Administration

This chapter provides information and procedures for performing a range of administrative-level tasks in the Identity Manager system, such as:

Creating Identity Manager administrators, and delegated administration

Defining organizations and virtual organizations

Creating and managing administrators

Understanding Identity Manager Administration

Identity Manager administrators are users with extended Identity Manager privileges. You establish Identity Manager administrators to manage:

User accounts

System objects, such as roles and resources

Organizations

Identity Manager differentiates administrators from users through the assignment of:

Extended capabilities. Administrators apply extended capabilities to accounts, roles, and resources in each managed organization.

Controlled organizations. Once assigned to control an organization, the administrator can manage objects in that organization and in any organizations below that organization in the hierarchy.

Delegated Administration

In most companies, employees with administrative tasks to perform hold specific and varied responsibilities. In many cases, an administrator needs to perform account management tasks that are “transparent” to other users or administrators, or that are limited in scope.

For example, an administrator might be responsible only for creating Identity Manager user accounts. With that limited scope of responsibility, the administrator likely does not need specific information about the resources on which he creates user accounts; or about the roles or organizations that exist within the system.

Identity Manager supports separation of responsibility and this delegated administration model by allowing administrators to “see” and manage only those objects within a specific, defined scope.

Identity Manager implements the ability to delegate individual system activities to administrators by:

Providing limited control over specific organizations and objects within those organizations

Filtering administrator views of Identity Manager user create and edit pages

Giving administrators specific job duties in the form of capabilities

Understanding Identity Manager Organizations

Logically and securely manage user accounts and administrators

Limit access to resources, applications, roles, and other Identity Manager objects

By creating organizations and assigning users to various locations in an organizational hierarchy, you set the stage for delegated administration. Organizations that contain one or more other organizations are called parent organizations.

All Identity Manager users (including administrators) are statically assigned to one organization. Users also can be dynamically assigned to additional organizations.

Identity Manager administrators are additionally assigned to control organizations.

Creating Organizations

Create organizations in the Identity Manager Accounts area. To create an organization:

From the menu bar, select Accounts.

Select New Organization from the New Actions list on the Accounts page.

Use the Create Organization page to set up Identity Manager organizations.

Figure 1. Create Organization

Assigning Users to Organizations

Each user is a static member of one organization, and can be a dynamic member of more than one organization. Organizational membership is determined by:

Direct (static) assignment — Assign users directly to an organization from the Create or Edit User page. (Select the Identity form tab to display the Organizations field.) A user must be directly assigned to one organization.

Rule-driven (dynamic) assignment — Dynamically assign users to an organization by assigning a rule to the organization that, when evaluated, returns a set of member users. Identity Manager will evaluate the user member rule when:

Listing the users in an organization

Finding users (through the Find Users page) that includes searching for users that are in an organization with a user member rule

Requesting access to a user, and the current administrator controls an organization with a user member rule

Select a user members rule from the User Members Rule field on the Create Organization page.

Select user members rules from the field on the Create Organization page.

Figure 2. Create Organization: User Members Rule Selections

The following sample shows how you might set up a user members rule that can dynamically control an organization’s user membership.

Key Definitions and Inclusions

For a rule to appear in the User Member Rule option box, its authType must be set as authType=’UserMembersRule’.

The context is the currently authenticated Identity Manager user's session.

The defined variable (defvar) 'Astros players' gets the dn for each user that is a member of the Windows Active Directory ou 'Houston Astros'.

For each user found, the append logic will concatenate the dn of each member user of the 'Houston Astros' ou with the name of the Identity Manager Resource prefixed by a colon (as in ":dogbreath-AD").

The results returned will be a list of dn’s concatenated with the Identity Manager resource name in the format "<dn>:dogbreath-AD".

Sample User Members Rule

Assigning Organization Control

Assign administrative control of one or more organizations from the Create or Edit User page. Select the Security form tab to display the Controlled Organizations field.

You can also assign administrative control of organizations by assigning one or more admin roles, from the Admin Roles field.

Understanding Directory Junctions and Virtual Organizations

A directory junction is a hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. A directory resource is one that employs a hierarchical namespace through the use of hierarchical containers. Examples of directory resources include LDAP servers and Windows Active Directory resources.

Each organization in a directory junction is a virtual organization. The top-most virtual organization in a directory junction is a mirror of the container representing the base context defined in the resource. The remaining virtual organizations in a directory junction are direct or indirect children of the top virtual organization, and also mirror one of the directory resource containers that are children of the defined resource’s base context container.

Directory junctions can be spliced into the existing Identity Manager organizational structure at any point. However, directory junctions cannot be spliced within or below an existing directory junction.

Once you have added a directory junction to the Identity Manager organizational tree, you can create or delete virtual organizations in the context of that directory junction. In addition, you can refresh the set of virtual organizations comprising a directory junction at any time to ensure they stay synchronized with the directory resource containers. You cannot create a non-virtual organization within a directory junction.

You can make Identity Manager objects (such as users, resource, and roles) members of, and available to, a virtual organization in the same way as an Identity Manager organization.

Setting Up Directory Junctions

From the Identity Manager menu bar, select Accounts.

Select an Identity Manager organization in the Accounts list, and then select New Directory Junction from the New Actions list.

The organization you select will be the parent organization of the virtual organization you set up.

Identity Manager displays the Create Directory Junction page.

Make selections to set up the virtual organization:

Parent organization — This field contains the organization you selected from the Accounts list; you can, however, select a different parent organization from the list.

Directory resource — Select the directory resource that manages the existing directory whose structure you want to mirror in the virtual organization.

User form — Select a user form that will apply to administrators in this organization.

Identity Manager account policy — Select a policy, or select the default option (inherited) to inherit the policy from the parent organization.

Approvers — Select administrators who can approve requests related to this organization.

Refreshing Virtual Organizations

This process refreshes and re-synchronizes the virtual organization with the associated directory resource, from the selected organization down. Select the virtual organization in the list, and then select Refresh Organization from the Organization Actions list.

Deleting Virtual Organizations

Delete the Identity Manager organization only — Deletes the Identity Manager directory junction only.

Delete the Identity Manager organization and the resource container — Deletes the Identity Manager directory junction and the corresponding organization on the native resource.

Creating Administrators

You “create” an Identity Manager administrator by extending the capabilities of a Identity Manager user. When creating or editing a user, you can give him administrative control by:

Designating organizations that he can manage

Assigning capabilities within the organizations he manages

Selecting the form he will use when creating and editing Identity Manager users (if capabilities are assigned that allow him to perform those actions)

Selecting an approver to receive pending approval requests (if capabilities are assigned that allow him to approve requests)

To give a user administrative privileges, select Accounts to go to the Identity Manager Accounts area, and then select the Security form tab.

Controlled Organizations — Select one or more organizations. The administrator can control objects in the selected organization and in any organizations beneath it in the hierarchy. The scope of his control is further defined by his assigned capabilities. You must make a selection in this area.

Capabilities — Select one or more capabilities this administrator will have within the organizations he controls. For more information and descriptions of Identity Manager capabilities, read Chapter 5, Configuration.

User Form — Select the user form that this administrator will use when creating and editing Identity Manager users (if that capability is assigned). If you do not directly assign a user form, the administrator will inherit the user form assigned to the organization he belongs to. The form selected here supersedes any form selected within this administrator's organization.

Forward Approval Requests To — Select a user to forward all pending approval requests to. This administrator setting also can be set from the Approvals page.

Set up administrator characteristics through the Create User - Security form.
Create Administrator

Figure 4. Create Administrator

Filtering Administrator Views

By assigning user forms to organizations and administrators, you establish specific administrator views of user information. Access to user information is set at two levels:

Organization — When you create an organization, you assign the user form that all administrators in that organization will use when creating and editing Identity Manager users. Any form set at the administrator level overrides the form set here. If no form is selected for the administrator or the organization, Identity Manager inherits the form selected for the parent organization. If no form is set there, Identity Manager uses the default form set in the system configuration.

Administrator — When you assign a user administrative capabilities, you can directly assign a user form to the administrator. If you do not assign a form, the administrator inherits the form assigned to his organization (or the default form set in the system configuration if no form is set for the organization).

Configuration

Changing Administrator Passwords

Administrator passwords may be changed by an administrator with administrative password change capabilities assigned, or by the administrator-owner.

Accounts area — Select an administrator from the list, and then select Change Password from the User Actions list.

Edit User page — Select the Identity form tab, and then enter and confirm a new password.

Passwords area — Enter an administrator name, and then click Change Password.

Find

An administrator can change his own password from the Passwords area. Select Passwords, and then select Change My Password to access self-service password fields.

Challenging Administrator Actions

You can set an option to require that an administrator be challenged for his Identity Manager login password before processing certain account changes. If the password fails, then the account action does not succeed.

Edit User (account/modify.jsp)

Change User Password (admin/changeUserPassword.jsp)

Reset User Password (admin/resetUserPassword.jsp)

requestState.setOption(UserViewConstants.OP_REQUIRES_CHALLENGE, "email, fullname, password");

where the value of the option is a comma-delimited list of one or more of these user view attribute names:

applications

adminRoles

assignedLhPolicy

capabilities

controlledOrganizations

firstname

fullname

lastname

organization

password

resources

roles

Set this option in the admin/changeUserPassword.jsp and admin/resetUserPassword pages as follows:

Changing Answers to Authentication Questions

Use the Passwords area to change the answers you have set for account authentication questions. From the menu bar, select Passwords, and then select Change My Answers.

Customizing Administrator Name Display in the Administrator Interface

You can display an Identity Manager administrator by attribute (such as email or fullname) rather than accountId in some Identity Manager Administrator interface pages and areas. These include:

Edit User (forward approvals selection list)

Role table

Create/Edit Role

Create/Edit Resource

Create/Edit Organization/Directory Junction

Approvals

To configure Identity Manager to use a display name, add to the UserUIConfig object:

<AdminDisplayAttribute>
<String>"attribute_name"</String>
</AdminDisplayAttribute>

For example, to use the email attribute as the display name, add to UserUIconfig:

Approvals

When a user is added to the Identity Manager system, administrators who are assigned as approvers for new accounts must validate account creation. Identity Manager supports three categories of approvals, applied to these Identity Manager objects:

Organization — Approval is needed for the user account to be added to the organization.

Role — Approval is needed for the user account to be assigned to a role.

Resource — Approval is needed for the user account to be given access to a resource.

Signed Approvals

Configuration

Setting Up Approvers

Setting up approvers for each of these categories is optional, but recommended. At least one approval for each category in which approvers are set up is required for account creation. If one approver rejects a request for approval, the account is not created.

You can assign more than one approver to each category. Because only one approval within a category is needed, you can set up multiple approvers to help ensure workflow is not delayed or halted. If one approver is unavailable, others are available to handle requests. Approval applies only to account creation. By default, account updates and deletions do not require approval; however, you can customize this process to require it.

Identity Manager illustrates the approval process and the status of an account creation request as a workflow diagram. You can customize the workflow by using the Business Process Editor (BPE) to change the flow of approvals, capture account deletions, and capture updates.

For more information about the BPE, workflows, and an illustrated example of altering the approval workflow, see Identity Manager Workflows, Forms, and Views.

Previous Contents Next
Sun Java System Identity Manager 2005Q4M3 Administration