IBM® Security Privileged Identity Manager v2.0.2
Integration with IBM Security Identity Manager (ISIM)
Configuration Cookbook
Version 1.0, March 2016
Chee Meng Low
Haan-Ming Lim
Contents
1. Introduction
1.1. Illustration on how to set up ISPIM–ISIM tethering
1.1.1. Persona
1.1.2. Scenario
2. Jake sets up ISPIM Service at ISIM
2.1. Set up ISPIM Service on ISIM
2.2. Reconcile the service instance
3. Jake sets up Provisioning Policy and account request workflow for ISPIM Accounts at ISIM
3.1. Set up ISPIM Account Request workflow (Optional)
3.2. Set up the provisioning policy for ISPIM accounts
3.3. Set up ISPIM account defaults
3.4. Set the Policy Enforcement Behavior setting
4. Jake sets up ISIM Access for ISPIM domain and roles
4.1. Set up Access Request Workflow
4.2. Set up Access Types for ISPIM Groups (Optional)
4.3. Set up Access for ISPIM System Roles
4.4. Set up an ISPIM domain and enable access
4.5. Set up an ISPIM Shared Access Role and enable access
5. Adam requests for ISPIM Privileged Admin account
6. Adam sets up Credentials and Shared Access Policies in ISPIM Domain
7. Ben requests ISPIM Account and Shared Access Role
8. Ben performs ISPIM Check-in-Check-out operations
9. Jake exercises User Lifecycle Operations
10. Jake sets up Re-Certification Campaign
11. Ben re-certifies his ISPIM Shared Access Role
12. Jake sets up ISIM and ISPIM Reports at Cognos Server
13. Jake generates ISIM and ISPIM Reports for auditing
14. Other Notes
14.1. ISIM set up tips when integrated with ISPIM
14.2. IBM® Security Privileged Identity Manager set up tips when integrated with IBM® Security Identity Manager
Document History
Version | Updates | Developer/IDD | Date
1.0 | Created cookbook. | Chee Meng Low / Haan-Ming Lim | March 2016
For cookbook updates, contact one of the following authors:
Chee Meng ([email protected])
Haan-Ming ([email protected])
1. Introduction
This cookbook describes scenarios to integrate the IBM® Security Privileged Identity Manager (ISPIM) with IBM® Security Identity Manager (ISIM). The scenarios define specific goals and describe how to achieve them.
1.1. Illustration on how to set up ISPIM–ISIM tethering
Set up a basic configuration of IBM® Security Privileged Identity Manager (ISPIM) – IBM® Security Identity Manager (ISIM) tethering by using the ISPIM v2.0.2 virtual appliance (VA) and the ISIM v7.0.1 VA.
1.1.1. Persona
Persona | User Role
Jake | Overall System Administrator of IAM Systems in JK Enterprises.
Adam | System Administrator for the Support department. He is the owner, or administrator, of various server systems in the department.
Ben | Application Team Leader in the Support department. He needs occasional administrator access to different server systems to upgrade software, restart systems or collect logs.
1.1.2. Scenario
Scenario: JK Enterprises has ISIM deployed for identity management across the enterprise, and has recently installed ISPIM for management of shared privileged credentials.
Step: Jake wants ISIM to manage the lifecycle of user accounts on ISPIM. He would like requests for ISPIM Accounts, System Roles (Privileged Admin) and Shared Access Roles to be made through ISIM approval workflows, and to apply ISIM reporting and re-certification to ISPIM accounts.
Additional:
• Jake would like ISPIM Role requests made at ISIM to be approved by the respective ISPIM Role or Credential Owner, such as a Privileged Admin user at ISPIM, and optionally by another party such as the user's manager. This is achieved by associating the various ISPIM Roles with appropriate ISIM approval workflows.
• The out-of-the-box Request Access and Approval Workflow feature of standalone ISPIM will not be used and should be disabled, because all ISPIM-related Access Requests should go through the ISIM user interface and workflows.

Scenario: Jake wants to delegate the on-boarding and management of Credential-to-Role entitlements at ISPIM to a Privileged Admin user in each major department.
Step: He wants to use ISIM to set up separate admin domains in ISPIM, one for each department, such as "Support" and "Engineering".
Additional: For each domain, Jake will provide ISPIM Roles such as "SupportTeamLeads" in the domain, associate each Role with an ISIM approval workflow, and assign the domain ownership to a user with the "Privileged Admin" system role, like Adam. Adam can then log on to ISPIM to administer credentials and entitlements in his domain.

Scenario: Adam and Ben can use the ISIM Service Center to request accounts on ISPIM, just as they do for accounts on other enterprise systems.
Step: For example, Ben will request ISPIM Roles such as "SupportTeamLeads", and Adam will approve his request through the ISIM Service Center.

Scenario: Adam will use the ISPIM Service Center to on-board Credentials and associated objects like Resources and Identity Providers. He will entitle these Credentials to an appropriate ISPIM Role in his domain.
Additional: ISIM cannot be used to on-board and manage the Credentials that are managed by ISPIM. ISIM has visibility and control over the ISPIM Roles at ISPIM, but not over the actual Credentials and the Credential-to-Role entitlements that are managed by ISPIM.

Scenario: Ben will use either the Enterprise Single Sign-On (ESSO) Agent or the ISPIM Self-Service User Interface (SSUI) to check out credentials that he is entitled to.
2. Jake sets up ISPIM Service at ISIM
2.1. Set up ISPIM Service on ISIM
Steps (PIM Administrative Console):
Step 1: Create a service of Service Type ISPIM Profile. Specify the URL to the ISPIM server, for example the URL to the Load Balancer of an ISPIM virtual appliance (VA) cluster.
Note: ISIM requires "https" for the Server URL of the ISPIM server. Therefore, the CA certificate of the ISPIM server must first be uploaded into the trusted certificate store of the ISIM virtual appliance.
Step 2: Under Authentication, configure an existing ISPIM account with the System Admin system role, for example PIM Manager, for authentication to the ISPIM server.
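The note above has two preconditions that are easy to get wrong before the service is saved: the Server URL must be https, and the ISPIM certificate must chain to a CA that ISIM trusts. The following pre-flight check is an added example written for this page, not code from the cookbook or from IBM. It stands in for the ISIM VA trusted certificate store with a local PEM file, and the host name ispim-lb.jk.example and file name ispim-ca.pem are constructed sample values.

```python
"""Pre-flight check for the ISPIM Server URL entered into the ISIM service.

Added example for this cookbook (not IBM code). It checks that the URL is
https and that the ISPIM server certificate verifies against the CA
certificate that was uploaded to ISIM, using a local PEM file as a stand-in
for the ISIM VA trusted certificate store (an assumption of this example).
"""
import socket
import ssl
from urllib.parse import urlparse


def check_server_url(url: str) -> list:
    """Return the problems found with the URL; an empty list means it is acceptable."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        problems.append("scheme must be https: ISIM does not accept http for the ISPIM server")
    if not parsed.hostname:
        problems.append("no host name in URL")
    if parsed.username or parsed.password:
        problems.append("credentials embedded in URL: use the Authentication section instead")
    return problems


def verify_tls_trust(url: str, cafile: str, timeout: float = 5.0) -> dict:
    """Connect to the URL's host and verify its certificate against cafile only.

    System CAs are deliberately not used: ISIM trusts only what was uploaded
    to its own store, so verifying against that single file mirrors its check.
    Returns a result dict instead of raising, so the caller can report findings.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # loads cafile, not system CAs
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(pair[0] for pair in cert["subject"])
                return {"trusted": True, "subject": subject,
                        "not_after": cert["notAfter"], "error": None}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "error": f"not trusted by {cafile}: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:  # missing CA file, refused connection, etc.
        return {"trusted": False, "error": str(exc)}


def preflight(url: str, cafile: str) -> dict:
    """Run both checks; the TLS probe is skipped when the URL itself is wrong."""
    problems = check_server_url(url)
    if problems:
        return {"ok": False, "problems": problems}
    result = verify_tls_trust(url, cafile)
    return {"ok": result["trusted"],
            "problems": [] if result["trusted"] else [result["error"]]}


if __name__ == "__main__":
    # Constructed sample values: replace with the real load-balancer URL and
    # the CA certificate file that was uploaded to the ISIM VA.
    print(preflight("https://ispim-lb.jk.example/", "ispim-ca.pem"))
```

Run it once with the CA file you uploaded to the ISIM appliance; a "not trusted by" result means the service definition will fail the same way inside ISIM, and an http URL is reported before any connection is attempted.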
2.2. Reconcile the service instance
Steps (PIM Administrative Console):
Step 1: Run Reconcile Now on the ISPIM Service instance. Reconcile both the out-of-the-box and the existing ISPIM organization structure, system groups and roles into corresponding groups under the ISPIM service in ISIM.
Step 2: Run Manage Groups on the same ISPIM service to verify that the out-of-the-box ISPIM groups are synced over.
3. Jake sets up Provisioning Policy and account request workflow for ISPIM Accounts at ISIM
3.1. Set up ISPIM Account Request workflow (Optional)
Steps (PIM Administrative Console):
Step 1: If the default or other existing Account Request workflows are not suitable for IBM® Security Privileged Identity Manager (ISPIM) Account Requests, create a new workflow just for the ISPIM Service Profile.
Step 2: Add one or more Activities to the Workflow, for example an Approval Activity. In this example, the workflow consists of an Approval Activity (by the ISIM admin) and an Email Activity that sends an email to a designated user or role.
Step 3: Once submitted, the new workflow is added to the list of existing Account Request Workflows. However, for this workflow to be invoked on an ISPIM Account Request, it must be tied to the relevant entitlements within a Provisioning Policy for ISPIM accounts.
3.2. Set up the provisioning policy for ISPIM accounts
Steps (PIM Administrative Console):
Step 1: Create or edit the provisioning policy for IBM® Security Privileged Identity Manager (ISPIM) Accounts.
Step 2: Specify the entitlement as the ISPIM Service, with the appropriate Account Request Workflow. Now, when the user requests an ISPIM Account, the specified workflow is triggered.
3.3. Set up ISPIM account defaults
Steps (PIM Administrative Console):
Step 1: Populate the required and other useful attributes for the IBM® Security Privileged Identity Manager (ISPIM) accounts that are created.
Step 2: If IBM® Security Identity Manager (ISIM) is able to sync passwords to ISPIM, then set the Change password at next logon flag to unchecked. By default, the user is assigned to the Privileged User group and placed under the root Business Unit in ISPIM.
Do not miss this step, as errors may arise when provisioning an ISPIM account to the user.
3.4. Set the Policy Enforcement Behavior setting
Steps (PIM Administrative Console):
Choose the preferred option:
• Mark: ISPIM accounts that become invalid (when the user's access to an ISPIM system role is revoked) are only marked as non-compliant and are not revoked.
• Correct: revokes the ISPIM account.
4. Jake sets up ISIM Access for ISPIM domain and roles
Jake sets up IBM® Security Identity Manager (ISIM) Access for IBM® Security Privileged Identity Manager (ISPIM) groups, domain and roles, so that users can request such access through the ISIM Service Center.
4.1. Set up Access Request Workflow
Steps (PIM Administrative Console):
Step 1: Set up one or more Access Request Workflows for ISPIM Shared Access Role access requests. Jake can set up different variations of workflow, each consisting of one or more approval or mail activities involving participants such as the Access Owner, Administrator or Manager. The following example workflow can be applied to all Access for any ISIM service, not only ISPIM.
Step 2: Configure a simple workflow and add an Approval by Access Owner activity.
Step 3: Add an Email Activity to notify the Administrator.
It is possible to create workflows specific to the ISPIM Service Profile. If multi-stage approval is required, just stack the Approval Activities in the workflow's activity definition. Whenever a Role or Access is defined, you can choose one of these workflows to be applied.
4.2. Set up Access Types for ISPIM Groups (Optional)
If necessary, create new Access Types to represent the various types of IBM® Security Privileged Identity Manager (ISPIM) Accesses to be made available to IBM® Security Identity Manager (ISIM) users.
Steps (PIM Administrative Console):
In the following example, a PIM Access Type is added under Application, and 3 custom Access Types are added under PIM to represent accesses for PIM Group, PIM Domain and PIM Role.
4.3. Set up Access for ISPIM System Roles
Steps (PIM Administrative Console):
Step 1: For each Privileged Identity Manager (PIM) Group, also known as System Role, that is to be made available for request, enable Access for the corresponding Group (of type ISPIM Group) under the IBM® Security Privileged Identity Manager (ISPIM) service. The following example shows how the Access is configured for the Privileged Admin Group.
Step 2: Classify the Access under the appropriate Access Type, and specify an Approval Workflow for requests that belong to this Access. Jake, who is the admin, would need to approve these requests.
Step 3: Repeat the process for other PIM Groups where necessary.
It is not necessary to expose the Privileged User group as an Access, since this group entitlement is already defined in the Account Defaults for an ISPIM account.
4.4. Set up an ISPIM domain and enable access
Create a Privileged Identity Manager (PIM) Group of type "ISPIM admin domain" under the ISPIM service.
Steps (PIM Administrative Console):
Step 1: Create a PIM domain Support under the PIM Business Unit /JK Enterprises. This creates a PIM Business Unit /JK Enterprises/Support within PIM.
Step 2: Assign the domain owner in one of the following ways:
a) Through ITIM Manager: add the owner user (who should also be a member of the PIM Privileged Admin group) as a member of the group created earlier.
b) Through workflows: enable access for this PIM domain, with the appropriate access type and approval workflow. The steps are similar to 4.3 Set up Access for ISPIM System Roles.
4.5. Set up an ISPIM Shared Access Role and enable access
Create a Privileged Identity Manager (PIM) Group of type ISPIM role under the IBM® Security Privileged Identity Manager (ISPIM) service.
Steps:
Step 1: Create a PIM Group representing the PIM Shared Access Role Support Team Leads in the PIM Business Unit /JK Enterprises/Support.
Step 2: Select Enable Access and set the Access Type accordingly. Select the appropriate Approval Workflow. Since the approval workflow involves the Access Owner, the Access Owner property must be set to Adam.
Step 3: Ensure that the PIM Group configured earlier is listed under groups of type ISPIM role under the ISPIM service.
5. Adam requests for ISPIM Privileged Admin account
Steps (ISIM console):
Step 1: Adam logs on to the IBM® Security Identity Manager (ISIM) Service Center to request a Privileged Identity Manager (PIM) account, membership of the PIM Privileged Administrator group, and administrator rights to the Support PIM Domain.
Step 2: Adam's requests result in a batch request involving multiple required approvals. Assuming that the approval workflow is already set up, Adam should see a Pending status with pending activities.
Step 3: The approving parties, for example Jake, can log on to ISIM Manage Activities to approve the requests.
Expected Results: Once all requests have been approved, Adam gets an email notification of his PIM account creation and password, and he is able to log in to the PIM consoles. As a Privileged Administrator, Adam can log on to the ISPIM Admin and Service Center consoles under the designated PIM domain.
Additional: If Adam wants to be the domain admin for more PIM domains, he can return to the ISIM Service Center to request them.
6. Adam sets up Credentials and Shared Access Policies in ISPIM Domain
Steps (PIM Console):
Step 1: On-board Credentials with associated Resources and Identity Providers through the IBM® Security Privileged Identity Manager (ISPIM) Service Center.
Step 2: Grant the privileged users access to credentials through ISPIM Service Center Manage Access. See IBM Security Privileged Identity Manager v2.0.2 Creating Access.
7. Ben requests ISPIM Account and Shared Access Role
Steps (ISIM console):
Step 1: Log on to the IBM® Security Identity Manager (ISIM) Service Center to request an IBM® Security Privileged Identity Manager (ISPIM) Account and a PIM Role, such as Support Team Leads.
Step 2: The approval process requires Adam, who is the Access Owner, to log in to the ISIM Service Center to approve.
Step 3: Once the request is approved, Ben can proceed to perform Check-in-Check-out (CICO) operations. If Ben requires more PIM Roles, he can return to the Service Center to request more.
If custom Access Types are configured for PIM Access as described earlier, Ben can narrow the search to specific PIM Access Types when required. In the following example, the available Accesses are filtered by the access type PIM Shared Access Role.
8. Ben performs ISPIM Check-in-Check-out operations
The steps taken are the same as for standalone IBM® Security Privileged Identity Manager deployments.
9. Jake exercises User Lifecycle Operations
Jake performs the following operations:
Step | Additional
Suspend an IBM® Security Identity Manager (ISIM) User | Depending on the Policy Enforcement Configuration, check that the expected result occurred.
Delete an ISIM User | Depending on the Policy Enforcement Configuration, check that the expected result occurred.
Remove an IBM® Security Privileged Identity Manager (ISPIM) Privileged Admin access from an ISIM or ISPIM User | Depending on the Policy Enforcement Configuration, check that the expected result occurred.
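The "check that the expected result occurred" steps above depend on the Mark or Correct setting chosen in 3.4, and after reconciliation (2.2) the check can be made from data rather than by eye. The following is an added example written for this page, not code from the cookbook or from ISIM: it compares the ISPIM group memberships found by reconciliation with what ISIM currently grants and reports what each enforcement setting is expected to do. The user names, groups and action names are constructed for the example.

```python
"""Compliance check that applies the ISIM Policy Enforcement Behavior.

Added example (not from the cookbook or from ISIM). Mark leaves non-compliant
ISPIM accounts in place and only flags them; Correct revokes them (section
3.4). The sample users and groups are constructed; action names are this
example's own simplification of the product behaviour.
"""

MARK = "Mark"        # non-compliant accounts are only marked, never changed
CORRECT = "Correct"  # non-compliant accounts are revoked

# Groups whose lingering membership matters most when the setting is Mark.
SENSITIVE_GROUPS = {"Privileged Admin", "System Admin"}


def evaluate(enforcement, isim_entitlements, ispim_memberships):
    """Return a list of (user, action, detail) tuples, one per ISPIM account.

    isim_entitlements maps user -> set of ISPIM groups ISIM still grants; a user
    missing from it has no ISPIM entitlement at all (for example, an ISIM user
    that was deleted). ispim_memberships maps user -> groups found on ISPIM.
    """
    if enforcement not in (MARK, CORRECT):
        raise ValueError(f"unsupported enforcement setting: {enforcement!r}")
    actions = []
    for user, groups in sorted(ispim_memberships.items()):
        granted = isim_entitlements.get(user)
        if granted is None:
            detail = "no ISPIM entitlement in ISIM"
        elif groups - granted:
            detail = "memberships not granted by ISIM: " + ", ".join(sorted(groups - granted))
        else:
            actions.append((user, "ok", "memberships match ISIM entitlements"))
            continue
        action = "mark" if enforcement == MARK else "revoke"
        actions.append((user, action, detail))
    return actions


def lingering_privileges(actions, ispim_memberships):
    """Accounts that are only marked but still hold a sensitive ISPIM group.

    Under Mark nothing changes on ISPIM until an administrator acts, so these
    are the accounts to review first after a lifecycle operation.
    """
    return sorted(
        user for user, action, _ in actions
        if action == "mark" and ispim_memberships[user] & SENSITIVE_GROUPS
    )


# Constructed sample: Ben's Privileged Admin access was removed in ISIM and
# Carol was deleted from ISIM, but reconciliation still shows both on ISPIM.
ISIM_ENTITLEMENTS = {
    "adam": {"Privileged User", "Privileged Admin"},
    "ben": {"Privileged User"},
}
ISPIM_MEMBERSHIPS = {
    "adam": {"Privileged User", "Privileged Admin"},
    "ben": {"Privileged User", "Privileged Admin"},
    "carol": {"Privileged User"},
}


def expected_results():
    """Expected outcome of the lifecycle operations for each setting."""
    return {
        setting: evaluate(setting, ISIM_ENTITLEMENTS, ISPIM_MEMBERSHIPS)
        for setting in (MARK, CORRECT)
    }


if __name__ == "__main__":
    results = expected_results()
    for setting, actions in results.items():
        print(f"--- Policy Enforcement Behavior = {setting}")
        for user, action, detail in actions:
            print(f"{user:6} {action:7} {detail}")
    print("still privileged under Mark:",
          lingering_privileges(results[MARK], ISPIM_MEMBERSHIPS))
```

With Mark, Ben keeps his Privileged Admin membership on ISPIM after the access was removed in ISIM, which is why the lingering-privileges list is worth checking right after each lifecycle operation; with Correct, the same accounts are revoked.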
10. Jake sets up Re-Certification Campaign
Steps (PIM Admin Console):
Step 1: Jake logs in to the IBM® Security Identity Manager (ISIM) Admin Console to create a new Re-Certification Policy for IBM® Security Privileged Identity Manager (ISPIM) Shared Access Roles.
Step 2: Jake searches for and adds the ISPIM Accesses representing the Shared Access Roles on PIM, and selects all of them to add as Access Targets to the policy.
Step 3: Jake sets up the re-certification schedule.
Step 4: Jake proceeds to set up the re-certification policy details. He specifies that users should self-certify their accesses and that their accesses will be approved even if there is no response from the user within 10 days. Alternatively, Jake can specify that the access will be automatically revoked if there is no response in 10 days.
Step 5: If necessary, Jake can select Advanced configuration mode to configure more advanced workflows through the Workflow Designer.
Step 6: Jake proceeds to review and update the email templates for both re-certification and rejection.
Step 7: After saving the policy, Jake can run the policy immediately, or run the policy on its next scheduled date.
Step 8: Jake can bring up the ISPIM service groups and periodically check on the re-certification status of the different accesses.
11. Ben re-certifies his ISPIM Shared Access Role
Steps:
Step 1: Ben receives an email notification to re-certify his PIM role.
Step 2: Ben logs in to the IBM® Security Identity Manager (ISIM) Service Center, clicks on Manage Activities and sees a pending "re-certification" activity.
Step 3: He enters the justification and clicks Approve to re-certify his need for continued access.
12. Jake sets up ISIM and ISPIM Reports at Cognos Server
Jake refers to the guides on deploying the IBM® Security Identity Manager (ISIM) and IBM® Security Privileged Identity Manager (ISPIM) reporting packages to the Cognos Server and configures them to point to the respective ISIM and ISPIM databases.
13. Jake generates ISIM and ISPIM Reports for auditing
Steps:
Step 1: Jake logs in to the Cognos Reporting server. He clicks on the ISIM Reporting Model to see the available out-of-the-box ISIM reports.
Step 2: He proceeds to generate reports related to Access entitlements.
Step 3: Jake selects the PIM Reporting Model and generates the following out-of-the-box reports.
Step 4: He continues by generating a report for Shared Access Credentials by Role.
Step 5: Jake then generates reports for privileged accesses performed through the Enterprise Single Sign-On Agent, and drills down into a command log captured from one of the PuTTY sessions.
14. Other Notes
14.1. ISIM set up tips when integrated with ISPIM
If the IBM® Security Privileged Identity Manager (ISPIM) virtual appliance is configured to authenticate against a standalone registry:
• Enable Password Sync so that the IBM® Security Identity Manager (ISIM) password is synced to ISPIM.
• If external registry authentication is enabled at ISIM, make sure to also set up a managed service for the user registry, so that the ISIM password is synced to the external registry password and so that ISIM can perform password syncing to ISPIM. When configuring against an HR Feed, remember to set the Account Defaults for the ISIM account so that the user is not required to change the password upon first logon.
• If ISIM password syncing to ISPIM is not enabled (or not working), the user's initial ISPIM password can be retrieved from the email notification sent out by ISPIM to the user's email.

Additional configuration, including ACI manipulation, is required to delegate ISPIM service management to a different user (not ITIM Manager). For example, a dedicated ISIM domain needs to be created for ISPIM, under which the ISPIM Service is created, and the user needs to be made the Service Owner.

Additional configuration, including ACI and View manipulation, is required to delegate management of the respective ISPIM domains and roles (through the ISIM Admin Console) to the respective Domain Owner (Privileged Admin) users. For example, a dedicated ISIM View needs to be created for Privileged Admin users, and ACIs granted for these users to manage the Roles created within their respective ISPIM domain. This configuration has not yet been tested in the lab.

Since ISIM Separation of Duty policies are applied to ISIM Roles only, and not to Accesses, additional configuration and customization is required to configure ISIM such that there is an ISIM Role corresponding to each ISPIM Role. In this case, users request full-fledged ISIM Roles representing ISPIM Roles, and rely on customized workflows to auto-create the corresponding Service Groups. This configuration has not been tested in the lab.

14.2. IBM® Security Privileged Identity Manager set up tips when integrated with IBM® Security Identity Manager
Do not enable the Request or Delete Access panel on the IBM® Security Privileged Identity Manager (ISPIM) Self-Service User Interface. View Access can be enabled so that users can see which Accesses are granted. This is to ensure that all Access Requests go through IBM® Security Identity Manager (ISIM). Access requests from the ISPIM Self-Service User Interface go through ISPIM access workflows, which are usually not configured, leading to automatic approval.

Disable Checkout Search for any Credentials, and also disable the global default setting. This is to prevent users from discovering and requesting a Role through ISPIM workflows, bypassing ISIM. Role requests from the ISPIM Self-Service User Interface go through ISPIM access workflows, which are usually not configured, leading to automatic approval.

Alter the Access Control Information (ACI) to prevent Privileged Administrators from being able to change ISPIM role memberships through ISPIM. Users may still be given View Role Membership. This is to ensure that all role management activities occur at ISIM.