Sun[TM] Identity Manager 8.0 Administration 

Chapter 6
Administration

This chapter provides information and procedures for performing a range of administrative-level tasks in the Identity Manager system, such as creating and managing Identity Manager administrators and organizations. It also provides an understanding of how you can use roles, capabilities, and administrative roles in Identity Manager.

The information is grouped in the following topics:


Understanding Identity Manager Administration

Identity Manager administrators are users with extended Identity Manager privileges. Identity Manager administrators manage:

Unlike users, administrators in Identity Manager are assigned capabilities and controlled organizations. These are defined as follows:

Delegated Administration

In most companies, employees who perform administrative tasks hold specific responsibilities. Consequently, the account management tasks that these administrators can perform are limited in scope.

For example, an administrator might be responsible only for creating Identity Manager user accounts. With that limited scope of responsibility, the administrator likely does not need specific information about the resources on which user accounts are created, or about the roles or organizations that exist within the system.

Identity Manager can also restrict administrators to specific tasks within a specific, defined scope.

Identity Manager supports the separation of responsibilities and a delegated administration model as follows:

You can specify delegations for a user from the Create User page when you set up a new user account, or when you edit a user account.

You can also delegate work items, such as requests for approvals, from the Work Items tab. For more information on delegations, see Delegating Work Items.


Creating Administrators

To create an administrator, assign one or more capabilities to a user and designate the organization(s) to which the capabilities will apply.

To create an administrator, follow these steps:

  1. In the Administrator interface, click Accounts in the menu bar. The User List page opens.
  2. To give an existing user administrative privileges, click the user name (the Edit User page opens), then click the Security tab.
  3. If a new user account needs to be created, see Creating Users.

  4. Make the selections as needed to establish administrative control:
    • Capabilities — Select one or more capabilities that should be assigned to this administrator. This information is required. For more information, see Understanding and Managing Capabilities.
    • Controlled Organizations — Select one or more organizations that should be assigned to the administrator. The administrator will control objects in the assigned organization and in any organizations beneath it in the hierarchy. This information is required. For more information, see Understanding Identity Manager Organizations.
    • User Form — Select the user form that this administrator will use when creating and editing Identity Manager users (if that capability is assigned). If you do not directly assign a user form, the administrator will inherit the user form assigned to the organization he belongs to. The form selected here supersedes any form selected within this administrator's organization.
    • Forward Approval Requests To — Select a user to forward all current pending approval requests to that user. This administrator setting also can be set from the Approvals page.
    • Delegate Work Items To — If available, use this option to specify delegations for this user account. You can specify the administrator’s manager, one or more selected users, or use a delegate approvers rule.

    Figure 6-1  User Account Security page: Specifying Administrator privileges

    Set up administrator characteristics through the Create User - Security form.

Filtering Administrator Views

By assigning user forms to organizations and administrators, you establish specific administrator views of user information. Access to user information is set at two levels:

Understanding and Managing Capabilities describes built-in Identity Manager capabilities that you can assign.

Changing Administrator Passwords

Administrator passwords may be changed by an administrator with administrative password change capabilities assigned, or by the administrator-owner.

Administrators can change another administrator’s password using these forms:

An administrator can change his own password from the Passwords area. Click Passwords in the menu, then click Change My Password.


Note

The Identity Manager account policy applied to the account determines password limitations, such as password expiration, reset options, and notification selections. Additional password limitations may be set by password policies set on the administrator’s resources.


Challenging Administrator Actions

Identity Manager can be configured to prompt administrators for a password before processing certain account changes. If authentication fails, then the account changes will be cancelled.

There are three forms that administrators can use to change user passwords. These are the Tabbed User form, the Change User Password form, and the Reset User Password form. To ensure that administrators are required to enter their password before Identity Manager processes user account changes, be sure to update all three forms.

Enabling the Challenge Option for the Tabbed User Form

To require a password challenge on the Tabbed User form, follow these steps.

  1. In the Administrator interface, open the Identity Manager debug page by typing the following URL into your browser. (You must have the Debug capability to open this page.)

    http://<AppServerHost>:<Port>/idm/debug/session.jsp

    The “System Settings” page (Identity Manager debug page) opens.

  2. Find the List Objects button, select UserForm from the drop-down menu, then click the ListObjects button. The “List Objects of type: UserForm” page opens.
  3. Locate the copy of the “Tabbed User Form” that you have in production and click edit. (The “Tabbed User Form” distributed with Identity Manager is a template and should not be modified.)
  4. Add the following code snippet inside the <Form> element:

    <Properties>
      <Property name='RequiresChallenge'>
        <List>
          <String>password</String>
          <String>email</String>
          <String>fullname</String>
        </List>
      </Property>
    </Properties>

    The value of the property is a list that can contain one or more of the following user view attribute names:

      • applications
      • adminRoles
      • assignedLhPolicy
      • capabilities
      • controlledOrganizations
      • email
      • firstname
      • fullname
      • lastname
      • organization
      • password
      • resources
      • roles
  5. Save your changes.

Enabling the Challenge Option for the “Change User Password” and “Reset User Password” Forms

To require a password challenge on the “Change User Password” and “Reset User Password” forms, follow these steps:

  1. In the Administrator interface, open the Identity Manager debug page by typing the following URL into your browser. (You must have the Debug capability to open this page.)

    http://<AppServerHost>:<Port>/idm/debug/session.jsp

    The “System Settings” page (Identity Manager debug page) opens.

  2. Locate the List Objects button, select UserForm from the drop-down menu, then click the ListObjects button. The “List Objects of type: UserForm” page opens.
  3. Locate the copy of the “Change Password User Form” that you have in production and click edit. (The “Change Password User Form” distributed with Identity Manager is a template and should not be modified.)
  4. Locate the <Form> element, then go to the <Properties> element.
  5. Add the following line inside the <Properties> element and save your changes.

    <Property name='RequiresChallenge' value='true'/>

  6. Repeat steps 2 - 3, except edit the copy of the “Reset User Password Form” that you have in production.
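Because the challenge must be present on all three forms, a quick audit of the exported UserForm XML catches the one that was missed. The following script is an added example, not code shipped with Identity Manager: it parses constructed sample copies of the three forms (the XML shape follows the snippets above; the form names and the missing property on the reset form are constructed for the example) and reports every form that does not challenge the administrator.

```python
import xml.etree.ElementTree as ET

# User view attribute names the documentation lists as valid RequiresChallenge entries.
VALID_CHALLENGE_ATTRS = {
    "applications", "adminRoles", "assignedLhPolicy", "capabilities",
    "controlledOrganizations", "email", "firstname", "fullname",
    "lastname", "organization", "password", "resources", "roles",
}

# Constructed sample exports of the three production copies (not real
# Identity Manager objects). The reset form is deliberately missing the property.
SAMPLE_FORMS = {
    "Tabbed User Form": """
<Form name='Tabbed User Form'>
  <Properties>
    <Property name='RequiresChallenge'>
      <List>
        <String>password</String>
        <String>email</String>
        <String>fullname</String>
      </List>
    </Property>
  </Properties>
</Form>""",
    "Change Password User Form": """
<Form name='Change Password User Form'>
  <Properties>
    <Property name='RequiresChallenge' value='true'/>
  </Properties>
</Form>""",
    "Reset User Password Form": """
<Form name='Reset User Password Form'>
  <Properties>
    <Property name='someOtherProperty' value='x'/>
  </Properties>
</Form>""",
}


def challenge_setting(form_xml):
    """Return how one UserForm document sets RequiresChallenge.

    None        -> the property is absent
    True/False  -> the property is given as value='true' / value='false'
    list        -> the property carries a <List> of user view attribute names
    """
    root = ET.fromstring(form_xml.strip())
    for prop in root.iter("Property"):
        if prop.get("name") != "RequiresChallenge":
            continue
        value = prop.get("value")
        if value is not None:
            return value.strip().lower() == "true"
        return [s.text.strip() for s in prop.iter("String") if s.text]
    return None


def audit_forms(forms):
    """Return one finding per gap; an empty list means every form
    prompts the administrator for a password before the change is processed."""
    findings = []
    for name, xml in forms.items():
        setting = challenge_setting(xml)
        if setting is None:
            findings.append(f"{name}: RequiresChallenge is not set")
        elif setting is False:
            findings.append(f"{name}: RequiresChallenge is disabled")
        elif isinstance(setting, list):
            unknown = sorted(set(setting) - VALID_CHALLENGE_ATTRS)
            if unknown:
                findings.append(f"{name}: unknown attribute names {unknown}")
            if "password" not in setting:
                findings.append(f"{name}: password changes are not challenged")
    return findings


if __name__ == "__main__":
    for line in audit_forms(SAMPLE_FORMS) or ["all forms challenge the administrator"]:
        print(line)
```

Against a real deployment, replace SAMPLE_FORMS with the XML of the production copies exported from the List Objects page; the template forms shipped with the product are left untouched, as the procedure above requires.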

Changing Answers to Authentication Questions

Use the Passwords area to change the answers you have set for account authentication questions. From the menu bar, select Passwords, and then select Change My Answers.

For more information about authentication, see User Authentication.

Customizing Administrator Name Display in the Administrator Interface

You can display an Identity Manager administrator by attribute (such as email or fullname) rather than accountId in some Identity Manager Administrator interface pages and areas, such as the following areas:

To configure Identity Manager to use a display name, add to the UserUIConfig object:

<AdminDisplayAttribute>
  <String>attribute_name</String>
</AdminDisplayAttribute>

For example, to use the email attribute as the display name, add the following attribute name to UserUIConfig:

<AdminDisplayAttribute>
  <String>email</String>
</AdminDisplayAttribute>


Understanding Identity Manager Organizations

Organizations allow you to:

By creating organizations and assigning users to various locations in an organizational hierarchy, you set the stage for delegated administration. Organizations that contain one or more other organizations are called parent organizations.

All Identity Manager users (including administrators) are statically assigned to one organization. Users also can be dynamically assigned to additional organizations.

Identity Manager administrators are additionally assigned to control organizations.


Creating Organizations

Create organizations in the Identity Manager Accounts area.

To create an organization, follow these steps:

  1. In the Administrator interface, click Accounts in the menu bar. The User List page opens.
  2. In the New Actions menu, select New Organization.

    Tip

    To create an organization at a specific location in the organizational hierarchy, select an organization in the list, and then select New Organization in the New Actions menu.

    Figure 6-2 illustrates the Create Organization page.

    Figure 6-2  Create Organization Page

    Use the Create Organization page to set up Identity Manager organizations.

Assigning Users to Organizations

Each user is a static member of one organization, and can be a dynamic member of more than one organization.

Organizational membership is defined as follows:

Select a User Members Rule from the User Members Rule field on the Create Organization page. Figure 6-3 shows an example of a User Members Rule.

Figure 6-3  Create Organization: User Members Rule Selections

Select user members rules from the field on the Create Organization page.

User Members Rule Example

The following example shows how you might set up a User Members Rule that can dynamically control an organization’s user membership.


Note

For information about creating and working with rules in Identity Manager, see Identity Manager Deployment Tools.


Key Definitions and Inclusions
Code Example

The following code example illustrates the syntax for a sample user member rule.

Code Example 6-1  Sample User Members Rule

<Rule name='Get Team Players' authType='UserMembersRule'>
   <defvar name='Team players'>
      <block>
         <defvar name='player names'>
            <list/>
         </defvar>
         <dolist name='users'>
            <invoke class='com.waveset.ui.FormUtil' name='getResourceObjects'>
               <ref>context</ref>
               <s>User</s>
               <s>singleton-AD</s>
               <map>
                  <s>searchContext</s>
                  <s>OU=Pro Ball Team,DC=dev-ad,DC=waveset,DC=com</s>
                  <s>searchScope</s>
                  <s>subtree</s>
                  <s>searchAttrsToGet</s>
                  <list>
                     <s>distinguishedName</s>
                  </list>
               </map>
            </invoke>
            <append name='player names'>
               <concat>
                  <get>
                     <ref>users</ref>
                     <s>distinguishedName</s>
                  </get>
                  <s>:sampson-AD</s>
               </concat>
            </append>
         </dolist>
         <ref>player names</ref>
      </block>
   </defvar>
   <ref>Team players</ref>
</Rule>

Assigning Organization Control

Assign administrative control of one or more organizations from the Create User page or Edit User page. Select the Security form tab to display the Controlled Organizations field.

You can also assign administrative control of organizations by assigning one or more admin roles, from the Admin Roles field.


Understanding Directory Junctions and Virtual Organizations

A directory junction is a hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. A directory resource is one that employs a hierarchical namespace through the use of hierarchical containers. Examples of directory resources include LDAP servers and Windows Active Directory resources.

Each organization in a directory junction is a virtual organization. The top-most virtual organization in a directory junction is a mirror of the container representing the base context defined in the resource. The remaining virtual organizations in a directory junction are direct or indirect children of the top virtual organization, and also mirror one of the directory resource containers that are children of the defined resource’s base context container. This structure is illustrated in Figure 6-4.

Figure 6-4  Identity Manager Virtual Organization

Identity Manager virtual organization mapping directory-based resources.

Directory junctions can be spliced into the existing Identity Manager organizational structure at any point. However, directory junctions cannot be spliced within or below an existing directory junction.

Once you have added a directory junction to the Identity Manager organizational tree, you can create or delete virtual organizations in the context of that directory junction. In addition, you can refresh the set of virtual organizations comprising a directory junction at any time to ensure they stay synchronized with the directory resource containers. You cannot create a non-virtual organization within a directory junction.

You can make Identity Manager objects (such as users, resource, and roles) members of, and available to, a virtual organization in the same way as an Identity Manager organization.

Setting Up Directory Junctions

To set up directory junctions, follow these steps:

  1. In the Administrator interface, select Accounts in the menu bar. The User List page opens.
  2. Select an Identity Manager organization in the Accounts list. The organization you select will be the parent organization of the virtual organization you set up.
  3. In the New Actions menu, select New Directory Junction.

    Identity Manager opens the Create Directory Junction page.

  4. Make selections to set up the virtual organization:
    • Parent organization — This field contains the organization you selected from the Accounts list; you can, however, select a different parent organization from the list.
    • Directory resource — Select the directory resource that manages the existing directory whose structure you want to mirror in the virtual organization.
    • User form — Select a user form that will apply to administrators in this organization.
    • Identity Manager account policy — Select a policy, or select the default option (inherited) to inherit the policy from the parent organization.
    • Approvers — Select administrators who can approve requests related to this organization.

Refreshing Virtual Organizations

This process refreshes and re-synchronizes the virtual organization with the associated directory resource, from the selected organization down. Select the virtual organization in the list, and then select Refresh Organization from the Organization Actions list.
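The mirroring and refresh behaviour described above (a virtual organization per container at or below the base context, kept in step with the directory) can be modelled offline to reason about what a refresh will add and remove. The following is an added example, not Identity Manager code: it builds the virtual organization tree from a constructed list of container DNs under the base context used in Code Example 6-1, then diffs it against a constructed set of existing virtual organizations. DNs are assumed to be normalised and to contain no escaped commas.

```python
def parent_dn(dn):
    """Return the DN of the container that holds dn ('' for a root DN).
    Assumes normalised DNs with no escaped commas (constructed input)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def mirror_containers(base_dn, container_dns):
    """Build the virtual organization tree of a directory junction.

    Returns {virtual_org_dn: parent_dn}. The base context maps to None
    because its parent is the Identity Manager organization the junction
    is spliced into. Containers outside base_dn are ignored."""
    tree = {base_dn: None}
    # Shallowest first, so a container's parent is placed before it.
    for dn in sorted(container_dns, key=lambda d: d.count(",")):
        if dn == base_dn:
            continue
        parent = parent_dn(dn)
        if parent in tree:
            tree[dn] = parent
    return tree


def refresh_plan(current_virtual_orgs, directory_tree):
    """Compare the virtual organizations Identity Manager holds with the
    containers the directory has now and return (dns to create, dns to
    delete). Creations go parents first, deletions children first."""
    current = set(current_virtual_orgs)
    wanted = set(directory_tree)
    to_create = sorted(wanted - current, key=lambda d: (d.count(","), d))
    to_delete = sorted(current - wanted, key=lambda d: (-d.count(","), d))
    return to_create, to_delete


# Constructed sample data: the base context from Code Example 6-1, the
# containers the directory reports now, and the virtual organizations
# Identity Manager created at an earlier refresh.
BASE = "OU=Pro Ball Team,DC=dev-ad,DC=waveset,DC=com"
DIRECTORY_CONTAINERS = [
    BASE,
    "OU=Pitchers," + BASE,
    "OU=Rookies,OU=Pitchers," + BASE,
    "OU=Front Office,DC=dev-ad,DC=waveset,DC=com",   # outside the junction
]
CURRENT_VIRTUAL_ORGS = [
    BASE,
    "OU=Pitchers," + BASE,
    "OU=Retired," + BASE,                             # container no longer exists
]


if __name__ == "__main__":
    tree = mirror_containers(BASE, DIRECTORY_CONTAINERS)
    create, delete = refresh_plan(CURRENT_VIRTUAL_ORGS, tree)
    print("create:", create)
    print("delete:", delete)
```

The example also shows why a junction cannot contain a non-virtual organization: every node of the tree is derived from a directory container, so anything not backed by one would be removed at the next refresh.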

Deleting Virtual Organizations

When deleting virtual organizations, you can select from two delete options:

Select an option, and then click Delete.


Understanding and Managing Capabilities

Capabilities are groups of rights in the Identity Manager system. Capabilities represent administrative job responsibilities, such as resetting passwords or administering user accounts. Each Identity Manager administrative user is assigned one or more capabilities, which provide a set of privileges without compromising data protection.

Not all Identity Manager users need capabilities assigned. Only those users who will perform one or more administrative actions through Identity Manager will require capabilities. For example, an assigned capability is not needed to enable a user to change his password, but an assigned capability is required to change another user’s password.

Your assigned capabilities govern which areas of the Identity Manager Administrator Interface you can access. All Identity Manager administrative users can access certain areas of Identity Manager, including:

Capabilities Categories

Identity Manager defines Capabilities as:

Built-in capabilities (those provided with the Identity Manager system) are protected, meaning that you cannot edit them. You can, however, use them within capabilities that you create.

Protected (built-in) capabilities are indicated in the list with a red key (or red key and folder) icon. Capabilities that you create and can edit are indicated in the capabilities list with a green key (or green key and folder) icon.

Working with Capabilities

This section describes how to create, edit, assign, and rename capabilities. These tasks are performed using the Capabilities page.

View the Capabilities Page

The Capabilities page is found under the Security tab.

To open the Capabilities page, follow these steps:

  1. In the Administrator interface, click Security in the top menu.
  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

Create a Capability

Use the following procedure to create a capability. To clone a capability, see Save and Rename a Capability.

To create a capability, follow these steps:

  1. In the Administrator interface, click Security in the top menu.
  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Click New.

    The Create Capability page opens.

  4. Complete the form as follows:
    1. Name the new capability.
    2. In the Capabilities section, use the arrow buttons to move the capabilities that should be assigned to users into the Assigned Capabilities box.
    3. In the Assigners box, select one or more users that will be allowed to assign this capability to other users. If no users are selected, the only user who will be able to assign this capability is the one that created the capability. If the user who created the capability does not have the Assign User Capability capability assigned, then one or more users must be selected in order to ensure that at least one user can assign the capability to another user.
    4. In the Organizations box, select one or more organizations to which this capability will be available.
    5. Click Save.

      Note

      The set of users from which you can make assigner selections are those who have been assigned the Assign Capability right.


Edit a Capability

You can edit a non-protected capability.

To edit a non-protected capability, follow these steps:

  1. In the Administrator interface, click Security in the top menu.
  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Right-click the capability in the list, and then select Edit. The Edit Capability page opens.
  4. Make your changes and click Save.

You cannot edit built-in capabilities. You can, however, save them with a different name in order to create your own capability. You can also use built-in capabilities in capabilities that you create.

Save and Rename a Capability

You can create a new capability by saving an existing capability with a new name. This process is known as cloning the capability.

To clone a capability, follow these steps:

  1. In the Administrator interface, click Security in the top menu.
  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Right-click the capability in the list, and then select Save As.

    A dialog box opens and asks you to type a name for the new capability.

  4. Type a name and click OK.

You can now edit the new capability.

Assigning Capabilities

Use the Create User page or the Edit User page to assign capabilities to users. You can also assign capabilities to a user by assigning an administrator role, which you set up through the Security area in the interface. See Understanding and Managing Admin Roles for more information.


Note

A list of Identity Manager’s default task-based and functional capabilities (with definitions) is included in Appendix D, "Capabilities Definitions". This appendix also lists the tabs and subtabs that may be accessed with each task-based capability.



Understanding and Managing Admin Roles

Admin Roles define two things: a set of capabilities and a scope of control. (The term scope of control refers to one or more managed organizations.) Once defined, admin roles can then be assigned to one or more administrators.


Note

Do not confuse roles with admin-roles. Roles are used to manage end-users’ access to external resources, whereas admin-roles are primarily used to manage Identity Manager administrator access to Identity Manager objects.

The information presented in this section is limited to admin roles. For information about roles, see Understanding and Managing Roles.


Multiple admin roles can be assigned to a single administrator. This enables an administrator to have one set of capabilities in one scope of control, and a different set of capabilities in another scope of control. For example, one admin role might grant the administrator the right to create and edit users for the controlled organizations specified in that admin role. A second admin role assigned to the same administrator, however, might grant only the “change users’ passwords” right in a separate set of controlled organizations as defined in that admin role.

Admin roles enable the reuse of capabilities and scope-of-control pairings. Admin roles also simplify the management of administrator privileges across a large number of users. Instead of directly assigning capabilities and controlled organizations to individual users, admin roles should be used to grant administrator privileges.

The assignment of capabilities or organizations (or both) to an admin role can be either direct or dynamic (indirect):

Admin Role Rules

Identity Manager provides sample rules that you can use to create rules for Admin Roles. These rules are available in the Identity Manager installation directory in sample/adminRoleRules.xml.

Table 6-1 provides the rule names and the authType you must specify for each rule.

Table 6-1  Admin Role Sample Rules

Rule Name                          authType
Controlled Organizations Rule      ControlledOrganizationsRule
Capabilities Rule                  CapabilitiesRule
User Is Assigned Admin Role Rule   UserIsAssignedAdminRoleRule


Note

For information about the sample rules provided for service provider users admin roles, see Delegated Administration in the Service Provider Administration chapter.


The User Admin Role

Identity Manager includes a built-in admin role, named User Admin Role. By default, it has no assigned capabilities or controlled organization assignments. It cannot be deleted. This admin role is implicitly assigned to all users (end-users and administrators) at login time, regardless of the interface they log in to (for example, user, administrator, console, or IDE).


Note

For information about creating an admin role for service provider users, see Delegated Administration in the Service Provider Administration chapter.


You can edit the User Admin Role through the Administrator interface (select Security, and then select Admin Roles).

Because any capabilities or controlled organizations that are statically assigned through this admin role are assigned to all users, it is recommended that the assignment of capabilities and controlled organizations be done through rules. This will enable different users to have different (or no) capabilities, and assignments will be scoped depending on factors such as who they are, which department they are in, or whether they are managers, which can be queried for within the context of the rules.

The User Admin Role does not deprecate or replace the use of the authorized=true flag used in workflows. This flag is still appropriate in cases where the user should not have access to objects accessed by the workflow, except when the workflow is executing. Essentially, this lets the user enter a run as superuser mode.

There may be cases, however, where a user should have specific access to one or more objects outside of (and potentially inside of) workflows. In these cases, using rules to dynamically assign capabilities and controlled organizations allows for fine-grain authorization to those objects.

Creating and Editing Admin Roles

To create or edit an admin role, you must be assigned the Admin Role Administrator capability.

To access admin roles in the Administrator interface, click Security, and then click the Admin Roles tab. The Admin Roles list page allows you to create, edit, and delete admin roles for Identity Manager users and for service provider users.

To edit an existing admin role, click a name in the list. Click New to create an admin role. Identity Manager displays the Create Admin Role options (illustrated in Figure 6-5). The Create Admin Role view presents four tabs that you use to specify the general attributes, capabilities, and scope of the new admin role, as well as assignments of the role to users.

Figure 6-5  Admin Role Create Page: General Tab

Use the Create Admin Role page to set up admin roles.

General Tab

Use the General tab of the create admin role or edit admin role view to specify the following basic characteristics of the admin role:

Scope of Control

Identity Manager allows you to control which users are within an end user’s scope of control.

Use the Scope of Control tab (shown in Figure 6-6) to specify the organizations that users assigned this admin role can manage, or to specify the rule that determines the organizations to be managed by users of the admin role, and to select the user form for the admin role.

Figure 6-6  Create Admin Role: Scope of Control

You can include and exclude one or more objects from an admin role.

Assigning Capabilities

Capabilities assigned to the admin role determine what administrative rights users assigned the admin role have. For example, this admin role might be restricted to creating users only for the controlled organizations of the admin role. In that case, you assign the Create User capability.

On the Capabilities tab, select the following options:

Assigning User Forms to an Admin Role

You can specify a user form for the members of an admin role. Use the Assign To Users tab on the create admin role or edit admin role view to specify the assignments.

The administrator assigned the admin role will use this user form when he creates or edits users in the organizations controlled by that admin role. A user form assigned through an admin role overrides any user form that is inherited from the organization of which the admin is a member. It does not override a user form that is directly assigned to the admin.

The user form that will be used when editing a user is determined in this order of precedence:

If an admin is assigned more than one admin role that controls the same organization but specifies different user forms, then an error is displayed when he attempts to create or edit a user in that organization. If an admin attempts to assign two or more admin roles that control the same organization but specify different user forms, then an error is displayed. Changes cannot be saved until the conflict is resolved.
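The precedence and conflict rules above (a directly assigned form wins; otherwise the form of an admin role whose scope covers the organization; otherwise the form inherited from the administrator's own organization; and two admin roles that control the same organization with different forms are an error) can be checked before an assignment is saved. The following is an added example, not Identity Manager code. The organization hierarchy, admin roles, and administrators are constructed; the example assumes, following the description of controlled organizations earlier in this chapter, that an admin role's scope covers an organization when the role lists that organization or one of its ancestors.

```python
class UserFormConflict(Exception):
    """Two admin roles control the same organization but name different
    user forms; the documentation states the change cannot be saved."""


def scope_covers(controlled_orgs, org, parent_of):
    """True when org or one of its ancestors is in the role's scope of control."""
    while org is not None:
        if org in controlled_orgs:
            return True
        org = parent_of.get(org)
    return False


def resolve_user_form(admin, target_org, admin_roles, parent_of, org_forms):
    """Return the user form an administrator uses when editing a user in
    target_org, or None when nothing is assigned (product default applies).

    Precedence: form assigned directly to the admin, then the form of an
    admin role whose scope covers target_org, then the form assigned to
    the admin's own organization."""
    if admin.get("user_form"):
        return admin["user_form"]
    forms_by_role = {}
    for role in admin_roles:
        if role["name"] not in admin["admin_roles"] or not role.get("user_form"):
            continue
        if scope_covers(role["controlled_orgs"], target_org, parent_of):
            forms_by_role[role["name"]] = role["user_form"]
    if len(set(forms_by_role.values())) > 1:
        raise UserFormConflict(
            f"admin roles {sorted(forms_by_role)} control {target_org} "
            f"but specify different user forms")
    if forms_by_role:
        return next(iter(forms_by_role.values()))
    return org_forms.get(admin["organization"])


# Constructed sample data (hypothetical organizations, roles and forms).
PARENT_OF = {"Top": None, "Sales": "Top", "EMEA": "Sales"}
ORG_FORMS = {"Sales": "Sales User Form"}
ADMIN_ROLES = [
    {"name": "Sales Helpdesk", "controlled_orgs": {"Sales"}, "user_form": "Helpdesk Form"},
    {"name": "EMEA Ops", "controlled_orgs": {"EMEA"}, "user_form": "Ops Form"},
]
ALICE = {"name": "alice", "organization": "Sales", "user_form": None,
         "admin_roles": {"Sales Helpdesk", "EMEA Ops"}}
BOB = {"name": "bob", "organization": "Sales", "user_form": "Direct Form",
       "admin_roles": {"Sales Helpdesk", "EMEA Ops"}}
CAROL = {"name": "carol", "organization": "Sales", "user_form": None, "admin_roles": set()}


if __name__ == "__main__":
    print(resolve_user_form(ALICE, "Sales", ADMIN_ROLES, PARENT_OF, ORG_FORMS))
    print(resolve_user_form(BOB, "EMEA", ADMIN_ROLES, PARENT_OF, ORG_FORMS))
    print(resolve_user_form(CAROL, "Sales", ADMIN_ROLES, PARENT_OF, ORG_FORMS))
    try:
        resolve_user_form(ALICE, "EMEA", ADMIN_ROLES, PARENT_OF, ORG_FORMS)
    except UserFormConflict as err:
        print("conflict:", err)
```

Note that alice's conflict only appears for EMEA: both of her roles reach that organization (Sales Helpdesk through the hierarchy, EMEA Ops directly), whereas for Sales itself only one role applies.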


The “End User” Organization

The End User organization provides a convenient way for administrators to make certain objects, such as resources and roles, available to end-users. End-users can view and potentially assign designated objects to themselves (pending an approval process) using the end-user interface.


Note

The “End User” organization was introduced in version 7.1.1 of Identity Manager.

Previously, in order to grant end-users access to Identity Manager configuration objects, such as Roles, Resources, Tasks, and so on, administrators had to edit configuration objects and use End User Tasks, End User Resources, and End User authTypes.

Going forward, Sun recommends using the “End User” organization to give end-users access to Identity Manager configuration objects.


The End User organization is implicitly controlled by all users, and enables them to view several types of objects, including tasks, rules, roles, and resources. Initially, however, the organization has no member objects.

The End User organization is a member of Top and cannot have child organizations. In addition, the End User organization is not displayed in the Accounts page list. When editing objects (such as Roles, AdminRoles, Resources, Policy, Tasks, and so on), however, you can make any object available to the End User organization using the Administrator user interface.

When end-users log in to the end-user interface, the following things happen:

The End User Controlled Organization Rule

The input argument to the End User Controlled Organization rule is the authenticating user's view. Identity Manager expects the rule to return one or more organizations that the user logging in to the End User interface will control. Identity Manager expects the rule to return either a string (for a single organization) or a list (for multiple organizations).

To manage these objects, users need the End User Administrator capability. Users who are assigned the End User Administrator capability can view and modify the contents of the End User Controlled Organization rule. These users can also view and modify the object types specified in the EndUser capability.

The End User Administrator capability is assigned to the Configurator user by default. Any changes made to the list or to organizations returned by the evaluation of the End User Controlled Organization rule will not be reflected dynamically for logged in users. These users must log out and then log in again to see the changes.

If the End User Controlled Organization rule returns an invalid organization (for example, an organization that does not exist in Identity Manager), the problem will be logged in the System Log. To correct the problem, log in to the Administrator user interface and fix the rule.
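The contract just described (the rule receives the user's view, returns a string or a list, and invalid organization names are logged rather than silently honoured) is easy to get wrong when writing a custom rule. The following is an added example, not Identity Manager code: a Python stand-in for the login-time evaluation that normalises the rule result, validates each name against a constructed set of known organizations, logs the invalid ones, and always includes the implicitly controlled End User organization. The rule body, the user views and the organization names are constructed.

```python
import logging

logger = logging.getLogger("idm.enduser")

END_USER_ORG = "End User"          # implicitly controlled by every user
KNOWN_ORGS = {"Top", "Engineering", "Sales", END_USER_ORG}   # constructed


def normalize_rule_result(result):
    """The rule may return a string (one organization) or a list
    (several). Anything else violates the contract and is rejected."""
    if result is None:
        return []
    if isinstance(result, str):
        return [result]
    if isinstance(result, (list, tuple)):
        if not all(isinstance(r, str) for r in result):
            raise TypeError("rule list must contain only organization names")
        return list(result)
    raise TypeError(f"unexpected rule result type {type(result).__name__}")


def controlled_orgs_at_login(rule, user_view, known_orgs):
    """Evaluate the End User Controlled Organization rule once, at login.

    Returns (controlled organizations, rejected names). Unknown names are
    logged and dropped, mirroring the System Log entry the product writes.
    The result is what the session keeps until the user logs in again."""
    controlled, rejected = [END_USER_ORG], []
    for name in normalize_rule_result(rule(user_view)):
        if name not in known_orgs:
            rejected.append(name)
            logger.error("End User Controlled Organization rule returned "
                         "unknown organization %r for %s",
                         name, user_view.get("accountId"))
        elif name not in controlled:
            controlled.append(name)
    return controlled, rejected


def department_rule(user_view):
    """Constructed stand-in for a rule body: everyone controls their
    department's organization; managers also control their region's."""
    orgs = [user_view["department"]]
    if user_view.get("isManager"):
        orgs.append(user_view["region"])
    return orgs if len(orgs) > 1 else orgs[0]    # string or list, as allowed


# Constructed user views; "Atlantis" is not a known organization.
MANAGER_VIEW = {"accountId": "jdoe", "department": "Engineering",
                "isManager": True, "region": "Atlantis"}
STAFF_VIEW = {"accountId": "asmith", "department": "Sales", "isManager": False}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(controlled_orgs_at_login(department_rule, MANAGER_VIEW, KNOWN_ORGS))
    print(controlled_orgs_at_login(department_rule, STAFF_VIEW, KNOWN_ORGS))
```

Because the evaluation happens once per login, fixing the rule in the Administrator interface after an error is logged takes effect for a user only at that user's next login, which is the behaviour described above.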


Managing Work Items

Some workflow processes generated by tasks in Identity Manager create action items or work items. These work items might be a request for approval or some other action request assigned to an Identity Manager account.

Identity Manager groups all work items in the Work Items area of the interface, enabling you to view and respond to all pending requests from one location.

Work Item Types

A work item might be one of the following types:

To view pending work items for each work item type, click Work Items in the menu.


Note

If you are a work item owner with pending work items (or delegated work items), then your Work Items list is displayed when you log into the Identity Manager User interface.


Working With Work Item Requests

To respond to a work item request, click one of the work item types in the Work Items area of the interface. Select items from the list of requests and then click one of the buttons available to indicate the action you want to take. The work item options vary depending on the work item type.

For more information about responding to requests, see the following topics:

Viewing Work Item History

Use the History tab in the Work Items area to view the results of previous work item actions.

Figure 6-7 displays a sample view of Work Item history.

Figure 6-7  Work Items History View

View of user's work items history.

Delegating Work Items

Work item owners can manage work loads by delegating work items to other users for a specified period of time. From the main menu, you can use the Work Items > Delegate My Work Items page to delegate future work items (such as requests for approval) to one or more users (delegates). Users do not need approver capabilities to be delegates.


Note

The delegation feature applies only to future work items. Existing items (those listed under My Work Items) must be forwarded individually using the forwarding feature.


There are other pages from which you can delegate work items:

Delegates can approve work items on a work item owner’s behalf during the effective delegation period. Delegated work items include the name of the delegate.

Any user can create one or more delegations for their future work items. Administrators who can edit a user can also create a delegation on that user’s behalf. An administrator cannot, however, delegate to someone that the user cannot delegate to. (With regards to delegations, the administrator’s scope of control is the same as the user on whose behalf the delegation is being made.)

Audit Log Entries

Audit log entries list the delegator’s name when delegated work items are approved or rejected. Changes to a user's delegate approver information are logged in the detailed changes section of the audit log entry when a user is created or modified.

Viewing Current Delegations

View delegations on the Current Delegations page.

To view current delegations, follow these steps:

  1. In the Administrator interface, click Work Items in the main menu.
  2. Click Delegate My Work Items in the secondary menu.
  3. Identity Manager displays the Current Delegations page, where you can view and edit delegations currently in effect.

Viewing Previous Delegations

View previous delegations on the Previous Delegations page.

To view previous delegations, follow these steps:

  1. In the Administrator interface, click Work Items in the main menu.
  2. Click Delegate My Work Items in the secondary menu.
  3. The Current Delegations page opens.

  4. Click Previous.
  5. The Previous Delegations page opens. Previously delegated work items can be used to set up new delegations.

Creating Delegations

Create a delegation using the New Delegation page.

To create a delegation, follow these steps:

  1. In the Administrator interface, click Work Items in the main menu.
  2. Click Delegate My Work Items.
  3. The Current Delegations page opens.

  4. Click New.
  5. The New Delegation page opens.

  6. Complete the form as follows:
    1. Select a work item type from the Select Work Item Type to Delegate selection list. To delegate all of your work items, select All Work Item Types.
    2. If you are delegating a role-type, organization, or resource work-item, specify the specific role(s), organization(s), or resource(s) that should define this delegation by using the arrows to move selections from the Available column to the Selected column.

    3. Delegate Work Items To — Select one of:
      • Selected Users — Select to search for users in your scope of control (by name) to be delegates. Select one or more users in the Users Selected area, or click Add from Search to open the search feature and search for users; click Add to add a found user to the list. To remove a delegate from the list, select it, and then click Remove. If any one of the selected delegates has also delegated his or her work items, then your future work item requests will be delegated to that delegate's delegates, so check a delegate's own current delegations first: approvals can otherwise land with a user you did not select.
      • My Manager — Select to delegate work items to your manager (if assigned).
      • DelegateWorkItemRule — Select a rule that returns a list of Identity Manager user names to which you can delegate the selected work item type.
    4. Start Date — Select the date on which delegation of the work item should start. By default, the day selected begins at 12:01 a.m.
    5. End Date — Select the date on which delegation of the work item should end. By default, the day selected ends at 11:59 p.m.

      Note

      It is possible to select the same start and end dates, in order to delegate work items for a single day.


    6. Click OK to save selections and return to the list of work items awaiting approval.

      Note

      After setting up delegation, any work items created during the effective delegation period are added to the delegate’s list. If you end a delegation or the delegation time period expires, then the delegated work items are returned to your list. This may result in duplicate work items on your list. However, when you approve or reject one, then the duplicate will be automatically removed from your list.


Delegations to Deleted Users

When a user who owns pending work items is deleted, Identity Manager handles those work items as follows:

Ending Delegations

End one or more delegations from the Current Delegations page.

To end one or more delegations, follow these steps:

  1. In the Administrator interface, click Work Items in the main menu.
  2. Click Delegate My Work Items in the secondary menu.
  3. The Current Delegations page opens.

  4. Select one or more delegations to end, and then click End.
  5. Identity Manager removes the selected delegation configurations, and returns any delegated work items of the type selected to your list of pending work items.


Approvals

When a user is added to the Identity Manager system, administrators who are assigned as approvers for new accounts must validate account creation.

Identity Manager supports three categories of approval:

In addition, if change-approvals are enabled, and changes are made to a role, a change-approval work item is sent to designated role owners.

Identity Manager supports change-approvals as follows:

Setting Up Account Approvers

Setting up account approvers for organization, role, and resource approvals is optional, but recommended. For each category in which approvers are set up, at least one approval is required for account creation. If one approver rejects a request for approval, the account is not created.

You can assign more than one approver to each category. Because only one approval within a category is needed, you can set up multiple approvers to help ensure workflow is not delayed or halted. If one approver is unavailable, others are available to handle requests. Approval applies only to account creation. By default, account updates and deletions do not require approval. You can, however, customize this process to require it.

You can customize workflows by using the Identity Manager IDE to change the flow of approvals, capture account deletions, and capture updates.

For information about the IDE, see Identity Manager IDE. For information about workflows, and an illustrated example of altering the approval workflow, see Identity Manager Workflows, Forms, and Views.

Identity Manager Approvers can either approve or reject an approval request.

Administrators can view and manage pending approvals from the Work Items area of the Identity Manager interface. From the Work Items page, click My Work Items to view pending approvals. Click the Approvals tab to manage approvals.

Signing Approvals

To approve a work item using a digital signature, you must first set up the digital signature as described in Configuring Digitally Signed Approvals and Actions.

To sign an approval, follow these steps:

  1. From the Identity Manager Administrator interface, select Work Items.
  2. Click the Approvals tab.
  3. Select one or more approvals from the list.
  4. Enter comments for the approval, and then click Approve.
  5. Identity Manager prompts you to ask whether to trust the signing applet. Before accepting, confirm that the applet is signed with the code-signing certificate your CA issued for ts2.jar (see the note on re-signing ts2.jar under Server-Side Configuration for Signed Approvals); the jar as shipped carries only a self-signed certificate.

  6. Click Always.
  7. Identity Manager displays a dated summary of the approval.

  8. Enter the keystore location, or click Browse to locate it (this is the location you recorded in Step 10m of the procedure Client-Side Configuration for Signed Approvals Using PKCS12).
  9. Enter the keystore password (the password you set in Step 10l of the procedure Client-Side Configuration for Signed Approvals Using PKCS12).
  10. Click Sign to approve the request.

Signing Subsequent Approvals

After signing an approval, subsequent approval actions require only that you enter the keystore password and then click Sign. (Identity Manager should remember the keystore location from the previous approval.)

Configuring Digitally Signed Approvals and Actions

Use the following information and procedures to set up digital signing. You can digitally sign:

The topics discussed in this section explain the server-side and client-side configuration required to add the certificate and CRL to Identity Manager for signed approvals.

Server-Side Configuration for Signed Approvals

To enable server-side configuration, follow these steps:

  1. Open the system configuration object for editing and set security.nonrepudiation.signedApprovals=true. (See the instructions for editing the system configuration object.)

    If you are using PKCS11, you must also set security.nonrepudiation.defaultKeystoreType=PKCS11

    If you are using a custom PKCS11 key provider, you must also set security.nonrepudiation.defaultPKCS11KeyProvider=<your provider name>


    Note

    Refer to the following items in the REF kit for more information on when you need to write a custom provider:

    com.sun.idm.ui.web.applet.transactionsigner.DefaultPKCS11KeyProvider (Javadoc)

    REF/transactionsigner/SamplePKCS11KeyProvider

    The REF (Resource Extension Facility) kit is provided in the /REF directory on your product CD or with your install image.


  2. Add your certificate authority (CA)'s certificates as trusted certificates. To do this, you must first obtain a copy of the certificates. For example, if you are using a Microsoft CA, follow steps similar to these:

    1. Go to http://IPAddress/certsrv and log in with administrative privileges.
    2. Select Retrieve the CA certificate or certificate revocation list, and then click Next.
    3. Download and save the CA certificate.
  3. Add the certificate to Identity Manager as a trusted certificate:
    1. From the Administrator interface, select Security, and then select Certificates. Identity Manager displays the Certificates page (Figure 6-8).

      Figure 6-8  Certificates page

      Use the Certificates area to establish trusted CA certificates and CRLs.

    2. In the Trusted CA Certificates area, click Add. Identity Manager displays the Import Certificate page.
    3. Browse to and select the trusted certificate, and then click Import.
    4. The certificate now appears in the list of trusted certificates.

  4. Add your CA's certificate revocation list (CRL):
    1. In the CRLs area of the Certificates page, click Add.
    2. Enter the URL for the CA's CRL.

      Note

      • The certificate revocation list (CRL) is a CA-signed list of the serial numbers of certificates that the CA has revoked before their expiry.
      • The URL for the CA's CRL may be http or LDAP.
      • Each CA publishes its CRLs at a different URL; you can find it in the CRL Distribution Points extension of the CA's certificate.

  5. Click Test Connection to verify the URL.
  6. Click Save.
  7. Sign applets/ts2.jar using jarsigner.

    Note

    Refer to http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/jarsigner.html for more information. The ts2.jar file provided with Identity Manager is signed using a self-signed certificate, and should not be used for production systems. In production, this file should be re-signed using a code-signing certificate issued by your trusted CA.
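Added example, not part of this guide or of Identity Manager: the shell script below exercises the server-side trust material on a throwaway CA so that the values asked for above can be checked rather than guessed. It creates a CA certificate carrying a CRL Distribution Points extension, reads that extension to obtain the URL to enter in the CRLs area, issues a CRL from the same CA and checks that the CRL is signed by the CA you imported (which Test Connection alone does not prove), and, where the JDK's keytool is installed, reports whether a jar's signer certificate is self-signed, the state the note on ts2.jar warns against. The CA name, the CRL URL (http://ca.example.com/demo-ca.crl) and the scratch directory are constructed for the example; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Identity Manager code. Requires openssl 1.1.1+; the jar
# check additionally needs the JDK's keytool and is skipped without it.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"                 # scratch directory (assumption)
CRL_URL="http://ca.example.com/demo-ca.crl"          # constructed CRL location (assumption)

# Build a throwaway CA whose certificate advertises where its CRL is published.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo CA" \
        -addext "crlDistributionPoints=URI:$CRL_URL" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null
}

# The CRLs area asks for the CA's CRL URL: read it from the certificate's
# CRL Distribution Points extension instead of guessing. Prints the URI.
crl_distribution_point() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints \
        | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Issue a CRL from the demo CA. "openssl ca" needs a minimal config with a
# database and a CRL-number file; nothing here is Identity Manager specific.
issue_crl() {
    cat > "$DEMO_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $DEMO_DIR/index.txt
crlnumber = $DEMO_DIR/crlnumber
default_md = sha256
default_crl_days = 7
EOF
    : > "$DEMO_DIR/index.txt"
    echo 01 > "$DEMO_DIR/crlnumber"
    openssl ca -config "$DEMO_DIR/ca.cnf" -gencrl \
        -keyfile "$DEMO_DIR/ca.key" -cert "$DEMO_DIR/ca.pem" \
        -out "$DEMO_DIR/ca.crl" 2>/dev/null
}

# What Test Connection cannot tell you: that the file behind the URL is a CRL
# signed by the CA whose certificate you imported as trusted. $1 CA cert, $2 CRL.
crl_issued_by() {
    openssl crl -in "$2" -noout -verify -CAfile "$1" >/dev/null 2>&1
}

# The shipped ts2.jar is signed with a self-signed certificate. A signer whose
# Owner and Issuer lines are identical is self-signed. Returns 0 if the jar's
# first signer is self-signed, 1 if it was issued by a CA, 2 if keytool is
# missing or the jar cannot be read.
jar_signer_is_self_signed() {
    command -v keytool >/dev/null 2>&1 || return 2
    out=$(keytool -printcert -jarfile "$1" 2>/dev/null) || return 2
    owner=$(printf '%s\n' "$out" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^Issuer: //p' | head -n 1)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

make_demo_ca
echo "CRL URL to enter in the CRLs area: $(crl_distribution_point "$DEMO_DIR/ca.pem")"
issue_crl
crl_issued_by "$DEMO_DIR/ca.pem" "$DEMO_DIR/ca.crl" && echo "CRL verifies against the imported CA"
```

Run jar_signer_is_self_signed against applets/ts2.jar after re-signing it: a return of 0 means the self-signed certificate is still in place.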


Client-Side Configuration for Signed Approvals Using PKCS12

The following configuration information is for signed approvals using PKCS12. To enable the client-side configuration, follow these steps:

Prerequisites

Signed approvals require JRE 1.5 or later on the client.

Procedure

Obtain a certificate and private key, and then export them to a PKCS#12 keystore.

For example, if using a Microsoft CA, you would follow steps similar to these:

  1. Using Internet Explorer, browse to http://IPAddress/certsrv, and then log in with administrative privileges.
  2. Select Request a certificate, and then click Next.
  3. Select Advanced request, and then click Next.
  4. Click Next.
  5. Select User for Certificate Template.
  6. Select these options:
    1. Mark keys as exportable
    2. Enable strong key protection
    3. Use local machine store
  7. Click Submit, and then click OK.
  8. Click Install this certificate.
  9. Select Run —> mmc to launch mmc.
  10. Add the Certificate snap-in:
    1. Select Console—>Add/Remove Snap-in.
    2. Click Add...
    3. Select Computer account.
    4. Click Next, and then click Finish.
    5. Click Close.
    6. Click OK.
    7. Go to Certificates—>Personal—>Certificates.
    8. Right-click the Administrator certificate, and then select All Tasks—>Export.
    9. Click Next.
    10. Click Next to confirm exporting the private key.
    11. Click Next.
    12. Provide a password, and then click Next.
    13. In the File name field, enter the path for the exported PKCS#12 file (CertificateLocation).
    14. Click Next, and then click Finish. Click OK to confirm.

      Note

      Record the password you entered in step 10l and the file location you entered in step 10m of this procedure; you will need both to sign approvals. The exported file contains your private signing key and is protected only by that password, so keep it off shared locations.


Client-Side Configuration for Signed Approvals Using PKCS11

If you are using PKCS11 for signed approvals, refer to the following resources in the REF kit for configuration information:

com.sun.idm.ui.web.applet.transactionsigner.DefaultPKCS11KeyProvider (Javadoc)

REF/transactionsigner/SamplePKCS11KeyProvider

The REF (Resource Extension Facility) kit is provided in the /REF directory on your product CD or with your install image.

Viewing the Transaction Signature

Follow these steps to view the transaction signature in an Identity Manager AuditLog report:

  1. From the Identity Manager Administrator interface, select Reports.
  2. On the Run Reports page, select AuditLog Report from the New... list of options.
  3. In the Report Title field, enter a title (for example, “Approvals”).
  4. In the Organizations selection area, select all organizations.
  5. Select the Actions option, and then select Approve.
  6. Click Save to save the report and return to the Run Reports page.
  7. Click Run to run the Approvals report.
  8. Click the details link to see transaction signature information, including:
    • issuer
    • subject
    • certificate serial number
    • message signed
    • signature
    • signature algorithm
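Added example, not part of this guide or of Identity Manager, covering both the keystore the client-side PKCS12 procedure produces and the transaction signature fields listed in the AuditLog report above. The script builds a PKCS#12 keystore for an approver with openssl (the cross-platform equivalent of the certsrv and mmc export), checks that it opens with the recorded password, signs a constructed approval message with the key from that keystore, and re-verifies the signature from the signer's certificate and the message alone, which is what an auditor can do with the issuer, subject, certificate serial number, message signed, signature and signature algorithm fields of the report. The approver name, the message text, the password and the use of RSA with SHA-256 are assumptions; the exact message encoding and algorithm the applet uses are reported in the audit record, not on this page.

```shell
#!/bin/sh
# Added example, not Identity Manager code. Requires openssl. Builds the
# PKCS#12 keystore the client-side procedure ends with, then signs a
# constructed approval message and verifies it the way an auditor would
# from the fields shown in the AuditLog report details.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"                 # scratch directory (assumption)
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"           # demo password only (assumption)

# Platform-neutral equivalent of the certsrv/mmc steps: a key pair and
# certificate for the approver, exported to PKCS#12. The certificate is
# self-signed here; in practice it is issued by your CA.
make_keystore() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Approver One/O=Example" \
        -keyout "$DEMO_DIR/approver.key" -out "$DEMO_DIR/approver.pem" 2>/dev/null
    # Explicit PBE algorithms so the file also opens in the older JREs the
    # prerequisites allow; modern openssl defaults to AES/PBKDF2 otherwise.
    openssl pkcs12 -export -inkey "$DEMO_DIR/approver.key" -in "$DEMO_DIR/approver.pem" \
        -name approver -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$KEYSTORE_PASS" -out "$DEMO_DIR/approver.p12"
}

# The check to run before clicking Sign: does the keystore open with the
# password you recorded? Returns 0 if so, 1 otherwise. $1 keystore, $2 password.
keystore_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Sign a message with the key from the keystore (RSA with SHA-256 assumed;
# the audit record's "signature algorithm" field says what the applet used).
# $1 keystore, $2 password, $3 message file, $4 signature file. Prints base64.
sign_message() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$DEMO_DIR/sign.key" 2>/dev/null
    openssl dgst -sha256 -sign "$DEMO_DIR/sign.key" -out "$4" "$3"
    rm -f "$DEMO_DIR/sign.key"
    openssl base64 -A -in "$4"
}

# Re-verify an audit record outside the product: take the public key from the
# signer's certificate and check "signature" over "message signed".
# $1 signer certificate (PEM), $2 message file, $3 base64 signature.
verify_record() {
    printf '%s' "$3" | openssl base64 -d -A > "$DEMO_DIR/sig.bin"
    openssl x509 -in "$1" -pubkey -noout > "$DEMO_DIR/signer.pub"
    openssl dgst -sha256 -verify "$DEMO_DIR/signer.pub" \
        -signature "$DEMO_DIR/sig.bin" "$2" >/dev/null 2>&1
}

# The identity fields the report shows come straight from the certificate.
signer_fields() {
    openssl x509 -in "$1" -noout -issuer -subject -serial
}

make_keystore
printf 'approve account creation for jdoe; workitem=12345' > "$DEMO_DIR/approval.msg"   # constructed
SIG=$(sign_message "$DEMO_DIR/approver.p12" "$KEYSTORE_PASS" "$DEMO_DIR/approval.msg" "$DEMO_DIR/approval.sig")
signer_fields "$DEMO_DIR/approver.pem"
verify_record "$DEMO_DIR/approver.pem" "$DEMO_DIR/approval.msg" "$SIG" && echo "signature verifies"
```

Point the Browse field of the signing dialog at the generated approver.p12 and use KEYSTORE_PASS when prompted; a record whose message was altered after signing fails verify_record, which is the property the digital signature adds over a plain audit entry.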





Part No: 820-2954-10.   Copyright 2008 Sun Microsystems, Inc. All rights reserved.