Previous      Contents      Next
Sun Java[tm] System Identity Manager Quick Start Guide

Chapter 4
Quick Start Scenario

This Quick Start Scenario provides a guided demonstration of some of Identity Manager’s most powerful features. The demonstration consists of three sections:

Basic Provisioning:
Provisioning to a resource (Active Directory, LDAP, Red Hat Linux, or Solaris)
Configuring email notifications when resource accounts are created, updated, or deleted
Requiring approvals before resource accounts are created, updated, or deleted
End User Self-Service:
Logging in with authentication questions when a password is forgotten
Changing passwords on one or more resources
Changing personal data
Advanced Features:
Viewing all changes to a user with the Historical User Change Report
Loading all accounts from the managed server into Identity Manager with reconciliation
Detecting changes on a managed server with reconciliation or Active Sync

In addition, the following users are provided to illustrate how different people in an organization can use Identity Manager:

Configurator: A super-user in Identity Manager who can provision resource accounts, configure Identity Manager, run reports, and reconcile accounts from the configured server

In a typical deployment, you can create different administrators who have subsets of these capabilities. For example, you might create a Report Administrator (to run reports), a Password Administrator (who can reset user passwords), and so forth.

Additionally, you can grant administrators capabilities in certain Identity Manager organizations to limit their scope of control – referred to as delegated administration. For example, administrators can have the Approver capability for the Sales organization, which allows them to approve or reject account creation for new users in the Sales organization, but not for new users in the Engineering organization.

Demoapprover: An administrator can approve or reject requests to create, update, or delete new user accounts.
End User: A typical employee with accounts on one or more managed servers.

End users can login to the Identity Manager End User Portal to manage their personal information (name, email address, etc.) and change their passwords.

---

Basic Provisioning

This section provides instructions for

Creating Accounts on a Configured Server
Configuring Identity Manager to Send Email Notifications
Configuring Identity Manager to Approve Account Creations

Creating Accounts on a Configured Server

You can create an account on the resource configured in the Setup Wizard by creating an Identity Manager user with the assigned resource, as follows:

Open a Web browser and type the following address into the address bar:

http://localhost:8080/idm/

Note	Depending on the options that you selected during the Tomcat installation, the port may be different.

Login to the Identity Manager Administrator interface as the Configurator user. The default password for this user is configurator.
Click the Accounts tab to navigate to the Accounts page.
Select New User from the New Actions menu to create a new user.
Enter the following information on the Identity tab:
Account ID
First name
Last name
Email address
Password

Note	The password must conform to the Password Policy described in the “Resource account whose password will be changed” table. You can modify this password policy to match your corporate standards by navigating to Security > Policies and clicking Password Policy.

In the Individual Resource Assignment field on the Assignments tab, select the resource that you configured in the Setup Wizard.
Optionally enter any additional information about the resource account on the Attributes tab.
Click Save.

The Create User Results should show that a Lighthouse user was created (this is the virtual user in Identity Manager) and that an account was created on the resource. You can use native tools on the resource to verify that the account was actually created.

Click OK at the bottom of the Results page.

The user that you just created should display on the List Accounts page.

Configuring Identity Manager to Send Email Notifications

Use the following steps to configure Identity Manager to send email notifications when new users are created:

Select the Server Tasks > Configure Tasks tabs to access the Task Configuration page.
Click Create User Template to edit properties for the workflow that runs when a user is created in Identity Manager.
Select the Notification tab.
Select Administrator List for the Determine Notification Recipients from field.
Select demoapprover from the Administrators to Notify field.

This is the demoapprover user that was created in the Setup Wizard. When you select this user, Identity Manager will send email to the email address that you specified in the Setup Wizard when new users are created in Identity Manager.

Select Account Creation Notification as the for the Email Template field.
Click Save.
Repeat steps 4–11 from the Creating Accounts on a Configured Server section to create a new user.
If you configured an SMTP server in the Setup Wizard, Identity Manager will send an email to the demoapprover.
If you configured a notification file in the Setup Wizard, you can open the notification file in a text editor to see the email that would have been sent.

Identity Manager uses a process diagram to illustrate the steps that are executed by the workflow when creating, updating, or deleting a user. If user interaction is required during a workflow (such as an approval) the process diagram shows which workflow steps have run and which steps will run after the required interaction is completed.

Figure 4-1  Example Process Diagram

For more information about workflows, and an illustrated example of altering the approval workflow, see Sun Java™ System Identity Manager Workflows, Forms, and Views.

Note	You can also Configure notifications for user updates and deletes. Repeat the preceding steps 1–7, being sure to select the appropriate email template (Update User Template or Delete User Template) for step 2. Enable the Notify User checkbox on the Notification tab to send an email to the end user who is being created, updated, or deleted. Use an Attribute, a Query on the resource, or a Rule to determine additional notification recipients.

Configuring Identity Manager to Approve Account Creations

When you add a user to the Identity Manager system, administrators who are assigned as approvers for new accounts must validate the account creation. Identity Manager supports four categories of approvals, applied to these Identity Manager objects:

Organization — Approval is needed for the user account to be added to the organization.
Role — Approval is needed for the user account to be assigned to a role.
Resource — Approval is needed for the user account to be given access to a resource.
Additional Approvals — Approvals are determined with a rule, query, or list in the Configurable Task. You will use this approval type for this scenario.

For this scenario, you will require the demoapprover administrator to approve an account creation, as follows:

Select the Server Tasks > Configure Tasks tabs to access the Task Configuration page.
Click Create User Template to edit properties for the workflow that is run when a user is created in Identity Manager.
Select the Approvals tab.
Select Administrator List for the Determine additional approvers from field.
Select demoapprover for the Approval Administrator field.
Enable all checkboxes in the Editable column of the Approval Attributes table to allow the approver to modify these attributes when approving user creations.
Click Save.
Repeat steps 4-11 in the Creating Accounts on a Configured Server section to create a new user.

Notice that the Create User Results page states that the creation is pending an approval from demoapprover. If you view the List Accounts page, the new user will not yet appear.

If you configured an SMTP server in the Setup Wizard, Identity Manager will send an email to the demoapprover to notify the administrator that an account creation approval has been requested.
If you configured a notification file in the Setup Wizard, you can open the notification file in a text editor to view the email that would have been sent.
Click Logout to log Configurator out of Identity Manager.
When the Login page displays, log in as demoapprover and use the password that you specified in the Setup Wizard.

Notice that there are only three tabs in Identity Manager when you are logged in as demoapprover – Home, Passwords, and Work Items.

Identity Manager only displays tabs and sub-tabs for pages that the logged in user can use. Because demoapprover only has the Approver capability, these three tabs are the only pages that are available.

Select the Work Items tab to view the Awaiting Approvals page.

Note	The process diagram (described in Configuring Identity Manager to Send Email Notifications) is stalled at this point, awaiting an approval.

Click the approval link in the table, and then click the approval.
If necessary, you can change user attributes or add comments about the approval.

Note	You can forward an approval to a different user by selecting that Identity Manager user’s name in the Forward to list.

Click Approve to approve the account creation request.
Logout demoapprover and log back in as Configurator.
Click the Accounts tab to verify that the new user was created after the approval. Also, demoapprover should receive an email notification that the account was created.

Note	You can also configure approvals for user updates and deletes. Repeat the preceding steps 1–7, being sure to select the appropriate email template (Update User Template or Delete User Template) for step 2. Use the Approval times out after option to specify what happens if an approval has not been accepted or rejected within a certain time period. You can reject the request, escalate the approval to a different approver, or run a custom task (such as send email to another administrator).

---

End User Self-Service

The End User Self-Service section demonstrates how end users can use Identity Manager to login with authentication questions when they forget their password, change their password on all resource accounts, and change their personal data.

In this section you are assuming the role of an end user and performing the following tasks:

Changing Your Authentication Questions’ Answers
Changing Your Password
Changing Your Personal Data

Changing Your Authentication Questions’ Answers

To change the answers to your authentication questions:

To view the login page for the end user interface, open a Web browser and type the following address into the address bar:

http://localhost:8080/idm/user/login.jsp

Note	Depending on the options that you selected for the Tomcat installation, the port may be different than 8080.

Enter the User ID and Password of a user that you created in the Basic Provisioning section.
Click Authentication Questions, and then click the Profiles tab.
Enter an answer for the displayed question.

Note	You can configure the list of authentication questions and question policy from the administrator interface. Log in as Configurator, select Configure > Policies, and click Default Lighthouse Account Policy.

Click Save to save the new answer to your question.
Click Logout.

Changing Your Password

To change your password:

Enter the same User ID that you entered in step 2 of the previous section, but leave the Password blank.
Click Forgot Your Password?.
Enter the same answer that you provided in step 4 of the previous section.
Click Login.

Because the login occurred with a forgotten password, you are prompted for a new password.

Enter a new password.

Notice that the new password will be set on the Lighthouse account (the Identity Manager user) and on the account on the configured resource.

Click Change Password.

Changing Your Personal Data

To change your personal data:

Click the Profiles tab, and then click the Account Attributes tab.
Modify the email address.
Click Save.

Notice that the email address has been updated for the Lighthouse user and possibly the resource account if the resource manages an email address.

Click Logout to logout of the end-user pages.

---

Advanced Features

This Advanced Features section demonstrates

Loading Users into Identity Manager
Detecting Changes on the Managed Server
Viewing the Historical User’s Change Report

Loading Users into Identity Manager

One of the first steps you perform for an Identity Manager deployment is to load all accounts from the managed resource into Identity Manager so they can be managed. Generally, most deployments manage multiple resources; however, for the purposes of this quick start scenario, only a single resource will be managed.

Select the Resources tab to access the List Resources page.
Expand the resource tree to find the resource that you configured in the Setup Wizard.
Enable the resource’s checkbox to select the resource.
Select Edit Reconciliation Policy from the Resource Actions list to define how accounts found on the resource will be reconciled with the users found in Identity Manager.

Initially, Identity Manager will have only a few administrators (Configurator, Administrator, demoapprover) and the users that you created in the Basic Provisioning section.

All other users on the managed resource will be considered UNMATCHED when reconciled because there are no Identity Manager users that match the resource accounts that are found.

Select Create new user based on resource account for the UNMATCHED situation in the Situation Options table.

The remaining situation options are used to determine how Identity Manager responds to other reconciliation situations. For this Quick Start Scenario, do not change the default values for these options.

Click Save to save the reconciliation policy.
Enable the resource’s checkbox.
Select Full Reconcile Now from the Resource Actions list to initiate a full reconciliation from the resource.
Enable the resource’s checkbox.
Select View Reconciliation Status from the Resource Actions list to view the status of the full reconciliation.

The time it takes to complete a full reconciliation can vary widely, based on the number of users on the managed resource, the speed of the managed resource, the speed of the Identity Manager server, and so forth.

When the reconciliation is complete, review the information provided to see how many accounts were created.
Select the Accounts tab to navigate to the List Accounts page.

Notice that all users from the resource are now listed on this page.

Detecting Changes on the Managed Server

Identity Manager accommodates bidirectional synchronization, depending on target resource functions and market need.

Identity Manager’s Reconciliation feature highlights inconsistencies between the resource accounts on Identity Manager and the accounts that actually exist on a resource, and to periodically correlate account data.

Reconciliation is designed for ongoing comparison, and it can

Diagnose account situations more specifically and support a wider range of responses
Detect native changes.
Be scheduled
Offer an incremental mode

It is important to note that, Identity Manager only stores those security-relevant account attributes that you specify, rather than storing every attribute on every account.

Identity Manager’s Active Sync feature allows information that is stored in an authoritative external resource (such as an application or database) to synchronize with Identity Manager user data. Setting up active synchronization for an Identity Manager resource enables it to “listen” or poll for changes to the authoritative resource.

Note	For detailed information about reconciliation and Active Sync, see the Dataloading and Synchronization chapters in Sun Java System Identity Manager Administration and Sun Java System Identity Manager Technical Deployment Overview.

For the purpose of this Scenario, you will use reconciliation to detect changes on a managed server. Use the following instructions:

Natively create a new user on the managed resource.

The method for creating a new user will vary depending on the resource.

You can create a new user with the Active Directory Users and Computers tool in Active Directory
You can import an LDIF file in a Directory Server
You can use the useradd command on a Red Hat Linux or Solaris server
Select the Resources tab to access the List Resources page.
Expand the resource tree to find the resource that you configured in the Setup Wizard.
Enable the resource’s checkbox to select the resource.
Select Incremental Reconcile Now from the Resource Actions list to initiate an incremental reconciliation from the resource.
Enable the resource’s checkbox.
Select View Reconciliation Status from the Resource Actions list to view the status of the incremental reconciliation.
After the reconciliation is complete, review the information to see how many accounts were created.
Select the Accounts tab to access the List Accounts page.

Notice that the new user you created on the resource is now listed on this page.

Viewing the Historical User’s Change Report

To view a user’s change report history:

Open a Web browser and type the following Web address in the address bar:

http://localhost:8080/idm/

Note	Depending on the options that you selected during the Tomcat installation, the port (8080) may be different.

Login to the Identity Manager Administrator interface as the Configurator user.

Note	The default password for this user is configurator.

Select the Reports tab to access the Run Reports page.
Click the Historical User Changes Report link to provide information about which report to run.
Enter the Account ID of the user specified in the End User Self-Service section.
Click Run.
Review the historical change report.

Notice that events such as creation, modifications, change password, login, and logout are reported. The report provides information about when the change occurred, which user caused the change, the result of the change, attribute-level before and after values for creations and modifications, which interface the change occurred in, and so forth.

You can run this report for all users by clicking the Run button located next to the User Historical Change Report on the Run Reports page.

---

Next Steps

There are many other important features in Identity Manager that are not discussed in this Quick Start Guide, such as:

Using the Identity Manager Integrated Development Environment (Identity Manager IDE) to edit forms
Using rules to encapsulate business process and corporate data links
Using role-based access control and resources
Using role exclusions

For more information about these and other Identity Manager features, consult the Identity Manager publications listed in the Related Documentation and Help section of the Preface.

To contact a Sales representative for more information about the Identity Manager product, get information about self-qualifying, or sign-up for the Identity Champions newsletter be sure to visit the following web site and select the Sun Identity Insights Program checkbox:

https://subscriptions.sun.com/subscription_center/ecomm.jsp

Previous      Contents      Next

---

Part No: 819-7564-10.   Copyright 2006 Sun Microsystems, Inc. All rights reserved.