Chapter 2 Getting Started with the Identity Manager User Interface

Read this chapter to learn about the Identity Manager graphical user interfaces (UI) and how you can quickly begin using Identity Manager.

Topics covered include:

• Identity Manager Administrator Interface

• Logging in to the Identity Manager Administrator Interface

• Identity Manager End-User Interface

• Logging in to the Identity Manager End-User Interface

• Help and Guidance

• The Identity Manager Debug Page

• Identity Manager IDE

• Where to Go from Here

Identity Manager Administrator Interface

The Identity Manager system includes two primary graphical interfaces through which users perform tasks. These interfaces are the end-user interface and the administrator interface. The end-user interface (also called the User interface) is discussed later in this chapter on Identity Manager End-User Interface. The Administrator interface is discussed here.

The Identity Manager Administrator interface serves as the primary administrative view of the product. Through this interface, Identity Manager administrators manage users, set up and assign resources, define rights and access levels, and audit compliance in the Identity Manager system.

Interface organization is represented by these elements:

• Navigation bar tabs. Located at the top of each interface page, these tabs let you navigate major functional areas.

• Subtabs or menus. Depending on your specific implementation, you may see secondary tabs or menus below each navigation bar tab. These subtab or menu selections let you access tasks within a functional area.

In some areas, such as Accounts, tabbed forms divide longer forms into one or more pages, enabling you to navigate them more easily. This is illustrated in Figure 2–1.

A quick reference to performing administrative tasks in the UI is available in Appendix C, User Interface Quick Reference.

Figure 2–1 Identity Manager Administrator Interface

Logging in to the Identity Manager Administrator Interface

To Open the Administrator Interface

1. Open a Web browser and type the following URL into the address bar:

   http://<AppServerHost>:<Port>/idm/login.jsp

2. Enter your user ID and password and click Log In.

   The Administrator interface opens if your User ID has assigned capabilities and an assigned controlled organization.

Session Limits and Cookies

If cookies are enabled in the administrator’s Web browser, administrators will remain logged on to the Administrator interface up to the time allotted by the configured session limit. If cookies are disabled in the browser, then certain actions will cause the system to prompt the administrator to log in again during the session.

These actions include:

• Administrator, role, and organization rename cancellation

• Organization deletion cancellation

• User login module and admin login module creation

To avoid multiple login requests, cookies should be enabled.

Forgotten User ID

Identity Manager allows an administrator to retrieve his or her forgotten user ID. When an administrator clicks Forgot Your User ID? from the login page, a lookup page appears and requests identity attribute information associated with the account, such as first and last name, email address, or phone number.

Identity Manager then constructs a query to find a single user matching the entered values. If no match is found, or multiple matches are found, then an error message appears on the Lookup User ID page.

The lookup feature is enabled by default, but you can use one of the following actions to disable this feature:

• Set forgotUserIdMode in login.jsp to a value of false.

• Edit the system configuration object and set the disableForgotUserId attribute to a value of true for the admin attribute and/or the user attribute.

  For instructions on editing the system configuration object, see Editing Identity Manager Configuration Objects.

If you upgrade from an earlier Identity Manager version to version 8.1, the Forgot Your User ID? feature will be disabled by default.

To enable this feature, you must modify the following attributes in the System Configuration object (Editing Identity Manager Configuration Objects):

ui.web.user.disableForgotUserId = false
ui.web.admin.disableForgotUserId = false

The set of user attribute names presented are configured through the system configuration attributes security.authn.lookupUserIdAttributes.<Administrator Interface | User Interface>. The attributes that can be specified are those defined as queryable attributes in the IDM Schema Configuration configuration object.

If recovered, then Identity Manager sends email to the email address of the recovered user by using the User ID Recovery email template.

Identity Manager End-User Interface

The Identity Manager end-user interface (also known as the “Identity Manager User interface”) presents a limited view of the Identity Manager system. This view is specifically tailored to users without administrative capabilities.

For instructions on how to log on to the end-user interface, see Logging in to the Identity Manager End-User Interface.

A user can perform various activities from the User interface, such as changing their password, performing self-provisioning tasks, and managing work items and delegations.

Identity Manager can be configured so that users can request an account by clicking a link on the end-user interface login page. For details, see Anonymous Enrollment.

The Five End-User Interface Tabs

The end-user interface is organized into five sections:

Home Tab

When a user logs in to the Identity Manager User interface, any pending work items and delegations for the user are displayed on the Home tab, as illustrated in the following figure.

Figure 2–2 User Interface (Home Tab)

The Home tab provides quick access to any pending items. Users can click an item in the list to respond to a work item request or perform other available actions.

Work Items Tab

The Work Items tab is further divided into separate Approvals, Attestations, Remediations, and Other tabs. In this area of the user interface users can approve or reject any pending work items that the user owns or has the authority to act on.

Requests Tab

The Requests tab has two subtabs: Launch Requests and View.

On the Launch Requests tab users have two choices: Update My Roles and Update My Resources.

• On the Update My Roles page, users can request from a list of available roles that may be appropriate for the user. When the end-user submits a role request, a work item is generated and an approval notification is sent to the designated approvers for that role. End-users can also request that they be removed or deassigned from one or more roles.

  See the Chapter 5, Roles and Resources chapter for information on how to create optional roles that end-users can request access to.

• On the Update My Resources page, users can request from a list of individual resources that may be appropriate for the user. As with role-requests, resource-requests generate work items that require an approval before they can be processed.

The View subtab displays status details for requests submitted by the user. From this area users can view the process status and task results for the requests they submit.

Delegations Tab

From the Delegations tab, users can delegate work items to other Identity Manager users. For example, a user who is the assigned approver for one or more roles can designate that future approval work items be sent to a colleague for a certain amount of time while the user is away on vacation. Using the Delegations page, users can create and manage delegations without requiring the assistance of an administrator.

Profile Tab

End-users can manage their Identity Manger password and account attribute settings from the Profile tab. This tab is divided into the following four subtabs:

• Change Password. End-users can change their password on a selected resource or on all resources.

• Account Attributes. End-users can change certain attributes, such as the account email address that Identity Manager sends account notifications to.

• Authentication Questions. Used to manage authentication questions and answers for the user account.

• Access Privileges. Lists the user’s currently assigned role and resource assignments.

Logging in to the Identity Manager End-User Interface

Use the following instructions to log into the Identity Manager End-User Interface.

To Open the End-User Interface

1. Open a Web browser and type the following URL into the address bar:

   http://<AppServerHost>:<Port>/idm/user/login.jsp

2. Enter a user ID and password and click Log In.

   The end-user interface opens.

Retrieving Forgotten User IDs

Identity Manager allows end-users to retrieve their forgotten user IDs. For more information, see Forgotten User ID in the Logging in to the Identity Manager Administrator Interface section.

Help and Guidance

To successfully complete some tasks, you might need to consult Help and Identity Manager guidance (field-level information and instructions). Help and guidance are available from the Identity Manager Administrator and User interfaces.

Identity Manager Help

For task-related help and information, click the Help button, which is located at the top of each Administrator and User interface page, as depicted in the following figure.

Figure 2–3 Help Button in the Identity Manager Interface

At the bottom of each Help window is a Contents link that guides you to other Help topics and the Identity Manager terms glossary.

Identity Manager Guidance

Identity Manager guidance is brief, targeted help that appears next to many page fields. Its goal is to help you enter information or make selections as you move through a page to perform a task.

A symbol marked with the letter “i” displays next to fields with guidance. Click the symbol to open a window and display its associated information.

Figure 2–4 Identity Manager Guidance

The Identity Manager Debug Page

The administrator interface includes pages that are useful when you need to optimize Identity Manager or troubleshoot a problem. To access these pages open the Identity Manager Debug Page, which is also called the System Settings page.

To open the Identity Manager Debug Page, type the following URL into your browser. (Depending on your platform and configuration, URLs may be case-sensitive.)

http://<AppServerHost>:<Port>/idm/debug/session.jsp

Users must have the Debug capability to view /idm/debug/ pages. For information about capabilities, see Assigning Capabilities to Users.

Figure 2–5 The Identity Manager Debug Page (System Settings)

For information about troubleshooting Identity Manager, seeChapter 5, Tracing and Troubleshooting, in Sun Identity Manager 8.1 System Administrator’s Guide.

Identity Manager IDE

The Sun Identity Manager Integrated Development Environment (Identity Manager IDE) provides a graphical view of Identity Manager forms, rules, and workflows. It is a fully integrated NetBeans plugin that is distributed with Identity Manager in the Identity Manager distribution package.

Using the Identity Manager IDE, you create and edit forms that establish the features available on each Identity Manager page. You can also modify Identity Manager workflows, which define the sequence of actions followed or tasks performed when working with Identity Manager user accounts. Additionally, you can modify rules defined in Identity Manager that determine workflow behaviors.

Figure 2–6 Identity Manager IDE Interface

To download the Identity Manager IDE, visit this website:

https://identitymanageride.dev.java.net/

You can also use the Business Process Editor (BPE) to make customizations, if you have it installed with earlier versions of Identity Manager.

Where to Go from Here

After you become familiar with Identity Manager interfaces and the ways that you can find information, use the following reference to guide you to the topics you want to focus on: