Sun Identity Manager 8.1 Business Administrator's Guide

Creating and Managing Administrators

To Create an Administrator

To create an administrator, assign one or more capabilities to a user and designate the organizations to which the capabilities will apply.

  1. In the Administrator interface, click Accounts in the menu bar.

    The User List page opens.

  2. To give an existing user administrative privileges, click the user name (the Edit User page opens), then click the Security tab.

    If a new user account needs to be created, see Creating Users and Working with User Accounts.

  3. Specify attributes to establish administrative control.

    Available attributes include:

    • Capabilities. Select one or more capabilities that should be assigned to this administrator. This information is required. For more information, see Understanding and Managing Capabilities.

    • Controlled Organizations. Select one or more organizations that should be assigned to the administrator. The administrator will control objects in the assigned organization and in any organizations beneath it in the hierarchy. This information is required. For more information, see Understanding Identity Manager Organizations.

    • User Form. Select the user form that this administrator will use when creating and editing Identity Manager users (if that capability is assigned). If you do not directly assign a user form, the administrator will inherit the user form assigned to the organization he belongs to. The form selected here supersedes any form selected within this administrator’s organization.

    • Forward Approval Requests To. Select a user to whom all currently pending approval requests will be forwarded. This administrator setting can also be set from the Approvals page.

    • Delegate Work Items To. If available, use this option to specify delegations for this user account. You can specify the administrator’s manager, one or more selected users, or use a delegate approvers rule.

    Figure: User Account Security page, Specifying Administrator Privileges

Filtering Administrator Views

By assigning user forms to organizations and administrators, you establish specific administrator views of user information.

Access to user information is set at two levels:

Understanding and Managing Capabilities describes built-in Identity Manager capabilities that you can assign.

Changing Administrator Passwords

Administrator passwords may be changed by an administrator who has been assigned the capability to change administrator passwords, or by the administrator who owns the account.

Administrators can change another administrator’s password using these forms:

An administrator can change his own password from the Passwords area. Click Passwords in the menu, then click Change My Password.

Note – The Identity Manager account policy applied to the account determines password limitations, such as password expiration, reset options, and notification selections. Additional password limitations may be set by password policies set on the administrator’s resources.

Challenging Administrator Actions

Identity Manager can be configured to prompt administrators for a password before processing certain account changes. If authentication fails, then the account changes will be cancelled.

There are three forms that administrators can use to change user passwords. These are the Tabbed User form, the Change User Password form, and the Reset User Password form. To ensure that administrators are required to enter their password before Identity Manager processes user account changes, be sure to update all three forms.

To Enable the Challenge Option for Tabbed User Forms

To require a password challenge on the Tabbed User form, follow these steps.

  1. In the Administrator interface, open the Identity Manager debug page (see The Identity Manager Debug Page) by typing the following URL into your browser. (You must have the Debug capability to open this page.)

    http://<AppServerHost>:<Port>/idm/debug/session.jsp

    The System Settings page (Identity Manager debug page) opens.

  2. Find the List Objects button, select UserForm from the drop-down menu, then click the List Objects button.

    The List Objects of type: UserForm page opens.

  3. Locate the copy of the Tabbed User Form that you have in production and click edit. (The Tabbed User Form distributed with Identity Manager is a template and should not be modified.)

  4. Add the following code snippet inside the <Form> element:

    <Properties>
      <Property name='RequiresChallenge'>
        <List>
          <String>password</String>
          <String>email</String>
          <String>fullname</String>
        </List>
      </Property>
    </Properties>

    The property value is a list that can contain one or more of the following user view attribute names:

    • applications

    • adminRoles

    • assignedLhPolicy

    • capabilities

    • controlledOrganizations

    • email

    • firstname

    • fullname

    • lastname

    • organization

    • password

    • resources

    • roles

  5. Save your changes.

To Enable the Challenge Option for Change User Password and Reset User Password Forms

To require a password challenge on the Change User Password and Reset User Password forms, follow these steps:

  1. In the Administrator interface, open the Identity Manager debug page (see The Identity Manager Debug Page) by typing the following URL into your browser. (You must have the Debug capability to open this page.)

    http://<AppServerHost>:<Port>/idm/debug/session.jsp

    The System Settings page (Identity Manager debug page) opens.

  2. Locate the List Objects button, select UserForm from the drop-down menu, then click the List Objects button.

    The List Objects of type: UserForm page opens.

  3. Locate the copy of the Change Password User Form that you have in production and click edit. (The Change Password User Form distributed with Identity Manager is a template and should not be modified.)

  4. Locate the <Form> element, then go to the <Properties> element.

  5. Add the following line inside the <Properties> element and save your changes.

    <Property name='RequiresChallenge' value='true'/>

  6. Repeat steps 3 through 5, except edit the copy of the Reset User Password Form that you have in production.
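As an added example that is not part of this guide: a small Python audit script that parses exported copies of the three forms and reports whether RequiresChallenge is set on each, in either of the two shapes the procedures above describe (the attribute list for the Tabbed User Form, value='true' for the password forms). The form XML below is constructed for the example, and the function names are my own, not Identity Manager's.

```python
import xml.etree.ElementTree as ET

# Attribute names the guide lists as valid entries for the Tabbed User Form's list.
VALID_CHALLENGE_ATTRS = {
    "applications", "adminRoles", "assignedLhPolicy", "capabilities",
    "controlledOrganizations", "email", "firstname", "fullname", "lastname",
    "organization", "password", "resources", "roles",
}

def requires_challenge(form_xml):
    """Return (enabled, attrs, unknown) for a form's RequiresChallenge property.
    enabled: property present with value='true' or a non-empty attribute list
    attrs:   attribute names listed (empty for the value='true' shape)
    unknown: listed names the guide does not document (probable typos)"""
    root = ET.fromstring(form_xml)
    form = root if root.tag == "Form" else root.find(".//Form")  # tolerate wrappers
    if form is None:
        raise ValueError("no <Form> element")
    prop = form.find("./Properties/Property[@name='RequiresChallenge']")
    if prop is None:
        return False, [], []
    if prop.get("value", "").lower() == "true":
        return True, [], []
    attrs = [s.text.strip() for s in prop.findall("./List/String") if s.text]
    unknown = sorted(set(attrs) - VALID_CHALLENGE_ATTRS)
    return bool(attrs), attrs, unknown

# Constructed sample forms: a Tabbed User Form copy with a list (one typo), a Change
# User Password copy with value='true', and a Reset User Password copy never updated.
TABBED = """<Form name='Tabbed User Form copy'><Properties>
  <Property name='RequiresChallenge'><List>
    <String>password</String><String>email</String><String>fullnmae</String>
  </List></Property></Properties></Form>"""
CHANGE_PW = """<Form name='Change User Password Form copy'><Properties>
  <Property name='RequiresChallenge' value='true'/></Properties></Form>"""
RESET_PW = "<Form name='Reset User Password Form copy'><Properties/></Form>"

def audit(forms):
    """Map form name -> (enabled, attrs, unknown). Any False entry means an
    administrator can change that form's fields without re-entering a password."""
    return {name: requires_challenge(xml) for name, xml in forms.items()}

if __name__ == "__main__":
    results = audit({"tabbed": TABBED, "change": CHANGE_PW, "reset": RESET_PW})
    for name, (enabled, attrs, unknown) in results.items():
        print(f"{name}: challenge={'on' if enabled else 'OFF'} attrs={attrs} unknown={unknown}")
```

Run it against the XML of each production copy; a form reported OFF or with an unknown name is one where the challenge step was skipped or mistyped.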

Changing Answers to Authentication Questions

Use the Passwords area to change the answers you have set for account authentication questions. From the menu bar, select Passwords, and then select Change My Answers.

For more information about authentication, see the User Authentication section in Chapter 3, User and Account Management.

Customizing Administrator Name Display in the Administrator Interface

You can display an Identity Manager administrator by attribute (such as email or fullname) rather than by accountId in some Identity Manager Administrator interface pages and areas.

For example, you can display Identity Manager administrators by attribute in the following areas:

To configure Identity Manager to use a display name, add to the UserUIConfig object:

<AdminDisplayAttribute>
  <String>attribute_name</String>
</AdminDisplayAttribute>

For example, to use the email attribute as the display name, add the following attribute name to UserUIConfig:

<AdminDisplayAttribute>
  <String>email</String>
</AdminDisplayAttribute>