Sun[TM] Identity Manager 8.0 Administration
Chapter 2
Getting Started with the Identity Manager UI
Read this chapter to learn about the Identity Manager graphical interfaces and how you can quickly begin using Identity Manager.
Topics covered include:
Identity Manager Administrator Interface
The Identity Manager system includes two primary graphical interfaces through which users perform tasks: the end-user interface and the administrator interface. The end-user interface (also called the User interface) is discussed later in this chapter. The Administrator interface is discussed here.
The Identity Manager Administrator interface serves as the primary administrative view of the product. Through this interface, Identity Manager administrators manage users, set up and assign resources, define rights and access levels, and audit compliance in the Identity Manager system.
Interface organization is represented by these elements:
- Navigation bar tabs — Located at the top of each interface page, these tabs let you navigate major functional areas.
- Subtabs or menus — Depending on your specific implementation, you may see secondary tabs or menus below each navigation bar tab. These subtab or menu selections let you access tasks within a functional area.
In some areas, such as Accounts, tabbed forms divide longer forms into one or more pages, enabling you to navigate them more easily. This is illustrated in Figure 2-1.
Note
A quick reference to performing administrative tasks in the UI is available in Appendix C, "User Interface Quick Reference".
Figure 2-1 Identity Manager Administrator Interface
Logging in to the Identity Manager Administrator Interface
To open the Administrator interface, follow these steps:
Session Limits and Cookies
If cookies are enabled in the administrator’s Web browser, administrators will remain logged on to the Administrator interface up to the time allotted by the configured session limit. If cookies are disabled in the browser, then certain actions will cause the system to prompt the administrator to log in again during the session. These actions are:
To avoid multiple login requests, cookies should be enabled.
Forgotten User ID
Identity Manager allows an administrator to retrieve his or her forgotten user ID. When an administrator clicks Forgot Your User ID? from the login page, a lookup page appears and requests identity attribute information associated with the account, such as first and last name, email address, or phone number.
Identity Manager then constructs a query to find a single user matching the entered values. If no match is found, or multiple matches are found, then an error message appears on the Lookup User ID page.
By default, the lookup feature is enabled. It can be disabled, however, by one of the following actions:
- Set forgotUserIdMode in login.jsp to a value of false
- Edit the system configuration object and set the attribute disableForgotUserId to a value of true for the admin attribute and/or the user attribute
For instructions on editing the system configuration object, see (more...) .
Note
If you upgrade from an earlier Identity Manager version to version 8.0, the Forgot Your User ID? feature will be disabled by default.
To enable this feature, you must modify the following attributes in the System Configuration object:
ui.web.user.disableForgotUserId = false
ui.web.admin.disableForgotUserId = false
The set of user attribute names presented on the lookup page is configured through the system configuration attributes security.authn.lookupUserIdAttributes.<Administrator Interface | User Interface>. The attributes that can be specified are those defined as queryable attributes in the IDM Schema Configuration configuration object.
If the user ID is recovered, Identity Manager sends email to the email address of the recovered user by using the User ID Recovery email template.
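The lookup rule described in this section, modeled as an added Python example (not Identity Manager code): a user ID is recovered only when the entered values match exactly one account, and the result is mailed to that account's address of record. The sample accounts, the attribute set, and the exact string comparison are assumptions made for illustration.

```python
# Added illustration of the single-match lookup rule; not Identity Manager code.

# Constructed sample accounts (not real data).
USERS = [
    {"id": "jsmith",  "firstname": "John",  "lastname": "Smith", "email": "john.smith@example.com"},
    {"id": "jsmith2", "firstname": "John",  "lastname": "Smith", "email": "j.smith@example.com"},
    {"id": "akhan",   "firstname": "Aisha", "lastname": "Khan",  "email": "akhan@example.com"},
]

# Stand-in for security.authn.lookupUserIdAttributes.<interface>; values are assumed.
LOOKUP_ATTRIBUTES = {"firstname", "lastname", "email"}


def lookup_user_id(entered, users=USERS, enabled=True):
    """Model of the Lookup User ID page.

    Returns a dict with 'status' ('disabled', 'error' or 'sent') and, when a
    single account matched, the 'user_id' and the 'mail_to' address that the
    User ID Recovery email would be sent to.
    """
    if not enabled:  # corresponds to disableForgotUserId = true
        return {"status": "disabled"}

    # Keep only configured lookup attributes that the requester filled in.
    criteria = {k: v.strip() for k, v in entered.items()
                if k in LOOKUP_ATTRIBUTES and v.strip()}
    if not criteria:
        return {"status": "error"}

    # Every supplied value must match (exact comparison is an assumption).
    matches = [u for u in users
               if all(u.get(k) == v for k, v in criteria.items())]

    # No match and multiple matches both end in an error on the lookup page.
    if len(matches) != 1:
        return {"status": "error"}

    user = matches[0]
    # The result goes to the address on the account, not to the requester.
    return {"status": "sent", "user_id": user["id"], "mail_to": user["email"]}
```

The attributes chosen for the lookup decide how often a legitimate request ends in the multiple-match error: in the sample data, first and last name alone are ambiguous, while adding the email address resolves to one account.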
Identity Manager End-User Interface
The Identity Manager end-user interface (also known as the “Identity Manager User interface”) presents a limited view of the Identity Manager system. This view is specifically tailored to users without administrative capabilities.
Note
For instructions on how to log on to the end-user interface, see Logging in to the Identity Manager End-User Interface.
A user can perform various activities from the User interface, such as changing their password, performing self-provisioning tasks, and managing work items and delegations.
Identity Manager can be configured so that users can request an account by clicking a link on the end-user interface login page. For details, see Anonymous Enrollment.
The Five End-User Interface Tabs
The end-user interface is organized into five sections (or tabs): Home, Work Items, Requests, Delegations, and Profile.
Home
When a user logs in to the Identity Manager User interface, any pending work items and delegations for the user are displayed on the Home tab, as illustrated in the following figure:
Figure 2-2 User Interface (Home Tab):
The Home tab provides quick access to any pending items. Users can click an item in the list to respond to a work item request or perform other available actions.
Work Items
The Work Items tab is further divided into separate Approvals, Attestations, Remediations, and Other tabs. In this area of the user interface, users can approve or reject any pending work items that they own or have the authority to act on.
Requests
The Requests tab has two subtabs: Launch Requests and View.
On the Launch Requests tab, users have two choices: Update My Roles and Update My Resources.
- On the Update My Roles page, users can request from a list of available roles that may be appropriate for the user. When the end-user submits a role request, a work item is generated and an approval notification is sent to the designated approvers for that role. End-users can also request that they be removed or deassigned from one or more roles.
See the Roles and Resources chapter for information on how to create optional roles that end-users can request access to.
The View subtab displays status details for requests submitted by the user. From this area users can view the process status and task results for the requests they submit.
Delegations
From the Delegations tab, users can delegate work items to other Identity Manager users. For example, a user who is the assigned approver for one or more roles can designate that future approval work items be sent to a colleague for a certain amount of time while the user is away on vacation. Using the Delegations page, users can create and manage delegations without requiring the assistance of an administrator.
Profile
From the Profile tab, end-users can manage their Identity Manager password and account attribute settings. This tab is divided into the following four subtabs:
- Change Password — End-users can change their password on a selected resource or on all resources.
- Account Attributes — End-users can change certain attributes, such as the account email address that Identity Manager sends account notifications to.
- Authentication Questions — Used to manage authentication questions and answers for the user account.
- Access Privileges — Lists the user’s currently assigned role and resource assignments.
Logging in to the Identity Manager End-User Interface
To open the end-user interface, follow these steps:
Forgotten User ID
Identity Manager allows end-users to retrieve their forgotten user IDs. For more information, see Forgotten User ID in the Logging in to the Identity Manager Administrator Interface section.
Help and Guidance
To successfully complete some tasks, you might need to consult Help and Identity Manager guidance (field-level information and instructions). Help and guidance are available from the Identity Manager Administrator and User interfaces.
Identity Manager Help
For task-related help and information, click the Help button, which is located at the top of each Administrator and User interface page, as depicted in Figure 2-3.
Figure 2-3 Help button in the Identity Manager interface
At the bottom of each Help window is a Contents link that guides you to other Help topics and the Identity Manager terms glossary.
Identity Manager Guidance
Identity Manager guidance is brief, targeted help that appears next to many page fields. Its goal is to help you enter information or make selections as you move through a page to perform a task.
A symbol marked with the letter “i” displays next to fields with guidance. Click the symbol to open a window and display its associated information.
Figure 2-4 Identity Manager Guidance
The Identity Manager Debug Page
The administrator interface includes pages that are useful when you need to optimize Identity Manager or troubleshoot a problem. To access these pages, open the Identity Manager Debug Page, which is also called the System Settings page.
To open the Identity Manager Debug Page, type the following URL into your browser. (Depending on your platform and configuration, URLs may be case-sensitive.)
http://<AppServerHost>:<Port>/idm/debug/session.jsp
Users must have the Debug capability to view /idm/debug/ pages. For information about capabilities, see Assigning Capabilities.
Figure 2-5 The Identity Manager Debug Page (System Settings)
For information about troubleshooting Identity Manager, see Identity Manager Tuning, Troubleshooting, and Error Messages.
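Because only users with the Debug capability should reach /idm/debug/ pages, requests to that path are worth watching in the application server's access log. The following added example (not part of the original guide) flags such requests in constructed sample log lines; the Common Log Format layout and the administrator network range are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: the application server writes Common Log Format access logs.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumption: administrators with the Debug capability work from this network.
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2008:09:14:02 +0000] "GET /idm/debug/session.jsp HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2008:09:20:31 +0000] "GET /idm/login.jsp HTTP/1.1" 200 2048
192.0.2.44 - - [12/Mar/2008:09:20:40 +0000] "GET /IDM/Debug/session.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2008:09:31:55 +0000] "GET /idm/debug/session.jsp HTTP/1.1" 302 0
"""


def debug_page_hits(log_text):
    """Return (source, path, status, severity) for each request under /idm/debug/."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        src, _when, _method, raw_path, status = m.groups()
        # Normalise before matching: URL case handling depends on the platform.
        path = unquote(raw_path).split("?", 1)[0].lower()
        if not path.startswith("/idm/debug/"):
            continue
        # Sources are assumed to be logged as numeric IP addresses.
        if ipaddress.ip_address(src) in ADMIN_NET:
            severity = "expected"
        elif status.startswith("2"):
            severity = "investigate"  # debug page served to a non-admin source
        else:
            severity = "review"       # request that was not served
        hits.append((src, path, int(status), severity))
    return hits
```

A source address outside the administrator range that receives a 2xx response is the case to check against the list of accounts holding the Debug capability.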
Identity Manager IDE
The Identity Manager Integrated Development Environment (IDE) provides a graphical view of Identity Manager forms, rules, and workflows. It is a fully integrated NetBeans plugin that is distributed with Identity Manager in the Identity Manager distribution package.
Using the IDE, you create and edit forms that establish the features available on each Identity Manager page. You can also modify Identity Manager workflows, which define the sequence of actions followed or tasks performed when working with Identity Manager user accounts. Additionally, you can modify rules defined in Identity Manager that determine workflow behaviors.
Figure 2-6 Identity Manager IDE interface
To download the Identity Manager IDE, visit this website:
https://identitymanageride.dev.java.net/
You can also use the Business Process Editor (BPE) to make customizations, if you have it installed with earlier versions of Identity Manager.
Where to Go from Here
After you become familiar with Identity Manager interfaces and the ways that you can find information, use the following reference to guide you to the topics you want to focus on: