Sun Java[TM] System Identity Manager 7.1 Administration

Contents


List of Figures

List of Tables

Preface
Who Should Use This Book
Before You Read This Book
Conventions Used in This Book
Typographic Conventions
Symbols
Related Documentation
Books in This Documentation Set
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Chapter 1   Identity Manager Overview
The Big Picture
Goals of the Identity Manager System
Defining User Access
User Types
Delegating Administration
Identity Manager Objects
User Accounts
Roles
Resources and Resource Groups
Organizations and Virtual Organizations
Directory Junctions
Capabilities
Admin Roles
Policies
Audit Policies
Object Relationships

Chapter 2   Getting Started with Identity Manager
Identity Manager Interfaces
Identity Manager Administrator Interface
Administrator Interface Logon
Identity Manager User Interface
Customizing the User Interface
Identity Manager IDE
Help and Guidance
Identity Manager Help
Finding Information
Search Behavior
Advanced Query Syntax
Identity Manager Guidance
Logging In to Identity Manager
Forgotten User ID
Identity Manager Tasks
Where to Go from Here

Chapter 3   User and Account Management
About User Account Data
Identity
Assignments
Security
Delegations
Attributes
Compliance
The Accounts Area of the Interface
Actions Lists in the Accounts Area
Searching in the Accounts List Area
User Account Status
Working with User Accounts
Users
View
Create (New Actions List, New User Selection)
Edit
Move Users (User Actions)
Rename (User Actions)
Disable Users (User Actions, Organization Actions)
Enable Users (User Actions, Organization Actions)
Update Users (User Actions, Organization Actions)
Unlock Users (User Actions, Organization Actions)
Deletion (User Actions, Organization Actions)
Passwords
Finding Accounts
Bulk Account Actions
Launching Bulk Account Actions
Using Action Lists
Bulk Action View Attributes
Working with User Account Passwords
Changing User Account Passwords
Resetting User Account Passwords
Password Expiration on Reset
Managing Account Security and Privileges
Setting Password Policies
Creating a Policy
Dictionary Policy Selection
Password History Policy
Must Not Contain Words
Must Not Contain Attributes
Implementing Password Policies
User Authentication
Personalized Authentication Questions
Bypassing the Change Password Challenge after Authentication
Assigning Administrative Privileges
User Self-Discovery
Enabling Self-Discovery
Correlation and Confirmation Rules
Correlation Rules
Confirmation Rules
Anonymous Enrollment
Enabling Anonymous Enrollment
Configuring Anonymous Enrollment
User Enrollment Process

Chapter 4   Configuration
Understanding and Managing Roles
What are Roles?
Creating Roles
Editing Assigned Resource Attribute Values
Managing Roles
Renaming Roles
Synchronizing Identity Manager Roles and Resource Roles
Configuring Identity Manager Resources
What are Resources?
The Resources Area in the Interface
Managing the Resources List
Creating Resources
Managing Resources
Working with Account Attributes
Resource Groups
Global Resource Policy
Setting additional Timeout values
Bulk Resource Actions
Identity Manager ChangeLogs
What are ChangeLogs?
ChangeLogs and Security
ChangeLogs Feature Requirements
Configuring ChangeLogs
ChangeLog Policies Summary
ChangeLogs Summary
Saving ChangeLog Configuration Changes
Creating and Editing ChangeLog Policies
Creating and Editing ChangeLogs
Example
Example: Define Identity Attributes
Example: Configure the ChangeLog
CSV File Format in ChangeLogs
Columns
Rows
Text Values
Binary Values
Multi-Text Values
Multi-Binary Values
Formatting Examples
ChangeLog Filenames
Configuring Rotations and Sequences
Writing ChangeLog Scripts
Configuring Identity Attributes and Events
Working with Identity Attributes
Selecting Applications
Adding and Editing Identity Attributes
Adding Target Resources
Removing Target Resources
Importing Identity Attributes
Configuring Identity Events
Configuring Identity Manager Policies
What are Policies?
Must Not Contain Attributes in Policies
Dictionary Policy
Configuring the Dictionary Policy
Implementing the Dictionary Policy
Customizing Email Templates
Editing an Email Template
HTML and Links in Email Templates
Allowable Variables in the Email Body
Configuring Audit Groups and Audit Events
Editing Events in the Audit Configuration Group
Adding Events to the Audit Configuration Group
Remedy Integration
Configuring Identity Manager Server Settings
Reconciler Settings
Scheduler Settings
Email Template Server Settings
JMX
Editing Default Server Settings

Chapter 5   Administration
Understanding Identity Manager Administration
Delegated Administration
Creating Administrators
Filtering Administrator Views
Changing Administrator Passwords
Challenging Administrator Actions
Changing Answers to Authentication Questions
Customizing Administrator Name Display in the Administrator Interface
Understanding Identity Manager Organizations
Creating Organizations
Assigning Users to Organizations
Key Definitions and Inclusions
Assigning Organization Control
Understanding Directory Junctions and Virtual Organizations
Setting Up Directory Junctions
Refreshing Virtual Organizations
Deleting Virtual Organizations
Understanding and Managing Capabilities
Capabilities Categories
Working with Capabilities
Create a Capability
Edit a Capability
Save and Rename a Capability
Assigning Capabilities
Capabilities Hierarchy
Capabilities Definitions
Understanding and Managing Admin Roles
Admin Role Rules
The User Admin Role
Creating and Editing Admin Roles
General Tab
Scope of Control
Assigning Capabilities
Assigning User Forms to an Admin Role
Managing Work Items
Work Item Types
Working With Work Item Requests
Viewing Work Item History
Delegating Work Items
Audit Log Entries
Viewing Current Delegations
Viewing Previous Delegations
Creating Delegations
Ending Delegations
Account Approvals
Setting Up Approvers
Signing Approvals
Signing Subsequent Approvals
Configuring Digitally Signed Approvals and Actions
Server-Side Configuration for Signed Approvals
Client-Side Configuration for Signed Approvals
Prerequisites
Procedure
Viewing the Transaction Signature

Chapter 6   Data Synchronization and Loading
Data Synchronization Tools: Which to Use?
Discovery
Extract to File
Load from File
About CSV File Format
Load from Resource
Reconciliation
About Reconciliation Policies
Editing Reconciliation Policies
Starting Reconciliation
Canceling Reconciliation
Viewing Reconciliation Status
Working with the Account Index
Searching the Account Index
Examining the Account Index
Working with Accounts
Working with Users
Active Sync Adapters
Configuring Synchronization
Editing the Synchronization Policy
Editing Active Sync Adapters
Tuning Active Sync Adapter Performance
Changing Polling Intervals
Specifying the Host Where the Adapter Will Run
Starting and Stopping
Adapter Logging

Chapter 7   Reporting
Working with Reports
Reports
Creating Reports
Cloning Reports
Emailing Reports
Running Reports
Scheduling Reports
Downloading Report Data
Configuring Fonts for Report Output
Report Types
Auditor
The AuditLog
Real Time
Summary Reports
SystemLog
Usage Reports
Usage Report Charts
Risk Analysis
System Monitoring
Tracked Event Configuration
Working with Graphs
View Defined Graphs
Create Graphs
Edit Graphs
Delete Graphs
Working with Dashboards
Creating Dashboards
Edit Dashboards
Deleting Dashboards
Searching Transactions

Chapter 8   Task Templates
Enabling the Task Templates
Configuring the Task Templates
Configuring the General Tab
For the Create User or Update User Templates
For the Delete User Template
Configuring the Notification Tab
Configuring Administrator Notifications
Configuring User Notifications
Configuring the Approvals Tab
Enabling Approvals
Specifying Additional Approvers
Configuring the Approval Form
Configuring the Audit Tab
Configuring the Provisioning Tab
Configuring the Sunrise and Sunset Tab
Configuring Sunrises
Configuring Sunsets
Configuring the Data Transformations Tab

Chapter 9   PasswordSync
What is PasswordSync?
Before You Install
Install Microsoft .NET 1.1
Uninstall Previous Versions of PasswordSync
Installing PasswordSync
Configuring PasswordSync
Debugging PasswordSync
Error Logs
Trace Logs
Registry Keys
Uninstalling PasswordSync
Deploying PasswordSync
Configuring a JMS Listener Adapter
Implementing the Synchronize User Password Workflow
Setting Up Notifications
Configuring PasswordSync with a Sun JMS Server
Overview
Sample Scenario
Solution Overview
JMS Overview
JMS Settings Parameters
JMS Properties Parameters
Creating and Storing Administered Objects
Storing Administered Objects in an LDAP Directory
Storing Administered Objects in a File
Configuring the JMS Listener Adapter for this Scenario
Configuring Active Sync
Debugging Your Configuration
Failover Deployment for PasswordSync
Frequently Asked Questions about PasswordSync
Can PasswordSync be implemented without a Java Messaging Service?
Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?
Can the PasswordSync servlet be installed on a different application server than Identity Manager?
Does the PasswordSync service send passwords over to the lh server in clear text?
Sometimes password changes result in com.waveset.exception.ItemNotLocked?

Chapter 10   Security
Security Features
Limiting Concurrent Login Sessions
Password Management
Pass-through Authentication
About Login Applications
Login Constraint Rules
Editing Login Applications
Setting Identity Manager Session Limits
Disabling Access to Applications
Editing Login Module Groups
Editing Login Modules
Configuring Authentication for Common Resources
Configuring X509 Certificate Authentication
Prerequisites
Configuring X509 Certificate Authentication in Identity Manager
Creating and Importing a Login Configuration Rule
Testing the SSL Connection
Diagnosing Problems
Cryptographic Use and Management
Cryptographically Protected Data
Server Encryption Key Questions and Answers
Where do server encryption keys come from?
Where are server encryption keys maintained?
How does the server know which key to use for decryption and re-encryption of encrypted data?
How do I update server encryption keys?
What happens to existing encrypted data if the "current" server key is changed?
What happens when you import encrypted data for which an encryption key is not available?
How are server keys protected?
Can I export the server keys for safe external storage?
What data is encrypted between the server and gateway?
Gateway Key Questions and Answers
Where do the gateway keys come from to encrypt or decrypt data?
How are gateway keys distributed to the gateways?
Can I update the gateway keys used to encrypt or decrypt the server-to-gateway payload?
Where are the gateway keys stored on the server, on the gateway?
How are gateway keys protected?
Can I export the gateway key for safe external storage?
How are server and gateway keys destroyed?
Managing Server Encryption
Security Practices
At Setup
During Use

Chapter 11   Identity Auditing
About Identity Auditing
Goals of Identity Auditing
Understanding Identity Auditing
Policy-Based Compliance
Continuous Compliance
Periodic Compliance
Logical Task Flow for Policy-Based Compliance
Periodic Access Reviews
Enabling Audit Logging
Email Templates
Administrator Interface Compliance Area
Manage Policies
Manage Access Scans
Access Review
About Audit Policies
Audit Policy Rules
Remediation Workflows
Remediators
Sample Audit Policy Scenario
Working with Audit Policies
Creating an Audit Policy
Before You Begin
Name and Describe the Audit Policy
Select a Rule Type
Select an Existing Rule
Select a Remediation Workflow
Select Remediators and Timeouts for Remediations
Select Organizations that Can Access this Policy
Creating a New Rule by Using the Rule Wizard
Editing an Audit Policy
The Edit Policy Page
Remediators Area
Remediation Workflow and Organizations Area
Sample Policies
Deleting an Audit Policy
Troubleshooting Audit Policies
Debugging Rules
Problem
Resolution
Problem
Resolution
Assigning Audit Policies
Audit Policy Scans and Reports
Scanning Users and Organizations
Working with Auditor Reports
Creating an Auditor Report
Compliance Violation Remediation and Mitigation
About Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Remediation Email Template
Working with the Remediations Page
Viewing Policy Violations
Viewing Pending Requests
Viewing Completed Requests
Updating the Table
Prioritizing Policy Violations
Mitigating Policy Violations
From the Remediations Page
Remediating Policy Violations
Forwarding Remediation Requests
Editing a User from a Remediation Work Item
Periodic Access Reviews and Attestation
About Periodic Access Reviews
Access Review Scans
Attestation
Planning for a Periodic Access Review
Tuning Scan Tasks
Creating an Access Scan
Deleting an Access Scan
Managing Access Reviews
Launching an Access Review
Scheduling Access Review Tasks
Managing Access Review Progress
Modifying Scan Attributes
Canceling an Access Review
Deleting an Access Review
Managing Attestation Duties
Access Review Notification
Viewing Pending Requests
Acting on Entitlement Records
Closed-Loop Remediation
Forwarding Attestation Work Items
Digitally Signing Access Review Actions
Access Review Reports
Access Review Remediation
About Access Review Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Working with the Remediations page
Unsupported Access Review Remediation Actions
Identity Auditing Tasks Reference

Chapter 12   Audit Logging
Overview
What Does Identity Manager Audit?
Creating Events
Auditing from Workflow
Examples
Audit Configuration
filterConfiguration
Account Management
Compliance Management
Configuration Management
Identity Manager Login/Logoff
Password Management
Resource Management
Role Management
Security Management
Task Management
Changes Outside Identity Manager
Service Provider Edition
extendedTypes
extendedActions
extendedResults
publishers
Database Schema
waveset.log
waveset.logattr
Log Database Keys
ObjectTypes, Actions, and Results
Reasons
Preventing Audit Log Tampering
Configuring tamper-resistant logging
Using Custom Publishers
Developing Publishers
Lifecycle
Configuration
Developing Formatters
Registering Publishers/Formatters

Chapter 13   Service Provider Administration
Overview of Service Provider Features
Enhanced End-User Pages
Password and Account ID policy
Identity Manager and Service Provider Synchronization
Access Manager integration
Initial Configuration
Edit Main Configuration
Directory Configuration
User Forms and Policy
Transaction Database
Tracked Event Configuration
Synchronization Account Indexes
Callout Configuration
Edit User Search Configuration
Transaction Management
Setting Default Transaction Execution Options
Setting Transaction Persistent Store
Set Advanced Transaction Processing Settings
Monitoring Transactions
Delegated Administration
Delegation Through Organization Authorization
Delegation Through Admin Role Assignment
Enabling Service Provider Admin Role Delegation
Configuring a Service Provider User Admin Role
Delegating Service Provider User Admin Roles
Administering Service Provider Users
User Organizations
Create Users and Accounts
Search Service Provider Users
Advanced Search
Search Results
Link Accounts
Delete, Unassign, or Unlink Accounts
Set Search Options
End-User Interface
Sample
Registration
Home and Profile Screens
Synchronization
Configure Synchronization
Monitor Synchronization
Start and Stop Synchronization
Migrate Users
Configuring Service Provider Audit Events

Appendix A   lh Reference
Usage
Usage Notes
class
commands
Examples
export command
Usage
Options
license command
Usage
Options
Examples
syslog command
Usage
Options

Appendix B   Advanced Search for Online Documentation
Wildcard Characters
Query Operators
Rules of Precedence
Default Operators

Appendix C   Audit Log Database Schema
Oracle
DB2
MySQL
Sybase
Audit Log Database Mappings

Appendix D   Active Sync Wizard
Overview
Setting Up Synchronization
Synchronization Mode
Running Settings
General Active Sync Settings
Event Types
Process Selection
Target Resources
Target Attribute Mappings

Index




Part No: 820-0816-10.   Copyright 2007 Sun Microsystems, Inc. All rights reserved.