Product overview

ii Product overview
Contents
Product overview. . . . . . . . . . . 1
Initial login and password information . . . . . 1
Access management with IBM Tivoli Identity
Manager and other products . . . . . . . . . 2
Support for corporate regulatory compliance . . . 3
Identity governance . . . . . . . . . . . . 8
Release information . . . . . . . . . . . . 8
Whats new in this release . . . . . . . . . 9
Hardware and software requirements. . . . . 14
Installation images and fix packs . . . . . . 21
Known limitations, problems, and workarounds 22
Technical overview . . . . . . . . . . . . 40
Users, authorization, and resources . . . . . 40
Main components . . . . . . . . . . . 42
People overview. . . . . . . . . . . . 43
Resources overview . . . . . . . . . . 45
System security overview. . . . . . . . . 48
Organization tree overview . . . . . . . . 53
Policies overview . . . . . . . . . . . 54
Workflow overview. . . . . . . . . . . 56
Features overview . . . . . . . . . . . . 57
Improved user interface . . . . . . . . . 57
Recertification . . . . . . . . . . . . 58
Reporting . . . . . . . . . . . . . . 59
Static and dynamic roles . . . . . . . . . 59
Self-access management . . . . . . . . . 59
Provisioning features . . . . . . . . . . 60
Resource provisioning . . . . . . . . . . 64
About this information . . . . . . . . . . 65
Intended audience . . . . . . . . . . . 65
Publications . . . . . . . . . . . . . 65
Tivoli technical training . . . . . . . . . 66
Support information . . . . . . . . . . 66
Conventions used in this information. . . . . 67
Notices . . . . . . . . . . . . . . . 70
Accessibility . . . . . . . . . . . . . . 72
Index . . . . . . . . . . . . . . . 73
iii
iv Product overview
Product overview
These topics describe the product and its surrounding business and technology
context.
They include information about:
v The particular product release, such as new or deprecated product features and
functions
v The open standards, technologies, and architecture on which the product is
based
v The user model and roles underlying the product features
v The graphical interfaces and tools provided to support various user roles
v The information center for viewing documentation
Initial login and password information
To get started after installing IBM

Tivoli

Identity Manager, you need to know the

login URL and the initial user ID and password.
Login URL
The login URL enables you to access the IBM Tivoli Identity Manager web
interface.
The login URL for the IBM Tivoli Identity Manager administrative console is:
http://ip-address:port/itim/console/main/
Where ip-address is the IP address or DNS address of the IBM Tivoli Identity
Manager server, and port is the port number. The default port for new installations
of IBM Tivoli Identity Manager is 9080.
The login URL for the IBM Tivoli Identity Manager self-service console is:
http://ip-address:port/itim/self
Where ip-address is the IP address or DNS address of the IBM Tivoli Identity
Manager server, and port is the port number. The default port for new installations
of IBM Tivoli Identity Manager is 9080.
Initial user ID and password
The initial user ID and password to authenticate to IBM Tivoli Identity Manager is:
Table 1. Initial user ID and password for IBM Tivoli Identity Manager
User ID Password
itim manager secret
1
Access management with IBM Tivoli Identity Manager and other
products
In a security lifecycle, IBM Tivoli Identity Manager and several other products
provide access management that enables you to determine who can enter your
protected systems, what can they access, and how to ensure that users access only
what they need for their business tasks.
Access management addresses three questions from the business point of view:
v Who can come into my systems?
v What can they do?
v Can I easily prove what theyve done with that access?
These products validate the authenticity of all users with access to resources, and
ensure that access controls are in place and consistently enforced:
v IBM Tivoli Identity Manager
Provides a secure, automated and policy-based user management solution that
helps effectively manage user identities throughout their lifecycle across both
legacy and e-business environments. IBM Tivoli Identity Manager provides
centralized user access to disparate resources in an organization, using policies
and features that streamline operations associated with user-resource access. As
a result, your organization realizes numerous benefits, including:
Web self-service and password reset and synchronization; users can
self-administer their passwords using the rules of a password management
policy to control access to multiple applications. Password synchronization
enables a user to use one password for all accounts that IBM Tivoli Identity
Manager manages.
Quick response to audits and regulatory mandates
Automation of business processes related to changes in user identities by
providing life-cycle management
Centralized control and local autonomy
Enhanced integration with the use of extensive APIs
Choices to manage target systems either with an agent or agentless approach
Reduced help desk costs
Increased access security through the reduction of orphaned accounts
Reduced administrative costs through the provisioning of users using
software automation
Reduced costs and delays associated with approving resource access to new
and changed users
v Tivoli Access Manager
Enables your organization to use centralized security policies for specified user
groups to manage access authorization throughout the network, including the
vulnerable, internet-facing Web servers. Tivoli Access Manager can be tightly
coupled with IBM Tivoli Identity Manager to reconcile user groups and accounts
managed by Tivoli Access Manager with the identities managed by IBM Tivoli
Identity Manager to provide an integrated solution for resource access control.
Tivoli Access Manager delivers:
Unified authentication and authorization access to diverse Web-based
applications within the entire enterprise
2 Product overview
Flexible single sign-on to Web, Microsoft

, telnet and mainframe application

environments
Rapid and scalable deployment of Web applications, with standards-based
support for Java

2 Enterprise Edition (J2EE) applications

Design flexibility through a highly scalable proxy architecture and
easy-to-install Web server plug-ins, rule- and role-based access control,
support for leading user registries and platforms, and advanced APIs for
customized security
v Tivoli Federated Identity Manager
Handles all the configuration information for a federation across organizational
boundaries, including the partner relationships, identity mapping, and identity
token management.
Tivoli Federated Identity Manager enables your organization to share services
with business partner organizations and obtain trusted information about
third-party identities such as customers, suppliers, and client employees. You
can obtain user information without having to create, enroll, or manage identity
accounts with the organizations that provide access to services that are used by
your organization. Consequently, users are spared from having to register at a
partner site, and from having to remember additional logins and passwords. The
result is improved integration and communication between your organization
and your suppliers, business partners, and customers.
For more information how access management products fit in larger solutions for a
security lifecycle, refer to the Tivoli Security Management Web site:
http://www.ibm.com/software/tivoli/solutions/security/
IBM Redbooks

and Redpapers also describe implementing IBM Tivoli Identity

Manager within a portfolio of IBM security products.
Support for corporate regulatory compliance
IBM Tivoli Identity Manager provides support for corporate regulatory compliance.
Compliance areas
Tivoli Identity Manager addresses corporate regulatory compliance in the following
key areas:
v Provisioning and the approval workflow process
v Audit trail tracking
v Enhanced compliance status
v Password policy and password compliance
v Account and access provisioning authorization and enforcement
v Recertification policy and process
v Reports
Provisioning and the approval workflow process
Tivoli Identity Manager provides support for provisioning, user accounts and
access to various resources. When implemented as one of a suite of security
products, Tivoli Identity Manager plays a key role to ensure that resources are
provisioned only to authorized persons, safeguarding the accuracy and
completeness of information processing methods and granting authorized users
access to information and associated assets. Tivoli Identity Manager provides an
Product overview 3
integrated software solution for managing the provisioning of services,
applications, and controls to employees, business partners, suppliers, and others
associated with your organization across platforms, organizations, and
geographies. You can use its provisioning features to control the setup and
maintenance of user access to system and account creation on a managed resource.
At its highest level, an identity management solution automates and centralizes the
process of provisioning resources, such as operating systems and applications, to
people in, or affiliated with, an organization. Organizational structure can be
altered to accommodate the provisioning policies and procedures. However, the
organization tree used for provisioning resources does not necessarily reflect the
managerial structure of an organization. Administrators at all levels can use
standardized procedures for managing user credentials. Some levels of
administration can be reduced or eliminated, depending on the breadth of the
provisioning management solution. Furthermore, you can securely distribute
administration capabilities, manually or automatically, among various
organizations.
The approval process can be associated with different types of provisioning
requests, including account and access provisioning requests. Life cycle operations
can also be customized to incorporate the approval process.
Models for provisioning
Depending on business needs, Tivoli Identity Manager provides alternatives to
provision resources to authorized users on request-based, role-based, or hybrid
models.
Approval workflows
Account and access request workflows are invoked during account and access
provisioning. You typically use account and access request workflows to define
approval workflows for account and access provisioning.
Account request workflows provide a decision-based process to determine if the
entitlement provided by a provisioning policy should be granted. The entitlement
provided by a provisioning policy specifies the account request workflow that
applies to the set of users in the provisioning policy membership. If multiple
provisioning policies apply to the same user for the same service target, and there
are different account request workflows in each provisioning policy, the account
request workflow that is invoked for the user is determined based on the priority
of the provisioning policy. If a provisioning policy has no associated workflow and
the policy grants an account entitlement, the operations that are related to the
request run immediately. For example, an operation might add an account.
However, if a provisioning policy has an associated workflow, that workflow runs
before the policy grants the entitlement. If the workflow returns a result of
Approved, the policy grants the entitlement. If the workflow has a result of
Rejected, the entitlement is not granted. For example, a workflow might require a
managers approval. Until the approval is submitted and the workflow completes,
the account is not provisioned. When you design a workflow, consider the intent of
the provisioning policy and the purpose of the entitlement itself.
4 Product overview
Tracking
Tivoli Identity Manager provides audit trail information about how and why a
user has access. On a request basis, Tivoli Identity Manager provides a process to
grant, modify, and remove access to resources throughout a business, and to
establish an effective audit trail using automated reports.
The steps involved in the process, including approval and provisioning of
accounts, are logged in the request audit trail, and corresponding audit events are
generated in the database for audit reports. User and Account lifecycle
management events, including account and access changes, recertification, and
compliance violation alerts, are also logged in the audit trail.
Enhanced compliance status
Tivoli Identity Manager provides enhanced compliance status on items such as
dormant and orphan accounts, provisioning policy compliance status,
recertification status, and a variety of reports.
v Dormant accounts. You can view a list of dormant accounts using the Reports
feature. Tivoli Identity Manager includes a dormant account attribute to service
types that you can use to find and manage unused accounts on services.
v Orphan accounts. Accounts on the managed resource whose owner in the Tivoli
Identity Manager Server cannot be determined are orphan accounts, which are
identified during reconciliation when the applicable adoption rule cannot
successfully determine the owner of an account.
v Provisioning policy compliance status. The compliance status based on the
specification of provisioning policy is available for accounts and access. An
account could be either compliant, non-compliant with attribute value violations,
or disallowed. An access is either compliant or disallowed.
v Recertification status. The recertification status is available for user, account,
and access target types, which indicates whether the target type is certified,
rejected, or never certified. The timestamp of the recertification is also available.
Password policy and password compliance
Tivoli Identity Manager provides the ability to create and manage password
policies. password policy defines the password strength rules that are used to
determine whether a new password is valid. A password strength rule is a rule to
which a password must conform. For example, password strength rules might
specify that the minimum number of characters of a password must be five and
the maximum number of characters must be ten.
The Tivoli Identity Manager administrator can also create new rules to be used in
password policies.
If password synchronization is enabled, the administrator must ensure that
password policies do not have any conflicting password strength rules. When
password synchronization is enabled, Tivoli Identity Manager combines policies for
all accounts that are owned by the user to determine the password to be used. If
conflicts between password policies occur, the password might not be set.
Provisioning policy and policy enforcement
A provisioning policy grants access to many types of managed resources, such as
Tivoli Identity Manager server, Windows NT

servers, Solaris servers, and so on.

Product overview 5
Provisioning policy parameters help system administrators define the attribute
values that are required and the values that are allowed.
Policy enforcement is the manner in which Tivoli Identity Manager allows or
disallows accounts that violate provisioning policies.
You can specify one of the following policy enforcement actions to occur for an
account that has a noncompliant attribute.
Mark Sets a mark on an account that has a noncompliant attribute.
Suspend
Suspends an account that has a noncompliant attribute.
Correct
Replaces a noncompliant attribute on an account with the correct attribute.
Alert Issues an alert for an account that has a noncompliant attribute.
Recertification policy and process
A recertification policy includes activities to ensure that users provide confirmation
that they have a valid, ongoing need for the target type specified (user, account,
and access). The policy defines how frequently users must validate an ongoing
need. Additionally, the policy defines the operation that occurs if the recipient
declines or does not respond to the recertification request. Tivoli Identity Manager
supports recertification policies that use a set of notifications to initiate the
workflow activities that are involved in the recertification process. Depending on
the user response, a recertification policy can mark a users roles, accounts, groups,
or accesses as recertified, suspend or delete an account, or delete a role, group, or
access.
Audits that are specific to recertification are created for use by several reports that
are related to recertification:
Accounts, access, or users pending recertification
Provides a list of recertifications that are not completed.
Recertification history
Provides a historical list of recertifications for the target type specified.
Recertification policies
Provides a list of all recertification policies.
User recertification history
Provides history of user recertification.
User recertification policy
Provides a list of all user recertification policies.
Reports
Security administrators, auditors, managers, and service owners in your
organization can use one or more of the following reports to control and support
corporate regulatory compliance:
v Accesses Report, which lists all access definitions in the system.
v Approvals and Rejections Report, which shows request activities that were either
approved or rejected.
v Dormant Accounts Report, which lists the accounts that have not been used
recently.
6 Product overview
v Entitlements Granted to an Individual Report, which lists all users with the
provisioning policies for which they are entitled.
v Noncompliant Accounts Report, which lists all noncompliant accounts.
v Orphan Accounts Report, which lists all accounts not having an owner.
v Pending Recertification Report, which highlights recertification events that can
occur if the recertification person does not take action on an account or access.
This report supports data filtering by a specific service type or a specific service
instance.
v Recertification Change History Report, which shows a history of accesses
(including accounts) and when they were last recertified. This report serves as
evidence of past recertifications.
v Recertification Policies Report, which shows the current recertification
configuration for a given access or service.
v Separation of Duty Policy Definition Report, which lists the separation of duty
policy definitions.
v Separation of Duty Policy Violation Report, which contains the person, policy,
and rules violated, approval and justification (if any), and who requested the
violating change.
v Services Report, which lists services currently defined in the system.
v Summary of Accounts on a Service Report, which lists a summary of accounts
on a specified service defined in the system.
v Suspended Accounts Report, which lists the suspended accounts.
v User Recertification History Report, which lists the history of user
recertifications performed manually (by specific recertifiers), or automatically
(due to time out action).
v User Recertification Policy Definition Report, which lists the user recertification
policy definitions.
All reports are available to all users when the appropriate access controls are
configured. However, certain reports are designed specifically for certain types of
users.
Table 2. Summary of reports
Designed for Available reports
Security administrators
v Dormant Accounts
v Orphan Accounts
v Pending Recertification
v Recertification History
v Recertification Policies
v User Recertification History
v User Recertification Policies
Managers
v Pending Recertification
v Recertification History
v Recertification Policies
v User Recertification History
v User Recertification Policies
Product overview 7
Table 2. Summary of reports (continued)
Designed for Available reports
Service owners
v Dormant Accounts
v Orphan Accounts
v Pending Recertification
v Recertification History
v Recertification Policies
v User Recertification History
v User Recertification Policies
Auditors
v Dormant Accounts
v Orphan Accounts
v Pending Recertification
v Recertification History
v Recertification Policies
v User Recertification History
v User Recertification Policies
End users, help desk,
and developers
None
Identity governance
IBM Tivoli Identity Manager extends the identity management governance
capabilities with a focus on operational role management. Using roles simplifies
the management of access to IT resources.
Identity governance includes these Tivoli Identity Manager features:
Role management
Manages user access to resources, but unlike user provisioning, role
management does not grant or remove user access. Instead, it sets up a
role structure to do it more efficiently.
Entitlement management
Simplifies access control by administering and enforcing fine-grained
authorizations.
Access certification
Provides ongoing review and validation of access to resources at role or
entitlement level.
Privileged user management
Provides enhanced user administration and monitoring of system or
administrator accounts that have elevated privileges.
Separation of duties
Prevents and detects business-specific conflicts at role or entitlement level.
Release information
This section describes new features and hardware and software requirements for
IBM Tivoli Identity Manager.
8 Product overview
Whats new in this release
IBM Tivoli Identity Manager continues to deliver new identity management
capabilities in line with common standards and best practices. This release extends
identity management governance capabilities with a focus on compliance.
Role management capabilities
Roles manage user access to resources, but unlike user provisioning, role
management does not grant or remove user access. Instead, it sets up a role
structure to do it more efficiently. IBM Tivoli Identity Manager 5.1 extends identity
management governance capabilities with a focus on operational role management.
Management of access to IT resources using roles is simplified and enhanced with
these role management capabilities:
Role hierarchies
Role hierarchies allow security administrators to build and plan logical role
hierarchies and to build more meaningful role relationships.
v Role relationships can be implemented.
v Immediate parent-child role relationships can be tracked and navigated.
v Separation of duty can be evaluated where role hierarchy is used.
Role relationships
Role relationships allow roles to be logically linked by allowing parent-child
role relationships in the hierarchy, in which child roles inherit the
entitlements of their parent roles.
v A parent role can have multiple child roles.
v A child role can have multiple parent roles.
v Role relationships can be evaluated to determine which entitlements are
inherited and granted.
v Provisioning behavior can be changed by role hierarchy assignment; for
example, by making a department role a child of an application role.
Role classification
Role classification is the ability to classify a role for workflow and policy
customization purposes.
v Default role types are business and application types.
v Business roles encompass the kind of job that a person does.
v Application roles encompass the kind of access that the person requires.
v Role relationships and role classification can be used to define how
different role types relate.
Role ownership and approvals
Role owners can be users or other roles.
v Roles can have multiple owners.
v Workflow participants and access control items (ACIs) are enhanced to
analyze and resolve role participants.
Role administration
Organizational roles are a method of providing users with entitlements to
managed resources by determining which resources are provisioned for a user
or set of users who share similar responsibilities. A role is a job function that
identifies the tasks that a person can perform and the resources to which the
person has access.
Product overview 9
Separation of duty capabilities
Separation of duty is a policy-driven feature to manage potential or existing role
conflicts. A separation of duty policy is a logical container of separation rules that
define mutually exclusive relationships among roles. Separation of duty policies
are defined by one or more business rules that exclude users from membership in
multiple roles that might present a business conflict.
The purpose of the separation of duty policy is to group the rules for ease of
administration. For example, you can assign a set of administrators to a policy,
making the administrators responsible for tracking the violations of a set of rules.
Separation of duty capabilities include:
v Violation tracking through the administrative console, which provides identity
governance and accountability
v Violation and exemptions auditing through reports, which helps prevent or
highlight inappropriate use of privileges
v Approval workflow for separation of duties, which helps achieve compliance
goals
v New access control items (ACIs), which reflect new separation of duty policy
targets
v Evaluation of the separation of duty policy when workflow is used for identity
feeds
v Prevention of invalid or inconsistent (with business policy) combinations of
roles, which prohibits parent-child relationships within a separation of duty
policy
v Workflow participant type (SoD Policy Owner)
v Violations entity for workflow and notification customization
v Approval process, which allows for exemptions when a violation occurs; the
exemptions can be revoked later
Separation of duty policies
A separation of duty policy is a logical container of separation rules that define
mutually exclusive relationships among roles. Separation of duty policies are
defined by one or more business rules that exclude users from membership in
multiple roles that might present a business conflict.
Separation of duty policies reports
This section describes various separation of duty policy reports.
Separation of duty violation report
This section describes the separation of duty violation report. This report
contains the person, policy, and rules violated, approval and justification (if
any), and who requested the violating change.
SeparationOfDutyRuleViolation
Object that provides information about a specific separation of duty rule
violation. Use this object to get specific information about a separation of duty
policy violation. This object cannot be created for use by the user. The user can
work only with SeparationOfDutyRuleViolation objects that the system has
generated as part of the approveSoDViolation workflow.
ParticipantType
Workflow Participant Type constants.
10 Product overview
User recertification
IBM Tivoli Identity Manager provides the ability to certify and validate a users
access to IT resources on a regular interval. User recertification is a type of
certification process that combines recertification of a users accounts, group
memberships of accounts, and role memberships into a single activity.
User recertification activities are completed by a specified participant, such as a
manager or application owner. Each user recertification activity lists accounts,
group memberships, and role memberships owned by a user. Groups that are
enabled as access are displayed within the activity using the access information
rather than the group information. The participant can individually approve or
reject whether the user still requires each account, group membership, and role
membership. Several actions can be taken when a resource or membership is
rejected, including suspension of the resource or removal of the membership.
The user recertification policy provides options for configuring the scope of the
recertification, workflow activities, notifications, and timeout and rejection
behaviors.
Recertification policies
Recertification simplifies and automates the process of periodically revalidating
a target type (account or access) or a membership (role or resource group). The
recertification process validates whether the target type or membership is still
required for a valid business purpose. The process sends recertification
notification and approval events to the participants that you specify. A
recertification policy includes activities to ensure that users provide confirmation
that they have a valid, ongoing need for a specified resource or membership.
Creating a user recertification policy
As an administrator, you can create a user recertification policy to recertify the
accounts, group membership of accounts, and memberships of users.
User recertification history report
This section describes the report that lists history of user recertifications
performed manually (by specific recertifiers), or automatically (due to time out
action).
User recertification policy definition report
This section describes a report that lists information about the user
recertification policies defined in the system.
Group management capabilities
IBM Tivoli Identity Manager provides additional security administration
enhancements through new group management capabilities.
Group management capabilities include:
v Ability to create, change, delete groups on the target resource as long as the
Tivoli Identity Manager version 5.1 adapter is installed
v Synchronous group provisioning to the target resource for creating, modifying,
and deleting groups
v Streamlined navigation in the administrative console for group management
v New version 5.1 adapters and profiles take advantage of group management
capabilities
Product overview 11
Group administration
IBM Tivoli Identity Manager provides predefined groups. You can also create
and modify customized groups.
Tivoli Common Reporting
IBM Tivoli Identity Manager features new reporting capabilities for auditing
purposes and provides reports based on a common reporting component named
IBM Tivoli Common Reporting. This component is based on the Eclipse Business
Intelligence Reporting Tool and provides custom report authoring, report
distribution, report scheduling capabilities, and the ability to run and manage
reports from multiple IBM Tivoli products.
Tivoli Common Reporting is a reporting feature that is available as an additional
benefit to owners of Tivoli products. Tivoli Common Reporting offers Tivoli
customers a common approach to viewing and administering reports. Tivoli
products provide report packages based on Tivoli Common Reporting, with reports
that have a common look and feel across all Tivoli products.
For more details about the Tivoli Common Reporting component, see the
documentation on the Tivoli Common Reporting DVD. For more information about
the availability of Tivoli Identity Manager reports, see the Tivoli Identity Manager
Support Site.
Reports included with Tivoli Common Reporting
v Accesses Report
v Approvals and Rejections Report
v Dormant Accounts Report
v Entitlements Granted to an Individual Report
v Noncompliant Accounts Report
v Orphan Accounts Report
v Separation of Duty Policy Definition Report
v Separation of Duty Policy Violation Report
v Services Report
v Summary of Accounts on a Service Report
v Suspended Accounts Report
v User Recertification History Report
v User Recertification Policy Definition Report
Configuring and administering IBM Tivoli Common Reporting
IBM Tivoli Common Reporting (also called the reports pack) focuses on
account, service, and request information.
New APIs
These new application programming interfaces (APIs) are available to support the
new features of IBM Tivoli Identity Manager 5.1.
v Group
v GroupEntity
v GroupFactory
v GroupManager
v GroupMO
v GroupSearch
12 Product overview
v GroupService
v New methods on the Role, RoleEntity, and RoleMO classes
v SeparationOfDutyPolicy
v SeparationOfDutyPolicyManager
v SeparationOfDutyPolicyMO
v SeparationOfDutyRule
v UserRecertificationCompletionImpact
v UserRecertificationWorkflowAssignmentMO
New workflow extensions
These new workflow extensions are available to support the new features of IBM
Tivoli Identity Manager 5.1.
v approveRolesByOwner
v approveRolesWithOperation
v callApprovalOperation
v addSeparationOfDutyPolicy
v callSODApprovalOperation
v constructApprovalDocument
v remediateAccountsAndGroups
v remediateRoleMemberships
v updateRecertificationStatusAllApproved
v updateRecertificationStatusEmptyDocument
Sample workflow: sequential approval for user recertification using
packaged approval node
This scenario shows an organization policy that requires user recertification to
be approved by two levels of approvers. The first approver submits decisions
that are reviewed by the second approver. The second approver can change the
decisions made by the first approver and then submit the final decisions. The
request in this scenario is for recertification approval of user resources
(accounts, groups, or roles).
Sample workflow: user recertification role membership approval by role
owner
This scenario shows an organization with a policy that requires that role
membership recertifications are completed by individual role owners, while the
users accounts and groups are recertified by the manager. After all approvals
have been completed, the individual resource decisions are combined and
remediated.
New JavaScript functions
These new JavaScript

functions are available to support the new features of IBM

Tivoli Identity Manager 5.1.
v PackagedApprovalDocument
v PackagedApprovalItem
v RecertificationWorkflow
v SeparationOfDutyRuleViolation
PackagedApprovalDocument
A relevant data object used in multi-item approval, used exclusively in user
recertification workflows. This object is made up of multiple
Product overview 13
PackagedApprovalItem objects from the user recertification approval and allows
for searching and retrieving recertification items.
PackagedApprovalItem
A relevant data object used in IBM Tivoli Identity Manager multi-item
approval, used exclusively in user recertification workflows. This object
represents the individual roles, accounts, and groups that are presented to the
user during the recertification process. Some items might contain a decision
code indicating the choice of the approvers for that item. Each item also
contains a list of children that is used to represent relationships between
accounts and groups.
RecertificationWorkflow
Provides extended capabilities to user recertification workflows, including audit
support for the reporting and view requests functions.
SeparationOfDutyRuleViolation
Object that provides information about a specific separation of duty rule
violation. Use this object to get specific information about a separation of duty
policy violation. This object cannot be created for use by the user. The user can
work only with SeparationOfDutyRuleViolation objects that the system has
generated as part of the approveSoDViolation workflow.
Hardware and software requirements
Hardware and software requirements that are stated here for IBM Tivoli Identity
Manager take precedence over any other mention in other IBM Tivoli Identity
Manager publications.
These requirements were current when this publication went to production. For
possible updates to this information, contact your customer support representative.
Operating system requirements
The IBM Tivoli Identity Manager installation program checks to ensure that
specific operating systems and levels are present before starting the installation
process.
Table 3 identifies the operating systems, patches, and minimum requirements for
installation:
Table 3. Operating system requirements for IBM Tivoli Identity Manager
Operating system Patch or maintenance level requirements
AIX

Version 5.3 None

AIX Version 6.1
1
None
Sun Server Solaris 10 (SPARC)
2
None
Windows

Server 2003 Standard

Edition and Enterprise Edition
None
Windows Server 2008 Standard
Edition and Enterprise Edition
None
Red Hat Linux

Enterprise 4.0
for Intel

, System p

and System
z

None
Red Hat Linux Enterprise 5.0 for
Intel, System p and System z
None
14 Product overview
Table 3. Operating system requirements for IBM Tivoli Identity Manager (continued)
Operating system Patch or maintenance level requirements
SUSE Linux Enterprise Server
9.0 for Intel, System p and
System z
None
SUSE Linux Enterprise Server
10.0 for Intel, System p and
System z
None
SUSE Linux Enterprise Server
11.0 for Intel, System p and
System z
None
Note:
1. Support is also available for AIX 6.1 WPAR.
2. Support is also available for Sun Server Solaris 10 64-bit LDOM.
Hardware requirements
IBM Tivoli Identity Manager has these hardware requirements:
Table 4. Hardware requirements for IBM Tivoli Identity Manager
System components Minimum values* Recommended values**
System memory (RAM) 2 gigabytes 4 gigabytes
Processor speed Single 2.0 gigahertz Intel or
pSeries

processor
Dual 3.2 gigahertz Intel or
pSeries processors
Disk space for product and
prerequisite products
20 gigabytes 25 gigabytes
* Minimum values: These values enable a basic use of IBM Tivoli Identity Manager.
** Recommended values: You might need to use larger values that are appropriate for your
production environment.
Software prerequisites
IBM Tivoli Identity Manager has these software prerequisites:
Java Runtime Environment (JRE) requirements:
IBM Tivoli Identity Manager requires JRE version 1.5 SR9, which is installed in the
WAS_HOME/java directory when WebSphere

Application Server Fix pack 23 is

installed.
Use of an independently installed development kit for Java, from IBM or other
vendors, is not supported. The JRE requirements for using a browser to create a
client connection to the IBM Tivoli Identity Manager server are different than the
JRE requirements for running the WebSphere Application Server.
WebSphere Application Server requirements:
The following table lists the required version of WebSphere Application Server and
any applicable fix pack or APAR requirements.
Product overview 15
Table 5. Requirements for using WebSphere Application Server with IBM Tivoli Identity
Manager
Application
server
Fix
pack,
patch,
and
maintenance
level
requirements
Cumulative
fix
Additional
APARs
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
WebSphere
Application
Server
Version
6.1
Fix
pack
23
None None
WebSphere
Application
Server
Version
7.0
Fix
pack 5
None None
Database server requirements:
IBM Tivoli Identity Manager has these database server requirements:
Table 6. Database server requirements
Database
server
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0
SUSE
Linux
10.0
SUSE
Linux
11.0
IBM
DB2

Enterprise
Version
9.1
Fix pack
4
IBM
DB2
Enterprise
Version
9.5
1
Fix pack
3B
IBM
DB2
Enterprise
Version
9.7
Microsoft
SQL
Server
2005,
Enterprise
Edition
2
16 Product overview
Table 6. Database server requirements (continued)
Database
server
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0
SUSE
Linux
10.0
SUSE
Linux
11.0
Oracle
10g
Release
2
(Version
10.2.0.1)
3
Oracle
11g
Release
1
3
4
Note:
1. IBM DB2 Enterprise 9.5 is not supported on Linux 32 bit operating systems or
on any Linux operating systems on pSeries hardware. IBM DB2 9.5 WorkGroup
Edition is bundled for Linux 32 bit operating systems.
2. IBM Tivoli Identity Manager must be running on a supported Windows
operating system if Microsoft SQL Server is used for the IBM Tivoli Identity
Manager database.
3. The Oracle 11.1.0.7 database driver is required for both Oracle 10gR2 and
Oracle 11g databases.
4. Oracle 11g version 11.1.0.7.0 supports Windows Server 2008 32 and 64 bit
operating systems.
Directory server requirements:
IBM Tivoli Identity Manager has these directory server requirements:
Table 7. Directory server requirements
Directory
server
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
IBM
Tivoli
Directory
Server
Version
6.1
2
IBM
Tivoli
Directory
Server
Version
6.2
1
Product overview 17
Table 7. Directory server requirements (continued)
Directory
server
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
Sun
Enterprise
Directory
Server
Version
6.3
Note:
1. Supported with Tivoli Directory Server 6.1 Fix pack 1.
2. Supported with Tivoli Directory Server 6.1 Fix pack 4.
Directory Integrator requirements:
Tivoli Identity Manager has these optional directory integrator requirements:
You can optionally install IBM Tivoli Directory Integrator Version 6.1.1, Version
6.1.2, or Version 7.0 for use with IBM Tivoli Identity Manager.
IBM Tivoli Directory Integrator is used to enable communication between the
installed agentless adapters and IBM Tivoli Identity Manager. For more
information on agentless adapters, refer to the IBM Tivoli Identity Manager
Installation and Configuration Guide.
Table 8. Directory integrator requirements
Directory
integrator
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
IBM
Tivoli
Directory
Integrator
Version
6.1.1
IBM
Tivoli
Directory
Integrator
Version
6.1.2
18 Product overview
Table 8. Directory integrator requirements (continued)
Directory
integrator
Fix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
IBM
Tivoli
Directory
Integrator
Version
7.0
Note:
For the UNIX

and Linux adapter IBM Tivoli Identity Manager requires:

Version 6.1.1, Fix Pack FP0003 or higher
Version 6.1.2, Fix Pack FP0001 or higher
Version 7.0, Fix Pack FP0001 or higher
Report server requirements:
The following table lists the required version of Tivoli Common Reporting Server
and any applicable fix pack or APAR requirements.
Table 9. Requirements for using Tivoli Reporting Server with IBM Tivoli Identity Manager
Report server Fix pack, patch, and maintenance level
requirements
Cumulative fix Additional APARs
Tivoli Common Reporting
Server, Version 1.2.0.1
Interim fix 02 of fix pack 2 None None
You can download the latest fixes for Tivoli Common Reporting Server from the
Fix Central Web site at http://www.ibm.com/support/fixcentral/
Browser requirements for client connections:
IBM Tivoli Identity Manager has browser requirements for client connections.
The IBM Tivoli Identity Manager administrative user interface uses applets that
require a Java plug-in provided by Sun Microsystems JRE Version 1.5 or higher.
When the browser requests a page that contains an applet, it attempts to load the
applet using the Java plug-in. If the required JRE is not present on the system, the
browser prompts the user for the correct Java plug-in, or fails to complete the
presentation of the items in the window. The Tivoli Identity Manager user interface
is displayed correctly for all pages that do not contain a Java applet, regardless of
JRE installation.
Cookies must be enabled in the browser to establish a session with IBM Tivoli
Identity Manager.
Product overview 19
Note: Do not start two or more separate browser sessions from the same client
computer. The two sessions are regarded as one session ID, which will cause
problems with the data.
The following table lists the browser and browser versions that are supported by
IBM Tivoli Identity Manager. Supported browsers are not included with the
product installation.
Table 10. Browser requirements
BrowserFix
pack,
patch,
and
maintenance
level
requirements
AIX
5.3
AIX
6.1
Solaris
10
Windows
Server
2003
Windows
Server
2008
Windows
clients
Red
Hat
Linux
4.0
Red
Hat
Linux
5.0
SUSE
Linux
9.0,
SUSE
Linux
10.0
SUSE
Linux
11.0
Mozilla,
Firefox
Version
2.0
Mozilla,
Firefox
Version
3.0
1
Mozilla,
Firefox
Version
3.5
1
Microsoft
Internet
Explorer,
Version
7.0
1
Microsoft
Internet
Explorer,
Version
8.0
1
Note:
1. Supported with Windows Server 2003 Service Pack 1 (SP1).
Supported adapter levels
IBM Tivoli Identity Manager supports the use of agentless and agent-based
adapters.
The IBM Tivoli Identity Manager installation program will always install the
following adapter profiles:
v AIX profile (UNIX and Linux adapter)
v Solaris profile (UNIX and Linux adapter)
v HP-UX profile (UNIX and Linux adapter)
v Linux profile (UNIX and Linux adapter)
v LDAP profiles (LDAP adapter)
20 Product overview
The IBM Tivoli Identity Manager installation program will optionally install the
agentless adapter profiles for the IBM Tivoli Identity Manager LDAP adapter and
IBM Tivoli Identity Manager UNIX and Linux adapter. It is recommended that you
install the latest adapter profile before you start using the adapter.
You must take additional steps to install adapters if you choose not to install them
during the IBM Tivoli Identity Manager installation or if the adapter is not
installed as a service profile with IBM Tivoli Identity Manager.
The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema,
which enables communication between the IBM Tivoli Identity Manager and
systems running IBM IBM Tivoli Directory Server or Sun ONE directory server.
The IBM Tivoli Identity Manager LDAP Adapter Installation Guide describes how to
configure the LDAP adapter. The following table lists the UNIX and Linux systems
and versions that are supported by the UNIX and Linux adapter.
Table 11. Prerequisites to run the UNIX and Linux adapter
Operating system Version
AIX AIX 5.1, AIX 5.2, AIX 5.3
HP-UX HP-UX 11i Trusted, HP-UX 11i Non-Trusted
Red Hat Linux Red Hat Enterprise Linux Advanced Server 3.0
Red Hat Enterprise Linux Advanced Server 4.0
Red Hat Enterprise Linux Enterprise Server 3.0
Red Hat Enterprise Linux Enterprise Server 4.0
Solaris Solaris 9, Solaris 10
SUSE Linux SLES 8, SLES 9
Adapters are available at the following IBM Passport Advantage

Web site:
http://www.ibm.com/software/sw-lotus/services/cwepassport.nsf/wdocs/
passporthome
Installation and configuration guides for adapters can be found at the following
Tivoli Identity Manager information center Web site:
http://publib.boulder.ibm.com/tividd/td/IdentityManager5.0.html
Installation images and fix packs
IBM Tivoli Identity Manager installation files and fix packs can be obtained using
the IBM Passport Advantage Web site, or by another means, such as a CD or DVD
as provided by your IBM sales representative.
The Passport Advantage Web site provides packages, referred to as eAssemblies,
for various IBM products. The IBM Tivoli Identity Manager Installation and
Configuration Guide provides full instructions for installing and configuring IBM
Tivoli Identity Manager and the prerequisite middleware products.
The procedure that is appropriate for your organization depends on the following
conditions:
v Operating system used by IBM Tivoli Identity Manager
Product overview 21
v Language requirements for using the product
v Type of installation you need to perform:
eAssembly for the product and all prerequisites
The IBM Tivoli Identity Manager installation program enables you to
install IBM Tivoli Identity Manager, prerequisite products, and required
fix packs as described in the IBM Tivoli Identity Manager Installation and
Configuration Guide. This type of installation is recommended if your
organization does not currently use one or more of the products
required by IBM Tivoli Identity Manager.
eAssembly for a manual installation
You can install IBM Tivoli Identity Manager separately from the
prerequisites, and you can install separately any of the prerequisite
products that are not installed. In addition, you must verify that each
prerequisite product is operating at the required fix or patch level.
Known limitations, problems, and workarounds
IBM Tivoli Identity Manager has these known software limitations, problems, and
workarounds.
As limitations and problems are discovered and resolved, the IBM Software
Support team updates the online knowledge base. By searching the knowledge
base, you can find workarounds or solutions to problems that you experience. The
following link launches a customized query of the live Support knowledge base for
items specific to version 5.0:
Tivoli Identity Manager Version 5.0 tech notes
To create your own query, go to the Advanced search page on the IBM Software
Support Web site.
Product installation, upgrade, and removal limitations, problems
and workarounds
You might encounter these IBM Tivoli Identity Manager Server installation,
upgrade, or product removal problems, and use these workarounds:
v Problem: The dollar sign ($) has special meaning in the installer frameworks
used by IBM Tivoli Identity Manager Server and non-Windows operating
platforms. The installer framework or operating system might do variable
substitution for the value. For example, on UNIX-like platforms, $$ will be
replaced with the process ID. For installers based on ISMP (InstallShield
Multiplatform), $$ are replaced with a single $.
Workaround: Avoid using $ as a value in any field in a IBM Tivoli Identity
Manager Server installation or configuration page.
v Problem: If you uninstall and then quickly reinstall IBM Tivoli Identity Manager
Server, the performance of the graphical user interface degrades significantly
and might become unusable. The performance of the WebSphere Application
Server might also degrade. Although no messaging engine problem is the cause,
the symptom is a message such as:
CWSIT0019E: No suitable messaging engine is available on bus itim_bus
Workaround: Remove the WebSphere Application Server transaction log files. In
the WAS_PROFILE_HOME/tranlog/cell_name/node_name/server_name/
transaction/tranlog/ directory, the files are named log1 and log2.
Additionally, in the WAS_PROFILE_HOME/tranlog/cell_name/node_name/
server_name/transaction/partnerlog/ directory, the files are named log1 and log2.
22 Product overview
The cause of the problem is that after reinstallation, transaction recovery may
not be able to complete properly. The cause is a problem in the transaction log.
The messaging engine detects this condition as identifiers in the transaction log
that remain from the previous IBM Tivoli Identity Manager Server installation,
and that differ from the current database.
v Problem: When user groups are migrated from Version 4.6 of IBM Tivoli Identity
Manager Express, a help desk assistant at IBM Tivoli Identity Manager Version 5
is able to change the role of a group member, but not the IBM Tivoli Identity
Manager account.
Workaround: At IBM Tivoli Identity Manager Express Version 4.6, groups and
roles were not separated. A help desk user could assign any user to any group
by changing the users personal profile, because groups and roles were treated
as the same. At Version 4.6, however, a help desk user could not update or
request a IBM Tivoli Identity Manager account. To provide change permission,
create a new access control item that targets IBM Tivoli Identity Manager
accounts and grants that permission.
v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version
4.6 to IBM Tivoli Identity Manager Version 5, a manager who clicks Manage
users to manage a specific subordinate will observe these results:
All the users in IBM Tivoli Identity Manager are displayed.
The details of the subordinates were read only.
Workaround: Immediately after upgrading from Version 4.6 to Version 5, as
system administrator, adjust the views and access control items for managers, to
produce the correct results:
views IBM Tivoli Identity Manager Express Version 4.6 provided independent
view settings for manager tasks. These independent tasks no longer exist
in IBM Tivoli Identity Manager Version 5. Instead, managers use the
same tasks as help desk assistants. In this scenario, the Change
Subordinates Profile task no longer exists. After the upgrade, you must
enable Change User in the manager view. This also applies to the other
manager-specific tasks from IBM Tivoli Identity Manager Express
Version 4.6 such as requesting, changing, or deleting an account.
access control items
The *default* access control items in IBM Tivoli Identity Manager
Express Version 4.6 allowed managers to search for all users, but the
logic in the manager-specific tasks, such as Change Subordinates Profile,
displayed only the managers subordinates. Since those special tasks no
longer exist in IBM Tivoli Identity Manager Version 5, you must adjust
the access control items so that managers can search only for their
subordinates.
v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version
4.6 to IBM Tivoli Identity Manager Version 5, for the users created previously on
Version 4.6, the Identity Manager login ID field is also displayed in a users
profile in the Personal Information page at Version 5. However, for the default
System Administrator which is a system generated person, the attribute Identity
Manager login ID is not displayed. Creating a new person on the upgraded
Version 5 does not display the Identity Manager login ID.
Workaround: Upgrade disables the default identity policy for ITIM Service,
which is responsible for populating the erpersonuid (Identity Manager Login ID)
attribute when a user is created. To hide the field for the users created
previously on Version 4.6, use the Form Designer to hide the TIM Account
Product overview 23
userID in the Person form. To enable all previous and new end-users to see the
field, enable the IBM Tivoli Identity Manager Express Version 4.6 identity policy
that copies the userID to that attribute.
The Identity Manager login ID field was used in IBM Tivoli Identity Manager
Express Version 4.6 because the IBM Tivoli Identity Manager Express account
was hidden, and users needed a field that displayed their user ID. After
upgrading to Version 5, the IBM Tivoli Identity Manager accounts are no longer
hidden and there is no need for the field. Users can find their user ID by
looking at the IBM Tivoli Identity Manager accounts.
The identity policy might not function if you migrate a deployment from
single-server deployment of IBM Tivoli Identity Manager Express Version 4.6 to
a cluster environment at Version 5, because a cluster environment uses an
in-memory cache to avoid ID collisions that would be unique to each cluster
member.
v Problem: Middleware configuration errors occur if you use InstallShield
MultiPlatform to install IBM Tivoli Identity Manager on RedHat Enterprise
Linux Version 5.0, which provides 64-bit JVM. For example, an error message
might be:
The installer is unable to run in graphical mode.
Try running the installer with the -console or -silent flag.
Additionally, some X display programs might not work.
Workaround: During installation on RedHat Enterprise Linux Version 5.0, the
InstallShield MultiPlatform middleware configuration tool requires 32-bit JVM,
including the 32-bit version of libXmu.so.6, which must reside in the /usr/lib
directory. These 32-bit libraries are not installed by default. Before installing IBM
Tivoli Identity Manager, obtain the following files and write them to the
/usr/lib directory:
64-bit zLinux systems
libXmu-1.0.2-5.s390.rpm
64-bit X86 systems
libXmu-1.0.2-5.i386.rpm
v Problem: When you upgrade IBM Tivoli Identity Manager Version 5.0, you
might perform tasks similar to this scenario:
1. Create a new organization and create users in the new organization.
2. Create a hosted ITIM service and provide at least one of the newly created
users with an account on the service. For example, the newly created users
account might have the user ID of helpdeskuser.
3. Add helpdeskuser to the Help Desk Assistant group.
4. Log out and log in as helpdeskuser.
5. Navigate to Manage users in the portfolio and search for users.
Although users exist, the search by the Help Desk member displays no users.
The default search page does not automatically search the logged in users
organization.
Workaround: Use the Advanced search feature to select to the new organization
and perform the search. The users are then found and listed.
v Problem: After an upgrade from a previous version of Tivoli Identity Manager,
errors can occur when you attempt to view requests made before the upgrade.
Additionally, a similar error occurs in viewing requests if you create identically
named services and then delete them.
24 Product overview
Workaround: Pending a fix, a method in the service search returns items from
the recycle bin. To correct this, remove all service entries from the recycle bin.
For example, to remove a service entry, complete these steps:
1. Use the ldap browser to connect to the directory server.
2. Expand the entries under ou=recycleBin, ou=itim, <tenant_dn>, where the
value of <tenant_dn> is the actual DN.
3. Delete the entry matching objectClass=erServiceItem attribute under
ou=recycleBin, ou=itim, <tenant_dn>.
v Problem: Problems might arise from an improper configuration of the JDBC
driver at upgrade time for IBM Tivoli Identity Manager. At upgrade time, the
IBM Tivoli Identity Manager installation prompts for the location of the JDBC
driver for IBM Tivoli Identity Manager to use in connecting to the database. If
the administrator does not reference an Oracle 10.x JDBC driver (ojdbc14.jar),
problems can occur when users attempt to reconcile services following an Oracle
upgrade from Version 9.x to 10.x. The error produces a message similar to this:
CTGIMU552E An error occurred while communicating with the server.
Workaround: IBM Tivoli Identity Manager requires the JDBC driver to be
matched with the database server level; therefore, the driver needs to be
updated with the Oracle 10.x driver. Replace the ojdbc14.jar file in
ITIM_HOME/lib with the JAR file provided by the Oracle Version 10.x
installation, and then restart the WebSphere Application Server. The JDBC driver
level used by the WebSphere Application Server is printed in the SystemOut.log
at server startup.
This is an example log record in SystemOut.log for the Oracle 9.x JDBC driver,
which is the wrong driver:
[12/6/07 10:32:02:369 EST] 00000156 DSConfigurati I
DSRA8205I: JDBC driver name : Oracle JDBC driver
[12/6/07 10:32:02:372 EST] 00000156 DSConfigurati I
DSRA8206I: JDBC driver version : 9.2.0.7.0
This is an example log record in SystemOut.log for the Oracle 10.x JDBC driver,
which is the correct driver:
[12/6/07 10:54:41:913 EST] 00000024 InternalOracl I
DSRA8205I: JDBC driver name : Oracle JDBC driver
[12/6/07 10:54:41:918 EST] 00000024 InternalOracl I
DSRA8206I: JDBC driver version : 10.2.0.1.0
v Problem: If there are two or more nodes that contain node.xml files on the
WebSphere Application Server, errors can occur when the IBM Tivoli Identity
Manager installation program checks in alphabetic order for the existence of the
NODE_NAME directory as the node that the WebSphere Application Server
should use as the target server to deploy IBM Tivoli Identity Manager to.
For example, you might see an error message similar to this one:
Server name is not valid
This is a critical failure. Although the installation process will continue, the
installation will later fail.
On the WebSphere Application Server, the node.xml file is in this directory:
WAS_HOME/config/cells/CELL_NAME/nodes/
NODE_NAME/servers/SERVER_NAME/
where:
WAS_HOME
The installation directory, such as /opt/IBM/WebSphere/AppServer/
profiles/AppSrv01.
Product overview 25
CELL_NAME
The cell name, such as tivmvs12Node01Cell.
NODE_NAME
The node name, such as tivmvs12Node01.
SERVER_NAME
The server name, such as server1.
Workaround: To work around the error, complete these tasks:
1. Back up in your sequence of completing the installation panels to the
previous panel.
2. Temporarily rename the node.xml files that exist in the wrong nodes, to
allow the installation program to find the correct node.xml file.
3. Continue forward in the installation panels, passing the Server Name is not
valid error message to continue the installation.
4. Rename the files back to their original names when installation is complete.
To rename a node.xml file, for example, type:
Windows systems:
rename node.xml node.xml.original
UNIX/Linux systems:
mv node.xml node.xml.original
v Problem: When running the manual uninstallation of IBM Tivoli Identity
Manager Version 5.0 from the ITIM_HOME\itim\itimUninstallerData directory,
the messages Preparing SILENT Mode Installation... and Installation
Complete appear. These messages are not indicative of the proper function of the
uninstaller.
Limitation: This is a known limitation of the InstallAnywhere platform that is
used to customize the manual uninstallation of IBM Tivoli Identity Manager.
v Problem: After upgrading from IBM Tivoli Identity Manager version 4.6 and
viewing requests in the Identity Manager console, the following warning is
issued in the trace log: Unable to parse erworkflow attribute value for view
requests -- using default query.
This message occurs because the formatting of the users view requests
preferences was changed between releases. This trace entry indicates that the
preferences cannot be parsed, and is replaced with the default query.
Limitation: This is a onetime occurrence for each user as they use the view
requests function after the upgrade. The message can safely be ignored. The user
preferences are updated, using the default query as a starting point.
v Problem: Passwords might be displayed in the clear in the itim_install.stderr
installation log file.
Limitation: This is a onetime installation log file. After a successful installation
the log can be deleted.
v Problem: The script files changeCipher and
startIncrementalSynchronizerCMD_WAS are not working correctly.
Workaround: To use the scripts changeCipher.sh, changeCipher.bat,
startIncrementalSynchronizerCMD_WAS.sh and
startIncrementalSynchronizerCMD_WAS.bat, you must first set the ITIM_HOME
and WAS_HOME variables in the scripts.
26 Product overview
IBM Tivoli Identity Manager Server limitations, problems, and
workarounds
These are IBM Tivoli Identity Manager Server problems, workarounds, and
limitations:
v Problem: APARS that were fixed in IBM Tivoli Identity Manager Version 4.6 and
in IBM Tivoli Identity Manager Express Version 4.6 are still pending resolution
for IBM Tivoli Identity Manager Version 5.0.
Limitation: APARS pending resolution at Version 5.0 include:
IY86885, IY86991, IY88093, IY91022, IY91040, IY91106, IY91896, IY92097, IY92176,
IY92227, IY92688, IY92841, IY92851, IY93514, IY94096, IY94415, IY94425, IY94471,
IY94616, IY94708, IY94774, IY94978, IY94980, IY94986, IY95478, IY95684, IY95834,
IY96118, IY96257, IY96616, IY96967, IY97292, IY97340, IY97662, IY97665, IY97769,
IY98312, IY98464, IY98612, IY99084, IY99175, IY99208, IY99295, IY99300, IY99416,
IY99624, IY99659, IY99660, IY99813, IY99826, IZ00148, IZ00153, IZ00195, IZ00197,
IZ00311, IZ00318, IZ00812, IZ00815, IZ01021, IZ01059, IZ01074, IZ01107, IZ01112,
IZ01125, IZ01187, IZ01588, IZ01602, IZ01654, IZ01763, IZ01768, IZ01799, IZ01890,
IZ01953, IZ02057, IZ02355, IZ02621, IZ02744, IZ03822, IZ03983, IZ04263, IZ04631,
IZ47646, IZ04801, IZ05063, IZ05103, IZ05313, IZ05732, IZ05951, IZ06712, IZ07364,
IZ07571, IZ08011, IZ08157, IZ08190, IZ08287, IZ08459
v Problem: When you apply the IBM Tivoli Identity Manager Server Fix Pack for
LdapUpgrade, the Fix Pack application fails with error 80 if the TAM-ESSO
Tivoli Access Manager for Enterprise Single Sign-On Provisioning Adapter has
been integrated into IBM Tivoli Identity Manager Server. The process of
TAM-ESSO integration introduces new attributes into the IBM Tivoli Identity
Manager Server system object classes erAccountItem and erServiceItem.
LdapUpgrade will fail with the message Error in loading schema - LDAP:
error code 80-Other. The NamingException should be logged in
ITIM_HOME/install_logs/ldapUpgrade.stdout file.
Limitation: To resolve the error, complete these manual steps:
1. Click OK when the Error in loading schema message occurs.
2. After the Fix Pack application is done, update the ITIM_HOME/config/
ldap/er-schema.dsml file by modifying IBM Tivoli Identity Manager Server
object classes, erAccountItem and erServiceItem.
a. After the object-identifier1.3.6.1.4.1.6054.1.2.2 object-identifier of
erAccountItem, add the entries below:
<attribute ref="vgoAdminID" required="false" />
<attribute ref="vgoAdminPWD" required="false" />
<attribute ref="vgoApplicationDescription" required="false" />
<attribute ref="vgoApplicationID" required="false" />
<attribute ref="vgoApplicationPWD" required="false" />
<attribute ref="vgoCredAttribute1" required="false" />
<attribute ref="vgoCredAttribute2" required="false" />
<attribute ref="vgoSSOUserID" required="false" />
b. After the object-identifier1.3.6.1.4.1.6054.1.2.6object-identifier of
erServiceItem, add the entries below:
<attribute ref="vgoApplicationIDMeta" required="false" />
<attribute ref="vgoSSOUserIDMeta" required="false" />
<attribute ref="vgoApplicationDescriptionMeta" required="false"/>
<attribute ref="vgoCredAttribute1Meta" required="false" />
<attribute ref="vgoCredAttribute2Meta" required="false" />
<attribute ref="vgoApplicationUserIDMeta" required="false" />
c. Run ITIM_HOME/bin/ldapUpgrade.
v Problem: The forms designer provides the ability to edit the Person form
template. During an editing session, under the personal tab, you can replace the
Product overview 27
initials text field with the password pop-up widget. The field will then contain
initials of a person which are encrypted because of change in widget. However,
a correct error message does not appear after you create the Person instance, and
then put incorrect initials in the text field.
Limitation: To avoid issues with popup blocking software, the password pop-up
widget does not launch a new window.
v Problem: During a change or modify operation, the password widget used in
custom form pages can cause display of a blank password field, rather than a
sequence of asterisks (***).
However, if the widget is part of the first tab in a notebook or first step in a
wizard, the field will be blank.
Limitation: Use of a blank value prevents a user from discovering the value of a
password by viewing the page source file.
v Problem: How to define default values for attributes not shown on an account
form using a form widget is not described.
Workaround: To use a form widget to define an account default when the
attribute is not on the form, complete the following steps:
1. Select Configure System > Design Forms task to add the attribute to the
account form.
2. Select a widget for the attribute and save the form.
3. Select Manage Services > Manage Default task to define the default value.
You can use the widget configured for the attribute on the form to define the
default value.
4. Remove the attribute from the account form, using the Configure System >
Design Forms task and save the form.
v Problem: Errors occur if a semicolon is used within a password on the Windows
operating system.
Workaround: When you define a password, do not use a semicolon.
v Problem: If you start an activity as a user, and while the activity is pending,
delete the service to which the activity applies, the activity remains in the
activity list for the user, and an error message occurs if you attempt to view the
target activity.
Limitation: Cleanup of pending activities does not immediately occur for
running workflows that reference a service, when the service is deleted. The
information is not easily available (if at all) to the running workflows. The
workflow runs to completion, or until an error occurs.
For example, if a workflow is assigned to account creation for a given service
and an account on that service is requested, the workflow starts. If the service is
deleted during the run, the account request workflow continues to run,
including any required approvals, and other operations. When the workflow
attempts to create the account on the deleted service, the workflow fails because
the service no longer exists.
v Problem: In a key=value pair in a property file such as CustomLabels.properties
file, you must specify a key name that is entirely lowercase. Otherwise, an error
occurs.
Limitation: Because the method that fetches the schema class for an attribute
will return only lowercase characters, you must specify in any properties file, a
key name that is entirely lowercase.
v Problem: If you suspend and then restore an account, the e-mail notification of
account restoration does not contain the account password. This occurs if the
28 Product overview
person initiating the restore is the owner of the account, or if the password was
not changed as part of the restore operation (the account is restored with the
same password as before).
Limitation: This notification behavior is working as designed. The person who
owns the restored account, and did not change the password, still knows the
existing password.
v Problem: Using LDAP Data Interchange Format (LDIF) files to import
backed-up directory information can cause problems if the system is not
stopped, or workflows are incomplete.
Workaround: When you use LDIF files to import backed-up directory
information, ensure that the application servers have been stopped. If the LDIF
import modifies workflows or operations, ensure that all workflows are
complete before you perform the import operation. For more information about
importing LDIF files, refer to your directory server documentation.
v Problem: When you create a service and add an attribute, there might be
attribute with the same name that already exists, but does not yet have any user
data stored. If you add a duplicate attribute with same name in other service
type, the change to attribute with the duplicate name will affect data in other
service profiles.
For example, adding a single-valued attribute in the case where a previously
existing attribute is multi-valued, will change the attribute type to single-valued
in all service profiles in which this attribute exists. If no data exists, there is no
warning message.
Workaround: Before you create an attribute for a service, ensure that the new
attribute does not already exist in other service profiles.
v Problem: When configuring an entitlement parameter for a provisioning policy,
if the attribute value is defined to be of type JavaScript, but only a single string
is entered, such as my password, the string is automatically converted to type
Constant.
Limitation: A single string of type JavaScript is automatically converted to type
Constant, for an attribute of an entitlement parameter of a provisioning policy.
v Problem: When selecting objects for a partial export, other objects that the
selected objects depend on are automatically added to the export list by the
system. If you then remove a selected object, the objects that the selected object
depends on are not also automatically removed from the export list, nor can
they be removed manually.
Workaround: Either continue to export the list and ignore the extraneous objects,
or save the list, and then delete it and make a new partial export list without the
object that you wanted to remove. Then, perform the export.
v Problem: If a user has a IBM Tivoli Identity Manager account in multiple IBM
Tivoli Identity Manager groups, an e-mail notification that the user receives
might contain links to both the administrator and self-care user interfaces.
Workaround: Use either link. This is working as designed. Two links are
generated because of users membership in two different types of IBM Tivoli
Identity Manager groups (end user and non-end user) through the users IBM
Tivoli Identity Manager accounts.
v Problem: In some circumstances, when you click Test Connection for an AD
OrganizationalPerson identity feed service, and you have provided incorrect
information, an error message is displayed without the remaining content of the
page.
Workaround: Refresh your browser page, or exit the task and perform it again
using correct information.
Product overview 29
v Problem: To configure SSL connections between the IBM Tivoli Identity Manager
Server and adapters, the following two parameters are required to be defined in
the WebSphere Application Server as parameters to JVM.
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
When you inquire for a process list by typing the ps -ef command, the password
of the Java Key Store is listed in the result output.
Workaround: Describe these parameters in a file, then specify the file with the
-Xoptionsfile option. Complete these tasks:
1. Create a file, then describe these parameters on the same line as follows:
-Djavax.net.ssl.trustStore=/usr/IBM/itim/itim50.jks
-Djavax.net.ssl.trustStorePassword=password
2. Specify the file name with the -Xoptionsfile option as a parameter to JVM.
a. Open the WebSphere Application Server Administrative Console.
b. Select Server Application Server servername Process Definition
Java Virtual Machine.
c. Add the-Xoptionsfile option as follows:
-Xoptionsfile=/usr/IBM/itim/jksProps.txt
d. Restart the WebSphere Application Server.
v Problem: A filter change to a lifecycle rule does not take effect immediately
when running it manually. Lifecycle rule operations can take an extended period
of time to finish for the entire result set returned from the evaluation of the
lifecycle rule filter, primarily due to the manual workflow activities associated
with the operation.
Additional information: For lifecycle rules that are associated with profiles or
categories, execution is dependent on the enrole.profile.timeout property, defined
in minutes, in the enRole.properties file. Even if the filter that is present in the
lifecycle rule is modified and run manually, it takes the previous filter the
maximum time of the refresh interval to elapse, specified in minutes for the
enrole.profile.timeout property. Once this period is over, the modified value for
the filter is then used during lifecycle execution.
v Problem: Owners of disabled IBM Tivoli Identity Manager accounts still receive
notification e-mails targeted to them as the participant of a request for
information or approval request.
Limitation: This is a current limitation.
v Problem: When you have access control items for default Person and custom
Person (derived from inetOrgPerson) entities in IBM Tivoli Identity Manager, the
access control item for the default Person entity also affects the custom Person
entity. For example, a custom Person entity that is defined as customPerson
inherits from inetOrgPerson. Any access control item that applies to the
inetOrgPerson entity also applies to the customPerson entity, in addition to
access control items defined for the customPerson entity.
Note: The behavior of the access control items was changed in IBM Tivoli
Identity Manager at Version 4.6 to enforce the inheritance. An access control item
defined for an objectclass not only applies to entities of the objectclass, but also
to entities belonging to objectclasses that inherit this objectclass directly or
indirectly.
Workaround: Define an access control item exclusively for inetOrgPerson to
allow for the access control item to apply only to the default person entity. Set
the following access control item target filter:
(!(objectclass=customPerson))
30 Product overview
v Problem: To allow some users to change a users role, you might configure
access control items for both Person and custom Person objects with Read and
Write access on erRoles (as well as Search/Modify operations). An additional
access control item would allow users to search for organizational roles.
However, when a user then attempts to modify the erRole attribute, you might
find that IBM Tivoli Identity Manager does not allow the modification.
Workaround: For an organizational role, create an additional access control item
that grants Modify rights to users.
To assign an organizational role to a person or remove the person from an
organizational role, define appropriate access control items that give a user all of
the following permissions and operations:
Write attribute permission for the erRoles attribute of the Person to be
modified.
Modify operation on the Person to be modified.
Modify operation for the organizational role that is to be removed from or
added to the Person.
v Problem: To provide a role for a service owner, you must change the Category
owner field on the service form to Static Organizational Role. However, it is not
recommended to change the owner type (from Person to Static Organizational
Role and vice versa) for a service profile when one or more service instances
have been defined for that profile.
Workaround: If you want to specify Static Organizational Role on the service
form for a profile that already has existing services, remove the service owner of
all services of the profile. For example, if you want to specify Static
Organizational Role for a WinLocal service, you must remove all service owners
of all Winlocal services.
v Problem: If you use the Form Designer to configure a date on a form, you can
configure the attribute and see the value correctly displayed, as long as it is not
set to null in LDAP.
Workaround: The DateInput Type allows users to select a default or an
alternative date. The Default date input type allows the user to specify that the
attribute value never expires, by selecting Never in the administrative console,
or No date selected in the self-service console. The Alternative Date date input
type does not allow the user to specify that the attribute value never expires,
and should be used if the attribute value must expire at some point in time.
For a default date, a null or empty value for the attribute is interpreted as the
attribute never expires, and is displayed on the administrative console with
Never selected, and on the self-service console with No date selected
selected.
v Problem: When you preview a change to a provisioning policy, the list size of
the display of the affected accounts is limited by the combination of two
properties in ui.properties file: enrole.ui.pageSize and enrole.ui.pageLinkMax.
The account list size limit is determined by the value of enrole.ui.pageSize
property multiplied by the value of enrole.ui.pageLinkMax property plus 1
(one).
For example, by default, if enrole.ui.pageSize=50 and enrole.ui.pageLinkMax=10,
the maximum affected account list size would be calculated as:
50 x 10 + 1 = 501
Workaround: If you have a large number of affected accounts to preview for a
change in a provisioning policy, increase these two properties appropriately.
Product overview 31
Start by increasing only the enrole.ui.pageLinkMax value, because increasing the
value of enrole.ui.pageSize will affect other parts of the IBM Tivoli Identity
Manager user interface.
v Problem: A provisioning policy preview will time out if the preview summary
page is idled for more than 10 minutes after evaluation completion, or if you
navigate away from the preview summary page for more than 10 minutes.
When the preview times out, navigating to obtain detail from the summary page
is not possible. If timeout occurs, you can only click Close on the summary
page.
Workaround: To prevent timeout, avoid idling or navigating away from the
preview summary page for more than 10 minutes. To correct the problem after it
occurs, resubmit the preview request.
v Problem: If an access definition for a group on a service is referenced by a
recertification policy and the access definition is undefined for the group, the
recertification policy is not fully updated with the removal of the access
definition. The target of the recertification policy will be listed in the user
interface as null or None, due to an improper update of the recertification policy
for the access removal. Although the recertification policy user interface will
show the target as None, running the recertification policy will continue to
recertify accounts which make use of the group for which the access was
defined.
Workaround: Edit the recertification policy by using the user interface for the
policy which referenced the access definition to be deleted:
1. First, remove the access to be deleted from the recertification policy with
which it is associated. If the access definition is removed before removing the
target from the recertification policy, the recertification policy pages can be
used to work around the issue.
2. Once the recertification policy is opened in edit mode, navigate to the Access
Target tab and remove the target listed as None.
3. Save the recertification policy to properly update the policy.
If None is the only target for the recertification policy, you might want to delete
the recertification policy entirely, because it is not used for other access
definitions.
A similar issue can occur when you modify an access definition to deselect
Display in an Access list. If this option is not selected in the access definition,
the recertification policy that references that access definition will not be
searchable by access name.
v Problem: When you manage identities, no default operations appear for a
Person object at the Entity Level. Operations do appear at the Entity Type level.
However, when they are changed, the operations still indicate they are
system-defined operations.
Limitation: This is an existing limitation. By design, operations that are defined
at the Entity Type Level are not shown, when the Entity Level is selected. A
system-defined entity operation indicates it is system-defined, even after a user
has modified the operation.
v Problem: When you configure IBM Tivoli Identity Manager Integration for
Maximo Service Request Manager Version 7.1, the Maximo Web service issues
call failures when IBM Tivoli Identity Manager attempts to provision more than
10,000 users. One to two dozen Maximo users do not get created due to the call
failures. However, the users are created when the requests for them are
resubmitted.
Limitation: This is an existing limitation. For more information, refer to APAR
IZ23893.
32 Product overview
v Problem: If you remove a cluster node from a cluster and then add the cluster
node back to the cluster, the Tivoli Identity Manager administrative console does
not start.
Workaround: Add the ITIM_Home/data directory again to the classpath on the
server associated with the node.
v Problem: When using the GUI to submit an attribute with leading or trailing
spaces, the IBM Tivoli Identity Manager server deletes the leading or trailing
spaces for that attribute value. This occurs for all attributes except for the
password attribute.
Limitation: This is an existing limitation.
WebSphere Application Server limitations, problems, and
workarounds
You might encounter these WebSphere Application Server problems, and use these
workarounds:
v Problem: The WebSphere Application Server and the DB2 Universal Database

are installed on the same Windows machine. The WebSphere Application Server
and the DB2 Universal Database services are set up to start automatically. After
rebooting the machine, the WebSphere Application Server and DB2 Universal
Database are successfully started, but a user or account cannot be created or
modified.
Workaround: The messaging engine did not start because the WebSphere
Application Server started before the DB2 Universal Database started. When the
WebSphere Application Server starts, the messaging engine for IBM Tivoli
Identity Manager is started, if the DB2 Universal Database is available at that
time.
After rebooting the machine, manually ensure that the messaging engine for
IBM Tivoli Identity Manager started successfully. On the WebSphere Application
Server Administrative Console, select Service Integration > Buses > itim_bus >
Messaging engines from the Topology section. If the messaging engine is not
started, start it from this page.
v Problem: On the Sun Solaris 10 operating system, the WebSphere Application
Server JVM produces a core error while attempting to resize the JVM heap
during a garbage collection.
Workaround: Set both the minimum and maximum JVM heap sizes (Xms and
Xmx) to the same value.
Database server limitations, problems, and workarounds
You might encounter these IBM Tivoli Identity Manager database server problems,
and use these workarounds:
v Problem: IBM Tivoli Identity Manager does not install on a Windows system
configured in the Russian language. Specifically, DB2 Universal Database cannot
determine the Windows Administrator user if the user ID is spelled in Russian.
Workaround: Before you attempt to start the IBM Tivoli Identity Manager
installation program or the middleware configuration utility, open the operating
system user management utility and change the Russian spelling of the user
Administrator and the group Administrators to the English spelling. Try the
installation again.
v Problem: IBM Tivoli Identity Manager does not work with SQL Server JDBC
Driver 1.2 when FIPS is enabled.
Workaround: disable FIPS. IBM Tivoli Identity Manager works with SQL Server
JDBC Driver 1.2 when FIPS is disabled. Microsoft has accepted this problem as a
defect in the SQL Server 2005 JDBC driver 1.2.
Product overview 33
v Problem: IBM Tivoli Identity Manager does not work with SQL Server if the
database is case sensitive (CS).
Workaround: Ensure that Microsoft SQL Server 2005 or at least the database is
installed with the codepage set to case insensitive (CI).
Directory server limitations, problems, and workarounds
You might encounter these IBM Tivoli Identity Manager directory server problems,
and use these workarounds:
v Problem: In some Linux environments, a potentially ignorable error message
might occur during a service profile import operation. You might observe the
following socket failure error message in the ibmslapd.log file on the IBM Tivoli
Directory Server:
07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).
07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).
07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).
Workaround: If either the Tivoli Identity Manager or the LDAP operation
succeeded, ignore these messages, which are written to the ibmslapd.log file, but
do not affect the requested operation. If the operation failed, contact Tivoli
Identity Manager level 2 support for assistance.
v Problem: The LDAP server can hang after several days of continuous activity, or
during intervals with large numbers of concurrent users.
Workaround: On the directory server, set the environment variable
LDAP_WAITQ=NO before you start the LDAP server. Setting the value of LDAP_WAITQ
to NO changes the behavior of the LDAP server to use the version 6.0 method of
handling requests. For more information, refer to APAR IO07991.
Directory Integrator limitations, problems, and workarounds
You might encounter these IBM Tivoli Directory Integrator problems, and use these
workarounds:
v Problem: IBM Tivoli Directory Integrator Version 6.1 is known to stop under
heavy load from a high number of user deletion requests. For example,
attempting to delete 1,000 or more users at a time can cause IBM Tivoli
Directory Integrator to stop.
Workaround: Try deleting fewer users at a time to avoid the problem. For more
information, refer to APAR IO09039.
Browser limitations, problems, and workarounds
You might encounter these browser limitation, or browser problems, and use these
workarounds:
v Problem: When you click Manage Services > Select a Service, and then search
for a service, the Services table returns a list of services. If the hyperlinked name
of a service in the table is very long, the rightmost characters in the name might
overrun the right column boundary in the table.
Limitation: This is a browser limitation, in which a long service name will fail to
wrap within the column boundary.
v Problem: If you are using the Mozilla Version 1.7 browser, you can create a
subordinate node, such as a Location, from the menu on the main Organization
node. The new node appears under the main Organization node. However, if
you collapse the main Organization, and then create a second node, such as an
additional Location, the Organization subtree expands in the display, but the
second node does not appear in the tree.
Workaround: Collapse the node for the Organization subtree, and then expand it
again. The additional node appears.
34 Product overview
v Problem: Using the Mozilla Version 1.7 browser, the last row of the Users table
might overlap with the summary line after you reconcile a service and then list
all the users of the service. For example, complete these tasks:
1. Click Manage Services > Select a Service, and then click Search for available
services. In the Services table, select a service. Then, click Reconcile Now in
the popup menu.
2. After the reconciliation completes successfully, click Manage Users > Select a
User. Then, click Search for available users. Assuming there are sufficient
users to fill the table, the last row of the Users table overlaps the summary
line.
Limitation: This is a known limitation of the browser.
v Problem: Using the Internet Explorer browser, when you intend to select the
Browse button in some activities, pressing the Enter key does not cause the next
action to occur. For example, pressing Enter does not cause the Browse key to
display a Choose File page during the reconciliation step of service creation.
Workaround: Press the space bar instead the Enter key to select the Browse
button. This is a known limitation of the browser.
v Problem: Display is blocked for security reasons if you attempt to open the
About information page for IBM Tivoli Identity Manager using the Internet
Explorer browser with Enhanced Security Configuration (ESC) enabled. The
About page provides the server name, product build number and date, and
other product information.
Workaround: To view the page, add the about:blank site to the browsers list of
trusted sites. However, this is not recommended because adding about:blank as
a trusted site will reduce the security of the system.
v Problem: When you are managing activities, and want to view and lock your
activities, a graphic image of a lock does not consistently appear adjacent to the
activity that you lock for IBM Tivoli Identity Manager, viewed with the Mozilla
browser at Version 1.7.x.
Workaround: To view the lock symbol, open the browser to another tab, and
then return to the page on which you view locked activities.
v Problem: Clicking the Back button on the browser during data entry in the user
interface might cause a loss of the data that you enter. For example, clicking
Back and then Forward causes data that you entered in fields to be lost.
Limitation: Do not use the Back and Forward selections provided by the
browser; use only the selections provided in the application window to navigate
from one window to another.
v Problem: A user cannot open multiple browser sessions with the IBM Tivoli
Identity Manager Server on the same system.
Limitation: IBM Tivoli Identity Manager does not support using the same
browser on the same machine to start multiple sessions with the server.
v Problem: The tab sequence for pages containing radio buttons is not always
correct in Internet Explorer.
Limitation: When tabbing to a group of radio buttons, focus should move to the
currently selected radio button. However, in some cases, focus will incorrectly
move to the closest radio button in the group, rather than the currently selected
radio button.
v Problem: Using the Firefox browser, you might have difficulty selecting multiple
items in some selection boxes using the shift-down key combination. One
example is the Organizational Roles field located in the person form. This
problem does not occur on Internet Explorer.
Product overview 35
Workaround: Select multiple items by clicking items while holding down the
control (Ctrl) key, or by clicking shift-down quickly and repeatedly, or by
selecting the first item and shift-clicking another item, which will select both
items and all items in between.
v Problem: Using the Internet Explorer browser at version 6 with SP2, the Submit
and Cancel buttons might become disabled when you enter an incorrect file
name during data import and then attempt to import the file. For example, this
might occur when you click Configure System > Import Data and then attempt
to upload a file that is not correctly specified. This problem does not occur with
a Mozilla browser, or with a later version of Internet Explorer.
Workaround: Repeat the operation, entering a valid name for the file that you
want to import.
v Problem: The title of the JavaScript dialog box appears as [JavaScript
Application] instead of IBM IBM Tivoli Identity Manager 5.0 when exiting out
of the launchpad installer.
Limitation: This is a known limitation with titles of JavaScript dialog boxes
when using the Mozilla or Firefox browser. This issue does not occur on
Windows operating systems.
v Problem: Internet Explorer 7, running on a non English Windows operating
system can render drop down list with truncated contents.
Limitation: This is a known limitation that does not occur with the FireFox
browser or Internet Explorer running on English version operating systems.
Accessibility limitations, problems, and workarounds
You might encounter these IBM Tivoli Identity Manager accessibility limitations, or
accessibility problems. If so, use these workarounds:
v Problem: A separating symbol used as part of a breadcrumb between the trail of
tasks, which is the > character, is read as greater than by screen reader such as
JAWS. The screen reader encounters the symbol when it reads a task title on a
window that IBM Tivoli Identity Manager provides. For example, the screen
reader might read Home > View or Change Profile as the words Home greater
than View or Change Profile.
Limitation: The use of the separator symbol > is coded as the greater than
character. An equivalent visual character that avoids causing a screen reader to
read the symbol is not available in this release.
v Problem: No logout occurs when you tab to and then press ENTER on the
logout button, at the top right corner of the main IBM Tivoli Identity Manager
console page.
Additionally, a screen reader such as JAWS does not read the logout button as a
link.
Workaround: Press the Tab one additional time, before you press ENTER.
Otherwise, the cell in which the logout button exists is selected, not the button
itself. There is no workaround for a screen reader such as JAWS. However, a
visually impaired person is unlikely to tab through all the frames. It is more
likely that the person will invoke a list of links (click Ins-F7) and select Log out.
v Problem: A screen reader such as JAWS reads read-only buttons as available on
the Mozilla Firefox browser. For example, the screen reader reads greyed out
Change or Delete buttons as available. However, using Internet Explorer at
Version 6.0, service pack 2 or above, the screen reader correctly determines that
read-only buttons are unavailable.
Limitation: For purposes of correctly reading unavailable buttons, the Internet
Explorer browser reads correctly for visually-impaired users.
36 Product overview
v Problem: JAWS does not read file input fields correctly, using Internet Explorer.
A file input consists of a text field and a browse button. Using Internet Explorer,
JAWs reads both widgets when the focus is on the text field, but says nothing
when the focus is on the Browse button. For example, the screen reader fails to
read a Browse button, when it should read the button as Browse button, to
activate press spacebar.
These problems are not observed using the Mozilla FireFox browser.
Limitation: For purposes of correctly reading empty fields and Browse buttons,
the Mozilla FireFox browser reads correctly for visually-impaired users.
However, other reading problems might exist, which are solved by a different
browser.
v Problem: A screen reader such as JAWS reads some fields such as scheduling
start and end date entry fields as though they were read-only, rather than fields
that allow selecting a new date from the calendar control. Additionally, a screen
reader will read fields that are populated by a Search or a Browse button as
read-only, rather than fields that can be changed by clicking Search or Browse.
For example, if you select a person in the search results and then click OK, the
program returns to the page that has the target field, and the name of the
selected person now appears in the read-only text field. A similar problem is
clicking Clear to clear the value in the read-only text field.
Limitation: There is no workaround. The user must understand when to click
the appropriate button from the additional information in page text or help that
is provided.
v Problem: Using the middle pane of the Form Designer applet, it is not possible
to use the keyboard to switch between the property dialog page and the
attributes. For example, using Enter and Tab keys does not switch the focus.
Workaround: Start your edit activity by clicking the launch in new page link.
Because there are no level one (that is, main) headings on IBM Tivoli Identity
Manager console pages, you cannot use the reading function that the Freedom
Scientific JAWS application provides. Users using screen readers should read the
screen using the paragraph, line, or full page reading functions of JAWS. The
most important frames that readers use include:
Task Switcher to switch between active tasks in the console.
Portfolio area to access the list of tasks to perform.
Work area, which is the current, active page.
v Problem: Occasionally, certain browser readers that are used by sight-impaired
users may read a control twice on a IBM Tivoli Identity Manager Version 5 page
in the graphical user interface. This occurs, for example, using the JAWS browser
reader.
Workaround: Ignore the second reading. The IBM Tivoli Identity Manager
Version 5 graphical user interface does not have more than one control with the
same name on the same page.
Report limitations, problems, and workarounds
You might encounter these IBM Tivoli Identity Manager report problems, and use
these workarounds.
v Problem: After you perform a data synchronization and then run a report for
account operations with a status of Pending, the report does not show pending
requests to create accounts.
When the report runs, the actual service provisioning process is in a
pending/scheduled state and no account create process exists in workflow
tables. The account create process is invoked when a scheduled service provision
Product overview 37
process runs. However, because there is no pending create account process in the
case of a scheduled account creation, the report is not able to capture that
process as a pending request in the report.
Workaround: A partial workaround exists. To view account create requests for
service types other than Tivoli Identity Manager accounts, select Create account
as the request type and then select the root process type as ANY or service
provision process. Selecting ANY as root process type will show all account
creation requests where root processes may be different from one another.
v Problem: After you install Japanese from the language pack, viewing a report
shows erroneous characters after selecting English at the Tivoli Identity Manager
logon. However, if you select Japanese as the language at the logon, the report is
correctly displayed.
Workaround: This problem occurs if you run a Japanese language report and
have set the locale to English, because the default English font does not support
DBCS characters. To view reports generated in a double-byte character set
(DBCS) language, specify a font that is capable of displaying DBCS characters.
This workaround applies for locales other than English when DBCS characters
are not supported by the respective font.
Complete these tasks:
1. Open the ITIM_HOME/data/enRoleFonts.properties file.
2. Comment out the $LOCALE=$font_name line for the English font. For example,
if characters in the report are Japanese, and $LOCALE = en, comment out
en=sans-serif.
3. Add a new line for the $LOCALE=$DBCS_character_support_font_name. The
following fonts are supported:
Japanese
Simplified_Chinese
Traditional_Chinese
Korean
v Problem: For languages such as Arabic or Korean, the date and time data
remains in English, in reports formatted in Portable Document Format (PDF).
Limitation: This is a Java limitation. The date and time format for Arabic and
Korean languages are displayed incorrectly, based on their locale.
v Problem: Life cycle rule reports do not generate correctly. The life cycle rule
operation appears to have root process of LC. In an account operation report, all
account operations which are performed for the life cycle rule are displayed with
the root process as LC.
Workaround: Change a statement and add a statement in the
ITIM_HOME/data/reportingLabels.properties file. Complete these steps:
1. Open the ITIM_HOME/data/reportingLabels.properties file in any text editor.
If you have a language pack installed, the file that you edit is the
ITIM_HOME/data/reportingLabels_languagecode.properties file, where
languagecode is a locale-specific code, such as en for English.
2. Edit the following statement, replacing ls with lc.
rootprocessview.type.ls=life Cycle Rule Execution
After the change, the line reads:
rootprocessview.type.lc=life Cycle Rule Execution
For languages other than English, the language of the text following the
equal sign will vary.
3. Add a new label by adding the following line:
38 Product overview
process.type.lc=Life Cycle Rule Execution
For languages other than English, the language of the text following the
equal sign will vary.
4. Save the file and quit the text editor.
5. Run the report again.
v Problem: The CrystalTestWAS script indicates a connectivity problem between
the IBM Tivoli Identity Manager Server machine and the Crystal Enterprise
machine. More specifically, the CrystalTestWAS.sh script runs from a UNIX
setup that hosts the Tivoli Identity Manager Server fails to connect to the Crystal
Management server installed on a Windows machine. The error is similar to this
message:
com.crystaldecisions.enterprise.ocaframework.OCAFrameworkException$AllServersDown:
All the servers with CMS, cluster and kind cms are down or disabled
As a result of this error, Crystal Reports can not be executed from Tivoli Identity
Manager, and Tivoli Identity Manager also cannot import new Crystal Report
templates.
Workaround: If the connection type of the Crystal Enterprise user
(crystalEnterpriseUser property in the ITIM_HOME/data/crystal.properties
file) is chosen as Concurrent User, the access to the Crystal Enterprise system
for the concurrent user will depend on the number of other users that are
currently connected to the Crystal system. This sometimes leads to a situation in
which the Crystal Enterprise user used by Tivoli Identity Manager is unable to
connect to the Crystal system because of a connection limit being reached at the
Crystal server. As a result, this type of error may appear while running the
CrystalTestWAS script.
Complete these steps:
1. Log on to the Windows system where Crystal Enterprise 10 system is
installed. Click Start Programs Crystal Enterprise 10 Crystal
Configuration Manager. A page listing all the Crystal Report services is
opened. Select all the services that are currently running, and restart them.
2. Log on to the UNIX system that hosts Tivoli Identity Manager as the
non-root Crystal user that was used to install Crystal Enterprise client
components on the UNIX system. Go to the directory of client components
(crystalHome property in the ITIM_HOME/data/crystal.properties file), and
run env.sh.
3. Make sure that all the properties specified in the ITIM_HOME/data/
crystal.properties file are correct.
4. Run the ITIM_HOME/bin/unix/CrystalTestWAS.sh script again.
v Problem: Generating a Tivoli Common Reporting Server Approval and
Rejections report might have performance problems when large amounts of data
are involved.
Limitation: This is a know limitation when using like in the query.
Other limitations, problems, and workarounds
You might encounter these additional problems, and use these workarounds:
v Problem: When high contrast is enabled on Windows XP, the display of the IBM
Tivoli Identity Manager workflow designer applet is not reformatted to the high
contrast scheme. When you turn on High Contrast, the applet window outline is
converted to high contrast. However, the interior fields of the applet display do
not match the high contrast changes.
Workaround: Refresh the browser to reload the workflow designer, which will
update the applet with the high contrast settings.
Product overview 39
v Problem: Active users experience unexpected results when the date and time is
changed on the operating system on which IBM Tivoli Identity Manager is
installed.
Workaround: As an administrator, if you change the date and time on the
operating system on which IBM Tivoli Identity Manager is installed, always
ensure that no users are currently logged into the IBM Tivoli Identity Manager
Server. Users that are logged on can experience unpredictable results if the
change is significant.
v Problem: The help panel for the user advanced search displays additional fields.
Limitation: The help panel displays information about additional fields that are
not displayed on the search page. These fields are specific to an LDAP account
and can be added using the Add another search filed link.
Note: The Account type information incorrectly states that the type cannot be
changed. The account type can be changed.
v Problem: The help panel for the Form designer interface page lists Tungsten
Theme as the default menu theme.
Limitation: The correct name is Default Theme.
v Problem: The contextual help for the Separation of Duty Policy Violations page
indicates that there is a Person Name column in the policy table. However, the
table does not include that column.
Limitation: This is a known limitation in the contextual help content.
Technical overview
You can use IBM Tivoli Identity Manager to manage the identity records that
represent people in a business organization. This section introduces the product
architecture and main components.
Tivoli Identity Manager is an identity management solution that centralizes the
process of provisioning resources, such as provisioning accounts on operating
systems and applications to users.
Tivoli Identity Manager gives you the ability to add business processes and
security policies to basic user management, including approvals for user requests
to access resources. In addition, Tivoli Identity Manager provides a uniform way to
manage user accounts and to delegate administration, including self-service and a
help desk user interface.
Users, authorization, and resources
An administrator uses the entities that IBM Tivoli Identity Manager provides for
users, authorization, and resources to provide both initial and ongoing access in a
changing organization.
40 Product overview
Identities
An identity is the subset of profile data that uniquely represents a person
in one or more repositories, and includes additional information related to
the person.
Accounts
An account is the set of parameters for a managed resource that defines
your identity, user profile, and credentials.
Users A user is an individual who uses IBM Tivoli Identity Manager to manage
their accounts.
Access control items
An access control item is data that identifies the permissions that users
have for a given type of resource. You create an access control item that
allows you to specify a set of operations and permissions, and then
identify which groups use the access control item.
Groups
A group is used to control user access to functions and data in IBM Tivoli
Identity Manager. Membership in a IBM Tivoli Identity Manager group
provides a set of default permissions and operations, as well as views, that
group members need.
Policies
A policy is a set of considerations that influence the behavior of a managed
resource (called a service in IBM Tivoli Identity Manager) or a user. A
policy represents a set of organizational rules and the logic that IBM Tivoli
Identity Manager uses to manage other entities, such as user IDs, and
applies to a specific managed resource as a service-specific policy.
Adapters
An adapter is a software component that provides an interface between a
managed resource and the IBM Tivoli Identity Manager Server.
Services
A service represents a managed resource, such as an operating system, a
database application, or another application that IBM Tivoli Identity
Manager manages. For example, a managed resource might be a Lotus
Notes

application. Users access these services by using an account on the

service.
Identities
Accounts
Access
control
item
Service
Users
Group
Identity
policy
Adapter
Password
policy
Other
policies
Workflow
People Authorization Workflows/policies Resources
Figure 1. Users, authorization, and resources
Product overview 41
Main components
Main components in the IBM Tivoli Identity Manager solution include the IBM
Tivoli Identity Manager Server and required and optional middleware components,
including adapters that provide an interface to managed resources.
In a cluster configuration, main components include:
For more information on configuration alternatives, refer to the IBM Tivoli Identity
Manager Installation and Configuration Guide.
Components include:
Database server products
IBM Tivoli Identity Manager stores transactional and historical data in a
database server, a relational database that maintains the current and
historical states of data.
Directory server products
IBM Tivoli Identity Manager stores the current state of the managed
identities in an LDAP directory, including user account and organizational
data.
IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator synchronizes identity data residing in
different directories, databases, and applications. IBM Tivoli Directory
Integrator synchronizes and manages information exchanges between
applications or directory sources.
WebSphere Application Server
WebSphere Application Server is the primary component of the WebSphere
environment. WebSphere Application Server runs a Java virtual machine,
providing the runtime environment for the application code. The
application server provides communication security, logging, messaging,
and Web services.
WebSphere Application Server Network Deployment
Tivoli Identity Manager cell
Tivoli Identity Manager cluster
Application Server
Tivoli Identity Manager Server
JDBC driver
}
}
}
IBM HTTP Server
WebSphere Web
Server plug-in
Deployment Manager
JDBC driver
}
Tivoli Identity Manager
database
LDAP
data store
Figure 2. Main components
42 Product overview
HTTP server and WebSphere Web Server plug-in
An HTTP server provides administration of IBM Tivoli Identity Manager
through a client interface in a web browser. IBM Tivoli Identity Manager
requires the installation of a WebSphere Web Server plug-in with the HTTP
server. The WebSphere Application Server installation program can
separately install both the IBM HTTP Server and WebSphere Web Server
plug-in.
IBM Tivoli Identity Manager adapters
An adapter is a software component that provides an interface between a
managed resource and IBM Tivoli Identity Manager. An adapter functions
as a trusted virtual administrator for the managed resource, performing
such tasks as creating accounts, suspending accounts, and other functions
that administrators typically perform.
People overview
People, such as employees and contractors, need to use the resources that an
organization provides. A person who has a IBM Tivoli Identity Manager account is
a IBM Tivoli Identity Manager user.
Users need different degrees of access to resources for their work. Some users need
to use a specific application. Other users need to administer the system that links
users to the resources that their work requires.
IBM Tivoli Identity Manager manages users identities (user IDs), accounts, access
entitlements on those accounts, and user credentials such as passwords.
Users
A person who is managed by IBM Tivoli Identity Manager is a user; a user who
has a IBM Tivoli Identity Manager account is called a IBM Tivoli Identity Manager
user, and can use IBM Tivoli Identity Manager to manage their accounts or
perform other administrative tasks.
Users need different degrees of access to resources for their work. Some users need
to use a specific application. Other users need to administer the system that links
users to the resources that their work requires. A IBM Tivoli Identity Manager user
is assigned to a specific group that provides access to specific views and allows the
user to perform specific tasks in IBM Tivoli Identity Manager .
As an administrator, you create users either by importing identity records or by
using IBM Tivoli Identity Manager .
Identities
An identity is the subset of profile data that uniquely represents a person or entity
and that is stored in one or more repositories.
For example, an identity might be represented by the unique combination of a
persons first, last (family) name, and full (given) name, and employee number. An
identity profile might also contain additional information such as phone numbers,
manager, and e-mail address.
Accounts
An account is the set of parameters for a managed resource that defines an
identity, user profile, and credentials.
Product overview 43
An account defines login information (your user ID and password, for example)
and access to the specific resource with which it is associated.
In IBM Tivoli Identity Manager, accounts are created on services, which represent
the managed resources such as operating systems (UNIX), applications (Lotus
Notes), or other resources.
Accounts are either active or inactive. Accounts must be active to log in to the
system. An account becomes inactive when it is suspended, which might occur if a
request to recertify your account usage is declined and the recertification action is
suspend. Suspended accounts still exist, but they cannot be used to access the
system. System administrators can restore and reactivate a suspended account as
long as the account has not been deleted.
Access
Access is your ability to use a specific resource, such as a shared folder or an
application.
In IBM Tivoli Identity Manager, access can be created to represent access to access
types such as shared folders, applications (such as Lotus Notes), e-mail groups, or
other managed resources.
An access differs from an account in that an account is a form of access; an account
is access to the resource itself.
Access is the permission to use the resource, and access entitlement defines the
condition that grants access to a user with a set of attribute values of a users
account on the managed resource. In IBM Tivoli Identity Manager, an access is
defined on an existing group on the managed service. In this case, the access is
granted to a user by creating an account on the service and assigning the user to
the group. Access entitlement can also be defined as a set of parameters on a
services account that uses a provisioning policy.
When a user requests new access, by default an account is created on that service.
If an account already exists, the account is modified to fulfill the access
entitlement, for example by assigning the account to the group that grants access
to an access type. If one account already exists, the account is associated with the
access. If multiple accounts already exist, you must select the user ID of the
account to which you wish to associate your access.
An access is often described in terms that can be easily understood by business
users.
Passwords
A password is a string of characters that is used to authenticate a users access to a
system. A user ID and password are the two elements that grant access to a
system.
As an administrator, you can manage user passwords and the passwords that are
set for the users that are used by IBM Tivoli Identity Manager .
Forgotten password information:
When a user forgets a IBM Tivoli Identity Manager password and needs to reset it,
the user must verify his or her credentials with the system. To do so, the user
responds to a set of forgotten password questions with answers that the user
44 Product overview
previously specified. The answer that the user types must match exactly what that
user typed when he or she defined that answer, including the case of the letters.
As the system administrator, you define how many questions must be answered,
and whether the questions are predefined.
v If you predefine the forgotten password questions, the user will need to specify
only the answers.
v If you do not predefine the questions, the user must specify both the forgotten
password questions and the answers.
If the system configuration changes, for instance from undefined questions to
predefined questions, the user will need to specify new forgotten password
questions and answers.
Password synchronization:
Password synchronization is the process of assigning and maintaining one
password for all accounts that a user owns, which reduces the number of
passwords that a user must remember.
You can configure the system to automatically synchronize passwords for all
accounts owned by a user. Then, the user only has to remember one password. For
example, a user has two accounts: a IBM Tivoli Identity Manager account and a
Lotus Notes account. If the user changes or resets the password for the IBM Tivoli
Identity Manager account, the Lotus Notes password is automatically changed to
the same password as the IBM Tivoli Identity Manager password. Passwords
might also be synchronized when you provision an account or restore a suspended
account.
If password synchronization is enabled, a user cannot specify different passwords
for his or her accounts.
Note: When you provision an account or restore an account that was suspended,
you must specify a password for the account. If password synchronization is
enabled, you are not prompted for a password. Instead the account is
automatically given the same password as the users existing accounts.
Password strength rules:
A password strength rule is a rule or requirement to which a password must
conform. For example, password strength rules might specify that the minimum
number of characters of a password must be five and the maximum number of
characters must be ten.
You can define password strength rules in a password policy.
Resources overview
Resources are the applications, components, processes, and other functions that
users need to complete their work assignments.
IBM Tivoli Identity Manager uses a service to manage user accounts and access to
resources by using adapters to provide trusted communication of data between the
resources and IBM Tivoli Identity Manager.
Product overview 45
Services
A service represents a managed resource, such as an operating system, a database
application, or another application that IBM Tivoli Identity Manager manages. For
example, a managed resource might be a Lotus Notes application.
Users access these services by using an account on the service.
Services are created from service types, which represent a set of managed resources
that share similar attributes. For example, there is a default service type that
represents Linux machines. These service types are either installed by default when
IBM Tivoli Identity Manager is installed, or they are installed when you import the
service definition files for the adapters for those managed resources.
Accounts on services identify the users of the service. Accounts contain the login
and access information of the user and allow the use of specific resources.
Most services use IBM Tivoli Identity Manager to provision accounts, which
usually involves some workflow processes that must be completed successfully.
However, manual services generate a work order activity that defines the manual
intervention that is required to complete the request or to provision the account for
the user.
A service owner owns and maintains a particular service in IBM Tivoli Identity
Manager. A service owner should be either a person or a static organizational role.
In case of a static organizational role, all the members of the organizational role are
considered service owners. If that static organizational role contains other roles,
then all members of those roles are also considered service owners.
Service types:
A service type is a category of related services that share the same schemas. It
defines the schema attributes that are common across a set of similar managed
resources.
Service types are used to create services for specific instances of managed
resources. For example, you might have several Lotus

Domino

servers that users

need access to; you might create one service for each Lotus Domino server using
the Lotus Domino service type.
Service prerequisite:
If a service has another service defined as a service prerequisite, a user can only
receive a new account if they have an existing account on the service prerequisite.
For example, Service B has a service prerequisite, Service A. If a user requests an
account on Service B, in order to receive an account, the user must first have an
account on Service A.
Service definition file:
A service definition file, which is also known as an adapter profile, defines the type of
managed resource that IBM Tivoli Identity Manager can manage. The service
definition file creates the service types on the IBM Tivoli Identity Manager Server.
The service definition file is a JAR file that contains the following information:
46 Product overview
v Service information, including definitions of the user provisioning operations
that can be performed for the service, such as add, delete, suspend, or restore.
v Service provider information, which defines the underlying implementation of
how the IBM Tivoli Identity Manager Server communicates with the managed
resource. Valid service providers are Tivoli Directory Integrator and DSMLv2.
v Schema information, including the LDAP classes and attributes.
v Account forms and service forms, along with a properties file for accounts and
supporting data such as service groups that defines the labels for the attributes
on these forms, which are displayed in the user interface for creating services
and requesting accounts on those services.
Manual services:
A manual service is a type of service that requires manual intervention to complete
the request. For example, a manual service might be defined for setting up voice
mail for a user.
Manual services generate a work order activity that defines the manual
intervention that is required.
You might create a manual service when IBM Tivoli Identity Manager does not
provide an adapter for a managed resource for which you want to provision
accounts.
When you create a manual service, you add new schema classes and attributes for
the manual service to your LDAP directory.
Adapters
An adapter is a software component that provides an interface between a managed
resource and IBM Tivoli Identity Manager.
An adapter functions as a trusted virtual administrator for the managed resource,
performing such tasks as creating accounts, suspending accounts, and other
functions that administrators typically perform.
An adapter consists of the service definition file and the executable code for
managing accounts.
Adapters are deployed in one of two ways:
Agent-based adapter
An agent-based adapter must reside on the managed resource, in order to
administer accounts. For example, the Lotus Notes adapter for AIX

is an
agent-based adapter.
Agentless adapter
An agentless adapter can reside on a remote server, in order to administer
accounts. For example, the UNIX/Linux adapter is an agentless adapter.
Adapters are created from one of two technologies:
Adapter Development Kit (ADK)
Adapters that are created using the ADK are either agent-based adapters or
agentless adapters. The ADK is the base component of the adapters and
contains the runtime library, filtering and event notification functionality,
protocol settings, and logging information. The ADK is the same across the
adapters.
Product overview 47
IBM Tivoli Directory Integrator
Adapters that are created using IBM Tivoli Directory Integrator are either
agent-based or agentless adapters. These adapters are implemented as
assembly lines, each of which is a single path of data transfer and
transformation. IBM Tivoli Directory Integrator can pass data from one
assembly line to the next assembly line.
Several agentless adapters are automatically installed when you install IBM Tivoli
Identity Manager. You can install additional agentless or agent-based adapters.
Adapter communication with managed resources
Communication between IBM Tivoli Identity Manager and managed resources has
several solutions.
Linux and UNIX managed resources use agentless adapters that are created using
IBM Tivoli Directory Integrator. Other managed resources use ADK adapters.
Figure 3 illustrates how communication links between software products and
components can be configured.
System security overview
An organization has critical needs to control user access, and to protect sensitive
information.
WebSphere
Application
Server
Web
browser
UNIX
managed
resource
LDAP
managed
resource
Tivoli
Identity
Manager
Server
Other
adapters
Tivoli
Directory
Integrator
SSL
SSL
SSH
SSH
SSL
A
d
a
p
t
e
r
= One-way or two-way SSL
= Secure Shell protocol
KEY:
S
S
L S
S
L
S
S
L
Figure 3. Secure communication in the IBM Tivoli Identity Manager environment
48 Product overview
Given agreement on security requirements for business needs, a system
administrator configures the groups, views, access control items, and forms that
IBM Tivoli Identity Manager provides for security of its data.
Security model characteristics
An organization defines a security model to meet its business needs. The model
serves as a basis to define the requirements and actual implementation of a
security system.
Some characteristic objectives of a security model include:
v Verifying the identity of users, provided by authentication systems that include
password strength and other factors.
v Enabling authorized users to access resources, provided by authorization
systems that define request or role-based processes, and related provisioning.
Resources, for example, include accounts, services, user information, and IBM
Tivoli Identity Manager functions.
A security model also requires additional provisioning processes to select the
resources that users are permitted to access.
v Administering which operations and permissions are granted for accounts and
users.
v Delegating a users list of activities to other users, on a request or assignment
basis.
v Protecting sensitive information, such as user lists or account attributes.
v Ensuring the integrity of communications and data.
Business requirements
A business needs agreement on its security requirements before implementing the
processes that IBM Tivoli Identity Manager provides.
For example, requirement definitions might answer these questions:
v What groups of IBM Tivoli Identity Manager users are there?
v What information does each user group need to see?
v What tasks do the users in each group need to do?
v What roles do users perform in the organization?
v Which access rights need definition?
v What working relationships exist that require some users to have different
authority levels?
v How can prevention and auditing provide remedies for activity that does not
comply with established policies?
To meet common business needs, a business might frequently have several groups,
such as a manager, a help desk assistant, an auditor group, and customized groups
that perform a more expanded or limited set of tasks.
Resource access from a users perspective
To provide security of data for a user who works within a range of tasks on
specific business resources, IBM Tivoli Identity Manager might provide one or
more roles, and membership in one or more groups.
For example, a user in a business unit often has a title, or role that has a
responsibility, such as buyer. The user might also be a member of a group that
provides a view of tasks that the user can do, such as regional purchasing, as
illustrated in Figure 4 on page 50:
Product overview 49
Each role has a related provisioning policy and workflow to grant the user to
access one or more resources, such as accounts.
Each group has a view of specific tasks, and one or more access control items that
grant specific operations and permissions to perform the tasks. By using a form
designer applet, you can also modify the user interface that a user sees, perhaps
removing unnecessary fields for account, service, or user attributes.
Groups:
A group is used to control user access to functions and data in IBM Tivoli Identity
Manager.
Group members have an account on the IBM Tivoli Identity Manager service.
Membership in an IBM Tivoli Identity Manager group provides a set of default
permissions and operations, as well as views, that group members need. Your site
might also create customized groups.
Additionally, some users might be members of a service group that grants specific
access to a certain application or other functions. For example, a service group
might have members that work directly with data in an accounting application.
Predefined groups, views, and access control items:
IBM Tivoli Identity Manager provides predefined groups, which have associated
views and access control items.
Two user interfaces, or consoles, are available:
v Self-service console for all users, for self-care activities such as changing personal
profile information, such as a telephone number.
v Administrative console, for selected users who belong to one or more groups
that enable a range of administrative tasks.
Figure 4. Securing data for user access to resources
50 Product overview
A IBM Tivoli Identity Manager user with no other group membership has a basic
privilege to use IBM Tivoli Identity Manager.
This set of users need only a self-service console for self-care capabilities. The users
are not in a labeled group such as a Help Desk Assistant group.
The predefined groups are associated with predefined views and access control
items, to control what members can see and do, as illustrated in Figure 5
The predefined groups are:
Administrator
The administrator group has no limits set by default views or access
control items and can access all views and perform all operations in IBM
Tivoli Identity Manager. The first system administrator user is named itim
manager.
Auditor
Members of the auditor group can request reports for audit purposes.
Help Desk Assistant
Members of the Help Desk Assistant group can request, change, suspend,
restore, and delete accounts. Members can request, change, and delete
access, and also can reset others passwords, profiles, and accounts.
Additionally, members can delegate activities for a user.
Manager
Members of the Manager group are users who manage the accounts,
profiles, and passwords of their direct subordinates.
Service Owner
Members of the Service Owner group manage a service, including the user
accounts and requests for that service.
Views:
Figure 5. Predefined groups, views, and access control items
Product overview 51
A view is a set of tasks that a particular type of user can see, but not necessarily
perform, on the graphical user interface. For example, it is a task portfolio of the
everyday activities that a user needs to use IBM Tivoli Identity Manager.
On both the self-service console and the administrative console, you can specify
the view that a user sees.
Access control items:
An access control item is data that identifies the permissions that users have for a
given type of resource. You create an access control item that allows you to specify
a set of operations and permissions, and then identify which groups use the access
control item.
An access control item defines these items:
v The entity types to which the access control item applies
v Operations that users might perform on entity types
v Attributes of the entity types that users might read or write
v The set of users that are governed by the access control item
IBM Tivoli Identity Manager provides default access control items.
You can also create a customized access control item that allows you to specify a
set of operations and permissions, and then identify which groups are governed by
the access control item. For example, a customized access control item might limit
the ability of a specific Help Desk Assistant group to change information for other
users. Access control items can also specify relationships such as Manager or
Service Owner.
When you create customized reports, you must also manually create report access
control items and entity access control items for the new report, to permit users
who are not administrators, such as auditors, to run and view data in the custom
report.
After you create an access control item or change an existing access control item,
run a data synchronization to ensure that other Tivoli Identity Manager processes,
such as the reporting engine, use the new or changed access control item.
Forms:
A form is a user interface window that is used to collect and display values for
account, service, or user attributes.
IBM Tivoli Identity Manager includes a form designer, which runs as a Java applet,
that you use to modify existing user, service and account forms. For example, you
might add the fax number attribute and an associated entry field to capture that
number for a particular account, or you might remove an account attribute that
your organization does not want a user to see. If you remove an attribute from a
form, it is completely removed; that is, even system administrators cannot see the
attribute.
You can only see those attributes that are on the form and that you have read or
write access to (as granted by access control items). Using the form designer, you
can also customize forms for other elements in the organization tree, such as
location or organization unit.
52 Product overview
Organization tree overview
Business organizations have a variety of configurations that contain their
subordinate units, including services and employees.
For a given set of business needs, you can configure IBM Tivoli Identity Manager
to provide a hierarchy of services, organizations, users, and other elements in a
tree that corresponds to the needs of a user population.
Note: This release provides enhanced menus to search for a specific user, but not a
graphic organization tree for that purpose.
In this release, you cannot browse and create entities by navigating the
organization tree. The association to a business unit within the organization tree is
specified during the creation of the entity.
Nodes in an organization tree
An organization tree has nodes that include organizations and subordinate
business units, as well as other elements.
An organization tree can have these nodes:
Organization
Identifies the top of an organizational hierarchy, which might contain
subsidiary entities such as organization units, business partner
organization units, and locations. The organization is the parent node at
the top of the node tree.
Organization Unit
Identifies a subsidiary part of an organization, such as a division or
department. An organization unit can be subordinate to any other
container, such as organization, organization unit, location, and business
partner organization.
Business Partner Organization Unit
Identifies a business partner organization, which is typically a company
outside your organization that has an affiliation, such as a supplier,
customer, or contractor.
Location
Identifies a container that is different geographically, but contained within
an organization entity.
Admin Domain
Identifies a subsidiary part of an organization as a separate entity with its
own policies, services, and access control items, including an administrator
whose actions and views are restricted to that domain.
Entity types associated with a business unit
Different types of entities can be associated with a business unit in an organization
tree.
The association to a business unit is specified when the entity is created. Normally,
an entity can not change the business unit association after it is created. The only
exception is the User entity. IBM Tivoli Identity Manager supports the transfer of
users between different business units.
The following entity types can be associated to a business unit in the organization
tree:
Product overview 53
v User
v ITIM group
v Service
v Role
v Identity policy
v Password policy
v Provisioning policy
v Service selection policy
v Recertification policy
v Account and access request workflow
v Access control item
Entity searches of the organization tree
This release provides menus to search for a specific user, but not a graphic
organization tree to navigate to locate a specific user.
To locate a specific user using search menus, use the advanced search filter to
search by user type such as Person or Business Partner Person. In the search, you
can also select a business unit and its subunits, and the status of the user, such as
Active. Additionally, you can add other fields to qualify the search, including an
LDAP filter statement.
Policies overview
A policy is a set of considerations that influence the behavior of a managed
resource (called a service in IBM Tivoli Identity Manager) or a user.
A policy represents a set of organizational rules and the logic that Tivoli Identity
Manager uses to manage other entities, such as user IDs, and applies to a specific
managed resource as a service-specific policy.
Tivoli Identity Manager enables your organization to use centralized security
policies for specified user groups. You can use Tivoli Identity Manager policies to
centralize user access for disparate resources in an organization and implement
additional policies and features that streamline operations associated with users
access to resources.
Tivoli Identity Manager supports the following types of policies:
v Adoption policies
v Identity policies
v Password policies
v Provisioning policies
v Recertification policies
v Separation of duty policies
v Service selection policies
A policy can apply to one or multiple service targets, which can be identified
either by a service type or by listing the services explicitly. These policies do not
apply to services that represent identity feeds.
v Adoption policies apply to services. A global adoption policy applies to all
services of a service type.
54 Product overview
v Identity policies, password policies, and provisioning policies can apply to all
service types, all services of a service type, or specific services.
v Recertification policies cannot act on all service types, but you can add all the
different services for a specific recertification policy.
v Separation of duty policies do not apply directly to service types, and apply
only to role membership for users.
v Service selection policies apply to only one service type.
Policy types and navigation
Table 12. Policy types and navigation
Type of policy Navigation
Adoption Manage Policies > Manage Adoption
Policies
Identity Manage Policies > Manage Identity Policies
Password Manage Policies > Manage Password
Policies
Provisioning Manage Policies > Manage Provisioning
Policies
Recertification Manage Policies > Manage Recertification
Policies
Separation of duty Manage Policies > Manage Separation of
Duty Policies
Service selection Manage Policies > Manage Service
Selection Policies
Account defaults
Account defaults define default values for an account during new account creation.
The default can be defined at the service type level that applies to all services of
that type, or at the service level, which only applies to the service.
Policy enforcement
Global policy enforcement is the manner in which Tivoli Identity Manager globally
allows or disallows accounts that violate provisioning policies.
When a policy enforcement action is global, the policy enforcement for any service
is defined by the default configuration setting. You can specify one of the following
policy enforcement actions to occur for an account that has a noncompliant
attribute.
Note: If a service has a specific policy enforcement setting, that setting is applied
to the noncompliant accounts. The global enforcement setting does not apply.
Policy enforcement can also be set for a specific service.
Mark The existing user account on the old service is marked as disallowed, and
a new account is not created on the new service.
Suspend
The existing user account on the old service instance is suspended, and a
new account is not created on the new service.
Alert An alert is sent to the recipient administrator to confirm removal of the old
Product overview 55
account on old services, and a new account is created on new service if the
user does not have account on new service, and entitlement is automatic.
Correct
Existing accounts are removed on the old service, and a new account is
created on new service if the user does not have account on new service
and entitlement is automatic.
To work with global policy enforcement, go to the navigation tree and select
Configure System > Configure Global Policy Enforcement.
Note: To set service policy enforcement, go to the navigation tree and select
Manage Services.
Workflow overview
A workflow defines a sequence of activities that represent a business process. You
can use workflows to customize account provisioning and access provisioning, and
lifecycle management.
A workflow is a set of steps or activities that define a business process. You can
use the IBM Tivoli Identity Manager workflows to customize account provisioning
and lifecycle management. For example, you can add approvals and information
requests to account or access provisioning processes, and you can integrate
lifecycle management processes (such as adding, removing, and modifying people
and accounts in Tivoli Identity Manager) with external systems.
Tivoli Identity Manager provides these major types of workflows:
Operation workflows
Use operation workflows to customize the lifecycle management of
accounts and people, or a specific service type, such as all Linux systems.
Operation workflows add, delete, modify, restore, and suspend system
entities, such as accounts and people. You can also add new operations
that your business process requires, such as approval for new accounts. For
example, you might specify an operation workflow that defines activities
to approve the account, including notifications and manager approvals.
Account request and access request workflows
Use account request and access request workflows to ensure that resources
such as accounts or services are provisioned to users according to the
business policies of your organization.
Note: The term entitlement workflow was previously used for this workflow
type in Tivoli Identity Manager Version 4.6.
v An account request workflow can be bound to an entitlement for an access
or an account.
In provisioning policies, an entitlement workflow for accounts adds
decision points to account requests, such as adding or modifying an
account. If the request is approved, the processing continues; if the
request is rejected, the request is cancelled.
The account request workflow is invoked during account provisioning
requests, including adding and modifying an account, made by a Tivoli
Identity Manager user or made during account auto provisioning. An
account request workflow can be also invoked during an access request
if there is no access request workflow defined.
56 Product overview
v An access request workflow is bound to an access by the access definition,
rather than by a provisioning policy. This workflow can specify the steps
and approvals that authorize access to resources in a request.
The access request workflow is invoked only for access requests that are
made by a Tivoli Identity Manager user, but not if the access is
provisioned for the user as a result of an external or internal account
request. An external account request is an account request made by a
Tivoli Identity Manager user. An internal account request is an account
request made by the Tivoli Identity Manager system; for example, an
auto account provisioning which gives the user a default or mandatory
group that maps to an access.
Features overview
IBM Tivoli Identity Manager delivers simplified identity management capabilities
in a solution that is easy to install, deploy, and manage.
IBM Tivoli Identity Manager provides essential password management, user
provisioning, and auditing capabilities.
Improved user interface
IBM Tivoli Identity Manager introduces a new dual user interface that shows users
only what they need to do their job.
The interfaces are separate and users access them through different Web addresses.
IBM Tivoli Identity Manager has two types of user interfaces, a self-care interface
and an administrative console interface.
Self-care user interface
The self-care user interface provides a simpler subset of personal tasks that
apply only to the user.
Administrative console user interface
The administrative console user interface provides an advanced set of
administrative tasks, and has new multitasking capabilities.
Administrative console user interface
The administrative console provides a powerful set of tools for managing the
organization.
Persona-based console customization
The administrative console user interface contains the entire set of
administrative tasks, such as managing roles, policies, and reports. This
persona-based console provide sets of tasks, each tailored for the needs of
the default administrative user types:
v System administrator
v Service owner
v Help desk assistant
v Auditor
v Manager
System administrators can easily customize which tasks the different types
of users can perform. To control user access to accounts and tasks, for
Product overview 57
example, use a default set of user groups, access control items, and views.
You can also customize user access by defining additional user groups,
views, and access control items.
Multitasking control
Wizards within the administrative console user interface expedite the
administrative tasks of adding users, requesting accounts, and creating
new services. The administrator can concurrently manage several tasks.
Advanced search capability
The administrative console user interface also provides a powerful
advanced search feature.
Self-care user interface
Using the IBM Tivoli Identity Manager self-care interface, users can update their
personal information and passwords, view requests, complete and delegate
activities, and request and manage their own accounts and access.
The self-care user interface provides a central location for users to perform a
variety of simple, intuitive tasks.
From the self-care home page, the following task panels are available, depending
on the authority the system administrator has granted.
Action Needed
A list of tasks that require completion.
My Password
A list of tasks to change passwords. If password synchronization is
enabled, users can enter one password that is synchronized for all of their
accounts. A user can reset a forgotten password by successfully responding
to forgotten password questions, if forgotten password information is
configured in the system.
My Access
A list of tasks to request and manage access to folders, applications, roles,
and other resources.
My Profile
A list of tasks to view or update personal information.
My Requests
A list of tasks to view requests that a user has submitted.
My Activities
A list of activities that require user action. Users can also delegate
activities.
Recertification
IBM Tivoli Identity Manager Server recertification simplifies and automates the
process of periodically revalidating users, accounts and accesses.
The recertification process automates validating that users, accounts and accesses
are still required for a valid business purpose. The process sends recertification
notification and approval events to the participants that you specify.
58 Product overview
Reporting
IBM Tivoli Identity Manager reports reduce the time to prepare for audits and
provide a consolidated view of access rights and account provisioning activity for
all managed people and systems.
A report is a summary of IBM Tivoli Identity Manager activities and resources. You
can generate reports based on requests, user and accounts, services, or audit and
security.
Report data is staged through a data synchronization process, which gathers data
from the IBM Tivoli Identity Manager directory information store and prepares it
for the reporting engine. Data synchronization can be run on demand, or it can be
scheduled to occur regularly.
The following categories of reports are available:
Requests
Reports that provide workflow process data, such as account operations,
approvals, and rejections.
User and Accounts
Reports that provide user and accounts data, such as individual access and
accounts, pending recertifications, and suspended individuals.
Services
Reports that provide service data, such as reconciliation statistics, list of
services, and summary of accounts on a service.
Audit and Security
Reports that provide audit and security data, such as access control
information, audit events, and noncompliant accounts.
Static and dynamic roles
IBM Tivoli Identity Manager provides static and dynamic roles.
In static organizational roles, assigning a person to a static role is a manual
process.
In the case of a dynamic role, the scope of access can be to an organizational unit
only, or to the organizational unit and its subunits. Dynamic organizational roles
use valid LDAP filters to set a users membership in a specific role. For example, a
dynamic role might use an LDAP filter to provide access to specific resources to
users who are members of an auditing department named audit123. For example,
type:
(departmentnumber=audit123)
Dynamic organizational roles are evaluated at the following times:
v When a new user is created in the Tivoli Identity Manager system
v When a users information, such as title or department membership, changes
v When a new dynamic organizational role is created
Self-access management
IBM Tivoli Identity Manager allows users and administrators the ability to request
and manage access to resources such as shared folders, email groups, or
applications.
Product overview 59
Access differs from an account. While an account exists as an object on a managed
service, an access is an entitlement to use a resource, such as a shared folder, on
the managed service. The ability to access a resource is based on the attributes of
the group to which the user account belongs. The users access to a resource is
therefore dependent on the account and its group mapping. When an account is
suspended, their access becomes inactive; similarly, when an account is restored,
their access becomes active again. When an account is deleted, access to the
resource for that user is deleted. When a group is removed from the service, the
user access that maps to that group is also removed.
An administrator will typically configure the access to resources on a service
depending on the need for a particular user group. Users can request or delete
access, which allows them to manage their access to the resources they use without
the need to understand the underlying technology such as account attributes.
Provisioning features
IBM Tivoli Identity Manager provides support for provisioning, the process of
providing, deploying, and tracking a service or component in your enterprise.
When implemented as one of a suite of security products, Tivoli Identity Manager
plays a key role to ensure that resources are accessible only to authorized persons,
safeguarding the accuracy and completeness of information processing methods
and granting authorized users access to information and associated assets.
Overview
Tivoli Identity Manager provides an integrated software solution for managing the
provisioning of services, applications, and controls to employees, business partners,
suppliers, and others associated with your organization across platforms,
organizations, and geographies. You can use its provisioning features to control the
setup and maintenance of user access to system and account creation on a
managed resource. The two main types of information are person data and account
data. Person data represents the people whose accounts are being managed. Account
data represents the credentials of the persons and the managed resources to which
the persons have been granted access.
At its highest level, an identity management solution automates and centralizes the
process of provisioning resources, such as operating systems and applications, to
people in, or affiliated with, an organization. Organizational structure can be
altered to accommodate the provisioning policies and procedures. However, the
organization tree used for provisioning resources does not necessarily reflect the
managerial structure of an organization.
Administrators at all levels can use standardized procedures for managing user
credentials. Some levels of administration can be reduced or eliminated, depending
on the breadth of the provisioning management solution. Furthermore, you can
securely distribute administration capabilities, manually or automatically, among
various organizations. For example, a domain administrator can serve only the
people and resources in that domain. This user can perform administrative and
provisioning tasks, but is not authorized to perform configuration tasks, such as
creating workflows.
Tivoli Identity Manager supports distributed administration capabilities, which
include the secure distribution of provisioning tasks, whether manual or automatic,
among various organizations. When you distribute administrative tasks in your
60 Product overview
organization, you improve the accuracy and effectiveness of administration and
improve the balance of the organizations work load.
Tivoli Identity Manager addresses provisioning of enterprise services and
components in the following areas:
v Account access management
v Workflow and life cycle automation
v Provisioning policies
v Role-based access control
v Separation of duty capabilities
v Self-regulating user administration
v Customization
Account access management and the provisioning system
With an effective account access management solution, your organization can track
precisely who has access to what information across the organization. Access
control is a critical function of a centralized, single-point provisioning system.
Besides protecting sensitive information, access controls expose existing accounts
that have unapproved authorizations or are no longer necessary. Orphan accounts
are active accounts that cannot be associated with valid users. For orphan accounts
on a managed resource, the account owner cannot be automatically determined by
the provisioning system. To control orphan accounts, the provisioning system links
together account information with authoritative information about the users who
own the accounts. Authoritative user identity information is typically maintained
in the databases and directories of human resources.
Improperly configured accounts are active accounts that are associated with valid
users but have been granted improper authorization because the organization
permitted local administrators to add or modify users outside of Tivoli Identity
Manager. The ability to control improper accounts is much more difficult, and
requires a comparison of what should be with what is at the account authority
level. The existence of an account does not necessarily expose its capabilities.
Accounts in sophisticated IT systems include hundreds of parameters defining the
authorities, and these details can be controlled by your provisioning system.
New users can be readily identified using the data feed that you establish from the
human resources directory, and the access request approval capability initiates the
processes that approve (or reject) resource provisioning for them.
Workflow and life cycle automation
When a user becomes affiliated or employed with an organization, the life cycle of
the user begins. Your business policies and processes, whether manual or
semi-automated, provision the user with access to certain resources based on role
and responsibilities. Over time, when users role and functions change, your
business policies and processes can provision the resources that should be available
to the user. Eventually, the user becomes unaffiliated with the organization,
associated accounts are suspended and later deleted, and the users life cycle in the
organization is finished. You can use workflows to customize how accounts are
provisioned and to customize the life cycle management of users and accounts,
such as adding, removing, and modifying users and accounts. A complete
Product overview 61
provisioning workflow system automatically routes requests to the proper
approvers and preemptively escalates to alternate approvers if actions are not
taken on the requests.
You can define two types of workflows in Tivoli Identity Manager: entitlement
workflows that apply to provisioning activities, and operational workflows that
apply to entity types. An entitlement workflow defines the business logic that is tied
specifically to the provisioning actions of provisioning policies. A provisioning
policy entitlement ties provisioning actions to entitlement workflows. For example,
an entitlement workflow is used to define approvals for managing accounts. An
operational workflow defines the business logic for the life cycle processes for entity
types and entities. You can use workflow programming tools to automate key
aspects of the provisioning life cycle, specifically the approval processes that your
organization uses. A workflow object in the organization tree can contain one or
more participants and escalation participants. A participant is a signature authority
that approves or rejects a provisioning request.
Provisioning policies and auditing
An organizational role entity is assigned to one or more identities when you
implement role-based access control for the resources that are managed by Tivoli
Identity Manager. An organizational role is controlled by a provisioning policy,
which represents a set of organizational rules and supplies the logic that the Tivoli
Identity Manager Server uses to manage resources such as applications or
operating systems.
If a role is a member of another organizational role in a provisioning policy, then
that role member also inherits the permissions of provisioning policy.
A provisioning policy maps people in organizational roles to services that represent
corresponding resources in Tivoli Identity Manager, and sets the entitlements that
people have when accessing the services. The provisioning policies you implement
must reflect your organizational identity management policies in your security
plan. To implement effective provisioning policies, you must analyze and
document existing business approval processes in your organization, and
determine what adjustments should be made to those processes to implement an
automated identity management solution. A provisioning policy provides a key
part of the framework for the automation of identity life cycle management.
Tivoli Identity Manager provides APIs that interface to information about
provisioning policies defined in Tivoli Identity Manager, and interface to the access
granted to an individual task. These APIs can be used effectively to generate audit
data. When a provisioning policy is defined, the reconciliation function enables the
enforcement of the policy rules and keeps the participating systems (both the Tivoli
Identity Manager Server and the repositories of the managed resources) from
potentially becoming a single point of failure.
When two or more provisioning policies are applied, a join directive defines how to
handle attributes. Two or more policies might have overlapping scope, and the join
directive specifies what actions to take when this overlap occurs.
Provisioning policies can be mapped to a distinct portion or level of the
organizational hierarchy. For example, policies can be defined at a specific
organization unit affecting organization roles for that unit only. Service selection
policies extend the function of a provisioning policy by enabling the provisioning
of accounts based on person attributes. A service selection policy is enforced when
62 Product overview
it is defined as a target of a provisioning policy. Using a JavaScript script to
determine which service to use, the service selection policy defines provisioning
based on the instructions in the script. The logic in the JavaScript typically uses
person object attributes to determine which service to use, which is often the
persons location in the organization tree.
Role-based access control
Role-based access control (RBAC) uses roles and provisioning policies to evaluate,
test, and enforce your business processes and rules for granting access to users.
Key administrators create provisioning policies and assign users to roles and that
define sets of entitlements to resources for these roles. RBAC tasks establish
role-based access control to resources, which extends the identity management
solution to use software-based processes and reduce user manual interaction in the
provisioning process.
Role-based access control evaluates changes to user information to determine if the
changes alter the role membership for the user. If a change is needed, policies are
reviewed and changes to entitlements are put in place immediately. Similarly, a
change in the definition of the set of resources in a policy can also trigger a change
to associated entitlements. Role-based access control includes the following
features:
v Mandatory and optional entitlements, where optional entitlements are not
automatically provisioned but can be requested by a user in a group
v Prerequisite services, where specific services must be granted before certain
access rights are set
v Entitlement defaults and constraints, where each characteristic of an entitlement
can be set to a default value, or its range can be constrained, depending on the
capabilities of the entitlement to be granted
v A single account with multiple authorities governed by different policies
v Private, filtered views of information about users and available resources
v User authentication approaches that are consistent with internal security policies
v Distribution of provisioning system components securely over WAN and
Internet environments, including the crossing of firewalls
v User IDs that use consistent, user-defined algorithms
Self-regulating user administration
When your organization starts to provision resources across all internal
organizations, you have implemented the self-regulating user administration
capability and can realize the advantages and benefits of provisioning users across
organizational boundaries. In this environment, a change in a users status is
automatically reflected in access rights across organization boundaries and
geographies. You can reduce provisioning costs, streamline the access and approval
processes, and realize the full potential of implementing role-based access control
for end-to-end access management in your organization. You can reduce
administrative costs through automated procedures for governing user
provisioning, improve security by automating security policy enforcement, and
streamline and centralize user life cycle management and resource provisioning for
large user populations.
Product overview 63
Incremental provisioning and other customization options
Your team can use business plans and requirements to decide how much to
customize Tivoli Identity Manager. For example, a large enterprise might require a
phased roll-out plan for workflows and custom adapters that is based on a time
line for incrementally provisioning applications that are widely used across
geographies. Another customization plan might provide for two or more
applications to be provisioned across an entire organization, after successful
testing. User-application interaction can be customized, and procedures for
provisioning resources might be changed to accommodate automated provisioning.
You can deprovision to remove a service or component. For example, deprovisioning
an account means that the account is deleted from a resource.
Resource provisioning
Depending on business needs, IBM Tivoli Identity Manager provides the
alternatives to provision resources to authorized users on request-based, role-based,
or a hybrid models.
Request-based access to resources
On a request basis, IBM Tivoli Identity Manager provides a process to grant,
modify, and remove access to resources throughout a business, and to establish an
effective audit trail using automated reports.
In request-based provisioning, users and their managers search for and request
access to specific applications, privilege levels, or resources with a system. The
requests are validated by workflow-driven approvals and audited for reporting
and compliance purposes.
For example, users, or their managers, can request access to new accounts.
Additionally, managers or other administrators are alerted to unused accounts and
given the option to delete the accounts through a recertification process. These
periodic reviews of user access rights ensure that previously-approved access is
removed, if it is no longer needed.
Roles and access control
An organizational role supports different access control and access provisioning
models in a customer deployment.
An organizational role can map to IBM Tivoli Identity Manager access entitlements
in a provisioning policy so that specific Tivoli Identity Manager groups can be
authorized or automatically provisioned for users that are members of the role.
If a role is a member of another organizational role in a provisioning policy, then
that role member also inherits the permissions of provisioning policy.
Tivoli Identity Manager groups can be used to define views and access control for
different types of entities that are managed in Tivoli Identity Manager.
A hybrid provisioning model
The hybrid model of provisioning resources combines request and role-based
approaches, which are both supported by IBM Tivoli Identity Manager.
For a subset of employees or managed systems, a business might want to automate
access with role-based assignment, and also handle all other access requests or
exceptions through a request-based model. Some businesses might start with
64 Product overview
manual assignment, and evolve toward a hybrid model, with an intention of a
fully role-based deployment at a future time.
Other companies might find it impractical for business reasons to achieve complete
role-based provisioning, and target a hybrid approach as a desired goal. Still other
companies might be satisfied with only request-based provisioning, and not wish
to invest additional effort to define and manage role-based, automated
provisioning policies.
About this information
This information center describes how to install, configure, and administer IBM
IBM Tivoli Identity Manager.
Intended audience
This information center is designed for the system and security administrators in
an organization that uses IBM Tivoli Identity Manager.
Readers are expected to understand system and security administration concepts.
Additionally, the readers must understand administration concepts for the
following types of products:
v Database server
v Directory server
v Application server
v Messaging support
v Web server
Publications
Read the descriptions of the product library and the related publications to
determine which publications you might find helpful. After you determine the
publications you need, refer to the instructions for accessing publications online.
IBM Tivoli Identity Manager library
You can obtain the product documentation from the Tivoli Identity Manager
information center.
The information center is available at http://publib.boulder.ibm.com/infocenter/
tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm.
Administration information is presented in HTML. The following information is
provided in PDF files:
v IBM Tivoli Identity Manager Quick Start Guide
v IBM Tivoli Identity Manager Installation and Configuration Guide
v IBM Tivoli Identity Manager Message Reference
v IBM Tivoli Identity Manager Database and Schema Reference
v IBM Tivoli Identity Manager Performance Tuning Guide
v Adapter Installation and Configuration Guides for adapters that are supported
for use with this version of Tivoli Identity Manager
Related publications
You can obtain related publications from these IBM Web sites.
Product overview 65
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, IBM Redbooks, and announcement
letters. The Tivoli Software Library is available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
The publications for this product are available online in Portable Document Format
(PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli
software library.
The Tivoli software library is located at http://publib.boulder.ibm.com/tividd/td/
tdprodlist.html.
To locate product publications in the library, click the first letter of the product
name or scroll until you find the product name. Then, click the product name.
Product publications can include release notes, installation guides, users guides,
administrators guides, and developers references.
Note: To ensure proper printing of PDF publications, select the Fit to page check
box in the Adobe

Acrobat Print window (which is available when you click File

Print).
Ordering publications
You can order many Tivoli publications online or by telephone.
You can order publications from http://www.elink.ibmlink.ibm.com/public/
applications/publications/cgibin/pbi.cgi.
You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, see the Web site http://www.elink.ibmlink.ibm.com/public/
applications/publications/cgibin/pbi.cgi.
Tivoli technical training
For Tivoli software training information, refer to the IBM Tivoli Education Web
site.
The Web site address is http://www.ibm.com/software/tivoli/education/.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides several ways for you to obtain the support you need.
About this task
Online
Go to the IBM Software Support site at http://www.ibm.com/software/
support/probsub.html and follow the instructions.
66 Product overview
IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The ISA provides quick access to support-related
information and serviceability tools for problem determination. To install
the ISA software, go to http://www.ibm.com/software/support/isa, log in
and follow the instructions for downloading the IBM Support Assistant
that is appropriate for your operating system. After you have downloaded
and installed the IBM Support Assistant, locate the plug-in that is specific
to IBM Tivoli Identity Manager 5.0.
Conventions used in this information
This information uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This information uses these typeface conventions.
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip, and Operating system considerations:)
v Keywords and parameters in text
italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Definitions for HOME and other directory variables
The following table contains default definitions that are used in this information to
represent the HOME directory level for various product installation paths.
You can customize the HOME directory for your specific implementation. If this is
the case, you need to make the appropriate substitution for the definition of each
variable represented in this table.
The default value of path varies for these operating systems:
v For Windows systems, drive:\Program Files is the default path.
v For Linux, Solaris, and HP-UX (UNIX) systems, /opt is the default path.
v For AIX systems, /usr is the default path.
Product overview 67
Table 13. HOME and other directory variables
Path variable Default definition Description
DB_HOME
Windows
path\IBM\SQLLIB
Linux, AIX, HP-UX, and
Solaris path/ibm/db2/V9.1
The directory that
contains the DB2
database for IBM
Tivoli Identity
Manager.
DB_INSTANCE_HOME
Windows
drive\IBM\SQLLIB
Linux, AIX, and HP-UX
/home/dbinstancename
Solaris /export/home/
dbinstancename
The directory that
contains the DB2
database instance
for IBM Tivoli
Identity Manager.
ITIM_HOME
Windows
path\IBM\itim
Linux, AIX, HP-UX, and
Solaris path/IBM/itim
The base directory
that contains the
IBM Tivoli Identity
Manager code,
configuration, and
documentation.
ITIM_UNINSTALL_HOME
Windows
path\IBM\itim\
itimUninstallerData
Linux, AIX, HP-UX, and
Solaris path/IBM/itim/
itimUninstallerData
The directory that
contains the IBM
Tivoli Identity
Manager
uninstallation
program
information.
WAS_HOME
Windows
path\IBM\WebSphere\
AppServer
Linux, AIX, HP-UX, and
Solaris path/IBM/WebSphere/
AppServer
The WebSphere
Application Server
home directory
ITDS_HOME
Windows
path\IBM\LDAP\V6.x
Linux, AIX, HP-UX, and
Solaris path/ibm/ldap/V6.x
The directory that
contains the
directory server
code.
The version
number in the
path is 6.0 or 6.1
depending on the
version of the IBM
Tivoli Directory
Server you are
using.
68 Product overview
Table 13. HOME and other directory variables (continued)
Path variable Default definition Description
ITDS_INSTANCE_HOME
Windows
drive\
ibmslapd-
instance_owner_name
Linux, AIX, and HP-UX
/home/
instance_owner_name/
idsslapd-
instance_owner_name
Solaris /export/home/
instance_owner_name/
idsslapd-
instance_owner_name
An example of
instance_owner_name is ldapdb2,
which is used by the IBM Tivoli
Identity Manager installation
program.
The directory that
contains the Tivoli
Directory Server
instance.
ITDI_HOME
Windows
path\TDI\V6.1.1
Linux, AIX, HP-UX, and
Solaris path/IBM/TDI/V6.1.1
The directory that
contains the Tivoli
Directory
Integrator Server
code.
TIVOLI_COMMON_DIRECTORY
Windows
path\IBM\tivoli\
common
Linux, AIX, HP-UX, and
Solaris path/IBM/tivoli/
common
The central
location for all
serviceability-
related files, such
as logs and
first-failure capture
data.
Note: If you
installed another
Tivoli product on
this system before
you installed IBM
Tivoli Identity
Manager, your
Tivoli Common
directory will be in
the following
directory:
Windows:
path\ibm\tivoli\
common\cfg\
log.properties
Other systems:
/etc/ibm/tivoli/
common/cfg/
log.properties
Product overview 69
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the users responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing 2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
70 Product overview
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBMs future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
Trademarks
The following terms are trademarks of International Business Machines
Corporation in the United States, other countries, or both:
AIX
DB2
developerWorks
Domino
IBM
Lotus
Lotus Notes
Passport Advantage
RACF
Redbooks
SP
Product overview 71
System p
System z
Tivoli
WebSphere
Adobe, Acrobat, and Portable Document Format (PDF) are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
Intel is a trademark of Intel Corporation in the United States, other countries, or
both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, or service names may be trademarks or service marks of
others.
Accessibility
Accessibility features help a user who has a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You also can
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
IBM strives to provide products with usable access for everyone, regardless of age
or ability. This product uses standard Microsoft Windows navigation keys.
For additional information, see the Accessibility features for IBM Tivoli Identity
Manager topic in the information center.
72 Product overview
Index
A
access 44
access control 52
accessibility 72
accounts 44
active, inactive 44
created on account types 44
adapters 47, 48
adoption policies 54
API 12, 13
approval workflow process 3
audit trail tracking 3
authorization 52
C
compliance
separation of duty 10
compliance, corporate
features 3
corporate compliance
features overview 3
E
entitlement workflow 56
F
features 9
fix packs 21
forgotten password information 45
forms 52
G
group management 11
groups 50
I
identity 43
identity governance 8
identity policies 54
installation images 21
L
login
initial user ID and password 1
login (continued)
URL 1
N
new 9
O
operation workflow 56
organization
overview 53
entity types 53
overview
organization 53
entity types 53
self-access management 60
P
password
forgotten 45
password policies 54
password policy and compliance 3
password synchronization 45
passwords
strength rules 44, 45
synchronization 45
people 43
planning
groups 50
policies
adoption 54
identity 54
password 54
provisioning 54
recertification 54
separation of duty 10, 54
service selection 54
policy enforcement 3
provisioning
overview 60
provisioning policies 54
provisioning policy 3
R
recertification 11
recertification policies 54
recertification policy 3
reports 12
requirements
browser 19
database server 16
directory integrator 18
directory server 17
hardware 14, 15
Java Runtime Environment 15
JRE 15
report server 19
software 14, 15
supported adapter levels 20
Tivoli Reporting Server 19
web application server 16
roles
classification 9
hierarchies 9
owners 9
relationships 9
S
separation of duty 10
separation of duty policies 54
service definition file 46
service selection policies 54
service types 46
services 46, 47
T
Tivoli Common Reporting 12
Tivoli Reporting Server
requirements 19
U
user recertification 11
users 43
V
views
default 52
W
workflow extensions 13
workflows
entitlement 56
operation 56
73