IBM Security Identity Manager
Version 6.0
Product Overview Guide
GC14-7692-01
Note
Before using this information and the product it supports, read the information in "Notices".
Edition notice
Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.
Table of contents
Table list
About this publication
  Access to publications and terminology
  Accessibility
  Technical training
  Support information
  Statement of Good Security Practices
Chapter 1. How to obtain software images
Chapter 2. Hardware and software requirements
  Hardware requirements
  Operating system support
  Virtualization support
  Java Runtime Environment support
  WebSphere Application Server support
  Database server support
  Directory server support
  Directory Integrator support
  Report server support
  Prerequisites for IBM Cognos report server
  Browser requirements for client connections
  Adapter level support
Chapter 3. What's new in this release
  Account ownership type
  Identity Service Center user interface
  Shared access module
  Role management
  Extended role attributes
  Role assignment attributes
  Service management and provisioning
  Service level form
  Service connection mode
  Service status and failure retry
  Service tagging
  Enhanced adapter testing
  Account and access management
  Multiple level access types
  Account search in the self service console
  Authentication with an external user registry configured with WebSphere
  Vertical cluster support
  Application programming interfaces
  Web Services API
  Extensions to the Recertification Policy API
  Enhanced logging APIs for use in custom JavaScript
  Report data synchronization enhancements
  Health monitoring
  IBM Cognos reporting framework
Chapter 4. Known limitations, problems, and workarounds
Chapter 5. Features overview
  Access management
  Shared access
  Shared access documentation
  Roadmap for configuring shared access for a managed resource
  Support for corporate regulatory compliance
  Identity governance
  Triple user interface
  Administrative console user interface
  Self-care user interface
  Identity Service Center user interface
  Recertification
  Reporting
  Static and dynamic roles
  Self-access management
  Provisioning features
  Resource provisioning
  Request-based access to resources
  Roles and access control
  Hybrid provisioning model
Chapter 6. Technical overview
  Users, authorization, and resources
  Main components
  People overview
  Users
  Identities
  Accounts
  Access
  Passwords
  Resources overview
  Services
  Adapters
  Adapter communication with managed resources
  System security overview
  Security model characteristics
  Business requirements
  Resource access from a user's perspective
  Organization tree overview
  Nodes in an organization tree
  Entity types associated with a business unit
  Entity searches of the organization tree
  Policies overview
  Workflow overview
Chapter 7. Initial login and password information
Notices
Index
Table list
  1. Hardware requirements for IBM Security Identity Manager
  2. Operating system support
  3. Virtualization support
  4. Database server support
  5. Directory server support
  6. Supported versions of IBM Tivoli Directory Integrator
  7. Software requirements for IBM Cognos report server
  8. Prerequisites to run the UNIX and Linux adapter
  9. More information on role assignment attributes
  10. Shared access features
  11. Installation and upgrade
  12. System configuration
  13. Shared access administration
  14. Data references
  15. Shared access troubleshooting
  16. Shared access application programming interfaces
  17. Shared access for users
  18. Configuring managed resources that are supported by the IBM Security Identity Manager
  19. Defining roles and provisioning policies to grant ownership of sponsored accounts
  20. Adding credentials with a connection to an account to the vault
  21. Adding credentials without a connection to an account to the vault
  22. Configuring a shared access policy to grant access to the credentials
  23. Summary of reports
  24. Policy types and navigation
  25. Initial user ID and password for IBM Security Identity Manager
About this publication
The IBM Security Identity Manager Product Overview Guide provides general information about IBM Security Identity Manager. It includes information about:
- The product release, such as new or deprecated product features and functions
- The open standards, technologies, and architecture on which the product is based
- The user model and roles underlying the product features
- The graphical interfaces and tools provided to support various user roles
Access to publications and terminology
This section provides:
- A list of publications in the IBM Security Identity Manager library.
- Links to "Online publications".
- A link to the "IBM Terminology website".
IBM Security Identity Manager library
The following documents are available in the IBM Security Identity Manager library:
- IBM Security Identity Manager Quick Start Guide, CF3L2ML
- IBM Security Identity Manager Product Overview Guide, GC14-7692-01
- IBM Security Identity Manager Scenarios Guide, SC14-7693-01
- IBM Security Identity Manager Planning Guide, GC14-7694-01
- IBM Security Identity Manager Installation Guide, GC14-7695-01
- IBM Security Identity Manager Configuration Guide, SC14-7696-01
- IBM Security Identity Manager Security Guide, SC14-7699-01
- IBM Security Identity Manager Administration Guide, SC14-7701-01
- IBM Security Identity Manager Troubleshooting Guide, GC14-7702-01
- IBM Security Identity Manager Error Message Reference, GC14-7393-01
- IBM Security Identity Manager Reference Guide, SC14-7394-01
- IBM Security Identity Manager Database and Directory Server Schema Reference, SC14-7395-01
- IBM Security Identity Manager Glossary, SC14-7397-01
Online publications
IBM posts product publications when the product is released and when the publications are updated at the following locations:
IBM Security Identity Manager library
The product documentation site displays the welcome page and navigation for the library: http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm
IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.
IBM Publications Center
The IBM Publications Center site http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss offers customized search functions to help you find all the IBM publications you need.
IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.
Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.
For additional information, see the topic "Accessibility features for IBM Security Identity Manager" in the IBM Security Identity Manager Reference Guide.
Technical training
For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.
Support information
If you have a problem with your IBM® software, you want to resolve it quickly.
IBM provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/software/ support/probsub.html and follow the instructions.
IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, see the IBM Security Identity Manager Installation Guide. Also see: http://www.ibm.com/software/support/isa.
Troubleshooting Guide
For more information about resolving problems, see the IBM Security Identity Manager Troubleshooting Guide.
Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Chapter 1. How to obtain software images
IBM Security Identity Manager installation files and fix packs can be obtained from the IBM Passport Advantage® website or from a DVD distribution.
The Passport Advantage website provides packages, called eAssemblies, for IBM products.
To obtain eAssemblies for IBM Security Identity Manager, follow the instructions in the IBM Security Identity Manager Download Document.
The IBM Security Identity Manager Installation Guide provides full instructions for installing IBM Security Identity Manager and the prerequisite middleware products.
The procedure that is appropriate for your organization depends on the following conditions:
- Operating system used by IBM Security Identity Manager
- Language requirements for using the product
- Type of installation you need to do:
  eAssembly for the product and all prerequisites
    The IBM Security Identity Manager installation program enables you to install IBM Security Identity Manager, prerequisite products, and required fix packs as described in the IBM Security Identity Manager Installation Guide. Use this type of installation if your organization does not currently use one or more of the products required by IBM Security Identity Manager.
  eAssembly for a manual installation
    You can install IBM Security Identity Manager separately from the prerequisites, and you can install separately any of the prerequisite products that are not installed. In addition, you must verify that each prerequisite product is operating at the required fix or patch level.
Chapter 2. Hardware and software requirements
IBM Security Identity Manager has specific hardware requirements and supports specific versions of operating systems, middleware, and browsers.
The topics in this section list the hardware requirements and the supported versions of each software product. The versions listed are those that were supported when this product release became available.
Note: Support for prerequisite software is continuously updated. To review the latest updates to this information, see the Software Product Compatibility Reports page at http://pic.dhe.ibm.com/infocenter/prodguid/v1r0/clarity/index.html.
Hardware requirements
IBM Security Identity Manager has these hardware requirements:
Table 1. Hardware requirements for IBM Security Identity Manager
System component | Minimum values* | Suggested values**
System memory (RAM) | 2 gigabytes | 4 gigabytes
Processor speed | Single 2.0 gigahertz Intel or pSeries processor | Dual 3.2 gigahertz Intel or pSeries processors
Disk space for product and prerequisite products | 20 gigabytes | 25 gigabytes
* Minimum values: These values enable a basic use of IBM Security Identity Manager.
** Suggested values: You might need to use larger values that are appropriate for your production environment.
Operating system support
IBM Security Identity Manager supports multiple operating systems.
The IBM Security Identity Manager installation program checks to ensure that specific operating systems and levels are present before it starts the installation process.
Table 2. Operating system support
Operating system | Platform | Patch or maintenance level
AIX® Version 6.1 | System p® | None
AIX Version 7.1 | System p | None
Oracle Solaris 10 | SPARC | None
Windows Server 2008 Standard Edition | x86-32, x86-64 | None
Windows Server 2008 Enterprise Edition | x86-32, x86-64 | None
Windows Server 2008 Release 2 Standard Edition | x86-64 | None
Windows Server 2008 Release 2 Enterprise Edition | x86-64 | None
Windows Server 2012 Standard Edition | x86-64 | None
Red Hat Enterprise Linux 5.0 | x86-32, x86-64, System p, System z | Update 6. Security Enhanced Linux must be disabled; see the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide.
Red Hat Enterprise Linux 6.0 | x86-32, x86-64, System p, System z | Update 5. Security Enhanced Linux must be disabled; see the topic "Red Hat Linux Server Configuration" in the IBM Security Identity Manager Installation Guide.
SUSE Linux Enterprise Server 10.0 | System p, System z®, x86-32, x86-64 | SP3
SUSE Linux Enterprise Server 11.0 | System p, System z, x86-32, x86-64 | SP1
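The two Red Hat rows of Table 2 are the ones that fail silently at install time: the update level and the SELinux state. The pre-flight script below is an added example for this page, not part of the IBM product or its installer. It assumes that "Update N" in the table corresponds to minor release N as reported in /etc/redhat-release (that is, RHEL 5.6 and RHEL 6.5), and it uses only that file and the getenforce command. Because the table requires SELinux to be disabled outright, the check accepts nothing short of "Disabled"; disabling SELinux removes a mandatory access control layer from that host, so treat it as a documented exception on the server running IBM Security Identity Manager rather than a default for the estate.

```shell
#!/bin/sh
# Pre-flight check for the RHEL rows of Table 2 (hypothetical helper; not part
# of the IBM installer). Two facts are taken from the table:
#   - RHEL 5 needs Update 6 and RHEL 6 needs Update 5
#   - Security Enhanced Linux must be disabled on both
# Assumption (not stated on the page): "Update N" is minor release N in
# /etc/redhat-release, i.e. RHEL 5.6 and RHEL 6.5.

# Minimum minor release for a supported major; empty means the major is not
# listed in Table 2 at all.
required_update_for_major() {
    case "$1" in
        5) echo 6 ;;
        6) echo 5 ;;
        *) echo "" ;;
    esac
}

# rhel_release_ok "<first line of /etc/redhat-release>"
# Returns 0 when the major is listed and the minor meets the update level.
rhel_release_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    need=$(required_update_for_major "$major")
    [ -n "$need" ] || return 1
    [ "$minor" -ge "$need" ]
}

# selinux_ok "<output of getenforce>"
# Permissive still loads the policy, so only "Disabled" satisfies Table 2.
selinux_ok() {
    [ "$1" = "Disabled" ]
}

# Runs both checks against the live host. Sources that are absent are
# skipped rather than failed, so the script is harmless on non-RHEL hosts.
check_host() {
    status=0
    if [ -r /etc/redhat-release ]; then
        rel=$(head -n 1 /etc/redhat-release)
        if rhel_release_ok "$rel"; then
            echo "OK   release: $rel"
        else
            echo "FAIL release: $rel (Table 2 needs RHEL 5 Update 6 or RHEL 6 Update 5)"
            status=1
        fi
    else
        echo "SKIP /etc/redhat-release not present"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
        if selinux_ok "$mode"; then
            echo "OK   SELinux: $mode"
        else
            echo "FAIL SELinux: $mode (must be Disabled before installing)"
            status=1
        fi
    else
        echo "SKIP getenforce not present"
    fi
    return $status
}

# Only touch the live host when explicitly asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it with --run on the candidate host before starting the installer; a non-zero exit means at least one Table 2 condition is not met. The parsing functions take their input as arguments so the same logic can be checked against recorded release strings from an inventory without logging on to each host.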
Virtualization support
IBM Security Identity Manager supports virtualization environments. See Table 3 for a list of the virtualization products that IBM Security Identity Manager supports at the time of product release.
Table 3. Virtualization support
Product | Applicable operating systems
IBM AIX Workload Partitioning (WPAR) and Logical Partitioning (LPAR) 6.1 and 7.1, and future fix packs | All supported operating system versions automatically applied
IBM PowerVM® Hypervisor (LPAR, DPAR, Micro-Partition), any supported version, and future fix packs | AIX
IBM PR/SM™, any version, and future fix packs | All supported operating system versions automatically applied
IBM z/VM® Hypervisor 5.4 and any future fix packs | All supported operating system versions automatically applied
IBM z/VM Hypervisor 6.1 and any future fix packs |
Linux KVM in SUSE Linux Enterprise Server (SLES) 11 | All supported operating system versions automatically applied
Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 5.4 and future fix packs | Linux, Windows
Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) 6.0 and future fix packs | All supported operating system versions automatically applied
Sun Solaris 10 Global/Local Zones (SPARC) 10 and future fix packs | All supported operating system versions automatically applied
Sun/Oracle Logical Domains (LDoms), any version and future fix packs | Solaris
VMware ESXi 4.0 and future fix packs | All supported operating system versions automatically applied
VMware ESXi 5.0 and future fix packs | All supported operating system versions automatically applied
Java Runtime Environment support
IBM Security Identity Manager requires the Java™ Runtime Environment (JRE). When a required version of the WebSphere® Application Server is installed, the required version or a later version of the JRE is installed in the WAS_HOME/java directory. For information about the required versions of the WebSphere Application Server, see "WebSphere Application Server support".
Use of an independently installed development kit for Java, from IBM or other vendors, is not supported. The Java Runtime Environment requirements for using a browser to create a client connection to the IBM Security Identity Manager server are different from the JRE requirements for running the WebSphere Application Server.
WebSphere Application Server support
IBM Security Identity Manager runs as an enterprise application in a WebSphere Application Server environment.
IBM Security Identity Manager requires one of the following versions of WebSphere Application Server:
- WebSphere Application Server, Version 8.5, with WebSphere Application Server V8.5 Fix Pack 2.
- WebSphere Application Server, Version 8.5, Network Deployment, with the Identity Service Center user interface. WebSphere Application Server V8.5 Fix Pack 2 is required for support of all platforms.
- WebSphere Application Server, Version 7.0, with WebSphere Fix Pack 29.
WebSphere supports each of the operating systems that IBM Security Identity Manager supports. Review the WebSphere website for the WebSphere requirements for each operating system: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27012369
Database server support
IBM Security Identity Manager supports multiple database server products.
Note: The Identity Service Center and Cognos reporting do not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.
Table 4. Database server support
Database server | Fix pack | Notes
IBM DB2® Enterprise Version 9.5.0.3 | Fix Pack 3 | IBM DB2 Workgroup Edition is required for Linux 32-bit operating systems.
IBM DB2 Enterprise Version 9.7.0.7 | Fix Pack 7 | IBM DB2 Workgroup Edition is required for Linux 32-bit operating systems. Red Hat Linux 6.0 requires Fix Pack 4. Windows 2012 requires Fix Pack 7.
IBM DB2 Enterprise Version 10.1.0.2 | Fix Pack 2 | IBM DB2 Enterprise 10.1 is only supported on 64-bit operating systems. Using IBM DB2 10.1 with IBM Tivoli® Directory Server 6.3 requires IBM Tivoli Directory Server 6.3 Fix Pack 21.
Oracle 10g Standard Edition and Enterprise Edition Release 2 | none | The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.
Oracle 11g Standard and Enterprise Edition Release 2 | none | The Oracle 11.1.0.7 database driver is required for both Oracle 10g Release 2 and 11g databases.
Microsoft SQL Server Enterprise Edition 2008 | none |
Microsoft SQL Server Enterprise Edition 2008 Release 2 | none |
Directory server support
IBM Security Identity Manager supports multiple directory servers.
Table 5. Directory server support
Directory server | Fix packs | Notes
IBM Tivoli Directory Server, Version 6.2 | Fix Pack 29 | IBM Tivoli Directory Server supports the operating system releases that IBM Security Identity Manager supports. A fix pack can have requirements for a specific level of Global Security ToolKit (GSKit); for more information, see the documentation that the directory server product provides, for example at http://www-947.ibm.com/support/entry/portal/documentation_expanded_list/software/security_systems/tivoli_directory_server
IBM Tivoli Directory Server, Version 6.3 | Fix Pack 21 | Fix Pack 21 is required for IBM Tivoli Directory Server V6.3 to work with IBM DB2 10.1. The operating system and GSKit notes for Version 6.2 also apply.
Sun Directory Server Enterprise Edition 6.3.1 and 7.0 | none | See Oracle documentation to verify operating system support.
Oracle Directory Server Enterprise Edition 11.1.1 | none |
Directory Integrator support
IBM Security Identity Manager supports IBM Tivoli Directory Integrator. You can optionally install IBM Tivoli Directory Integrator for use with IBM Security Identity Manager.
IBM Tivoli Directory Integrator is used to enable communication between the installed agentless adapters and IBM Security Identity Manager. See the IBM Security Identity Manager Installation Guide.
Table 6. Supported versions of IBM Tivoli Directory Integrator
Release | Fix pack
IBM Tivoli Directory Integrator, Version 7.1 | Fix Pack 3
IBM Tivoli Directory Integrator, Version 7.1.1 | Fix Pack 2
IBM Tivoli Directory Integrator supports each of the operating system versions that IBM Security Identity Manager supports.
Report server support
IBM Security Identity Manager supports IBM Tivoli Common Reporting Version 2.1.1.
Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. It is the best practice to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.
The following fix packs and interim fixes are required. Install the fixes in the following order:
1. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 2
2. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 5
3. IBM Tivoli Integrated Portal Fix Pack 2.2.0.7
4. IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6
To obtain fixes:
- Download the latest fixes for IBM Tivoli Common Reporting Server from the Fix Central website at http://www.ibm.com/support/fixcentral/.
- Obtain and install the IBM Tivoli Integrated Portal Fix Pack 2.2.0.7 before you install IBM Tivoli Common Reporting, Version 2.1.1, interim fix 6. For instructions for obtaining IBM Tivoli Integrated Portal Fix Pack 2.2.0.7, see the IBM developerWorks® topic: Tivoli Common Reporting 2.1.1 Interim Fix 6.
Prerequisites for IBM Cognos report server
IBM Security Identity Manager supports IBM Cognos Business Intelligence Server version 10.2.1.
You must install the software in the following table to work with IBM Security Identity Manager Cognos reports.
Table 7. Software requirements for IBM Cognos report server
Software | For more information, see
IBM Cognos Business Intelligence Server, version 10.2.1 |
  1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
  2. Search for Business Intelligence Installation and Configuration Guide 10.2.1.
  3. Search for the installation information and follow the procedure.
Web server |
  1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
  2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
  3. Click the 10.2.1 tab.
  4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
  5. Search for the Web Servers section.
Data sources |
  1. Access the IBM Cognos Business Intelligence documentation at http://pic.dhe.ibm.com/infocenter/cbi/v10r2m1/index.jsp.
  2. In the right pane of the home page, under the Supported hardware and software section, click IBM Cognos Business Intelligence 10.2.1 Supported Software Environments.
  3. Click the 10.2.1 tab.
  4. Click Software in the Requirements by type column under the section IBM Cognos Business Intelligence 10.2.1.
  5. Search for the Data Sources section.
Note: Optionally, you can install IBM Framework Manager, version 10.2.1 if you want to customize the reports or models.
Browser requirements for client connections
IBM Security Identity Manager has browser requirements for client connections. IBM Security Identity Manager supports the following browser versions:
- Microsoft Internet Explorer 9.0
- Microsoft Internet Explorer 10.0
- Mozilla Firefox 3.6 (supported on AIX only)
  Note:
  1. Microsoft Internet Explorer 10.0 Metro mode is not supported.
  2. Firefox 3.6 requires the Next-Generation Java plug-in, which is included in Java 6 Update 10 and newer versions.
  3. The Identity Service Center user interface is not supported in Firefox 3.6.
- Mozilla Firefox 10 Extended Support Release (not supported on AIX)
  Note: The Identity Service Center user interface is not supported in Firefox 10 Extended Support Release.
- Mozilla Firefox 17 Extended Support Release (not supported on AIX)
- Mozilla Firefox 24 Extended Support Release (not supported on AIX)
Additional notes on client connections:
- The IBM Security Identity Manager software distribution does not include the supported browsers.
- The IBM Security Identity Manager administrative user interface uses applets that require a Java plug-in that is provided by Sun Microsystems JRE Version 1.6 or higher. When the browser requests a page that contains an applet, it attempts to load the applet with the Java plug-in. If the required JRE is not present on the system, the browser prompts the user for the correct Java plug-in, or fails to complete the presentation of the items in the window. The IBM Security Identity Manager user interface is displayed correctly for all pages that do not contain a Java applet, regardless of JRE installation.
- You must enable cookies in the browser to establish a session with IBM Security Identity Manager.
- Do not start two or more separate browser sessions from the same client computer. The two sessions share one session ID, which causes problems with the data.
Adapter level support
The IBM Security Identity Manager installation program always installs a number of adapter profiles:
- AIX profile (UNIX and Linux adapter)
- Solaris profile (UNIX and Linux adapter)
- HP-UX profile (UNIX and Linux adapter)
- Linux profile (UNIX and Linux adapter)
- LDAP profiles (LDAP adapter)
The IBM Security Identity Manager installation program optionally installs the IBM Security Identity Manager LDAP adapter and the IBM Security Identity Manager UNIX and Linux adapter. Newer versions of the adapters might be available as separate downloads. Install the latest versions before you use the adapters.
You must take additional steps to install adapters if you choose not to install them during the IBM Security Identity Manager installation.
The following table lists the UNIX and Linux systems and versions that are supported by the UNIX and Linux adapter.
Table 8. Prerequisites to run the UNIX and Linux adapter
Operating system | Version
AIX | AIX 6.1, AIX 7.1
HP-UX | HP-UX 11iv1, HP-UX 11iv1 trusted, HP-UX 11iv2, HP-UX 11iv2 trusted, HP-UX 11iv3, HP-UX 11iv3 trusted
Red Hat Linux | Red Hat Enterprise Linux Server 6.0, Red Hat Enterprise Linux Server 6.1, Red Hat Enterprise Linux Server 6.2
Oracle Solaris | Oracle Solaris 10
SUSE Linux | SLES 10.0, SLES 11.0
The following directory server versions are supported by the LDAP adapter:
- IBM Tivoli Directory Server 6.1, IBM Tivoli Directory Server 6.2, IBM Tivoli Directory Server 6.3
- Sun Directory Server Enterprise Edition 6.3, Sun Directory Server Enterprise Edition 6.3.1
The LDAP adapter supports an LDAP directory that uses the RFC 2798 (inetOrgPerson) schema. This schema supports communication between IBM Security Identity Manager and systems that run IBM Tivoli Directory Server or Sun Directory Server Enterprise Edition. The IBM Security Identity Manager LDAP Adapter Installation Guide describes how to configure the LDAP adapter.
Adapters are available at the following IBM Passport Advantage website: http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/passporthome
Installation and configuration guides for adapters can be found in the IBM Security Identity Manager product documentation website at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0.0.2/kc-homepage.htm.
Chapter 3. What's new in this release
IBM Security Identity Manager Version 6.0 provides new infrastructure, processes, and controls to support privileged identity management. In addition, it provides enhanced support for operational role management and integration with other identity and access management solutions.
Note: The documentation updates in this library are added in the context of the IBM Security Identity Manager, version 6.0.0, Fix Pack 2.
The Identity Service Center, Cognos Reporting, and selected Shared Access features are only available in your system after you install the fix pack.
See the following README files for installation, configuration, and removal details:
- ISIM6.0.0FP2_InstallAndConfig_README.pdf
- ISIM6.0.0FP2_UnInstallAndManualRemoval_README.pdf
- ISPIM1.0.1FP2_InstallandConfig_README.pdf
See the topics that follow for detailed descriptions of new features and function.
Account ownership type
New account ownership types separate personal accounts from custodial accounts. Accounts that represent a user identity for personal use are individual accounts. All other accounts are sponsored accounts. Examples of sponsored accounts include the root account on a UNIX system, application accounts, and device accounts. The owner of a sponsored account typically configures the account and completes maintenance tasks such as password reset.
The type of ownership affects the password management process and provisioning policy evaluation. Password synchronization applies only to accounts of ownership type "Individual". Account entitlements in a provisioning policy are specified differently for each account type: entitlement to a particular service can be based on the specific ownership type on the service.
You can filter accounts by ownership type when doing account management tasks. You can specify the ownership type when completing account request and account adoption tasks.
See "Ownership type management" in the IBM Security Identity Manager Configuration Guide.
Identity Service Center user interface
IBM Security Identity Manager introduces the Identity Service Center, a new user interface that provides the capability for managers or individuals to request access for individuals.
Note: The Identity Service Center does not support Microsoft SQL Server database. Use DB2 Universal Database™ or Oracle database instead.
Unified access catalog
The Identity Service Center user interface contains a unified access catalog that provides sets of tasks, each tailored for the needs of the default user types:
- System administrator
- Manager
- Employee
- Auditor
Enhanced user experience
The Identity Service Center gives you an enhanced user experience that is tailored to your business goals:
- Request access to applications
- View your requests
Modern, intuitive, and efficient user interface
You can model your business goals and user interface with a dedicated flow. The Identity Service Center has:
- Type-ahead search
- Guided tasks
- Usable layout
- Workflow and tasks that are applicable to your business goals
- Context-sensitive help
Customizable user interface
System administrators can customize the Identity Service Center user interface by copying and modifying the customizable files that are installed with IBM Security Identity Manager. They can also customize the new user interface by replacing the icons and graphics. See the "Identity Service Center user interface customization" section of the IBM Security Identity Manager Configuration Guide for details.
Shared access module
IBM Security Identity Manager provides a shared access module that extends the identity and access management governance capabilities by supporting privileged identity management.
The shared access module is used by an IBM product called IBM Security Privileged Identity Manager. When you purchase IBM Security Privileged Identity Manager, you obtain a license to use the IBM Security Identity Manager shared access module. You can then install the optional shared access module component as part of the IBM Security Identity Manager installation.
The shared access module provides the following support for privileged identity management:
v Credential vault management for shared credentials, which can be connected or not connected to accounts.
v Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.
v Auditing of shared credential activity to monitor accountability and compliance.
v Single sign-on with automated checkin and checkout of shared IDs.
Automation of checkout and checkin is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.
v Management of shared credentials that are not connected to accounts.
v Ability to connect credentials to an account so that the password can be changed at checkin; ability to disconnect credentials from an account.
v The following items are deprecated:
– Adding credentials to the vault through Manage Users, Manage Services > Accounts, or Manage Groups > Manage Members. Instead, use Manage Shared Access > Manage Credential Vault.
– The #Credentials type identifier is deprecated and is provided for users with existing CSV files from a previous release. If you use this type identifier, read the column header descriptions because some of them have changed. It is suggested, however, that you use the #Credentials_v2 type identifier instead of the #Credentials type identifier in your CSV files for shared access bulk load.
v The USE_GLOBAL_SETTINGS column header in the CSV file is changed to USE_DEFAULT_SETTINGS.
v The following access control items (ACIs) are added:
Protection category | Name | Type | Principal
Credential | Default ACI for Credential: Grant All to Domain Admin | erCredential | Domain Admin
Credential Lease | Default ACI for Credential Lease: Grant All to Domain Admin | erCredentialLease | Domain Admin
Account | Default ACI for Account: Grant Connect to Domain Admin and Account Owner | erAccountItem | Domain Admin, Account Owner
Credential Service | Default ACI for Credential Service: Grant All to Domain Admin | erCVService | Domain Admin
Person | Default ACI for Person: Grant Search and role assignment to Privileged Administrator Group | erPersonItem | Privileged Admin
v The following ACIs are removed:
Protection category | Name | Type | Principal
Identity Manager User | Default ACI for ITIM User: Grant Delegate to Privileged Administrator Group | erSystemUser | Privileged Admin
Identity Manager User | Default ACI for ITIM User: Grant Add to Privileged Administrator Group | erSystemUser | Privileged Admin
Recertification Policy | Default ACI for Recertification Policy: Grant All to Privileged Administrator Group | erRecertificationPolicy | Privileged Admin
Report | Default ACI for Pending Recertification Report: Grant Run to Privileged Administrator Group | Pending Recertification Report | Privileged Admin
Report | Default ACI for Recertification Policies Report: Grant Run to Privileged Administrator Group | Recertification Policies Report | Privileged Admin
Static Organizational Role | Default ACI for Role: Grant All to Privileged Administrator Group | erRole | Privileged Admin
For more information, see:
v "Shared access" on page 26
v IBM Security Privileged Identity Manager product documentation website.
Role management
Role management now includes management of extended role attributes and role assignment attributes.
Extended role attributes
The IBM Security Identity Manager administrator can define, set, and modify extended role attributes when creating or modifying a role. These actions are achieved by using a new form template introduced in the form designer for role customization. Both static and dynamic roles support extended role attributes.
Note: Before you can use extended role attributes, you must first set the extended role attributes in LDAP by extending the role definition schema.
After you add the extended role attributes in LDAP, use the form designer to customize and save form templates for roles in the IBM Security Identity Manager administrative console.
Role assignment attributes
The role administration component is enhanced to include the ability to define role assignment attributes, which are associated with the person-role relationship. Only static roles support assignment attributes. Only string-type assignment attributes with the text widget are supported.
Optional role assignment attributes tasks include:
v Defining role assignment attributes when creating or modifying a static role.
v Associating a custom label with each assignment attribute.
v Specifying assignment attribute values when adding user members to the role.
v Specifying assignment attribute values for the existing user members of the role.
ACI capabilities for role assignment attributes
Both the default and new ACIs support attribute-level permissions for role assignment attributes, like other attributes in the role definition. You can now modify or create ACIs. You can set attribute-level permissions for granting or denying usage of these role assignment attributes within the role definition. Only authorized users can read or write assignment attributes. Additionally, you can:
v Set ACIs to read or write assignment attribute values when adding a user to the role.
ACI works the same way as it does for other entities. There is no ACI on a specific role assignment attribute. The following attributes are available:
v erRoleAssignmentKey is on the role and dictates the permission to define role assignment attributes on the role and an attribute.
v erRoleAssignments is on the person and dictates the permission to assign values for the assignment attributes.
You cannot define an ACI on the assignment attribute that you defined on the role.
JavaScript capabilities for role assignment attributes
You can access these capabilities for role assignment attributes within the JavaScript interface:
v The role assignment attributes of the role schema.
v The role assignment attributes and their values for users in role membership.
New JavaScript APIs include:
v Person
v Role
v RoleAssignmentAttribute
v RoleAssignmentObject
For more information, see the reference pages in the IBM Security Identity Manager Reference Guide.
Role assignment attributes and the self-service console
For more information about adding or modifying role assignment attributes for a user profile in the self-service console, see the IBM Security Identity Manager Technotes.
Additional information
For more information on role assignment attributes, see the following topics:
Table 9. More information on role assignment attributes
Topic title | IBM Security Identity Manager documentation
"Role assignment attributes" | Administration Guide
"Role assignment attribute tables" | Database and Directory Server Schema Reference
"Person" | Reference Guide
"Role" | Reference Guide
"RoleAssignmentAttribute" | Reference Guide
"RoleAssignmentObject" | Reference Guide
Service management and provisioning
Service management and provisioning now supports a new account form, an advanced connection mode, new service status information, and service tagging. See:
v "Service level form" on page 16
v "Service connection mode"
v "Service status and failure retry" on page 17
v "Service tagging" on page 17
Service level form
You can specify different account forms for each service instance of a particular service type.
You can define an account form for a service in the console. For example, you can customize the form for the account type, such as Windows Local Account Form. Because each service instance of a particular service type can have its own account form, this feature removes the restriction of needing to use the same form for every service instance of that type.
You can use your new form to request a new account or modify an existing account. You can also use your new form for provisioning policy parameters. If you have an account form customized for a service, and you select service specific entitlements for that service in the provisioning policy, the specific widget for that attribute that you customized is displayed.
You can also use the new form for repeat account creation or modification in the administration console or the self service console.
See "Customizing account form templates for a service instance" in the IBM Security Identity Manager Configuration Guide.
Service connection mode
This release introduces a new service form attribute for connection mode. Use this attribute to create a service that can function like either an automated or a manual service.
You can now specify a service connection mode of manual or automated. The connection mode setting dictates the IBM Security Identity Manager behavior for account management, and minimizes the configuration required for transition between different connection modes to end points.
The new attribute for connection mode is erconnectionmode. This attribute enables you to create a service and to specify a manual account request route before installing the adapter for the managed resource. The advantage of using connection mode is that you do not need to create and later remove a manual service. After installing the adapter, you can change the service so that the managed resource handles the account requests. Use the change service task to change the connection mode from manual to automatic.
After you change a service to automatic connection mode, automatic is the default setting for any services of that service type.
Connection mode is not supported on ITIM service or any type of identity feed service, hosted service, or manual service types. Do not add the erconnectionmode attribute to the forms for those service types.
See the following topics in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide:
v "Creating a service that has manual connection mode"
v "Changing connection mode from manual to automatic"
Service status and failure retry
The IBM Security Identity Manager administrative console is enhanced to display status information for each service, to search for services with a specific status, and to provide an option to retry blocked requests.
The values in the service status reflect the ability of the IBM Security Identity Manager server to contact the managed resource for the service for provisioning actions. The user interface also allows searching for services with a specific status value. You can use the value to locate services that failed or are recovering from a failure.
This release provides a new action, Retry Blocked Requests, that you can use to immediately restart the blocked requests from the Manage Services panel. This action tests a service to see whether the problem is corrected. If the test is successful, it restarts any blocked requests for a failed service.
For more information, see the topic "Service status" in the IBM Security Identity Manager Administration Guide.
Service tagging
You can define multiple tags for a service in the service form.
You can use service tags to fine-tune provisioning policy entitlement for a service type. You can specify that entitlement is only applicable for services with matching tags.
On the administration console, you can trigger automated provisioning of new accounts and policy enforcements on all accounts of a service. Use the Manage Services console entry point, select Search, and then open the twistie for a service and click Enforce Policy.
See the topic "Service tagging" in the "Services administration" chapter of the IBM Security Identity Manager Administration Guide.
Enhanced adapter testing
Service management and provisioning now support enhanced adapter testing. Enhanced adapter testing provides more information about, and more status information for, the adapter that is configured for the resource. To start the adapter test, click Test Connection in the service form.
Examples of the additional information are the adapter version, the adapter installation platform, and the profile version.
Examples of the status information are the time stamp of the previous test and memory usage.
For more information, see the Adapter documentation section in the IBM Security Identity Manager product documentation.
Account and access management
IBM Security Identity Manager extends account and access management to support multiple access levels, and to support account search in the self service console. See:
v "Multiple level access types"
v "Account search in the self service console"
Multiple level access types
IBM Security Identity Manager supports multiple levels of access types that simulate a hierarchical tree structure with a set of linked nodes.
A hierarchy represents access levels. The access types are categorized in the form of parent-child access types. This structure aids in the administration of large deployments.
An administrator can do these actions:
v Manage access types in a hierarchical tree structure.
v Search an access type by categories during an access request by using the tree structure.
v Specify an access type from any level to associate with a group or role.
v Translate organizational access types into system-defined access types in a hierarchical tree structure.
v Categorize multiple access types in an organization for a particular access category. For example, access to all financial applications can be categorized under Application > Finance.
A user can search, filter, or request for an access based upon the access types. See the topic "Access type management" in the IBM Security Identity Manager Configuration Guide, and the topic "Creating an access type based on role" in the IBM Security Identity Manager Administration Guide.
Account search in the self service console
The account search function is now available in the self service console.
You can now search accounts when using the following features in the self service console:
v Viewing or changing accounts
v Deleting accounts
v Changing passwords
You can base the account search on ownership type, account ID, service type (account profile), service (account type), or organizational container.
Authentication with an external user registry configured with WebSphere
The IBM Security Identity Manager authentication mechanism is integrated with the container-based security capabilities of WebSphere Application Server.
IBM Security Identity Manager users can authenticate against a WebSphere Application Server user registry, and then be mapped to an IBM Security Identity Manager user.
The login support includes:
v Forgotten password, with challenge response
v Password expiration
v Account suspension with maximum logon attempts
You can use an external user registry when doing an initial installation of IBM Security Identity Manager. Alternatively, you can install IBM Security Identity Manager with the custom registry, and then later reconfigure to use an external user registry.
Use of an external user registry requires configuration of the WebSphere security domain. IBM Security Identity Manager provides documentation of an example configuration for an external user registry; the example documentation is in the extensions directory in the product distribution. If you want to use an external user registry during an initial installation of IBM Security Identity Manager, you must do the configuration steps before the installation. If you want to configure an external user registry after the IBM Security Identity Manager installation, you must finish the installation with the default custom user registry and then manually configure the external user registry.
For more information, see the topic "Using an external user registry for authentication" in the IBM Security Identity Manager Security Guide.
Vertical cluster support
You can now install IBM Security Identity Manager in a WebSphere deployment that uses vertical clusters.
A vertical cluster has cluster members on the same node, or physical machine. A horizontal cluster has cluster members on multiple nodes across many machines in a cell. You can now install an IBM Security Identity Manager into both horizontal and vertical cluster topologies.
For more information, see the following topics in the IBM Security Identity Manager Installation Guide:
v "Clustered configuration"
v "Creating the WebSphere clusters for the IBM Security Identity Manager application"
Application programming interfaces
IBM Security Identity Manager supports additional application programming interfaces.
New additions include Web Services API, new APIs to manage recertification policies, and new logging APIs for use in JavaScript.
See:
v "Web Services API" on page 20
v "Extensions to the Recertification Policy API" on page 20
v "Enhanced logging APIs for use in custom JavaScript"
Web Services API
The IBM Security Identity Manager Web Services wrappers provide a lightweight communication channel to the IBM Security Identity Manager server.
You can use the Web Services API to add user functions into your custom built applications.
The Web Services client does not depend on installation of either IBM Security Identity Manager or WebSphere Application Server.
For more information, see the topic "Web Services API" in the IBM Security Identity Manager Reference Guide.
Extensions to the Recertification Policy API
IBM Security Identity Manager uses recertification policies to automate the revalidation of entitlements granted to a user.
The introduction of new APIs provides capabilities to search, add, modify, delete, and run recertification policies in IBM Security Identity Manager from a remote application.
The recertification policy API consists of a set of Java classes. The classes abstract the more commonly used concepts of the recertification policies, such as recertification policy targets, participants, recertification action, and policy schedules.
For more information, see:
v "Recertification Policy API" in the IBM Security Identity Manager Reference Guide
v "Recertification policies" in the IBM Security Identity Manager Administration Guide
Enhanced logging APIs for use in custom JavaScript
The introduction of enhanced logging APIs provides new methods for use in custom JavaScript extensions.
The new methods provide the following increased flexibility in IBM Security Identity Manager:
v Ability to selectively log messages to the IBM Security Identity Manager trace log or message log.
v Ability to log messages at a specified severity, such as ERROR, WARN, or INFO for msg.log, and DEBUG_MIN, DEBUG_MID, or DEBUG_MAX for trace.log.
v Allows runtime configuration of which messages are written to the log file by specifying the component-logging level in the enRoleLogging.properties file.
Before the IBM Security Identity Manager Version 6.0 release, the only logging option from JavaScript was to write to the msg.log at ERROR level. With the new logging APIs in Version 6.0, you can define custom logging or tracing messages at different logging levels. You can also control through runtime configuration which statements are logged. Which log statements are written to the log or trace files is controlled by configuring the logging levels in enRoleLogging.properties, in the same way as for the other IBM Security Identity Manager components. The component name in that file is the one that the user passes to the log and trace methods. This configuration provides the following capabilities:
v Fine-grained control of custom-generated trace messages.
v Flexibility to indicate which custom JavaScript piece generated the log or trace message by viewing the component and method in the resulting log record.
The new methods are on the Enrole JavaScript extension.
v For writing to the msg.log:
– logInfo(String component, String method, String message)
– logWarn(String component, String method, String message)
– logError(String component, String method, String message)
v For writing to the trace.log:
– traceMax(String component, String method, String message)
– traceMid(String component, String method, String message)
– traceMin(String component, String method, String message)
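The methods listed above, as an added example that is not part of the IBM documentation or of the product's own code: a small wrapper (createScriptLogger, a hypothetical helper name) that selects the Enrole method for a given severity and, before logging, replaces line breaks and other control characters in the message so that an attribute value copied from a user-editable field cannot forge extra records in msg.log or trace.log. In a real workflow or provisioning script the Enrole object is supplied by the product; here makeRecordingEnrole is a constructed stand-in that records the calls, so the code runs outside IBM Security Identity Manager.

```javascript
// Added example (not from the IBM documentation): a wrapper around the Enrole
// logging methods for custom ISIM JavaScript. The Enrole object is the product's
// global in a real script; makeRecordingEnrole below is a constructed double.

// Severity names from the documentation, mapped to the Enrole method that
// writes them: the first group goes to msg.log, the second to trace.log.
const MSG_LOG_METHODS = { ERROR: "logError", WARN: "logWarn", INFO: "logInfo" };
const TRACE_LOG_METHODS = { DEBUG_MIN: "traceMin", DEBUG_MID: "traceMid", DEBUG_MAX: "traceMax" };

// Own-property check so a level such as "constructor" is rejected rather than
// resolving to a prototype member.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Replace runs of control characters (CR, LF, TAB, ...) with one space so a
// value taken from a user-editable attribute cannot forge extra log records.
function sanitizeMessage(message) {
  return String(message).replace(/[\u0000-\u001f\u007f]+/g, " ").trim();
}

// Hypothetical helper: returns a logger bound to one component name. Each call
// picks the Enrole method for the level and returns the file it writes to.
function createScriptLogger(enrole, component) {
  return {
    log(level, method, message) {
      const clean = sanitizeMessage(message);
      if (hasOwn(MSG_LOG_METHODS, level)) {
        enrole[MSG_LOG_METHODS[level]](component, method, clean);
        return "msg.log";
      }
      if (hasOwn(TRACE_LOG_METHODS, level)) {
        enrole[TRACE_LOG_METHODS[level]](component, method, clean);
        return "trace.log";
      }
      throw new Error("unknown logging level: " + level);
    },
  };
}

// Constructed stand-in for the Enrole extension: it records every call as
// (level, component, method, message) instead of writing the product's files.
function makeRecordingEnrole() {
  const records = { "msg.log": [], "trace.log": [] };
  const recorder = (file, level) => (component, method, message) => {
    records[file].push({ level, component, method, message });
  };
  return {
    records,
    logError: recorder("msg.log", "ERROR"),
    logWarn: recorder("msg.log", "WARN"),
    logInfo: recorder("msg.log", "INFO"),
    traceMin: recorder("trace.log", "DEBUG_MIN"),
    traceMid: recorder("trace.log", "DEBUG_MID"),
    traceMax: recorder("trace.log", "DEBUG_MAX"),
  };
}

// Demonstration: a provisioning script traces an attribute value at DEBUG_MAX
// and reports a failure at ERROR. The attribute value is constructed to carry
// a CR/LF sequence, which would otherwise start a new line in the log.
function demo() {
  const enrole = makeRecordingEnrole();
  const logger = createScriptLogger(enrole, "CustomProvisioning");
  const untrustedTitle = "Analyst\r\nERROR forged record"; // constructed input
  logger.log("DEBUG_MAX", "buildAccount", "title=" + untrustedTitle);
  logger.log("ERROR", "buildAccount", "no service tag matched the entitlement");
  return enrole.records;
}
```

In a deployed script the only change is to pass the product's Enrole object to createScriptLogger; the component and method names you pass are the ones you then reference in enRoleLogging.properties to raise or lower the level for that script.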
For more information, see the following topics in the IBM Security Identity Manager Reference Guide:
v "Enrole"
v "enRoleLogging.properties"
Report data synchronization enhancements
Report data synchronization was redesigned to improve performance, and a new utility provides remote data synchronization capability.
Note: Though IBM Tivoli Common Reporting is currently supported, it is being deprecated. It is the best practice to use IBM Cognos Business Intelligence Server version 10.2.1 to generate IBM Security Identity Manager reports.
The report data synchronization enhancements are:
v Redesign to improve the performance of data synchronization of the following entity types:
– Accounts
– Authorization Owners
– Groups
– Organizational Containers
– People
– Roles
– Services
See the file ISIM_HOME/data/ReportDataSynchronization.properties for more details about the following properties:
– accountSynchronizationStrategy
– authorizationOwnerSynchronizationStrategy
– groupSynchronizationStrategy
– organizationalContainerSynchronizationStrategy
– personSynchronizationStrategy
– roleSynchronizationStrategy
– serviceSynchronizationStrategy
v IBM Security Identity Manager report data synchronization utility: A self-contained utility that can be used to run the report data synchronization process outside of the IBM Security Identity Manager operational environment.
See the topic "Data synchronization" in the IBM Security Identity Manager Administration Guide.
Health monitoring
The IBM Security Identity Manager server is enhanced to provide deployment health monitoring features. These features include monitoring of performance and availability of various requests in the key components.
The provisioning and workflow components add instrumentation, which tracks events in the WebSphere Performance Monitoring Infrastructure (PMI) system. Additionally, the server includes new APIs to better integrate with monitoring products, such as IBM Tivoli Monitoring.
For more information, see the topic "IBM Security Identity Manager deployment health monitoring" in the IBM Security Identity Manager Performance Tuning Guide.
IBM Cognos reporting framework
IBM Security Identity Manager version 6.0 provides the Cognos reporting framework to create and analyze reports. You can modify the schema and generate reports in different formats.
Note: Cognos reporting does not support Microsoft SQL Server database. Use DB2 database or Oracle database instead.
The IBM Cognos reporting framework includes the following items:
Reporting model
Represents the business view of IBM Security Identity Manager data. You can use the models to customize and generate different types of reports that suit your requirements.
Static reports
Ready-to-use reports that are bundled with the IBM Security Identity Manager reporting packages.
Chapter 4. Known limitations, problems, and workarounds
You can view the known software limitations, problems, and workarounds on the IBM Security Identity Manager Support site.
The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience. The following link launches a customized query of the live Support knowledge base for items specific to version 6.0:
IBM Security Identity Manager Version 6.0 technical notes
To create your own query, go to the Advanced search page on the IBM Software Support website.
Chapter 5. Features overview
IBM Security Identity Manager delivers simplified identity management capabilities in a solution that is easy to install, deploy, and manage.
IBM Security Identity Manager provides essential password management, user provisioning, and auditing capabilities.
Access management
In a security lifecycle, IBM Security Identity Manager and several other products provide access management. You can determine who can enter your protected systems. You can also determine what they can access, and ensure that users access only what they need for their business tasks.
Access management addresses three questions from the business point of view:
v Who can come into my systems?
v What can they do?
v Can I easily prove what they did with that access?
These products validate the authenticity of all users with access to resources, and ensure that access controls are in place and consistently enforced:
v IBM Security Identity Manager
Provides a secure, automated, and policy-based user management solution that helps effectively manage user identities throughout their lifecycle across both legacy and e-business environments. IBM Security Identity Manager provides centralized user access to disparate resources in an organization, with policies and features that streamline operations associated with user-resource access. As a result, your organization realizes numerous benefits, including:
– Web self-service and password reset and synchronization; users can self-administer their passwords with the rules of a password management policy to control access to multiple applications. Password synchronization enables a user to use one password for all accounts that IBM Security Identity Manager manages.
– Quick response to audits and regulatory mandates
– Automation of business processes related to changes in user identities by providing lifecycle management
– Centralized control and local autonomy
– Enhanced integration with the use of extensive APIs
– Choices to manage target systems either with an agent or agentless approach
– Reduced help desk costs
– Increased access security through the reduction of orphaned accounts
– Reduced administrative costs through the provisioning of users with software automation
– Reduced costs and delays associated with approving resource access to new and changed users
v IBM Security Access Manager
Enables your organization to use centralized security policies for specified user groups to manage access authorization throughout the network, including the vulnerable, internet-facing web servers. IBM Security Access Manager can be tightly coupled with IBM Security Identity Manager to reconcile user groups and accounts managed by IBM Security Access Manager with the identities managed by IBM Security Identity Manager to provide an integrated solution for resource access control.
IBM Security Access Manager delivers:
– Unified authentication and authorization access to diverse web-based applications within the entire enterprise
– Flexible single sign-on to web, Microsoft, telnet and mainframe application environments
– Rapid and scalable deployment of web applications, with standards-based support for Java Platform, Enterprise Edition (Java EE) applications
– Design flexibility through a highly scalable proxy architecture and easy-to-install web server plug-ins, rule- and role-based access control, support for leading user registries and platforms, and advanced APIs for customized security
v IBM Security Federated Identity Manager
Handles all the configuration information for a federation across organizational boundaries, including the partner relationships, identity mapping, and identity token management.
IBM Security Federated Identity Manager enables your organization to share services with business partner organizations and obtain trusted information about third-party identities such as customers, suppliers, and client employees. You can obtain user information without creating, enrolling, or managing identity accounts with the organizations that provide access to services that are used by your organization. So, users are spared from registering at a partner site, and from remembering additional logins and passwords. The result is improved integration and communication between your organization and your suppliers, business partners, and customers.
For more information about how access management products fit in larger solutions for a security lifecycle, see the IBM Security Management website: http://www.ibm.com/software/tivoli/solutions/security/
IBM Redbooks® and Redpapers also describe implementing IBM Security Identity Manager within a portfolio of IBM security products.
Shared access
IBM Security Identity Manager supports shared access by providing a shared access module.
Installation and use of the shared access module is required for the IBM privileged identity management solution. The shared access module is licensed as part of the IBM Security Privileged Identity Manager product. When you purchase IBM Security Privileged Identity Manager, you obtain a license that enables you to use the IBM Security Identity Manager shared access module.
The shared access module extends the IBM Security Identity Manager support for account provisioning, and also extends the identity and governance framework. Highlights:
v Credential vault management for shared credentials, which can be connected or not connected to accounts.
v Shared access uses secure check in, check out, and logging of credentials from a credential vault server.
v Administrative control of shared credential access ensures individual accountability.
v Java APIs and Web Services APIs make it possible for application clients to programmatically access shared credentials.
v There is role-based access control for shared credential access and shared account ownership.
v Lifecycle management of shared credentials. This management includes role-based access requests, role membership, and shared credential access.
v There is end-to-end auditing for administration and shared credential access activities.
v There are web applications for shared credential administration and manual check out and checkin.
v Automation of checkout and checkin is achieved when IBM Security Identity Manager is deployed as part of the IBM Security Privileged Identity Manager product solution.
Shared access documentation
The shared access documentation includes topics that describe installation, configuration, administration, and troubleshooting of the shared access module. The documentation also describes shared access programming APIs, database schema, directory server schema, and user scenarios.
Features
Table 10. Shared access features
Description | Link to documentation
Shared access module features | "Shared access" on page 26
Roadmap for deploying shared access for a managed resource | "Roadmap for configuring shared access for a managed resource" on page 30
Privileged administrator view and default access control items | See the topic "Scope of the privileged administrator group" in the IBM Security Identity Manager Planning Guide
Privileged user view and default access control items | See the topic "Scope of the privileged user group" in the IBM Security Identity Manager Planning Guide
Installation and upgrade
Table 11. Installation and upgrade
Description | See the following topics in the IBM Security Identity Manager Installation Guide
Installation of the shared access module | "Shared access module configuration"
Addition of the shared access module during an upgrade on a WebSphere single server | "Configuring the shared access module during upgrade on a WebSphere single server"
Addition of the shared access module during an upgrade on a WebSphere cluster | "Configuring the shared access module during upgrade on a WebSphere cluster"