties
Contains Format and Constraint tabs, which specify data type and other parameters for a specific attribute. For example, the data type for a $servicename attribute is Directory String, and it is a required attribute.

Control types used by the form designer
Use control types in the form designer applet to specify how users enter a value for an attribute.

CheckBox

Assigns a single check box as the data gathering field. This control type is typically used for attributes that are Boolean in nature.

Date

Provides a calendar pop-up window that allows users to select the desired date. This control type has additional attributes that can be used to configure the date.

When you select this control type in the form designer applet, the Date Editor page is displayed. You can use the fields in the editor to configure the control type. The Date Editor contains the following fields:

Date Input Type
Select the type of date input for the calendar pop-up window.

Default
Provides a calendar pop-up window and a Never check box. If the user selects the check box, then the attribute value never expires.

Alternative Date
Provides a calendar pop-up window without a Never check box. Use this type if the attribute value must expire at some point in time.


Show Time
Select this check box to include a pop-up window that you can use to view and specify a time.

DropDown Box

Creates a list for an attribute. You must populate the attributes to be contained in the list with one of the following options:

Custom Values
Limits the information that is available in the list on the resulting form. When you select this option, the Select Editor page is displayed. You can use the fields in the editor to configure the control type. The Select Editor contains the following fields and toolbar buttons:

Number of Rows
Type the number of rows to include in the list and press Enter. Use this field to specify the number of rows in the list. If the original list contains more rows than the number that you enter, then the extra rows are removed.

Data Value
Type a data value.

Display Value
Type a display value to display in the list.

Use Blank Row
Select this check box to insert a blank entry into the list.

Add Row
Click to add a row to display in the list.

Delete Row
Click to delete a row from the list.

Use Display Value as Data Value
Click to use the same value that is entered in the Display Value column for the Data Value column.

Use Index as Data Value
Click to use the same value that is in the index for the Data Value column.

Search Filter
Provides a broader range from which to gather information when populating the box. Use an LDAP search filter that assigns a value to an attribute through the use of a search control. When you select this option, the SearchFilter Editor page is displayed. You can use the fields in the editor to configure the control type. The SearchFilter Editor contains the following fields:

Search Base
Select the scope of the search from these options:

org searches the organization of the selected container in the organization tree.
contextual searches the selected organizational unit in the organization tree.


Object Class
Type the name of the LDAP class to search for, such as erNTGlobalGroup. The value for the group field on the resulting form must be erroles.

Attribute
Type the attribute to search for, such as erNTLocalName.

Source Attribute
Type the attribute value to return after the search completes, such as erNTGlobalGroupId.

Filter
Type any additional filter that needs to be applied to the search, such as (objectclass=erNTLocalGroup). The value for the group field on the resulting form must be objectclass=erroles.

Delimiter
Type the delimiter to use to separate attribute values in the resulting form.

Multiple Value
Select this check box to change a dropdown box to a list box in the resulting form. The list box allows users to select more than one value.

Show Query UI
Select this check box to display a search page in the resulting form. When this option is not selected, only search results are displayed in a separate page.

Paginate Results
Select this check box to display the search results across multiple pages.

Editable Text List

Enables the display of multi-value attributes on the user interface. This control type is a list box that displays user-provided information. Users can enter information into the text field and add it to the list box by clicking Add, and they can delete information from the list box by selecting the entry and clicking Delete.

ListBox

Provides a list box for an attribute. The list box contains user-selected data. Users can add one or more items to a list box, and they can delete one or more items from the list box.

Custom Values
Limits the information that is available in the list on the resulting form. When you select this option, the Select Editor page is displayed. You can use the fields in the editor to configure the control type. The Select Editor contains the following fields and toolbar buttons:

Number of Rows
Type the number of rows to include in the list and press Enter. Use this field to specify the number of rows in the list. If the original list contains more rows than the number that you enter, then the extra rows are removed.

Data Value
Type a data value.

Display Value
Type a display value to display in the list.

Use Blank Row
Select this check box to insert a blank entry into the list.

Add Row
Click to add a row to display in the list.

Delete Row
Click to delete a row from the list.

Use Display Value as Data Value
Use the same value that is entered in the Display Value column for the Data Value column.

Use Index as Data Value
Use the same value that is in the index for the Data Value column.

Search Filter
Provides a broader range from which to gather information when populating the box. Use an LDAP search filter to assign a value to an attribute through the use of a search control. When you select this option, the SearchFilter Editor page is displayed. You can use the fields in the editor to configure the control type. The SearchFilter Editor contains the following fields:

Search Base
Select the scope of the search from these options:

org searches the organization of the selected container in the organization tree.
contextual searches the selected organizational unit in the organization tree.

Object Class
Type the name of the LDAP class to search for, such as erNTGlobalGroup. The value for the group field on the resulting form must be erroles.

Attribute
Type the attribute to search for, such as erNTLocalName.

Source Attribute
Type the attribute value to return after the search completes, such as erNTGlobalGroupId.

Filter
Type any additional filter that needs to be applied to the search, such as (objectclass=erNTLocalGroup). The value for the group field on the resulting form must be objectclass=erroles.

Delimiter
Type the delimiter to use to separate attribute values in the resulting form.


Multiple Value
Select this check box to change a dropdown box to a list box in the resulting form. The list box allows users to select more than one value.

Show Query UI
Select this check box to display a search page in the resulting form. When this option is not selected, only search results are displayed in a separate page.

Paginate Results
Select this check box to display the search results across multiple pages.
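The SearchFilter Editor fields described above (for both the DropDown Box and the ListBox control types) end up in an LDAP search filter. The following Python block is an added example, not IBM Security Identity Manager code: it assumes the filter is an AND of the Object Class, the Attribute matched against what the user types, and the extra Filter, escapes the user-typed value per RFC 4515 so that it cannot change the filter's structure, and evaluates the filter against a small constructed directory in place of an LDAP server. The helper names, the sample entries and the group ID values are all made up.

```python
"""Compose and evaluate the LDAP filter behind a SearchFilter control.
Added example, not IBM Security Identity Manager code: how the product joins
the editor fields into one filter is not documented in the guide, so this block
assumes an AND of Object Class, Attribute match and the extra Filter, and runs it
against a small constructed directory instead of a live LDAP server."""
import re

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion, so that
    what a user types in the search control cannot alter the filter's structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def compose_filter(object_class, attribute, user_value, extra_filter=''):
    """Join the SearchFilter Editor fields into one filter; only the user-typed
    value is escaped, the other fields are set by the form designer."""
    return (f'(&(objectclass={object_class})'
            f'({attribute}={escape_filter_value(user_value)}){extra_filter})')

def _parse(text, i=0):
    """Parse the filter component starting at text[i] == '('; return (node, next)."""
    if text[i] != '(':
        raise ValueError('filter component must start with (')
    i += 1
    if text[i] in '&|':
        op, kids, i = text[i], [], i + 1
        while text[i] == '(':
            node, i = _parse(text, i)
            kids.append(node)
        return (op, kids), i + 1
    if text[i] == '!':
        node, i = _parse(text, i + 1)
        return ('!', [node]), i + 1
    end = text.index(')', i)  # an escaped ) never appears raw inside a value
    attr, _, pattern = text[i:end].partition('=')
    return ('=', attr.lower(), pattern), end + 1

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _value_matches(pattern, value):
    """Wildcards come only from an unescaped * in the designer-side filter."""
    regex = '.*'.join(re.escape(_unescape(p)) for p in pattern.split('*'))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _matches(node, entry):
    kind = node[0]
    if kind == '&':
        return all(_matches(k, entry) for k in node[1])
    if kind == '|':
        return any(_matches(k, entry) for k in node[1])
    if kind == '!':
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))

def search(entries, base_dn, filter_text, source_attribute):
    """Return the Source Attribute of each entry under base_dn that matches.
    base_dn models the Search Base choice: the organization (org) or the
    selected organizational unit (contextual)."""
    node, _ = _parse(filter_text)
    return [entry[source_attribute.lower()][0] for entry in entries
            if entry['dn'].lower().endswith(base_dn.lower()) and _matches(node, entry)]

# Constructed sample directory. The class and attribute names are the guide's
# examples (erNTGlobalGroup, erNTLocalName, erNTGlobalGroupId); values are made up.
DIRECTORY = [
    {'dn': 'erntlocalname=Domain Admins,ou=groups,o=example',
     'objectclass': ['erNTGlobalGroup'], 'erntlocalname': ['Domain Admins'],
     'erntglobalgroupid': ['GG-0001']},
    {'dn': 'erntlocalname=Domain Users,ou=groups,o=example',
     'objectclass': ['erNTGlobalGroup'], 'erntlocalname': ['Domain Users'],
     'erntglobalgroupid': ['GG-0002']},
    {'dn': 'erntlocalname=Guests,ou=other,o=example',
     'objectclass': ['erNTLocalGroup'], 'erntlocalname': ['Guests'],
     'erntglobalgroupid': ['LG-0003']},
]

if __name__ == '__main__':
    flt = compose_filter('erNTGlobalGroup', 'erNTLocalName', 'Domain Admins')
    print(flt, search(DIRECTORY, 'o=example', flt, 'erNTGlobalGroupId'))
```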

LoginHours

Defines the hours that a service is available for users to log in to it. Use this control type only on forms for services that support restricted login times, such as a Windows 2000 service.

When you select this control type in the form designer applet, the LoginHours Editor page is displayed. You can use the fields in the editor to configure the control type to default to a specific type of search. The LoginHours Editor contains the following fields:

Time Interval
Select the time interval to be displayed in the resulting form:

One Hour sets the time interval to one-hour blocks.
Mid Hour sets the time interval to half-hour blocks.

Orientation
Select the orientation for the editor that is used to define login times on the resulting form:

Portrait places the days of the week along the X-axis and the time (in half-hour or one-hour blocks) along the Y-axis.
Landscape places the time (in half-hour or one-hour blocks) along the X-axis and the days of the week along the Y-axis.

Password

Provides a text box for an attribute that does not display the information that a user provides. The information is masked on the screen for security.

Password Popup

Opens a window for the user to enter secure information. The information is masked on the screen and provides two text fields to enter the information. This control type is typically used for the shared secret of an individual.


Search Control

Provides a text field search page for the selected attribute, and includes Search and Clear buttons. Users populate the text field by selecting the wanted search result. In the resulting form in the user interface, the Search button opens a search page with the search type already selected, and the Clear button clears the text field.

When you select this control type in the form designer applet, the Search Control Editor page is displayed. You can use the fields in the editor to configure the control type to default to a specific type of search. The Search Control Editor contains the following fields:

Category
Select the category for the search.

Profile
Select the profile to use for the search.

Attribute
Select the attribute to use for the search.

Operator
Select the operator, such as Contains or Equals, that links the Attribute and Value fields together.

Value
Type the value for the attribute.

Type
Select the type of attributes to be returned. A single-value type provides a text field for the user to populate. A multi-value type provides a list box of attributes. In this scenario, users can identify which attributes to search by selecting the attributes that they do not want to include in the search and clicking the Delete button. Deletion removes the selected attributes from the list of searchable attributes.

Search entire organization (current container only if not checked)
Select this check box if you want the search to include the entire organization.

A related control type is the Search Match control type. This type is the Search Control control type with an additional feature that allows automatic searching and populating the list box of an attribute.

Search Match

Similar to the Search Control control type, with an additional feature that allows automatic searching and populating of the list box of an attribute. Users can use the automatic searching feature by typing in the first few letters of the wanted value in the text field and clicking Add. If one result is found, the result is automatically added to the list box. If more than one result is found, a Search Results page is displayed. A user can then select which items to add to the list box.

Provides a text field search page for the selected attribute. Users populate the text field by selecting the wanted search result. In the resulting form, the Search button opens a search page with the search type already selected. The Clear button clears the text field. The Delete button is used to remove a selected item from the list box.

When you select this control type in the form designer applet, the Search Control Editor page is displayed. You can use the fields in the editor to configure the control type to default to a specific type of search. The Search Control Editor contains the following fields:

Category
Select the category for the search.

Profile
Select the profile to use for the search.

Attribute
Select the attribute to use for the search.

Operator
Select the operator, such as Contains or Equals, that links the Attribute and Value fields together.

Value
Type the value for the attribute.

Type
Select the type of attributes to be returned. A single-value type provides a text field for the user to populate. A multi-value type provides a list box of attributes. In this scenario, users can identify which attributes to search by selecting the attributes that they do not want to include in the search and clicking the Delete button. Deletion removes the selected attributes from the list of searchable attributes.

Search entire organization (current container only if not checked)
Select this check box if you want the search to include the entire organization.

A related control type is Search Control.

SubForm

The SubForm control type provides a means to use custom user interfaces for complex multi-valued attributes. Some IBM Security Identity Manager adapters use this control type infrequently.

SubForm is a special control type used to start a Servlet, JSP, or static HTML page from a popup window that opens from a custom IBM Security Identity Manager form. Subforms provide a means to submit an arbitrary number of parameter names and values to a custom Servlet or JSP. Subforms are used to create custom user interfaces for complex multi-valued attributes.


Table 25. SubForm parameters

Parameter: customServletURI
Description: The URI to the Servlet, JSP, or static HTML page to be started from the main form. If a Servlet is implemented and deployed in the default web application for IBM Security Identity Manager, the value for this parameter is the same as the URL-pattern value defined in web.xml in the servlet-mapping tag, without the slash (/). If a JSP is implemented, the value for this parameter is the JSP file name that includes the jsp file extension. This parameter is required on all subforms.
Value: Servlet name or JSP file name, such as sample.jsp

Parameter: Parameter Name
Description: Arbitrary parameter name and value that is included in the HTTP request that starts the resource at customServletURI.
Value: Parameter Value, such as racfconnectgroupservlet

TextArea

Places a text area next to the attribute. A text area is a multiline text field used to gather user input and display data previously gathered.

TextField

Places a text field next to the attribute. A text field is a single-line area used to gather user input or display data previously gathered.

UMask

Allows a user to define UNIX access rights to files and directories.

Properties used by the form designer
Use the Properties page to configure attribute format and constraints.

The Properties page includes the following tabs:

Format
Use this tab to change the format of a form. Available fields in this tab are:

Name
Use this field to add or modify the name of an attribute. This value is the identifier that the form uses to process LDAP attributes.

Data Type
Use this field to add or modify the data type of an attribute, such as Directory String, Distinguished Name, binary code, or another data type.

Label
Use this field to add or modify a user-readable label for the attribute. For example, $homepostaladdress, where the $ (dollar) symbol indicates a key to look up a string in a resource bundle.

Size
Use this field to add or modify the visible width in units of pixels for the following control types: TextField, Password, Search Control, and Search Match. Size represents the number of visible items for the following control types: ListBox and Editable TextList.

Rows
Use this field to add or modify the value used by the TextArea control type to represent the number of visible text lines.

Cols
Use this field to add or modify the value used by the TextArea control type to represent the visible width in average character widths.

Width
Use this field to add or modify the value used by the SubForm control type to represent the width of a pop-up window in units of pixels.

This property is also used by the DropDownBox, EditableTextList, ListBox, SearchControl, and SearchMatch controls to represent the width of their associated combo boxes, in pixels. For EditableTextList and SearchMatch controls, width also determines the width of associated text boxes in pixels.

If width is not specified, it is assumed to be a default of 300 pixels. If the width for these controls is set to 0, the associated combo boxes are not a fixed size and resize dynamically. The size depends on the options added.

Height
Use this field to add or modify the value used by the SubForm control type to represent the height of a pop-up window in units of pixels.

Read-Only on Modify
Select this check box to set an attribute to read-only. Only the label is displayed in the form, and users cannot modify the attribute value.

Direction
Select the direction of text:

inherit displays text in the same direction as the form category to which the attribute belongs
ltr displays text from left to right
rtl displays text from right to left

Hide on Modify
Select this check box to hide the attribute field in the form when the form is in modify state. For example, if you select this check box for the Owner field within a service form, the Owner field is displayed when users create a service. The field is not displayed when users change a service.

Constraints
Use this tab to enter values for constraint fields to guarantee the type of data and the syntax of the data users are allowed to enter in form fields. Custom constraints are field-level data restrictions of various types. When you select a control type of Search Control, Search Match, ListBox, or DropDownBox, all of the constraint fields are disabled, except for the Required constraint.


Required
Select this check box to prevent the form from being submitted unless some value is typed into the field where this constraint is placed.

Validate and Update Constraints
In the field next to the Validate and Update Constraints button, which is at the bottom of the constraint type list, type a sample value for the attribute you selected from the form template layout area and click the Validate and Update Constraints button. This tests the value entered against the constraints activated for the attribute. If the test value you enter complies with all constraints, a message indicates success after you click the Validate and Update Constraints button.

Constraints fall into one of these general categories:

Syntactic constraints
Allow only values that conform to rules that define sequences of characters and structured parts.

E-mail address
Select this check box to guarantee that the syntax of the value supplied on the field where this constraint is placed complies with the following rules:
• Has one @ sign
• Invalid characters, such as < > ( ) . ; " \ [ ] do not occur before the @ sign
• The @ sign must be followed by a valid domain name or IP Address

IP address (IPV4)
Select this check box to guarantee that the value entered in the field where this constraint is placed is a valid IPV4 address of the form 127.0.0.1. The four octets are separated by a dot and none of the octets exceeds 255.

IP address (IPV6)
Select this check box to guarantee that the value entered in the field conforms with the text representation of IP addresses defined in RFC 2373. For example, 0:0:0:0:0:0:0:1 is the loopback IPV6 address. See RFC 2373 for more details.

Domain name
Select this check box to ensure that the value entered in the field where this constraint is placed is compliant with the Windows NT Domain Name syntax. The name must have two leading back-slashes (\\) and can contain up to 15 characters, except for these characters: " / \ [ ] : ; | = , + * ? < >

The name cannot consist solely of periods or spaces.

Invalid characters
Type characters in this field to define characters that are not valid when entered for the field.


DN
Select this check box to guarantee that the value entered in this field conforms with the distinguished name structure. For example, cn=common name, ou=organizational name, o=organization.

Data type constraints
Allow values that occur within a range of characters or numbers.

ASCII-Only
Select this check box to constrain the characters allowed in the field to ASCII.

ASCII7
Select this check box to constrain the characters allowed in the field to ASCII-7.

ASCII8
Select this check box to constrain the characters allowed in the field to ASCII-8.

Integer only
Select this check box to allow only integers in the field.

Numeric
Select this check box to allow only numbers in the field.

Date range
Type a date range to force an ending date to be after a beginning date.

Value constraints
Require a parameter, such as Max Length = 10, where 10 is the parameter to constrain the value by.

Invalid characters
Type characters that are disallowed.

Maximum length
Type a numeric value that constrains the length of the value entered for the field to the number of characters specified.

Minimum length
Type a numeric value that prevents the form from being submitted unless the value entered has at least as many characters as specified by this constraint.

Maximum value
Type a numeric value to set a high end point on the value entered (is at most n).

Minimum value
Type a numeric value to set a low end point on the value entered (is at least n).

Maximum lines
Type a numeric value to guarantee that the value entered on the form does not exceed the maximum number of lines specified (in a multi-line field).

No white space
Select this check box to disallow any white space from being entered on the form.
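The checks behind these constraints can be written out directly. The Python block below is an added example, not the product's own validator: it models the Required, syntactic, data type and value constraints as the guide describes them (Date range, which needs two fields, is left out), and the function names and the way a set of constraints is passed in are assumptions. Applet-side checks are a usability aid and do not replace validation in the component that receives the form data, so the same checks are worth running there as well.

```python
"""Constraint checks modelled on the Constraints tab of the form designer.
Added example, not IBM Security Identity Manager code: the rules follow the
guide's description of each constraint; the product's own validator is not shown."""
import ipaddress
import re

# Characters the guide lists as invalid before the @ sign of an e-mail address.
EMAIL_INVALID_BEFORE_AT = set('<>().;"\\[]')
# Characters the guide lists as not allowed in a Windows NT domain name.
NT_DOMAIN_INVALID = set('"/\\[]:;|=,+*?<>')
# A host name label: letters, digits and hyphens, no hyphen at either end.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# One relative distinguished name component, such as ou=organizational name.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def is_valid_domain(name):
    """Dot-separated host name labels, at most 253 characters in total."""
    return 0 < len(name) <= 253 and all(_LABEL.match(p) for p in name.split("."))

def is_valid_ipv4(value):
    """IPV4 constraint: four octets separated by dots, none above 255."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def is_valid_ipv6(value):
    """IPV6 constraint: the text representation the ipaddress module accepts."""
    try:
        ipaddress.IPv6Address(value)
        return True
    except ValueError:
        return False

def is_valid_email(value):
    """E-mail constraint: one @ sign, none of the listed characters before it,
    a domain name or IP address after it."""
    if value.count("@") != 1:
        return False
    local, host = value.split("@")
    if not local or EMAIL_INVALID_BEFORE_AT & set(local):
        return False
    return is_valid_domain(host) or is_valid_ipv4(host) or is_valid_ipv6(host)

def is_valid_nt_domain(value):
    """Domain name constraint: two leading backslashes, then 1 to 15 characters
    that avoid the listed invalid characters and are not only periods or spaces."""
    if not value.startswith("\\\\"):
        return False
    name = value[2:]
    if not 1 <= len(name) <= 15 or NT_DOMAIN_INVALID & set(name):
        return False
    return name.strip(". ") != ""

def is_valid_dn(value):
    """DN constraint: comma-separated attribute=value components. Commas that
    are escaped inside a value are not handled by this simplified check."""
    return all(_RDN.match(part.strip()) for part in value.split(","))

def _as_number(value):
    try:
        return float(value)
    except ValueError:
        return None

def validate(value, constraints):
    """Return the labels of the constraints that `value` violates; an empty list
    is the success result the Validate and Update Constraints button reports.
    `constraints` maps a Constraints tab label to True (check box), a number
    (length, value and line limits) or a string (Invalid characters)."""
    failed = []
    if constraints.get("Required") and value.strip() == "":
        failed.append("Required")
    if value == "":
        return failed  # an empty field has nothing else to check
    checks = {
        "E-mail address": is_valid_email,
        "IP address (IPV4)": is_valid_ipv4,
        "IP address (IPV6)": is_valid_ipv6,
        "Domain name": is_valid_nt_domain,
        "DN": is_valid_dn,
        "ASCII-Only": lambda v: all(ord(c) < 128 for c in v),
        "Integer only": lambda v: re.fullmatch(r"[+-]?\d+", v) is not None,
        "Numeric": lambda v: re.fullmatch(r"[+-]?\d+(\.\d+)?", v) is not None,
        "No white space": lambda v: not any(c.isspace() for c in v),
    }
    for label, check in checks.items():
        if constraints.get(label) and not check(value):
            failed.append(label)
    if set(constraints.get("Invalid characters", "")) & set(value):
        failed.append("Invalid characters")
    limits = {
        "Maximum length": lambda v, n: len(v) <= n,
        "Minimum length": lambda v, n: len(v) >= n,
        "Maximum lines": lambda v, n: v.count("\n") + 1 <= n,
        "Maximum value": lambda v, n: _as_number(v) is not None and _as_number(v) <= n,
        "Minimum value": lambda v, n: _as_number(v) is not None and _as_number(v) >= n,
    }
    for label, within in limits.items():
        if label in constraints and not within(value, constraints[label]):
            failed.append(label)
    return failed
```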


Properties that change the form designer user interface
IBM Security Identity Manager has properties that determine the interface appearance of the form designer.

In the ui.properties file, these properties change the appearance of the form designer user interface:

express.java.formDesignHeightIE
Height in pixels of the form designer applet for Internet Explorer

express.java.formDesignWidthIE
Width in pixels of the form designer applet for Internet Explorer

express.java.formDesignHeightMZ
Height in pixels of the form designer applet for Mozilla

express.java.formDesignWidthMZ
Width in pixels of the form designer applet for Mozilla


Chapter 8. Managing manual notification templates

Use this task to modify the default email messages displayed for manual services.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You can modify the default messages that are displayed for manual services. By modifying the templates you can apply the changes to any manual service that you create. You do not need to modify the messages each time you create a manual service, unless the service requires a specific message change.

Note: Changes to the notification templates do not affect the messages for existing manual services.

Procedure
1. From the navigation tree, click Configure System > Configure Manual Notification Templates. The Templates page is displayed.
2. Select the operation and click Change. The Template Modify page is displayed.
3. In the Subject field, modify the text to specify the subject of the email notification that is sent. The subject can consist of plain text and dynamic content tags.

4. In the Plaintext body field, modify the text to be displayed in the body of the message. The content can consist of plain text, dynamic content tags, and JavaScript code. These contents are shown to email recipients that do not see HTML email notifications.

5. In the XHTML body field, type the text to be displayed in the body of the email notification as HTML. The content can consist of plain text, dynamic content tags, and JavaScript code. These contents are shown to email recipients that see HTML email notifications.

6. Click OK to save the changes. You are returned to the Templates page.

What to do next

Change the notification template for another operation or click Close to exit.

© Copyright IBM Corp. 2012 119


Chapter 9. Entities management

An entity is a person or object for which information is stored.

While there are many types of system entities, such as policy and workflow, only the following entity types are provided for customization:
• Account
• BPPerson (Business Partner Person)
• BusinessPartnerOrganization
• Organization
• Person
• Service

System administrators can customize existing system entities by selectively mapping entity attributes to custom LDAP class attributes. System administrators can also create new Person and BPPerson (Business Partner Person) custom entities. The administrator associates unique entity names with the standard IBM Security Identity Manager entity types.

Adding system entities
Create new Person and BPPerson entities to associate with a new custom LDAP class.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

When you add a Person or BPPerson type entity, the actual LDAP class that stores the entity must be created before you use this task to add entities.

Custom LDAP classes and their attributes must be created directly within your data store with tools compatible with your LDAP data repository software. Create the classes before associating them with a custom IBM Security Identity Manager entity. After it is created, the class can be associated with a custom IBM Security Identity Manager entity. Map its attributes to IBM Security Identity Manager attributes.

About this task

All LDAP classes, auxiliary and structural, that begin with er are considered IBM Security Identity Manager-managed classes. They are excluded from the list of LDAP classes within the Manage Entities task.

When adding a custom entity, you need to examine the default control type of each attribute. Change it to an appropriate control type from the form customization page. Refer to a standard IBM Security Identity Manager entity of the same entity type as the custom entity to view the control types assigned to the attributes of a standard entity.


To add a custom system entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Entities. The Manage Entities page is displayed.
2. On the Manage Entities page, click Add. The Create Entity wizard is displayed.
3. On the Select Type page, select the entity type that you want to create, and then click Next.
4. On the Entity Detail Information page, complete the following steps:
a. In the Entity name field, type a unique name for the entity.
b. Click Search to find and specify an LDAP class that stores the entity.
c. On the Select LDAP Class page, click Search to display a list of LDAP classes.
d. Select the object class name, and then click OK. The LDAP class field is populated with the object class name that you specified.
e. Click Browse name attributes to find and specify a name attribute. Valid entries for the Name attributes field depend on which LDAP class is selected. The Select Attribute page is displayed, which lists the name attributes of the LDAP class that you selected.
f. On the Select Attribute page, select the name attribute that you want to associate with the new entity, and then click OK. The Name attribute field is populated with the name attribute that you selected.
g. In the Default search attributes list, select the search attributes that you want to add to the entity, and then click Add. Select attributes that are searchable, such as string or numeric type.
h. When you are finished specifying entity information, click Next.
5. On the Attribute Mapping page, map an attribute by completing these steps:
a. Select an attribute in the Identity Manager attribute list.
b. Select an attribute in the Custom LDAP attribute list.
c. Click Map.
d. Optional: To obtain the default mapping, select an attribute pair in the table, and click Reset.
e. When the mapping is complete, click Finish.

Results

A message is displayed, indicating that you successfully created an entity.

What to do next

Perform additional entity management tasks, or click Close.

Changing system entities
View and change the mapping that specifies how an IBM Security Identity Manager entity relates to a custom LDAP class.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You cannot change the entity type due to the associated schema definition. Instead,you must delete the entity and create an entity with the wanted type.

To change an existing entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Entities. The Manage Entities page is displayed.
2. On the Manage Entities page, select the check box next to the entity that you want to modify, and then click Change. The Change Entity notebook is displayed.
3. Click the Entity Detail Information tab or the Attribute Mapping tab.
4. Change the entity and then click OK.

What to do next

A message indicates that you successfully updated the entity.

Perform additional entity management tasks, or click Close.

Deleting system entities
Delete system entities from the IBM Security Identity Manager system.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You cannot delete a system entity if there are dependent units that exist in that entity.

To delete a system entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Entities. The Manage Entities page is displayed.
2. On the Manage Entities page, select the check box next to the entity that you want to delete, and then click Delete. Selecting the check box at the top of this column selects all system entities.
3. On the Confirm page, click Delete to delete the entity, or click Cancel.

Results

A message indicates that you successfully deleted the entity.


What to do next

Perform additional entity management tasks, or click Close.

Customizing role schema
Administrators customize a role schema by adding optional attributes to the IBM Security Identity Manager LDAP and then to the role definition schema (erRole objectclass).

About this task

Procedure
1. Access the IBM Security Identity Manager LDAP.
2. Add new optional type attributes. For example, add the attribute designation. For more information, see LDAP Installation and Configuration Guide.
3. Update the erRole objectclass in the IBM Security Identity Manager LDAP to associate the new attributes. For example, update the erRole objectclass in IBM Tivoli Directory Server by using the Tivoli Directory Server web administrative console and associate the designation attribute with the erRole objectclass. For more information about Tivoli Directory Server, see the IBM Security Identity Manager Information Center.
4. Ensure that the role schema is customized correctly.
5. Ensure that IBM Security Identity Manager and IBM Security Identity Manager LDAP are running.
6. Launch the IBM Security Identity Manager administrative console.
7. Select Configure System > Design Forms.
8. Update the role form template to display the new attribute.

Results

You can view the new attributes on the IBM Security Identity Manager administrative console when viewing the role definitions.

What to do next

You can define, set, modify, save, and restore custom attributes when creating or modifying a role.

Chapter 10. Ownership type management

Ownership types classify the accounts. Use the Manage Ownership Types task to classify ownership types in your organization. If you configure multiple account ownership types, IBM Security Identity Manager prompts users to select the ownership type when requesting a new account or assigning accounts to users.

IBM Security Identity Manager includes the following ownership types:
v Device
v Individual
v System
v Vendor

As an administrator, you can create additional ownership types.

An account can have only one type of ownership. The ownership type depends on the intended use of the account. The type of ownership affects the password management process. For example, password synchronization provides change of password for accounts that have the ownership type "Individual".

Creating ownership types
As an administrator, you can create additional ownership types.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To get access to this task, or to have someone complete this task for you, contact your system administrator.

About this task

To create an ownership type, complete these steps:

Procedure
1. From the navigation tree, click Manage Ownership Types. The Manage Ownership Types page displays the default ownership types. The default ownership types are:
   v Device
   v Individual
   v System
   v Vendor
2. Click Create. The Create Ownership Type page is displayed.
3. Complete the following steps:
   a. At Ownership Type Key, type a custom name for the ownership type.
   b. (Optional) At Description, type a description for the ownership type.
4. Click OK to save the new ownership type.


Results

A message indicates that you successfully created an ownership type. The new ownership type is displayed on the Manage Ownership Types page.

What to do next

Create or modify additional ownership types, or click Close.

Deleting ownership types
When ownership types are no longer valid, administrators can delete all ownership types, except Individual.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To get access to this task, or to have someone complete this task for you, contact your system administrator. An ownership type can be deleted only if it is not associated with any account.

About this task

You cannot delete an ownership type if it is associated with an account.

Procedure
1. From the navigation tree, click Manage Ownership Types to display the page that lists the currently defined ownership types.
2. Select the ownership type you want to delete:
   a. To select a specific one, select the check box next to it.
   b. To select all, click the box at the top of the column.
3. Click Delete. A confirmation page is displayed.
4. On the Confirm page, take one of the following actions:
   a. Click Delete to delete the ownership type.
   b. Click Cancel to stop the deletion process.

Results

A message indicates that you successfully deleted the ownership type. The Manage Ownership Types page no longer displays the deleted ownership type.

What to do next

You can create or delete an ownership type.


Chapter 11. Operations management

You can configure operational workflows for IBM Security Identity Manager system entities and entity types. The out-of-box entity type operations can be customized to implement the security requirements of your organization.

An operation is an action that can be done on an entity. Operations that are defined for a specific entity type are used by all entities of the specified type. However, if an operation is defined for a specific entity, the operation takes precedence over the entity type operation.

System administrators can create new or modify existing operations for entities and entity types.

Operations for the following entity types can be customized:
v Account
v Person
v Business Partner Person

A Person, Business Partner Person, or Account operation applies to any user, business partner user, or account entity unless a customized operation is defined at the entity level.

Add operation
The add operation is initiated any time an add request is submitted for a specified type of entity. For example, an add operation for the person entity type is initiated when a new user is added to the system.

The default workflow for the add operation depends on the type of entity that is added.

The default workflow for Person and Business Partner Person entity add operations uses the createPerson and enforcePolicyForPerson workflow extensions.

The default workflow for the account entity add operation uses the createAccount workflow extension.

Figure 10. Person and Business Partner Person add operation workflow

Figure 11. Account add operation workflow


changePassword operation
The changePassword operation is initiated any time a password change request is submitted for an account entity.

The default workflow for the changePassword operation uses the changePassword workflow extension.

Delete operation
The delete operation is initiated any time a delete request is submitted for a specified type of entity.

The default workflow for the delete operation uses the deletePerson or deleteAccount workflow extension.

Modify operation
The modify operation is initiated any time a request to modify an entity is submitted.

The default workflow for the modify operation depends on the type of entity that is modified.

The default workflow for the account entity uses the modifyAccount workflow extension.

Figure 12. Identity Manager User add operation workflow

Figure 13. changePassword operation workflow

Figure 14. Account delete operation workflow

Figure 15. Person and Business Partner Person delete operation workflow

The default workflow for Person and Business Partner Person uses the modifyPerson and enforcePolicyForPerson workflow extensions.

Restore operation
The restore operation is initiated any time a restore request is submitted for a specified type of entity.

The default workflow for the restore operation uses the restorePerson or restoreAccount workflow extension.

selfRegister operation
The selfRegister operation is used when individuals attempt to add themselves in IBM Security Identity Manager. This operation is available only for a User or Business Partner Person entity.

The default selfRegister operation has these steps:
1. Creating a person entity
2. Verifying that the person entity complies with existing policies

Before you use the selfRegister operation, the start element or the transition line between the start element and the createPerson extension element must have JavaScript code that calculates the container to which the person entity is added. The JavaScript code can be a PostScript in the start element or a custom definition for the transition line.

This diagram illustrates the default workflow for the selfRegister operation.

Figure 16. Account modify operation workflow

Figure 17. Person and Business Partner Person modify operation workflow

Figure 18. Account restore operation workflow

Figure 19. Person and Business Partner Person restore operation workflow

Suspend operation
The suspend operation is initiated any time a suspend request is submitted for a specified type of entity.

The default workflow for the suspend operation uses the suspendAccount or suspendPerson workflow extension. This diagram illustrates the basic suspend operation workflow.

Transfer operation
The transfer operation is initiated any time a transfer request is submitted for a Person or Business Partner Person entity.

The default workflow for the transfer operation uses the transferPerson and enforcePolicyForPerson workflow extensions.

Adding operations for entities
System administrators add entity operations.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Figure 20. selfRegister operation workflow

Figure 21. Account suspend operation workflow

Figure 22. Person and Business Partner Person suspend operation workflow

Figure 23. Person and Business Partner Person transfer operation workflow

About this task

For example, you might define a new operation to recertify a person or account entity. You then specify an approval workflow that either approves or suspends the entity.

To add an operation for an entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Operations. The Manage Operations page is displayed.
2. On the Manage Operations page, select one of the following operation levels:
   v Select Global level to define an operation that is applicable to all entities and entity types. Global operations do not implicitly affect any entities unless they are explicitly started within entity type or entity level operations. Global operations can also be called in a Lifecycle Rule.
   v Select Entity type level to define an operation at the entity type level. Select an entity type from the Entity Type list.
   v Select Entity level to override the operations that are defined at the entity type level. Select an entity type from the Entity Type list, and then select an entity from the Entity list.
3. Click Add. The Add Operation page is displayed.
4. In the Operation Name field, type a name for the workflow operation that you want to define for the corresponding system entity. To override an operation that is defined at the entity type level, enter the operation name that you want to override, and then click Continue. The Define Operation page is displayed, and the workflow designer Java applet is started.
5. In the workflow designer, define the workflow process, and then click OK. To define an operation workflow process, drag the design nodes from the node palette onto the operation design space. Then, connect them with transition lines. After you place a design node on the operation design space, double-click the node to configure its properties. Make sure that all the nodes are connected and all the required properties are set for each node. Ensure that the transition condition is set for each link.

Results

A message indicates that you successfully created an operation for the specified level. Click Close.

What to do next

When the Manage Operations page is displayed, click Refresh to refresh the Operations table and display the new operation.

Changing operations for entities
System administrators can change existing entity operations.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To change an operation for an entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Operations. The Manage Operations page is displayed.
2. On the Manage Operations page, select Global level, Entity type level, or Entity level to list the operations that you want to modify.
3. Select the check box next to the operation that you want to modify, and then click Change. Selecting the check box at the top of this column selects all operations. The Define Operation page is displayed, and the workflow designer Java applet is started.
4. In the workflow designer, modify the operation for the system entity, and then click OK. To define an operation workflow process, drag the design nodes from the node palette onto the operation design space. Then, connect them with transition lines. After you place a design node on the operation design space, double-click the node to configure its properties. Make sure that all the nodes are connected and all the required properties are set for each node. Ensure that the transition condition is set for each link.

Results

A message indicates that you successfully updated the operation for the entity. Click Close.

What to do next

When the Manage Operations page is displayed, click Refresh to refresh the Operations table.

Deleting operations for entities
System administrators can delete an existing entity operation.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Only user-defined operations can be deleted.

To delete an operation for an entity, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Manage Operations. The Manage Operations page is displayed.
2. On the Manage Operations page, select Global level, Entity type level, or Entity level to list the operations that you want to delete.
3. Select the check box next to the operation that you want to delete, and then click Delete. Selecting the check box at the top of this column selects all operations. A confirmation page is displayed.
4. On the Confirm page, click Delete to delete the operation, or click Cancel.

Results

A message indicates that you successfully deleted the operation for the entity. Click Close.

What to do next

When the Manage Operations page is displayed, click Refresh to refresh the Operations table.

Chapter 12. Lifecycle rules management

Lifecycle rules can be used to automate the large number of manual tasks that administrators must perform because of common recurring events. Such events can be account inactivity, password expiration, or contract expiration, which are driven by business policies. Lifecycle rules can also eliminate the potential for some policies to go unenforced.

Overview

Establishing lifecycle rules enables administrators to define events that can be triggered based on a time interval or based on time and matching criteria evaluated against an entity. The administrator can then associate lifecycle operations to run as a result of that event. All lifecycle rules consist of two parts:
v The definition of an event that triggers the rule
v The identification of the lifecycle operation that runs the actions specified in the rule

Each rule can be defined in one of these ways:
v Global
v Associated with an entity type
v Associated with an entity

For global rules, an event is defined by a time interval, for example, once a month, or on every Monday at 8:00 a.m. Global lifecycle rules are independent of any particular system entity. The lifecycle operations that can be invoked by a global rule must also be global in nature because there is no context available to call an entity- or entity type-based operation.

Entity and entity type rules also have an event with a time interval. However, the goal of these rules is to affect multiple entities at one time.

Matching criteria for events

A separate event is triggered for each lifecycle object. To prevent events from occurring for possibly thousands of objects that might not be related to the rule, matching criteria are available for these events.

Without the matching criteria, every object of the specific entity or entity type has the associated lifecycle operation done on it.

With the criteria, only objects that meet the criteria have the operations done. The criteria are defined with LDAP filter syntax. The filter identifies any objects that meet the criteria and causes the event to be triggered for only those objects. If no object matches the filter, the event is not triggered. For example, the criteria might be for any accounts where (erAccountStatus=1), which means the accounts are suspended.


Lifecycle rule filters and schedules
Because the filter is based on attributes, only the attributes associated with the schema of the entity or entity type are accepted.

There might also be the need to include environment data or external data in the filter. For example, you might need to include the current time or a value obtained from a customer database. The inclusion of this data is achieved by allowing macros to be placed in the filter. For example, a filter checking whether a password changed within the last 30 days might read as follows: (erPswdLastChanged>=${system.date - 30}).

Note: Leaving the filter blank returns all entities. Entity relationship macros can be used in lifecycle rule filters.

The interval defined for an event can be constructed from the following options:

Daily
   Triggers the lifecycle event every day. After you select this option, click the clock icon to specify a time in the At this time field.

Weekly
   Triggers the lifecycle event once a week. After you select this option, select a day from the On this day of the week list, and then click the clock icon to specify a time in the At this time field.

Monthly
   Triggers the lifecycle event once a month. After you select this option, select a date from the On this day of the month list, and then click the clock icon to specify a time in the At this time field.

Hourly
   Triggers the lifecycle event once an hour. After you select this option, select a time from the At this minute list.

Annually
   Triggers the lifecycle event on a specific date and time of the year. After you select this option, select a month from the Month list. Then select a date from the On this day of the month list, and then click the clock icon to specify a time in the At this time field.

During a specific month
   Triggers the lifecycle event on a specific month, day, and time. After you select this option, select a month from the Month list. Then select a day from the On this day of the week list, and then click the clock icon to specify a time in the At this time field.

Quarterly
   Triggers the lifecycle event four times per year on a specific day and time of the quarter. The reconciliation will occur on the specified day past January 1, April 1, July 1, and October 1. After you select this option, select a day from the On this day list, and then click the clock icon to specify a time in the At this time field.

Semi-Annually
   Triggers the lifecycle event two times per year on a specific day and time of the half-year. The reconciliation will occur on the specified day past January 1 and July 1. After you select this option, select a day from the On this day list, and then click the clock icon to specify a time in the At this time field.


Note: More than one schedule can be specified.

A lifecycle rule evaluation schedule contains only a reference to a corresponding rule definition. If a lifecycle rule definition changes before the scheduled evaluation starts, the evaluation uses the updated version of the definition. It does not use the rule definition that was originally scheduled.

In this example, a lifecycle rule is created. It checks once a day for accounts with no password changes in 90 days. An email notification is sent to owners of accounts that meet the lifecycle rule search criteria, informing them that they must change their passwords.

First, a lifecycle operation named remindToChangePassword is constructed for the Account entity type. It is defined as an instance-based (not static) operation, and so it has the account object itself as an input parameter. The business logic of the operation is defined with one work order activity that sends the reminder message to the owner of the account. It includes the user ID of the account in the message.

A lifecycle rule is then constructed for the Account Entity Type named passwordExpiration that references the remindToChangePassword operation. It has an event with an evaluation interval of daily at 12:00 A.M. It also has the following filter: (&(erAccountStatus=0)(erPswdLastChanged<=${system.date - 90})).

Lifecycle rule processing
Lifecycle rule operations can take an extended period to finish for the entire result set returned from the evaluation of the lifecycle rule filter.

Completion is primarily due to the time it takes to complete manual workflow activities associated with the operation. A lifecycle rule evaluation might be scheduled or manually initiated to run again before operations that result from the first lifecycle rule evaluation are completed for all targets. The second iteration of the lifecycle rule evaluation identifies those targets that remain in a working state from the original evaluation. The second iteration does not initiate the lifecycle operation again for those targets. It will, however, initiate for any targets it identifies during the lifecycle rule evaluation period that are not in a working state.

For example, a lifecycle rule might discover 100 entities that match its criteria. The rule proceeds to initiate the operation associated with the rule for those 100 entities. Assume that 10 entities are added to the system. Addition occurs after the initial lifecycle evaluation and while the lifecycle rule operation is being applied to the original 100 entities. A second iteration of the lifecycle rule might be initiated before the first iteration is complete. The second iteration skips over any entities that have the operation of the lifecycle rule initiated from the first iteration. The second iteration skips entities until it discovers an entity that matches the lifecycle rule filter evaluation but does not currently have this lifecycle rule (matches on rule name) running against it. In this case, the second iteration discovers and initiates for the 10 new entities that were added.

This behavior is important to understand because there might be occasions where the second iteration of a lifecycle rule might complete before the first iteration. Theoretically, the lifecycle rule evaluation you schedule for 10:00 AM might complete before the lifecycle rule evaluation scheduled for 9:00 AM. Do not assume that a lifecycle rule operation is complete for all relevant targets based upon the completion of a subsequent iteration of the same lifecycle rule. To verify which request items are complete and which items are disregarded, check the audit log of the completed request.
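The ${system.date - N} macro expansion and LDAP filter matching described under "Lifecycle rule filters and schedules", together with the second-iteration skipping described above, as an added Python example that is not IBM code and not part of this guide. It assumes that date attributes such as erPswdLastChanged hold LDAP generalized time, and the account DNs and values are constructed for the example.

```python
import re
from datetime import date, timedelta

# Matches ${system.date}, ${system.date - 90} or ${system.date -90}.
MACRO = re.compile(r"\$\{system\.date(?:\s*([+-])\s*(\d+))?\}")

def expand_macros(filter_text, today):
    """Replace each ${system.date +/- N} macro with the date N days from today.
    Assumption (not stated on the page): date attributes such as erPswdLastChanged
    hold LDAP generalized time (YYYYMMDDhhmmssZ), so a macro expands to midnight
    of the computed day in that format."""
    def replace(match):
        days = int(match.group(2) or 0)
        if match.group(1) == "-":
            days = -days
        return (today + timedelta(days=days)).strftime("%Y%m%d") + "000000Z"
    return MACRO.sub(replace, filter_text)

def parse_filter(text):
    """Parse an LDAP search filter (RFC 4515 subset: &, |, =, <=, >=) into a tree
    of ('&'|'|', [children]) or (op, attribute, value) tuples. Attribute names
    are case-insensitive in LDAP, so they are normalised to lower case."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        kind = text[pos]
        if kind in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (kind, children)
        else:
            end = text.index(")", pos)
            m = re.match(r"([^=<>~]+)(<=|>=|=)(.*)", text[pos:end])
            if m is None:
                raise ValueError("bad comparison: " + text[pos:end])
            result = (m.group(2), m.group(1).strip().lower(), m.group(3))
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict: lower-case attribute name
    -> string). String comparison orders generalized-time values correctly; an
    entry that lacks the attribute never matches a comparison on it."""
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    op, attribute, wanted = tree
    actual = entry.get(attribute)
    if actual is None:
        return False
    if op == "=":
        return actual == wanted
    return actual <= wanted if op == "<=" else actual >= wanted

def evaluate_rule(rule_name, filter_text, entries, today, in_progress):
    """One scheduled evaluation of a lifecycle rule; returns the DNs for which this
    iteration starts the operation. in_progress maps rule name -> DNs whose operation
    from an earlier iteration is still in a working state; as the page describes,
    those are skipped (matched on rule name) and only newly matching targets start."""
    tree = parse_filter(expand_macros(filter_text, today))
    running = in_progress.setdefault(rule_name, set())
    started = []
    for entry in entries:
        if matches(tree, entry) and entry["dn"] not in running:
            started.append(entry["dn"])
            running.add(entry["dn"])  # now in a working state for this rule
    return started

TODAY = date(2012, 6, 1)  # fixed "current date" so the run is reproducible
# The passwordExpiration filter from the page's worked example.
PASSWORD_EXPIRATION_FILTER = "(&(erAccountStatus=0)(erPswdLastChanged<=${system.date - 90}))"
# Constructed sample accounts, not real data. erAccountStatus: 0 = active, 1 = suspended.
SAMPLE_ACCOUNTS = [
    {"dn": "erglobalid=1001,ou=accounts", "eraccountstatus": "0", "erpswdlastchanged": "20120101120000Z"},
    {"dn": "erglobalid=1002,ou=accounts", "eraccountstatus": "0", "erpswdlastchanged": "20120520093000Z"},
    {"dn": "erglobalid=1003,ou=accounts", "eraccountstatus": "1", "erpswdlastchanged": "20110701000000Z"},
    {"dn": "erglobalid=1004,ou=accounts", "eraccountstatus": "0"},  # password never changed
]
# Added after the first evaluation, while operations from that evaluation still run.
NEW_ACCOUNT = {"dn": "erglobalid=1005,ou=accounts", "eraccountstatus": "0", "erpswdlastchanged": "20120115000000Z"}
```

Calling evaluate_rule twice with the same in_progress dict, first on SAMPLE_ACCOUNTS and then on SAMPLE_ACCOUNTS + [NEW_ACCOUNT], starts the operation only for account 1001 and then only for account 1005; a different rule name sees 1001 again, because the skip is keyed on the rule name.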

Lifecycle rule modification
A modification to the filter or operation of a lifecycle rule will not take effect until the next time the lifecycle rule is evaluated.

The lifecycle rule might be actively evaluated by the system when the modification is made. The currently running evaluation continues to use the previous definition of the lifecycle rule until it completes. The workflow might change for the operation while the lifecycle rule is actively being evaluated by the system. The change affects the currently running evaluation at whatever point the change is made. For example, suppose the lifecycle rule filter identifies 50 Persons and the operation of the lifecycle rule is named Recertify. Changing the operation name to CheckPassword does not affect the current iteration of the rule. The change takes place the next time the rule is initiated. However, changing the workflow for the Recertify operation while it is active might result in 25 Persons being processed under the original workflow. The remaining 25 Persons are processed under the new workflow.

Lifecycle rule implementation has a key dependency on having the database contain the scheduling information. Removing, dumping, or otherwise purging the table that contains lifecycle rule scheduling information deactivates the associated lifecycle rules. If these changes occur, you must reconfigure all lifecycle rules and redefine their schedules.

If the operation associated with a lifecycle rule is deleted or renamed, the operation cannot be implemented within the lifecycle rule until the rule is reconfigured.

Note: When you add or modify a lifecycle rule for an entity, the updates you make take effect after the cache times out (10 minutes, by default).

Lifecycle event schema information
IBM Security Identity Manager supplies specific schema attributes that facilitate the creation of lifecycle events.

These attributes are managed by the IBM Security Identity Manager Server and are made available through Data Services and from the lifecycle event interface. The following is the list of additions:
v erPersonItem
   – erCreateDate – Date the person was added to the system
   – erLastStatusChangeDate – Date the state of the person was last changed. The timestamp is updated whenever the person is restored or suspended.
   – erlastoperation – Available for custom use
   – erpswdlastchanged – Date the synchronized password of the person was last changed
v erAccountItem
   – erCreateDate – Date the account was added to the system
   – erLastStatusChangeDate – Date the state of the account was last changed. The timestamp is updated whenever the account is restored or suspended.
   – erlastoperation – Available for custom use

Except for the custom use items, these schema items are managed by the system.

Adding lifecycle rules for entities
Use these instructions to define lifecycle rules for entities.

Before you begin

Only system administrators can perform this task.

About this task

Lifecycle rules trigger operations that are defined in the Manage Operations task. Depending on the type of lifecycle rule, the corresponding operations defined at the level are available.

Lifecycle rules are different from operations. The lifecycle rule that is defined at entity type or entity level does not override the lifecycle rule defined at a higher level. Each level has valid lifecycle events that can run independently based on the schedule that is defined.

To add a lifecycle rule for an entity type, complete these steps:

Procedure1. From the navigation tree, click Configure System > Manage Life Cycle Rules.

The Manage Life Cycle Rules page is displayed.2. On the Manage Life Cycle Rules page, select one of the following lifecycle rule

levels:v Select Global level to define a lifecycle rule that has no entity context.v Select Entity type level to define a lifecycle rule that is applicable to the

entity type. Select an entity type from the Entity Type list.v Select Entity level to define a lifecycle rule that is applicable to a specific

entity instance type. Select an entity type from the Entity Type list, and thenselect an entity from the Entity list.

3. Click Add. The Manage Life Cycle Rules notebook is displayed.4. On the General page of the Manage Life Cycle Rules notebook, complete these

steps:a. In the Name field, type a unique name for the lifecycle rule that you want

to define for the corresponding system entity.b. Optional: In the Description field, type a description for the lifecycle rule.c. From the Operation list, select an operation to be invoked when the event

occurs. Only operations without input parameters are allowed to be run bythe lifecycle rule.

d. Click the Event tab.5. On the Event page of the Manage Life Cycle Rules notebook, complete these

steps:a. In the Search filter field, type an LDAP filter that identifies the objects that

are affected by the event. For example, the following filter captures allactive employees who did not change their passwords in the past 90 days.The capture is calculated from the date that the lifecycle event occurs:(&(employeeType=active)(erPswdLastChanged<=${system.date - 90}))

Chapter 12. Lifecycle rules management 139

      Note: The Search filter is not applicable to global level lifecycle rules because global level lifecycle rules do not have entity context.

   b. Click Add to define a schedule for the lifecycle rule. The Define Schedule page is displayed.

6. On the Define Schedule page, define a schedule for the lifecycle rule to run, and then click OK. The fields displayed depend on the scheduling option that is selected. The new schedule is displayed on the Event page of the Manage Life Cycle Rules notebook.

7. Click OK to save the lifecycle rule and close the notebook.

Results

A message is displayed, indicating that you successfully created a lifecycle rule for the entity. Click Close.

What to do next

When the Manage Life Cycle Rules page is displayed, click Refresh to refresh the Life Cycle Rules table and display the new lifecycle rule.

Changing lifecycle rules for entities

Use these instructions to change lifecycle rules.

Before you begin

Only system administrators can perform this task.

About this task

To change a lifecycle rule for an entity type, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Life Cycle Rules. The Manage Life Cycle Rules page is displayed.

2. On the Manage Life Cycle Rules page, select the check box next to the lifecycle rule that you want to modify, and then click Change. The Manage Life Cycle Rules notebook is displayed.

3. Click the General tab or the Event tab.

4. Make the wanted changes, and then click OK.

Results

A message is displayed, indicating that you successfully updated a lifecycle rule for the entity. Click Close.

What to do next

When the Manage Life Cycle Rules page is displayed, click Refresh to refresh the Life Cycle Rules table.

Deleting lifecycle rules for entities

Use these instructions to delete lifecycle rules.


Before you begin

Only system administrators can perform this task.

About this task

To delete a lifecycle rule for an entity type, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Life Cycle Rules. The Manage Life Cycle Rules page is displayed.

2. On the Manage Life Cycle Rules page, select the check box next to the lifecycle rule that you want to delete, and then click Delete. Selecting the check box at the top of this column selects all lifecycle rules.

3. On the Confirm page, click Delete to delete the lifecycle rule, or click Cancel.

Results

A message is displayed, indicating that you successfully deleted a lifecycle rule for the entity. Click Close.

What to do next

When the Manage Life Cycle Rules page is displayed, click Refresh to refresh the Life Cycle Rules table.

Running lifecycle rules for entities

Use these instructions to run lifecycle rules.

Before you begin

Only system administrators can perform this task.

About this task

Running a lifecycle rule triggers the event immediately instead of running on a defined schedule.

To run a lifecycle rule for an entity type, complete these steps:

Procedure

1. From the navigation tree, click Configure System > Manage Life Cycle Rules. The Manage Life Cycle Rules page is displayed.

2. On the Manage Life Cycle Rules page, select the check box next to the lifecycle rule that you want to run, and then click Run.

3. On the Confirm page, click Run to run the lifecycle rule, or click Cancel.

Results

A message is displayed, indicating that you successfully submitted the lifecycle rule to be run. Click Close.


What to do next

When the Manage Life Cycle Rules page is displayed, click Refresh to refresh the Life Cycle Rules table.

LDAP filter expressions

IBM Security Identity Manager provides a built-in interpreter for general RFC 2254 LDAP filters and for two custom extensions to the filter syntax defined by the RFC.

The first extension provides a notation for variables in LDAP filters that reference IBM Security Identity Manager relationships. These variables resolve to related or connected objects. The second extension provides a notation for variables in LDAP filters that reference a system object and a date keyword that resolve to the current date and time. These two extensions to the LDAP filter syntax are interpreted and evaluated at run time and are known as filter expressions. The filter expressions enable administrators to define filters with dynamic parts that reference useful abstractions in IBM Security Identity Manager. The two types of filter expressions supported are relationship expressions and system expressions.

Relationship expressions

The connection between IBM Security Identity Manager domain objects is given by a relationship.

The owner of an account, for example, is given by the owner relationship. The host service of an account is given by the service relationship. A role of a person is given by the role relationship.

In general:

Target Object relationship Related Object

For example:

Person role Role

Where a person is understood to be related to a role through the role relationship. Relationship expressions in filters provide a way to match up domain objects based on their relationship to other domain objects.


The filter expression syntax consists of an opening dollar sign ($) followed by a left curly brace ({) immediately followed by a relationship name, a dot (.) operator, then an attribute name followed by a right curly brace (}) to close the expression. For example:

(${relationship.attribute}=value)

relationship is the name of a relationship in IBM Security Identity Manager and includes:
v Parent
v Owner
v Organization
v Supervisor
v Sponsor
v Administrator
v Role
v Account
v Service

attribute is any attribute name that is valid for the related object. References to these connections or links between domain objects are often useful in searches. The references are useful in matching during authorization (in ACIs) and in lifecycle management (lifecycle rules) during operation execution.

In ACIs, relationship expressions are used to grant access to domain objects based in part on their relationship to another. For example, an ACI for a person that grants modify with the following relationship expression used as the ACI filter grants permission to all people who have a supervisor with a common name of Jen Jenkins:

(${supervisor.cn}=Jen Jenkins)

Likewise, an ACI for an account that grants search with the following relationship expression used as the ACI filter grants permission to all accounts whose service (host) is named SuSE Server. Access is granted based on the relationship of one object to another.

(${service.erservicename}=SuSE Server)

In lifecycle management, relationship expressions are also used in lifecycle rules to match domain objects based on their relationship to other domain objects. The rules can start the same operation on all matches. For example, a lifecycle rule for a person where the operation is set to suspend, with the following relationship expression used as the rule, effectively suspends all people in the Brokers role (dynamic or static) each time the lifecycle rule runs:

(${role.errolename}=Brokers)

Evaluation of relationship expressions

Relationship expression evaluation can be thought of as answering a yes or no question in four steps.

The steps are as follows:
v What goes in (the expression itself)?
v What is being matched (the target object)?
v What comes out (the connected or related object)?
v Does the related object match the value to the right of the equal sign?

If so, the answer given by the evaluation is yes, and the target object is said to match the relationship expression.

The first column in the following table lists relationship expressions used in a sample filter. The second column lists the type of objects valid for that expression. The third column shows the type of object to which the relationship points.


Table 26. Sample filter relationship expressions

Relationship Expression Target Object Related Object

(${parent.ou}=Sales) Any (except Account) Any container

(${owner.cn}=John Smith) Account Person

(${organization.o}=Marketing) Any (except Account) Organization

(${supervisor.cn}=Jen Jenkins) Any (except Account) Person

(${sponsor.cn}=Pete West) Any (except Account) Person

(${administrator.cn}=Joe Peterson) Any (except Account) Person

(${role.errolename}=Brokers) Any (except Account) Role

(${account.uid}=JUser) Any (except Account) Account

(${service.erservicename}=SuSE Server) Account Service

The evaluation steps are important to keep in mind while composing relationship expressions. Most importantly, the related object type must be known in order to refer to a valid attribute name after the dot (.) operator, to ensure that the expressions are well formed, valid and can produce a match. A view of the LDAP schema is a useful reference here. The system resolves relationship expressions to the first entity that fulfills the filter criteria. The system then queries for all objects that have the relationship specified in the filter for that entity. Be sure to create filters specific enough to return the entity that you intend to target.
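The four evaluation steps above, written out as code. This is an added example, not code from the guide or from the product: it parses the ${relationship.attribute} notation, follows the relationship from a target object to the related object in a small constructed in-memory directory, and compares the named attribute with the value after the equal sign. The DomainObject class, the sample people, account, role and service, and caseIgnore string matching are all assumptions of the example; the relationship names are the ones the guide lists.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the directory: each domain object carries its
# attributes (lower-case names, as the guide's filters spell them) and the
# relationships that point at other domain objects.
@dataclass
class DomainObject:
    kind: str                                   # Person, Account, Role, Service, ...
    attrs: dict = field(default_factory=dict)
    rels: dict = field(default_factory=dict)    # relationship name -> DomainObject

# Relationship names valid in ${relationship.attribute}, from the guide
RELATIONSHIPS = {"parent", "owner", "organization", "supervisor", "sponsor",
                 "administrator", "role", "account", "service"}

# (${relationship.attribute}=value)
REL_EXPR = re.compile(
    r"^\(\$\{(?P<rel>[A-Za-z]+)\.(?P<attr>[A-Za-z0-9_-]+)\}=(?P<value>[^)]*)\)$")


def parse_relationship_expression(expr: str):
    """Step 1, what goes in: returns (relationship, attribute, value) or raises."""
    m = REL_EXPR.match(expr.strip())
    if m is None:
        raise ValueError(f"not a relationship expression: {expr!r}")
    rel = m.group("rel").lower()
    if rel not in RELATIONSHIPS:
        raise ValueError(f"unknown relationship {rel!r}")
    return rel, m.group("attr").lower(), m.group("value")


def matches(expr: str, target: DomainObject) -> bool:
    """Steps 2 to 4: follow the relationship from the target object to the
    related object and compare the named attribute with the value after '='.
    Assumes caseIgnore matching, which most directory string attributes use."""
    rel, attr, wanted = parse_relationship_expression(expr)
    related = target.rels.get(rel)
    if related is None:          # target has no such relationship (an Account has no supervisor)
        return False
    actual = related.attrs.get(attr)
    if actual is None:           # attribute name not valid for the related object type
        return False
    values = actual if isinstance(actual, (list, tuple, set)) else [actual]
    return any(str(v).lower() == wanted.lower() for v in values)


def find_matches(expr: str, objects: dict) -> list:
    """Names of all objects in `objects` that the expression matches."""
    return sorted(name for name, obj in objects.items() if matches(expr, obj))


def sample_directory() -> dict:
    """Constructed sample: a supervisor, a broker, her account and its service."""
    jen = DomainObject("Person", {"cn": "Jen Jenkins"})
    brokers = DomainObject("Role", {"errolename": "Brokers"})
    suse = DomainObject("Service", {"erservicename": "SuSE Server"})
    alice = DomainObject("Person", {"cn": "Alice Adams"},
                         {"supervisor": jen, "role": brokers})
    acct = DomainObject("Account", {"uid": "aadams"},
                        {"owner": alice, "service": suse})
    bob = DomainObject("Person", {"cn": "Bob Brown"})   # no supervisor, no role
    return {"jen": jen, "alice": alice, "bob": bob, "acct": acct,
            "brokers": brokers, "suse": suse}


if __name__ == "__main__":
    directory = sample_directory()
    for e in ["(${supervisor.cn}=Jen Jenkins)",
              "(${role.errolename}=Brokers)",
              "(${service.erservicename}=SuSE Server)",
              "(${owner.cn}=Alice Adams)"]:
        print(e, "->", find_matches(e, directory))
```

Note that an expression that names a relationship the target type does not have (supervisor on an Account) simply never matches; it does not fail. That is why the guide stresses knowing the related object type before choosing the attribute after the dot: a typo there produces a filter that is syntactically fine and matches nothing, which in an ACI means access is silently never granted and in a lifecycle rule means the operation silently never runs.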

Name keyword

One syntax variation for relationship expressions is the inclusion of the special name keyword that appears after the dot (.) operator.

Use of the name keyword after the dot (.) operator refers to the name attribute in a profile. This syntax is a general way to point to an object by name rather than through an explicit attribute name. This generality has the limitation, however, of being useful only in contexts where a profile is known at evaluation time.

For example, assume that you have an ACI for a Lotus Notes account. This ACI grants the ability to modify accounts and uses the following filter:

(${service.name}=SuSE Server)

The name keyword refers to the Lotus Notes service profile name attribute. It is valid to use name in this context. At authorization time (evaluation time), the Lotus Notes service profile is always known, and its name attribute can be resolved. The name keyword is not valid in lifecycle rules because the reference to the name attribute in a specific profile is ambiguous when the lifecycle rule is run. Therefore, the name attribute cannot be resolved.

System expressions

System expressions are used to target domain objects based on generalized time values relative to the current system date.

The system expression syntax has relatively few elements.

System expressions consist of:
v an attribute name
v a relational operator (<= or >=)
v a dollar sign ($) followed by a curly brace ({) immediately followed by the system.date keywords
v a plus or minus arithmetic operator (+/-) followed by a number in days
v a right curly brace (}) to close the expression

For example:

(gmtattributename[<=|>=]${system.date [ + | - ] days})

System expressions resolve to a concrete LDAP filter that is understood by an LDAP directory server or the built-in IBM Security Identity Manager filter interpreter. For example, this filter targets accounts with passwords 90 days or older:

(erpswdlastchanged<=${system.date - 90})

That example can be used in an ACI for accounts that grants read and write access to the password attribute so that users can update their passwords. The same filter can also be used in a lifecycle rule that suspends accounts if the account password was not changed in the last 90 days. This particular filter expression resolves to the following concrete LDAP filter:

(erpswdlastchanged<=200912311200Z)

It is also possible and syntactically valid to express a range of dates as the criteria to match against domain objects. Embed more than one system expression in a composite filter as in the following example:

(&(erpswdlastchanged>=${system.date - 90})(!(erpswdlastchanged>=${system.date - 30})))

The filter matches accounts with passwords that range from 90 to 30 days old. Other combinations and composite filters are useful, depending on how complex the filter must be and how many objects are targeted for a match.
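The resolution step the guide describes, as an added example that is not part of the guide or the product's own interpreter: it rewrites every ${system.date +/- days} in a filter (including the stale-password lifecycle rule filter from the procedure earlier in this chapter) into the GeneralizedTime form shown in the guide's resolved filter, and checks the result before it goes to the directory. The fixed "now" of 2010-03-31 12:00 UTC is constructed so that the 90-day example resolves to the guide's 200912311200Z; the function names and the acceptance of a typographic dash (which is what a filter pasted from a rendered copy of this guide actually contains) are the example's own choices.

```python
import re
from datetime import datetime, timedelta, timezone

# ${system.date}, ${system.date + N}, ${system.date - N}. A filter copied from a
# rendered document may carry an en dash (U+2013) or minus sign (U+2212)
# instead of '-'; accept those rather than leaving the expression unresolved.
SYSTEM_EXPR = re.compile(
    r"\$\{\s*system\.date\s*(?:(?P<op>[+\-\u2013\u2212])\s*(?P<days>\d+))?\s*\}")

# Constructed evaluation time; chosen so the guide's 90-day example resolves
# to its printed value 200912311200Z.
EXAMPLE_NOW = datetime(2010, 3, 31, 12, 0, tzinfo=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime to the minute in UTC, the form the guide shows."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%MZ")


def resolve_system_expressions(filter_text: str, now: datetime) -> str:
    """Replace every ${system.date +/- days} with a concrete GeneralizedTime.
    Nothing else in the filter is touched, so relationship expressions or
    plain assertions pass through unchanged."""
    def repl(m):
        days = int(m.group("days") or 0)            # bare ${system.date} is "today"
        delta = timedelta(days=days)
        when = now + delta if m.group("op") == "+" else now - delta
        return to_generalized_time(when)
    return SYSTEM_EXPR.sub(repl, filter_text)


def check_resolved_filter(filter_text: str) -> bool:
    """Sanity checks before the filter is handed to the directory: no ${...}
    left unresolved and parentheses balanced."""
    if "${" in filter_text:
        return False
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def password_age_filter(max_age_days: int, now: datetime,
                        attr: str = "erpswdlastchanged") -> str:
    """The guide's stale-password filter for any age, already resolved."""
    template = f"({attr}<=${{system.date - {max_age_days}}})"
    return resolve_system_expressions(template, now)


if __name__ == "__main__":
    for f in ["(erpswdlastchanged<=${system.date - 90})",
              "(&(employeeType=active)(erPswdLastChanged<=${system.date - 90}))",
              "(&(erpswdlastchanged>=${system.date - 90})"
              "(!(erpswdlastchanged>=${system.date - 30})))"]:
        resolved = resolve_system_expressions(f, EXAMPLE_NOW)
        print(resolved, "ok" if check_resolved_filter(resolved) else "BAD")
```

The comparison works at the directory because GeneralizedTime strings in UTC sort lexically in date order, so `<=` on the attribute is a date comparison. That also shows why the attribute must hold a generalized time value: a string attribute in some other date layout would compare as text and the rule would match the wrong accounts.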


Chapter 13. Policy join directives configuration

Provisioning policy join directives determine the provisioning parameter values that govern when multiple provisioning policies affect the same account. A join directive defines how to process an attribute when a conflict occurs between provisioning policies. Only the join directives applicable to the selected attribute are displayed.

The entitlement target type also plays a role in how policy join directives resolve which entitlement is granted when conflicts arise between policies. When two or more policies grant similar entitlements, the more specific entitlement takes precedence. For example, one provisioning policy might include an entitlement defined to grant access to a type of service (that is, AIX® named AIX105). The second policy might include an entitlement defined to grant access to a specific instance of that service (that is, AIX). In this case, the more specific entitlement takes precedence.

IBM Security Identity Manager provides several types of join directives. The following table lists and describes each type.

Note: The Union and Intersection types are defined only on multivalued attributes.

Table 27. Join directives

Join Directive Description

Union Combines the attribute values and removes the redundancies.

This join directive is the default parameter for multivalued attributes if no other join directive is specified.

Intersection Only parameter values common to all policies.

Append Appends the textual attribute value defined in one policy to the attribute value defined in another policy.

The APPEND join type was designed for single-valued text attributes such as comment on the winlocal service.

When you join provisioning parameters by using the APPEND join type, all individual values are concatenated into a single string value, with a user-defined delimiter between values. The delimiter can be defined (changed) in the enrolepolicies.properties file, where the current line reads:

provisioning.policy.join.Textual.AppendSeparator=<<<>>>

And Specifies the mathematical AND used on a boolean string that represents a boolean value: TRUE & TRUE = TRUE; TRUE & FALSE = FALSE; FALSE & FALSE = FALSE.

Or Specifies the mathematical OR used on a boolean string that represents a boolean value: TRUE || TRUE = TRUE; TRUE || FALSE = TRUE; FALSE || FALSE = FALSE.

Highest Uses only the highest numeric attribute value from the conflicting policies.

Lowest Uses only the lowest numeric attribute value from the conflicting policies.

Average Averages the numeric attribute values from the conflicting policies and uses the average value.

© Copyright IBM Corp. 2012 147


Bitwise_Or Specifies the mathematical Bitwise OR used on an attribute value that represents a bitstring.

Bitwise_And Specifies the mathematical Bitwise AND used on an attribute value that represents a bitstring.

Precedence_Sequence Uses a user-defined ordering precedence to determine which attribute value to use.

Priority Uses the priority of the policy to determine which attribute value to use. If the conflicting policies have the same priority, then the order in which these conflicting policies are evaluated is random. The evaluation is based on which policy the system retrieves first. For example, two policies have the same priority and define the same attribute with different values. If the attribute uses the 'Priority' join directive type, the attribute value returned by the policy varies based on the system retrieval.

The following table shows each type of service attribute, the corresponding join directives, and the default join directive.

Table 28. Service attributes

Multivalued string or number attribute
    Applicable join directives: UNION, INTERSECTION, PRIORITY, CUSTOM
    Default join directive: UNION

Single-valued string
    Applicable join directives: PRECEDENCE_SEQUENCE, PRIORITY, AND, OR, APPEND, BITWISE_AND, BITWISE_OR, HIGHEST, LOWEST, AVERAGE, CUSTOM
    Default join directive: PRIORITY

Single-valued boolean string
    Applicable join directives: AND, OR, PRIORITY, CUSTOM
    Default join directive: OR

Single-valued integer
    Applicable join directives: HIGHEST, LOWEST, AVERAGE, PRIORITY, PRECEDENCE_SEQUENCE, CUSTOM
    Default join directive: HIGHEST

Single-valued bitstring
    Applicable join directives: BITWISE_AND, BITWISE_OR, PRIORITY, CUSTOM
    Default join directive: BITWISE_OR

Note: Custom join directives can be defined by using Java. Administrators can use custom join directives to change the built-in join logic completely.

Customizing policy join behavior

You can customize join directive behavior for your provisioning policies for each attribute based on service type.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

IBM Security Identity Manager provides several types of join directives. You can extend existing join directive functions, or you can create your own.


You can define custom join directives by writing a custom Java class and adding it to the classpath of your application server. Provide the fully qualified Java class name in the policy configuration interface when you set a join directive for an attribute.

If you are extending or replacing one of the existing join directive classes, in addition to the tasks above you must add the custom property key and value to the enrolepolicies.properties file. For example, if you developed a new class such as com.abc.TextualEx to replace the existing class for textual joins, the registration line is similar to the following example:

provisioning.policy.join.Textual= com.abc.TextualEx

Procedure

1. From the navigation tree, select Configure System > Configure Policy Join Behaviors. The Policy Join Behavior table for configuring provisioning policy join directives is displayed as two panes in the window.

2. In the Policy Join Behavior window, click Service Type to select from a list of available services, such as ITIMService.

3. Select one of the attributes for the type. The right pane displays the name, description, and applicable join directives of the selected attribute.

4. Click Join Directive in the right pane to configure provisioning policy precedence by selecting one of the listed join directives. The following values can apply, depending on the attribute you select:

   Union
       Specifies the attribute values and removes the redundancies. This join directive is the default if no other join directive is specified.

   Intersection
       Specifies only parameter values that are common to all policies.

   Priority
       Uses the priority of the policy to determine which attribute value to use. If the conflicting policies have the same priority, the first policy found by the system is used.

   OR
       Specifies the mathematical OR used on a boolean string that represents a boolean value: TRUE || TRUE = TRUE; TRUE || FALSE = TRUE; FALSE || FALSE = FALSE.

   AND
       Specifies the mathematical AND used on a boolean string that represents a boolean value: TRUE & TRUE = TRUE; TRUE & FALSE = FALSE; FALSE & FALSE = FALSE.

   Append
       Appends the textual attribute value defined in one policy to the attribute value defined in another policy.

       The APPEND join type is used on single-valued text attributes (such as comment on the WinNT service).

       When joining provisioning parameters with the APPEND join type, all individual values are concatenated into a single string value with a user-defined delimiter between them. The delimiter can be defined (changed) in the enrolepolicies.properties file, where the current line reads:

       provisioning.policy.join.Textual.AppendSeparator=<<<>>>

   Bitwise OR
       Specifies the mathematical Bitwise OR used on a bitstring.

   Bitwise AND
       Specifies the mathematical Bitwise AND used on a bitstring.


   Highest
       Uses the highest numeric attribute value from the conflicting policies.

   Lowest
       Uses the lowest numeric attribute value from the conflicting policies.

   Average
       Averages the numeric attribute values from the conflicting policies and uses the average value.

   Precedence sequence
       Uses a user-defined ordering precedence to determine which attribute value to use.

   Custom
       Defines a custom join directive with Java. Custom join directives provide administrators with the ability to completely change the built-in join logic. Enter the fully qualified Java class name of the custom join directive class you created for the attribute.

5. Click Compliance Alert Rule to configure a compliance alert rule that specifies when compliance alerts are sent. To configure a compliance alert rule, select one of the following options:

   Numeric Order (higher value generates alert)
       Select this option if you want to generate a compliance alert before sending a higher attribute value to the managed resource. Use this option if the attribute value was increased as a result of a provisioning policy evaluation. If the attribute value was decreased as a result of the evaluation, the attribute value is automatically sent to the managed resource. No alert is generated.

   Numeric Order (lower value generates alert)
       Select this option if you want to generate a compliance alert before sending a lower attribute value to the managed node. Use this option if the attribute value was decreased as a result of a provisioning policy evaluation. If the attribute value was increased as a result of the evaluation, the attribute value is automatically sent to the managed resource and no alert is generated.

   Never generate alert
       Select this option if you do not want to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. Because no compliance alert is generated, the new attribute value is automatically sent to the managed resource.

   Always generate alert
       Select this option if you want to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. The participant must accept the new attribute value before it is sent to the managed resource. This value is the default for attributes that have a single value.

   Precedence sequence
       Select this option if you want higher values in the list to be considered more privileged than lower values. When a provisioning policy evaluation leads to assignment of a higher attribute value, the attribute value is sent to the managed resource. No compliance alert is generated. If the attribute value is decreased as a result of the evaluation, a compliance alert is generated. Then, the attribute value is sent to the managed resource.


       Note: When you select this option, you can select Move Up, Move Down, Delete, or Add to organize your precedence sequence.

6. Click Save to save the changes.

Account validation logic

Account validation logic provides information about a collection of validation rules that affect a joined set of parameter values after the policy join rules are applied.

Allow and deny parameter unions

An allowing set of parameter values is a union of the following elements:
v Mandatory constant parameter values (except null)
v Optional constant parameter values (except null)
v Non-negated regular expressions with optional enforcement
v Excluded null value

A denying set of parameter values is a union of the following elements:
v Non-negated regular expressions with excluded enforcement
v Excluded constant values (except null)
v Null value with optional, mandatory, or default enforcement

Note: Negated regular expressions (for example, match everything except a given word) can be difficult to create manually. Optional and excluded parameters complement each other; use these types of parameters whenever possible.

Null parameter values

A null mandatory parameter value means that all values on the corresponding attribute of a new or existing account are disallowed except those values that any other valid values permit. When any attribute values on an existing account are denied by a null mandatory parameter, such values are automatically removed.

A null default or optional parameter value means that all values on the corresponding attribute of a new or existing account are disallowed, except those values that any other allowing values permit. Currently set values are not removed.

A null excluded parameter means that all attribute values are allowed on the corresponding attribute of a new or existing account except those values denied by any other denying parameter value.

Effects of governing parameter values on a single-valued attribute

Parameter values for a single-valued attribute can be qualified with mandatory or default enforcement only.

A mandatory parameter value means that the attribute must always have only the indicated value. Any change to the governing mandatory parameter value is automatically reflected on the attribute of the affected account. Removal of a mandatory parameter value from a governing entitlement can cause a value to be automatically changed on a corresponding attribute if no other mandatory parameter governs the same attribute.

A default parameter value is used in provisioning of new accounts. Attribute values governed by a default parameter can be changed at any time to any other value from the allowing parameter set. Removal of a default parameter value from a governing parameter does not cause a value to be removed from a corresponding attribute unless, through a parameter join rule, another mandatory parameter now governs the same attribute.

Effects of governing parameter values on a multivalued attribute

Parameter values for a multivalued attribute can be qualified with mandatory, default, optional, and excluded enforcement types.

A mandatory parameter value means that the corresponding attribute must always have this value. The addition of any new mandatory value (except null) causes this value to be added automatically to all existing accounts. The removal of an existing mandatory parameter value (except null) automatically causes removal of this value from the attribute unless another allowing parameter exists for the same value. Any change to a mandatory parameter value is equivalent to one remove and one add operation.

A non-null, default parameter value is effective only in provisioning of new accounts. Corresponding attribute values can be changed later to any other value from the allowing set. The addition of any new default parameter value (except null) has no effect on an otherwise compliant attribute. The removal of a default parameter value (except null) does not cause removal of the value from the corresponding attribute unless another allowing (non-default) parameter for the same value exists.

Optional parameter values

Optional parameter values can be defined as a constant or a regular expression.

The addition of any new optional constant parameter value (except null) does not affect an otherwise compliant attribute. The removal of an optional constant parameter value (except null) can cause removal of the value from the corresponding attribute unless another allowing parameter permits the same value. Any change to an optional constant parameter value is equivalent to one remove and one add operation.

The addition of any new optional regular expression has no effect on an otherwise compliant attribute. The removal or change of an optional regular expression can cause the removal of attribute values on an otherwise compliant attribute unless another allowing parameter for the same value exists.

Excluded parameter values

Excluded parameter values can be defined as a constant or a regular expression. Parameter values with excluded enforcement are enforced only in the context of an implicit wildcard entitlement.

The addition of any new excluded constant parameter value can cause removal of the value from the corresponding attribute unless another allowing parameter exists for the same value. The removal of an excluded constant parameter value (except null) has no effect on an otherwise compliant attribute. Any change to an excluded constant parameter value is equivalent to one remove and one add operation.

The addition of any new excluded regular expression can cause the removal of attribute values on an otherwise compliant attribute unless another allowing parameter for the same value exists. Any removal or change of an excluded regular expression has no effect on an otherwise compliant attribute.

Allowed over denied precedence rule

If an attribute value is allowed and denied at the same time by the presence of conflicting parameter values, the allowing parameter value takes precedence over the denying parameter value.


Implicit wildcard attribute entitlement

To help you create default grant-all policies easily, an implicit wildcard attribute entitlement is used. An implicit wildcard for an attribute exists if no single allowing parameter value defined on the attribute exists, and therefore all values are allowed minus any excluded (denying) parameter values. Removal of the last parameter for a given attribute reinstates the implicit wildcard.
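The allow set, deny set, null-value rules, allowed-over-denied precedence and implicit wildcard described in this section, modelled as one small validator for a multivalued attribute. This is an added example and not the product's validation code; it is one reading of the rules above, built from constructed parameter values. The Param class, the treatment of an excluded null value as a wildcard (so that "all values are allowed except those denied" still holds), and the regular-expression form (Python fullmatch) are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One provisioning parameter value: a constant or a regular expression, with
# one of the four enforcement types. value=None stands for the null value.
@dataclass(frozen=True)
class Param:
    value: Optional[str]
    enforcement: str          # "mandatory" | "default" | "optional" | "excluded"
    is_regex: bool = False


def _hits(p: Param, v: str) -> bool:
    """Does this parameter value cover attribute value v? Null covers everything."""
    if p.value is None:
        return True
    if p.is_regex:
        return re.fullmatch(p.value, v) is not None     # assumption: Python regex, whole value
    return p.value == v


def is_allowing(p: Param) -> bool:
    """Allowing set: mandatory, default and optional constants (not null) and
    non-negated regular expressions with optional enforcement."""
    if p.value is None:
        return False
    if p.is_regex:
        return p.enforcement == "optional"
    return p.enforcement in ("mandatory", "default", "optional")


def is_denying(p: Param) -> bool:
    """Denying set: excluded constants and regular expressions, plus the null
    value with mandatory, default or optional enforcement."""
    if p.value is None:
        return p.enforcement in ("mandatory", "default", "optional")
    return p.enforcement == "excluded"


def has_wildcard(params) -> bool:
    """Implicit wildcard: no allowing parameter at all. An excluded null value
    ("everything allowed except the denied values") is modelled the same way."""
    if any(p.value is None and p.enforcement == "excluded" for p in params):
        return True
    return not any(is_allowing(p) for p in params)


def value_compliant(v: str, params) -> bool:
    """Allowed over denied: a value some allowing parameter covers stays even if a
    denying parameter also covers it. Otherwise it survives only under a
    wildcard, and only if nothing denies it."""
    if any(is_allowing(p) and _hits(p, v) for p in params):
        return True
    denied = any(is_denying(p) and _hits(p, v) for p in params)
    return has_wildcard(params) and not denied


def reconcile(current, params):
    """What the policy check does to an existing multivalued attribute:
    returns (values removed as noncompliant, mandatory values added)."""
    remove = [v for v in current if not value_compliant(v, params)]
    required = [p.value for p in params
                if p.enforcement == "mandatory" and p.value is not None and not p.is_regex]
    add = [v for v in required if v not in current]
    return remove, add


if __name__ == "__main__":
    # Constructed: one default and one mandatory group, account holds a stray group
    print(reconcile(["groupC", "groupA"],
                    [Param("groupA", "default"), Param("groupB", "mandatory")]))
    # Constructed: grant-all policy with one excluded group (implicit wildcard)
    print(reconcile(["Users", "Domain Admins"], [Param("Domain Admins", "excluded")]))
```

Two consequences worth noticing when reviewing a policy: an excluded value only bites while the attribute is under the implicit wildcard (the moment someone adds a single allowing value, every value not in the allow set is dropped, excluded or not), and an allowing constant defeats an excluded regular expression that covers it, which is the allowed-over-denied rule working as documented rather than a hole.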

Join directives examples

This topic provides examples that show how to use provisioning policy join directives.

The following example examines conflict resolution with policy priority, which is a default join directive for single-valued attributes. The erMaxStorage attribute on a Windows server is used to give a user limited storage space on the server.

Policy 1
    Membership: Managers
    Priority: 1
    erMaxStorage: 1000 (MB), enforcement: mandatory

Policy 2
    Membership: Employees
    Priority: 2
    erMaxStorage: 200 (MB), enforcement: mandatory

When a person belongs to both the Managers and Employees roles, the priority is used to resolve the conflict between the two erMaxStorage parameter values. A person who belongs to both groups would receive the erMaxStorage value 1000 (MB).

This next example examines conflict resolution with precedence sequence, which is a non-default join directive for a single-valued attribute.

Policy 1
    Membership: Managers
    Priority: 2
    eraddialincallback: 4, enforcement: mandatory

Policy 2
    Membership: Employees
    Priority: 1
    eraddialincallback: 2, enforcement: mandatory

Custom join directive on the eraddialincallback attribute
    Precedence sequence (most important first):
    v 4 User callback
    v 2 Fixed callback
    v 1 No callback

A person might belong to both the Managers and Employees roles. The precedence sequence is used to resolve the conflict between the two parameter values, even though the priority on the policy for Employees is higher. This person would get the eraddialincallback value 4 (user callback).

Join logic examples

This topic provides examples that show how to use provisioning policy join directives.

This section provides additional examples of join logic.

Scenario 1

Multiple applicable entitlements might be joined. If no parameter values are selected for an attribute in one policy (all values are allowed), and one allowed parameter value is entered for an attribute in another policy (only the specified value is allowed), the parameter value is only allowed to take on the value specified by the second policy.

Scenario 2

This example illustrates a priority-based provisioning policy join directive for a single-valued attribute. The following table identifies two provisioning policies for this scenario:

Table 29. Two provisioning policies

Policy Description

Policy 1: Priority = 1; Attribute: erdivision = divisionA, enforcement = DEFAULT

Policy 2: Priority = 2; Attribute: erdivision = divisionB, enforcement = MANDATORY

Because Policy 1 has a higher priority, only Policy 1's definition for the erdivision attribute is used. Policy 2's value for the erdivision attribute is ignored. All other values besides divisionA are disallowed.

Scenario 3

This example illustrates a union-based provisioning policy join directive for a multivalued attribute. The following table identifies two provisioning policies for this scenario:


Table 30. Example provisioning policies

Policy     Description
Policy 1   Priority = 1. Attribute: localgroup = groupA, enforcement = DEFAULT
Policy 2   Priority = 2. Attribute: localgroup = groupB, enforcement = MANDATORY

Because the join directive is defined as UNION, the resulting policy uses the following definitions for the policies:
• During account creation, the localgroup attribute is defined with both values groupA and groupB.
• During reconciliations, localgroup is defined as groupB if the attribute is undefined or incorrectly defined.
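A runnable model of the three join directives used in the examples above (priority, precedence sequence and union), together with the Scenario 1 rule that an unrestricted parameter yields to a restricted one. This is an added illustration, not IBM Security Identity Manager code: the Param and Policy classes, the function names and the "All" membership assumed for Scenarios 1 to 3 are assumptions made here.

```python
"""Provisioning-policy join logic modelled on the scenarios in this chapter.

Added illustration, not IBM Security Identity Manager code: the Param/Policy
classes, the function names and the "All" memberships are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Param:
    """One attribute setting inside a policy entitlement.
    values=None means no value was selected, so every value is allowed."""
    attribute: str
    values: Optional[list] = None
    enforcement: str = "DEFAULT"      # DEFAULT or MANDATORY, as in Tables 29 and 30


@dataclass
class Policy:
    name: str
    priority: int                     # lower number = higher priority
    membership: list                  # roles the policy applies to
    params: list = field(default_factory=list)

    def param(self, attribute):
        return next((p for p in self.params if p.attribute == attribute), None)


def applicable(policies, roles):
    """Policies whose membership overlaps the person's roles."""
    return [p for p in policies if set(p.membership) & set(roles)]


def join_priority(policies, roles, attribute):
    """Priority join (default for single-valued attributes): the applicable policy
    with the highest priority defines the attribute; the others are ignored."""
    cands = [p for p in applicable(policies, roles) if p.param(attribute)]
    if not cands:
        return None
    return min(cands, key=lambda p: p.priority).param(attribute)


def join_precedence(policies, roles, attribute, sequence):
    """Precedence-sequence join: of every value offered by an applicable policy,
    take the one that comes first in `sequence`, whatever the policy priorities."""
    offered = set()
    for p in applicable(policies, roles):
        prm = p.param(attribute)
        if prm and prm.values:
            offered.update(prm.values)
    return next((v for v in sequence if v in offered), None)


def join_union(policies, roles, attribute):
    """Union join (multivalued attributes): the value set applied at account
    creation, and the subset enforced at reconciliation (MANDATORY values only)."""
    creation, mandatory = set(), set()
    for p in applicable(policies, roles):
        prm = p.param(attribute)
        if prm and prm.values:
            creation.update(prm.values)
            if prm.enforcement == "MANDATORY":
                mandatory.update(prm.values)
    return creation, mandatory


def allowed_values(policies, roles, attribute):
    """Scenario 1: a policy with no selected value allows anything, so the joined
    allowed set is the intersection of the policies that do restrict the value."""
    restricting = []
    for p in applicable(policies, roles):
        prm = p.param(attribute)
        if prm and prm.values is not None:
            restricting.append(set(prm.values))
    if not restricting:
        return None                   # still unrestricted
    return set.intersection(*restricting)


# Constructed sample policies transcribed from the examples in this chapter.
MANAGERS = Policy("Policy 1", 2, ["Managers"], [Param("eraddialincallback", [4], "MANDATORY")])
EMPLOYEES = Policy("Policy 2", 1, ["Employees"], [Param("eraddialincallback", [2], "MANDATORY")])
CALLBACK_SEQUENCE = [4, 2, 1]         # user callback, fixed callback, no callback
OPEN = Policy("Open", 1, ["All"], [Param("erdivision", None)])           # no value selected
DIV_A = Policy("Policy 1", 1, ["All"], [Param("erdivision", ["divisionA"], "DEFAULT")])
DIV_B = Policy("Policy 2", 2, ["All"], [Param("erdivision", ["divisionB"], "MANDATORY")])
GROUP_A = Policy("Policy 1", 1, ["All"], [Param("localgroup", ["groupA"], "DEFAULT")])
GROUP_B = Policy("Policy 2", 2, ["All"], [Param("localgroup", ["groupB"], "MANDATORY")])

if __name__ == "__main__":
    both = ["Managers", "Employees"]
    print(join_precedence([MANAGERS, EMPLOYEES], both, "eraddialincallback", CALLBACK_SEQUENCE))  # 4
    print(join_priority([DIV_A, DIV_B], ["All"], "erdivision").values)      # ['divisionA']
    print(join_union([GROUP_A, GROUP_B], ["All"], "localgroup"))            # ({'groupA', 'groupB'}, {'groupB'})
    print(allowed_values([OPEN, DIV_B], ["All"], "erdivision"))             # {'divisionB'}
```

Note that join_priority on the callback policies would pick the Employees value (priority 1), which is exactly what the precedence sequence overrides.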


Chapter 14. Global policy enforcement

Global policy enforcement is the manner in which the IBM Security Identity Manager system globally allows or disallows accounts that violate provisioning policies.

When a policy enforcement action is global, the policy enforcement for any service is defined by the default configuration setting. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.

Mark
    Sets a mark on an account that has a noncompliant attribute.

Suspend
    Suspends an account that has a noncompliant attribute.

Correct
    Replaces a noncompliant attribute on an account with the correct attribute.

Alert
    Issues an alert for an account that has a noncompliant attribute.

Note: If a service has a specific policy enforcement setting, that setting is applied to the noncompliant accounts; the global enforcement setting does not apply to them.

Configuring a global enforcement policy

An administrator can create a global enforcement policy to resolve noncompliant accounts on the services.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

You can use the following options when configuring a global enforcement policy:
• Mark
• Suspend
• Correct
• Alert

Setting a mark on an account

An administrator can create a global enforcement policy and set a mark on an account that has a noncompliant attribute.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


About this task

To set a mark on an account that has a noncompliant attribute, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Configure Global Policy Enforcement.
2. On the Configure Global Policy Enforcement page, select Mark and then Submit in the Enforcement Action section.

   Note: Changing the global policy enforcement action for the system can cause a re-evaluation of account compliance and a modification of account data.

3. On the Confirmation page, select a time and date to schedule this operation.

   Note: When you select this option, you can select the calendar and clock icons to customize the scheduled date and time.
   • Select Immediate and then Submit if you want to run the request immediately.

     Note: The current date and time are displayed.
   • Select Effective date and then Submit if you want to run the request at a date and time that you customized.
4. On the Success page, click Close.

Suspending an account

An administrator can create a global enforcement policy and suspend an account that has a noncompliant attribute.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

To suspend an account that has a noncompliant attribute, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Configure Global Policy Enforcement.
2. On the Configure Global Policy Enforcement page, select Suspend and then Submit in the Enforcement Action section.

   Note: Changing the global policy enforcement action for the system can cause a re-evaluation of account compliance and a modification of account data.

3. On the Confirmation page, select a time and date to schedule this operation.

   Note: When you select this option, you can select the calendar and clock icons to customize the scheduled date and time.
   • Select Immediate and then Submit if you want to run the request immediately.


     Note: The current date and time are displayed.
   • Select Effective date and then Submit if you want to run the request at a date and time that you customized.
4. On the Success page, click Close.

Replacing a noncompliant attribute with a compliant attribute

An administrator can create a global enforcement policy to resolve disallowed noncompliant accounts on the services. The global enforcement policy can deprovision accounts that are not granted by any applicable provisioning policy entitlement. Disallowed accounts can be exempt from being removed at the remote service if they meet the criteria of exemption accounts. Criteria are defined in the exemption handler.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

For more information about how to define exemption accounts in the exemption handler, see the "Policy enforcement actions" topic in the IBM Security Identity Manager Administration Guide.

Note: Your administrator can override the exemption handler that you defined or created.

About this task

To replace a noncompliant attribute on an account with a compliant attribute, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Configure Global Policy Enforcement.
2. On the Configure Global Policy Enforcement page, select Correct and then Submit in the Enforcement Action section.

   Note: Changing the global policy enforcement action for the system can cause a re-evaluation of account compliance and a modification of account data. Furthermore, selecting Correct might cause account deprovisioning (that is, account deletion) if an account is not granted by any provisioning policy entitlement, unless the account is exempt.

3. On the Confirmation page, select a time and date to schedule this operation.

   Note: After you select this option, you can select the calendar and clock icons to customize the scheduled date and time.
   • Select Immediate and then Submit if you want to run the request immediately.

     Note: The current date and time are displayed.
   • Select Effective date and then Submit if you want to run the request at a date and time that you customized.


4. On the Success page, click Close.

Creating an alert on an account

You can create an Alert to issue an alarm for an account that has a noncompliant attribute, and set up email notification of this alert.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

When you are working with a particular service with Manage Services in the navigation tree, you can set up a global policy enforcement alert for that service. Click the icon next to it in the list. Select Configure Policy Enforcement. Clicking Use Global Enforcement Action: Alert establishes a global policy alert for that service at the date and time you specify.

To set up an alert for an account that has a noncompliant attribute, complete these steps:

Procedure
1. From the navigation tree, select Configure System > Configure Global Policy Enforcement.
2. On the Configure Global Policy Enforcement page, select Alert in the Enforcement Action section.
3. Click Continue.
4. On the Configure Global Policy Enforcement page, select the General page to provide information and settings for the alert. Provide the participant information and time intervals. Specify the process types for which an alert is generated, and click Submit. Supply the following information:

   Alert name
       Specify the name that identifies the alert.

   Send compliance alert to
       Specify the participants who receive the compliance alert.

   Number of days to wait before escalating compliance alert
       Specify the number of days before an alert is escalated.

   Escalate compliance alert to
       Specify the participants who receive an escalated compliance alert.

   Number of days after which the system will take corrective action
       Specify the number of days that the system waits until corrective action is taken.

   Process Types table
       Specify the processes that generate a compliance alert.

       Note: If no process type is selected, the system automatically corrects a noncompliant account for that process type. The correction can modify or delete the account.


       Generate Alert
           Specify the process type for which an alert is generated. Select the check box of the process type for which you want to generate alerts.

       Process Type
           Specify the type of workflow process that generates a compliance alert.

5. On the Configure Global Policy Enforcement page, select the email page to provide text for the alert notification email. Alternatively, choose to use the default template. If you do not use the default template, type the subject line of the email notification. Provide the plain text body or the XHTML dynamic context.
6. Click Submit.
7. On the Confirmation page, select a time and date to schedule this operation.

   Note: After you select this option, you can select the calendar and clock icons to customize the scheduled date and time.
   • Select Immediate, and then Submit if you want to run the request immediately.

     Note: The current date and time are displayed.
   • Select Effective date and then Submit if you want to run the request at a date and time that you customized.
8. On the Success page, click Close.
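As an added illustration (not IBM Security Identity Manager code), the following model applies each of the four global enforcement actions to a noncompliant account the way this chapter describes them: Mark and Suspend flag the account, Correct rewrites the attribute or deprovisions an unentitled account unless the exemption handler exempts it, and Alert falls back to automatic correction when no process type is selected. The Account and AlertSettings classes, the exempt() callback and the function names are assumptions.

```python
"""Global policy enforcement actions applied to a noncompliant account.

Added illustration, not IBM Security Identity Manager code: the Account and
AlertSettings models, the exempt() callback and the function names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    attrs: dict
    entitled: bool = True         # granted by some provisioning policy entitlement
    status: str = "active"
    marked: bool = False


@dataclass
class AlertSettings:
    """Fields from the General page of the Alert enforcement action."""
    name: str
    send_to: list
    days_before_escalation: int
    escalate_to: list
    days_before_correction: int
    process_types: set = field(default_factory=set)   # process types that generate an alert


def noncompliant_attrs(account, required):
    """Attributes whose value differs from the joined policy value."""
    return {a: v for a, v in required.items() if account.attrs.get(a) != v}


def enforce(account, required, action, exempt=lambda acct: False,
            alert=None, process_type="reconciliation"):
    """Apply one global enforcement action (Mark, Suspend, Correct or Alert) and
    return the list of events it produced. `exempt` stands in for the exemption
    handler that decides whether a disallowed account may stay on the service."""
    bad = noncompliant_attrs(account, required)
    if not bad and account.entitled:
        return []                 # compliant: nothing to enforce
    if action == "Mark":
        account.marked = True
        return [f"marked {account.user_id}: {sorted(bad)}"]
    if action == "Suspend":
        account.status = "suspended"
        return [f"suspended {account.user_id}"]
    if action == "Correct":
        if not account.entitled:
            if exempt(account):
                return [f"{account.user_id} disallowed but exempt; left in place"]
            account.status = "deprovisioned"
            return [f"deprovisioned {account.user_id}"]
        for a, v in bad.items():
            account.attrs[a] = v
        return [f"corrected {a} on {account.user_id}" for a in bad]
    if action == "Alert":
        if alert is None or process_type not in alert.process_types:
            # No alert configured for this process type: the system corrects instead.
            return enforce(account, required, "Correct", exempt)
        return [f"alert '{alert.name}' to {alert.send_to}",
                f"escalate to {alert.escalate_to} after {alert.days_before_escalation} days",
                f"corrective action after {alert.days_before_correction} days"]
    raise ValueError(f"unknown enforcement action: {action}")


if __name__ == "__main__":
    # Constructed sample: the account drifted from the policy-required division value.
    acct = Account("jdoe", {"erdivision": "divisionB"})
    print(enforce(acct, {"erdivision": "divisionA"}, "Mark"))
    alert = AlertSettings("Division drift", ["manager"], 3, ["security-admin"], 10,
                          {"reconciliation"})
    print(enforce(acct, {"erdivision": "divisionA"}, "Alert", alert=alert))
```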


Chapter 15. Data import and export

IBM Security Identity Manager imports and exports data while maintaining data integrity.

Overview

Many enterprise applications, including IBM Security Identity Manager, are often deployed in stages. New policies and business logic can be developed and tested in a test environment and then migrated to a production environment.

The import and export tasks are useful to migrate IBM Security Identity Manager data items and dependent objects from a test environment to a production environment while maintaining data integrity.

You can use the import and export tasks to import previously exported objects from a Java archive (JAR) file. Importing of supported object types is limited to IBM Security Identity Manager exported objects only.

There is a limitation on Java HTTPServletResponse for file downloads in displaying double-byte character file names. When naming your export JAR file, do try to use a conventional ASCII file name.

Data migration

Migrating data across IBM Security Identity Manager servers consists of searching for and exporting configured objects from a source server. The migration imports the objects into a target server.

Data migration automates the extraction of commonly configured object types and their dependencies. Data migration is a mechanism to move working or staged configurations from a test environment to a production environment. The mechanism guarantees that the data is imported without loss of integrity. This information is for administrators who want to take advantage of the data migration feature in IBM Security Identity Manager through the import and export tasks.

Exports

There are two types of exports: partial and full. Both types of exports produce a single downloadable JAR file. The file contains an XML file of serialized objects that is added to a list of completed exports.

Imports

Imports are initialized by an administrator on a target server after extracting objects (after generating an export JAR file) from a source server. Imports consist of these stages:
• JAR file upload
• Difference evaluation
• Conflict resolution
• Data commitment to the system


Policy enforcement

Importing provisioning policies and dynamic organizational roles might result in associating different people with new roles. Imported policies that have changes that require re-evaluation might result in the following policy enforcement tasks:
• Evaluating dynamic role changes and updating role memberships
• Finding provisioning policies associated with host selection policies
• Combining role memberships and provisioning policies with policies that are being imported
• Enforcing policies on all affected users through a new workflow process

Organizational charts

If there are differences in the organizational chart between the test (source) and target (production) systems, then the imported objects are treated as new objects.

To prevent the creation of duplicate objects when those objects exist in the production system, ensure that the organizational charts match in each system.

Object dependencies for data migration

To migrate data, you must ensure that you include all the dependencies of the migrated object.

A dependency is generally an individual object referenced by a parent or root object that is required on a target system to successfully import the parent. To protect the integrity of the data throughout the migration process, the import and export tasks automatically detect and include exported object dependencies.

Full exports compared to partial exports

Exporting everything through the use of Export All saves all of the data that is supported by Export All in the system. If you export individual items with a partial export, you might not actually export all of the dependencies needed for the object to function. A partial export saves only those dependencies that are needed to create the object that is saved. For example, you might export a provisioning policy that includes an automatic account creation function. The identity policy needed to create the user ID is not exported as a dependency of the provisioning policy. The identity policy is not required for the creation of the provisioning policy object. However, it might be required for the purpose that you intend for your provisioning policy. If that is the case, export and import the dependency as a separate object.

Policies

Identity policies and password policies are not exported when a provisioning policy is exported. You must explicitly export these policies as part of the export process.

An identity, password, or provisioning policy's role and service objects are not exported by default. If you want to export these items, you must manually add them to the export list.


Services

If a service is exported, the service owner information is also exported. The dn is appropriately set if a person exists with the same name on the target system.

Role relationships

If a role that has a senior or junior role relationship is exported, then the relationship is also exported. The related role itself is not exported as a dependency.

If the dependent role exists on the target system, then the role relationship is created. Otherwise, it is not created. Role relationships are never deleted during import.

Exporting multiple objects

Exporting multiple objects over a period of time might result in saving variations of mutually shared dependencies that change over the course of the daily activity of the system. Keep the possibility of variations in mind as you plan your export strategy.

Dependencies and parent objects

Removal of a parent object is allowed. However, when a parent object is removed, the import and export tasks automatically remove all of its dependencies from the export list.

Table 31. Dependencies and parent objects

Parent object          Dependencies
Object profile         Identity policy, Lifecycle rule, Lifecycle operation
Service profile        Identity policy, Lifecycle rule, Lifecycle operation, Password policy, Provisioning policy, Service, Service selection policy, Workflow
Organizational role    Provisioning policy, Workflow
Service                Adoption policy, Identity policy, Password policy, Provisioning policy, Service
Lifecycle rule         Lifecycle operation
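As an added illustration (not IBM Security Identity Manager code), the following code builds a partial export list from the parent-to-dependency relationships of Table 31, reports references that the export will not carry (such as the identity policy used by a provisioning policy, which the text says must be exported explicitly), and drops dependencies that no remaining parent needs when a parent is removed. The ExportObject class, the function names and the sample inventory are constructed assumptions.

```python
"""Export-list dependency handling for data migration, driven by Table 31.

Added illustration, not IBM Security Identity Manager code: the ExportObject
class, the function names and the sample inventory are constructed here.
"""
from dataclasses import dataclass, field

# Parent object type -> object types that the export task pulls in as dependencies.
DEPENDENCIES = {
    "Object profile": ["Identity policy", "Lifecycle rule", "Lifecycle operation"],
    "Service profile": ["Identity policy", "Lifecycle rule", "Lifecycle operation",
                        "Password policy", "Provisioning policy", "Service",
                        "Service selection policy", "Workflow"],
    "Organizational role": ["Provisioning policy", "Workflow"],
    "Service": ["Adoption policy", "Identity policy", "Password policy",
                "Provisioning policy", "Service"],
    "Lifecycle rule": ["Lifecycle operation"],
}


@dataclass
class ExportObject:
    name: str
    type: str
    refs: list = field(default_factory=list)   # names of objects this one references


def is_dependency(parent, child):
    """True if `child` is a kind of object that `parent` carries into an export."""
    return child.type in DEPENDENCIES.get(parent.type, [])


def build_export_list(selected, inventory):
    """Partial export: start from the selected names and add, transitively, every
    referenced object that the exporter treats as a dependency of its parent."""
    todo, result = list(selected), {}
    while todo:
        name = todo.pop()
        if name in result:
            continue
        obj = inventory[name]
        result[name] = obj
        for ref in obj.refs:
            if ref in inventory and is_dependency(obj, inventory[ref]):
                todo.append(ref)
    return result


def unexported_references(export_list, inventory):
    """References the export will NOT carry (for example the identity policy used
    by a provisioning policy); the administrator must add these explicitly."""
    missing = set()
    for obj in export_list.values():
        for ref in obj.refs:
            if ref in inventory and ref not in export_list:
                missing.add(ref)
    return missing


def remove_parent(export_list, selected, name):
    """Remove a selected parent; dependencies that no remaining parent needs are
    dropped with it, mirroring what the export task does automatically."""
    remaining = [s for s in selected if s != name]
    return build_export_list(remaining, dict(export_list)), remaining


# Constructed sample inventory (names and references invented for the example).
INVENTORY = {o.name: o for o in [
    ExportObject("HR Service", "Service",
                 ["HR Adoption", "HR Identity Policy", "HR Password Policy", "HR Provisioning"]),
    ExportObject("HR Adoption", "Adoption policy"),
    ExportObject("HR Identity Policy", "Identity policy"),
    ExportObject("HR Password Policy", "Password policy"),
    ExportObject("HR Provisioning", "Provisioning policy", ["HR Identity Policy", "Managers"]),
    ExportObject("Managers", "Organizational role", ["HR Provisioning", "Access Approval"]),
    ExportObject("Access Approval", "Workflow"),
    ExportObject("Purge Rule", "Lifecycle rule", ["Purge Op"]),
    ExportObject("Purge Op", "Lifecycle operation"),
]}

if __name__ == "__main__":
    exported = build_export_list(["HR Provisioning"], INVENTORY)
    print(sorted(exported))                                    # ['HR Provisioning']
    print(sorted(unexported_references(exported, INVENTORY)))  # ['HR Identity Policy', 'Managers']
```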


Performing a full export

Use this procedure to export all exportable object types and generate a Java archive (JAR) file that contains the export data.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

The JAR file that is generated by this task includes a full extract of all existing exportable objects, including their dependencies and references to containers.

To do a full export, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Export Data. The Export Data page is displayed.
2. On the Export Data page, click Export All. The Export All page is displayed.
3. Optional: In the Export Name field, type a name to identify the export.
4. In the Export to file (.jar) field, type a file name for the export, and then click Submit. The Export Data page is displayed.
5. On the Export Data page, click Refresh to update the list of export items in the table.

Results

A full export JAR file is created and is displayed on the Export Data page.

What to do next

Perform additional export management tasks, such as downloading the JAR file, or click Close.

Performing a partial export

Use this procedure to selectively export object types and generate a Java archive (JAR) file that contains the export data.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you identified all the dependencies needed for the objects that you want to export.


About this task

The JAR file that is generated by this task includes a full extract of the exportable object types that you specify. The extract includes their dependencies and references to containers.

You can search for and select the following object types and include them in a partial export JAR file:
• Adoption policy
• Group
• Identity policy
• Lifecycle operation
• Lifecycle rule
• Organizational role
• Password policy
• Provisioning policy
• Service
• Service selection policy
• Workflow

To do a partial export, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Export Data. The Export Data page is displayed.
2. On the Export Data page, click Create. The Create a Partial Export page is displayed.
3. To add objects to the export list, click Add. The Select Objects page is displayed.
4. To locate an object to export, complete these steps:
   a. In the Name field, type information about the object that you want to export.
   b. Select the object type that you want to search by from the Object type list, and then click Search. The objects that match your search criteria are displayed in the table.
5. Select the check box next to the object that you want to export, and then click OK. Selecting the check box at the top of this column selects all objects. The objects that you added are displayed on the Create a Partial Export page.
6. Verify the list of items that you want to export, and then click Continue. The Partial Export page is displayed.
7. Optional: In the Export name field, type a name to identify the export.
8. In the Export to file (.jar) field, type a file name for the export, and then click Submit. The Export Data page is displayed.
9. On the Export Data page, click Refresh to update the list of export items in the table.

Results

A partial export JAR file is created and is displayed on the Export Data page.


What to do next

Perform additional export management tasks, such as downloading the JAR file, or click Close.

Downloading the JAR file

Use this procedure to download a partial or full export Java archive (JAR) file to the local system.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you created an export file, including all dependencies and references to containers.

About this task

Export JAR files vary in size, depending on the type and number of objects exported. Each row in the list of completed exports specifies the type of export (partial or full) and the number of objects that were processed. Each row specifies a time stamp for when the export started and ended, the status of the export, and a link to the JAR file itself. The link to the JAR file allows you to download the file and save it to a location on a local system.

To download a JAR file to a local system, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Export Data. The Export Data page is displayed.
2. On the Export Data page, click the file name of the JAR file that you want to download. The File Download dialog is displayed.
3. On the File Download dialog, click Save. The Save As dialog is displayed.
4. Navigate to the location for saving the file, and then click Save.

Results

The JAR file is downloaded to the local system.

What to do next

Perform additional export management tasks, or click Close.

Deleting export records

Use this procedure to delete export records from the table.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.


About this task

When the export record is deleted, all of its records are deleted from the database, including the Java archive (JAR) file. If you want to keep the JAR file, be sure to download it from the export record onto your local system before deleting the export record.

You cannot delete an export record if the export is still processing.

To delete export records from the table, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Export Data. The Export Data page is displayed.
2. On the Export Data page, select the export that you want to delete, and then click Delete.

Results

The export record is removed from the table on the Export Data page.

What to do next

Perform additional export management tasks, or click Close.

Uploading the JAR file

Use this procedure to upload a partial or full export Java archive (JAR) file from the local system.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you saved an exported JAR file on your local system.

About this task

This task initializes the import of the JAR file through standard Java streams as the contents are inserted into a bulk data service database as a blob.

To upload a JAR file from a local system, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Import Data. The Import Data page is displayed.
2. On the Import Data page, click Upload File. The Upload File page is displayed.
3. Optional: In the Import name field, type a name to identify the import, and then click Browse. The Choose file dialog is displayed.
4. On the Choose file dialog, navigate to the location of the file, select the file, and then click Open. The file name is displayed on the Import Data page.
5. Click Submit to upload the file. The Import Data page is displayed.


6. On the Import Data page, click Refresh to update the list of import items in the table.

Results

The JAR file is uploaded from the local system and is displayed on the Import Data page.

What to do next

Perform additional import management tasks, or click Close.

Resolving conflicts

The import process evaluates differences between the data imported and the data in the target server and helps resolve conflicts between the two.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you imported a Java archive (JAR) file from your local system.

About this task

Difference evaluation generates a list of objects that are found in both the import JAR file and the target system. An administrator can use the list to resolve conflicts on an object-by-object basis: for each object, the administrator decides whether the existing data takes precedence or is overwritten with the import data. Difference evaluation and conflict resolution are done for both partial and full export types.

Objects that exist in IBM Security Identity Manager at the time of the import and that are selected in the conflicts summary to be overwritten are updated.

Objects in the uploaded JAR file that are not in IBM Security Identity Manager at the time of the import are added.

To resolve conflicts between the data in an uploaded JAR file and the data in the server, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Import Data. The Import Data page is displayed, and the Status column of the table indicates whether any conflicts are detected.
2. In the Status column on the table, click the Conflicts Detected link. The Evaluate Import File page is displayed.
3. On the Evaluate Import File page, select the check box next to the object that you want to import and override the existing object, and then click Import. Selecting the check box at the top of this column selects all objects. The Import Data page is displayed.
4. On the Import Data page, click Refresh to update the status of the import in the table. The Status column indicates that the import is successful.


Results

The import process commits the data and re-establishes relationships between parent objects and their dependencies. The process places objects in their correct containers in the IBM Security Identity Manager organizational chart.

If your session with the IBM Security Identity Manager console is idle and times out while conflicts are being evaluated, or if you explicitly log off, then the import process status changes from Processing to Failed - Conflicts not Resolved. If this status change occurs, repeat this procedure so that the data is committed. Typically, user sessions are configured to be idle for up to 10 minutes before timing out.

What to do next

Do additional import management tasks, or click Close.

Deleting imports

Use this procedure to delete import records from the table.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

This procedure deletes the import record and the Java archive (JAR) file that was uploaded.

To delete import records from the table, complete these steps:

Procedure
1. From the navigation tree, click Configure System > Import Data. The Import Data page is displayed.
2. On the Import Data page, select the import that you want to delete, and then click Delete.

Results

The import record is removed from the table on the Import Data page.

What to do next

Perform additional import management tasks, or click Close.

Making import and export JAR files portable

For import and export Java archive (JAR) files to be portable between two machines, certain configuration settings must be the same in both systems.


About this task

To ensure that the import and export JAR files are portable between two systems, verify that these configuration settings are the same in both systems:
• Keystore file
• Keystore password
• Hash algorithm


Chapter 16. Configuring and administering IBM Tivoli Common Reporting

IBM Tivoli Common Reporting (also called the reports pack) focuses on account,service, and request information.

IBM Tivoli Common Reporting contains a subset of the default reports available from the IBM Security Identity Manager Version 6.0 user interface. These reports do not apply any Access Control Information (ACIs) from IBM Security Identity Manager against the data they show.

Any report that is run from IBM Tivoli Common Reporting can be run by an IBM Security Identity Manager administrator who has full rights to view the data in the report from the Tivoli Common Reporting console. These reports do not consider the ACIs that IBM Security Identity Manager currently defines.

The versions of DB2®, Oracle, and Microsoft SQL Server that are supported by IBM Security Identity Manager Version 6.0 also support these reports.

You can administer and run the reports with the Tivoli Common Reporting software that is included with IBM Security Identity Manager 6.0. For more information about Tivoli Common Reporting, see the following website:

http://www.ibm.com/developerworks/spaces/tcr

You can edit the reports with the Eclipse Business Intelligence Reporting Tool Version 2.2.1 at the following website:

http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10OT02

Installing or upgrading to Tivoli Common Reporting Version 2.1.1

You can install or upgrade your instance of Tivoli Common Reporting to Version 2.1.1.

Note:

• If Tivoli Common Reporting Version 2.1.1 is already installed on your computer through IBM Security Role and Policy Modeler, you can use it instead of reinstalling it.

• Ensure that Tivoli Common Reporting server requirements are met. See the report server requirements in the IBM Security Identity Manager Product Overview Guide.

• Configure IBM Tivoli Common Reporting to run on nondefault ports if it is installed on the same system that has IBM Security Identity Manager version 6.0 prerequisites. The default ports of Tivoli Common Reporting are likely to conflict with ports of the installed products, and therefore the Tivoli Common Reporting installation is likely to fail.

• To install Tivoli Common Reporting Version 2.1.1, see the website: http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ttcr_install.html.


• To upgrade to Tivoli Common Reporting Version 2.1.1, see the website: http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ctcr_upgrade.html.

Importing the report package into Tivoli Common Reporting

Import the report package into Tivoli Common Reporting to run IBM Security Identity Manager Server Version 6.0 reports from within Tivoli Common Reporting. The report package installs Version 6.0 reports for IBM Security Identity Manager into Tivoli Common Reporting.

Before you begin

• Install IBM Security Identity Manager Version 6.0. For more information, see the IBM Security Identity Manager Installation Guide.
• Install Tivoli Common Reporting Version 2.1.1. See http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ic-home.html.

Procedure

1. Obtain the tcr_tim6.0_reporting_pack.zip file from the ISIM_HOME/extensions/tcr/tcrpack directory. ISIM_HOME is the IBM Security Identity Manager installation directory.

2. Import the report package with the trcmd -import command. See http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ctcr_birt_reps_in_cog_importing.html.

Results

Importing the reports places them in Common Reporting > Public Folders > Tivoli Products. Select IBM Security Identity Manager 6.0 to see the available reports.

What to do next

Generate the report.

See the topic "Generating reports in Tivoli Common Reporting" in the IBM Security Identity Manager Administration Guide.

Configuring embedded WebSphere Application Server

You must configure a JDBC data source on the IBM Tivoli Common Reporting embedded WebSphere Application Server to run the IBM Security Identity Manager reports.

About this task

You must configure Tivoli Common Reporting to connect to the IBM Security Identity Manager database. Complete these steps:

• “Creating a Java Authentication and Authorization Service (JAAS) alias” on page 176
• “Creating a Java Database Connectivity (JDBC) provider” on page 178
• “Creating the data source” on page 181
• “Saving the configuration” on page 185

174 IBM Security Identity Manager Version 6.0: Configuration Guide

You can do the steps either manually or automatically, as follows:

• Manual configuration is described in “Configuring embedded WebSphere Application Server with wsadmin commands” on page 176.
• Automatic configuration is described in “Configuring embedded WebSphere Application Server with a Jython script”.

Both methods achieve the same result.

What to do next

Configure embedded WebSphere Application Server either with wsadmin commands or with a Jython script.

Configuring embedded WebSphere Application Server with a Jython script

IBM Security Identity Manager includes a script to facilitate the configuration of the required data source for the packaged reports.

About this task

The ITIM_HOME/extensions/tcr/scripts/TIMsetupDatasource.py file is a Jython script used to automate the configuration of Tivoli Common Reporting for your IBM Security Identity Manager environment. To use the script, complete these steps:

1. Copy the TIMsetupDatasource.py file from ITIM_HOME/extensions/tcr/scripts/TIMsetupDatasource.py to the computer where Tivoli Common Reporting is installed.

2. Edit the TIMsetupDatasource.py file and update the following parameters to match the values in your environment:

   aliasUser
   aliasPW
   dsDBVendor

   For DB2 or MS SQL database servers:
   dsDBName
   dsDBServer
   dsDBPort
   dsDBType

   For Oracle database servers:
   dsDBURL

   For all database servers:
   providerCP
   providerImplClass
   dsDBHelper

   The script documents the values of each of the preceding parameters.

3. Run the wsadmin command on your Tivoli Common Reporting embedded WebSphere Application Server:

   • For Windows, open a command prompt and type a command similar to this example:
     TCR_HOME\profiles\TIPProfile\bin\wsadmin.bat -f TIMsetupDatasource.py

   • For UNIX, open a shell and type a command similar to this example:
     TCR_HOME/profiles/TIPProfile/bin/wsadmin.sh -f TIMsetupDatasource.py

Chapter 16. Configuring and administering IBM Tivoli Common Reporting 175

What to do next

Configure the data source in Tivoli Common Reporting. For more information, see “Configuring the data source in Tivoli Common Reporting” on page 186.

Configuring embedded WebSphere Application Server with wsadmin commands

To configure IBM Tivoli Common Reporting for use with IBM Security Identity Manager manually, you must run a series of wsadmin commands.

About this task

Complete these steps:

• “Creating a Java Authentication and Authorization Service (JAAS) alias”
• “Creating a Java Database Connectivity (JDBC) provider” on page 178
• “Creating the data source” on page 181
• “Saving the configuration” on page 185

The wsadmin commands must be run from a wsadmin prompt. To start wsadmin in preparation for running the wsadmin commands, navigate to the bin directory of the Tivoli Common Reporting embedded WebSphere Application Server profile and start the wsadmin Jython interpreter.

Procedure

1. Navigate to the bin directory of the Tivoli Common Reporting embedded WebSphere Application Server profile.

   • For Windows, open a command prompt and type a command similar to this example:
     cd "C:\Program Files\IBM\tcr\eWas61\profiles\tcrProfile\bin"

   • For UNIX, open a shell and type a command similar to this example:
     cd /opt/IBM/tcr/eWas61/profiles/tcrProfile/bin

2. Type one of the following commands:

   • For Windows, type wsadmin.bat -lang jython
   • For UNIX, type ./wsadmin.sh -lang jython

3. If prompted to log in, enter your Tivoli Common Reporting administrator credentials. These are the same credentials you use to access your Tivoli Common Reporting administrative console, such as tcrAdmin.

What to do next

Create a JAAS authentication alias. For more information, see “Creating a Java Authentication and Authorization Service (JAAS) alias.”

Creating a Java Authentication and Authorization Service (JAAS) alias

Create a JAAS authentication alias so you can authenticate database connections from the IBM Tivoli Common Reporting server to the IBM Security Identity Manager database server.

About this task

The JAAS authentication alias is not dependent on the database vendor.


Consider the following information about the user identified by the alias before you create the alias:

• The user must be able to access the tables that hold the data for your defined reports.
• The user is typically the person configured for the database connection to the IBM Security Identity Manager database server.
• The default user ID in IBM Security Identity Manager Version 5.0 and Version 5.1 is itimuser.
• The default user ID in previous releases was enrole.

Table 32 lists the parameters required for creating the JAAS authentication alias with the wsadmin console.

Table 32. Required data for JAAS authentication alias

Parameter     Description                                                      Example value
alias         A user-defined name that identifies this collection of data.     IBM Security Identity Manager database alias
description   A user-defined description for this collection of data.         JAAS authentication alias for the IBM Security Identity Manager database
userId        The user ID to use when connecting to the database.             itimuser
password      The password associated with the user ID.                        mypassword
              You can find the user ID in the following location on the
              IBM Security Identity Manager server:
                ITIM_HOME/data/enRoleDatabase.properties
                # IBM Tivoli Identity Manager Database User
                database.db.user=itimuser
              where ITIM_HOME is the installation directory for IBM
              Security Identity Manager.

1. Collect the required data as described in Table 32.

2. Run the wsadmin command in the WAS_HOME/bin/ directory of the Tivoli Common Reporting server.

3. With the collected data, create a JAAS authentication alias configuration with wsadmin, with the following format:

   wsadmin> AdminConfig.create('JAASAuthData', AdminConfig.getid("/Security:/"), [["alias", "alias"], ["description", "description"], ["userId", "userId"], ["password", "password"]])

   where:

   • alias and description are any user-chosen values that you must remember for a later step.
   • userId corresponds to a valid user on your IBM Security Identity Manager database server with the necessary permissions to connect and read data from the IBM Security Identity Manager database.
   • password is the password associated with the userId.


The following shows an example of the wsadmin command:

wsadmin> AdminConfig.create('JAASAuthData', AdminConfig.getid("/Security:/"), [["alias", "IBM Tivoli Identity Manager DB Alias"], ["description", "JAAS alias for the IBM Tivoli Identity Manager DB"], ["userId", "itimuser"], ["password", "mypassword"]])

What to do next

Create a JDBC provider. For more information, see “Creating a Java Database Connectivity (JDBC) provider.”

Creating a Java Database Connectivity (JDBC) provider

Creating a JDBC provider requires both identifying the JDBC provider values for your environment and running a single wsadmin command.

About this task

The JDBC provider information is dependent on the database vendor.

Table 33 lists the parameters that are required when creating the JDBC provider with the wsadmin console.

Table 33. Required data for a JDBC provider

Parameter                Description                                          Example value
classpath                The classpath required by the JDBC provider class    See Table 34
implementationClassName  The JDBC provider implementation class               See Table 35 on page 179
name                     A user-defined name for this JDBC provider           JDBC provider for the IBM Security Identity Manager database
description              A user-defined description for this JDBC provider    JDBC provider under which to add the IBM Security Identity Manager database as a data source

Table 34. Example classpath values for the JDBC providers supported by IBM Security Identity Manager

Database type         Classpath
DB2                   /opt/IBM/db2/V9.1/java/db2jcc.jar;/opt/IBM/db2/V9.1/java/db2jcc_license_cu.jar
Microsoft SQL Server  C:/Program Files/Microsoft SQL Server 2005 JDBC Driver/sqljdbc_1.1/enu/sqljdbc.jar
Oracle                /u01/app/oracle/product/10.2.0/Db_1/jdbc/lib/ojdbc14.jar


Table 35. Implementation class name for the JDBC providers supported by IBM Security Identity Manager

Database type         Implementation class name
DB2                   com.ibm.db2.jcc.DB2ConnectionPoolDataSource
Microsoft SQL Server  com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource
Oracle                oracle.jdbc.pool.OracleConnectionPoolDataSource

1. Collect the required data as described in these tables:

   • Table 33 on page 178
   • Table 34 on page 178
   • Table 35

   For assistance with collecting this data, see “Identifying JDBC provider information from IBM Security Identity Manager” on page 180.

2. Start the wsadmin command as described in “Configuring embedded WebSphere Application Server with wsadmin commands” on page 176.

3. With the collected data, create the JDBC provider with the following format:

   wsadmin> AdminConfig.create('JDBCProvider', AdminConfig.getid("/Cell:/"), [["classpath", "classpath"], ["implementationClassName", "implementationClassName"], ["name", "name"], ["description", "description"]])

   In the example, 'JDBCProvider' and "/Cell:/" identify the type and location of this configuration object.

   The first element in each paired attribute list, namely "classpath", "implementationClassName", "name", and "description", identifies the name of the attribute being set on this configuration element.

   The second element in each paired attribute list is the value, which can vary from installation to installation.

   The "name" and "description" values are user-chosen values. You must remember the "name" value for a later step.

   The "classpath" and "implementationClassName" values must correspond to the actual implementation class name and required classpath for your database.

   The following shows an example of the wsadmin command:

   wsadmin> AdminConfig.create('JDBCProvider', AdminConfig.getid("/Cell:/"), [["classpath", "C:/Program Files/Microsoft SQL Server 2005 JDBC Driver/sqljdbc_1.1/enu/sqljdbc.jar"], ["implementationClassName", "com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource"], ["name", "JDBC provider for the ITIM DB"], ["description", "JDBC provider for the ITIM DB under which to add the ITIM DB as a data source"]])


What to do next

Create the data source. For more information, see “Creating the data source” on page 181.

Identifying JDBC provider information from IBM Security Identity Manager

Creating a JDBC provider requires identifying the correct parameters. This section helps you determine the values already in use by IBM Security Identity Manager.

About this task

The implementation class name and example classpath information are also available from your IBM Security Identity Manager WebSphere Application Server.

The classpath values as defined on the IBM Security Identity Manager WebSphere Application Server rely upon server variables that are not present on the Tivoli Common Reporting embedded WebSphere Application Server. Therefore, the classpath values can guide you as to which files in general are required, rather than point to a specific location.

Procedure

1. With the WebSphere Application Server administrative console on your IBM Security Identity Manager WebSphere Application Server, log in and navigate to Resources > JDBC > JDBC Providers.

2. View the list of JDBC providers. If multiple JDBC providers related to IBM Security Identity Manager are displayed, select the provider identified as non-XA. For example, select IBM Security Identity Manager non-XA DB2 JDBC Provider to view the implementation class name and classpath.

Example

Alternatively, you can obtain this information from the IBM Security Identity Manager WebSphere Application Server with a wsadmin session on that server that lists the JDBC provider identifiers (IDs).

The following example output shows the wsadmin command line, where each quoted string is a JDBC provider ID:

wsadmin> print AdminConfig.list("JDBCProvider")
"Derby JDBC Provider (XA)(cells/fooNode01Cell/nodes/fooNode01/servers/server1|resources.xml#builtin_jdbcprovider)"
"Derby JDBC Provider (XA)(cells/fooNode01Cell|resources.xml#builtin_jdbcprovider)"
"Derby JDBC Provider(cells/fooNode01Cell/nodes/fooNode01/servers/server1|resources.xml#JDBCProvider_1201014593661)"
"ITIM XA DB2 JDBC Provider(cells/fooNode01Cell/nodes/fooNode01/servers/server1|resources.xml#JDBCProvider_1201032904744)"
"ITIM non-XA DB2 JDBC Provider(cells/fooNode01Cell/nodes/fooNode01/servers/server1|resources.xml#JDBCProvider_1201032906859)"

Given the list of JDBC providers, you can retrieve the attributes of a particular JDBC provider ID with the following wsadmin command. The JDBC provider ID used here is taken from the list in the preceding example:

wsadmin> print AdminConfig.show("ITIM non-XA DB2 JDBC Provider(cells/fooNode01Cell/nodes/fooNode01/servers/server1|resources.xml#JDBCProvider_1201032906859)")
[classpath ${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc.jar;${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc_license_cisuz.jar;${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc_license_cu.jar]
[description "ITIM JDBC2 non-XA Compliant Driver (DB2)"]
[implementationClassName com.ibm.db2.jcc.DB2ConnectionPoolDataSource]
[name "ITIM non-XA DB2 JDBC Provider"]
[nativepath []]
[xa false]

Or, by the containment string “/JDBCProvider:Provider Name”, as follows:

wsadmin> print AdminConfig.show(AdminConfig.getid("/JDBCProvider:ITIM non-XA DB2 JDBC Provider"))
[classpath ${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc.jar;${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc_license_cisuz.jar;${ITIM_DB_JDBC_DRIVER_PATH}/db2jcc_license_cu.jar]
[description "ITIM JDBC2 non-XA Compliant Driver (DB2)"]
[implementationClassName com.ibm.db2.jcc.DB2ConnectionPoolDataSource]
[name "ITIM non-XA DB2 JDBC Provider"]
[nativepath []]
[xa false]

Following is an example of output from the wsadmin session on a Windows-based IBM Security Identity Manager WebSphere Application Server configured to use a Microsoft SQL Server database:

wsadmin> print AdminConfig.show(AdminConfig.getid("/JDBCProvider:ITIM non-XA MSSQL JDBC Provider"))
[classpath ${ITIM_DB_JDBC_DRIVER_PATH}/sqljdbc.jar]
[description "ITIM JDBC2 non-XA Compliant Driver (MSSQL)"]
[implementationClassName com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource]
[name "ITIM non-XA MSSQL JDBC Provider"]
[nativepath []]
[xa false]

Following is an example of output from the wsadmin session on a Solaris-based IBM Security Identity Manager WebSphere Application Server configured to use an Oracle database:

wsadmin> print AdminConfig.show(AdminConfig.getid("/JDBCProvider:ITIM non-XA ORACLE JDBC Provider"))
[classpath ${ITIM_DB_JDBC_DRIVER_PATH}/ojdbc14.jar]
[description "ITIM JDBC2 non-XA Compliant Driver (ORACLE)"]
[implementationClassName oracle.jdbc.pool.OracleConnectionPoolDataSource]
[name "ITIM non-XA ORACLE JDBC Provider"]
[nativepath []]
[providerType "Oracle JDBC Driver"]
[xa false]

Note: The classpath values retrieved from the IBM Security Identity Manager server configuration use a variable ${ITIM_DB_JDBC_DRIVER_PATH} that is not available to the Tivoli Common Reporting server when defining a JDBC provider. You must use the full path when specifying the JDBC provider classpath.

What to do next

Create a JDBC provider. For more information, see “Creating a Java Database Connectivity (JDBC) provider” on page 178.

Creating the data source

Creating a data source is the most complex, vendor-dependent step.


About this task

This task requires detailed connection and server information for your database, such as host name, port, database name, and other vendor-dependent settings. For more information, see Table 36.

Table 36. Properties for DB2 and Microsoft SQL Server databases

Parameter      Description                                              Example value
databaseName   The name of the database on the target server.           itimdb
serverName     The host name or IP address of the database server.      myserver.my.com
portNumber     The port number for the database server connection.      1433

For DB2 and Microsoft SQL Server databases, the databaseName, serverName, and portNumber parameters are used to define the JDBC data source. For Oracle databases, a single URL property is used.

Table 37. Data source helper class names

Database vendor       Data source helper class name
DB2                   com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper
Microsoft SQL Server  com.ibm.websphere.rsadapter.ConnectJDBCDataStoreHelper
Oracle                com.ibm.websphere.rsadapter.Oracle10gDataStoreHelper

Procedure

1. Collect the required data as described in Table 36. For assistance with collecting this data, see “Identifying data source information from IBM Security Identity Manager” on page 184.

2. Start the wsadmin command as described in “Configuring embedded WebSphere Application Server with wsadmin commands” on page 176.

3. Create the data source. It is helpful for the remainder of the commands to save the result of this command into a local variable ds.

   wsadmin> ds = AdminConfig.create('DataSource', AdminConfig.getid("/JDBCProvider:JDBC provider for the ITIM DB"), [["name", "ITIM DB Data Source"], ["description", "ITIM DB Data Source"]])

4. Create a resource property set to hold additional properties. It is helpful for the remainder of the commands to save the result of this command into a local variable ds_props.

   wsadmin> ds_props = AdminConfig.create('J2EEResourcePropertySet', ds, [])

5. Create the J2EE properties. For DB2 and Microsoft SQL Server data sources, there are four properties to set. These properties identify the database name, the database server, the server port, and the driver type. For Oracle data sources, they are set in a single property that identifies the complete JDBC connection URL.

   DB2 and Microsoft SQL Server database name
   Replace, if necessary, the value itimdb in the following call with your actual database name:

   wsadmin> AdminConfig.create('J2EEResourceProperty', ds_props, [["name", "databaseName"], ["type", "java.lang.String"], ["value", "itimdb"]])

   DB2 and Microsoft SQL Server server name
   Replace, if necessary, the value localhost in the following call with your actual database server name or IP address:

   wsadmin> AdminConfig.create('J2EEResourceProperty', ds_props, [["name", "serverName"], ["type", "java.lang.String"], ["value", "localhost"]])

   DB2 and Microsoft SQL Server port number
   Replace, if necessary, the value 1433 in the following call with your actual database server port number:

   wsadmin> AdminConfig.create('J2EEResourceProperty', ds_props, [["name", "portNumber"], ["type", "java.lang.Integer"], ["value", "1433"]])

   DB2 and Microsoft SQL Server driver type
   All drivers used for IBM Security Identity Manager data sources are type 4 for DB2 and Microsoft SQL Server databases, and thin for Oracle databases:

   wsadmin> AdminConfig.create('J2EEResourceProperty', ds_props, [["name", "driverType"], ["type", "java.lang.String"], ["value", "4"]])

   Oracle URL
   This property is the only required property for Oracle databases and is not a property for DB2 or Microsoft SQL Server databases. Replace, if necessary, the value jdbc:oracle:thin:@myserver.mydomain.com:Port_Number:itimdb in the following call with your actual database URL:

   wsadmin> AdminConfig.create('J2EEResourceProperty', ds_props, [["name", "URL"], ["type", "java.lang.String"], ["value", "jdbc:oracle:thin:@myserver.mydomain.com:Port_Number:itimdb"]])

6. Modify the data source.

   a. Update the data source configuration with the Java Naming and Directory Interface (JNDI) name expected by IBM Security Identity Manager and the Tivoli Common Reporting reports pack (jdbc/ibm/tivoli/tim), the JAAS authentication alias defined earlier in this configuration process, and the vendor-dependent data source helper class name (see Table 37 on page 182).

   b. Replace, if necessary, ITIM DB Alias in the following code with the JAAS authentication alias that you created earlier in this configuration process.

   c. Replace com.ibm.websphere.rsadapter.ConnectJDBCDataStoreHelper with the appropriate data source helper class name for your database, as follows:

   wsadmin> AdminConfig.modify(ds, [["jndiName", "jdbc/ibm/tivoli/tim"], ["authDataAlias", "ITIM DB Alias"], ["datasourceHelperClassname", "com.ibm.websphere.rsadapter.ConnectJDBCDataStoreHelper"]])
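The JAAS alias, JDBC provider and data source steps above are the same AdminConfig calls in a fixed order, which makes them straightforward to script. The following Python script is an added example, not the guide's TIMsetupDatasource.py or any IBM code: it generates the wsadmin command sequence for a chosen database vendor (the function names, description strings and all sample values are constructed), branches on the Oracle URL versus the DB2/MS SQL property set from step 5, takes the class names from Tables 35 and 37, and quotes every value so that a Windows classpath or a password containing quotes or backslashes cannot break the generated Jython. Save the output as a .py file and run it with wsadmin as the Jython script section above does, or paste the lines at the wsadmin prompt.

```python
"""Generate the wsadmin (Jython) commands for the ISIM reporting JAAS alias, JDBC provider
and data source. Added example, not the guide's TIMsetupDatasource.py; all sample values
are constructed and the generated text assumes ASCII-only values."""
import json

# Implementation class names from Table 35 and data source helper classes from Table 37.
IMPL_CLASS = {
    "db2": "com.ibm.db2.jcc.DB2ConnectionPoolDataSource",
    "mssql": "com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource",
    "oracle": "oracle.jdbc.pool.OracleConnectionPoolDataSource",
}
HELPER_CLASS = {
    "db2": "com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper",
    "mssql": "com.ibm.websphere.rsadapter.ConnectJDBCDataStoreHelper",
    "oracle": "com.ibm.websphere.rsadapter.Oracle10gDataStoreHelper",
}
JNDI_NAME = "jdbc/ibm/tivoli/tim"  # JNDI name the reports pack expects


def jy(value):
    """Render a value as a Jython string literal; json.dumps escapes quotes and backslashes."""
    return json.dumps(str(value))


def attrs(pairs):
    """Render [(name, value), ...] in wsadmin's nested attribute-list syntax."""
    return "[" + ", ".join("[%s, %s]" % (jy(n), jy(v)) for n, v in pairs) + "]"


def build_commands(vendor, alias, user_id, password, classpath,
                   provider_name, ds_name, conn):
    """Return the ordered list of wsadmin commands for one ISIM reporting data source.

    conn holds databaseName/serverName/portNumber for DB2 and MS SQL, or url for Oracle.
    """
    vendor = vendor.lower()
    if vendor not in IMPL_CLASS:
        raise ValueError("unsupported database vendor: %s" % vendor)
    if vendor == "oracle":
        url = conn["url"]
        # Reject the guide's unreplaced Port_Number placeholder before it reaches wsadmin.
        if not url.startswith("jdbc:oracle:thin:@") or "Port_Number" in url:
            raise ValueError("Oracle URL is not a complete thin-driver URL: %s" % url)
        props = [("URL", "java.lang.String", url)]
    else:
        props = [
            ("databaseName", "java.lang.String", conn["databaseName"]),
            ("serverName", "java.lang.String", conn["serverName"]),
            ("portNumber", "java.lang.Integer", int(conn["portNumber"])),
            ("driverType", "java.lang.String", "4"),  # type 4 driver, as in the guide
        ]
    cmds = [
        # JAAS alias: the database user needs only read access to the report tables.
        "AdminConfig.create('JAASAuthData', AdminConfig.getid('/Security:/'), %s)"
        % attrs([("alias", alias), ("description", "JAAS alias for the ISIM database"),
                 ("userId", user_id), ("password", password)]),
        # JDBC provider: a full driver path, since ${ITIM_DB_JDBC_DRIVER_PATH} does not
        # exist on the Tivoli Common Reporting server.
        "AdminConfig.create('JDBCProvider', AdminConfig.getid('/Cell:/'), %s)"
        % attrs([("classpath", classpath), ("implementationClassName", IMPL_CLASS[vendor]),
                 ("name", provider_name), ("description", "JDBC provider for the ISIM database")]),
        "ds = AdminConfig.create('DataSource', AdminConfig.getid(%s), %s)"
        % (jy("/JDBCProvider:" + provider_name), attrs([("name", ds_name), ("description", ds_name)])),
        "ds_props = AdminConfig.create('J2EEResourcePropertySet', ds, [])",
    ]
    for name, jtype, value in props:
        cmds.append("AdminConfig.create('J2EEResourceProperty', ds_props, %s)"
                    % attrs([("name", name), ("type", jtype), ("value", value)]))
    cmds.append("AdminConfig.modify(ds, %s)" % attrs([
        ("jndiName", JNDI_NAME), ("authDataAlias", alias),
        ("datasourceHelperClassname", HELPER_CLASS[vendor])]))
    cmds.append("AdminConfig.save()")
    cmds.append("print AdminControl.testConnection(AdminConfig.getid(%s))"
                % jy("/DataSource:" + ds_name))
    return cmds


if __name__ == "__main__":
    # Constructed sample values matching the guide's MS SQL example.
    for line in build_commands(
            "mssql", "ITIM DB Alias", "itimuser", "mypassword",
            "C:/Program Files/Microsoft SQL Server 2005 JDBC Driver/sqljdbc_1.1/enu/sqljdbc.jar",
            "JDBC provider for the ITIM DB", "ITIM DB Data Source",
            {"databaseName": "itimdb", "serverName": "localhost", "portNumber": 1433}):
        print(line)
```

The alias name passed to build_commands is reused verbatim as the authDataAlias in the final AdminConfig.modify call, so the alias and data source cannot drift apart the way they can when the commands are typed one at a time. The generated file contains the database password in clear text, exactly as the typed command does; treat it like the properties file it came from.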

What to do next

Save the configuration. For more information, see “Saving the configuration” on page 185.

Identifying data source information from IBM Security Identity Manager

Creating a data source requires identifying the right configuration parameters used by IBM Security Identity Manager.

About this task

The necessary database configuration information is available from your IBM Security Identity Manager WebSphere Application Server.

Procedure

1. With the WebSphere Application Server ISC administrative console on your IBM Security Identity Manager WebSphere Application Server, log in and navigate to Resources > JDBC > Data Sources.

2. View the list of data sources and select ITIM Data Source.

Example

Alternatively, this information can be readily obtained on the IBM Security Identity Manager WebSphere Application Server with a wsadmin session on that server, as follows:

wsadmin> print AdminConfig.showall(AdminConfig.showAttribute(AdminConfig.getid("/DataSource:ITIM Data Source"), "propertySet"))
[resourceProperties "[[[name databaseName][required false][type java.lang.String][value itimdb]] [[name driverType][required false][type java.lang.Integer][value 4]] [[name serverName][required false][type java.lang.String][value localhost]] [[name portNumber][required false][type java.lang.Integer][value 50000]]]"]

Some of this information is also available in the file ITIM_HOME/data/enRoleDatabase.properties on your IBM Security Identity Manager server. The ITIM_HOME directory is where IBM Security Identity Manager is installed.

Following is an example for Microsoft SQL Server:

# JDBC driver URL
database.jdbc.driverUrl=jdbc:sqlserver://;server=myserver.mydomain.com;port=1433;database=itimdb

where:

• myserver.mydomain.com is the host name of the IBM Security Identity Manager database server.
• 1433 is the port on which the database server is listening.
• itimdb is the IBM Security Identity Manager database name.

Following is an example for Oracle:

# JDBC driver URL
database.jdbc.driverUrl=jdbc:oracle:thin:@myserver.mydomain.com:1521:itimdb

where:

• myserver.mydomain.com is the host name of the IBM Security Identity Manager database server.
• 1521 is the port on which the database server is listening.
• itimdb is the IBM Security Identity Manager database name.
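Before typing the property values into the Tivoli Common Reporting wsadmin session, it helps to extract them from the two sources this section names and compare them. The following Python script is an added example, not the product's code: read_properties, parse_driver_url and parse_resource_properties are constructed names; the properties excerpt and the showall output are constructed copies of the guide's examples; and the DB2 URL form the parser also accepts is an assumption not shown on this page. It splits the MS SQL and Oracle driverUrl forms into the serverName, portNumber and databaseName values of Table 36, reads the propertySet listing printed by AdminConfig.showall, and rejects an Oracle URL that still carries the Port_Number placeholder from the data source procedure.

```python
"""Extract ISIM data source parameters from enRoleDatabase.properties and from the
AdminConfig.showall propertySet listing. Added example, not part of the guide or the
product; all sample text below is constructed."""
import re

# Constructed excerpt of ITIM_HOME/data/enRoleDatabase.properties (MS SQL variant).
SAMPLE_PROPERTIES = """\
# IBM Tivoli Identity Manager Database User
database.db.user=itimuser
# JDBC driver URL
database.jdbc.driverUrl=jdbc:sqlserver://;server=myserver.mydomain.com;port=1433;database=itimdb
"""

# Constructed copy of the guide's AdminConfig.showall output for ITIM Data Source.
SAMPLE_SHOWALL = ('[resourceProperties "[[[name databaseName][required false][type java.lang.String]'
                  '[value itimdb]] [[name driverType][required false][type java.lang.Integer][value 4]] '
                  '[[name serverName][required false][type java.lang.String][value localhost]] '
                  '[[name portNumber][required false][type java.lang.Integer][value 50000]]]"]')


def read_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' comments and blank lines ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def parse_driver_url(url):
    """Split a driverUrl into vendor, serverName, portNumber and databaseName."""
    prefix = "jdbc:sqlserver://"
    if url.startswith(prefix):
        # ';'-separated key=value pairs; the leading ';' yields an empty token that is skipped.
        kv = dict(p.split("=", 1) for p in url[len(prefix):].split(";") if "=" in p)
        return {"vendor": "mssql", "serverName": kv["server"],
                "portNumber": int(kv["port"]), "databaseName": kv["database"]}
    m = re.match(r"^jdbc:oracle:thin:@([^:/]+):(\d+):([^:/]+)$", url)
    if m:
        return {"vendor": "oracle", "serverName": m.group(1),
                "portNumber": int(m.group(2)), "databaseName": m.group(3)}
    m = re.match(r"^jdbc:db2://([^:/]+):(\d+)/([^:/?]+)", url)  # assumed DB2 type 4 form
    if m:
        return {"vendor": "db2", "serverName": m.group(1),
                "portNumber": int(m.group(2)), "databaseName": m.group(3)}
    # An Oracle URL still carrying the Port_Number placeholder fails the \d+ match and lands here.
    raise ValueError("unrecognised or incomplete driver URL: %s" % url)


def parse_resource_properties(showall_text):
    """Map property name -> (java type, value) from an AdminConfig.showall propertySet listing."""
    pattern = r"\[\[name (\S+)\]\[required \S+\]\[type (\S+)\]\[value ([^\]]*)\]\]"
    return {name: (jtype, value) for name, jtype, value in re.findall(pattern, showall_text)}


def datasource_values(properties_text):
    """Combine the properties file into the values the reporting data source needs."""
    props = read_properties(properties_text)
    info = parse_driver_url(props["database.jdbc.driverUrl"])
    info["userId"] = props["database.db.user"]
    return info


if __name__ == "__main__":
    print(datasource_values(SAMPLE_PROPERTIES))
    print(parse_resource_properties(SAMPLE_SHOWALL))
```

Comparing the two sources side by side is worthwhile because they can legitimately differ: the showall output above reports port 50000 (a DB2 installation) while the properties excerpt reports 1433 (MS SQL), and the Tivoli Common Reporting data source must match the database the reports actually read.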

What to do next

Create the data source. For more information, see “Creating the data source” on page 181.

Saving the configuration

All changes are made in a copy of the configuration workspace within a wsadmin session. To commit the changes, you must explicitly save them.

Before you begin

Save the configuration by typing the following command:

wsadmin> AdminConfig.save()

The IBM Tivoli Common Reporting server is now configured to connect to your IBM Security Identity Manager database.

About this task

Procedure

1. Stop and restart the Tivoli Common Reporting server for the new configuration settings to take effect.

2. Type quit to exit wsadmin. If you want to quit without saving, type quit again to discard the changes.

3. Test the connection with wsadmin.

4. Type the following command, substituting the name of the data source created earlier in this configuration process for ITIM DB Data Source.

   wsadmin> AdminControl.testConnection(AdminConfig.getid("/DataSource:ITIM DB Data Source"))

Results

The following message is displayed after you run the command successfully:

WASX7217I: Connection to provided datasource was successful.

What to do next

Configure the data source in Tivoli Common Reporting. For more information, see “Configuring the data source in Tivoli Common Reporting” on page 186.


Configuring the data source in Tivoli Common Reporting

Configure the data source in Tivoli Common Reporting to work with IBM Security Identity Manager Server Version 6.0 reports.

Before you begin

• Install IBM Security Identity Manager Version 6.0. For more information, see the IBM Security Identity Manager Installation Guide.
• Install Tivoli Common Reporting Version 2.1.1. See http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ic-home.html.

Procedure

1. Log on to Tivoli Common Reporting. See http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/ttcr_login.html.

2. Configure the data source with the trcmd -modify command. See http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tcr.doc_211/rtcr_cli_modify.html.

Note:

• The MS SQL database password must not contain any special characters.
• You must set the Classpath to include the JDBC driver for SQL Server.

Results

The new data source is created in Tivoli Common Reporting.

Running a report

You can run a report on demand or create a snapshot of it for later viewing.

Procedure

1. To run a report on demand, complete these steps:

   a. In the Format column of the report, click HTML or PDF. The On-Demand Report Parameters window is displayed.

   b. In the On-Demand Report Parameters window, complete the parameters you want and click Run.

2. To create a snapshot of a report, complete these steps:

   a. Right-click a report and click Parameters. The Report Parameters window is displayed.

   b. In the Report Parameters window, complete the parameters you want and click Save.

   c. Right-click a report and select Create Snapshot.

   d. In the Report Parameters window, complete the parameters you want and click Create. The Report Snapshots window is displayed. The window indicates the status of the snapshot.

   e. In the Report Snapshots window, right-click a completed snapshot, select View as, and then indicate whether to format the snapshot in HTML, PDF, Excel, or PostScript.


What to do next

Create new reports with the Business Intelligence Reporting Tool designer. For more information, see “Creating new reports with the Eclipse Business Intelligence Reporting Tool designer.”

Creating new reports with the Eclipse Business Intelligence Reporting Tool designer

You can create and edit reports with the Eclipse Business Intelligence Reporting Tool designer.

About this task

For tips on how to customize report designs, see Customizing Tivoli Common Reporting Report Designs on developerWorks: http://www.ibm.com/developerworks/tivoli/library/t-tcr/ibm_tiv_tcr_customizing_report_designs.pdf

For information about the IBM Security Identity Manager database and its schema, see the Database and Schema Reference. You can locate this reference at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/im51_dbschema.htm.

Procedure

1. Download the Eclipse Business Intelligence Reporting Tool designer from this website: http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10OT02

2. Open the DVD media or the ZIP download package from Passport Advantage®. Examine the list of files.

3. Place the files into an Eclipse Report Project in a selected order.

What to do next

View the report descriptions and their example output. For more information, see “Report descriptions and parameters.”

Report descriptions and parameters

This section describes the reports and the report parameters.

Audit and security: accesses

This section describes the audit and security report that lists all access definitions in the system.

The following table describes the parameters that you can use to filter the report to your specifications.


Table 38. Filters for accesses report

Parameter              Description
Access Type            Displays the type of access, such as a shared folder or application. The default value for this parameter is the percent symbol (%). You can use the percent symbol (%) as a wildcard. For example, %abc1%. If you want to type in the access hierarchy, use the following format: Parent Access:Child Access:Child's Child Access, and so on.
Access                 Displays the access for which you want to generate a report. Any indicates that all access can be included, based upon the selection of the access type.
Service                Displays the service information that has access associated with it.
Access Owner (Person)  Displays the name of the access administration owner.

Dormant accounts

This section describes the dormant accounts report that lists the accounts that have not been used recently.

Accounts that do not have last access information are not considered dormant. Accounts that are not dormant include both new accounts for which the Last Access Date field is blank and existing accounts that are not used. These types of accounts are not displayed in a dormant account report. Reconciliation must be done on a service.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 39. Filters for dormant accounts report

Parameter                      Description
Service                        Displays the service information of the dormant account.
Dormant Period                 Displays the number of days dormant. The dormant period must be a valid positive integer.
Accounts listed dormant as of  Displays the list of accounts dormant as of the date.

Entitlements granted to an individual

This section describes the entitlements granted to an individual report that lists all users with the provisioning policies to which they are entitled.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 40. Filters for entitlements granted to an individual report

Parameter       Description
Owner (Person)  Displays the owner who is granted entitlements.

Note: This report shows direct entitlements and not inherited entitlements.


Noncompliant accounts
This section describes the report that lists all noncompliant accounts.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 41. Filters for noncompliant accounts

Parameter Description

Service Displays the service information for a noncompliant account.

Account Compliance Displays the compliance reason for the account. For example: Disallowed or Noncompliant.

Orphan accounts
This section describes the report that lists all accounts that do not have an owner.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 42. Filters for orphan accounts report

Parameter Description

Service Displays the service information for the orphan account.

Account Status Displays the status of the orphan account. For example: Active or Inactive.

Requests: approvals and rejections
This report shows request activities that were either approved or rejected.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 43. Filters for approvals and rejections report

Parameter Description

Approver Displays information about requests acted upon by a specific approver.

User ID Displays identification information of the user. You can use the percent symbol (%) as a wildcard. For example: %joe01%

Service Displays the service information of the approval and rejection.

Approval Request Status Displays the status of the approval request.

Approval Activity Name Displays the name of the approval activity. You can use the percent symbol (%) as a wildcard. For example: %Approval for joe01%

Date Range Displays the date range of approval in number of days.

Start Date Displays the start date of the approval and rejection.

End Date Displays the end date of the approval and rejection.

Separation of duty policies reports
This section describes various separation of duty policy reports.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 44. Filters for separation of duty policy definition report

Parameter Description

Separation of Duty Policy Displays the name of the separation of duty policy.

Business Unit Displays the name of the business unit.

Note: The policy name and business unit parameters must be selected from their respective menus.

Separation of duty violation report
This section describes the separation of duty violation report. This report contains the person, the policy and rules violated, the approval and justification (if any), and who requested the violating change.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 45. Separation of duty violation report

Parameter Description

Policy Displays the name of the separation of duty policy.

Business Unit Displays the name of the business unit.

Rule Name Displays the rule name that is associated with the separation of duty policy.

Services
This section describes the report that lists the services currently defined in the system.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 46. Filters for services report

Parameter Description

Service Displays the service information.

Owner (Person) Displays the service owner information.

Business Unit Displays the name of the business unit.

Summary of accounts on a service
This section describes a report that lists a summary of accounts on a specified service defined in the system.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 47. Filters for summary of accounts on a service report

Parameter Description

Service Displays the service information for the account.

Account Status Displays the status of the service account. For example: Active or Inactive.

Suspended accounts
This section describes the report that lists the suspended accounts.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 48. Filters for suspended accounts report

Parameter Description

User ID Displays identification information of the user. You can use the percent symbol (%) as a wildcard.

Account Owner (Person) Displays the owner information of the suspended account.

Service Displays the service information of the suspended account.

Date Range Displays the number of days for the date range in the suspended accounts.

Start Date Displays the start date of the suspended accounts.

End Date Displays the end date of the suspended accounts.

User recertification history report
This section describes the report that lists the history of user recertifications done manually (by specific recertifiers) or automatically (due to a timeout action).

The following table describes the parameters that you can use to filter the report to your specifications.

Table 49. Filters for user recertification history report

Parameter Description

Date Range Displays the date range of user recertification history in number of days.
Note: You can either select a standard report period, for example, the last 30 days, or enter a specific start and end date for the report.

Start Date Displays the start date of user recertification history.

End Date Displays the end date of user recertification history.

Business Unit Displays the name of the business unit.

User Recertification Policy Displays information about the user recertification policy.

User Displays the user from a business unit. You can use the percent symbol (%) as a wildcard. For example: %joe%

User Status Displays the status of the user to be selected.

Recertifier Displays the user to be selected as the recertifier.

Recertification Decision Displays the recertification decision to be selected.

User recertification policy definition report
This section describes a report that lists information about the user recertification policies defined in the system.

The following table describes the parameters that you can use to filter the report to your specifications.

Table 50. Filters for user recertification policy definition report

Parameter Description

User Recertification Policy Displays the name of the user recertification policy.

Business Unit Displays the name of the business unit.

User recertification policy detail definition report

The detail definition report displays this information:
• User recertification policy information
• Recertifier information
• Role Target
• Account Target
• Group Target

Shared access audit history report
This report shows the shared access audit history. The following table describes the parameters that you can use to filter the report to your specifications.

Table 51. Filters for shared access audit history report

Parameter Description

Date Range Displays the date range of shared access in number of days.
Note: If Tivoli Common Reporting is installed on a remote machine, the reports might occasionally show no data or only partial data. To avoid this omission, provide the date and time that is set on the Security Identity Manager server.

Start Date Displays the start date of the shared access history.

End Date Displays the end date of the shared access history.

Service Business Unit Displays the business unit associated with the service.

Service Displays the service information that has the shared access associated with it.

Shared Access Owner Business Unit Displays the business unit associated with the shared access owner.

Shared Access Owner Displays the shared access owner name.

Shared Access Displays the name of the shared access entitlement, such as a credential name or a credential pool name.

Shared access entitlements by owner
This report shows shared access entitlements for the selected owner. The following table describes the parameters that you can use to filter the report to your specifications.

Table 52. Filters for shared access entitlements by user report

Parameter Description

Service Business Unit Displays the business unit associated with the service.

Service Displays the service information that has the shared access entitlements associated with it.

Shared Access Owner Business Unit Displays the shared access owner business unit name.

Shared Access Owner Displays the shared access owner (person or role) name.

Shared access entitlements by role
This report shows shared access entitlements for the selected role. The following table describes the parameters that you can use to filter the report to your specifications.

The Owner attribute is not present by default. You must map the Owner attribute in the Organizational Roles with the schema mapping.

See the topic "Report schema mapping" in the IBM Security Identity Manager Administration Guide.

Table 53. Filters for shared access entitlements by role report

Parameter Description

Business Unit Displays the name of the business unit.

Role Displays the list of roles.

Entitlement Type Displays the type of an entitlement, such as credential or credential pool.

Reports maintenance
An example maintenance window is when normal downtime does not affect business requirements. An example maintenance task is when a database credential password expires or changes.

Changing the JAAS authentication alias
When the database user name or password changes, you must update the Java Authentication and Authorization Service (JAAS) authentication alias.

Procedure
1. Open a command shell.
2. Identify the configuration object so you can see it in the modify command:

wsadmin>print AdminConfig.list("JAASAuthData")

The configuration object that displays is similar to this value:
(cells/tcrCell|security.xml#JAASAuthData_1202487694421)

3. Change the password and user ID by running the following command:

wsadmin>AdminConfig.modify(configuration_object, [["userid", "newid"], ["password", "newpassword"]])

where:
• configuration_object is the object that you previously identified.
• newid is the new user ID for the database.
• newpassword is the new password associated with the user ID.

Example

The following example changes the password to mynewpassword for the configuration object (cells/tcrCell|security.xml#JAASAuthData_1202487694421):
wsadmin>AdminConfig.modify("(cells/tcrCell|security.xml#JAASAuthData_1202487694421)", [["password", "mynewpassword"]])

You can use a similar call to update the userId attribute.

What to do next

Change the JDBC provider. For more information, see “Changing the JDBC provider.”

Changing the JDBC provider
The JDBC driver is changed when you migrate from one database vendor, such as Oracle or Microsoft SQL Server, to another, such as DB2. You might migrate the database across database vendor platforms, for example from Oracle to DB2. Remove the existing JDBC configuration and create a JDBC provider and data source configuration.

About this task

To create the data source configuration in the configuration section, complete these steps:

Procedure
1. Remove the data source as follows:

wsadmin> AdminConfig.remove(AdminConfig.getid("/DataSource:ITIM DB Data Source"))

2. After you remove the data source, remove the JDBC provider as follows:
wsadmin> AdminConfig.remove(AdminConfig.getid("/JDBCProvider:JDBC provider for the ITIM DB"))

3. Create a JDBC provider and data source for the new vendor and database. For more information, see “Creating a Java Database Connectivity (JDBC) provider” on page 178.

What to do next

Change the data source. For more information, see “Changing the data source.”

Changing the data source
If the host or port of the database server changes, or the database name changes, you must update the data source configuration.

About this task

For Oracle databases, this configuration requires a change to the URL property to reflect the new JDBC URL. For DB2 and Microsoft SQL Server databases, this configuration requires a change to the specific property or properties that changed. In the following example, the portNumber property is updated with 1435:

Example
AdminConfig.modify(AdminConfig.getid("/DataSource:ITIM DB Data Source/J2EEResourcePropertySet:/J2EEResourceProperty:portNumber/"), [["value", "1435"]])

Similar commands can be used to update the other data source J2EE resource properties:
• URL for Oracle databases
• serverName and databaseName for DB2 and Microsoft SQL Server databases

What to do next

Save the configuration changes. For more information, see “Saving the configuration changes.”

Saving the configuration changes
You must save the configuration to update the data source changes.

About this task

To save the data source configuration, complete these steps:

Procedure
1. Save the configuration with the wsadmin command.
2. Restart the WebSphere Application Server.

Results

The configuration changes are saved into the WebSphere Application Server.

Debugging
This topic provides the procedures for debugging.

Errors in report generation and formatting
This topic describes the errors in report generation and formatting.

About this task

If a report fails to format, you see an error message that is similar to this message:
CTGTRV014E: The report cannot be successfully formatted because it completed with errors, reference ID [REPORTIT_33_OBJECTID_7fe67fe6].
Click on the following link to view the report with the errors.
CTGTRV011E: See the Tivoli Common Reporting log files for more information.
https://localhost:30343/TCR/Reports/view

To view the report with the formatting failure detailed in the report, complete these steps:

Procedure
1. Click the link in the error message. Examine the generated report with errors.
2. Scroll down to see the errors in red text at the bottom of the report.
3. Click the plus symbol (+) next to the error message caption. You can expand the list to view the entire stack trace. This stack trace can help you identify the issue or what type of error it is. For example, in case of data source password expiration, the database credentials require certain updates in the wsadmin console. Tivoli Common Reporting requires some maintenance to update the database or JDBC credentials.

4. Modify the report in the Eclipse Business Intelligence Reporting Tool designer to fix the issue.

What to do next

Check the logs. For more information, see “Logs.”

Logs
This section describes the logs associated with Tivoli Common Reporting.

About this task

Tivoli Common Reporting has two log files:

SystemErr.log
Shows the system error logs.

SystemOut.log
Shows the system output logs.

The log files are in one of the following directories:
• TCR_HOME\eWas61\profiles\tcrProfile\logs\tcrServer
• The temporary directory on which Tivoli Common Reporting is installed. For example, C:\temp on Windows, or /temp on UNIX.

To interpret the information in logs, see the Tivoli Common Reporting information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=/com.ibm.tivoli.tcr.doc/tcr_welcome.html.

For more information about logging and creating new Tivoli Common Reporting reports, see Report Logging for JavaScript Routines:

http://www.ibm.com/developerworks/tivoli/library/t-tcr/ibm_tiv_tcr_report_logging.pdf

Tivoli Common Reporting uses logger scripts to log during report generation.

Known problems and solutions
This section describes the known problems and solutions associated with Tivoli Common Reporting.

Bar chart does not display the smaller value

Problem

If a bar chart contains two totals with a certain distance between the values, the smaller value might not be displayed. For example, when you run the Orphan Account report, one service might have 10,000 dormant accounts. The other service has only three dormant accounts. The software does not show the service with only three dormant accounts.

Solution

This omission is a known problem.

Eclipse Business Intelligence Reporting Tool charting engine does not display all X-axis categories

Problem

When you run a report with a chart, the X-axis categories sometimes do not display all available items.

Solution

This lack of all available items is a known problem.

Chart legend keeps disallowed series visible

Problem

If you run the Noncompliant Account report with the account compliance parameter set to Disallowed, the chart still displays Non-compliant although the parameter filters out noncompliant accounts.

Solution

Complete these steps:
1. Duplicate the chart without the noncompliant series, but keep the disallowed series.
2. Duplicate the chart again without the disallowed series and keep the noncompliant series. The noncompliant report now has three charts.
3. Conditionally set the visibility of each chart based on the account compliance parameter value.

Firefox version 1.5 displays a prior report generation when running a PDF report

Problem

You might run a report and specify PDF output. Then, you leave the report window open while you try to run the same report a second time with different parameters. Firefox version 1.5 redisplays the first PDF report instead of displaying the second report. Tivoli Common Reporting confirms that the second report is being run and delivered to Firefox, but Firefox version 1.5 displays the first PDF report again.

Solution

Do not run the report with the window open.

Graph chart displays the legend with all defined series

Problem

All series are shown in charts even though the report parameters might filter outspecified series values.

Solution

This lack of filtering in the display is a known problem.

Hyperlink within report is always displayed

Problem

The drilldown hyperlink on the Entitlements Granted to an Individual reportalways displays the hyperlink even if an owner is specified for a parameter.

Solution

Eclipse Business Intelligence Reporting Tool cannot conditionally disable a hyperlink with JavaScript.

Last record in table row is split between two pages

Problem

Eclipse Business Intelligence Reporting Tool sometimes splits a table row between two pages.

Solution

This row division is a known problem.

OutOfMemoryException error occurs with large result sets

Problem

The default embedded WebSphere Application Server Java Virtual Machine (JVM) configuration might cause the server to run out of memory. The problem occurs when processing reports with large result sets (tens of thousands).

Solution

Modify the JVM maximum heap size with the wsadmin command on the Tivoli Common Reporting embedded WebSphere Application Server, as follows:
1. Type the following command:

AdminConfig.modify(AdminConfig.getid("/JavaVirtualMachine:/"),[["maximumHeapSize", "1024"]])

This command sets the maximum heap size to 1024 MB.
2. Use AdminConfig.save() to save the changes.
3. Restart the Tivoli Common Reporting server so that the configuration changes take effect.

To retrieve the current configuration of the JVM process, type the following wsadmin command:
print AdminConfig.show(AdminConfig.getid("/JavaVirtualMachine:/"))

You can find the OutOfMemoryException logs in the Tivoli Common Reporting WebSphere trace logs.

Parameter lists display duplicate names

Problem

If you use duplicate values in a dynamic list box parameter, you might not be able to select the appropriate item. For example, you might have two different users both named Bob Smith with underlying values that are unique IDs. When you run a report, IBM Security Identity Manager displays Bob Smith twice because their underlying values are unique. However, when a user selects the second Bob Smith entry from the dropdown list, the list always selects the first Bob Smith.

Solution

When you run the report in the Eclipse Business Intelligence Reporting Tool designer and select the preview and File -> View Report, the two parameters are selected correctly.

PDF of large report does not load

Problem

When you run a large report and do not specify any report parameters to filter down the data, the PDF output does not load.

Solution

When you run reports that might yield many results, specify as many report parameters as possible. Also, when you run a large report, specify the HTML output option.

Pie chart values overlap

Problem

Number values can overlap and become unreadable for small series sections in a pie chart, such as the Suspended Account report chart.

Solution

This overlap of values is a known problem.

Report parameter lists do not include all values

Problem

The Tivoli Common Reporting user interface visually limits report parameters in lists.

Solution

If you do not see a required value in the list, type the first few letters of the value. Type letters until the value becomes visible in the list, so that you can select it. For example, there might be 1000 Hosted service N service definitions set up in an IBM Security Identity Manager deployment. The variable N is the number of the hosted service. To select Hosted service 810, type Hosted service 81.

Reports cannot include Business Partner Persons

Problem

The IBM Security Identity Manager reports cannot report on Business Partner Persons without report customization through the Eclipse Business Intelligence Reporting Tool report designer.

Solution

For information about customizing reports, see Customizing Tivoli Common Reporting Report Designs on DeveloperWorks: http://www.ibm.com/developerworks/tivoli/library/t-tcr/ibm_tiv_tcr_customizing_report_designs.pdf

Running large reports causes memory fragmentation

Problem

You can successfully generate large reports, such as one with 400,000 rows, according to the Tivoli Common Reporting trace files. The following shows an example trace message with a large report data set:
[3/21/08 1:13:55:593 IST] 00000026 DiskCache I End of process, and the count of data is 418128

Due to the amount of data reported on, large reports can cause issues with the Java Virtual Machine (JVM) memory allocation. The volume can cause memory fragmentation in the JVM. Subsequent runs of the report can fail due to out of memory exceptions.

Solution

Restart the Tivoli Common Reporting server.

Service parameters display invalid values

Problem

The service parameter used in the reports displays all service names in the list. However, the software does not display certain service parameter values in the IBM Security Identity Manager console.

Solution

This difference in report and console lists is a known problem.

Snapshot parameters do not display normal text

Problem

Snapshot parameters display a unique value instead of the normal display text of the dynamic list box parameters.

Solution

This display of a unique value is a known problem.

Snapshot report is empty in Excel format

Problem

When you create a snapshot of a report and there are zero results returned when the snapshot runs, downloading the Microsoft Excel format of the snapshot produces an Excel error. For example:
'XML ERROR in Style'

PDF and HTML formats download correctly.

Solution

This omission is a known problem.

Text in reports is displayed incorrectly when using Asian languages

Problem

When you run a report and try to display the results in PDF or HTML format, the text is displayed as though it is corrupted. This problem occurs when Chinese, Korean, and Japanese languages are used.

Solution

Tivoli Common Reporting renders charts into images on the server. If the server does not have the font support for the language to use, text in the charts looks garbled.

Install and enable the appropriate Asian fonts in the operating system. For example, in Windows, complete these steps:
1. Click Start -> Control Panel -> Regional and Language Options.
2. Select the Languages tab.
3. Select the Install files for East Asian Languages check box and click OK twice.

User Dn report parameter scale issue
The User Dn parameter in the User dropdown list of IBM Tivoli Common Reporting-based IBM Security Identity Manager reports does not scale completely.

Problem

The User Dn parameter does not scale completely in the User dropdown list when the number of user entries is large. An example of large user entries is the Entitlements Granted to Individual report.

Solution

Complete these steps:
1. Use the Eclipse Business Intelligence Reporting Tool designer to modify the Tivoli Common Reporting report that has the User Dn dynamic dropdown list report parameter. Change the User DN report parameter to a static text box report parameter.
2. Substitute the parameter from AND NAPerson.DN like ? to AND NAPerson.GIVENNAME like ? in the data set named Entitlements Granted to an Individual Table.
3. Run the modification successfully in the Eclipse Business Intelligence Reporting Tool designer. Then, import an exported ZIP archive file of the report package into Tivoli Common Reporting that allows this modified report to run without the User Dn parameter.

Chapter 17. Identity feed management

As administrator, you need to take a number of initial steps to take employee data from one or more human resources repositories. You use the data to populate the IBM Security Identity Manager registry with an equivalent set of users.

Overview

An identity is the subset of profile data that uniquely represents a person in one or more repositories, and additional information related to the person. For example, an identity might be represented by a unique combination of the first name, last name, full name, and employee number of a person. The data might also contain additional information such as phone numbers, manager, and email address. A data source can be a customer's user repository or a file, a directory, or a custom source.

Use IBM Security Identity Manager to add a number of users to the system by reading a data source, such as a user repository, directory, file, or custom source. The process of adding users based on a user data repository is called an identity feed, or HR feed.

Reconciliation for an identity feed is the process of synchronizing the data between the data source and IBM Security Identity Manager. The initial reconciliation populates IBM Security Identity Manager with new users, including their profile data. A subsequent reconciliation both creates new users and also updates the user profile of any existing users that are found.

You can use several source formats to load identity records into the IBM Security Identity Manager user registry.

You need to anticipate the effect of missing information in the user record. For example, the record that you feed into IBM Security Identity Manager might not have an email address for the user. The user does not receive a password for a new account in an email and must call the help desk, or contact the manager.

Common sources for identity feeds

IBM Security Identity Manager supplies the following service types to handle many of the most common sources for identity feeds:
• Comma-Separated Value (CSV) identity feed
• DSML identity feed
• AD OrganizationalPerson identity feed (Microsoft Windows Active Directory)
• INetOrgPerson (LDAP) identity feed
• IDI data feed

You can populate initial content and subsequent changes to the content of thepeople registry from these sources:

Comma-Separated Value (CSV) file
Use a comma-separated value (CSV) file. A CSV file contains a set of records separated by a carriage return/line feed (CR/LF) pair. Each record contains a set of fields separated by a comma. You can use a global identity policy to select the schema attributes that create a user ID.

Directory Services Markup Language (DSML) v1 file
Use a DSML v1 file to populate the people registry. A DSML file represents directory structural information in an XML file format. If you run the identity feed more than one time, duplicate people are modified according to the newest file. A global identity policy does not apply to a DSML file.

Windows Server Active Directory
From Windows Server Active Directory, import only the information found in the inetOrgPerson schema portion of a Windows Server Active Directory user. You can use a global identity policy to select the schema attributes that create a user ID. The identity feed process uses all user objects in the specified base.

INetOrgPerson identity feed
Use an LDAP directory server. The data uses the objectclass implied by the person profile name specified in the service definition. You can use a global identity policy to select the schema attributes that create a user ID. The identity feed process ignores records that do not have the specified objectclass.

Custom identity sources
Use custom identity sources to populate initial content and subsequent changes to the content of the people registry. Depending on the identity source, you might use a global identity policy to select the schema attributes that create a user ID.

For example, use an IBM Tivoli Directory Integrator identity feed to obtain more flexibility than a standard data feed provides. Additional capabilities include:
• Working with a subset of data, such as filtering users in a specified department
• Enabling additional attribute mapping beyond the standard mapping
• Enabling data lookups, such as the manager of an employee, obtained from another data source
• Change detection on the data source
• Using databases and human resource systems such as DB2 Universal Database™ and SAP
• Controlling attributes; for example, updating status such as suspending a person
• Deleting identity records
• Initiating changes with IBM Tivoli Directory Integrator, instead of using IBM Security Identity Manager reconciliations

For more information about providing customized identity feeds, see the information about IBM Tivoli Directory Integrator integration in the IBM Security Identity Manager extensions directory.

Enabling workflow for identity feeds

Regardless of the method used, the IBM Security Identity Manager Server can be configured to call the workflow engine for identity feed records. Enabling the workflow engine results in enforcement of all applicable provisioning policies for incoming identities. The configuration results in slower feed performance. Persons are automatically enrolled in any applicable dynamic roles even if the workflow engine is not enabled for an identity feed. For initial loads, consider importing identities into the system and then enabling applicable provisioning policies to improve identity feed performance.

Comma-Separated Value (CSV) identity feed
The Comma-Separated Value (CSV) identity feed provides the capability to read a comma-separated value (CSV) file to add users to IBM Security Identity Manager.

CSV service type

This identity feed service type parses identity feeds with CSV file formats that comply with RFC 4180 grammar. The IBM Security Identity Manager parser has the following RFC enhancements:
• Trims leading and trailing white space from unquoted text in a field. In contrast, RFC 4180 regards all space to be significant, whether inside or outside of quotation mark delimiters.
• Allows quoted and unquoted text to be in the same field. In contrast, RFC 4180 does not allow both text types in the same field.
• Does not enforce the RFC 4180 restriction that all records have the same number of fields. However, the code that calls the CSV parser reports an error if a record has more fields than the CSV header has.
• Allows record termination to use carriage return (CR) or to use carriage return/line feed (CR/LF) to be compatible with both UNIX and DOS based files. In contrast, RFC 4180 terminates all records with carriage return/line feed (CR/LF).

Services that use CSV files

IBM Security Identity Manager has the following types of services that use CSVfiles as input:v CSV identity feedv Custom services that use the Manual Service Provider type. These custom

services use a CSV file format for the reconciliation upload file. This service typecan be used for both identity and account feeds.By default, all accounts defined in a CSV file for reconciliation of a manualservice are marked as active in IBM Security Identity Manager. To suspend aperson or account using a manual service reconciliation, add the erpersonstatusor the eraccountstatus attribute to the CSV file (depending on whether the feedis for identities or accounts). A value of 0 (zero) indicates active. A value of 1indicates inactive.

v Custom services that use the Directory Integrator Adapter Provider type that usethe IBM Tivoli Directory Integrator CSV connector. This service type can be usedfor both identity and account feeds.

CSV file format

A CSV file contains a set of records separated by a carriage return/line feed(CR/LF) pair (\r\n), or by a line feed (LF) character. Each record contains a set offields separated by a comma. If the field contains either a comma or a CR/LF, thecomma must be escaped with double quotation marks as the delimiter. The firstrecord in the CSV source file defines the attributes provided in each of thefollowing records. For example:uid,sn,cn,givenname,mail,initials,employeenumber,erroles

Chapter 17. Identity feed management 205

The sn and cn attributes are required by the object classes used by IBM Security Identity Manager to represent a person. The identity feed process uses all objects in the file. The CSV file cannot contain binary attributes.

You might use a multi-valued attribute to specify a user who has membership in multiple groups. Groups might include Service Owner, Windows Local Management (a self-defined group), and Manager. If you include multi-valued attributes, they must be represented by using multiple columns with the same attribute name.

To specify multi-valued attributes, repeat the column the required number of times. For example:

cn, erroles, erroles, erroles, sn
cn1,role1, role2, role3, sn1
cn2,rolea,,,sn2

The record that you feed into IBM Security Identity Manager might not have an email address for the user. That user does not receive a notification email that contains the password for a new account, and must call the help desk or contact the manager.
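The parser below is an added example, not IBM's own CSV parser, written to show how the rules in the "CSV service type" and "CSV file format" sections fit together: unquoted white space is trimmed, quoted and unquoted text may share a field, a record may be shorter than the header but is rejected when it is longer, CR, LF or CR/LF all terminate a record, and repeated header columns (erroles, erroles, erroles) become a multi-valued attribute. The sample feed and the manual-service erpersonstatus check are constructed for the example.

```python
"""Parser for the CSV identity-feed format described above.

Added example, not IBM's parser: it implements the RFC 4180 deviations the
text lists and turns repeated header columns into multi-valued attributes.
"""
from typing import Dict, List, Tuple


class FeedFormatError(ValueError):
    """A record that cannot be mapped onto the header row."""


def split_records(text: str) -> List[List[str]]:
    """Split CSV text into records of field strings."""
    records: List[List[str]] = []
    fields: List[str] = []
    segments: List[Tuple[str, bool]] = []   # (text, came_from_quotes) for one field
    buf: List[str] = []                      # characters of the current segment
    in_quotes = False

    def end_segment() -> None:
        if buf or in_quotes:                 # keep an explicitly quoted empty string
            segments.append(("".join(buf), in_quotes))
        buf.clear()

    def end_field() -> None:
        end_segment()
        # Only unquoted text at the start or end of the field is trimmed.
        if segments and not segments[0][1]:
            segments[0] = (segments[0][0].lstrip(), False)
        if segments and not segments[-1][1]:
            segments[-1] = (segments[-1][0].rstrip(), False)
        fields.append("".join(part for part, _ in segments))
        segments.clear()

    def end_record() -> None:
        end_field()
        if fields != [""]:                   # a blank line is not a record
            records.append(list(fields))
        fields.clear()

    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if in_quotes:
            if ch == '"' and i + 1 < n and text[i + 1] == '"':
                buf.append('"')              # doubled quote inside quotes is a literal quote
                i += 2
                continue
            if ch == '"':
                end_segment()
                in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            end_segment()                    # unquoted text before the quote is kept
            in_quotes = True
        elif ch == ",":
            end_field()
        elif ch in "\r\n":
            end_record()
            if ch == "\r" and i + 1 < n and text[i + 1] == "\n":
                i += 1                       # CR/LF counts as one terminator
        else:
            buf.append(ch)
        i += 1
    if buf or segments or fields or in_quotes:
        end_record()                         # last record had no terminator
    return records


def parse_identity_feed(text: str, required=("sn", "cn")) -> List[Dict[str, List[str]]]:
    """The header row names the attributes; a repeated name collects multiple values."""
    records = split_records(text)
    if not records:
        return []
    header = [name.lower() for name in records[0]]
    people: List[Dict[str, List[str]]] = []
    for lineno, record in enumerate(records[1:], start=2):
        if len(record) > len(header):
            raise FeedFormatError(
                f"record {lineno}: {len(record)} fields but the header has {len(header)}")
        person: Dict[str, List[str]] = {}
        for name, value in zip(header, record):
            if value != "":                  # an empty cell contributes no value
                person.setdefault(name, []).append(value)
        missing = [name for name in required if name not in person]
        if missing:
            raise FeedFormatError(f"record {lineno}: missing required attribute(s) {missing}")
        people.append(person)
    return people


def is_active(person: Dict[str, List[str]]) -> bool:
    """Manual-service convention from the text: erpersonstatus 0 (or absent) = active, 1 = inactive."""
    return person.get("erpersonstatus", ["0"])[0] == "0"


# Constructed sample feed mixing the three record terminators and the parser's RFC deviations.
SAMPLE_FEED = (
    "cn, erroles, erroles, erroles, sn, erpersonstatus\r\n"
    "cn1,role1, role2, role3, sn1,0\n"
    "cn2,rolea,,,sn2,1\r"
    'cn3,"Service Owner",  "Windows Local" Management ,"Man""ager",sn3\n'
)

if __name__ == "__main__":
    for person in parse_identity_feed(SAMPLE_FEED):
        print(person, "active" if is_active(person) else "inactive")
```

The third sample record shows the two deviations that matter most when a feed is hand-edited: the field `  "Windows Local" Management ` is accepted and yields `Windows Local Management`, and a record with fewer columns than the header (no erpersonstatus) is accepted and treated as active.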

CSV connector for IBM Tivoli Directory Integrator

Information about the CSV connector for IBM Tivoli Directory Integrator is available in the following product directory:

ITIM_HOME/extensions/examples/idi_integration/HRFeedCSV/ITDIFeedExpress

UTF-8 encoding in an identity feed file

Your identity feed file must be in UTF-8 format. You must use an editor that supports UTF-8 encoding.
• Windows
  The following are UTF-8 capable: Microsoft Word 97 or later, or the Notepad editor that is included with the Windows 2003 Server or Windows XP operating systems. To save a file in UTF-8 format using Notepad, click File > Save As. Then, expand the list of choices for the Encoding field and select UTF-8.
• Linux
  The Vim text editor (a version of the classic vi editor) is UTF-8 capable. To work with files in UTF-8 format using the Vim text editor, specify the following:
  :set encoding=utf-8
  :set guifont=-misc-fixed-medium-r-normal--18-120-100-100-c-90-iso10646-1
  If your version of UNIX does not include this text editor, access this Web site: http://www.vim.org

Note: For the 7-bit ASCII code subset, the UTF-8 encoded Unicode format is identical to 7-bit ASCII format. For input files that contain 7-bit ASCII (ASCII character values between hex 20 to hex 7e), you can use a normal text editor to create the file. For files containing any other character values (including extended European characters), you must save the file in UTF-8 format.

For an exact list of the 7-bit ASCII characters as supported by UTF-8, access this Web site and click the Basic Latin link in the first column:

http://www.unicode.org/charts

Directory Services Markup Language (DSML) identity feed

The Directory Services Markup Language (DSML) identity feed provides the capability for reading a DSML file to add users to IBM Security Identity Manager.

DSML service type

The IBM Security Identity Manager Server allows for integration of various human resource (HR) type data feeds. You can add large numbers of individuals to the IBM Security Identity Manager Server without manually adding each individual. An identity record in HR data becomes an instance of a person object in IBM Security Identity Manager. One type of HR type data feed is the DSML Identity Feed service. The service can receive the information in one of two ways: a reconciliation or an unsolicited event notification through an event notification program.

The mechanisms that handle HR data in IBM Security Identity Manager require that the HR data be in an XML format. The format uses the standard schema defined by the Directory Services Markup Language (DSML version 1). See the DSML website at http://www.oasis-open.org for DSMLv1. When sending asynchronous notifications, an XML message format defined by the Directory Access Markup Language (DAML version 1) is used. DAML is an XML specification defined by IBM that allows specification of add, modify, and delete operations.

DSML file format

DSML is an XML format that describes directory information. A DSML file represents directory structure information in an XML file format. The DSML file must contain only valid attributes of the IBM Security Identity Manager profile. The identity feed process uses all objects in the file.

The erPersonPassword attribute is used in an identity feed only during a Person create process, not in a Person modify process. If the value of the erPersonPassword attribute is set, then the IBM Security Identity Manager account password is set to that value when the person and account are created. The following statement sets a value for the erPersonPassword attribute:

<attr name="erpersonpassword"><value>panther2</value></attr>

If you select a DSML file format for an identity feed, specify a DSML file similar to this one:

<entry dn="uid=sparker">
  <objectclass>
    <oc-value>inetOrgPerson</oc-value>
  </objectclass>
  <attr name="givenname"><value>Scott</value></attr>
  <attr name="initials"><value>SVP</value></attr>
  <attr name="sn"><value>Parker</value></attr>
  <attr name="cn"><value>Scott Parker</value></attr>
  <attr name="telephonenumber"><value>(919) 321-4666</value></attr>
  <attr name="postaladdress"><value>222 E. First Street Durham, NC 27788</value></attr>
</entry>

UTF-8 encoding in an identity feed file

Your identity feed file must be in UTF-8 format. You must use an editor that supports UTF-8 encoding.
• Windows
  The following are UTF-8 capable: Microsoft Word 97 or later, or the Notepad editor that is included with the Windows 2003 Server or Windows XP operating systems. To save a file in UTF-8 format using Notepad, click File > Save As. Then, expand the list of choices for the Encoding field and select UTF-8.
• Linux
  The Vim text editor (a version of the classic vi editor) is UTF-8 capable. To work with files in UTF-8 format using the Vim text editor, specify the following:
  :set encoding=utf-8
  :set guifont=-misc-fixed-medium-r-normal--18-120-100-100-c-90-iso10646-1
  If your version of UNIX does not include this text editor, access this Web site: http://www.vim.org

Note: For the 7-bit ASCII code subset, the UTF-8 encoded Unicode format is identical to 7-bit ASCII format. For input files that contain 7-bit ASCII (ASCII character values between hex 20 to hex 7e), you can use a normal text editor to create the file. For files containing any other character values (including extended European characters), you must save the file in UTF-8 format.

For an exact list of the 7-bit ASCII characters as supported by UTF-8, access this Web site and click the Basic Latin link in the first column:

http://www.unicode.org/charts

JavaScript code within DSML identity feeds

The human resources database can also provide changes to the IBM Security Identity Manager server proactively as changes are detected.

The IBM Security Identity Manager server comes with a Java Naming and Directory Interface (JNDI) Service Provider. The provider can be used as a programming interface to deliver the changes to the server. These changes are received by the server as an event notification of change. This feature is called event notification. When using an event notification program to import HR data, add, modify, and delete operations are available.

Using the JNDI service provider for DAML

Before using the JNDI Service Provider for DAML, you need to understand both the JNDI interface specification and LDAP. The JNDI Service Provider uses both concepts. This section provides links to information that you need to understand about the JNDI interface and LDAP.

JNDI
    The Java Naming and Directory Interface for accessing directory-type information from a Java program. See the Sun Microsystems website at http://java.sun.com/products/jndi/tutorial/ for a tutorial on JNDI.

LDAP
    Lightweight Directory Access Protocol. Information about this protocol can be obtained from many sources, such as the OpenLDAP Foundation at http://www.openldap.org.

The Java libraries required to use JNDI and DAML/DSML are contained within the lib directory of the IBM Security Identity Manager server directory.


Event notifications of HR data

HR data can be sent to the IBM Security Identity Manager server from another program as a DAML/HTTPS message.

The DAML/HTTPS message is sent to the IBM Security Identity Manager server as an HTTPS Post request. The Java Naming and Directory Interface (JNDI) Service Provider for DAML/HTTPS is provided for this purpose.

Initializing the context

For all operations with the JNDI SP for DAML, the first step is to initialize the context. The context must be initialized with all of the protocol properties needed to communicate with the IBM Security Identity Manager Server.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you imported these packages:
• import javax.naming.*;
• import javax.naming.directory.*;
• import java.util.*;

About this task

To initialize the context, modify the following environment variables:

Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.daml.jndi.DAMLContextFactory");
env.put(Context.SECURITY_PRINCIPAL, serviceUserName);
env.put(Context.SECURITY_CREDENTIALS, servicePassword);
env.put("com.ibm.daml.jndi.DAMLContext.CA_CERT_DIR", certDirLocation);
env.put(Context.PROVIDER_URL, providerURL);
env.put("com.ibm.daml.jndi.DAMLContext.URL_TARGET_DN", serviceDN);

DirContext damlContext = new InitialDirContext(env);

Results

When the context is initialized, a bind request is sent to the Security Identity Manager Server. If the environment variables are not correct, a NamingException is thrown.

What to do next

After initialization, you can do these tasks:
• Add a person entry
• Modify a person entry
• Remove a person entry

Adding a person entry

The attributes for adding a person are the same as the attributes used in the file reconciliation method.


Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you have initialized the context.

About this task

The attributes for adding a person are the same as the attributes used in the file reconciliation method. The DN for the new person entry must include at a minimum a unique attribute used to identify the person, such as the uid. The JavaScript placement rule defined for the DSML Identity Feed service is used to determine the organizational unit to which the person entry is added. If organization information is not provided, the person is added to the root of the organization. (The DN is specified through the createSubcontext / destroySubcontext / modifyAttributes methods in the following example.)

The objectclass attribute must be defined and must match the LDAP object class that is mapped to the person type you want to add. This class is typically inetOrgPerson, but other object classes can be used by defining them through the Entity Configuration feature in the IBM Security Identity Manager Server. Add the required objectclass as a new entity, with "Entity Type" = "Person".

To add a person, complete these steps:

Procedure
1. Define the DN of the person you want to add.
2. Create an Attributes object to contain the list of Attribute objects for the new user.
3. Call createSubcontext on the context.

Results

After creating the DN and the attributes for the person, a call to createSubcontext is made with the JNDI context.

Example

BasicAttributes ba = new BasicAttributes(true);
ba.put(new BasicAttribute("objectclass", "inetorgperson"));
ba.put(new BasicAttribute("uid", uid));
ba.put(new BasicAttribute("cn", "Joe Smith"));
ba.put(new BasicAttribute("sn", "Smith")); // sn is required by the person object class
ba.put(new BasicAttribute("mail", uid + "@acme.com"));

damlContext.createSubcontext("uid=" + uid, ba);

What to do next

You can do these tasks:
• Add another person entry
• Modify the information of a person entry
• Remove a person entry


Modifying a person entry

To modify a person entry, you must create a list of modification items and then call modifyAttributes on the context.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you have initialized the context.

About this task

To modify the attribute values for a person (including adding new attributes, or deleting existing ones), complete these steps:

Procedure
1. Define the DN of the person you want to modify.
2. Create a list of ModificationItems containing the required changes.
3. Call modifyAttributes on the context.

Results

After defining the DN of the person, a call to modifyAttributes is made with the JNDI context.

Example

Vector mods = new Vector();
// Add a new attribute (or an additional value if it already exists)
mods.add(new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("roomnumber", "102")));
// Modify an existing attribute
mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("title", "Consultant")));
// Replace an existing attribute with a multi-valued value
Attribute newOuAt = new BasicAttribute("ou");
newOuAt.add("Research Department");
newOuAt.add("Development Division");
mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newOuAt));
// Delete one existing attribute
mods.add(new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("initials", null)));
String dn = "uid=" + uid;
damlContext.modifyAttributes(dn, (ModificationItem[]) mods.toArray(new ModificationItem[mods.size()]));

What to do next

You can do these tasks:
• Add a person entry
• Remove a person entry

Removing a person entry

To remove a person, define the DN for the person and then call destroySubcontext on the context.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you have initialized the context.


About this task

To remove a person entry, complete these steps:

Procedure
1. Define the DN of the person you want to remove.
2. Call destroySubcontext on the context.

Results

After defining the DN of the person, a call to destroySubcontext is made with the JNDI context.

Example

damlContext.destroySubcontext("uid=" + uid);

What to do next

You can do these tasks:
• Add a person entry
• Modify the information of a person entry

Sample driver for event notifications of HR data

This Java test program and sample compiler add 100 person entries to the IBM organization.

Purpose

This program assumes that a tenant with the short name of ibm exists, containing an organization named IBM Security Identity Manager. In the organization, there is a DSML Identity Feed service with the following attributes:
• Service name - dsmltest
• UID - dsml
• Password - dsml

This information is all specified in the serviceDN, serviceUID, and servicePassword lines in the following sample program.

The location of the IBM Security Identity Manager Server is specified in the providerURL line.

Sample program

This sample program does not use a client certificate (it is not using two-way SSL authentication). A copy of the CA certificate for the server certificate installed in the IBM Security Identity Manager Server must exist in the directory \certificates (certDirLocation line).

// TestDSML.java
import java.io.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class TestDSML {
    // Service DN. This is constructed of four parts:
    // "erservicename=dsmltest" specifies the name of the Service
    // "ou=itim" is the Organization
    // "ou=ibm" is the Tenant
    // "dc=com" is the base of the LDAP tree for IBM Security Identity Manager.
    static final String DEFAULT_SERVICEDN =
        "erservicename=dsmltest, ou=itim, ou=ibm, dc=com";
    static final String DEFAULT_HOST =
        "localhost:4443";

    public static void main(String arg[]) {
        // number of people to process
        int noOfPeople = Integer.getInteger("count", 100).intValue();
        // required operation ("add", "del", "mod")
        String op = System.getProperty("op", "add").toLowerCase();

        String certDirLocation = "\\certificates"; // where to get the CA certificates
        // URL to use.
        // Use "/enrole/unsolicited_notification" to specify the Unsolicited Notification Servlet,
        // which is the servlet used for DSML requests
        String host = System.getProperty("host", DEFAULT_HOST);
        String providerURL = "https://" + host + "/enrole/unsolicited_notification";
        // Target DN
        String serviceDN = System.getProperty("servicedn", DEFAULT_SERVICEDN);

        String serviceUID = "dsml";      // user id defined for the service
        String servicePassword = "dsml"; // password defined for the service

        // create and fill the environment table
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
            "com.ibm.daml.jndi.DAMLContextFactory");
        env.put(Context.SECURITY_PRINCIPAL, serviceUID);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        env.put("com.ibm.daml.jndi.DAMLContext.CA_CERT_DIR", certDirLocation);
        env.put(Context.PROVIDER_URL, providerURL);
        env.put("com.ibm.daml.jndi.DAMLContext.URL_TARGET_DN", serviceDN);

        DirContext damlContext = null;
        try {
            // generate connection request
            damlContext = new InitialDirContext(env);
        } catch (NamingException e) {
            System.out.println("Error connecting to server at \"" + providerURL + "\": " + e.getMessage());
            return;
        }
        for (int i = 1; i <= noOfPeople; i++) {
            String sn = "smith" + i;
            String uid = "jsmith" + i;
            String dn = "uid=" + uid;

            try {
                if (op.startsWith("add")) {
                    BasicAttributes ba = new BasicAttributes(true);
                    ba.put(new BasicAttribute("objectclass", "inetorgperson"));
                    ba.put(new BasicAttribute("uid", uid));
                    ba.put(new BasicAttribute("cn", "Joe Smith"));
                    ba.put(new BasicAttribute("mail", uid + "@acme.com"));
                    ba.put(new BasicAttribute("sn", sn)); // sn is required by the person object class
                    damlContext.createSubcontext(dn, ba);
                } else if (op.startsWith("del")) {
                    damlContext.destroySubcontext(dn);
                } else if (op.startsWith("mod")) {
                    Vector mods = new Vector();
                    // Add a new attribute (or an additional value if it already exists)
                    mods.add(new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("roomnumber", "102")));
                    // Modify an existing attribute
                    mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("title", "Consultant")));
                    // Replace an existing attribute with a multi-valued value
                    Attribute newOuAt = new BasicAttribute("ou");
                    newOuAt.add("Research Department");
                    newOuAt.add("Development Division");
                    mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newOuAt));
                    // Delete one existing attribute
                    mods.add(new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("initials", null)));
                    damlContext.modifyAttributes(dn, (ModificationItem[]) mods.toArray(new ModificationItem[mods.size()]));
                }
            } catch (Exception e) {
                System.out.println("Error, DN \"" + dn + "\": " + e.getMessage());
                e.printStackTrace();
            }
        }
    }
}


Sample compiler

A sample Windows XP script to compile the preceding test program is:

@rem compileDsmlTest.cmd - compile DSML Test Program
setlocal
rem location of the lib directory containing the jar files from the
rem IBM Security Identity Manager installation lib directory, as listed below
set LIB=C:\ITIM\lib
set APP=TestDSML

rem Library files from IBM Security Identity Manager lib directory -
set AGENTLIB=%LIB%\enroleagent.jar
set CLASSPATH=.;%AGENTLIB%;%LIB%\jlog.jar

javac -classpath %CLASSPATH% -d . %APP%.java
endlocal

Importing HR data with reconciliation

HR data can be imported into the IBM Security Identity Manager Server from a file written in DSML, with the DSML Identity Feed service provider.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

In a cluster environment, the DSML file must be present on all cluster member machines at the same location, so that in a reconciliation the DSML file can be found regardless of which cluster member initiates the reconciliation.

The DSML file must be present on the Security Identity Manager Server machine for a single server setup.

About this task

When you use the DSML Identity Feed Service to import HR data from a DSML file, only the add and modify person operations are done. The delete person operation is not available when importing identity record information from a DSML file.

Note: When processing identity record information from a DSML file, it is assumed that the data set reconciled does not represent the entire person population for the Security Identity Manager Server. Because of this assumption, the polling method can be used to add or modify persons, but not delete them. To delete persons, the event notification interface must be used.

To import the HR data with the DSML Identity Feed service type, complete these steps:

Procedure
1. Create an instance of the DSML Identity Feed service.
2. Configure the service to refer to a DSML file that contains the identity record data. Specify the full path name to the DSML file. Use the service test feature to verify that the file name is correct.
3. Reconcile the service.


Results

When reconciling the DSML Identity Feed service, the identity record entries are read from the DSML file. For each identity record entry, the objectclass is matched up to the appropriate person profile in IBM Security Identity Manager. If a match is made, the distinguished name (dn) is converted into a search filter. The search filter looks for an existing match to a person entry that exists in the organization that contains the service. If a single match is found, then the person entry is used as an update to the existing entry. If no match is found, the individual is added as a new person entry. Duplicate matches return an error and the entry is not added.

Example

These statements are a sample of a DSML entry for a person:

<entry dn="uid=jsmith">
  <objectclass>
    <oc-value>inetOrgPerson</oc-value>
  </objectclass>
  <attr name="sn"><value>smith</value></attr>
  <attr name="uid"><value>jsmith</value></attr>
  <attr name="mail"><value>[email protected]</value></attr>
  <attr name="givenname"><value>John</value></attr>
  <attr name="cn"><value>John Smith</value></attr>
</entry>

What to do next

You can now add, modify, and delete identity information with the IBM Security Identity Manager interface.

You can add more users and modify existing users with the DSML file, and delete users with the IBM Security Identity Manager interface.

DSML identity feed service form

The fields on the DSML identity feed service form are used to specify information about the Directory Services Markup Language (DSML) identity feed. For example, you might select a service profile to import identity data with DSML. Complete the fields on the form to connect to the server where the service resides.

The following fields are available on the DSML identity feed service form:

Service name
    Specify a name that helps you identify the service instance.

Description
    Specify additional information about the service instance.

User ID
    Specify the administrative user ID for the service instance.

Password
    Specify the administrative password for the service instance. If password authentication is used, enter a value. Otherwise, reconciliation later fails.

File name
    Specify the file name, including the path name, that contains the user information.

    Note: In cluster environments, the file must be stored at the same location on all cluster members.


Use workflow
    Select this check box to use workflow for this service instance and to determine whether to automatically create accounts for entries. This feature can be used for small incremental feeds, but not for importing large amounts of data.

Placement rule
    Specify a rule to be used for placing a user (person) in the organization tree. This rule is defined with a script. The context of the script is the identity information for the current user in the feed and the service that defines the feed itself.

Sample DSML file for reconciliation

Use this example as a model for creating the DSML file you want to use to import HR data with reconciliation.

Sample

The following DSML file is a complete sample XML for use in reconciliation:

<?xml version="1.0" encoding="UTF-8"?>
<dsml>
  <directory-entries>
    <entry dn="uid=janesmith">
      <objectclass>
        <oc-value>inetOrgPerson</oc-value>
      </objectclass>
      <attr name="ou"><value>Engineering</value></attr>
      <attr name="sn"><value>Smith </value></attr>
      <attr name="uid"><value>janesmith</value></attr>
      <attr name="mail"><value>[email protected]</value></attr>
      <attr name="givenname"><value>Jane</value></attr>
      <attr name="cn"><value>Jane Smith</value></attr>
      <attr name="initials"><value>JS</value></attr>
      <attr name="employeenumber"><value>E_1974</value></attr>
      <attr name="title"><value>Research and Development</value></attr>
      <attr name="telephonenumber"><value>(888) 555-1614</value></attr>
      <attr name="mobile"><value>(888) 555-8216</value></attr>
      <attr name="homepostaladdress"><value>15440 Laguna Canyon Rd, Irvine, CA 92614</value></attr>
      <attr name="roomnumber"><value>G-114</value></attr>
      <attr name="homephone"><value>(888) 555-3222</value></attr>
      <attr name="pager"><value>(888) 555-7756</value></attr>
      <attr name="erAliases">
        <value>j.smith</value>
        <value>jane_smith</value>
        <value>JaneSmith</value>
      </attr>
      <attr name="erRoles">
        <value>Engineering</value>
        <value>Development</value>
      </attr>
    </entry>
    <entry dn="uid=johndoe">
      <objectclass>
        <oc-value>inetOrgPerson</oc-value>
      </objectclass>
      <attr name="ou"><value>Sales-West</value></attr>
      <attr name="sn"><value>Doe</value></attr>
      <attr name="uid"><value>johndoe</value></attr>
      <attr name="mail"><value>[email protected]</value></attr>
      <attr name="givenname"><value>John</value></attr>
      <attr name="cn"><value>John Doe</value></attr>
      <attr name="initials"><value>JD</value></attr>
      <attr name="employeenumber"><value>S_1308</value></attr>
      <attr name="title"><value>Sales Engineer</value></attr>
      <attr name="telephonenumber"><value>(888) 555-1620</value></attr>
      <attr name="mobile"><value>(888) 555-8210</value></attr>
      <attr name="homepostaladdress"><value>15440 Laguna Canyon Rd, Irvine, CA 92614</value></attr>
      <attr name="roomnumber"><value>G-120</value></attr>
      <attr name="homephone"><value>(888) 555-3228</value></attr>
      <attr name="pager"><value>(888) 555-7750</value></attr>
      <attr name="erAliases">
        <value>j.doe</value>
        <value>john_doe</value>
        <value>JohnDoe</value>
      </attr>
      <attr name="erRoles">
        <value>Sales</value>
      </attr>
    </entry>
  </directory-entries>
</dsml>
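The following is an added example, not IBM's reconciliation code, that shows the add-or-modify matching described in the Results section of "Importing HR data with reconciliation" applied to DSML entries shaped like the sample file above. It parses DSML v1 entries with the Python standard library, maps each entry's objectclass to a person profile, turns the entry dn into a search filter, and applies the single-match (update), no-match (add) and duplicate-match (error) rules against an in-memory person store. It also drops erPersonPassword on the modify path, because the DSML file format section says that attribute is honoured only on create. The profile table, the sample DSML document and the pre-existing store are constructed for the example; delete is deliberately absent, as the text says it is for file-based feeds.

```python
"""Add-or-modify matching for a DSML identity feed, as the Results section describes.

Added example, not IBM's code: the profile table, sample entries and store are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Person = Dict[str, List[str]]

# Assumption: one person profile, mapped from the LDAP object class named in the text.
PROFILE_BY_OBJECTCLASS = {"inetorgperson": "Person"}
REQUIRED_ATTRS = ("sn", "cn")


def parse_dsml_entries(xml_text: str) -> List[Tuple[str, List[str], Person]]:
    """Return (dn, objectclasses, attributes) for every <entry> in the document."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    entries = []
    for entry in root.iter("entry"):
        dn = entry.get("dn", "")
        classes = [oc.text.strip().lower()
                   for oc in entry.findall("objectclass/oc-value") if oc.text]
        attrs: Person = {}
        for attr in entry.findall("attr"):
            name = attr.get("name", "").lower()        # attribute names are case-insensitive
            values = [v.text for v in attr.findall("value") if v.text is not None]
            if name and values:
                attrs.setdefault(name, []).extend(values)
        entries.append((dn, classes, attrs))
    return entries


def dn_to_filter(dn: str) -> Tuple[str, str]:
    """'uid=janesmith' -> ('uid', 'janesmith'); the leading RDN identifies the person."""
    name, _, value = dn.split(",", 1)[0].partition("=")
    return name.strip().lower(), value.strip()


def reconcile(xml_text: str, store: List[Person]) -> List[str]:
    """Apply each entry to the store and return one action line per entry."""
    actions = []
    for dn, classes, attrs in parse_dsml_entries(xml_text):
        profile = next((PROFILE_BY_OBJECTCLASS[c] for c in classes
                        if c in PROFILE_BY_OBJECTCLASS), None)
        if profile is None:
            actions.append(f"skip {dn}: no person profile for objectclass {classes}")
            continue
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            actions.append(f"error {dn}: missing required attribute(s) {missing}")
            continue
        key, value = dn_to_filter(dn)
        matches = [p for p in store if value in p.get(key, [])]
        if len(matches) == 1:
            attrs.pop("erpersonpassword", None)     # only honoured on create
            matches[0].update(attrs)
            actions.append(f"modify {dn}")
        elif not matches:
            store.append(dict(attrs))
            actions.append(f"add {dn}")
        else:
            actions.append(f"error {dn}: {len(matches)} entries match ({key}={value})")
    return actions


# Constructed sample: one new person, one existing person, one ambiguous dn, one non-person.
SAMPLE_DSML = """<?xml version="1.0" encoding="UTF-8"?>
<dsml><directory-entries>
  <entry dn="uid=janesmith">
    <objectclass><oc-value>inetOrgPerson</oc-value></objectclass>
    <attr name="uid"><value>janesmith</value></attr>
    <attr name="sn"><value>Smith</value></attr>
    <attr name="cn"><value>Jane Smith</value></attr>
    <attr name="erRoles"><value>Engineering</value><value>Development</value></attr>
  </entry>
  <entry dn="uid=johndoe">
    <objectclass><oc-value>inetOrgPerson</oc-value></objectclass>
    <attr name="uid"><value>johndoe</value></attr>
    <attr name="sn"><value>Doe</value></attr>
    <attr name="cn"><value>John Doe</value></attr>
    <attr name="title"><value>Sales Engineer</value></attr>
    <attr name="erpersonpassword"><value>ignored-on-modify</value></attr>
  </entry>
  <entry dn="uid=dup">
    <objectclass><oc-value>inetOrgPerson</oc-value></objectclass>
    <attr name="sn"><value>Dup</value></attr><attr name="cn"><value>Dup</value></attr>
  </entry>
  <entry dn="cn=staff">
    <objectclass><oc-value>groupOfNames</oc-value></objectclass>
  </entry>
</directory-entries></dsml>"""


def sample_store() -> List[Person]:
    """Constructed pre-existing persons in the organization that contains the service."""
    return [
        {"uid": ["johndoe"], "sn": ["Doe"], "cn": ["John Doe"], "title": ["Sales"]},
        {"uid": ["dup"], "sn": ["Dup"], "cn": ["Dup One"]},
        {"uid": ["dup"], "sn": ["Dup"], "cn": ["Dup Two"]},
    ]


if __name__ == "__main__":
    store = sample_store()
    for line in reconcile(SAMPLE_DSML, store):
        print(line)
```

The duplicate case is the one worth watching in a real feed: two existing persons sharing the uid the entry is keyed on means the entry is neither added nor applied, so a feed that reports "error" rows needs the duplicates resolved in the directory before the next reconciliation.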

AD Organizational identity feed

The AD Organizational identity feed provides the capability for creating users based on user records from Windows Server Active Directory (AD).

This feed uses a directory resource as the source for the feed. Information from the AD organizationalPerson objectclass is mapped to the inetOrgPerson schema. This identity feed loads all user objects under a specified base.

AD Organizational service type

When you create a service instance for this identity feed, the following information is required:
• URL used to connect to the directory resource
• User ID and password to gain access to the resource
• Naming context, which is the search base in LDAP terminology, and defines where in the directory tree to begin the search
• Name attribute, which must be selected from the values that are provided

After creation, this service is set to reconcile a specific branch of the directory.

Customized attribute mapping

The Attribute Mapping file name option provides a way to customize the mapping of LDAP attributes to IBM Security Identity Manager attributes.

The format of the attribute mapping file is feedAttrName=itimAttrName. Lines that begin with a number sign (#) or semicolon (;) are interpreted as comments.

The attribute mapping file completely overrides the default mappings. All attributes that are needed from the feed source must be included in the mapping file.

These attributes must be included in the mapping file:
• Attributes that are specified as required in the person profile form
• Attributes that are specified as required in the LDAP schema for the target person profile

If an attribute from the feed source is not included in the attribute mapping file, the value is not set on the IBM Security Identity Manager attribute.

The following example shows that six attributes are mapped. All other LDAP attributes are ignored.

#feedAttrName=itimAttrName
cn=cn
sn=sn
title=title
telephonenumber=mobile
mail=mail
description=description

UTF-8 encoding in an identity feed file

Your identity feed file must be in UTF-8 format. You must use an editor thatsupports UTF-8 encoding.v Windows

The following are UTF-8 capable: Microsoft Word 97 or later, or the Notepadeditor that is included with the Windows 2003 Server or Windows XP operatingsystems.To save a file in UTF-8 format using Notepad, click File > Save As. Then,expand the list of choices for the Encoding field and select UTF-8.

v LinuxThe Vim text editor (a version of the classic vi editor) is UTF-8 capable. To workwith files in UTF-8 format using the Vim text editor, specify the following::set encoding=utf-8:set guifont=-misc-fixed-medium-r-normal--18-120-100-100-c-90-iso10646-1

If your version of UNIX does not include this text editor, access this Web site:http://www.vim.org

Note: For the 7-bit ASCII code subset, the UTF-8 encoded Unicode format isidentical to 7-bit ASCII format. For input files that contain 7-bit ASCII (ASCIIcharacter values between hex 20 to hex 7e), you can use a normal text editor tocreate the file. For files containing any other character values (including extendedEuropean characters), you must save the file in UTF-8 format.

For an exact list of the 7-bit ASCII characters as supported by UTF-8, access this Web site and click the Basic Latin link in the first column:

http://www.unicode.org/charts
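As an added example (not from this guide and not IBM code), the following Node.js check turns the note above into a pre-load test: it classifies the bytes of a feed file as 7-bit ASCII (already valid UTF-8), valid UTF-8, or invalid UTF-8, so a file that an editor saved in a legacy single-byte code page is caught before the feed is run. The sample byte strings are constructed.

```javascript
// Added example: classify an identity feed file's bytes before loading it.
// The guide states that a file limited to 7-bit ASCII (0x20-0x7e) is already
// valid UTF-8, and that any other character values require the file to be
// saved as UTF-8. A file saved in a legacy code page instead fails UTF-8
// decoding, which is the case this check is meant to surface early.

// Returns one of:
//   'ascii'         - only 7-bit printable characters plus TAB/CR/LF
//   'utf-8'         - valid UTF-8 using characters outside 7-bit ASCII
//   'utf-8-bom'     - valid UTF-8 preceded by a byte-order mark
//   'invalid-utf-8' - not decodable as UTF-8 (typically a legacy code page)
function classifyFeedEncoding(bytes) {
  let bom = false;
  if (bytes.length >= 3 && bytes[0] === 0xef && bytes[1] === 0xbb && bytes[2] === 0xbf) {
    bom = true;
    bytes = bytes.subarray(3);
  }
  let sevenBit = true;
  for (const b of bytes) {
    const printable = b >= 0x20 && b <= 0x7e;
    const whitespace = b === 0x09 || b === 0x0a || b === 0x0d;
    if (!printable && !whitespace) { sevenBit = false; break; }
  }
  if (sevenBit) return bom ? 'utf-8-bom' : 'ascii';
  // Round trip: Node replaces malformed sequences with U+FFFD when decoding,
  // so re-encoding yields the original bytes only if every sequence was valid.
  const roundTrip = Buffer.from(bytes.toString('utf8'), 'utf8');
  if (!roundTrip.equals(bytes)) return 'invalid-utf-8';
  return bom ? 'utf-8-bom' : 'utf-8';
}

// Constructed samples: an ASCII-only record, the same accented name saved as
// UTF-8 and as Latin-1 (0xE9 for the accented e), and a UTF-8 file that an
// editor prefixed with a byte-order mark.
const SAMPLES = {
  plainAscii: Buffer.from('cn=Jane Example,sn=Example,mail=jane@example.com\n', 'utf8'),
  utf8: Buffer.from('cn=Ren\u00e9 Dupont,sn=Dupont\n', 'utf8'),
  latin1: Buffer.from('cn=Ren\u00e9 Dupont,sn=Dupont\n', 'latin1'),
  withBom: Buffer.concat([Buffer.from([0xef, 0xbb, 0xbf]), Buffer.from('cn=Jane Example\n', 'utf8')]),
};

// Classify every sample; a real check would read the feed file with fs.readFileSync.
function checkSamples() {
  const result = {};
  for (const [name, bytes] of Object.entries(SAMPLES)) {
    result[name] = classifyFeedEncoding(bytes);
  }
  return result;
}
```

A byte-order mark is reported separately because, although it is valid UTF-8, a CSV loader that does not strip it sees U+FEFF as part of the first column name, which then fails to match the attribute mapping.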

inetOrgPerson identity feed

The inetOrgPerson identity feed supports an LDAP directory server that implements RFC 2798 (the inetOrgPerson LDAP object class).

This feed uses a directory resource as the source for the feed. This identity feed loads all inetOrgPerson objects under a specified base. Records that do not have objectclass=inetOrgPerson are ignored.

inetOrgPerson service type

When you create a service instance for this identity feed, the following information is required:
• URL used to connect to the directory resource
• User ID and password to gain access to the resource
• Naming context, which is the search base in LDAP terminology, and defines where in the directory tree to begin the search
• Name attribute, which must be selected from the values that are provided

After creation, this service is set to reconcile a specific branch of the directory.

Customized attribute mapping

The Attribute Mapping file name option provides a way to customize the mapping of LDAP attributes to IBM Security Identity Manager attributes.

The format of the attribute mapping file is feedAttrName=itimAttrName. Lines that begin with a number sign (#) or semicolon (;) are interpreted as comments.

The attribute mapping file completely overrides the default mappings. All attributes needed from the feed source must be included in the mapping file. Attributes specified as required in the person profile form or LDAP schema for the target person profile must be in the mapping file. If an attribute from the feed source is not included in the attribute mapping file, the value is not set on the IBM Security Identity Manager attribute.

The following example shows that six attributes are mapped. All other LDAP attributes are ignored.

#feedAttrName=itimAttrName
cn=cn
sn=sn
title=title
telephonenumber=mobile
mail=mail
description=description
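The mapping-file rules stated for the DSML feed and repeated here for the inetOrgPerson feed are worth checking mechanically before a reconciliation runs. The following Node.js code is an added example (not from this guide and not IBM code): it parses a mapping file in the feedAttrName=itimAttrName format, applies it to one feed record the way the text describes (unmapped attributes dropped, absent attributes left unset), and reports required IBM Security Identity Manager attributes that the mapping can never supply. The feed record and the required-attribute list are constructed.

```javascript
// Added example: parse an identity-feed attribute mapping file and apply it
// to one feed record according to the rules given in the guide.

// Parse the mapping text. Lines starting with '#' or ';' are comments and
// blank lines are skipped; every other line must be feedAttr=itimAttr.
function parseAttributeMapping(text) {
  const mapping = new Map();
  text.split(/\r?\n/).forEach((rawLine, index) => {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq <= 0 || eq === line.length - 1) {
      throw new Error(`mapping line ${index + 1} is not feedAttr=itimAttr: ${rawLine}`);
    }
    // LDAP attribute names are case-insensitive, so normalise the feed side.
    mapping.set(line.slice(0, eq).trim().toLowerCase(), line.slice(eq + 1).trim());
  });
  return mapping;
}

// Apply the mapping to one feed record. Feed attributes not named in the
// mapping are ignored; mapped attributes absent from the record are simply
// not set. `required` lists ISIM attributes the person profile marks as
// required (constructed here); a mapping that can never supply one of them
// is reported as `unmappable`, and a mapped one absent from this record as
// `missing`, so the problem is found before the feed is loaded.
function applyAttributeMapping(record, mapping, required = []) {
  const person = {};
  for (const [feedAttr, value] of Object.entries(record)) {
    const target = mapping.get(feedAttr.toLowerCase());
    if (target !== undefined) person[target] = value;
  }
  const mappedTargets = new Set(mapping.values());
  const unmappable = required.filter((attr) => !mappedTargets.has(attr));
  const missing = required.filter((attr) => mappedTargets.has(attr) && !(attr in person));
  return { person, unmappable, missing };
}

// Constructed sample: the six-attribute mapping shown in the guide plus a
// comment line, and a feed record carrying attributes the mapping omits.
const SAMPLE_MAPPING = [
  '#feedAttrName=itimAttrName',
  'cn=cn',
  'sn=sn',
  'title=title',
  'telephonenumber=mobile',
  'mail=mail',
  '; description is kept as well',
  'description=description',
].join('\n');

const SAMPLE_RECORD = {
  cn: 'Jane Example',
  sn: 'Example',
  title: 'Analyst',
  telephoneNumber: '+1 555 0100',   // different case in the feed; still matched
  mail: 'jane.example@example.com',
  employeeNumber: '12345',          // not in the mapping: dropped
  userPassword: 'not-wanted',       // not in the mapping: dropped
};

function demo() {
  const mapping = parseAttributeMapping(SAMPLE_MAPPING);
  // Constructed requirement: cn, sn and uid are required by the profile, but
  // the mapping never supplies uid, so the result flags it as unmappable.
  return applyAttributeMapping(SAMPLE_RECORD, mapping, ['cn', 'sn', 'uid']);
}
```

Running `demo()` shows telephoneNumber arriving as mobile, employeeNumber and userPassword dropped, description left unset because the record lacks it, and uid flagged because no mapping line targets it.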

UTF-8 encoding in an identity feed file

The UTF-8 requirements for this feed file are the same as those described under “UTF-8 encoding in an identity feed file” earlier in this chapter.

IBM Tivoli Directory Integrator (IDI) data feed

The IBM Tivoli Directory Integrator (IDI) identity feed is used to support data feeds from custom identity sources, and to provide greater flexibility over the standard data feeds.

The IDI data feed is provided for instances where the other HR feeds are not sufficient. Use an IDI data feed to define custom identity feeds.

Use of this data feed requires knowledge of IBM Tivoli Directory Integrator (IDI).

This data feed is used to provide greater flexibility over the standard data feeds. Examples of this flexibility include:
• Ability to work with a subset of data, such as filtering users in a specified department
• Additional attribute mapping beyond the one-to-one mapping provided by the standard feeds
• Data lookups, such as to derive a supervisor or manager from another data source
• Change detection on the data source
• Databases and HR systems, such as DB2, Oracle, PeopleSoft, and SAP
• Control over attributes, such as updating status or suspending a person
• Deletion of people
• Changes driven by IBM Tivoli Directory Integrator instead of by IBM Security Identity Manager reconciliations (used for deletions, updates, and change detection)

UTF-8 encoding in an identity feed file

The UTF-8 requirements for this feed file are the same as those described under “UTF-8 encoding in an identity feed file” earlier in this chapter.

Managing identity information with IBM Tivoli Directory Integrator

You can use IBM Tivoli Directory Integrator to import identity information into IBM Security Identity Manager and to manage accounts on external resources in the IBM Security Identity Manager data store. Identity data can come from a human resources repository or another source, such as a company-wide directory. An identity record in HR data becomes an instance of a person object in IBM Security Identity Manager. Integration with IBM Tivoli Directory Integrator requires network connectivity with the IBM Security Identity Manager system and a new service type to manage data feeds.

Advantages of using IBM Tivoli Directory Integrator include:
• Avoiding the need for custom programming to manipulate raw personal information data into a form that can be imported into IBM Security Identity Manager. IBM Tivoli Directory Integrator can be used to parse data from a comma-separated file or a database and feed the result into IBM Security Identity Manager as personal information data or changes to that data. Previously, a Directory Services Markup Language (DSML) file or custom Java Naming and Directory Interface (JNDI) client was required.
• Managing identity data, in which IBM Security Identity Manager can act as a DSMLv2 client to retrieve person data from IBM Tivoli Directory Integrator in reconciliation by running searches against IBM Tivoli Directory Integrator, which acts as a DSMLv2 server. IBM Security Identity Manager can also act as a DSMLv2 server, accepting requests from a DSMLv2 client such as IBM Tivoli Directory Integrator, with the JNDI service provider.

  Note: DSMLv2 is deprecated in IBM Security Identity Manager Version 5.0 in favor of the remote method invocation (RMI)-based IDI adapter framework. DSMLv2 continues to be supported in this release.

• Providing advantages in account management. See additional documentation in the extensions directory.

See additional documentation provided by the IBM Tivoli Directory Integrator product. For examples of customizing schemas and importing data in an identity data feed, navigate to the ITIM_HOME/extensions/examples directory.

Scenario: bulk loading identity data

A typical scenario for the use of IBM Tivoli Directory Integrator might be an administrator who is interested in bulk loading identity data into IBM Security Identity Manager.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

An instance of Tivoli Directory Integrator must be running.


About this task

This scenario includes the following high-level tasks:

Procedure
1. Setting up the Tivoli Directory Integrator configuration, including a DSMLv2 event handler and an assembly line with a connector to the wanted data source.
2. Starting the Tivoli Directory Integrator event handler.
3. Setting up an IBM Security Identity Manager service to communicate with the Tivoli Directory Integrator configuration.
4. Running the reconciliation to initiate the communication.

Results

These events occur after the reconciliation:
1. IBM Security Identity Manager sends a search request message to Tivoli Directory Integrator, which searches the enterprise data store for the identity data.
2. Tivoli Directory Integrator sends the data back to IBM Security Identity Manager, which processes the data. This processing includes evaluation of the position in the organization tree in which to place people and evaluation of role membership. Processing also includes evaluation of a supervisor relationship, possibly evaluation of provisioning policy, and insertion of data into the IBM Security Identity Manager data store. Evaluation of the provisioning policy could result in account management actions.
3. The identity information is loaded into IBM Security Identity Manager from the enterprise data store.

What to do next

You can now add, modify, and delete identity information with the IBM Security Identity Manager interface.

For additional scenarios on the use of Tivoli Directory Integrator, see the extensions directory for these descriptions:
• Identity feed with JNDI
• End user account management
• Account event notification

Identity feeds that retain group membership

Ensure that identity feeds retain a user's membership in both customized and default groups.

All default IBM Security Identity Manager groups initially have no members, except for the administrator group, which contains one user whose account is named itim manager. When you load the first identity records into IBM Security Identity Manager, some individuals might become members of the manager group.

Table 54. Group membership after initial identity feed

Group name           Membership
Administrator        1 member with an account named itim manager
Manager              Zero or more, depending on whether the initial identity feed has an identity record that indicates the user has a managed relationship.
Service owner        Zero
Help desk assistant  Zero

The first help desk assistant and the first service owner is a user that the administrator explicitly adds to the group. Alternatively, a user automatically gains membership in the service owner group if you specify the user as owner of a service. If you specify the user as the manager of another user, that user automatically gains membership in the manager group.

A user who is a member of a customized group must also be a member of the default group of the same category. Otherwise, processing results are unpredictable.

If the incoming identity record for a user initially indicates membership in a customized group, IBM Security Identity Manager includes the user as a member of both the customized group and the default group of the same category. IBM Security Identity Manager interprets a subsequent identity feed that includes the same user as a modification of the existing IBM Security Identity Manager user. If the subsequent identity feed specifies that the user has membership only in the customized group, and not also in the default group of the same category, the user is removed from membership in the default group. To avoid this problem, ensure that both initial and subsequent identity feeds specify that a user has membership in both a customized and the default group of the same category.

Map of inetOrgPerson to Windows Server Active Directory attributes

The IBM Security Identity Manager inetOrgPerson attributes map to Windows Server Active Directory attributes. Rows in which the two attribute names differ are marked with an asterisk (*).

Table 55. Map of inetOrgPerson and Windows Server Active Directory organizationalPerson attributes

IBM Security Identity Manager    Windows Server Active Directory
inetOrgPerson attributes         organizationalPerson attributes
cn                               cn
departmentNumber                 department *
description                      comment *
employeeNumber                   employeeID *
givenName                        givenName
homePhone                        homePhone
homePostalAddress                homePostalAddress
initials                         initials
internationaliSDNNumber          internationalISDNNumber *
jpegPhoto                        thumbnailPhoto *
l                                l
mail                             mail
manager                          manager
mobile                           mobile
o                                o
ou                               ou
pager                            pager
physicalDeliveryOfficeName       physicalDeliveryOfficeName
postalAddress                    postalAddress
postalCode                       postalCode
postOfficeBox                    postOfficeBox
preferredDeliveryMethod          preferredDeliveryMethod
registeredAddress                registeredAddress
secretary                        assistant *
seeAlso                          seeAlso
sn                               sn
st                               st
street                           streetaddress *
telephoneNumber                  telephoneNumber
teletexTerminalIdentifier        teletexTerminalIdentifier
telexNumber                      telexNumber
title                            title
uid                              < - intentionally blank - > *
userPassword                     userPassword *
                                 Note: Encryption by the directory server prevents IBM Security Identity Manager from using the value of this attribute.
x121Address                      x121Address

User passwords provided by an identity feed

Encryption by the directory server prevents IBM Security Identity Manager from using the userPassword attribute in the inetOrgPerson schema to provide user password data in an inetOrgPerson identity feed from LDAP or a Windows Server Active Directory identity feed.

Other identity feeds that use CSV, DSML, or IBM Tivoli Directory Integrator-based formats can provide a password for a new user. Given the identity feed value, IBM Security Identity Manager uses the erPersonPassword attribute to create a password for a new user's IBM Security Identity Manager account. The erPersonPassword attribute is used only to create a password for a new IBM Security Identity Manager user. If the user exists, the value of the erPersonPassword attribute cannot be used to change the IBM Security Identity Manager user's login password.

In any identity feed where the erPersonPassword is not provided, IBM Security Identity Manager generates a new password for a new user. The application sends the generated password by email to the new user. If the email address of the user is not populated, the user must contact the help desk to obtain a password. Depending on your site requirements, the new user's password might also be sent to the user's manager.

The password value that IBM Tivoli Directory Integrator provides must be encoded in base64 format.

These identity feed attributes provide a value in clear text that is the password for a new user:
• CSV column name: erPersonPassword
• DSML tag: erPersonPassword

Attributes in an identity feed that are not in a schema

You can include some attributes in an identity feed that are not contained in the identity feed object class (organizationalPerson for Windows Server Active Directory; inetOrgPerson for IBM Security Identity Manager).

For example, the erRoles attribute determines a user's membership in an IBM Security Identity Manager group. The erRoles attribute is not in either the organizationalPerson or the inetOrgPerson schema. Based on the value of the erRoles attribute in an initial identity feed, a user might become a member of a customized group. The user might also become a member of a default Help Desk Assistant group.

A repeated identity feed might not contain a value for an attribute that was previously specified for the user, for both organizationalPerson and inetOrgPerson schemas. The identity feed process deletes that attribute for the IBM Security Identity Manager user.

If the incoming identity record for a user initially indicates membership in a customized group, IBM Security Identity Manager includes the user as a member of both the customized group and the default group of the same category. IBM Security Identity Manager interprets a subsequent identity feed that includes the same user as a modification of the existing IBM Security Identity Manager user. If the subsequent identity feed specifies that the user has membership only in the customized group, and not also in the default group of the same category, the user is removed from membership in the default group. To avoid this problem, ensure that both initial and subsequent identity feeds specify that a user has membership in both a customized and the default group of the same category.

For the Windows Server Active Directory feed, this problem also occurs for any inetOrgPerson attribute that is not also contained in the organizationalPerson schema. For an inetOrgPerson identity feed, the problem occurs for any inetOrgPerson attribute that is not supported by the identity feed.
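Both the group-membership section earlier in this chapter and the paragraphs above describe the same two ways a repeated feed silently removes data: an attribute absent from the new record is deleted, and a customized group listed without its default group drops the default membership. The following Node.js code is an added example (not from this guide and not IBM code) of checking a new feed record against the previous one before it is loaded. The customized-group-to-default-group table, the group names, and the two records are constructed.

```javascript
// Added example: two pre-load checks for a repeated identity feed, based on
// the behaviour the guide describes. Group names and the category table are
// constructed; take the real ones from your own ISIM group configuration.

// Constructed: the default group that each customized group belongs with.
const CUSTOM_GROUP_CATEGORY = {
  'Regional Help Desk': 'Help Desk Assistant',
  'Payroll Service Owners': 'Service Owner',
  'Line Managers EMEA': 'Manager',
};

// Attributes that the new record would remove from the user, because the
// feed treats a missing attribute as "delete". erRoles is handled below.
function attributesDroppedByFeed(previousRecord, newRecord) {
  return Object.keys(previousRecord)
    .filter((attr) => attr !== 'erRoles' && !(attr in newRecord))
    .sort();
}

// Return erRoles with the default group of each customized group's category
// added, plus the list of defaults the feed had omitted (so they can be
// logged and the upstream extract corrected).
function completeGroupMembership(erRoles, categoryTable = CUSTOM_GROUP_CATEGORY) {
  const roles = new Set(erRoles || []);
  const added = [];
  for (const role of erRoles || []) {
    const defaultGroup = categoryTable[role];
    if (defaultGroup && !roles.has(defaultGroup)) {
      roles.add(defaultGroup);
      added.push(defaultGroup);
    }
  }
  return { erRoles: Array.from(roles), added };
}

// Constructed sample: the initial record and a later record for the same user.
const INITIAL_RECORD = {
  uid: 'jexample', cn: 'Jane Example', sn: 'Example', mail: 'jane@example.com',
  telephoneNumber: '+1 555 0100',
  erRoles: ['Regional Help Desk', 'Help Desk Assistant'],
};
const LATER_RECORD = {
  uid: 'jexample', cn: 'Jane Example', sn: 'Example', mail: 'jane@example.com',
  erRoles: ['Regional Help Desk'],   // default group left out by the extract
};

// Run both checks for one user and return what would have been lost.
function checkRepeatedFeed(previousRecord = INITIAL_RECORD, newRecord = LATER_RECORD) {
  return {
    dropped: attributesDroppedByFeed(previousRecord, newRecord),
    membership: completeGroupMembership(newRecord.erRoles),
  };
}
```

For the constructed records, `checkRepeatedFeed()` reports telephoneNumber as the attribute the second feed would delete and Help Desk Assistant as the default group it would have removed.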

Supported formats and special processing of attributes

IBM Security Identity Manager provides special processing for manager and secretary attributes, and for the erRoles attribute.

Supported formats and special processing for manager and secretary attributes

The manager and secretary attributes refer to another person entry within IBM Security Identity Manager.

Note: The Windows Server Active Directory identity feed maps the Windows Server Active Directory assistant attribute to the secretary attribute.

Internally, IBM Security Identity Manager uses a special format for the Distinguished Name (DN) of person directory entries. The format is inconvenient and difficult to specify in the identity feed data. So the identity feed code allows these attributes to be specified in more useful formats. IBM Security Identity Manager supports three formats for the values:
• A search filter (containing an equal (=) operator, but not erglobalid) that is a comma-separated list of attribute=value pairs.
• A simple name (not containing an equal (=) operator), which is assumed to be the value of the naming attribute for the person object class (that is, cn).
• A full IBM Security Identity Manager DN (containing an equal (=) operator and erglobalid). The expression must exactly match the IBM Security Identity Manager LDAP DN of one of the currently defined person objects.

For the first two cases, IBM Security Identity Manager converts the value to an LDAP search filter. The process does a subtree search of the organization to find a unique matching person. If the search returns zero matches, or more than one match, then the value is considered invalid, and is removed from the list. A suitable warning message is written to the IBM Security Identity Manager log.

A potential issue can occur with both the manager and secretary attributes if they reference a person who is also defined in the same feed. In this case, it is possible that when the attribute value is processed as above, the person that it references has not yet been created. This issue can occur even if the manager or secretary person is defined earlier in the identity feed file. The cause is multithreaded and asynchronous processing done by IBM Security Identity Manager during an identity feed. This situation results in deleting the attribute from the person, because the attribute references an invalid person. A warning is written to the logs.

There are two solutions to this reference dependency issue. First, run the identity feed a second time, after all processing completes from the first run. This second feed is much faster, because only changed entries cause any significant processing during the feed. Alternatively, define these people (managers and secretaries) in a separate identity feed file. Run that identity feed first, then run the main feed after the first feed fully completes. This separate, first feed might also contain entries that reference managers that are defined in the same feed. You might need to run the separate, first feed twice, or split the feed again.

Asynchronous workflow activities to create or modify people might still be running, even after the identity feed status seems to be complete. In this case, you must wait for an additional interval of time after the first feed seems to be complete, before submitting the second feed.

Supported formats and special processing for erRoles attribute values

The erRoles attribute is used to specify the list of roles to which a person belongs. In IBM Security Identity Manager, groups are equivalent to roles that IBM Security Identity Manager, as an enterprise product, provides. IBM Security Identity Manager uses the erRoles attribute to specify the groups to which a user belongs. For example, specifying an identity feed attribute erRoles with a value of Help Desk Assistant causes the user to belong to the Help Desk Assistant group. The erRoles attribute can be multi-valued.

These formats are supported:
• A simple name (not containing an equals (=) operator), which is assumed to be the value of the erRoleName attribute. IBM Security Identity Manager does a subtree search to find a unique matching static role. The name is not valid if zero or more than one role is a match.
• A full IBM Security Identity Manager DN, which must exactly match the IBM Security Identity Manager LDAP DN of one of the currently defined static roles.

Any invalid value is removed from the value list. If this results in zero remaining values, the attribute is removed from the attribute list. A suitable warning message is written to the log.
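The resolution rules for manager and secretary values and for erRoles values above are easy to get wrong when preparing a feed, and the only feedback from the server is a log warning after the fact. The following Node.js code is an added example (not from this guide and not IBM code) that emulates those rules against a small in-memory directory, so a feed record can be checked for ambiguous or dangling references before it is submitted. The person and role entries, their DNs, and the warning wording are constructed; the real search runs against the IBM Security Identity Manager LDAP store.

```javascript
// Added example: classify and resolve manager/secretary and erRoles values
// the way the guide describes, against constructed in-memory entries.

// Constructed person and static-role entries with made-up ISIM-style DNs.
const PEOPLE = [
  { dn: 'erglobalid=1001,ou=0,ou=people,erglobalid=0,ou=acme,dc=itim', cn: 'Alice Boss', sn: 'Boss', title: 'Director' },
  { dn: 'erglobalid=1002,ou=0,ou=people,erglobalid=0,ou=acme,dc=itim', cn: 'Bob Smith', sn: 'Smith', title: 'Analyst' },
  { dn: 'erglobalid=1003,ou=0,ou=people,erglobalid=0,ou=acme,dc=itim', cn: 'Bob Smith', sn: 'Smith', title: 'Clerk' },
];
const ROLES = [
  { dn: 'erglobalid=2001,ou=roles,erglobalid=0,ou=acme,dc=itim', erRoleName: 'Help Desk Assistant' },
  { dn: 'erglobalid=2002,ou=roles,erglobalid=0,ou=acme,dc=itim', erRoleName: 'Regional Help Desk' },
];

const warnings = [];   // stands in for the ISIM log

// The three formats from the guide: no '=' is a simple name; '=' with an
// erglobalid RDN is a full DN; any other '=' form is a search filter.
function classifyReference(value) {
  if (!value.includes('=')) return 'simple-name';
  return /(^|,)\s*erglobalid=/i.test(value) ? 'full-dn' : 'search-filter';
}

// Turn a bare name or "attr=value,attr2=value2" into attribute tests, the
// stand-in for the AND filter ISIM builds, such as (&(cn=x)(sn=y)).
function toAttributeTests(value, namingAttr) {
  if (classifyReference(value) === 'simple-name') return [[namingAttr, value.trim()]];
  return value.split(',').map((pair) => {
    const eq = pair.indexOf('=');
    return [pair.slice(0, eq).trim(), pair.slice(eq + 1).trim()];
  });
}

// Resolve one value to exactly one entry's DN, or null (plus a warning) when
// it matches nothing or more than one entry, as the guide specifies.
function resolveUnique(value, entries, namingAttr, label) {
  if (classifyReference(value) === 'full-dn') {
    const hit = entries.find((e) => e.dn.toLowerCase() === value.trim().toLowerCase());
    if (hit) return hit.dn;
    warnings.push(`${label}: DN '${value}' does not match a defined entry; value removed`);
    return null;
  }
  const tests = toAttributeTests(value, namingAttr);
  const hits = entries.filter((e) =>
    tests.every(([attr, v]) => String(e[attr] || '').toLowerCase() === v.toLowerCase()));
  if (hits.length === 1) return hits[0].dn;
  warnings.push(`${label}: '${value}' matched ${hits.length} entries (need exactly 1); value removed`);
  return null;
}

// Apply the rules to one feed record: manager/secretary resolve through cn,
// erRoles through erRoleName. Invalid values are dropped, and an attribute
// left with no values is removed altogether.
function resolveReferences(record) {
  const out = { ...record };
  for (const attr of ['manager', 'secretary']) {
    if (record[attr] === undefined) continue;
    const dn = resolveUnique(record[attr], PEOPLE, 'cn', attr);
    if (dn) out[attr] = dn; else delete out[attr];
  }
  if (record.erRoles !== undefined) {
    const dns = record.erRoles.map((v) => resolveUnique(v, ROLES, 'erRoleName', 'erRoles')).filter(Boolean);
    if (dns.length) out.erRoles = dns; else delete out.erRoles;
  }
  return out;
}

// Constructed feed record exercising each format and each failure mode.
const SAMPLE = {
  cn: 'Carol New', sn: 'New',
  manager: 'Alice Boss',                       // simple name: unique match
  secretary: 'cn=Bob Smith,sn=Smith',          // search filter: two matches, dropped
  erRoles: ['Help Desk Assistant', 'No Such Role',
            'erglobalid=2002,ou=roles,erglobalid=0,ou=acme,dc=itim'],
};

function demo() {
  warnings.length = 0;
  return { resolved: resolveReferences(SAMPLE), warnings: warnings.slice() };
}
```

The ambiguous secretary value is the case to watch in a real feed: two people with the same cn and sn make the filter match twice, so the attribute is silently dropped and only the log records why. Running `demo()` returns the resolved record together with the two warnings that the server would have written.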

Modifiable schema classes and attributes

You can modify some IBM Security Identity Manager schema classes and attributes.

You can create new classes with names that begin with the characters er, a prefix that previously was reserved for IBM Security Identity Manager schema classes and attributes.

The IBM Security Identity Manager schema classes and attributes that you can modify have a unique object identifier (OID) prefix. An OID is a string of numbers that identifies a unique class in an LDAP schema. The IBM Security Identity Manager schema classes and attributes that remain read-only have the following OID prefix:

1.3.6.1.4.1.6054.1.1

Person naming and organization placement

When the IBM Security Identity Manager Server imports HR data, the server creates Distinguished Names (DN) for each identity record. The server also places the person in a specific organizational unit based on the information provided.

To uniquely identify and place each individual, each entry (or person) must organize its data in a way that the IBM Security Identity Manager Server can recognize as individual pieces (attributes). The IBM Security Identity Manager Server must also be configured to recognize attributes that are passed. Recognition is done by matching the objectclass attribute against the defined person profiles. By default, the LDAP standard inetOrgPerson objectclass is expected.

Determining the placement of the person

The IBM Security Identity Manager Server determines where to place a person in the organization chart. The server uses a placement rule defined in the DSML Identity Feed service.

A person might be defined as a member of the marketing department in the identity source. The placement rule instructs the server to place the person in the marketing department in the IBM Security Identity Manager organization chart. This rule is used for initial placement of persons during an add operation and for moving a person to a different location during a modify operation.

Note: Organization names returned by placement rules must be unique within the context of the service unless an organization path is used to specify an organization container. If an organization path is provided by the placement rule, the organization name must be unique within that organization container.

Placement rules are written with JavaScript that returns the organization path in a distinguished name (DN) format. This information is used to search for an organizational unit in which to place a person. This DN indicates the required organization path relative to the organization base. The syntax of this path can be represented with the following pseudo BNF notation:

orgDn  ::= orgRdn | orgRdn "," orgDn
orgRdn ::= prefix '=' name
prefix ::= 'l' | 'o' | 'ou'
name   ::= string

where string is the textual value, l is location, o is organization, and ou is the organizational unit, business partner organization, or Admin Domain.

Note: The prefixes noted here are the default values. If the customer uses a different schema, then these prefixes are the values mapped in entity configuration.

Example

To illustrate, examine the following organization chart:

IBM (organization)
    Marketing (organizational unit)
    Facilities (organizational unit)
        Irvine (location)

The path for the Marketing department is ou=Marketing, o=IBM. The path for the Irvine Facilities department is l=Irvine, ou=Facilities, o=IBM.

The JavaScript function returns a string in this format, but omits the organization. The attributes of the identity record from the identity source can be retrieved from the JavaScript code to construct the path. Because of the programming flexibility provided by JavaScript code, the information used from the identity source can be manipulated in several ways. Programming constructs such as switch statements can be used to map specific organization names to different paths in the server. String manipulation can be used to tokenize or concatenate names to derive paths. For example, a string of IBM/Facilities/Irvine can be tokenized and reconstructed in DN format as l=Irvine, ou=Facilities, o=IBM.

The following example demonstrates one use of this scripting capability. The identity source for the Acme organization uses the attributes div for division, bu for business unit, and dept for department. The logical layout of the organization is as follows:

organization
    division
        business-unit
            department

In the IBM Security Identity Manager Server, this structure is mapped to organizations and organizational units and looks like this example:

organization
    organizational unit (division)
        organizational unit (business-unit)
            organizational unit (department)

The following JavaScript code can be used for the placement rule to make this conversion (each attribute is read as the first value of a multi-valued attribute):

return "ou=" + entry.dept[0] + ",ou=" + entry.bu[0] + ",ou=" + entry.div[0];

Note: All identities in this feed are assumed to be within the Acme organization.

For an organization that uses a multi-valued ou attribute, the placement rule might be:

var ou = entry.ou;
var filt = '';
for (i = 0; i < ou.length; ++i) {
    if (i == 0) {
        filt = 'ou=' + ou[i];
    } else {
        filt = filt + ',ou=' + ou[i];
    }
}
return filt;

The IBM Security Identity Manager Server evaluates this script when adding a person to place that person in the organization. During a modify request, this script is evaluated. If the value is different from the current placement of the person, the person is moved to the new location based on the returned path.
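Placement rules decide which container a person lands in, so a rule that builds a path from raw feed values should be tested against malformed records before it is deployed. The following Node.js code is an added example (not from this guide and not IBM code): it runs rules of the two kinds shown above against sample records, validates the returned path against the pseudo-BNF given for orgDn, and shows the tokenize-and-rebuild step for a slash path such as IBM/Facilities/Irvine. The entry shape (every attribute is an array of strings, matching the entry.dept[0] access in the guide), the Acme names, and the records are constructed; the server's own evaluator is not used here.

```javascript
// Added example: evaluate placement rules against constructed identity
// records and validate the resulting organization path.

// Validate a path against the grammar on this page
// (orgDn ::= orgRdn | orgRdn "," orgDn; prefix ::= 'l' | 'o' | 'ou').
// Returns null when the path is well formed, otherwise a message.
function validateOrgDn(path) {
  for (const rdn of path.split(',')) {
    const m = /^\s*(l|o|ou)=(.+?)\s*$/.exec(rdn);
    if (!m) return `RDN '${rdn}' does not match prefix=name with prefix l, o or ou`;
  }
  return null;
}

// Tokenize a slash path such as "IBM/Facilities/Irvine" and rebuild it in DN
// order. `prefixes` lists the RDN prefix for each level, deepest level first.
function slashPathToDn(path, prefixes) {
  const parts = path.split('/').filter(Boolean);
  if (parts.length !== prefixes.length) throw new Error('prefix count must match path depth');
  return parts.slice().reverse().map((name, i) => `${prefixes[i]}=${name}`).join(', ');
}

// The Acme div/bu/dept rule from the guide, with the checks a production rule
// needs: each attribute must be present, single-valued and free of ',' and '='
// (a value containing a separator would be read as extra RDNs). Otherwise the
// rule returns null so the record is held for review rather than placed in an
// unintended or non-existent container.
function acmePlacementRule(entry) {
  for (const attr of ['div', 'bu', 'dept']) {
    const values = entry[attr];
    if (!Array.isArray(values) || values.length !== 1) return null;
    if (values[0] === '' || /[,=]/.test(values[0])) return null;
  }
  return 'ou=' + entry.dept[0] + ',ou=' + entry.bu[0] + ',ou=' + entry.div[0];
}

// The multi-valued ou rule from the guide, written so that an empty ou list
// yields null rather than an empty path.
function multiOuPlacementRule(entry) {
  const ou = entry.ou || [];
  if (ou.length === 0) return null;
  let filt = '';
  for (let i = 0; i < ou.length; ++i) {
    filt = i === 0 ? 'ou=' + ou[i] : filt + ',ou=' + ou[i];
  }
  return filt;
}

// Run a rule and refuse any result that does not parse as an orgDn.
function evaluatePlacement(rule, entry) {
  const path = rule(entry);
  if (path === null) return { path: null, error: 'rule returned no path' };
  const error = validateOrgDn(path);
  return { path: error ? null : path, error };
}

// Constructed records: a complete one, one missing dept, one whose dept value
// carries a separator, and one using a multi-valued ou.
function demo() {
  const good = { cn: ['Dana Example'], div: ['Sales'], bu: ['West'], dept: ['Inside Sales'] };
  const missing = { cn: ['Eli Example'], div: ['Sales'], bu: ['West'] };
  const separator = { cn: ['Gus Example'], div: ['Sales'], bu: ['West'], dept: ['Inside Sales,ou=Admin'] };
  const multi = { cn: ['Fay Example'], ou: ['Irvine', 'Facilities'] };
  return {
    acme: evaluatePlacement(acmePlacementRule, good),
    acmeMissing: evaluatePlacement(acmePlacementRule, missing),
    acmeSeparator: evaluatePlacement(acmePlacementRule, separator),
    multiOu: evaluatePlacement(multiOuPlacementRule, multi),
    slash: slashPathToDn('IBM/Facilities/Irvine', ['l', 'ou', 'o']),
  };
}
```

The guide's own one-line rule throws on a record that lacks dept, because entry.dept[0] is evaluated on an undefined attribute; returning null for such records, as above, keeps the feed running and leaves the affected people visible in the log instead of placing them by accident.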

Creating an identity feed service

Create a service instance for an identity type, such as CSV or DSML.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you can create a service in IBM Security Identity Manager, you must create a service type. Alternatively, you can use one of the service types that was automatically created when the IBM Security Identity Manager Server was installed. You can create a service type by installing the adapter profile. You can also add new schema classes and attributes for the service to your LDAP directory.

Before you can create a service for an adapter, the adapter must be installed, and the adapter profile must be created.

About this task

The service name and description that you provide for each service are displayed on the console. Therefore, it is important to provide values that make sense to your users and administrators.

To create an identity feed service instance, complete these steps:

Procedure
1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, click Create. The Create a Service wizard is displayed.
3. On the Select the Type of Service page, select an identity feed service type, and then click Next.
   If the table contains multiple pages, you can:
   • Click the arrow to go to the next page.
   • Type the number of the page that you want to view and click Go.
4. On the Service Information page, specify the appropriate values for the service instance.
5. Click Test Connection to validate that the data in the fields is correct, and then click Finish.

Results

For the inetOrgPerson identity feed, a successful test connection message confirms that all required fields are filled and that the specified target can be reached. It does not guarantee that reconciliation of the LDAP resource is successful or produces the wanted results.

A message indicates that you successfully created the service instance for the specific identity feed service type.

What to do next

Schedule reconciliation, or run a reconciliation immediately with the task list associated with the service.

When the Select a Service page is displayed, click Refresh to refresh the Services table and display the new service instance.

Performing an immediate reconciliation on an identity feed serviceInitiate® a reconciliation activity immediately on an identity feed service. During areconciliation, the IBM Security Identity Manager Server requests the identityrecord information from the specified file.

230 IBM Security Identity Manager Version 6.0: Configuration Guide

Before you begin

Depending on how your system administrator customized your system, you mightnot have access to this task. To obtain access to this task or to have someonecomplete it for you, contact your system administrator.

Set up a suitable identity feed service.

Procedure

To run a reconciliation now, complete these steps:1. From the navigation tree, click Manage Services. The Select a Service page is

displayed.2. On the Select a Service page, complete these steps:

a. Type information about the service in the Search information field.b. In the Search by field, specify whether to search against services or

business units.c. Select a service type from the Search type list.d. Select a status from the Status list, and then click Search. A list of services

that matches the search criteria is displayed.If the table contains multiple pages, you can:v Click the arrow to go to the next page.v Type the number of the page that you want to view and click Go.

3. In the Services table, click the icon ( ) next to the identity feed service, andthen click Reconcile Now.

Results

A message indicates that you successfully submitted a reconciliation request to run immediately.

What to do next

To view the results of the reconciliation, click View my request, or click Close.

Creating a reconciliation schedule for an identity feed service

Schedule a reconciliation to run at a specific interval. During a reconciliation, the IBM Security Identity Manager Server requests the identity record information from the specified file.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Set up a suitable identity feed service.

Procedure

To create a reconciliation schedule for an identity feed service, complete these steps:


1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, complete these steps:
   a. Type information about the service in the Search information field.
   b. In the Search by field, specify whether to search against services or business units.
   c. Select a service type from the Search type list.
   d. Select a status from the Status list, and then click Search. A list of services that matches the search criteria is displayed.
   If the table contains multiple pages, you can:
   • Click the arrow to go to the next page.
   • Type the number of the page that you want to view and click Go.
3. In the Services table, click the icon ( ) next to the identity feed service, and then click Set Up Reconciliation. The Manage Schedules page is displayed.
4. On the Manage Schedules page, complete the following steps:
   a. Specify whether a policy evaluates the accounts that the reconciliation returns.
   b. Click Create. The Set Up Account Reconciliation notebook is displayed.
5. On the General page, type information about the reconciliation schedule.
6. On the Schedule page, select a schedule interval for the reconciliation. The fields displayed depend on the scheduling option that you select.
7. Optional: On the Query page, specify an LDAP search filter for account attributes to include in a query. Select this option if you want to do a “supporting data only” reconciliation.
8. Click OK to save the new schedule and close the page.

Results

A message indicates that you successfully created a reconciliation schedule.

What to do next

Select another services task, or click Close. When the Select a Service page is displayed, click Refresh to refresh the Services table.


Chapter 18. IBM Security Identity Manager utilities

IBM Security Identity Manager provides utilities to configure database schema, LDAP, and commonly used system properties.

System configuration tool (runConfig)

To configure commonly used system properties, you can use the system configuration tool (runConfig) to change property files that contain IBM Security Identity Manager system settings. You can also change WebSphere Application Server settings for IBM Security Identity Manager.

For example, when you change the computer that provides the mail server at your site, the IP address for the mail server might change. Use the system configuration tool to specify the new address for the mail server.

For more information about this utility, see the IBM Security Identity Manager Installation and Configuration Guide.

runConfig command

The runConfig command starts the system configuration tool that IBM Security Identity Manager provides.

Command description

To manually start the system configuration tool, run this command:

ITIM_HOME/bin/runConfig

If the EJB User or System User user IDs or passwords are changed on the operating system, use an additional install argument to force the update on the WebSphere Application Server. If these user IDs or passwords are changed, run this command:

ITIM_HOME/bin/runConfig install

If you have problems with the system configuration tool, check the ITIM_HOME/install_logs/runConfig.stdout log file for more information. The system configuration requires several minutes to complete. It requires additional time if the install argument is used.

Database configuration tool (DBConfig)

To configure the IBM Security Identity Manager database, you can use the database configuration tool (DBConfig).

The database configuration tool creates the database schema and default data that IBM Security Identity Manager requires. Run this tool only if the command failed to configure the database during installation. If the IBM Security Identity Manager database tables were previously configured, running the DBConfig command prompts the user. Then, the user can choose to drop all previously existing IBM Security Identity Manager tables, or to exit without configuring the database.


See the IBM Security Identity Manager Installation and Configuration Guide.

DBConfig command

The DBConfig command starts the database configuration tool that IBM Security Identity Manager provides.

Command description

To manually start the database configuration tool, run this command:

ITIM_HOME/bin/DBConfig

After you change a field value, click Test to ensure that the connection to the database is active. When the database test is successful, the Test button changes to Continue. After you click Continue, the database configuration requires several minutes to complete.

If you have problems with the database configuration tool, check the ITIM_HOME/install_logs/dbConfig.stdout log file for more information.

Directory server configuration tool (ldapConfig)

To configure the directory server for IBM Security Identity Manager, you can use the directory server configuration tool (ldapConfig).

Do not run the directory server configuration tool unless the LDAP configuration fails during the ldapConfig installation process. The directory server configuration tool creates the LDAP schema and default data for IBM Security Identity Manager. Running the directory server configuration tool after the directory server is configured restores the default values that IBM Security Identity Manager uses. If you changed the value of any of these IBM Security Identity Manager attributes, the value is overwritten with the default value. For example, ldapConfig resets the password for the user ID named itim manager to the default password of "secret".

See the IBM Security Identity Manager Installation and Configuration Guide.

ldapConfig command

The ldapConfig command starts the directory server configuration tool that IBM Security Identity Manager provides.

Command description

To manually start the directory server configuration tool, run this command:

ITIM_HOME/bin/ldapConfig

Click Test to ensure that the connection to the directory server can be established. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active.

If you have problems with the directory server configuration tool, check the ITIM_HOME/install_logs/ldapConfig.stdout log file for more information. The directory server configuration requires several minutes to complete.


SAConfig: shared access module utility

Use SAConfig to manually configure the shared access module.

Run the utility from the bin directory in the IBM Security Identity Manager installation location.

Table 56. Running SAConfig

Operating system: Windows
  Command: In C:\Program Files\IBM\isim\bin, either click SAConfig or open a command window and enter SAConfig.

Operating system: UNIX or Linux
  Command: In /opt/IBM/isim/bin, enter ./SAConfig.



Chapter 19. IBM Security Identity Manager integration for IBM SmartCloud Control Desk

This section introduces the IBM Security Identity Manager integration for IBM SmartCloud Control Desk offering and provides instructions for installing and configuring this package.

Introduction to the IBM Security Identity Manager integration for IBM SmartCloud Control Desk

The IBM Security Identity Manager integration for IBM SmartCloud Control Desk provides communication between IBM Security Identity Manager and IBM SmartCloud Control Desk.

The following sections briefly describe IBM SmartCloud Control Desk and its integration with IBM Security Identity Manager.

IBM SmartCloud Control Desk

IBM SmartCloud Control Desk is a computerized asset management system that enables companies to maintain, repair, and support the operation of their revenue-generating assets, both from an enterprise asset management and an information technology (IT) asset management point of view. IBM SmartCloud Control Desk stores and maintains data about assets, facilities, and inventory. You can use IBM SmartCloud Control Desk to schedule maintenance work, track asset status, manage inventory and resources, respond to requests for support, manage purchasing, and analyze costs.

The IBM SmartCloud Control Desk software is divided into modules, each of which consists of a group of related applications that help you manage a particular business function. For example, the Purchasing module includes the following applications:
• The Invoices application is used to record invoices and match them against purchase orders and receipts.
• The Purchase Orders application is used for purchasing materials or services.
• The Receiving application is used to receive materials into inventory or record the receipt of services.
• Several other applications related to purchasing.

The Service Desk module includes applications to manage customer requests for help, information, and service. The principal user of the Service Desk module is a service desk agent who uses the software to record requests from internal or external customers and takes steps to resolve the issue. The resolution of an issue often requires a workflow of activities involving several people. Anyone can record the solution in a knowledge base, where the solution is retrieved and applied to issues of a similar nature.

The Service Desk applications most directly related to the IBM Security Identity Manager integration are the ticket applications:
• The Service Requests application is used to create records of customer calls or e-mail messages requesting service.


• The Incidents application is used to create records of incidents that result in an interruption to or reduction in the quality of a service.

• The Problems application is used to create records of the underlying problems that cause incidents and service requests.

Service Request, Incident, and Problem records are referred to as ticket records or ticket types. Ticket records are created by a service desk agent, or automatically by using data from e-mail messages, system monitoring tools, or external software applications such as IBM Security Identity Manager. After a ticket record is created, a person or group takes ownership of the ticket and follows the issue through to resolution. The IBM Security Identity Manager integration for IBM SmartCloud Control Desk can create Service Request type tickets for all changePassword operations that occur. The created Service Request is given the status of either Closed or New, depending on whether the changePassword operation was successful in IBM Security Identity Manager.

Integration between IBM Security Identity Manager and IBM SmartCloud Control Desk

The integration allows for the management of IBM SmartCloud Control Desk users through IBM Security Identity Manager.

Managing IBM SmartCloud Control Desk users is supported when the IBM SmartCloud Control Desk native registry is being used as the primary user repository. If application server security is enabled, then the IBM SmartCloud Control Desk users are being managed through LDAP, and the service provider cannot be used to manage the users. The integration also provides the ability to create IBM SmartCloud Control Desk Service Requests when any passwords are changed through IBM Security Identity Manager. This functionality addresses the need to automate password change requests. Most service requests in IBM SmartCloud Control Desk involve password changes. Automating the password change task by allowing users to change their password in real time alleviates a process bottleneck. Service Requests are created whether or not application server security is being used. If application server security is being used, then authentication is required to create service request tickets. The integration between IBM Security Identity Manager and IBM SmartCloud Control Desk allows for increased flexibility between the two products and speeds up the process of user management in IBM SmartCloud Control Desk.

Prerequisite software

This section describes the prerequisite software products for the IBM Security Identity Manager integration for IBM SmartCloud Control Desk.

Before you install the IBM Security Identity Manager integration for IBM SmartCloud Control Desk, the following products must be installed and running on one of the specified operating systems:
• IBM Security Identity Manager Version 6.0 on Windows, AIX, HP-UX, or Solaris
• IBM SmartCloud Control Desk Version 7.5 on Windows, AIX, Linux
• IBM Maximo® Administration Machine with Base Services on Windows

The IBM SmartCloud Control Desk product must be supported by a web application server and a database server. See the IBM SmartCloud™ Control Desk Wiki for a list of supported software.


Components of the IBM Security Identity Manager integration for IBM SmartCloud Control Desk

This section describes the components that are required to integrate IBM Security Identity Manager and IBM SmartCloud Control Desk and the communication paths between them.

The components of the IBM Security Identity Manager integration for IBM SmartCloud Control Desk solution are the Maximo Enterprise Adapter (MEA), the Maximo Application Server, and an IBM Security Identity Manager server. The IBM Security Identity Manager server sends requests to the Maximo Application Server. The Maximo Application Server sends responses to the IBM Security Identity Manager server.

Installation road map

This section provides an overview of the tasks that are required to set up communication between IBM Security Identity Manager and IBM SmartCloud Control Desk.

After you install the prerequisite software, perform the tasks listed in Table 57 to set up the IBM Security Identity Manager integration with IBM SmartCloud Control Desk. Table 57 describes the role of each component in the installation.

Table 57. Installation and configuration tasks

Step 1
  Task: Obtain the installation package. For more information, see “Obtaining the installation package”.
  Description: The IBM Security Identity Manager integration for IBM SmartCloud Control Desk installation package contains the files needed to install or configure the major components required for integration.

Step 2
  Task: Configure the IBM SmartCloud Control Desk application server. For more information, see “Configuring IBM SmartCloud Control Desk” on page 240.
  Description: Install and activate the IBM SmartCloud Control Desk application server interfaces that allow communication between IBM SmartCloud Control Desk and IBM Security Identity Manager. In this step, you also deploy a new maximo.ear file on your IBM SmartCloud Control Desk application server to support the integration between IBM Security Identity Manager and IBM SmartCloud Control Desk.

Step 3
  Task: Configure IBM Security Identity Manager. For more information, see “Configuring IBM Security Identity Manager” on page 244.
  Description: Configure IBM Security Identity Manager to use the new changePassword workflow extension and enable the new IBM SmartCloud Control Desk service provider.

Obtaining the installation package

This section describes the contents of the IBM Security Identity Manager integration for IBM SmartCloud Control Desk installation package.

1. Obtain the IBM Security Identity Manager integration for IBM SmartCloud Control Desk installation package.


2. Download the tim_sd_integration.zip file to your Maximo Administration Machine where Base Services is installed. This file is located in these directories.
   • UNIX and Linux operating systems:

   ITIM_HOME/extensions/6.0/maximo

   • Windows operating systems:

   C:\Program Files\IBM\itim60\extensions\6.0\maximo

3. Extract the file into your Maximo Base Services installation directory. Examples: C:\IBM\Maximo; C:\IBM\SMP\Maximo

Table 58 lists the subdirectory and files that exist in your Maximo Base Services installation directory after you extract the installation package. Maximo_Install refers to the Maximo Base Services installation directory.

Table 58. IBM Security Identity Manager integration for IBM SmartCloud Control Desk installation package

Top-level directory: Maximo_Install\tim_51
  Files: maximo.jar, maximoserviceprofile.jar
  Description: The files in the tim_51 subdirectory are used to configure IBM Security Identity Manager to support integration with IBM SmartCloud Control Desk.

Configuring IBM SmartCloud Control Desk

In the following sections, Maximo_Install refers to the Maximo Base Services installation directory.

Table 59. Steps for configuring IBM SmartCloud Control Desk

Step 1
  Task: Download and expand the IBM Security Identity Manager integration as described in “Obtaining the installation package” on page 239.
  Description: After you expand the package, the Maximo_Install\tim_51 subdirectory contains the maximo.jar and maximoserviceprofile.jar files, which are components of the IBM Security Identity Manager integration.

Step 2
  Task: Ensure that your maximo.properties file is configured correctly and that it is pointing to the correct database server.
  Description: The maximo.properties file is located in the following folder: Maximo_Install\applications\maximo\properties. Verify that the JDBC connection string specifies the correct location of the database server that supports the IBM SmartCloud Control Desk installation.

Step 3
  Task: Configure the Maximo Enterprise Adapter. Follow the instructions as described in “Configuring the Maximo Enterprise Adapter” on page 241.
  Description: The Maximo Enterprise Adapter is the framework for integrating external applications with Maximo. When you configure the Maximo Enterprise Adapter, you install and activate the Maximo interfaces required to establish communication between IBM SmartCloud Control Desk and IBM Security Identity Manager.


Step 4
  Task: Rebuild and deploy the maximo.ear file to WebSphere. Follow the instructions as described in “Configuring WebSphere” on page 242.
  Description: When you install IBM SmartCloud Control Desk, a maximo.ear file is built and installed on the IBM SmartCloud Control Desk server and then deployed to WebSphere, which supports your IBM SmartCloud Control Desk installation. (The web application server might reside on the same or a different host computer as Maximo Base Services.) For the IBM Security Identity Manager integration with IBM SmartCloud Control Desk to function properly, you must rebuild the maximo.ear file on the Maximo server. After rebuilding, the maximo.ear must be redeployed on WebSphere.

Configuring the Maximo Enterprise Adapter

This section describes how to configure the Maximo Enterprise Adapter to support IBM Security Identity Manager.

The procedure for configuring the Maximo Enterprise Adapter consists of two parts:

1. Running the updatedb.bat script that is provided with Maximo Base Services. This script automatically installs the Maximo integration interfaces required for communication between the IBM SmartCloud Control Desk application server and the IBM Tivoli Directory Integrator Server.
2. Completing the Maximo Enterprise Adapter configuration by activating the integration interfaces from within the integration module of IBM SmartCloud Control Desk.

Running updatedb.bat

Perform the following procedure to obtain and run the updatedb.bat script.

Before you begin

In these instructions, Maximo_Install refers to the Maximo Base Services installation directory.

About this task

To obtain and run the updatedb.bat script:

Procedure

1. Log on to the WebSphere Application Server administration console.
2. Click Servers > Server Types > WebSphere Application servers.
3. Select MXServer and click Stop.
4. After the server is stopped, open a command prompt.
5. Change to the following directory: Maximo_Install\tools\maximo.
6. Run the updatedb.bat script.
7. Go back to the administration console.
8. Select MXServer and click Start.


Results

The updatedb.bat script invokes the IBM Security Identity Manager update script for IBM SmartCloud Control Desk, which creates the Object Structures required for the integration.

Configuring WebSphere

This section describes how to configure WebSphere. In these instructions, Maximo_Install refers to the Maximo Base Services installation directory.

For the IBM Security Identity Manager integration to function properly, a class provided with the IBM Security Identity Manager integration must be built into the maximo.ear file.

If your IBM SmartCloud Control Desk installation is supported by WebSphere Application Server, complete the following procedure to build the MaxUserProcess.class into the maximo.ear file on the IBM SmartCloud Control Desk administration machine, and then deploy the maximo.ear file on your WebSphere Application Server.

Note: When the tim_sd_integration.zip file is extracted into the Maximo_Install directory, it automatically adds the MaxUserProcess.class to the correct directory. No further configuration for this class is needed.

Enabling IBM SmartCloud Control Desk user deletion (optional)

IBM SmartCloud Control Desk does not allow users to be deleted when the LOGINTRACKING variable is enabled.

To delete IBM SmartCloud Control Desk users, disable the LOGINTRACKING variable. Complete these steps:

1. Log on to the IBM SmartCloud Control Desk server with administrative permissions.
2. Click Go To → Security → Users.
3. From the Action menu, select Security Controls.
4. Clear the Enable Login Tracking? check box if it is checked.

Note: If LOGINTRACKING is not checked, select the Maximo User Deletion Enabled? check box on the IBM SmartCloud Control Desk service form. This check box in IBM Security Identity Manager is required to delete IBM SmartCloud Control Desk users. For more information about configuring an IBM SmartCloud Control Desk service, see “Configuring IBM Security Identity Manager” on page 244.

Adding password link to IBM SmartCloud Control Desk (optional)

IBM Security Identity Manager manages the IBM SmartCloud Control Desk users when either the native registry is used or when LDAP is used to store the user information. LDAP is used to store the user information when J2EE application server security is enabled. When the IBM SmartCloud Control Desk native registry is used, the IBM SmartCloud Control Desk service provider is used to manage the users. However, when LDAP is used, only the LDAP adapter is used to manage the IBM SmartCloud Control Desk users through IBM Security Identity Manager.

The Forgot Your Password? link is not enabled when J2EE application server security is enabled. However, it is enabled when the native registry is being used. By optionally pointing this link to the IBM Security Identity Manager self-service user interface, the password can be reset when either LDAP or the native registry is being used to store IBM SmartCloud Control Desk users, providing that a service is configured to manage the IBM SmartCloud Control Desk server.

The IBM SmartCloud Control Desk interface can be optionally modified to point the Forgot Your Password? link to the IBM Security Identity Manager self-service interface. This action enables IBM SmartCloud Control Desk users to manage their passwords through IBM Security Identity Manager. They can even reset the IBM SmartCloud Control Desk password if they forget it and are unable to log in.

To add the link to the IBM SmartCloud Control Desk login page, complete these steps:

1. Select the Maximo_Install\applications\maximo\maximouiweb\webmodule\webclient\login directory.
2. Modify the login.jsp file.
   a. Search for the following line in the login.jsp file:

   <button id="forgotpwdlink" class="link" type="submit"><span><%=labels.forgotPassword%></span></button>

   b. Comment out the line as shown:

   <!--button id="forgotpwdlink" class="link" type="submit"><span><%=labels.forgotPassword%></span></button -->

   c. Add the following line underneath the commented-out line:

   <a href="http://hostname:port/itim/self"><%=labels.forgotPassword%></a>

   d. Replace the host name and port with appropriate values for the specific IBM Security Identity Manager deployment.
   e. Go back to Step a to search for and change all the Forgot Password links.
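The login.jsp edit above is a repeated search-and-replace (step e sends you back to step a for every occurrence), which is easy to do inconsistently by hand. The following Python script is an added example, not code from IBM SmartCloud Control Desk or IBM Security Identity Manager: it applies the same transformation programmatically to every forgotpwdlink button, comments each one out in the exact form the guide shows, inserts the self-service anchor beneath it, validates the host name and port before building the URL, and leaves already-converted buttons alone so that running it twice is harmless. The host name and port, and the JSP fragment used in the usage below, are assumptions constructed for the example.

```python
"""Added example: apply the guide's login.jsp change (comment out every
forgotpwdlink button and add an anchor to the ISIM self-service UI).
Not part of IBM SmartCloud Control Desk or IBM Security Identity Manager;
host name and port are assumptions."""
import re

# The button exactly as the guide quotes it; \s+ tolerates different attribute spacing.
FORGOT_BUTTON = re.compile(
    r'<button\s+id="forgotpwdlink"\s+class="link"\s+type="submit">'
    r'\s*<span><%=labels\.forgotPassword%></span>\s*</button>'
)


def self_service_link(host, port, scheme="http"):
    """Build the replacement anchor; reject bad input so a typo cannot break the login page."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"invalid host name {host!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port!r}")
    return f'<a href="{scheme}://{host}:{int(port)}/itim/self"><%=labels.forgotPassword%></a>'


def point_forgot_password_to_isim(jsp_text, host, port, scheme="http"):
    """Return (new_text, count). Every matching button is commented out in the
    guide's form (<!--button ... </button -->) and followed by the self-service
    anchor. Converted buttons no longer match FORGOT_BUTTON, so a second run
    reports a count of 0 and changes nothing."""
    link = self_service_link(host, port, scheme)

    def replace(match):
        original = match.group(0)
        # Drop the outer '<' and '>' and wrap in an HTML comment, as the guide does.
        commented = "<!--" + original[1:-1] + " -->"
        return commented + "\n" + link

    return FORGOT_BUTTON.subn(replace, jsp_text)


# Constructed fragment standing in for login.jsp (not the real file).
SAMPLE_LOGIN_JSP = (
    '<form>\n'
    '<button id="forgotpwdlink" class="link" type="submit">'
    '<span><%=labels.forgotPassword%></span></button>\n'
    '<p>other markup</p>\n'
    '<button id="forgotpwdlink" class="link" type="submit">'
    '<span><%=labels.forgotPassword%></span></button>\n'
    '</form>\n'
)

if __name__ == "__main__":
    updated, count = point_forgot_password_to_isim(SAMPLE_LOGIN_JSP, "isim.example.com", 9443, "https")
    print(f"replaced {count} link(s)")
    print(updated)
```

To use it on a real deployment, read login.jsp from the directory named in step 1, pass its contents to point_forgot_password_to_isim with your IBM Security Identity Manager host and port, and write the result back only if the returned count is greater than zero.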

Building IBM SmartCloud Control Desk

This section describes the building of IBM SmartCloud Control Desk.

Complete these steps:

1. Open a command prompt on the Maximo Base Services administration machine.

   Note: The Maximo Base Services software can be installed on the same or a different computer from the WebSphere Application Server that supports IBM SmartCloud Control Desk.

2. Change to the directory: Maximo_Install\deployment.
3. Type the following command to rebuild the maximo.ear file:

   buildmaximoear.cmd

   The buildmaximoear.cmd file rebuilds the maximo.ear file, automatically pulling in the modified class files and replacing the ones that were originally included in the maximo.ear file. Allow this process to complete.


4. Copy the new maximo.ear file from the Maximo Base Services server to any location on the WebSphere Application Server. The new maximo.ear file is located in the following directory on the Maximo Base Services administration machine: Maximo_Install\deployment\default

Deploying IBM SmartCloud Control Desk on WebSphere Application Server

This section describes the deployment of IBM SmartCloud Control Desk on WebSphere Application Server.

Perform the following procedure to deploy IBM SmartCloud Control Desk on WebSphere Application Server:

1. Log on to the WebSphere Application Server administrative console.
2. Expand the Applications node in the navigation pane and select Enterprise Applications, which displays the Enterprise Applications window.
3. Select the check box next to MAXIMO and click Update.
4. Click Replace the entire application.
5. Click Remote File System and click Browse.
6. Select the node of your WebSphere Application Server.
7. Browse to the location of the maximo.ear file that you copied. Select the file and click OK.
8. Click Next.
9. Click Next on Select installation options.
10. Click Next on Map modules to servers.
11. Click Finish on the Summary page. The maximo.ear file is redeployed. This process can take several minutes.
12. Click Save to Master Configuration.
13. Expand the Applications node in the navigation pane and select Enterprise Applications.
14. Select the check box next to MAXIMO and click Start. Allow this process to complete.
15. Log out of the WebSphere Application Server administration console.

Configuring IBM Security Identity Manager

This section describes steps for configuring IBM Security Identity Manager.

Note: In the following sections, ISIM_HOME refers to the directory where IBM Security Identity Manager is installed.

Table 60. Steps for configuring IBM Security Identity Manager

Step 1
  Task: Add maximo.jar to the Shared Library directory
  Description: The maximo.jar archive contains the code that drives the integration between IBM Security Identity Manager and IBM SmartCloud Control Desk.

Step 2
  Task: Add maximo.jar to the Shared Library Entries
  Description: IBM Security Identity Manager needs to know about the maximo.jar file to use it.

Step 3
  Task: Modify enRole.properties
  Description: The IBM SmartCloud Control Desk connection information for the password extension needs to be set in the properties file.


Step 4
  Task: Modify scriptframework.properties
  Description: The changePassword extension is a script extension, and the properties file needs to be modified to reflect this change.

Step 5
  Task: Restart WebSphere Application Server
  Description: WebSphere Application Server needs to be restarted for the changes to take effect.

Step 6
  Task: Configure Workflow Extension
  Description: The changePassword extension needs to be set up in the IBM Security Identity Manager configuration.

Step 7
  Task: Configure IBM SmartCloud Control Desk service profile
  Description: To manage IBM SmartCloud Control Desk users, the service profile must be configured.

Configuring WebSphere

For the integration between IBM Security Identity Manager and IBM SmartCloud Control Desk to work properly, complete these steps.

1. Copy the maximo.jar file from the Maximo_Install\tim_51 directory on the Maximo Base Services Administration machine to the ISIM_HOME\lib directory on the IBM Security Identity Manager Server. For cluster environments, copy the file to the ISIM_HOME/lib directory on each cluster member.
2. Log on to the WebSphere Application Server administration console for the IBM Security Identity Manager installation.
3. Click Environment → Shared Libraries → ITIM_LIB.
4. Modify the classpath by adding the following line:

   ${ISIM_HOME}/lib/maximo.jar

5. Click OK.

Configuring IBM Security Identity Manager 6.0

For the integration between IBM Security Identity Manager and IBM SmartCloud Control Desk to work properly, complete these steps.

Modify enRole.properties

1. Navigate to the ISIM_HOME\data directory.
2. Edit the enRole.properties file by adding the following text.

#####################################
# Maximo Workflow Extension Properties
#####################################
maximo.url=http://hostname:port
maximo.security=true
maximo.user=maxadmin
maximo.password=maxadmin

3. Replace hostname and port with the values that correspond to the IBM SmartCloud Control Desk environment.

4. Set the maximo.security value to either true or false depending on whether or not application server security is enabled. If the value is set to true, then the maximo.user and maximo.password fields are required to enable Service Request creation for IBM SmartCloud Control Desk when application server security is enabled. For cluster environments, this file must be modified on each cluster member.

5. Save the enRole.properties file and close it.

Modify scriptframework.properties

1. Navigate to the ISIM_HOME\data directory.


2. Edit the scriptframework.properties file by adding the following line under the Workflow extensions section:

ITIM.extension.Workflow.Maximo=com.ibm.itim.maximo.MaximoExtension

3. Save the scriptframework.properties file and close it.
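The two property-file edits in “Modify enRole.properties” and “Modify scriptframework.properties” have to agree with each other and with the rules stated above: the hostname:port placeholder must actually be replaced, maximo.security must be true or false, and when it is true the maximo.user and maximo.password values are required, and on a cluster every member must receive the same change. The following Python script is an added example, not code from IBM Security Identity Manager or the integration package: it appends the Maximo block only when maximo.url is not already defined, inserts the Workflow extension line under the Workflow extensions section (or at the end if that section header is absent), and then checks both files against those rules so the result can be verified on each cluster member before the restart. The ISIM_HOME/data path and the sample file contents are assumptions.

```python
"""Added example: idempotently apply and check the Maximo settings that the
guide asks you to add to enRole.properties and scriptframework.properties.
Not part of IBM Security Identity Manager; paths and sample contents are assumed."""
import re
from pathlib import Path

# The block from the guide; the caller supplies the real host, port and credentials.
MAXIMO_BLOCK = """\
#####################################
# Maximo Workflow Extension Properties
#####################################
maximo.url={url}
maximo.security={security}
maximo.user={user}
maximo.password={password}
"""

EXTENSION_KEY = "ITIM.extension.Workflow.Maximo"
EXTENSION_CLASS = "com.ibm.itim.maximo.MaximoExtension"
EXTENSION_LINE = f"{EXTENSION_KEY}={EXTENSION_CLASS}"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", stripped)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def add_maximo_properties(enrole_text, url, security, user="", password=""):
    """Append the Maximo block unless maximo.url is already defined, so re-running is safe."""
    if "maximo.url" in parse_properties(enrole_text):
        return enrole_text
    if enrole_text and not enrole_text.endswith("\n"):
        enrole_text += "\n"
    return enrole_text + MAXIMO_BLOCK.format(
        url=url, security="true" if security else "false", user=user, password=password)


def add_workflow_extension(sf_text):
    """Insert the extension line directly under the 'Workflow extensions' section header,
    or append it if that header is absent; never add it twice."""
    lines = sf_text.splitlines()
    if EXTENSION_LINE in lines:
        return sf_text
    for index, line in enumerate(lines):
        if "workflow extensions" in line.lower():
            lines.insert(index + 1, EXTENSION_LINE)
            break
    else:
        lines.append(EXTENSION_LINE)
    return "\n".join(lines) + "\n"


def check_maximo_config(enrole_text, sf_text):
    """Return a list of problems; an empty list means both files follow the guide's rules."""
    problems = []
    props = parse_properties(enrole_text)
    url = props.get("maximo.url", "")
    # The guide's http://hostname:port placeholder must become a real host and a numeric port.
    if not re.fullmatch(r"https?://[^/:\s]+:\d{1,5}", url):
        problems.append(f"maximo.url must be http(s)://hostname:port, got {url!r}")
    security = props.get("maximo.security", "")
    if security not in ("true", "false"):
        problems.append("maximo.security must be 'true' or 'false'")
    if security == "true" and not (props.get("maximo.user") and props.get("maximo.password")):
        problems.append("maximo.user and maximo.password are required when maximo.security=true")
    if parse_properties(sf_text).get(EXTENSION_KEY) != EXTENSION_CLASS:
        problems.append(f"scriptframework.properties is missing {EXTENSION_LINE}")
    return problems


def update_data_dir(data_dir, url, security, user="", password=""):
    """Apply both edits to the files under ISIM_HOME/data (assumed layout) and return the check result."""
    data = Path(data_dir)
    enrole_path = data / "enRole.properties"
    sf_path = data / "scriptframework.properties"
    enrole = add_maximo_properties(enrole_path.read_text(), url, security, user, password)
    sf = add_workflow_extension(sf_path.read_text())
    enrole_path.write_text(enrole)
    sf_path.write_text(sf)
    return check_maximo_config(enrole, sf)
```

Run update_data_dir once per cluster member with the same arguments; a non-empty return value lists exactly what still disagrees with the guide, which is cheaper to find before the WebSphere restart than after it.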

Restart WebSphere Application Server

Restart the WebSphere Application Server by stopping and then starting it. For cluster environments, restart all the application cluster members.

Configure the changePassword workflow extension

For the changePassword extension to function properly, complete these steps:

1. Log in to IBM Security Identity Manager as an administrator.
2. Click Configure System → Manage Operations.
3. Select the Entity type level radio button.
4. Click the changePassword link.
5. Double-click the CHANGEPASSWORD extension box.
6. Click the Postscript tab and add the following text:

Maximo.addTicket(Entity.get(), activity);

7. Click OK.8. Click Apply, and then click OK to verify the changes.

Configure the IBM SmartCloud Control Desk service provider

To enable support for IBM SmartCloud Control Desk user management, complete these steps:

1. Copy the maximoserviceprofile.jar file from the Maximo_Install\tim_51 directory to a machine with a Web browser that can log in to IBM Security Identity Manager. Perform the remaining steps from that machine.
2. Log in to IBM Security Identity Manager using the administrative console.
3. Click Manage Service Types.
4. Click Import.
5. Click Browse and navigate to the directory containing the maximoserviceprofile.jar file.
6. Select maximoserviceprofile.jar.
7. Click OK and allow a few minutes for the operation to complete.
8. Click Manage Services.
9. Click Create, select Maximo Service from the menu, and then click Next.
10. Type a unique service name and supply the IBM SmartCloud Control Desk URL in the form of either http://hostname:port or https://hostname:port, depending on whether SSL is being used on the IBM SmartCloud Control Desk server.
11. Type a user ID and password if you would like to run the operations as a specific user other than the default user MXINTADM. Leaving these fields blank results in the operations being executed as MXINTADM.
12. Select the Maximo User Deletion Enabled? check box if LOGINTRACKING is false and you would like to delete IBM SmartCloud Control Desk users.
13. Click Test Connection, verify that the test was successful, and then click Finish.


Note: When choosing to execute the operations as a specific user, make sure to give that user the necessary privileges. For example, to add users to groups, the account configured to execute the group assignment must have the authority to assign users to those groups. For more information about authorizing group reassignment, see the IBM SmartCloud Control Desk documentation. It also might be necessary to modify the default provisioning policy created when the new service is created to make sure that all needed attributes are set. When you create a Maximo service through the IBM Security Identity Manager API, the service profile name is maximoserviceprofile. For creating an account, the account profile name is MaximoAccount. If SSL is being used, see the appropriate documentation for your version of WebSphere for instructions on how to add the certificate.

Adapter attributes

This section describes the adapter attributes.

Attribute descriptions

The IBM Security Identity Manager Server communicates with the IBM SmartCloud Control Desk service provider using attributes that are included in transmission packets that are sent over a network. The combination of attributes which are included in the packets depends on the type of action that the Security Identity Manager Server requests from the IBM SmartCloud Control Desk service provider.

Table 61 contains a list of the attributes that are used by the IBM SmartCloud Control Desk service provider, and gives a brief description and the data type for the value of the attribute.

Table 61. Attributes, descriptions, and corresponding data types

Attribute          Directory server attribute   Description                                                                        Data format
Userid             eruid                        Specifies the user ID of the account.                                              String
Password           erpassword                   Specifies the account password.                                                    String
Status             eraccountstatus              Specifies the status of the account (ACTIVE, INACTIVE).                            String
Type               ermaximousertype             Specifies the type of the Maximo user.                                             String
Defsite            ermaximodefsite              Specifies the default site of the account.                                         String
Storeroomsite      ermaximostoresite            Specifies the storeroom site of the account.                                       String
Querywithsite      ermaximoquerysite            Specifies whether or not to use the insert site as a display filter.               Boolean
Emailpswd          ermaximoemailpswd            Specifies whether or not to e-mail the password to the user on account creation.   Boolean
Sysuser            ermaximosysuser              Specifies whether or not the account is a system account.                          Boolean
Screenreader       ermaximoscreen               Specifies whether or not the account requires a screen reader.                     Boolean
Firstname          ermaximofirstname            Specifies the first name of the person supporting the user account.                String
Lastname           ermaximolastname             Specifies the last name of the person supporting the user account.                 String
Phonenum           ermaximophone                Specifies the primary phone number for the person.                                 String
PhoneType          ermaixmophonetype            Specifies the type of the primary phone number for the person.                     String
Email              ermaximoemail                Specifies the primary e-mail address for the person.                               String
Memo               ermaximomemo                 Specifies the memo for the person.                                                 String
Addressline1       ermaximoaddress              Specifies the address of the person.                                               String
City               ermaximocity                 Specifies the city of the person.                                                  String
Stateprovince      ermaximostate                Specifies the state of the person.                                                 String
Postalcode         ermaximozip                  Specifies the zip of the person.                                                   String
Country            ermaximocountry              Specifies the country of the person.                                               String
Groupname          ermaximogroupname            Specifies the name of the group.                                                   String
GroupDescription   ermaximogroupdescription     Specifies the description of the group.                                            String

IBM SmartCloud Control Desk service provider attributes by action

The following lists are typical IBM SmartCloud Control Desk service provider actions that are organized by their functional transaction group. The lists include more information about required and optional attributes sent to the IBM SmartCloud Control Desk service provider to complete that action.

System Login Add

A System Login Add is a request to create a user account in the domain with the specified attributes.

Table 62. Add request attributes

Required attributes   Optional attribute
eruid                 All other supported attributes
ermaximoemailpswd

System Login Change

A System Login Change is a request to change one or more attributes for the specified users.

Table 63. Change request attributes

Required attributes   Optional attribute
eruid                 All other supported attributes

System Login Delete

A System Login Delete is a request to remove the specified user from the IBM SmartCloud Control Desk registry.

Table 64. Delete request attributes

Required attributes   Optional attribute
eruid                 None

System Login Suspend

A System Login Suspend is a request to disable a user account. The user is not removed, and the attributes are not modified.

Table 65. Suspend request attributes

Required attributes   Optional attribute
eruid                 None
eraccountstatus

System Login Restore

A System Login Restore is a request to activate a user account that was previously suspended. After an account is restored, the user can access the system with the same attributes before the Suspend function was called.

Table 66. Restore request attributes

Required attributes   Optional attribute
eruid                 None
eraccountstatus

Reconciliation

The Reconciliation request synchronizes user account information between IBM Security Identity Manager and the service provider.

Table 67. Reconciliation request attributes

Required attributes   Optional attribute
None                  None
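Tables 61 to 67 together define a small contract: which directory server attributes may appear in each request type, which are mandatory, and what data format each value takes. The following validator is an added example, not IBM's adapter code: it transcribes the tables into data and checks a request, expressed here as an action name plus a dictionary of attribute values, for unknown attributes, missing required attributes, attributes not permitted for that action, and values whose type does not match the table. The request shapes and sample values are constructed; the real adapter carries these attributes in its own packet format, which the guide does not describe.

```python
"""Validate a provisioning request against Tables 61 to 67.

Added example, not part of the IBM guide. The attribute names and data
formats are transcribed from Table 61; the per-action rules from Tables
62 to 67. Request inputs are constructed for the example.
"""

# Table 61: directory server attribute -> data format
ATTRIBUTE_FORMAT = {
    "eruid": "String",
    "erpassword": "String",
    "eraccountstatus": "String",
    "ermaximousertype": "String",
    "ermaximodefsite": "String",
    "ermaximostoresite": "String",
    "ermaximoquerysite": "Boolean",
    "ermaximoemailpswd": "Boolean",
    "ermaximosysuser": "Boolean",
    "ermaximoscreen": "Boolean",
    "ermaximofirstname": "String",
    "ermaximolastname": "String",
    "ermaximophone": "String",
    "ermaixmophonetype": "String",  # spelled as it appears in Table 61
    "ermaximoemail": "String",
    "ermaximomemo": "String",
    "ermaximoaddress": "String",
    "ermaximocity": "String",
    "ermaximostate": "String",
    "ermaximozip": "String",
    "ermaximocountry": "String",
    "ermaximogroupname": "String",
    "ermaximogroupdescription": "String",
}

ACCOUNT_STATUSES = {"ACTIVE", "INACTIVE"}  # Table 61, eraccountstatus

# Tables 62-67: action -> (required attributes, whether other attributes are optional)
ACTIONS = {
    "add": ({"eruid", "ermaximoemailpswd"}, True),      # Table 62
    "change": ({"eruid"}, True),                        # Table 63
    "delete": ({"eruid"}, False),                       # Table 64
    "suspend": ({"eruid", "eraccountstatus"}, False),   # Table 65
    "restore": ({"eruid", "eraccountstatus"}, False),   # Table 66
    "reconciliation": (set(), False),                   # Table 67
}


def _value_problem(name, value):
    """Return a description of a type mismatch for one attribute, or None."""
    fmt = ATTRIBUTE_FORMAT[name]
    if fmt == "Boolean" and not isinstance(value, bool):
        return f"bad value for {name}: expected Boolean"
    if fmt == "String" and not isinstance(value, str):
        return f"bad value for {name}: expected String"
    if name == "eraccountstatus" and value not in ACCOUNT_STATUSES:
        return f"bad value for {name}: expected ACTIVE or INACTIVE"
    return None


def check_request(action, attributes):
    """Return a list of problems; an empty list means the request is well formed."""
    if action not in ACTIONS:
        return [f"unknown action: {action}"]
    required, others_allowed = ACTIONS[action]
    problems = []
    for name in sorted(required - attributes.keys()):
        problems.append(f"missing required attribute: {name}")
    for name, value in sorted(attributes.items()):
        if name not in ATTRIBUTE_FORMAT:
            problems.append(f"attribute not in Table 61: {name}")
            continue
        if name not in required and not others_allowed:
            problems.append(f"attribute not permitted for {action}: {name}")
            continue
        problem = _value_problem(name, value)
        if problem:
            problems.append(problem)
    return problems


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_request("add", {"eruid": "jdoe", "ermaximoemailpswd": False}))
    print(check_request("suspend", {"eruid": "jdoe", "eraccountstatus": "DISABLED"}))
```

Rejecting attributes that the tables do not list for a Delete, Suspend or Restore is the conservative reading of "Optional attribute: None"; a request that carries extra data for those actions is worth flagging before it reaches the service provider rather than silently ignored.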


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features contained in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM might have patents or pending patent applications that cover subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it to enable: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
J46A/G4
555 Bailey Avenue
San Jose, CA 95141-1003
U.S.A.

Such information might be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments might vary significantly. Some measurements might have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements might have been estimated through extrapolation. Actual results might vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding the future direction or intent of IBM are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing, or distributing application programs that conform to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: © (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. 2004, 2012. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: http://www.ibm.com/legal/copytrade.shtml

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

The Oracle Outside In Technology included herein is subject to a restricted use license and can only be used in conjunction with this application.

Other company, product, and service names might be trademarks or service marks of others.


Index

A
access types
    changing 60
    creating 59
    deleting 61
    overview 59
accessibility x
account validation logic 151
accounts
    policy enforcement 157
adapter attributes
    Tivoli Service Request Manager 247
adoption policies 73
attributes
    eruri 65

C
change
    global adoption policies 74
checkout form
    customizing 70
configuration
    credential default settings 63
    external credential vault 66
    shared access utility 235
configuring
    IBM SmartCloud Control Desk 240, 241
configuring for IBM SmartCloud Control Desk 242
console interface
    configuration files 33
    title bar 40
create
    global adoption policies 73
credential
    checkin configuration 63
    checkout configuration 63
    default settings 63
    password configuration 63
credential vault
    configuration 66
    external credential vault 66
    KMIP services 66
css customizations
    migrating 21
customizing
    service form template 65
    user interface 1

D
delete
    global adoption policies 74
dependencies
    export 164
DSML file
    sample
        reconciliation 216
DSML Identity Feed
    placement rule, using 228
DSML identity feeds
    JavaScript 208

E
education x
entities 127
    adding 121
    adding lifecycle rules 139
    adding operations 130
    categories 121
    changing 122
    changing lifecycle rules 140
    changing operations 131
    deleting 123
    deleting lifecycle rules 141
    deleting operations 132
    mapping attributes 121
    overview 121
    running lifecycle rules 141
eruri attribute 65
event notification
    HR feed 209
events 135
export
    deleting 168
    dependencies 164
    full 166, 168
    JAR file 166, 168
    objects 163, 166, 168
    partial 166, 168
external credential vault
    configuring 66

F
form designer 85, 86, 87, 88, 89, 91, 92, 93, 94, 95, 96, 97, 98, 100, 101, 102, 103
    adding eruri attribute 65
    constraints 113
    control types 106
    interface changes 117
    interface description 104
    properties 113
form templates
    modifying 86, 87, 88, 89, 91, 92, 94, 95, 96, 97, 98, 100, 101, 102, 103, 104, 106, 113, 117
    opening 85, 93
    removing 103
    resetting 103
forms
    customizing 85, 86, 87, 88, 89, 91, 92, 93, 94, 95, 96, 97, 98, 100, 101, 102, 103, 104, 106, 113, 117
    removing 103

G
global adoption policies
    change 74
    create 73
    delete 74
global enforcement policy
    configuring 157
    creating alerts and alarms 160
    replacing an attribute 159
    setting a mark 157
    suspending account 158
global policy enforcement
    definition 157

H
HR feed
    asynchronous notification
        adding a person 210
        removing a person 211
        sample compiler 212
        sample driver 212
    event notification
        description 209
    importing data 214
    reconciliation
        importing data 214

I
IBM
    Software Support x
    Support Assistant x
IBM SmartCloud Control Desk 237, 245
    building maximo.ear 243
    components 239
    configuring 240, 241, 242
    configuring WebSphere 245
    deploying 244
    enabling user deletion 242
    installation road map 239
    installing 239
    overview 237
    prerequisite software 238
IBM Tivoli Directory Integrator
    managing identity feeds 221
identity
    feed 222
identity feeds 203
    AD Organizational 217
    attribute mapping table 223
    attributes not in schema 225
    bulk loading data 221
    creating a service 229
    creating reconciliation schedule 231
    CSV 205
    DSML 207
    IBM Tivoli Directory Integrator 220
    IDI 220
    immediate reconciliation 231
    inetOrgPerson 218
    JavaScript code 208
    managing with IBM Tivoli Directory Integrator 221
    modifiable classes and attributes 227
    person placement 228
    placement rule 228
    reconciliation
        organization placement 227
        person naming 227
    user passwords 224
import
    conflict resolution 170
    deleting 171
    JAR file 169, 170
    objects 163, 169, 170
initializing
    JNDI 209
installing
    IBM SmartCloud Control Desk 239

J
JAR file
    downloading 168
    uploading 169, 170
JavaScript
    DSML identity feeds 208
JNDI
    definition 208
    DSML identity feeds 208
    initializing 209
Join directives 147
join directives examples 153, 154

K
Key Management Interoperability Protocol services 66

L
LDAP
    definition 208
lease expiration 63
lifecycle rules
    adding 139
    changing 140
    deleting 141
    filtering 136
    LDAP filter expressions 142
    matching criteria 135
    modifying 138
    name keyword 144
    overview 135
    processing 137
    relationship expressions 142, 143
    running 141
    scheduling 136
    schema information 138
    system expressions 144

M
Maximo 238, 239, 240, 241, 242, 243, 244, 245, 247
Maximo Enterprise Adapter 241
migrating customizations 21

N
notices 251

O
objects
    data migration 163
    exporting 163, 166
    importing 163
    migrating 163
online
    publications ix
    terminology ix
operations 127
    add operation 127
    adding 130
    changePassword operation 128
    changing 131
    delete operation 128
    deleting 132
    modify operation 128
    restore operation 129
    selfRegister operation 129
    suspend operation 130
    transfer operation 130
ownership types 125

P
placement rule
    defining 228
    use 228
policies
    adoption 73
    global adoption
        change 74
        create 73
        delete 74
post office 77
    content code examples 80
    customizing email template 78
    dynamic content custom tags 79
    enabling for workflow activities 84
    JavaScript extensions 81
    label properties 80
    messages properties 80
    modifying sample email content 83
    testing email template 82
problem-determination x
publications
    accessing online ix
    list of for this product ix

R
reconciliation
    creating a schedule 231
    manual service 49
    manual service overview 48
    reconciling accounts
        immediately 231
    sample DSML file 216
rules
    lifecycle
        system expressions 144

S
SAConfig 235
sample compiler
    asynchronous notification
        HR feed 212
    event notifications 212
sample driver
    asynchronous notification
        HR feed 212
    event notifications 212
sample file
    DSML
        reconciliation 216
service definition file 50
service form template
    adding eruri attribute 65
service type 215
service types 43
services 45
    creating identity feed 229
    policy enforcement 157
    reconciling accounts 49, 231
shared access
    advanced configuration 69
    approval 70
    checkout operation 69
    recertification 70
shared access configuration 63
system expressions
    lifecycle rules 144

T
terminology ix
Tivoli Service Request Manager
    adapter attributes 247
    adding password link 243
    configuring Tivoli Identity Manager 244
    integration 238
    updatedb.bat 241
training x
troubleshooting x

U
unique identifier 65
updatedb.bat 241
user interface
    configuration files 1
    customization
        administrative console 32
        self-service 1
    customizing 1
    request parameters 11
    home page 14
    task access 30, 37

V
view definitions
    user interface elements 4

W
WebSphere 242


Printed in USA
