Redpaper
Ivy Chiu
Axel Buecker
Utilizing Group Sharing Account User
Management using the IBM Tivoli Identity
Manager Adapter for Tivoli Access
Manager for Enterprise Single Sign-On
Introduction
In the 5.1 release of the IBM® Tivoli® Identity Manager Adapter for Tivoli Access Manager for
Enterprise Single Sign-On, a group sharing account management feature has been
introduced. It allows multiple users who have a Wallet to use the credentials of a shared
application account without owning that account. Each shared account has exactly one
owner, who is responsible for resetting its password when required. This can reduce the
number of accounts needed on a particular target system, and shared account users never
need to know the password of the shared account.
This version of the adapter integrates Tivoli Identity Manager 5.1 and Tivoli Access Manager
Enterprise Single Sign-On 8.1. It utilizes the IBM Tivoli Directory Integrator functionality to
facilitate communication between Tivoli Identity Manager and the Tivoli Access Manager
Enterprise Single Sign-On IMS™ Server to provide user management functionality such as
create, delete, and change password operations for Tivoli Access Manager for Enterprise
Single Sign-On users. It also leverages the workflow extension capabilities of Tivoli Identity
Manager to provide application credentials management. This includes create, delete, and
change passwords for application credentials in the user's Wallet.
Important: The group sharing account user management differs from privileged identity
management in that it does not provide individual accountability. If you have to address
this individual accountability, you can learn more about the IBM Privileged Identity
Management offering in the IBM Redpaper™ publication Centrally Managing and Auditing
Privileged User Identities by Using the IBM Integration Services for Privileged Identity
Management, REDP-4660.
© Copyright IBM Corp. 2010. All rights reserved.
ibm.com/redbooks
This Redpaper publication focuses on the group sharing account management in the
following sections:
򐂰 “Architecture overview” on page 2
򐂰 “Group sharing account management” on page 3
򐂰 “Group sharing account deployment” on page 5
򐂰 “Scenarios” on page 12
Architecture overview
The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On
implementation is based on the Tivoli Directory Integrator framework for Tivoli Identity
Manager Adapters. It consists of Tivoli Directory Integrator AssemblyLines. When an initial
request is made by Tivoli Identity Manager to the adapter, the AssemblyLines are loaded into
the Tivoli Directory Integrator server. As a result, subsequent service requests do not require
those same AssemblyLines to be reloaded. The AssemblyLines utilize the Tivoli Directory
Integrator components to undertake user management-related tasks on the IMS Server. It
does this remotely by using SOAP over SSL as the trusted IMS Bridge agent. Figure 1
depicts the architecture flow.
Figure 1 Architecture overview
This integration also provides a set of Tivoli Identity Manager workflow extensions that
enhance the integration between Tivoli Identity Manager and IMS Server. This allows the
management of the Tivoli Access Manager for Enterprise Single Sign-On user’s account
credentials for specific application services to achieve single sign-on via Tivoli Identity
Manager user provisioning.
In this release of the adapter, the following workflow extensions are designed to support the
management of application credentials in a user’s Wallet, covering the add, delete, and
change password operations:
򐂰 createAccountWithTAMESSO
Enables provisioning of an application account credential into the user's Wallet.
򐂰 createITIMAccountWithTAMESSO
Enables provisioning of a Tivoli Identity Manager account credential into the user's Wallet.
򐂰 changePasswordWithTAMESSO
Enables changing the password of an application account credential in the user's Wallet.
򐂰 deleteAccountWithTAMESSO
Enables de-provisioning of an application account credential from the user's Wallet.
The workflow extensions that are specifically required for configuring group sharing account
management are:
򐂰 changeSharedAccountPasswordWithTAMESSO
This enables password propagation for a group sharing account to the Wallets of
shared users.
򐂰 isSharedRole
This determines shared role membership for new shared account users.
Group sharing account management
The group sharing account management uses Tivoli Identity Manager roles to determine who
possesses a particular shared account, while at the same time leveraging the existing Tivoli
Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to provide
provisioning capabilities to the shared account users’ Wallets. Figure 2 shows the general
flow of the process between the Tivoli Identity Manager server, the IMS Server, and the
Access Agent during the provisioning of a group sharing account.
Figure 2 General process flow between Tivoli Identity Manager server, IMS Server, and Access Agent
Tivoli Identity Manager, the IMS Server, and Access Agent communicate as follows:
1. A Tivoli Identity Manager user is added to a Tivoli Identity Manager role to get access to a
shared account.
2. The shared account owner is notified by email to reset the password for this shared
account.
3. The shared account owner changes the password for the shared account. The Tivoli
Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On
populates and updates the password for the shared account in the Wallets of those users
who are members of this Tivoli Identity Manager role.
4. Access Agent synchronizes and downloads the Wallet from the IMS Server.
5. The user's local Wallet now contains the latest shared account user ID and password. The
user can access the application with these credentials.
Supported deployment
Group sharing accounts have the following unique features that should be taken into
consideration before deploying the group sharing account management into your own
environment:
򐂰 Individual accountability is not required for the group sharing account.
򐂰 Users of the group shared account are not required to know the account password.
The following example scenarios show the distinction between a typical supported
deployment and an unsupported one.
Supported customer deployment
The help desk team requires a generic email account that all team members can use to
respond to support requests. All team members need access to this email account, but there
is no need for audit records about individuals using the account at particular times and what
they are doing with it.
The email account can be shared between multiple users at the same time via separate
desktop clients. The help desk team members do not need to know the password of the
account and they cannot change it.
The help desk manager is the only person who can change the password of the shared
account. He approves access to the shared account for individual team members.
This scenario is a prime example of when the Tivoli Identity Manager Adapter for Tivoli
Access Manager for Enterprise Single Sign-On group sharing account management can
be used.
Unsupported customer deployment
The UNIX® administrator team needs a shared account for the administration of UNIX
systems. All team members need access to UNIX systems, and they need to be able to
change the password for the shared account. Also, there is a requirement to ensure that audit
records are created of when an account is used and what has been done with this account at
a specific time.
The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On
group sharing account management is not suitable for this scenario: individual team
members cannot change the password of the shared account, and no individual audit records
can be generated for each team member using it. All activities on the target system are
logged against the shared account user name.
Group sharing account deployment
The following sections outline all deployment considerations:
򐂰 “Prerequisite information” on page 5
򐂰 “Configure the group sharing account mapping” on page 6
򐂰 “Configure an application service” on page 6
򐂰 “Configure the isSharedRole workflow extension” on page 7
򐂰 “Configure the changeSharedAccountPasswordWithTAMESSO workflow extension” on
page 10
Prerequisite information
To configure the group sharing account management, see the following sections for the
actions that need to be completed.
The name of the application service
To use the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single
Sign-On to manage the application credential inside a Wallet, the service name of this
application is required, which can be found under Manage Services on the Tivoli Identity
Manager administrative console.
The name of the account to be shared
This account is the application credential to be managed in the Wallet. It can be found under
Manage Services → Accounts on the Tivoli Identity Manager administrative console.
Watch out: This account type cannot be a Tivoli Access Manager for Enterprise Single
Sign-On account.
The name of the owner of this account
The owner of the account is a Tivoli Identity Manager user who has this application credential
listed under her name on the Tivoli Identity Manager administrative console.
The email address of the shared account owner
The email address of the owner can be found under Manage Users → Change User →
Contact Information on the Tivoli Identity Manager administrative console.
The name of a Tivoli Identity Manager role that controls the access to
this shared account
Create a Tivoli Identity Manager role from Manage Roles → Create Role, define the role
name, and assign the owner of this account to be the owner of this role.
Watch out: Only one role owner is allowed.
The Tivoli Access Manager for Enterprise Single Sign-On authentication
service ID
The authentication service ID can be found by using AccessStudio. Import data from IMS by
clicking File → Import data from IMS. After the import is complete, select View →
Authentication Services to view the list of services.
Configure the group sharing account mapping
To share the access of an account of a specific service between users, and to have this
account provisioned into a user's Wallet, it is necessary to map the account, the application
service, and the role that controls the access to this account to a specific Tivoli Access
Manager for Enterprise Single Sign-On service. This is done by configuring the group sharing
accounts mapping under the service form of a Tivoli Access Manager for Enterprise Single
Sign-On service (Figure 3).
Figure 3 Group sharing account mapping
The adapter’s schema and service form have been changed to allow the details of the group
sharing accounts mapping to be configured in the service form:
<ServiceName> | <Account Name> | <Role Name>
This mapping entry defines a group sharing account for a specific Tivoli Identity Manager
service and a Tivoli Identity Manager role associated with this group sharing account. Use the
pipe character (|) for separating values (TAM Service|SSO_account|Role_Name, for
example). This is a multi-valued attribute.
Configure an application service
It is necessary to define the service prerequisite and the TAM E-SSO Authentication Service
ID for the application service being managed.
The service prerequisite is used to map the relationship between a Tivoli Access Manager for
Enterprise Single Sign-On service and its managed application service. As a prerequisite, all
application services in Tivoli Identity Manager can only be provisioned after Tivoli Access
Manager for Enterprise Single Sign-On user accounts are provisioned in the IMS Server.
Otherwise, sign-on automation does not work.
The TAM E-SSO Authentication Service ID is required for the adapter to map the application
account to the correct application service on IMS. As a prerequisite, all application services in
Tivoli Identity Manager are required to have a TAM E-SSO Authentication Service ID defined
in its service form. Otherwise, sign-on automation does not work.
Figure 4 illustrates that TAM E-SSO 81 is the prerequisite service for the ITIM Service, and
that the ITIM Service has a TAM E-SSO Authentication Service ID of dir_itim.
Figure 4 TAM E-SSO Authentication Service ID
Configure the isSharedRole workflow extension
To configure the workflow for the isSharedRole, define the workflow extension for the modify
operation for person.
There are two important nodes that need to be inserted into this workflow, which are the
isSharedRole node and the Email node. The isSharedRole node is a conditional branch,
whereas the Email node is an action. The outcome of the isSharedRole condition determines
whether an email is sent.
The isSharedRole workflow extension needs to be inserted between the Start and the
ModifyPerson node. Whenever a Tivoli Identity Manager role is assigned to or removed from
a person, this extension checks whether the role is defined under the group sharing accounts
mapping in the Tivoli Access Manager for Enterprise Single Sign-On service form. It has two
data outputs:
򐂰 The string attribute sendEmail returns true or false
򐂰 The entity attribute Recipient returns the owner of the sharedRole.
isSharedRole takes different actions depending on the outcome of the validation, as
described below:
򐂰 If this Tivoli Identity Manager role does not match any of the roles that are defined under
the group sharing account mapping, then no action is taken.
򐂰 If this Tivoli Identity Manager role is matched and it is being assigned to a user, then an
email is sent to Recipient, who is the owner of this sharedAccount (that is, the owner of the
Tivoli Identity Manager role).
򐂰 If this Tivoli Identity Manager role is matched and it is being removed from a user, then an
email is sent to Recipient, the owner of this sharedAccount, and at the same time it
triggers the adapter to remove the sharedAccount from this user's Wallet.
To be able to notify the sharedAccount owner to take action, an Email node must be inserted
between the ISSHAREDROLE and MODIFY PERSON workflow node. Again, this Email node
takes different actions depending on the outcome of the isSharedRole validation:
򐂰 If this Tivoli Identity Manager role does not match any of the roles defined under the group
sharing account mapping, then no email is sent.
򐂰 If this Tivoli Identity Manager role is matched, then an email is sent to Recipient to notify
that a password change is required.
To configure the workflow for isSharedRole, complete the following steps:
1. Log on to Tivoli Identity Manager:
a. Select Configure System → Manage Operations.
b. For the operation level, select Entity type level.
c. Select Person as the entity type (Figure 5).
Figure 5 Entity type level → Person → modify
2. Click the modify operation to make the next changes. The operation diagram in Figure 6
illustrates the completed workflow after the changes have been made.
Figure 6 Operational workflow - modify
3. Remove the transition from Start to MODIFYPERSON.
4. Add a new extension between the Start node and the MODIFYPERSON node (Figure 7).
Figure 7 Add a new extension
5. Double-click the new Extension node. A pop-up window (Figure 8) displays all the
extensions registered using workflowextensions.xml.
Figure 8 Define the isSharedRole extension
6. Select isSharedRole for the extension name and type ISSHAREDROLE in the Activity ID
field.
7. Set the split type to be OR.
8. Click Ok to close the Properties window.
9. Attach the transitions to the newly added extension.
10.Click Properties.
11.Click Add next to Relevant Data.
12.Create a new sendEmail relevant data entry. Enter sendEmail in the ID field. Ensure that
the type is String and the default value is false. Click Ok to finish.
13.Create a new recipient Relevant Data entry. Enter recipient in the ID field. Ensure that
the type is Person and the entity is Person. Click Ok to finish.
14.Click Ok to close the Properties window.
15.Add a new mail node between ISSHAREDROLE and MODIFYPERSON (Figure 9).
Figure 9 Java™ script for the mail node
16.Double-click the new Mail node. A pop-up window displays the properties of the
mail node.
17.In the Activity ID field, type emailAccountOwner and select Custom from the Recipient
drop-down menu. Click the ellipsis button (…) to add a new script with the following
JavaScript:
// recipient is the Person relevant data that ISSHAREDROLE set to the role owner
var recipientObj = recipient.get();
var recipientDN = recipientObj.dn;
// Deliver the notification to that user as a workflow participant
return new Participant(ParticipantType.USER, recipientDN);
18.Click Ok to close the Custom Participant dialog, then click Ok to close the Mail Properties
dialog.
19.Add the following script to the transition line between ISSHAREDROLE and
emailAccountOwner:
(sendEmail.get()=="true");
20.Add the following script to the transition line between ISSHAREDROLE and
MODIFYPERSON:
(sendEmail.get()!="true");
21.Click the MODIFYPERSON node, and set the join type to OR. Click Ok to finish.
22.Click Update and then click Ok at the bottom of the dialog.
23.Click Close to close the Operations window.
Configure the changeSharedAccountPasswordWithTAMESSO workflow
extension
To configure the workflow for changeSharedAccountPasswordWithTAMESSO, redefine the
workflow extension for the changePassword operation for account.
Update the changePassword node between the start and end nodes.
changeSharedAccountPasswordWithTAMESSO is a simple wrapper of the existing
changePassword extension.
Watch out: The shared account type cannot be a Tivoli Access Manager for Enterprise
Single Sign-On account.
First, the extension performs the same account validation as the existing changePassword
extension it wraps (the shared account itself is an application account, never a Tivoli Access
Manager for Enterprise Single Sign-On account). The extension then tries to match this
account against the accounts defined under the group sharing account mapping in the Tivoli
Access Manager for Enterprise Single Sign-On service form. If the account is not a shared
account, only the normal password change extension executes. If the account is a shared
account, the extension looks up the Tivoli Access Manager for Enterprise Single Sign-On
accounts of all users who are members of the role that controls access to the shared
account, and sends a request to the adapter to update the password of the shared account
in these users’ Wallets.
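To make the decisions described in the process flow and in the two extensions concrete, the following JavaScript is an added example written for this paper; it is not the adapter's or Tivoli Identity Manager's code. It models the group sharing account mapping from the service form, the isSharedRole decision for a role added to or removed from a person, and the set of Wallets that changeSharedAccountPasswordWithTAMESSO updates. The roles, members, and Tivoli Access Manager for Enterprise Single Sign-On user IDs are constructed for illustration, and the rule that a role member without a Tivoli Access Manager for Enterprise Single Sign-On account is skipped is a modelling assumption.

```javascript
'use strict';

// Added example, not the adapter's code: an in-memory model of the group
// sharing account mapping and of the decisions the isSharedRole and
// changeSharedAccountPasswordWithTAMESSO extensions make from it.
// The directory below (roles, members, Wallet owners) is constructed for
// illustration; the real extensions read these from Tivoli Identity Manager.

// The multi-valued attribute on the TAM E-SSO service form holds entries of
// the form "<ServiceName> | <Account Name> | <Role Name>".
function parseSharedAccountMapping(values) {
  const entries = [];
  for (const raw of values) {
    const parts = raw.split('|').map((p) => p.trim());
    if (parts.length !== 3 || parts.some((p) => p === '')) {
      throw new Error(`malformed mapping entry: "${raw}"`);
    }
    const [service, account, role] = parts;
    entries.push({ service, account, role });
  }
  return entries;
}

// isSharedRole: run on the person modify operation when a role is assigned to
// or removed from a person. Returns the two relevant data values the
// extension sets: sendEmail (a string, as in the workflow) and recipient.
function isSharedRole(mapping, roles, changedRoleName) {
  const match = mapping.find((m) => m.role === changedRoleName);
  if (!match) {
    return { sendEmail: 'false', recipient: null }; // not a shared role: no action
  }
  const role = roles[changedRoleName];
  // Only one role owner is allowed; the owner is the shared account owner.
  if (!role || role.owners.length !== 1) {
    throw new Error(`role ${changedRoleName} must have exactly one owner`);
  }
  return { sendEmail: 'true', recipient: role.owners[0] };
}

// changeSharedAccountPasswordWithTAMESSO: run on the account changePassword
// operation. Returns the TAM E-SSO user IDs whose Wallets receive the new
// password; an empty list means only the normal changePassword extension runs.
function walletsToUpdate(mapping, roles, essoAccounts, service, account) {
  const match = mapping.find((m) => m.service === service && m.account === account);
  if (!match) return [];
  const members = roles[match.role] ? roles[match.role].members : [];
  // Modelling assumption: a member without a TAM E-SSO account has no
  // Wallet to update and is skipped.
  return members.filter((p) => p in essoAccounts).map((p) => essoAccounts[p]);
}

// Constructed data mirroring the help desk scenario in this paper.
const mappingValues = ['TAM Service|helpDesk_A|HelpDeskRole_A'];
const roles = {
  HelpDeskRole_A: { owners: ['Alice'], members: ['Alice', 'Bob', 'Cathy', 'Eve'] },
  UnixAdmins: { owners: ['Dan'], members: ['Dan'] },
};
const essoAccounts = { Alice: 'alice', Bob: 'bob', Cathy: 'cathy' }; // Eve has none

const mapping = parseSharedAccountMapping(mappingValues);
console.log(isSharedRole(mapping, roles, 'HelpDeskRole_A'));
console.log(isSharedRole(mapping, roles, 'UnixAdmins'));
console.log(walletsToUpdate(mapping, roles, essoAccounts, 'TAM Service', 'helpDesk_A'));
console.log(walletsToUpdate(mapping, roles, essoAccounts, 'TAM Service', 'other'));
```

The mapping parser rejects an entry with a missing field rather than silently ignoring it, because a half-configured entry would leave a role either unnotified or unpropagated; UnixAdmins shows the no-match branch in which isSharedRole takes no action.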
To configure the workflow for changeSharedAccountPasswordWithTAMESSO, complete
these steps:
1. Log on to Tivoli Identity Manager, then:
a. Select Configure System → Manage Operations.
b. For the operation level, select Entity level.
Watch out: If all account types are to be integrated with the Tivoli Access
Manager for Enterprise Single Sign-On service, select Entity type level as the
operation level.
c. Select Account as the entity type.
d. Select the type of account to be integrated with the Tivoli Access Manager for
Enterprise Single Sign-On service (Figure 10).
Watch out: If the Tivoli Identity Manager account is to be integrated with the Tivoli
Access Manager for Enterprise Single Sign-On service, select Identity Manager
User as the entity type.
Figure 10 Entity type level → Account → changePassword
2. Click Add to create a changePassword operation if one does not already exist. The
operation diagram displays. Make the changes shown in Figure 11.
Figure 11 Operational workflow - changePassword
3. Double-click the CHANGEPASSWORD node. A pop-up window (Figure 12) displays all
the extensions registered using workflowextensions.xml.
4. Select changeSharedAccountPasswordWithTAMESSO for the extension name.
5. Click Ok to close the property window.
6. Click Update and then click Ok at the bottom of the dialog.
7. Click Close to close the Operations window.
Figure 12 Define the changeSharedAccountPasswordWithTAMESSO extension
Scenarios
In this section we focus on a help desk related deployment scenario.
Assumptions
The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On
is installed and the following workflows are configured as described in the adapter's
installation guide:
򐂰 createAccountWithTAMESSO
This enables provisioning of the application account credential into the user's Wallet.
򐂰 deleteAccountWithTAMESSO
This enables de-provisioning of the application account credential from the user's Wallet.
򐂰 changeSharedAccountPasswordWithTAMESSO
This enables password propagation for the group sharing account to shared users’
Wallets.
򐂰 isSharedRole
This determines shared role membership for new shared account users.
Supported scenarios
Below is our list of example scenarios that illustrate the capabilities of group sharing
account management:
򐂰 Granting access to a group sharing account
򐂰 Removing access from a group sharing account
򐂰 Changing the owner of a group sharing account
򐂰 Creating a new group sharing account
򐂰 Deleting an existing group sharing account
򐂰 Assigning multiple users to a group sharing account
򐂰 Assigning a user to a number of group sharing accounts
Watch out: If you are using this guide to assist in deployment and configuration, note
the order in which the steps are executed in each scenario.
Background information
Company A deployed the latest Tivoli Identity Manager Adapter for Tivoli Access Manager for
Enterprise Single Sign-On and is ready to use the group sharing account management for its
help desk team. People on the help desk team will be sharing access to a Tivoli Access
Manager account called helpDesk_A. The owner of this account will be the help desk team
lead, Alice, who is responsible for the password reset.
To be able to have access to a group sharing account, all users are required to have a Tivoli
Access Manager for Enterprise Single Sign-On account.
The Tivoli Identity Manager administrator must create the Tivoli Identity Manager role
HelpDeskRole_A to control access to the helpDesk_A account. A role owner must be
assigned to this role to receive email notifications when role membership changes.
Only one role owner is permitted for the group sharing account management configuration.
The role owner must be the same person who owns the group sharing account. As identified
above, Alice is assigned as the owner of this role.
Whenever there is a request for a person to access the shared account, this person needs
to be added to the HelpDeskRole_A role. This triggers an email to be sent to the role
owner, Alice.
Alice receives an email requesting that the helpDesk_A account password be changed. Alice
resets the password for this account.
The change password operation triggers the adapter to provision the account with the new
password to the new role member's Wallet. At the same time, it updates the password for
helpDesk_A in all existing role members’ Wallets. Until the password change is completed,
the new user is not able to use the shared account.
The group sharing account is visible only under the owner's account list. For all other
members sharing this account, there is no such account displayed in their account list in Tivoli
Identity Manager.
The following steps are performed to set up the group sharing account for the help
desk team:
1. The Tivoli Identity Manager administrator verifies that Alice has a TAM E-SSO Service A
account and that she has an email address (Figure 13 and Figure 14).
Figure 13 Alice is a Tivoli Identity Manager user
Figure 14 Alice has a Tivoli Access Manager for Enterprise Single Sign-On account
2. The Tivoli Identity Manager administrator creates the group sharing account helpDesk_A
for the TAM Service in Tivoli Identity Manager and assigns Alice as the owner (Figure 15
and Figure 16 on page 15).
Figure 15 New group sharing account helpDesk_A
Figure 16 Alice is the owner of the helpDesk_A account
3. The Tivoli Identity Manager administrator creates a Tivoli Identity Manager role called
HelpDeskRole_A to control access to the helpDesk_A shared account and assigns Alice
to be the owner of this role. Alice also needs to be added as a member of this role
(Figure 17, Figure 18, and Figure 19 on page 16).
Figure 17 Creating the HelpDeskRole_A role - the owner is Alice
Figure 18 Adding Alice as a member of the HelpDeskRole_A role
Figure 19 HelpDeskRole_A is created
4. The Tivoli Identity Manager administrator configures the email notification in the modify
operation workflow for the person entity type to send an email to the role owner
(Figure 20).
Figure 20 Email notification to role owner
5. The Tivoli Identity Manager administrator configures the TAM Service to have TAM
E-SSO service A as a prerequisite service. At the same time, the TAM E-SSO
Authentication Service ID needs to be defined (Figure 21).
Figure 21 Service setup for TAM Service
6. The Tivoli Identity Manager administrator configures the TAM E-SSO service A to define
the group sharing account mapping as follows: TAM Service|helpDesk_A|HelpDeskRole_A
(Figure 22).
Figure 22 Define the group sharing account mapping
Granting access to a group sharing account
Cathy joins Company A as a new member of the help desk team. As part of the new
employee process, a Tivoli Identity Manager administrator creates the following accounts
for Cathy:
򐂰 A Tivoli Identity Manager account
򐂰 A Tivoli Access Manager for Enterprise Single Sign-On account
Cathy's job responsibilities require that she has access to the group sharing account
helpDesk_A. The Tivoli Identity Manager administrator knows that the access to this group
sharing account is controlled by the Tivoli Identity Manager HelpDeskRole_A role. The Tivoli
Identity Manager administrator completes the following steps to grant Cathy access to the
helpDesk_A account:
1. The Tivoli Identity Manager administrator assigns Cathy to be a member of the
HelpDeskRole_A role (Figure 23 and Figure 24).
Figure 23 Add user members to HelpDeskRole_A
Figure 24 Cathy’s personal information
By adding Cathy to the HelpDeskRole_A role, the system triggers an email to be sent to
Alice. This email requests that Alice change the password for the helpDesk_A group
sharing account.
2. Alice changes the password of the helpDesk_A group sharing account using the Tivoli
Identity Manager administrative console (Figure 25).
Figure 25 Alice changes helpDesk_A account password
The password change on the helpDesk_A group sharing account triggers the Tivoli Identity
Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to provision the
helpDesk_A account into Cathy's Wallet. Because Alice and Bob (an existing help desk team
member) are also members of the HelpDeskRole_A role, the adapter updates the password in
both Alice's and Bob's Wallets at the same time. Cathy cannot use the shared account until
the password change is completed.
Figure 26 illustrates that the helpDesk_A account has been provisioned into Cathy's Wallet.
Figure 26 Cathy’s Wallet
Although the helpDesk_A account has been provisioned to Cathy's Wallet, it does not appear
in the list of accounts when displaying her account list in Tivoli Identity Manager. This is due
to the fact that Cathy is never the owner of the account (Figure 27).
Figure 27 Cathy’s Identity Manager account list
The account only appears under that account owner’s account list. In this case, the group
sharing account is displayed under Alice's account list in Tivoli Identity Manager (Figure 28).
Figure 28 Alice’s Identity Manager account list
Removing access from a group sharing account
Bob has decided to move from the help desk team to another team within Company A. While
Bob was a member of the help desk team he was assigned access to the helpDesk_A group
sharing account. This was done by assigning Bob to be a member of the HelpDeskRole_A
role. As part of the employee transfer process, a Tivoli Identity Manager administrator needs
to execute the following steps:
1. The Tivoli Identity Manager Administrator removes Bob from the HelpDeskRole_A role
(Figure 29).
Figure 29 Removing Bob from role membership
This action triggers an email to be sent to Alice, who is the owner of both the helpDesk_A
account and the HelpDeskRole_A role. The email requests that Alice change the
password for the helpDesk_A shared account.
The removal of Bob from HelpDeskRole_A also causes the Tivoli Identity Manager
Adapter for Tivoli Access Manager for Enterprise Single Sign-On to remove the
helpDesk_A account from Bob's Wallet (Figure 30).
Figure 30 Bob’s Wallet
2. Alice changes the password of the helpDesk_A group sharing account via the Tivoli
Identity Manager administrative console (Figure 31).
Figure 31 Alice changes the helpDesk_A account password
This step is a precaution that should not be skipped: Bob's local Wallet may still hold a
usable copy of the helpDesk_A credential until his AccessAgent synchronizes with the IMS
Server, and changing the password makes that cached copy useless. The change password
operation on the helpDesk_A account causes the adapter to update the passwords in the
Wallets of all existing role members, including both Alice and Cathy.
Watch out: If the password change is not completed, there is a chance that Bob might
still have access to the helpDesk_A credential within his local Wallet. After the local
AccessAgent synchronizes the Wallet with the IMS Server, Bob no longer has access
to the helpDesk_A account. Complete a password change every time that the owner of
a group sharing account receives an email requesting it to be done.
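To see why the password change after a removal matters, the following JavaScript is an added example (not the product's code) that models the Wallet state through the granting and removal scenarios: the adapter changes the Wallet copies on the IMS Server at once, while each user's local Wallet changes only when AccessAgent synchronizes. The names, the starting passwords, and the sign-on check are constructed for illustration.

```javascript
'use strict';

// Added example, not the product's code: a model of the Wallet state during
// the granting and removal scenarios. The adapter updates the Wallet copies
// held on the IMS Server immediately; the local Wallet on a workstation
// changes only when AccessAgent synchronizes. Names and passwords are
// constructed for illustration.

function initialState() {
  return {
    password: 'pw-1',                               // current helpDesk_A password
    members: new Set(['Alice', 'Bob']),             // HelpDeskRole_A members
    imsWallets: { Alice: 'pw-1', Bob: 'pw-1' },     // server-side Wallet copies
    localWallets: { Alice: 'pw-1', Bob: 'pw-1' },   // copies cached on workstations
  };
}

// Adding a member notifies the owner but provisions nothing into any Wallet yet.
function addMember(state, user) {
  state.members.add(user);
}

// Removing a member removes the credential from the IMS copy of that Wallet.
function removeMember(state, user) {
  state.members.delete(user);
  delete state.imsWallets[user];
}

// The owner's password change sets the new password on the target system and
// propagates it to (or provisions it into) every current member's IMS Wallet.
function changePassword(state, newPassword) {
  state.password = newPassword;
  for (const member of state.members) state.imsWallets[member] = newPassword;
}

// AccessAgent synchronization replaces the local Wallet with the IMS copy.
function syncAccessAgent(state, user) {
  if (user in state.imsWallets) state.localWallets[user] = state.imsWallets[user];
  else delete state.localWallets[user];
}

// A user can sign on with the shared account only if the local Wallet holds
// the password that is currently valid on the target system.
function canUseSharedAccount(state, user) {
  return user in state.localWallets && state.localWallets[user] === state.password;
}

// Walk through the scenarios and record who can use helpDesk_A at each step.
function runScenario() {
  const s = initialState();
  const log = {};
  addMember(s, 'Cathy');
  syncAccessAgent(s, 'Cathy');
  log.cathyBeforePasswordChange = canUseSharedAccount(s, 'Cathy'); // false: nothing provisioned yet
  changePassword(s, 'pw-2');
  syncAccessAgent(s, 'Cathy');
  log.cathyAfterPasswordChange = canUseSharedAccount(s, 'Cathy');  // true
  syncAccessAgent(s, 'Alice');
  syncAccessAgent(s, 'Bob');
  removeMember(s, 'Bob');
  log.bobRemovedNotSynced = canUseSharedAccount(s, 'Bob');         // true: stale local copy still valid
  changePassword(s, 'pw-3');
  log.bobAfterPasswordChange = canUseSharedAccount(s, 'Bob');      // false: stale copy now useless
  log.aliceBeforeSync = canUseSharedAccount(s, 'Alice');           // false until her AccessAgent syncs
  syncAccessAgent(s, 'Alice');
  syncAccessAgent(s, 'Bob');
  log.aliceAfterSync = canUseSharedAccount(s, 'Alice');            // true
  log.bobAfterSync = 'Bob' in s.localWallets;                      // false: credential removed
  return log;
}

console.log(runScenario());
```

The bobRemovedNotSynced step is the window the Watch out describes: between the role removal and Bob's next synchronization, his cached credential is still the valid password, so the owner's password change is what closes the window rather than the removal alone.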
Changing the owner of a group sharing account
Alice has been promoted to another department in Company A and is leaving the help desk
team. As Alice will no longer be the team lead for the help desk team, she can no longer be
the owner of the helpDesk_A group sharing account and the HelpDeskRole_A role. Dan will
be taking over the help desk team lead and needs to become the owner of the helpDesk_A
group sharing account and the HelpDeskRole_A role.
The Tivoli Identity Manager administrator completes the steps in this section to remove Alice
as the owner of the helpDesk_A group sharing account and the HelpDeskRole_A role, then
assigns the ownership of both to Dan.
Important: In this example, Dan is already a member of the HelpDeskRole_A role and
Dan's Wallet already contains the helpDesk_A group sharing account. If this is not the
case, Dan needs to be added as a member before he can take ownership of the group
sharing account and the role. This is because the adopt account operation in Tivoli Identity
Manager does not automatically cause the Tivoli Identity Manager Adapter for Tivoli
Access Manager for Enterprise Single Sign-On to populate the group sharing account into
Dan's Wallet.
Alternatively, after Dan becomes the owner of the HelpDeskRole_A role, he must force a
password change operation to occur on the helpDesk_A account. This causes the adapter to
provision the helpDesk_A account to Dan's Wallet.
1. The Tivoli Identity Manager administrator assigns the ownership of the helpDesk_A group
sharing account to Dan using the Tivoli Identity Manager administrative console
(Figure 32).
Figure 32 Assign helpDesk_A account to user Dan
This means that Alice is no longer the owner of the helpDesk_A group sharing account.
Important: The helpDesk_A account still remains in Alice's Wallet because she is still a
member of the helpDeskRole_A role.
Dan is now the owner of the helpDesk_A account (Figure 33).
Figure 33 Dan is the owner of the helpDesk_A account
2. The Tivoli Identity Manager administrator removes Alice (Figure 34), then assigns Dan to
be the only owner of the HelpDeskRole_A role (Figure 35). As Dan was already a member
of the help desk team, he is already a member of this role.
Figure 34 Change the owner of the helpDeskRole_A role
Alice is no longer the owner of HelpDeskRole_A role. Dan is now the owner and a
member of the HelpDeskRole_A role.
Important: The helpDesk_A account still remains in Alice's Wallet, as she is still a
member of the helpDeskRole_A role.
Figure 35 New owner of role helpDeskRole_A
3. The Tivoli Identity Manager administrator then removes Alice as a member from the
HelpDeskRole_A role (Figure 36).
Figure 36 Change membership of helpDeskRole_A role
This triggers an email to be sent to Dan, who is now the owner of both the helpDesk_A
account and the HelpDeskRole_A role. The adapter removes the helpDesk_A account
from Alice's Wallet (Figure 37).
Figure 37 Alice’s Wallet
4. As a precaution, Dan changes the password of the helpDesk_A account using the Tivoli
Identity Manager administrative console.
Important: If the password change is not completed, there is a chance that Alice might
still have access to the helpDesk_A credential within her local Wallet. After the local
AccessAgent synchronizes the Wallet with the IMS Server, Alice no longer has access
to the helpDesk_A account. Complete a password change every time that the owner of
a group sharing account receives an email requesting it to be done.
Figure 38 Dan changes the helpDesk_A account password
This causes the adapter to update the password for the helpDesk_A account in both Dan's and
Cathy's Wallets.
Creation of a new group sharing account
The group sharing account feature is designed to support multiple group sharing accounts of
various services. This means that a group of users can share access to an account for a
Tivoli Access Manager service, while at the same time another group of users can share
access to an account for a Lotus® Notes® service. This is done by defining the group sharing
account mapping in the service form of the Tivoli Access Manager for Enterprise Single
Sign-On service. This mapping attribute is multi-valued, so one service form can hold one
mapping entry per group sharing account.
The group sharing account also supports multiple Tivoli Access Manager for Enterprise
Single Sign-On services. This means that the Tivoli Identity Manager Adapter for Tivoli
Access Manager Enterprise Single Sign-On can manage multiple group sharing accounts for
users with multiple Wallets. This is done by defining a Tivoli Access Manager for Enterprise
Single Sign-On service as the prerequisite service for an application service.
The following scenario outlines the creation of a new group sharing account of the same
Tivoli Access Manager service. The information provided can be applied to any application
service.
In Company A, some existing users already have the helpDesk_A shared account in their
Wallet. By creating the new helpDesk_B group sharing account and the Tivoli Identity
Manager HelpDeskRole_B role, existing team members can be added to the
HelpDeskRole_B role to gain access to the helpDesk_B shared account.
After reviewing the help desk team responsibilities, Dan requires a new group sharing account
for the TAM Service. Dan submits a request to create a Tivoli Access Manager account with
the name helpDesk_B. He also requests that the Tivoli Identity Manager HelpDeskRole_B role
be created. This role will be used to manage access to the helpDesk_B shared account.
Because Dan submitted the request, he will be assigned as the owner for both the
helpDesk_B account and the HelpDeskRole_B role. To create the new group sharing account,
the Tivoli Identity Manager administrator completes the following steps:
1. The Tivoli Identity Manager administrator creates the HelpDeskRole_B role and assigns
Dan as its owner. Dan is also added as a member of this role (Figure 39 and Figure 40).
Figure 39 Creating HelpDeskRole_B role - the owner is Dan
Figure 40 Adding Dan as a member of the HelpDeskRole_B role
Dan is now the only owner and a member of the HelpDeskRole_B role.
2. The Tivoli Identity Manager administrator then creates the helpDesk_B group sharing
account and assigns Dan as the owner (Figure 41 and Figure 42).
Figure 41 New helpDesk_B group sharing account
Figure 42 Dan is the owner of the helpDesk_B account
The createAccountWithTAMESSO workflow is triggered when the helpDesk_B group
sharing account is created. This causes the adapter to look for Dan's Tivoli Access
Manager for Enterprise Single Sign-On account. It then provisions the helpDesk_B
account to Dan's Wallet.
The adapter uses the prerequisite service attribute to identify Dan's Wallet to provision the
group sharing account to it. In this case, TAM E-SSO Service A is defined as the
prerequisite service for the TAM Service. The helpDesk_B group sharing account is now
added to Dan's Wallet for TAM E-SSO Service A (Figure 43).
Figure 43 Dan’s Wallet
3. The Tivoli Identity Manager administrator updates the TAM E-SSO Service A service form
by adding the following line to the Group Sharing Account mapping field (Figure 44):
TAM Service|helpDesk_B|HelpDeskRole_B
Figure 44 Add the group sharing account mapping
This modification ensures that when any new members are added to the HelpDeskRole_B
role, the isSharedRole workflow that runs during a modify operation for a person is
triggered. The workflow sends an email notification to Dan. Dan then changes the
password for the helpDesk_B group sharing account, which grants the new members
access to this account. New members cannot access the group sharing account until the
password change is completed.
Deletion of an existing group sharing account
After a few months, Dan identifies that the helpDesk_B shared account is no longer needed.
Dan submits a request to a Tivoli Identity Manager administrator requesting that the
helpDesk_B group sharing account is removed. The Tivoli Identity Manager administrator
completes the following steps.
Important: Access to the group sharing account is not revoked from all users until all steps
have been completed.
1. The Tivoli Identity Manager administrator deletes all members from HelpDeskRole_B
(Figure 45).
Figure 45 Remove role members
This causes the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise
Single Sign-On to delete the helpDesk_B account credentials from the Wallets of all the
deleted role members. It also triggers an email to be sent to Dan. The helpDesk_B
account is not removed from Dan's Wallet, as he is the owner of the account. Only when
the helpDesk_B account is deleted from Tivoli Identity Manager is it removed from
Dan's Wallet.
2. The Tivoli Identity Manager administrator deletes HelpDeskRole_B.
The HelpDeskRole_B role is successfully deleted. The adapter takes no action during the
deletion of a role.
3. The Tivoli Identity Manager administrator removes the group sharing account mapping
from the TAM E-SSO Service A service form for the helpDesk_B account (Figure 46).
Figure 46 Delete the group sharing account mapping
4. The Tivoli Identity Manager administrator deletes the helpDesk_B account from Tivoli
Identity Manager (Figure 47).
Figure 47 Delete the helpDesk_B account
The helpDesk_B account is successfully deleted. The deleteAccountWithTAMESSO workflow
triggers the helpDesk_B account to be removed from Dan's Wallet (Figure 48).
Figure 48 Dan’s Wallet
Assigning multiple users to a group sharing account
To assign a group sharing account to a user, the user is added to the role that is associated
with this shared account.
When a Tivoli Identity Manager administrator assigns multiple users to a role that is
associated with a shared account in one request, an email notification is sent to the account
owner. The owner can assign all users access to this shared account via a single password
change request.
The email notification does not identify the users added or removed from the role. The
notification only indicates that a role membership change has occurred and that a password
change is required on the shared account.
Assigning a user to a number of group sharing accounts
To assign a group sharing account to a user, the user is added to the role that is associated
with this shared account.
With regard to the group sharing account configuration, the Tivoli Identity Manager
administrator must not assign multiple roles to a user in a single request, because only one
email notification is sent to the owner to request a password change. This email only
identifies the shared account for the first role assigned.
The Tivoli Identity Manager administrator can therefore assign only one role that is
associated with a group sharing account per request for a user.
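The following Python model, added here and not part of the paper or the adapter, illustrates the
service form mapping described in step 3 above and the two assignment rules in this section. Only
the mapping entry format "Service|account|Role" comes from the paper; the function names, the data
shapes and the sample data are assumptions constructed for this example.

```python
"""Model of the group sharing account mapping and its notification rules, as
described in this paper. Added example: not adapter code. Only the mapping
format "Service|account|Role" comes from the paper; the function names, the
data shapes and the sample data are assumptions constructed for illustration."""
from collections import namedtuple

Mapping = namedtuple("Mapping", "service account role")


def parse_mappings(values):
    """Parse the multi-valued Group Sharing Account mapping attribute."""
    mappings = []
    for value in values:
        parts = [p.strip() for p in value.split("|")]
        if len(parts) != 3 or not all(parts):
            raise ValueError("malformed mapping entry: %r" % value)
        mappings.append(Mapping(*parts))
    return mappings


def owner_notification(mappings, changed_roles):
    """Email the adapter sends for one person-modify request. The paper states
    that a single request yields one email naming only the shared account of
    the first role touched, so a request that changes several shared-account
    roles under-reports; submit one such role per request instead."""
    hits = [m for m in mappings if m.role in changed_roles]
    if not hits:
        return None
    return {"account": hits[0].account,
            "unreported_accounts": [m.account for m in hits[1:]],
            "action": "owner must change the shared account password"}


def wallet_audit(mappings, role_members, owners, wallets):
    """Flag Wallet credentials whose holder is neither a current member of the
    mapped role nor the account owner. This models the window the paper warns
    about: a removed member may still hold the credential in a local Wallet
    until the owner's password change and the AccessAgent sync complete."""
    entitled = {}
    for m in mappings:
        members = set(role_members.get(m.role, ()))
        entitled[m.account] = members | {owners.get(m.account)}
    findings = []
    for user, credentials in wallets.items():
        for account in credentials:
            if account in entitled and user not in entitled[account]:
                findings.append((user, account))
    return sorted(findings)


# Constructed sample data mirroring the paper's Company A scenario.
SERVICE_FORM_MAPPINGS = ["TAM Service|helpDesk_A|HelpDeskRole_A",
                         "TAM Service|helpDesk_B|HelpDeskRole_B"]
ROLE_MEMBERS = {"HelpDeskRole_A": {"alice", "cathy"}, "HelpDeskRole_B": {"dan"}}
OWNERS = {"helpDesk_A": "alice", "helpDesk_B": "dan"}
# Bob was removed from HelpDeskRole_A but his local Wallet has not synced yet.
WALLETS = {"alice": {"helpDesk_A"}, "cathy": {"helpDesk_A"},
           "bob": {"helpDesk_A"}, "dan": {"helpDesk_B"}}

if __name__ == "__main__":
    mappings = parse_mappings(SERVICE_FORM_MAPPINGS)
    print(owner_notification(mappings, {"HelpDeskRole_A", "HelpDeskRole_B"}))
    print(wallet_audit(mappings, ROLE_MEMBERS, OWNERS, WALLETS))
```

Running the script with the sample data reports that a combined request for both roles would name only helpDesk_A in the owner email, and that Bob's Wallet still holds helpDesk_A until the password change and sync complete.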
Conclusion
In this Redpaper publication we introduced the new group sharing account management
functionality added to the IBM Tivoli Identity Manager Adapter for Tivoli Access Manager for
Enterprise Single Sign-On. We included a brief overview of the group sharing account
management functionality, outlining both supported and unsupported customer deployments.
We also provided detailed deployment instructions to ensure a clear understanding of how
the functionality is deployed.
Finally, we discussed the capabilities of the group sharing account management
functionality by using detailed use cases for supported scenarios. The group sharing account
management functionality reduces the number of accounts that are needed on a target
system. It can help reduce the cost of maintaining an excessive number of user accounts by
allowing multiple users to share a single account, yet still achieve full functionality.
The team who wrote this paper
This paper was produced by a team of specialists from around the world working at the
International Technical Support Organization, Austin Center.
Ivy Chiu is a software developer at the IBM Australian Development Lab (ADL), Gold Coast.
She is an IBM Certified Deployment Professional for IBM Tivoli Identity Manager V5.1. She
has four years of experience specializing in the testing and development of IBM Tivoli Identity
Manager Adapters. She holds a degree in Information Technology from the Queensland
University of Technology, Australia.
Axel Buecker is a Certified Consulting Software IT Specialist at the ITSO, Austin Center. He
writes extensively and teaches IBM classes worldwide on areas of software security
architecture and network computing technologies. He holds a degree in Computer Science
from the University of Bremen, Germany. He has 24 years of experience in a variety of areas
related to workstation and systems management, network computing, and e-business
solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a
Senior IT Specialist in Software Security Architecture.
Thanks to the following people for their contributions to this project:
Anthony Ferguson, Brian Matthiesen, Eng Kiat Koh, Zoran Radenkovic
IBM
Now you can become a published author, too!
Here's an opportunity to spotlight your skills, grow your career, and become a published
author—all at the same time! Join an ITSO residency project and help write a book in your
area of expertise, while honing your experience using leading-edge technologies. Your efforts
will help to increase product acceptance and customer satisfaction, as you expand your
network of technical contacts and relationships. Residencies run from two to six weeks in
length, and you can participate either in person or as a remote resident working from your
home base.
Learn more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our papers to be as helpful as possible. Send us your comments about this paper or
other IBM Redbooks® publications in one of the following ways:
- Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
- Send your comments in an email to:
redbooks@us.ibm.com
- Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400 U.S.A.
Stay connected to IBM Redbooks
- Find us on Facebook:
http://www.facebook.com/IBMRedbooks
- Follow us on Twitter:
http://twitter.com/ibmredbooks
- Look for us on LinkedIn:
http://www.linkedin.com/groups?home=&gid=2130806
- Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks
weekly newsletter:
https://www.redbooks.ibm.com/Redbooks.nsf/subscribe?OpenForm
- Stay current on recent Redbooks publications with RSS Feeds:
http://www.redbooks.ibm.com/rss.html
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that does
not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any
manner serve as an endorsement of those websites. The materials at those websites are not part of the
materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs.
© Copyright International Business Machines Corporation 2010. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM Corp.
This document REDP-4707-00 was created or updated on December 7, 2010.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. These and other IBM trademarked terms are
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this information was published. Such
trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
IBM®
IMS™
Lotus Notes®
Lotus®
Notes®
Redbooks®
Redpaper™
Redbooks (logo)
Tivoli®
The following terms are trademarks of other companies:
Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.