Sun[TM] Identity Manager 8.0 Administration 

Contents


List of Tables

List of Figures

Preface
Who Should Use This Book
Before You Read This Book
Conventions Used in This Book
Typographic Conventions
Symbols
Related Documentation
Books in This Documentation Set
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Chapter 1   Identity Manager Overview
The Big Picture
Goals of the Identity Manager System
Defining User Access to Resources
User Types
Delegating Administration
Identity Manager Objects
User Accounts
Roles
Resources and Resource Groups
Organizations and Virtual Organizations
Directory Junctions
Capabilities
Admin Roles
Policies
Audit Policies
Object Relationships

Chapter 2   Getting Started with the Identity Manager UI
Identity Manager Administrator Interface
Logging in to the Identity Manager Administrator Interface
Session Limits and Cookies
Forgotten User ID
Identity Manager End-User Interface
The Five End-User Interface Tabs
Home
Work Items
Requests
Delegations
Profile
Logging in to the Identity Manager End-User Interface
Forgotten User ID
Help and Guidance
Identity Manager Help
Identity Manager Guidance
The Identity Manager Debug Page
Identity Manager IDE
Where to Go from Here

Chapter 3   User and Account Management
The Accounts Area of the Interface
Actions Lists in the Accounts Area
Searching in the Accounts List Area
User Account Status
The User Pages (Create/Edit/View)
Identity
Resources
Roles
Security
Delegations
Attributes
Compliance
Creating Users and Working with User Accounts
Enabling Process Diagrams
Creating Users
Creating Multiple Resource Accounts for a User
Why Assign Multiple Accounts per User per Resource?
Configuring Types of Accounts
Assigning Types of Accounts
Finding & Viewing User Accounts
Editing Users
Viewing User Accounts
Editing User Accounts
Reassigning Users to Another Organization
Renaming Users
Updating Resources Associated with an Account
Updating Resources on a Single User Account
Updating Resources on Multiple User Accounts
Deleting Identity Manager User Accounts
Deleting Resources from User Accounts
Deleting Resources from a Single User Account
Deleting Resources from Multiple User Accounts
Changing User Passwords
Changing Passwords from the User List Page
Changing Passwords from the Main Menu
Resetting User Passwords
Resetting Passwords from the User List Page
Expiring Passwords using the Identity Manager Account Policy
Disabling, Enabling, & Unlocking User Accounts
Disabling User Accounts
Enabling User Accounts
Unlocking User Accounts
Bulk Account Actions
Launching Bulk Account Actions
Using Action Lists
Bulk Action View Attributes
Correlation and Confirmation Rules
Correlation Rules
Confirmation Rules
Managing Account Security and Privileges
Setting Password Policies
Creating a Policy
Dictionary Policy Selection
Password History Policy
Must Not Contain Words
Must Not Contain Attributes
Implementing Password Policies
User Authentication
Personalized Authentication Questions
Bypassing the Change Password Challenge after Authentication
Assigning Administrative Privileges
User Self-Discovery
Enabling Self-Discovery
Anonymous Enrollment
Enabling Anonymous Enrollment
Configuring Anonymous Enrollment
User Enrollment Process

Chapter 4   Roles and Resources
Understanding and Managing Roles
What are Roles?
Putting Role Types to Work
Managing Roles Created In Versions Prior to Version 8.0
Using Role Types to Design Flexible Roles
Creating Roles
Completing the Create Role Form
Entering a Name and a Description for the Role
Assigning Resources and Resource Groups
Assigning Roles and Role Exclusions
Designating Role Owners and Role Approvers
Designating Notifications
Initiating Change-Approval and Approval Work Items
Editing and Managing Roles
Searching for Roles
Viewing Roles
Editing Roles
Cloning Roles
Assigning a Role to a Role
Removing a Role From a Role
Enabling and Disabling Roles
Deleting Roles
Assigning a Resource or Resource Group to a Role
Removing a Resource or Resource Group from a Role
Managing User Role Assignments
Assigning Roles to Users
Activating and Deactivating Roles on Specific Dates
Updating Roles Assigned to Users
Finding Users Assigned to a Role
Removing Roles Assigned to Users
Configuring Role Types
Configuring Role Types to be Directly Assignable to Users
Enabling Role Types for Assignable Activation Dates and Deactivation Dates
Enabling and Disabling Change-Approval and Change-Notification Work Items
Configuring the Maximum Number of Rows that the Role List Page will Load
Synchronizing Identity Manager Roles and Resource Roles
Understanding and Managing Resources
What are Resources?
The Resources Area in the Interface
Managing the Resources List
Opening the Configure Managed Resources Page
Enabling Resource Types
Adding a Custom Resource
Creating Resources
Managing Resources
View the Resource List
Edit a Resource Using the Resource Wizard
Edit a Resource Using the Resource List Command Options
Working with Account Attributes
Editing Resource Account Attributes
Resource Groups
Global Resource Policy
Setting additional Timeout values
Bulk Resource Actions

Chapter 5   Configuration & System Maintenance
Configuring Identity Manager Policies
What are Policies?
Opening the Policies Page
Policy Types
Must Not Contain Attributes in Policies
Dictionary Policy
Configuring the Dictionary Policy
Implementing the Dictionary Policy
Customizing Email Templates
Editing an Email Template
HTML and Links in Email Templates
Allowable Variables in the Email Body
Configuring Audit Groups and Audit Events
The Audit Configuration Page
Opening the Audit Configuration Page
Configuring Audit Groups
Remedy Integration
Configuring Identity Manager Server Settings
Reconciler Settings
Viewing Reconciler Status
Scheduler Settings
Email Template Server Settings
JMX
Configure JMX Polling Settings
Viewing JMX Data
Editing Default Server Settings
Configuring the End-User Interface
Enabling Process Diagrams in the End-User Interface
Registering Identity Manager
Registering Identity Manager from the Console
The register Command
Registering Identity Manager from the Administrator Interface
Editing Identity Manager Configuration Objects
Removing Records from the System Log

Chapter 6   Administration
Understanding Identity Manager Administration
Delegated Administration
Creating Administrators
Filtering Administrator Views
Changing Administrator Passwords
Challenging Administrator Actions
Enabling the Challenge Option for the Tabbed User Form
Enabling the Challenge Option for the “Change User Password” and “Reset User Password” Forms
Changing Answers to Authentication Questions
Customizing Administrator Name Display in the Administrator Interface
Understanding Identity Manager Organizations
Creating Organizations
Assigning Users to Organizations
User Members Rule Example
Assigning Organization Control
Understanding Directory Junctions and Virtual Organizations
Setting Up Directory Junctions
Refreshing Virtual Organizations
Deleting Virtual Organizations
Understanding and Managing Capabilities
Capabilities Categories
Working with Capabilities
View the Capabilities Page
Create a Capability
Edit a Capability
Save and Rename a Capability
Assigning Capabilities
Understanding and Managing Admin Roles
Admin Role Rules
The User Admin Role
Creating and Editing Admin Roles
General Tab
Scope of Control
Assigning Capabilities
Assigning User Forms to an Admin Role
The “End User” Organization
The End User Controlled Organization Rule
Managing Work Items
Work Item Types
Working With Work Item Requests
Viewing Work Item History
Delegating Work Items
Audit Log Entries
Viewing Current Delegations
Viewing Previous Delegations
Creating Delegations
Delegations to Deleted Users
Ending Delegations
Approvals
Setting Up Account Approvers
Signing Approvals
Signing Subsequent Approvals
Configuring Digitally Signed Approvals and Actions
Server-Side Configuration for Signed Approvals
Client-Side Configuration for Signed Approvals Using PKCS12
Prerequisites
Procedure
Client-Side Configuration for Signed Approvals Using PKCS11
Viewing the Transaction Signature

Chapter 7   Data Loading and Synchronization
Data Synchronization Tools: Which to Use?
Discovery
Extract to File
Load from File
About CSV File Format
Load from Resource
Reconciliation
Reconciliation in a Nutshell
About Reconciliation Policies
Editing Reconciliation Policies
Starting Reconciliation
Canceling Reconciliation
Viewing Reconciliation Status
Viewing Detailed Reconciliation Status
Viewing Reconciliation Status in the Resource List
Working with the Account Index
Searching the Account Index
Examining the Account Index
Working with Accounts
Working with Users
Using Task Schedule Repetition Rules
How Reconciliation Run Times are Scheduled
The “Accept All Dates” Sample Rule
Active Sync Adapters
Configuring Synchronization
Editing the Synchronization Policy
Editing Active Sync Adapters
Tuning Active Sync Adapter Performance
Changing Polling Intervals
Specifying the Host Where the Adapter Will Run
Starting and Stopping
Adapter Logging

Chapter 8   Reporting
Working with Reports
Report Types
Running Reports
Viewing Reports
Creating Reports
Editing and Cloning Reports
Emailing Reports
Scheduling Reports
Downloading Report Data
Configuring Report Output
Identity Manager Reports
AuditLog Reports
Individual User AuditLog Reports
Real Time Reports
Summary Reports
SystemLog Report
Usage Reports
Usage Report Charts
Workflow Report
Configuring Workflows to Capture Audit Timing Events
Specifying Attributes to Store for the Workflow Report
Defining the Workflow Report
Auditor Reports
Working with Graphs
Viewing Defined Graphs
Creating Graphs
Editing Graphs
Deleting Graphs
Working with Dashboards
Creating Dashboards
Editing Dashboards
Deleting Dashboards
System Monitoring
Tracked Event Configuration
Risk Analysis
Creating Risk Analysis Reports
Scheduling Risk Analysis Reports

Chapter 9   Task Templates
Enabling the Task Templates
Configuring the Task Templates
Configuring the General Tab
For the Create User or Update User Templates
For the Delete User Template
Configuring the Notification Tab
Configuring User Notifications
Configuring Administrator Notifications
Configuring the Approvals Tab
Enabling Approvals (Approvals Tab, “Approvals Enablement” Section)
Specifying Additional Approvers (Approvals Tab, “Additional Approvers” Section)
Configuring the Approval Form (Approvals Tab, “Approval Form Configuration” Section)
Configuring the Audit Tab
Configuring the Provisioning Tab
Configuring the Sunrise and Sunset Tab
Configuring Sunrises
Configuring Sunsets
Configuring the Data Transformations Tab

Chapter 10   Audit Logging
Overview
What Does Identity Manager Audit?
Creating Audit Events From Workflows
The com.waveset.session.WorkflowServices Application
Modifying Workflows to Log Standard Audit Events
Examples
Modifying Workflows to Log Timing Audit Events
Examples
What Information Do Timing Audit Events Store?
Audit Configuration
filterConfiguration
Account Management
Changes Outside Identity System
Compliance Management
Configuration Management
Event Management
Logins/Logoffs
Password Management
Resource Management
Role Management
Security Management
Service Provider Edition
Task Management
extendedTypes
extendedActions
extendedResults
publishers
Database Schema
waveset.log
waveset.logattr
Audit Log Truncation
Audit Log Configuration
Resizing Column Length Limits
Removing Records from the Audit Log
Preventing Audit Log Tampering
Configuring tamper-resistant logging
Using Custom Audit Publishers
Enabling Custom Audit Publishers
The Console, File, JDBC, & Scripted Publisher Types
The JMS Publisher Type
Why Use JMS?
Point-to-Point or Publish-and-Subscribe?
Configuring the JMS Publisher Type
The JMX Publisher Type
What is JMX?
Identity Manager’s JMX Publisher Implementation
Configuring the JMX Publisher Type
Viewing Audit Events with a JMX Client
Querying the MBean for Additional Information
Developing Custom Audit Publishers
Lifecycle
Configuration
Developing Formatters
Registering Publishers/Formatters

Chapter 11   PasswordSync
What is PasswordSync?
Before You Install
Install Microsoft .NET 1.1
Configure PasswordSync for SSL
Uninstall Previous Versions of PasswordSync
Installing PasswordSync on Windows
Configuring PasswordSync
Debugging PasswordSync on Windows
Error Logs
Uninstalling PasswordSync on Windows
Deploying PasswordSync on the Application Server
Adding and Configuring a JMS Listener Adapter
Implementing the Synchronize User Password Workflow
Setting Up Notifications
Configuring PasswordSync with a Sun JMS Server
Overview
Sample Scenario
Creating and Storing Administered Objects
Storing Administered Objects in an LDAP Directory
Storing Administered Objects in a File
Configuring the JMS Listener Adapter for this Scenario
Configuring Active Sync
Testing Your Configuration
Frequently Asked Questions about PasswordSync
Can PasswordSync be implemented without a Java Messaging Service?
Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?
Can the PasswordSync servlet be installed on a different application server than Identity Manager?
Does the PasswordSync service send passwords over to the lh server in clear text?
Sometimes password changes result in com.waveset.exception.ItemNotLocked?

Chapter 12   Security
Security Features
Limiting Concurrent Login Sessions
Password Management
Pass-through Authentication
About Login Applications
Login Constraint Rules
Editing Login Applications
Setting Identity Manager Session Limits
Disabling Access to Applications
Editing Login Module Groups
Editing Login Modules
Login Module Processing Logic
Configuring Authentication for Common Resources
Configuring X509 Certificate Authentication
Prerequisites
Configuring X509 Certificate Authentication in Identity Manager
Creating and Importing a Login Correlation Rule
Testing the SSL Connection
Diagnosing Problems
Cryptographic Use and Management
Cryptographically Protected Data
Server Encryption Key Questions and Answers
Where do server encryption keys come from?
Where are server encryption keys maintained?
How does the server know which key to use for decryption and re-encryption of encrypted data?
How do I update server encryption keys?
What happens to existing encrypted data if the "current" server key is changed?
What happens when you import encrypted data for which an encryption key is not available?
How are server keys protected?
Can I export the server keys for safe external storage?
What data is encrypted between the server and gateway?
Gateway Key Questions and Answers
Where do the gateway keys come from to encrypt or decrypt data?
How are gateway keys distributed to the gateways?
Can I update the gateway keys used to encrypt or decrypt the server-to-gateway payload?
Where are the gateway keys stored on the server, on the gateway?
How are gateway keys protected?
Can I export the gateway key for safe external storage?
How are server and gateway keys destroyed?
Managing Server Encryption
Using Authorization Types to Secure Objects
Security Practices
At Setup
During Use

Chapter 13   Identity Auditing: Basic Concepts
About Identity Auditing
Goals of Identity Auditing
Understanding Identity Auditing
Policy-Based Compliance
Continuous Compliance
Periodic Compliance
Logical Task Flow for Policy-Based Compliance
Periodic Access Reviews
Working with Identity Auditing in the Administrator Interface
The Compliance Section of the Interface
Manage Policies
Manage Access Scans
Access Reviews
Identity Auditing Tasks Interface Reference
Email Templates
Enabling Audit Logging
About Audit Policies
Creating a Policy with Audit Policy Rules
Addressing Policy Violations with Remediation Workflows
Designating Remediators
A Sample Audit Policy Scenario

Chapter 14   Auditing: Audit Policies
Working with Audit Policies
Audit Policy Rules
Creating an Audit Policy
Opening the Audit Policy Wizard
Creating an Audit Policy: Overview
Before You Begin
Identify the Rules You Need
(Optional) Import Separation of Duty Rules into Identity Manager
(Optional) Import a Workflow into Identity Manager
Name and Describe the Audit Policy
Select a Rule Type
Select an Existing Rule
Use the Rule Wizard to Create a New Rule
Add Additional Rules
Select a Remediation Workflow
Select Remediators and Timeouts for Remediations
Select Organizations that Can Access this Policy
Editing an Audit Policy
The Edit Policy Page
Edit Audit Policy Description
Edit Options
Delete a Rule from the Policy
Add a Rule to the Policy
Change a Rule used by the Policy
Remediators Area
Remove or Assign Remediators
Adjust Escalation Timeouts
Remediation Workflow and Organizations Area
Change the Remediation Workflow
Select Remediation User Form Rule
Assign or Remove Visibility to Organizations
Sample Policies
IDM Role Comparison Policy
IDM Account Accumulation Policy
Deleting an Audit Policy
Troubleshooting Audit Policies
Debugging Rules
Assigning Audit Policies
Resolving Auditor Capabilities Limitations

Chapter 15   Auditing: Monitoring Compliance
Audit Policy Scans and Reports
Scanning Users and Organizations
Working with Auditor Reports
Creating an Auditor Report
Configuring the Audited Attribute Report
Compliance Violation Remediation and Mitigation
About Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Remediation Email Template
Working with the Remediations Page
Viewing Policy Violations
Viewing Pending Requests
Viewing Completed Requests
Updating the Table
Prioritizing Policy Violations
Mitigating Policy Violations
From the Remediations Page
Remediating Policy Violations
Forwarding Remediation Requests
Editing a User from a Remediation Work Item
Periodic Access Reviews and Attestation
About Periodic Access Reviews
Access Review Scans
Attestation
Planning for a Periodic Access Review
Tuning Scan Tasks
Creating an Access Scan
Deleting an Access Scan
Managing Access Reviews
Launching an Access Review
Scheduling Access Review Tasks
Managing Access Review Progress
Modifying Scan Attributes
Canceling an Access Review
Deleting an Access Review
Managing Attestation Duties
Access Review Notification
Viewing Pending Requests
Acting on Entitlement Records
Closed-Loop Remediation
Forwarding Attestation Work Items
Digitally Signing Access Review Actions
Access Review Reports
Access Review Remediation
About Access Review Remediation
Remediator Escalation
Remediation Workflow Process
Remediation Responses
Working with the Remediations page
Unsupported Access Review Remediation Actions

Chapter 16   Data Exporter
What is Data Exporter?
Planning to Implement Data Exporter
Configuring Data Exporter
Defining Read and Write Connections
Defining the Warehouse Configuration Information
Configuring Warehouse Models
Configuring the Warehouse Task
Modifying the Configuration Object
Testing Data Exporter
Configuring Forensic Queries
Creating a Query
Saving a Forensic Query
Loading a Query
Maintaining Data Exporter
Monitoring Data Exporter
Monitoring Logging
Audit Logs
System Logs

Chapter 17   Service Provider Administration
Overview of Service Provider Features
Enhanced End-User Pages
Password and Account ID policy
Identity Manager and Service Provider Synchronization
Access Manager integration
Initial Configuration
Edit Main Configuration
Directory Configuration
User Forms and Policy
Transaction Database
Tracked Event Configuration
Synchronization Account Indexes
Callout Configuration
Edit User Search Configuration
Transaction Management
Setting Default Transaction Execution Options
Setting Transaction Persistent Store
Set Advanced Transaction Processing Settings
Monitoring Transactions
Delegated Administration
Delegation Through Organization Authorization
Delegation Through Admin Role Assignment
Enabling Service Provider Admin Role Delegation
Configuring a Service Provider User Admin Role
Delegating Service Provider User Admin Roles
Administering Service Provider Users
User Organizations
Create Users and Accounts
Search Service Provider Users
Advanced Search
Search Results
Link Accounts
Delete, Unassign, or Unlink Accounts
Set Search Options
End-User Interface
Sample
Registration
Home and Profile Screens
Synchronization
Configure Synchronization
Monitor Synchronization
Start and Stop Synchronization
Migrate Users
Configuring Service Provider Audit Events

Appendix A   lh Reference
Usage
Usage Notes
class
commands
Examples
syslog command
Usage
Options

Appendix B   Audit Log Database Schema
Oracle
DB2
MySQL
SQL Server
Audit Log Database Mappings

Appendix C   User Interface Quick Reference
Appendix D   Capabilities Definitions
Task-Based Capabilities Definitions
Functional Capabilities Definitions

Index




Part No: 820-2954-10.   Copyright 2008 Sun Microsystems, Inc. All rights reserved.