
Sun Java System Identity Manager 2005Q4M3 Administration  

Chapter 1 Identity Manager Overview

The Sun Java™ System Identity Manager system enables you to securely and efficiently manage access to accounts and resources. By giving you the capabilities and tools to quickly handle periodic and daily tasks, Identity Manager facilitates exceptional service to internal and external customers.


The Big Picture

Today’s businesses require increased flexibility and capabilities from their IT services. Historically, managing access to business information and systems required direct interaction with a limited number of accounts. Increasingly, managing access means handling not only increased numbers of internal customers, but also partners and customers beyond your enterprise.

The overhead created by this increased need for access can be substantial. As an administrator, you must effectively and securely enable people – both inside and outside your enterprise – to do their jobs. And after you provide initial access, you face continuing detailed challenges, such as forgotten passwords, and changed roles and business relationships.

Identity Manager was developed specifically to help you manage these administrative challenges in a dynamic environment. By using Identity Manager to distribute access management overhead, you facilitate a solution to your primary challenges: How do I define access? And once defined, how do I maintain flexibility and control?

A secure, yet flexible design lets you set up Identity Manager to accommodate the structure of your enterprise and answer these challenges. By mapping Identity Manager objects to the entities you manage – users and resources – you significantly increase the efficiency of your operations.

Goals of the Identity Manager System

The Identity Manager solution lets you define user access and delegate administration, as described in the following sections.

Defining User Access

Users in your extended enterprise can be anyone with a relationship to your company, including employees, customers, partners, suppliers, or acquisitions. In the Identity Manager system, users are represented by user accounts.

Depending on their relationships with your business and other entities, users need access to different things, such as computer systems, data stored in databases, or specific computer applications. In Identity Manager terms, these things are resources.

Because users often have one or more identities on each of the resources they access, Identity Manager creates a single, virtual identity that maps to disparate resources. This allows you to manage users as a single entity.

A user can map to multiple resource types, such as applications, databases, and directories.

Figure 1. Identity Manager User Account | Resource Relationship

To effectively manage large numbers of users, you need logical ways to group them. In most companies, users are grouped into functional departments or divisions. Each of these departments typically requires access to different resources. In Identity Manager terminology, this type of group is called an organization.

Another way to group users is by similar characteristics, such as company relationships or job functions. Identity Manager recognizes these groupings as roles.

Within the Identity Manager system, you assign roles to user accounts to facilitate efficient enabling and disabling of access to resources. Assigning accounts to organizations enables efficient delegation of administrative responsibilities.

Identity Manager users are also directly or indirectly managed through the application of policies, which set up rules, and password and user authentication options.

Delegating Administration

To successfully distribute responsibility for user identity management, you need the right balance of flexibility and control. By granting select Identity Manager users administrator privileges and delegating administrative tasks, you reduce your overhead and increase efficiency by placing responsibility for identity management with those who know user needs best, such as a hiring manager. Users with these extended privileges are called Identity Manager administrators.

Delegation only works, however, within a secure model. To maintain an appropriate level of control, Identity Manager lets you assign different levels of capabilities to administrators. Capabilities authorize varying levels of access and actions within the system.

The Identity Manager workflow model also includes a method to ensure that certain actions require approval. Using workflow, Identity Manager administrators retain control over tasks and can track their progress. For detailed information about workflow, see Identity Manager Workflows, Forms, and Views.


Identity Manager Objects

A clear picture of Identity Manager objects and how they interact is crucial to successful management and deployment of the system. These objects are user accounts, roles, resources and resource groups, organizations, capabilities, and admin roles.

User Accounts

An Identity Manager user account is an account on Identity Manager and on one or more resources. User data may be loaded into Identity Manager from resources.

The user account setup process is dynamic. Depending on the role selection you make during account setup, you may provide more or less resource-specific information to create the account. The number and type of resources associated with the assigned role determine how much information is required at account creation.

You grant users administrative privileges to manage user accounts, resources, and other Identity Manager system objects and tasks. Identity Manager administrators manage organizations, and are assigned a range of capabilities to apply to objects in each managed organization.

Roles

A role is an Identity Manager object that represents Identity Manager user types and allows resources to be grouped and assigned to users. Typically, roles represent user job functions. In a financial institution, for example, roles might correspond to job functions like bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant.

Roles define a base set of resources and resource attributes for users. They also can define relationships between other roles; for example, roles that contain or exclude other roles.

Users with the same role share access to a common base group of resources. You can assign one or more roles to each user, or no role.

Figure 2. User Account, Role, Resource Relationship (figure text: User 1 and User 2 share access to the same resources through assignment of Role 2. User 1 also can access resources through the assignment of Role 1.)

As shown in the previous figure, User 1 and User 2 share access to the same set of resources through assignment of Role 2. User 1, however, has access to additional resources through the assignment of Role 1.

Resources and Resource Groups

Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Resources to which Identity Manager provides access include mainframe security managers, databases, directory services, applications, operating systems, ERP systems, and messaging platforms.

Information stored by each Identity Manager resource is categorized in several major groups:

Identity Manager user accounts are provided access to resources in two ways: directly, by assigning a resource or resource group to the user account, and indirectly, by assigning roles to the account so that it inherits the resources and resource groups assigned to those roles.

Figure 3. Resources Assignment (figure text: User 1 is provided access to resources through indirect and direct assignments.)

A related Identity Manager object, a resource group, can be assigned to user accounts in the same way resources are assigned. Resource groups correlate resources so that you can create accounts on resources in a specific order.
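To make the role, resource, and resource-group relationships described above concrete, here is an added Python example. It is illustrative code written for this page, not code from Identity Manager or from this guide. It models the objects the text names: a user account with directly assigned resources and roles, roles that include or exclude other roles, and resource groups that fix the order in which accounts are created on their resources. The role names follow Figures 2 and 3; the resource names, the "Base" and "Contractor" roles and the "hr-stack" group are constructed sample data, and how Identity Manager itself evaluates inclusion, exclusion and ordering is not shown on this page.

```python
"""Effective resource access for an Identity Manager-style user account.

Added illustration, not Sun's code. A user's effective resources are the
union of resources assigned directly to the account and resources inherited
from its roles; roles may include or exclude other roles, and a resource
group contributes its resources in a fixed order (the order in which
accounts would be created). All object names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ResourceGroup:
    name: str
    resources: list  # ordered: accounts are created on these in this order


@dataclass
class Role:
    name: str
    resources: set = field(default_factory=set)
    resource_groups: list = field(default_factory=list)
    includes: set = field(default_factory=set)  # roles contained by this role
    excludes: set = field(default_factory=set)  # roles that must not be combined with it


@dataclass
class UserAccount:
    name: str
    roles: set = field(default_factory=set)
    direct_resources: set = field(default_factory=set)
    direct_groups: list = field(default_factory=list)


def expand_roles(role_names, catalog):
    """Return every role reachable through inclusion, tolerating cycles."""
    seen = set()
    stack = list(role_names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(catalog[name].includes)
    return seen


def conflicting_roles(role_names, catalog):
    """Return (role, excluded_role) pairs that are both present in the set."""
    return {(r, x) for r in role_names for x in catalog[r].excludes & role_names}


def effective_resources(user, catalog):
    """Ordered list of resources the user gets: direct first, then via roles.

    Raises ValueError if the effective role set violates an exclusion.
    """
    roles = expand_roles(user.roles, catalog)
    clashes = conflicting_roles(roles, catalog)
    if clashes:
        raise ValueError(f"mutually exclusive roles assigned: {sorted(clashes)}")

    ordered = []

    def add(resource):
        if resource not in ordered:
            ordered.append(resource)

    for resource in sorted(user.direct_resources):
        add(resource)
    for group in user.direct_groups:
        for resource in group.resources:
            add(resource)
    for role_name in sorted(roles):
        role = catalog[role_name]
        for resource in sorted(role.resources):
            add(resource)
        for group in role.resource_groups:
            for resource in group.resources:
                add(resource)
    return ordered


# Constructed sample data modelled on Figures 2 and 3 of the text.
HR_GROUP = ResourceGroup("hr-stack", ["ldap-corp", "hr-database", "payroll-app"])
CATALOG = {
    "Role 1": Role("Role 1", resources={"crm-app"}),
    "Role 2": Role("Role 2", resources={"email", "intranet"}, includes={"Base"}),
    "Base": Role("Base", resource_groups=[HR_GROUP]),
    "Contractor": Role("Contractor", resources={"vpn"}, excludes={"Role 1"}),
}
USER1 = UserAccount("User 1", roles={"Role 1", "Role 2"}, direct_resources={"legacy-mainframe"})
USER2 = UserAccount("User 2", roles={"Role 2"})

if __name__ == "__main__":
    print("User 1:", effective_resources(USER1, CATALOG))
    print("User 2:", effective_resources(USER2, CATALOG))
```

Running the block lists User 1's effective resources (the directly assigned mainframe first, then the resources inherited through Base, Role 1 and Role 2) and User 2's, which come only through Role 2 and the Base role it includes. Assigning a user both Role 1 and Contractor raises, because Contractor declares Role 1 as excluded; that is the kind of check a deployment relies on when roles model conflicting job functions.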

Organizations

Organizations are Identity Manager containers used to enable administrative delegation. They define the scope of entities that an Identity Manager administrator controls or manages.

Organizations can also represent direct links into directory-based resources; these are called virtual organizations. Virtual organizations allow direct management of resource data without loading information into the Identity Manager repository. By mirroring an existing directory structure and membership through a virtual organization, Identity Manager eliminates duplicate and time-consuming setup tasks.

Organizations that contain other organizations are parent organizations. You can create organizations in a flat structure or arrange them in a hierarchy. The hierarchy can represent departments, geographical areas, or other logical divisions by which you manage user accounts.

Capabilities

Each user can be assigned capabilities, or groups of rights, that enable that user to perform administrative actions through Identity Manager. Capabilities allow the administrative user to perform certain tasks in the system and act on Identity Manager objects.

Typically, you assign capabilities according to specific job responsibilities, such as password resets or account approvals. By assigning capabilities and rights to individual users, you create a hierarchical administrative structure that provides targeted access and privileges without compromising data protection.

Identity Manager provides a set of default capabilities for common administrative functions. Capabilities meeting your specific needs can also be created and assigned.

Admin Roles

Admin roles enable you to define a unique set of capabilities for each set of organizations that are managed by an administrative user. An admin role is assigned capabilities and controlled organizations, which can then be assigned to an administrative user.

Capabilities and controlled organizations can be assigned directly to an admin role. They also can be assigned indirectly (dynamically) each time the administrative user logs in to Identity Manager. Identity Manager rules control dynamic assignment.
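The Organizations, Capabilities and Admin Roles sections above describe one authorization model: an administrator holds admin roles, each admin role bundles capabilities with the organizations it controls (assigned directly, or dynamically by a rule evaluated at login), and privileges granted on an organization cascade to its child organizations. The following added Python example models that check. It is illustrative code written for this page, not Identity Manager's implementation; the organization names, capability names, administrator and the login rule are constructed, and the rule is a plain Python function standing in for an Identity Manager rule.

```python
"""Delegated-administration check, Identity Manager style.

Added illustration, not Sun's code. Organizations form a hierarchy; an
administrator holds admin roles; each admin role pairs capabilities with the
organizations it controls, either listed directly or returned by a rule at
login; and a privilege on an organization cascades to its children but never
upward. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Organization:
    name: str
    parent: Optional[str] = None  # None for the root of the hierarchy


@dataclass
class AdminRole:
    name: str
    capabilities: set = field(default_factory=set)
    controlled_orgs: set = field(default_factory=set)
    # Stand-in for an Identity Manager rule: given the administrator,
    # returns organizations assigned dynamically at login.
    org_rule: Optional[Callable] = None


@dataclass
class Administrator:
    name: str
    home_org: str
    admin_roles: list = field(default_factory=list)


# Constructed hierarchy: Top -> Finance -> Payroll, and Top -> Engineering.
ORGS = {
    "Top": Organization("Top"),
    "Finance": Organization("Finance", parent="Top"),
    "Payroll": Organization("Payroll", parent="Finance"),
    "Engineering": Organization("Engineering", parent="Top"),
}


def ancestors(org_name, orgs):
    """Yield the organization itself, then each parent up to the root."""
    while org_name is not None:
        yield org_name
        org_name = orgs[org_name].parent


def controlled_organizations(admin, role):
    """Direct organizations plus any the role's rule assigns for this admin."""
    controlled = set(role.controlled_orgs)
    if role.org_rule is not None:
        controlled |= role.org_rule(admin)
    return controlled


def is_authorized(admin, capability, target_org, orgs=ORGS):
    """True if an admin role grants `capability` on `target_org` or an ancestor.

    Checking ancestors is what makes privileges cascade to child organizations.
    """
    scope = set(ancestors(target_org, orgs))
    for role in admin.admin_roles:
        if capability in role.capabilities and controlled_organizations(admin, role) & scope:
            return True
    return False


def home_org_rule(admin):
    """Constructed rule: the administrator also controls their home organization."""
    return {admin.home_org}


# Constructed admin roles and administrator.
PASSWORD_ADMIN = AdminRole("password-admin", {"reset-password"}, controlled_orgs={"Finance"})
APPROVER = AdminRole("home-approver", {"approve-account"}, org_rule=home_org_rule)
ALICE = Administrator("alice", home_org="Engineering", admin_roles=[PASSWORD_ADMIN, APPROVER])

if __name__ == "__main__":
    for cap, org in [("reset-password", "Payroll"), ("reset-password", "Engineering"),
                     ("approve-account", "Engineering"), ("reset-password", "Top")]:
        print(f"{ALICE.name} {cap} on {org}: {is_authorized(ALICE, cap, org)}")
```

The sample shows the two points the text makes: alice may reset passwords in Payroll because her password-admin role controls Finance and that privilege cascades to Finance's child, yet she may not reset passwords in Top (cascading is downward only) or in Engineering (that organization reaches her only through the approver role, which carries a different capability). The approver role controls no organization until the login rule runs, which is the dynamic assignment the section describes.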

Object Relationships  

The following table provides a quick glance at Identity Manager objects and their relationships. For each object, "What is it?" gives its definition and "Where does it fit?" lists each related object and how the two relate.

User account
  What is it? An account on Identity Manager and on one or more resources. User data may be loaded into Identity Manager from resources. A special class of users, Identity Manager administrators, has extended privileges.
  Where does it fit?
    Role: Generally, each user account is assigned to one or more roles.
    Organization: User accounts are arranged in a hierarchy as part of an organization. Identity Manager administrators additionally manage organizations.
    Resource: Individual resources can be assigned to user accounts.
    Capability: Administrators are assigned capabilities for the organizations they manage.

Role
  What is it? Profiles a class of users and defines the collection of resources and resource attributes on which accounts are managed.
  Where does it fit?
    Resource and resource group: Resources and resource groups are assigned to roles.
    User account: Roles group user accounts with similar characteristics.
    Role: Defines relationships between other roles (inclusion or exclusion).

Resource
  What is it? Stores information about a system, application, or other resource on which accounts are managed.
  Where does it fit?
    Role: Resources are assigned to roles; a user account “inherits” resource access from its role assignments.
    User account: Resources can be individually assigned to user accounts.

Resource group
  What is it? Ordered group of resources.
  Where does it fit?
    Role: Resource groups are assigned to roles; a user account “inherits” resource access from its role assignments.
    User account: Resource groups can be directly assigned to user accounts.

Organization
  What is it? Defines the scope of entities managed by an administrator; hierarchical.
  Where does it fit?
    Resource: Administrators in a given organization may have access to some or all resources.
    Administrator: Organizations are managed (controlled) by users with administrative privileges. Administrators may manage one or more organizations. Administrative privileges in a given organization cascade to its child organizations.
    User account: Each user account can be assigned to an Identity Manager organization and one or more directory organizations.

Admin role
  What is it? Defines a unique set of capabilities for each set of organizations assigned to an administrator.
  Where does it fit?
    Administrator: Admin roles are assigned to administrators.
    Capabilities and organizations: Capabilities and organizations are assigned, directly or indirectly (dynamically), to admin roles.

Capability
  What is it? Defines a group of system rights.
  Where does it fit?
    Administrator: Capabilities are assigned to administrators.

Policy
  What is it? Sets password and authentication limits.
  Where does it fit?
    User account: Policies are assigned to user accounts.
    Organization: Policies are assigned to or inherited by organizations.

Table 1. Identity Manager Object Relationships


Identity Manager Terms      

Identity Manager interfaces and guides define these terms as follows:

admin role

Unique set of capabilities for each set of organizations assigned to an administrative user.

administrator

Person who sets up Identity Manager or is responsible for operational tasks, such as creating users and managing access to resources.

administrator interface

Primary administrative view of Identity Manager.

approver

User with administrative capabilities responsible for approving or rejecting access requests.

business process editor (BPE)

Graphical view of Identity Manager forms, rules, and workflow.

capability

Group of access rights for user accounts that governs actions performed in Identity Manager; low-level access control within Identity Manager.

form

Object associated with a Web page that contains rules about how a browser should display user view attributes on that page. Forms can incorporate business logic, and are often used to manipulate view data before it is presented to the user.

identity template

Defines the user’s resource account name.

organization

Identity Manager container used to enable administrative delegation. Organizations define the scope of entities (such as user accounts, resources, and administrator accounts) an administrator controls or manages. Organizations provide a “where” context, primarily for Identity Manager administrative purposes.

policy

Establishes limitations for Identity Manager accounts. Identity Manager policies establish user, password, and authentication options, and are tied to organizations or users. Resource password and account ID policies set rules, allowed words, and attribute values, and are tied to individual resources.

resource

In Identity Manager, stores information about how to connect to a resource or system on which accounts are created. Resources to which Identity Manager provides access include mainframe security managers, databases, directory services, applications, operating systems, ERP systems, and messaging platforms.

resource adapter

Identity Manager component that provides a link between the Identity Manager engine and the resource. This component enables Identity Manager to manage user accounts on a given resource (including create, update, delete, authenticate, and scan capabilities) as well as utilize that resource for pass-through authentication.

resource adapter account

Credentials used by an Identity Manager resource adapter to access a managed resource.

resource group

Collection of resources used to order the creation, deletion, and update of user resource accounts.

resource wizard

Identity Manager tool that steps through the resource creation and modification process, including setup and configuration of resource parameters, account attributes, identity template, and Identity Manager parameters.

role

In Identity Manager, a template or profile for a class of users. Each user can be assigned to one or more roles, which define account resource access and default resource attributes.

rule

Object in the Identity Manager repository that contains a function written in XPRESS, XML Object, or JavaScript languages. Rules provide a mechanism for storing frequently used logic or static variables for reuse within forms, workflows, and roles.

schema

List of user account attributes for a resource.

schema map

Map of resource account attributes to Identity Manager account attributes for a resource. Identity Manager account attributes create a common link to multiple resources and are referenced by forms.

user

Person who holds an Identity Manager system account. Users can hold a range of capabilities in Identity Manager; those with extended capabilities are Identity Manager administrators.

user account

Account created using Identity Manager. Refers either to an Identity Manager account or accounts on Identity Manager resources. The user account setup process is dynamic; information or fields to be completed depend on the resources provided to the user directly or indirectly through role assignment.

user interface

Limited view of the Identity Manager system. Specifically tailored to users without administrative capabilities, it allows them to perform a range of self-service tasks such as changing passwords and setting answers to authentication questions.

workflow

A logical, repeatable process during which documents, information, or tasks are passed from one participant to another. Identity Manager workflows comprise multiple processes that control creation, update, enabling, disabling, and deletion of user accounts.





Copyright 2006 Sun Microsystems, Inc. All rights reserved.