Sun Java logo     Copyright      Index      Next     

Sun logo
Sun[TM] Identity Manager 8.0 Administration 


List of Tables

List of Figures

Who Should Use This Book
Before You Read This Book
Conventions Used in This Book
Typographic Conventions
Related Documentation
Books in This Documentation Set
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Chapter 1   Identity Manager Overview
The Big Picture
Goals of the Identity Manager System
Defining User Access to Resources
User Types
Delegating Administration
Identity Manager Objects
User Accounts
Resources and Resource Groups
Organizations and Virtual Organizations
Directory Junctions
Admin Roles
Audit Policies
Object Relationships

Chapter 2   Getting Started with the Identity Manager UI
Identity Manager Administrator Interface
Logging in to the Identity Manager Administrator Interface
Session Limits and Cookies
Forgotten User ID
Identity Manager End-User Interface
The Five End-User Interface Tabs
Work Items
Logging in to the Identity Manager End-User Interface
Forgotten User ID
Help and Guidance
Identity Manager Help
Identity Manager Guidance
The Identity Manager Debug Page
Identity Manager IDE
Where to Go from Here

Chapter 3   User and Account Management
The Accounts Area of the Interface
Actions Lists in the Accounts Area
Searching in the Accounts List Area
User Account Status
The User Pages (Create/Edit/View)
Creating Users and Working with User Accounts
Enabling Process Diagrams
Creating Users
Creating Multiple Resource Accounts for a User
Why Assign Multiple Accounts per User per Resource?
Configuring Types of Accounts
Assigning Types of Accounts
Finding & Viewing User Accounts
Editing Users
Viewing User Accounts
Editing User Accounts
Reassigning Users to Another Organization
Renaming Users
Updating Resources Associated with an Account
Updating Resources on a Single User Account
Updating Resources on Multiple User Accounts
Deleting Identity Manager User Accounts
Deleting Resources from User Accounts
Deleting Resources from a Single User Account
Deleting Resources from Multiple User Accounts
Changing User Passwords
Changing Passwords from the User List Page
Changing Passwords from the Main Menu
Resetting User Passwords
Resetting Passwords from the User List Page
Expiring Passwords using the Identity Manager Account Policy
Disabling, Enabling, & Unlocking User Accounts
Disabling User Accounts
Enabling User Accounts
Unlocking User Accounts
Bulk Account Actions
Launching Bulk Account Actions
Using Action Lists
Bulk Action View Attributes
Correlation and Confirmation Rules
Correlation Rules
Confirmation Rules
Managing Account Security and Privileges
Setting Password Policies
Creating a Policy
Dictionary Policy Selection
Password History Policy
Must Not Contain Words
Must Not Contain Attributes
Implementing Password Policies
User Authentication
Personalized Authentication Questions
Bypassing the Change Password Challenge after Authentication
Assigning Administrative Privileges
User Self-Discovery
Enabling Self-Discovery
Anonymous Enrollment
Enabling Anonymous Enrollment
Configuring Anonymous Enrollment
User Enrollment Process

Chapter 4   Roles and Resources
Understanding and Managing Roles
What are Roles?
Putting Role Types to Work
Managing Roles Created In Versions Prior to Version 8.0
Using Role Types to Design Flexible Roles
Creating Roles
Completing the Create Role Form
Entering a Name and a Description for the Role
Assigning Resources and Resource Groups
Assigning Roles and Role Exclusions
Designating Role Owners and Role Approvers
Designating Notifications
Initiating Change-Approval and Approval Work Items
Editing and Managing Roles
Searching for Roles
Viewing Roles
Editing Roles
Cloning Roles
Assigning a Role to a Role
Removing a Role From a Role
Enabling and Disabling Roles
Deleting Roles
Assigning a Resource or Resource Group to a Role
Removing a Resource or Resource Group from a Role
Managing User Role Assignments
Assigning Roles to Users
Activating and Deactivating Roles on Specific Dates
Updating Roles Assigned to Users
Finding Users Assigned to a Role
Removing Roles Assigned to Users
Configuring Role Types
Configuring Role Types to be Directly Assignable to Users
Enabling Role Types for Assignable Activation Dates and Deactivation Dates
Enabling and Disabling Change-Approval and Change-Notification Work Items
Configuring the Maximum Number of Rows that the Role List Page will Load
Synchronizing Identity Manager Roles and Resource Roles
Understanding and Managing Resources
What are Resources?
The Resources Area in the Interface
Managing the Resources List
Opening the Configure Managed Resources Page
Enabling Resource Types
Adding a Custom Resource
Creating Resources
Managing Resources
View the Resource List
Edit a Resource Using the Resource Wizard
Edit a Resource Using the Resource List Command Options
Working with Account Attributes
Editing Resource Account Attributes
Resource Groups
Global Resource Policy
Setting additional Timeout values
Bulk Resource Actions

Chapter 5   Configuration & System Maintenance
Configuring Identity Manager Policies
What are Policies?
Opening the Policies Page
Policy Types
Must Not Contain Attributes in Policies
Dictionary Policy
Configuring the Dictionary Policy
Implementing the Dictionary Policy
Customizing Email Templates
Editing an Email Template
HTML and Links in Email Templates
Allowable Variables in the Email Body
Configuring Audit Groups and Audit Events
The Audit Configuration Page
Opening the Audit Configuration Page
Configuring Audit Groups
Remedy Integration
Configuring Identity Manager Server Settings
Reconciler Settings
Viewing Reconciler Status
Scheduler Settings
Email Template Server Settings
Configure JMX Polling Settings
Viewing JMX Data
Editing Default Server Settings
Configuring the End-User Interface
Enabling Process Diagrams in the End-User Interface
Registering Identity Manager
Registering Identity Manager from the Console
The register Command
Registering Identity Manager from the Administrator Interface
Editing Identity Manager Configuration Objects
Removing Records from the System Log

Chapter 6   Administration
Understanding Identity Manager Administration
Delegated Administration
Creating Administrators
Filtering Administrator Views
Changing Administrator Passwords
Challenging Administrator Actions
Enabling the Challenge Option for the Tabbed User Form
Enabling the Challenge Option for the “Change User Password” and “Reset User Password” Forms
Changing Answers to Authentication Questions
Customizing Administrator Name Display in the Administrator Interface
Understanding Identity Manager Organizations
Creating Organizations
Assigning Users to Organizations
User Members Rule Example
Assigning Organization Control
Understanding Directory Junctions and Virtual Organizations
Setting Up Directory Junctions
Refreshing Virtual Organizations
Deleting Virtual Organizations
Understanding and Managing Capabilities
Capabilities Categories
Working with Capabilities
View the Capabilities Page
Create a Capability
Edit a Capability
Save and Rename a Capability
Assigning Capabilities
Understanding and Managing Admin Roles
Admin Role Rules
The User Admin Role
Creating and Editing Admin Roles
General Tab
Scope of Control
Assigning Capabilities
Assigning User Forms to an Admin Role
The “End User” Organization
The End User Controlled Organization Rule
Managing Work Items
Work Item Types
Working With Work Item Requests
Viewing Work Item History
Delegating Work Items
Audit Log Entries
Viewing Current Delegations
Viewing Previous Delegations
Creating Delegations
Delegations to Deleted Users
Ending Delegations
Setting Up Account Approvers
Signing Approvals
Signing Subsequent Approvals
Configuring Digitally Signed Approvals and Actions
Server-Side Configuration for Signed Approvals
Client-Side Configuration for Signed Approvals Using PKCS12
Client-Side Configuration for Signed Approvals Using PKCS11
Viewing the Transaction Signature

Chapter 7   Data Loading and Synchronization
Data Synchronization Tools: Which to Use?
Extract to File
Load from File
About CSV File Format
Load from Resource
Reconciliation in a Nutshell
About Reconciliation Policies
Editing Reconciliation Policies
Starting Reconciliation
Canceling Reconciliation
Viewing Reconciliation Status
Viewing Detailed Reconciliation Status
Viewing Reconciliation Status in the Resource List
Working with the Account Index
Searching the Account Index
Examining the Account Index
Working with Accounts
Working with Users
Using Task Schedule Repetition Rules
How Reconciliation Run Times are Scheduled
The “Accept All Dates” Sample Rule
Active Sync Adapters
Configuring Synchronization
Editing the Synchronization Policy
Editing Active Sync Adapters
Tuning Active Sync Adapter Performance
Changing Polling Intervals
Specifying the Host Where the Adapter Will Run
Starting and Stopping
Adapter Logging

Chapter 8   Reporting
Working with Reports
Report Types
Running Reports
Viewing Reports
Creating Reports
Editing and Cloning Reports
Emailing Reports
Scheduling Reports
Downloading Report Data
Configuring Report Output
Identity Manager Reports
AuditLog Reports
Individual User AuditLog Reports
Real Time Reports
Summary Reports
SystemLog Report
Usage Reports
Usage Report Charts
Workflow Report
Configuring Workflows to Capture Audit Timing Events
Specifying Attributes to Store for the Workflow Report
Defining the Workflow Report
Auditor Reports
Working with Graphs
Viewing Defined Graphs
Creating Graphs
Editing Graphs
Deleting Graphs
Working with Dashboards
Creating Dashboards
Editing Dashboards
Deleting Dashboards
System Monitoring
Tracked Event Configuration
Risk Analysis
Creating Risk Analysis Reports
Scheduling Risk Analysis Reports

Chapter 9   Task Templates
Enabling the Task Templates
Configuring the Task Templates
Configuring the General Tab
For the Create User or Update User Templates
For the Delete User Template
Configuring the Notification Tab
Configuring User Notifications
Configuring Administrator Notifications
Configuring the Approvals Tab
Enabling Approvals (Approvals Tab, “Approvals Enablement” Section)
Specifying Additional Approvers (Approvals Tab, “Additional Approvers” Section)
Configuring the Approval Form (Approvals Tab, “Approval Form Configuration” Section)
Configuring the Audit Tab
Configuring the Provisioning Tab
Configuring the Sunrise and Sunset Tab
Configuring Sunrises
Configuring Sunsets
Configuring the Data Transformations Tab

Chapter 10   Audit Logging
What Does Identity Manager Audit?
Creating Audit Events From Workflows
The com.waveset.session.WorkflowServices Application
Modifying Workflows to Log Standard Audit Events
Modifying Workflows to Log Timing Audit Events
What Information Do Timing Audit Events Store?
Audit Configuration
Account Management
Changes Outside Identity System
Compliance Management
Configuration Management
Event Management
Password Management
Resource Management
Role Management
Security Management
Service Provider Edition
Task Management
Database Schema
Audit Log Truncation
Audit Log Configuration
Resizing Column Length Limits
Removing Records from the Audit Log
Preventing Audit Log Tampering
Configuring tamper-resistant logging
Using Custom Audit Publishers
Enabling Custom Audit Publishers
The Console, File, JDBC, & Scripted Publisher Types
The JMS Publisher Type
Why Use JMS?
Point-to-Point or Publish-and-Subscribe?
Configuring the JMS Publisher Type
The JMX Publisher Type
What is JMX?
Identity Manager’s JMX Publisher Implementation
Configuring the JMX Publisher Type
Viewing Audit Events with a JMX Client
Querying the MBean for Additional Information
Developing Custom Audit Publishers
Developing Formatters
Registering Publishers/Formatters

Chapter 11   PasswordSync
What is PasswordSync?
Before You Install
Install Microsoft .NET 1.1
Configure PasswordSync for SSL
Uninstall Previous Versions of PasswordSync
Installing PasswordSync on Windows
Configuring PasswordSync
Debugging PasswordSync on Windows
Error Logs
Uninstalling PasswordSync on Windows
Deploying PasswordSync on the Application Server
Adding and Configuring a JMS Listener Adapter
Implementing the Synchronize User Password Workflow
Setting Up Notifications
Configuring PasswordSync with a Sun JMS Server
Sample Scenario
Creating and Storing Administered Objects
Storing Administered Objects in an LDAP Directory
Storing Administered Objects in a File
Configuring the JMS Listener Adapter for this Scenario
Configuring Active Sync
Testing Your Configuration
Frequently Asked Questions about PasswordSync
Can PasswordSync be implemented without a Java Messaging Service?
Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?
Can the PasswordSync servlet be installed on a different application server than Identity Manager?
Does the PasswordSync service send passwords over to the lh server in clear text?
Sometimes password changes result in com.waveset.exception.ItemNotLocked?

Chapter 12   Security
Security Features
Limiting Concurrent Login Sessions
Password Management
Pass-through Authentication
About Login Applications
Login Constraint Rules
Editing Login Applications
Setting Identity Manager Session Limits
Disabling Access to Applications
Editing Login Module Groups
Editing Login Modules
Login Module Processing Logic
Configuring Authentication for Common Resources
Configuring X509 Certificate Authentication
Configuring X509 Certificate Authentication in Identity Manager
Creating and Importing a Login Correlation Rule
Testing the SSL Connection
Diagnosing Problems
Cryptographic Use and Management
Cryptographically Protected Data
Server Encryption Key Questions and Answers
Where do server encryption keys come from?
Where are server encryption keys maintained?
How does the server know which key to use for decryption and re-encryption of encrypted data?
How do I update server encryption keys?
What happens to existing encrypted data if the "current" server key is changed?
What happens when you import encrypted data for which an encryption key is not available?
How are server keys protected?
Can I export the server keys for safe external storage?
What data is encrypted between the server and gateway?
Gateway Key Questions and Answers
Where do the gateway keys come from to encrypt or decrypt data?
How are gateway keys distributed to the gateways?
Can I update the gateway keys used to encrypt or decrypt the server-to-gateway payload?
Where are the gateway keys stored on the server, on the gateway?
How are gateway keys protected?
Can I export the gateway key for safe external storage?
How are server and gateway keys destroyed?
Managing Server Encryption
Using Authorization Types to Secure Objects
Security Practices
At Setup
During Use

Chapter 13   Identity Auditing: Basic Concepts
About Identity Auditing
Goals of Identity Auditing
Understanding Identity Auditing
Policy-Based Compliance
Continuous Compliance
Periodic Compliance
Logical Task Flow for Policy-Based Compliance
Periodic Access Reviews
Working with Identity Auditing in the Administrator Interface
The Compliance Section of the Interface
Manage Policies
Manage Access Scans
Access Reviews
Identity Auditing Tasks Interface Reference
Email Templates
Enabling Audit Logging
About Audit Policies
Creating a Policy with Audit Policy Rules
Addressing Policy Violations with Remediation Workflows
Designating Remediators
A Sample Audit Policy Scenario

Chapter 14   Auditing: Audit Policies
Working with Audit Policies
Audit Policy Rules
Creating an Audit Policy
Opening the Audit Policy Wizard
Creating an Audit Policy: Overview
Before You Begin
Identify the Rules You Need
(Optional) Import Separation of Duty Rules into Identity Manager
(Optional) Import a Workflow into Identity Manager
Name and Describe the Audit Policy
Select a Rule Type
Select an Existing Rule
Use the Rule Wizard to Create a New Rule
Add Additional Rules
Select a Remediation Workflow
Select Remediators and Timeouts for Remediations
Select Organizations that Can Access this Policy
Editing an Audit Policy
The Edit Policy Page
Edit Audit Policy Description
Edit Options
Delete a Rule from the Policy
Add a Rule to the Policy
Change a Rule used by the Policy
Remediators Area
Remove or Assign Remediators
Adjust Escalation Timeouts
Remediation Workflow and Organizations Area
Change the Remediation Workflow
Select Remediation User Form Rule
Assign or Remove Visibility to Organizations
Sample Policies
IDM Role Comparison Policy
IDM Account Accumulation Policy
Deleting an Audit Policy
Troubleshooting Audit Policies
Debugging Rules
Assigning Audit Policies
Resolving Auditor Capabilities Limitations

Chapter 15   Auditing: Monitoring Compliance
Audit Policy Scans and Reports
Scanning Users and Organizations
Working with Auditor Reports
Creating an Auditor Report
Configuring the Audited Attribute Report
Compliance Violation Remediation and Mitigation
About Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Remediation Email Template
Working with the Remediations Page
Viewing Policy Violations
Viewing Pending Requests
Viewing Completed Requests
Updating the Table
Prioritizing Policy Violations
Mitigating Policy Violations
From the Remediations Page
Remediating Policy Violations
Forwarding Remediation Requests
Editing a User from a Remediation Work Item
Periodic Access Reviews and Attestation
About Periodic Access Reviews
Access Review Scans
Planning for a Periodic Access Review
Tuning Scan Tasks
Creating an Access Scan
Deleting an Access Scan
Managing Access Reviews
Launching an Access Review
Scheduling Access Review Tasks
Managing Access Review Progress
Modifying Scan Attributes
Canceling an Access Review
Deleting an Access Review
Managing Attestation Duties
Access Review Notification
Viewing Pending Requests
Acting on Entitlement Records
Closed-Loop Remediation
Forwarding Attestation Work Items
Digitally Signing Access Review Actions
Access Review Reports
Access Review Remediation
About Access Review Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Working with the Remediations page
Unsupported Access Review Remediation Actions

Chapter 16   Data Exporter
What is Data Exporter?
Planning to Implement Data Exporter
Configuring Data Exporter
Defining Read and Write Connections
Defining the Warehouse Configuration Information
Configuring Warehouse Models
Configuring the Warehouse Task
Modifying the Configuration Object
Testing Data Exporter
Configuring Forensic Queries
Creating a Query
Saving a Forensic Query
Loading a Query
Maintaining Data Exporter
Monitoring Data Exporter
Monitoring Logging
Audit Logs
System Logs

Chapter 17   Service Provider Administration
Overview of Service Provider Features
Enhanced End-User Pages
Password and Account ID policy
Identity Manager and Service Provider Synchronization
Access Manager integration
Initial Configuration
Edit Main Configuration
Directory Configuration
User Forms and Policy
Transaction Database
Tracked Event Configuration
Synchronization Account Indexes
Callout Configuration
Edit User Search Configuration
Transaction Management
Setting Default Transaction Execution Options
Setting Transaction Persistent Store
Set Advanced Transaction Processing Settings
Monitoring Transactions
Delegated Administration
Delegation Through Organization Authorization
Delegation Through Admin Role Assignment
Enabling Service Provider Admin Role Delegation
Configuring a Service Provider User Admin Role
Delegating Service Provider User Admin Roles
Administering Service Provider Users
User Organizations
Create Users and Accounts
Search Service Provider Users
Advanced Search
Search Results
Link Accounts
Delete, Unassign, or Unlink Accounts
Set Search Options
End-User Interface
Home and Profile Screens
Configure Synchronization
Monitor Synchronization
Start and Stop Synchronization
Migrate Users
Configuring Service Provider Audit Events

Appendix A   lh Reference
Usage Notes
syslog command

Appendix B   Audit Log Database Schema
SQL Server
Audit Log Database Mappings

Appendix C   User Interface Quick Reference
Appendix D   Capabilities Definitions
Task-Based Capabilities Definitions
Functional Capabilities Definitions


Copyright      Index      Next     

Part No: 820-2954-10.   Copyright 2008 Sun Microsystems, Inc. All rights reserved.