Chapter 2. Planning
2.4 Entities design
Tivoli Identity Manager is concerned with managing users and their accounts.
Passwords, group memberships, and other attributes are associated with the
users and accounts, which all relate to managed systems and applications. To enable management of users, accounts, and associated information, Tivoli Identity Manager uses an organizational tree and roles, groups and ACIs, and various type of policies. Tivoli Identity Manager also uses elements of workflow, audit logs, and reports. We describe these components in the following sections.
The entities managed by Tivoli Identity Manager are:
Users, accounts, and attributes
Passwords
Group membership
Managed systems and applications
2.4.1 Users, accounts, and attributes
A person can be classified as a person, a business partner person (BPPerson), or custom person in Tivoli Identity Manager. A person is typically an employee of the company or organization. A BPPerson is typically an individual who needs access to an organization’s resources that are managed by the Tivoli Identity Manager system but who is not considered an employee.
All classes of users are managed in the same way. However, more information is required when adding a person than when adding a BPPerson. A custom person is used when the standard person definition does not suit an organization and has to be extended for the organization.
A person can be placed anywhere in the organization tree, so the organization tree can represent the user structure of a company.
The information used for each person is defined as attributes on the person objects, which can include first, last, and full names, phone numbers, employee number, supervisor, and e-mail address.
The Tivoli Identity Manager person1 with its attributes is mapped to a directory server iNetOrgPerson object with its attributes. To differentiate between a person and a BPPerson, Tivoli Identity Manager maps the BPPerson to an
organizationalPerson object with its attributes. In a situation where predefined attributes cannot entirely describe a person, new attributes can be defined that will cause changes in the directory server schema. For more details, see Chapter 4, “Implementation” on page 101.
An account represents a person’s access entitlement to the Tivoli Identity Manager system and to services that are managed by Tivoli Identity Manager
1 The Tivoli Identity Manager person refers to the person object as it exists after the base installation of Tivoli Identity Manager.
Chapter 2. Planning 45 (managed resource), such as Microsoft Windows, Sun™ Solaris™, SAP®, DB2, Tivoli Access Manager, and so on. Accounts require unique attributes that are defined by the managed resource.
An orphan account is an account that is not associated with a person. Orphan accounts are generated when the reconciliation process cannot automatically associate the account with a person using adoption rules.
2.4.2 Passwords
The majority of accounts have passwords associated with them. However, an account that is associated with a manual service type such as Voice mail setup, Telephone setup, Employee badge request, and so on does not have a password defined.
Owners or administrators can manage account passwords centrally using the Tivoli Identity Manager Web interface.
Passwords can be synchronized. The synchronization can be applied to all accounts that are associated with a user or selected accounts. For most passwords, this synchronization is one-way. Tivoli Identity Manager sets the password and pushes it to the managed targets. Tivoli Identity Manager cannot accept a password change request from a target and push this request to all associated accounts. The exception is the Microsoft Windows password synchronization function and the Reverse Password Synchronization for IBM Tivoli Access Manager WebSEAL agent, which both intercept a password change and pass it through Tivoli Identity Manager.
Tivoli Identity Manager can generate a random password that can be displayed to an administrator or mailed to a user. To further improve security, the shared secret can be used by an account owner to retrieve a new or changed password for an account when the system is configured to not e-mail passwords in the clear. In that case, the user receives a temporary URL that can be accessed only with the shared secret. In addition, Tivoli Identity Manager can be configured to store the shared secret in LDAP as a hashed value for additional protection.
Tivoli Identity Manager uses a challenge/response function to verify users’
identities if they have forgotten their Tivoli Identity Manager password. The user can choose challenge questions from a standard list or can enter challenge questions. When logging in to Tivoli Identity Manager for the first time, the user provides the challenge questions (if configured) and responses. On subsequent logins to Tivoli Identity Manager, the user can select a “Forgot password” option and a subset of the challenge/response questions are used to verify the user’s identity.
2.4.3 Group membership
Accounts are granted access to target systems and applications by placing them into groups previously defined on the target systems. These can be groups on UNIX systems or in Windows domains, SAP groups or profiles, or any other access control grouping mechanism.
Group lists, for most managed targets, are updated with the reconciliation function. Therefore, administrators do not manually enter group names; they select from an existing list that is synchronized with the target.
Service group
With Tivoli Identity Manager, users and administrators can request and manage access to resources such as shared folders, e-mail groups, or applications.
Access entitlement can be mapped to an existing group on a managed service.
A service group is a new type of entity introduced in Tivoli Identity Manager 5.0. A service group is reconciled from the managed service as part of the supporting data. Administrators can view the groups on a service, manage group members, provide a business friendly name and description of the access represented by the group, and expose the access to a user so that the user can directly request or delete access. Administrators can also assign an admin owner for the access, define approval workflows for access requests, and configure recertification policies for the access based on the group. Business users are no longer required to manage an account directly to gain access to IT resources, because Tivoli Identity Manager integrates account management with access
management.
2.4.4 Managed systems and applications
Tivoli Identity Manager manages users on many different managed systems, including operating systems such as UNIX and Windows servers, as well as applications such as databases and business applications.
Tivoli Identity Manager deploys an adapter to perform the administration of accounts on the target systems or applications. Some adapters are deployed physically to the system or application and interact locally. Other adapters operate remotely and can be deployed anywhere in the network.
Note: Tivoli Identity Manager does not create or delete groups on managed targets. Also, it does not manage access control lists or resource access on the managed targets. The local administrators or application owners must perform these functions using the native system or application tools.
Chapter 2. Planning 47