Redpaper

Utilizing Group Sharing Account User Management using the IBM Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On

Ivy Chiu
Axel Buecker

Introduction

In the 5.1 release of the IBM® Tivoli® Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On, a group sharing account management feature has been introduced. It allows multiple users who have a Wallet to use the credentials of a shared application account without owning that account. Each shared account has exactly one owner, who is responsible for resetting the account password when required. This can reduce the number of accounts needed on a target system, and the users of a shared account never need to know its password.

This version of the adapter integrates Tivoli Identity Manager 5.1 and Tivoli Access Manager for Enterprise Single Sign-On 8.1. It uses IBM Tivoli Directory Integrator to communicate between Tivoli Identity Manager and the Tivoli Access Manager for Enterprise Single Sign-On IMS™ Server, providing user management operations (create, delete, and change password) for Tivoli Access Manager for Enterprise Single Sign-On users. It also uses the workflow extension capabilities of Tivoli Identity Manager to manage application credentials in the user's Wallet: create, delete, and change password for application credentials.

Important: Group sharing account user management differs from privileged identity management in that it does not provide individual accountability. If you must address individual accountability, see the IBM Privileged Identity Management offering described in the IBM Redpaper™ publication Centrally Managing and Auditing Privileged User Identities by Using the IBM Integration Services for Privileged Identity Management, REDP-4660.
© Copyright IBM Corp. 2010. All rights reserved.

This Redpaper publication covers group sharing account management in the following sections:

- Architecture overview
- Group sharing account management
- Group sharing account deployment
- Scenarios

Architecture overview

The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On is built on the Tivoli Directory Integrator framework for Tivoli Identity Manager adapters and consists of Tivoli Directory Integrator AssemblyLines. When Tivoli Identity Manager makes its first request to the adapter, the AssemblyLines are loaded into the Tivoli Directory Integrator server; subsequent service requests reuse them without reloading. The AssemblyLines use Tivoli Directory Integrator components to perform user management tasks on the IMS Server remotely, over SOAP over SSL, acting as the trusted IMS Bridge agent. Figure 1 depicts the architecture flow.

Figure 1 Architecture overview

This integration also provides a set of Tivoli Identity Manager workflow extensions that tighten the integration between Tivoli Identity Manager and the IMS Server. They allow the application credentials of a Tivoli Access Manager for Enterprise Single Sign-On user to be managed for specific application services through Tivoli Identity Manager user provisioning, so that single sign-on works for the accounts Tivoli Identity Manager provisions. In this release of the adapter, the following workflow extensions support the management of application credentials in a user's Wallet (add, delete, and change password operations):

- createAccountWithTAMESSO: provisions an application account credential into the user's Wallet.
- createITIMAccountWithTAMESSO: provisions the Tivoli Identity Manager account credential into the user's Wallet.
- changePasswordWithTAMESSO: changes the password of an application account credential in the user's Wallet.
- deleteAccountWithTAMESSO: de-provisions an application account credential from the user's Wallet.

The workflow extensions specifically required for group sharing account management are:

- changeSharedAccountPasswordWithTAMESSO: propagates the password of a group sharing account to the Wallets of the users who share it.
- isSharedRole: determines, on a role membership change, whether the role controls a shared account and who its owner is.

Group sharing account management

Group sharing account management uses Tivoli Identity Manager roles to determine who may use a particular shared account, and relies on the existing Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to provision the credential into the Wallets of the shared account users. Figure 2 shows the general flow between the Tivoli Identity Manager server, the IMS Server, and the AccessAgent when a group sharing account is provisioned.

Figure 2 General process flow between Tivoli Identity Manager server, IMS Server, and AccessAgent

Tivoli Identity Manager, the IMS Server, and the AccessAgent interact as follows:

1. A Tivoli Identity Manager user is added to a Tivoli Identity Manager role to gain access to a shared account.
2. The shared account owner is notified by email to reset the password of this shared account.
3. The shared account owner changes the password of the shared account. The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On populates or updates the shared account password in the Wallets of all users who are members of this Tivoli Identity Manager role.
4. The AccessAgent synchronizes with the IMS Server and downloads the updated Wallet.
5. The user's local Wallet now contains the current shared account user ID and password, and the user can sign on to the application with them.

Supported deployment

Group sharing accounts have the following characteristics, which you should consider before deploying group sharing account management in your environment:

- Individual accountability is not required for the group sharing account.
- Users of the group sharing account are not required to know the account password.

The following example scenarios show the distinction between a supported deployment and an unsupported one.

Supported customer deployment

The help desk team needs a generic email account that all team members use to respond to support requests. All team members need access to this mailbox, but there is no requirement for audit records of which individual used the account at a given time or what they did with it. The mailbox can be used by several people at once from separate desktop clients. The help desk team members do not need to know the password of the account and cannot change it. The help desk manager is the only person who can change the password of the shared account, and he approves access to it for individual team members. This scenario is a prime example of where group sharing account management in the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On fits.

Unsupported customer deployment

The UNIX® administrator team needs a shared account for administering UNIX systems. All team members need access to the UNIX systems and must be able to change the password of the shared account. There is also a requirement for audit records of when the account was used and what was done with it at a specific time.
Group sharing account management in the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On cannot be used in this scenario: individual team members cannot change the password of the shared account, and no individual audit records can be generated for each team member using it. All activity is logged against the shared account user name.

Group sharing account deployment

The following sections cover the deployment steps:

- Prerequisite information
- Configure the group sharing account mapping
- Configure an application service
- Configure the isSharedRole workflow extension
- Configure the changeSharedAccountPasswordWithTAMESSO workflow extension

Prerequisite information

Before configuring group sharing account management, collect the following information.

The name of the application service
To manage an application credential inside a Wallet with the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On, you need the service name of the application. It is listed under Manage Services on the Tivoli Identity Manager administrative console.

The name of the account to be shared
This is the application credential that is managed in the Wallet. It is listed under Manage Services > Accounts on the Tivoli Identity Manager administrative console.

Watch out: This account cannot be a Tivoli Access Manager for Enterprise Single Sign-On account.

The name of the owner of this account
The owner is the Tivoli Identity Manager user under whose name this application credential is listed on the Tivoli Identity Manager administrative console.

The email address of the shared account owner
The owner's email address is found under Manage Users > Change User Contact Information on the Tivoli Identity Manager administrative console.
The name of the Tivoli Identity Manager role that controls access to this shared account
Create a Tivoli Identity Manager role from Manage Roles > Create Role, define the role name, and assign the owner of the shared account as the owner of this role.

Watch out: Only one role owner is allowed.

The Tivoli Access Manager for Enterprise Single Sign-On authentication service ID
The authentication service ID can be found with AccessStudio. Import data from the IMS Server by clicking File > Import data from IMS. After the import completes, select View > Authentication Services to list the services.

Configure the group sharing account mapping

To share an account of a specific service between users and have it provisioned into their Wallets, the account, its application service, and the role that controls access to it must be mapped to a specific Tivoli Access Manager for Enterprise Single Sign-On service. This is done in the group sharing accounts mapping on the service form of the Tivoli Access Manager for Enterprise Single Sign-On service (Figure 3).

Figure 3 Group sharing account mapping

The adapter's schema and service form have been extended so that each group sharing account is described by one mapping entry on the service form, in the form:

    <ServiceName> | <Account Name> | <Role Name>

Each entry ties a group sharing account of a specific Tivoli Identity Manager service to the Tivoli Identity Manager role that controls access to it. Separate the values with the pipe character (|), for example TAM Service|SSO_account|Role_Name. The attribute is multi-valued, so one Tivoli Access Manager for Enterprise Single Sign-On service can carry several group sharing accounts.

Configure an application service

For the application service being managed, define the service prerequisite and the TAM E-SSO Authentication Service ID.
The service prerequisite maps the relationship between a Tivoli Access Manager for Enterprise Single Sign-On service and the application service it manages. Because of this prerequisite, an application service in Tivoli Identity Manager can only be provisioned after the user's Tivoli Access Manager for Enterprise Single Sign-On account has been provisioned in the IMS Server; otherwise sign-on automation does not work.

The TAM E-SSO Authentication Service ID lets the adapter map the application account to the correct authentication service on the IMS Server. Every application service in Tivoli Identity Manager that takes part in the integration must have a TAM E-SSO Authentication Service ID defined on its service form; otherwise sign-on automation does not work.

Figure 4 shows that TAM E-SSO 81 is the prerequisite service for the ITIM Service, and that the ITIM Service has a TAM E-SSO Authentication Service ID of dir_itim.

Figure 4 TAM E-SSO Authentication Service ID

Configure the isSharedRole workflow extension

To configure the isSharedRole workflow, define the workflow extension in the modify operation of the Person entity. Two nodes must be inserted into this workflow: the isSharedRole node, which is a conditional branch, and the Email node, which is an action. The outcome of the isSharedRole condition determines whether an email is sent.

The isSharedRole extension is inserted between the Start node and the ModifyPerson node. Whenever a Tivoli Identity Manager role is assigned to or removed from a person, the extension checks whether that role appears in the group sharing accounts mapping on the Tivoli Access Manager for Enterprise Single Sign-On service form. It has two data outputs:

- The string attribute sendEmail returns true or false.
- The entity attribute Recipient returns the owner of the shared role.
isSharedRole acts differently depending on the outcome of the check:

- If the role does not match any role in the group sharing account mapping, no action is taken.
- If the role matches and is being assigned to a user, an email is sent to Recipient, the owner of the shared account (that is, the owner of the Tivoli Identity Manager role).
- If the role matches and is being removed from a user, an email is sent to Recipient, and at the same time the adapter is triggered to remove the shared account from that user's Wallet.

To notify the shared account owner, an Email node must be inserted between the ISSHAREDROLE and MODIFYPERSON workflow nodes. This Email node also acts on the outcome of the isSharedRole check:

- If the role does not match any role in the group sharing account mapping, no email is sent.
- If the role matches, an email is sent to Recipient stating that a password change is required.

To configure the isSharedRole workflow, complete the following steps:

1. Log on to Tivoli Identity Manager:
   a. Select Configure System > Manage Operations.
   b. For the operation level, select Entity type level.
   c. Select Person as the entity type (Figure 5).

Figure 5 Entity type level Person modify

2. Click the modify operation. The operation diagram in Figure 6 shows the completed workflow after the changes below have been made.

Figure 6 Operational workflow - modify

3. Remove the transition from Start to MODIFYPERSON.
4. Add a new extension between the Start node and the MODIFYPERSON node (Figure 7).
Figure 7 Add a new extension

5. Double-click the new Extension node. A pop-up window (Figure 8) lists all extensions registered in workflowextensions.xml.

Figure 8 Define the isSharedRole extension

6. Select isSharedRole as the extension name and type ISSHAREDROLE in the Activity ID field.
7. Set the split type to OR.
8. Click Ok to close the Properties window.
9. Attach the transitions to the newly added extension.
10. Click Properties.
11. Click Add next to Relevant Data.
12. Create a new sendEmail relevant data entry: enter sendEmail in the ID field, make sure the type is String and the default value is false, and click Ok.
13. Create a new recipient relevant data entry: enter recipient in the ID field, make sure the type is Person and the entity is Person, and click Ok.
14. Click Ok to close the Properties window.
15. Add a new Mail node between ISSHAREDROLE and MODIFYPERSON (Figure 9).

Figure 9 JavaScript for the mail node

16. Double-click the new Mail node. A pop-up window shows the properties of the Mail node.
17. In the Activity ID field, type emailAccountOwner and select Custom from the Recipient drop-down menu. Click the ellipsis button (...) and add a new script with the following JavaScript, which resolves the recipient relevant data (the role owner set by isSharedRole) to a distinguished name and returns that user as the mail participant:

    var recipientObj = recipient.get();
    var recipientDN = recipientObj.dn;
    return new Participant(ParticipantType.USER, recipientDN);

18. Click Ok to close the Custom Participant dialog, then click Ok to close the Mail Properties dialog.
19. Add the following script to the transition line between ISSHAREDROLE and emailAccountOwner:

    (sendEmail.get()=="true");

20. Add the following script to the transition line between ISSHAREDROLE and MODIFYPERSON:

    (sendEmail.get()!="true");

21. Click the MODIFYPERSON node, set the join type to OR, and click Ok.
22. Click Update and then click Ok at the bottom of the dialog.
23. Click Close to close the Operations window.

Configure the changeSharedAccountPasswordWithTAMESSO workflow extension

To configure the changeSharedAccountPasswordWithTAMESSO workflow, redefine the workflow extension in the changePassword operation of the Account entity: update the changePassword node between the Start and End nodes. changeSharedAccountPasswordWithTAMESSO is a thin wrapper around the existing changePassword extension.

Watch out: The shared account type cannot be a Tivoli Access Manager for Enterprise Single Sign-On account.

The extension first checks the type of the account whose password is changing; a Tivoli Access Manager for Enterprise Single Sign-On account itself is never handled as a shared account. It then looks for this account among the accounts defined in the group sharing account mapping on the Tivoli Access Manager for Enterprise Single Sign-On service form. If the account is not a shared account, only the normal password change extension runs. If the account is a shared account, the extension looks up the Tivoli Access Manager for Enterprise Single Sign-On accounts of all members of the role that controls access to the shared account and sends a request to the adapter to update the shared account password in those users' Wallets.

To configure the changeSharedAccountPasswordWithTAMESSO workflow, complete these steps:

1. Log on to Tivoli Identity Manager, then:
   a. Select Configure System > Manage Operations.
   b. For the operation level, select Entity level.

   Watch out: If all account types are to be integrated with the Tivoli Access Manager for Enterprise Single Sign-On service, select Entity type level as the operation level instead.

   c. Select Account as the entity type.
   d. Select the type of account to be integrated with the Tivoli Access Manager for Enterprise Single Sign-On service (Figure 10).
   Watch out: If the Tivoli Identity Manager account itself is to be integrated with the Tivoli Access Manager for Enterprise Single Sign-On service, select Identity Manager User as the entity type.

Figure 10 Entity type level Account changePassword

2. Click Add to create a changePassword operation if one does not already exist. The operation diagram is displayed; make the same changes as shown in Figure 11.

Figure 11 Operational workflow - changePassword

3. Double-click the CHANGEPASSWORD node. A pop-up window (Figure 12) lists all extensions registered in workflowextensions.xml.
4. Select changeSharedAccountPasswordWithTAMESSO as the extension name.
5. Click Ok to close the Properties window.
6. Click Update and then click Ok at the bottom of the dialog.
7. Click Close to close the Operations window.

Figure 12 Define the changeSharedAccountPasswordWithTAMESSO extension

Scenarios

This section walks through a help desk deployment scenario.

Assumptions

The Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On is installed, and the following workflows are configured as described in the adapter's installation guide:

- createAccountWithTAMESSO: provisions the application account credential into the user's Wallet.
- deleteAccountWithTAMESSO: de-provisions the application account credential from the user's Wallet.
- changeSharedAccountPasswordWithTAMESSO: propagates the group sharing account password to the shared users' Wallets.
- isSharedRole: determines shared role membership for new shared account users.
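The mapping attribute, the isSharedRole branch and the changeSharedAccountPasswordWithTAMESSO wrapper described in the deployment sections above can be exercised together as a small simulation. The following Python is an added example written for this page, not code from the adapter or from IBM: the real extensions run as Tivoli Identity Manager workflow extensions and reach the IMS Server through the adapter. Every name in it (Directory, parse_mappings, modify_role_membership, change_password, help_desk_scenario, the ESSO_SERVICE and KEY constants) and all of the people and Wallet data are invented for illustration. It replays the Company A walkthrough that follows (Alice, Bob, Cathy, Dan) so that the reader can check which Wallets hold the credential after each step, including the two behaviours the scenarios warn about: adding a member provisions nothing until the owner changes the password, and adopting the account does not populate the new owner's Wallet.

```python
# Added example, not adapter or IBM code: a runnable model of the isSharedRole and
# changeSharedAccountPasswordWithTAMESSO logic described on this page. All names are
# invented for illustration; the real extensions run inside Tivoli Identity Manager.
from dataclasses import dataclass, field

ESSO_SERVICE = "TAM E-SSO 81"  # assumed name of the TAM E-SSO (Wallet) service
KEY = "TAM Service|helpDesk_A"  # "<ServiceName>|<Account Name>" of the shared account


@dataclass
class Person:
    name: str
    email: str = ""
    has_esso_account: bool = False              # a Wallet exists on the IMS Server
    wallet: dict = field(default_factory=dict)  # "service|account" -> password


@dataclass
class Role:
    name: str
    owner: str                                  # exactly one owner is allowed
    members: set = field(default_factory=set)


def parse_mappings(values):
    """Parse '<ServiceName>|<Account Name>|<Role Name>' entries into {account key: role}."""
    mappings = {}
    for raw in values:
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed group sharing account entry: {raw!r}")
        if parts[0] == ESSO_SERVICE:
            raise ValueError("a shared account cannot itself be a TAM E-SSO account")
        mappings[f"{parts[0]}|{parts[1]}"] = parts[2]
    return mappings


class Directory:
    """Stand-in for the Tivoli Identity Manager data that the two extensions read."""

    def __init__(self, mappings):
        self.mappings = mappings              # account key -> controlling role name
        self.people, self.roles = {}, {}
        self.owners, self.passwords = {}, {}  # account key -> owner / current password

    def validate(self):
        """Paper's constraints: the role owner owns the shared account and has an email."""
        for key, role_name in self.mappings.items():
            owner = self.roles[role_name].owner
            if self.owners[key] != owner:
                raise ValueError(f"{role_name}: role owner must also own {key}")
            if not self.people[owner].email:
                raise ValueError(f"{owner} has no email address to notify")

    def modify_role_membership(self, person, role_name, add):
        """isSharedRole plus the Email node; returns sendEmail and Recipient (role owner)."""
        role = self.roles[role_name]
        (role.members.add if add else role.members.discard)(person)
        shared = [k for k, r in self.mappings.items() if r == role_name]
        if not shared:
            return {"sendEmail": False, "recipient": None}  # not a shared role: no action
        if not add:  # removal: the adapter deletes the credential from the Wallet at once
            for key in shared:
                self.people[person].wallet.pop(key, None)
        # an addition provisions nothing yet; the owner's password change does that
        return {"sendEmail": True, "recipient": role.owner}

    def change_password(self, key, new_password):
        """changeSharedAccountPasswordWithTAMESSO; returns members whose Wallets were updated."""
        self.passwords[key] = new_password  # the ordinary changePassword step
        if key not in self.mappings:
            return []  # ordinary account: nothing is propagated
        updated = []
        for name in sorted(self.roles[self.mappings[key]].members):
            person = self.people[name]
            if person.has_esso_account:  # only users with a Wallet can receive it
                person.wallet[key] = new_password
                updated.append(name)
        return updated


def help_desk_scenario():
    """Replay the Company A walkthrough; returns each person's final Wallet contents."""
    d = Directory(parse_mappings(["TAM Service|helpDesk_A|HelpDeskRole_A"]))
    for n in ("Alice", "Bob", "Cathy", "Dan"):  # constructed sample users
        d.people[n] = Person(n, email=f"{n.lower()}@example.com", has_esso_account=True)
    d.owners[KEY] = "Alice"
    d.roles["HelpDeskRole_A"] = Role("HelpDeskRole_A", "Alice", {"Alice", "Bob", "Dan"})
    d.validate()
    d.change_password(KEY, "initial")                              # seeds existing members
    d.modify_role_membership("Cathy", "HelpDeskRole_A", add=True)  # grant: Alice is mailed
    d.change_password(KEY, "after-cathy")                          # Alice resets
    d.modify_role_membership("Bob", "HelpDeskRole_A", add=False)   # Bob's copy is removed
    d.change_password(KEY, "after-bob")                            # precautionary reset
    d.owners[KEY] = d.roles["HelpDeskRole_A"].owner = "Dan"        # adopt: provisions nothing
    d.modify_role_membership("Alice", "HelpDeskRole_A", add=False)
    d.change_password(KEY, "after-alice")                          # Dan resets
    return {n: dict(p.wallet) for n, p in d.people.items()}
```

Running help_desk_scenario() leaves the credential only in Cathy's and Dan's Wallets, with the password Dan set last; Alice's and Bob's Wallets are empty because role removal deletes the credential regardless of any later password change. The model deliberately does not track the local AccessAgent cache, which is why the paper insists on the precautionary password change after every removal.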
Supported scenarios

The following example scenarios illustrate the capabilities of group sharing account management:

- Granting access to a group sharing account
- Removing access from a group sharing account
- Changing the owner of a group sharing account
- Creating a new group sharing account
- Deleting an existing group sharing account
- Assigning multiple users to a group sharing account
- Assigning a user to a number of group sharing accounts

Watch out: If you use this guide to assist in deployment and configuration, note the order in which the steps are executed in each scenario.

Background information

Company A has deployed the latest Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On and is ready to use group sharing account management for its help desk team. The help desk team will share access to a Tivoli Access Manager account called helpDesk_A. The owner of this account is the help desk team lead, Alice, who is responsible for resetting its password.

To gain access to a group sharing account, every user must have a Tivoli Access Manager for Enterprise Single Sign-On account.

The Tivoli Identity Manager administrator must create the Tivoli Identity Manager role HelpDeskRole_A to control access to the helpDesk_A account. A role owner must be assigned to this role to receive email notifications when role membership changes. Only one role owner is permitted in the group sharing account management configuration, and the role owner must be the same person who owns the group sharing account. Alice is therefore assigned as the owner of this role.

Whenever someone requests access to the shared account, that person is added to the HelpDeskRole_A role. This triggers an email to the role owner, Alice.
Alice receives an email requesting that the helpDesk_A account password be changed, and resets the password. The change password operation triggers the adapter to provision the account, with the new password, into the new role member's Wallet. At the same time, it updates the helpDesk_A password in all existing role members' Wallets. Until the password change is completed, the new user cannot use the shared account.

The group sharing account is visible only in the owner's account list. The other members sharing the account do not see it in their account list in Tivoli Identity Manager.

The following steps set up the group sharing account for the help desk team:

1. The Tivoli Identity Manager administrator verifies that Alice has a TAM E-SSO Service A account and that she has an email address (Figure 13 and Figure 14).

Figure 13 Alice is a Tivoli Identity Manager user

Figure 14 Alice has a Tivoli Access Manager for Enterprise Single Sign-On account

2. The Tivoli Identity Manager administrator creates the group sharing account helpDesk_A for the TAM Service in Tivoli Identity Manager and assigns Alice as its owner (Figure 15 and Figure 16).

Figure 15 New group sharing account helpDesk_A

Figure 16 Alice is the owner of the helpDesk_A account

3. The Tivoli Identity Manager administrator creates a Tivoli Identity Manager role called HelpDeskRole_A to control access to the helpDesk_A shared account and assigns Alice as the owner of this role. Alice must also be added as a member of this role (Figure 17, Figure 18, and Figure 19).
Figure 17 Creating the HelpDeskRole_A role - the owner is Alice

Figure 18 Adding Alice as a member of the HelpDeskRole_A role

Figure 19 HelpDeskRole_A is created

4. The Tivoli Identity Manager administrator configures the email notification in the modify operation workflow of the Person entity type so that an email is sent to the role owner (Figure 20).

Figure 20 Email notification to role owner

5. The Tivoli Identity Manager administrator configures the TAM Service to have TAM E-SSO Service A as its prerequisite service and defines its TAM E-SSO Authentication Service ID (Figure 21).

Figure 21 Service setup for TAM Service

6. The Tivoli Identity Manager administrator configures TAM E-SSO Service A with the following group sharing account mapping (Figure 22):

    TAM Service|helpDesk_A|HelpDeskRole_A

Figure 22 Define the group sharing account mapping

Granting access to a group sharing account

Cathy joins Company A as a new member of the help desk team. As part of the new employee process, a Tivoli Identity Manager administrator creates the following accounts for Cathy:

- A Tivoli Identity Manager account
- A Tivoli Access Manager for Enterprise Single Sign-On account

Cathy's job responsibilities require access to the group sharing account helpDesk_A. The Tivoli Identity Manager administrator knows that access to this group sharing account is controlled by the Tivoli Identity Manager HelpDeskRole_A role, and completes the following steps to grant Cathy access to the helpDesk_A account:

1. The Tivoli Identity Manager administrator adds Cathy as a member of the HelpDeskRole_A role (Figure 23 and Figure 24).
Figure 23 Add user members to HelpDeskRole_A

Figure 24 Cathy's personal information

Adding Cathy to the HelpDeskRole_A role triggers an email to Alice requesting that she change the password of the helpDesk_A group sharing account.

2. Alice changes the password of the helpDesk_A group sharing account using the Tivoli Identity Manager administrative console (Figure 25).

Figure 25 Alice changes helpDesk_A account password

The password change on the helpDesk_A group sharing account triggers the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to provision the helpDesk_A account into Cathy's Wallet. Because Alice and Bob, an existing team member, are also members of the HelpDeskRole_A role, the adapter updates the password in Alice's and Bob's Wallets as well. Cathy cannot use the shared account until the password change is completed. Figure 26 shows the helpDesk_A account provisioned into Cathy's Wallet.

Figure 26 Cathy's Wallet

Although the helpDesk_A account has been provisioned into Cathy's Wallet, it does not appear in her account list in Tivoli Identity Manager, because Cathy is not the owner of the account (Figure 27).

Figure 27 Cathy's Identity Manager account list

The account appears only in the account owner's account list; in this case, the group sharing account is listed under Alice's accounts in Tivoli Identity Manager (Figure 28).

Figure 28 Alice's Identity Manager account list

Removing access from a group sharing account

Bob has decided to move from the help desk team to another team within Company A. While Bob was a member of the help desk team, he was given access to the helpDesk_A group sharing account.
This was done by adding Bob as a member of the HelpDeskRole_A role. As part of the employee transfer process, a Tivoli Identity Manager administrator executes the following steps:

1. The Tivoli Identity Manager administrator removes Bob from the HelpDeskRole_A role (Figure 29).

Figure 29 Removing Bob from role membership

This action triggers an email to Alice, who owns both the helpDesk_A account and the HelpDeskRole_A role, requesting that she change the password of the helpDesk_A shared account.

Removing Bob from HelpDeskRole_A also causes the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to remove the helpDesk_A account from Bob's Wallet (Figure 30).

Figure 30 Bob's Wallet

2. Alice changes the password of the helpDesk_A group sharing account through the Tivoli Identity Manager administrative console (Figure 31).

Figure 31 Alice changes the helpDesk_A account password

This step is a precaution taken because an existing member was removed from the HelpDeskRole_A role. The change password operation on the helpDesk_A account causes the adapter to update the password in the Wallets of all remaining role members, here Alice and Cathy, so that any copy of the old credential Bob may still hold no longer works.

Watch out: If the password change is not completed, there is a chance that Bob still has the helpDesk_A credential in his local Wallet until the local AccessAgent synchronizes the Wallet with the IMS Server, after which he no longer has access to the helpDesk_A account. Complete a password change every time the owner of a group sharing account receives an email requesting it.

Changing the owner of a group sharing account

Alice has been promoted to another department in Company A and is leaving the help desk team.
Because Alice will no longer lead the help desk team, she can no longer own the helpDesk_A group sharing account or the HelpDeskRole_A role. Dan takes over as help desk team lead and must become the owner of both the helpDesk_A group sharing account and the HelpDeskRole_A role. The Tivoli Identity Manager administrator completes the steps in this section to remove Alice as the owner of both and to assign ownership of both to Dan.

Important: In this example, Dan is already a member of the HelpDeskRole_A role, and his Wallet already contains the helpDesk_A group sharing account. If that is not the case, Dan must be added as a member before he takes ownership of the group sharing account and the role, because the adopt account operation in Tivoli Identity Manager does not cause the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to populate the group sharing account into Dan's Wallet. Alternatively, after Dan becomes the owner of the HelpDeskRole_A role, he must force a password change on the helpDesk_A account, which causes the adapter to provision the helpDesk_A account into Dan's Wallet.

1. The Tivoli Identity Manager administrator assigns ownership of the helpDesk_A group sharing account to Dan using the Tivoli Identity Manager administrative console (Figure 32). Alice is no longer the owner of the helpDesk_A group sharing account.

Figure 32 Assign helpDesk_A account to user Dan

Important: The helpDesk_A account remains in Alice's Wallet because she is still a member of the HelpDeskRole_A role.

Dan is now the owner of the helpDesk_A account (Figure 33).

Figure 33 Dan is the owner of the helpDesk_A account

2. The Tivoli Identity Manager administrator removes Alice as the owner of the HelpDeskRole_A role (Figure 34) and assigns Dan as its only owner (Figure 35). As Dan was already a member of the help desk team, he is already a member of this role.

Figure 34 Change the owner of the HelpDeskRole_A role

Alice is no longer the owner of the HelpDeskRole_A role; Dan is now both its owner and a member.

Important: The helpDesk_A account still remains in Alice's Wallet, as she is still a member of the HelpDeskRole_A role.

Figure 35 New owner of role HelpDeskRole_A

3. The Tivoli Identity Manager administrator removes Alice as a member of the HelpDeskRole_A role (Figure 36).

Figure 36 Change membership of HelpDeskRole_A role

This triggers an email to Dan, who now owns both the helpDesk_A account and the HelpDeskRole_A role. The adapter removes the helpDesk_A account from Alice's Wallet (Figure 37).

Figure 37 Alice's Wallet

4. As a precaution, Dan changes the password of the helpDesk_A account using the Tivoli Identity Manager administrative console (Figure 38).

Important: If the password change is not completed, there is a chance that Alice still has the helpDesk_A credential in her local Wallet until the local AccessAgent synchronizes the Wallet with the IMS Server, after which she no longer has access to the helpDesk_A account. Complete a password change every time the owner of a group sharing account receives an email requesting it.

Figure 38 Dan changes the helpDesk_A account password

This causes the adapter to update the helpDesk_A password in both Dan's and Cathy's Wallets.

Creation of a new group sharing account

The group sharing account feature is designed to support multiple group sharing accounts across various services.
This means that a group of users can share access to an account for a Tivoli Access Manager service, while at the same time another group of users can share access to an account for a Lotus® Notes® service. This is done by defining the group sharing account mapping in the service form of the Tivoli Access Manager for Enterprise Single Sign-On service. This attribute is a multi-valued attribute.

The group sharing account feature also supports multiple Tivoli Access Manager for Enterprise Single Sign-On services. This means that the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On can manage multiple group sharing accounts for users with multiple Wallets. This is done by defining a Tivoli Access Manager for Enterprise Single Sign-On service as the prerequisite service for an application service.

The following scenario outlines the creation of a new group sharing account on the same Tivoli Access Manager service. The information provided can be applied to any application service.

In Company A, some existing users already have the helpDesk_A shared account in their Wallet. By creating the new helpDesk_B group sharing account and the Tivoli Identity Manager HelpDeskRole_B role, existing team members can be added to the HelpDeskRole_B role to gain access to the helpDesk_B shared account.

After reviewing the help desk team responsibilities, Dan requires a new group sharing account for the TAM Service. Dan submits a request to create a Tivoli Access Manager account with the name helpDesk_B. He also requests that the Tivoli Identity Manager HelpDeskRole_B role be created. This role will be used to manage access to the helpDesk_B shared account. Because Dan submitted the request, he will be assigned as the owner of both the helpDesk_B account and the HelpDeskRole_B role.
To create the new group sharing account, the Tivoli Identity Manager administrator completes the following steps:

1. The Tivoli Identity Manager administrator creates the HelpDeskRole_B role and assigns Dan as its owner. Dan is also added as a member of this role (Figure 39 and Figure 40).

Figure 39 Creating HelpDeskRole_B role - the owner is Dan

Figure 40 Adding Dan as a member of the HelpDeskRole_B role

Dan is now the only owner and a member of the HelpDeskRole_B role.

2. The Tivoli Identity Manager administrator then creates the helpDesk_B group sharing account and assigns Dan as the owner (Figure 41 and Figure 42).

Figure 41 New helpDesk_B group sharing account

Figure 42 Dan is the owner of the helpDesk_B account

The createAccountWithTAMESSO workflow is triggered when the helpDesk_B group sharing account is created. This causes the adapter to look for Dan's Tivoli Access Manager for Enterprise Single Sign-On account. It then provisions the helpDesk_B account to Dan's Wallet.

The adapter uses the prerequisite service attribute to identify Dan's Wallet and provision the group sharing account to it. In this case, TAM E-SSO Service A is defined as the prerequisite service for the TAM Service. The helpDesk_B group sharing account is now added to Dan's Wallet for TAM E-SSO Service A (Figure 43).

Figure 43 Dan's Wallet

3. The Tivoli Identity Manager administrator updates the TAM E-SSO Service A service form by adding the following line to the Group Sharing Account mapping field (Figure 44):

   TAM Service|helpDesk_B|HelpDeskRole_B

Figure 44 Add the group sharing account mapping

This modification ensures that when any new members are added to the HelpDeskRole_B role, the isSharedRole workflow that occurs during a modify operation for a person is triggered.
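The mapping value entered in step 3 is a pipe-delimited triple, service|account|role, and the paper describes what follows when a member of a mapped role is added or removed: one email to the account owner, immediate removal of the credential from a removed member's Wallet (the owner keeps it until the account itself is deleted), no access for a newly added member until the owner changes the password, and, as noted later under "Assigning a user to a number of group sharing accounts", only the first mapped role in a request being named in that email. The following Python script is an added example written for this page; it is not code from the adapter or from the paper. It parses the multi-valued mapping field and models those rules so an administrator can check a person modify request before submitting it. The names SharedAccountMapping, process_person_modify and validate_request, and the sample owners and roles, are constructed for the example; the behaviour encoded is taken from the paper's description.

```python
from dataclasses import dataclass, field

# Added example: a model of the Group Sharing Account mapping and of the
# role-membership notification rules described in this paper. Not adapter code;
# the names below (SharedAccountMapping, process_person_modify, validate_request)
# and the sample data are assumptions constructed for illustration.


@dataclass(frozen=True)
class SharedAccountMapping:
    service: str  # ITIM service that hosts the shared account, e.g. "TAM Service"
    account: str  # shared account name, e.g. "helpDesk_B"
    role: str     # ITIM role that governs access, e.g. "HelpDeskRole_B"


def parse_mapping_field(values):
    """Parse the multi-valued Group Sharing Account mapping attribute.

    Each value has the form  service|account|role  (the format shown in step 3).
    A malformed value raises instead of being skipped, so a typo in the service
    form cannot silently leave a role unmapped and its owner unnotified."""
    mappings = []
    for raw in values:
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed Group Sharing Account mapping: {raw!r}")
        mappings.append(SharedAccountMapping(*parts))
    return mappings


@dataclass
class Outcome:
    emails: list = field(default_factory=list)          # (owner, account): the single email sent
    revoked: list = field(default_factory=list)         # (person, account): credential removed from Wallet now
    pending_access: list = field(default_factory=list)  # (person, account): no access until password change
    warnings: list = field(default_factory=list)        # mapped roles whose owner was not notified


def process_person_modify(person, added_roles, removed_roles, mappings, account_owner):
    """Model the isSharedRole check on a modify operation for a person.

    account_owner maps each shared account to its ITIM owner. The rules are taken
    from the paper's description, not from the adapter source:
      - a removed member loses the credential from the Wallet at once, unless that
        member is the account owner (the owner keeps it until the account is deleted);
      - an added member gets no access until the owner changes the password;
      - one email goes to the owner, naming only the shared account of the first
        mapped role in the request (why the paper allows one such role per request)."""
    by_role = {m.role: m for m in mappings}
    touched = [by_role[r] for r in list(added_roles) + list(removed_roles) if r in by_role]
    out = Outcome()
    if not touched:
        return out  # no mapped role involved: the adapter takes no action
    for m in touched:
        if m.role in removed_roles and account_owner.get(m.account) != person:
            out.revoked.append((person, m.account))
        if m.role in added_roles:
            out.pending_access.append((person, m.account))
    first = touched[0]
    out.emails.append((account_owner[first.account], first.account))
    for m in touched[1:]:
        out.warnings.append(
            f"{m.account}: owner {account_owner[m.account]} was not notified; "
            f"assign {m.role} in a separate request")
    return out


def validate_request(added_roles, removed_roles, mappings):
    """Pre-submission check: a request may touch at most one mapped role.

    Returns (ok, mapped_roles_touched)."""
    shared = {m.role for m in mappings}
    hit = [r for r in list(added_roles) + list(removed_roles) if r in shared]
    return len(hit) <= 1, hit


# Constructed sample data mirroring the Company A scenario after Dan took over.
MAPPING_FIELD = ["TAM Service|helpDesk_A|HelpDeskRole_A",
                 "TAM Service|helpDesk_B|HelpDeskRole_B"]
MAPPINGS = parse_mapping_field(MAPPING_FIELD)
OWNERS = {"helpDesk_A": "Dan", "helpDesk_B": "Dan"}


def demo():
    # Bob is transferred: removed from HelpDeskRole_A in one request.
    bob = process_person_modify("Bob", [], ["HelpDeskRole_A"], MAPPINGS, OWNERS)
    # Cathy is added to both help desk roles in one request: only the first is notified.
    cathy = process_person_modify("Cathy", ["HelpDeskRole_A", "HelpDeskRole_B"], [],
                                  MAPPINGS, OWNERS)
    return bob, cathy


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running the script shows the two outcomes the paper warns about: Bob's credential is revoked at once but Dan must still change the helpDesk_A password, and Cathy's combined request produces one email for helpDesk_A only, with helpDesk_B flagged in the warnings. Calling validate_request on the combined request before submitting it returns ok == False, which is the check an administrator would apply to honour the one-role-per-request rule.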
The workflow invokes an email notification to be sent to Dan. Dan then changes the password for the helpDesk_B group sharing account to grant new members access to this account. New members cannot access the group sharing account until the password change is completed.

Deletion of an existing group sharing account

After a few months, Dan identifies that the helpDesk_B shared account is no longer needed. Dan submits a request to a Tivoli Identity Manager administrator requesting that the helpDesk_B group sharing account be removed. The Tivoli Identity Manager administrator completes the following steps.

Important: Access to the group sharing account is not revoked from all users until all steps have been completed.

1. The Tivoli Identity Manager administrator deletes all members from HelpDeskRole_B (Figure 45).

Figure 45 Remove role members

This causes the Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On to delete the helpDesk_B account credentials from the Wallets of all the removed role members. It also triggers an email to be sent to Dan. The helpDesk_B account is not removed from Dan's Wallet, as he is the owner of the account. Only when the helpDesk_B account is deleted from Tivoli Identity Manager is it removed from Dan's Wallet.

2. The Tivoli Identity Manager administrator deletes HelpDeskRole_B. The HelpDeskRole_B role is successfully deleted. The adapter takes no action during the deletion of a role.

3. The Tivoli Identity Manager administrator removes the group sharing account mapping for the helpDesk_B account from the TAM E-SSO Service A service form (Figure 46).

Figure 46 Delete the group sharing account mapping

4. The Tivoli Identity Manager administrator deletes the helpDesk_B account from Tivoli Identity Manager (Figure 47).

Figure 47 Delete the helpDesk_B account

The helpDesk_B account is successfully deleted. The deleteAccountWithTAMESSO workflow triggers the helpDesk_B account to be removed from Dan's Wallet (Figure 48).

Figure 48 Dan's Wallet

Assigning multiple users to a group sharing account

To assign a group sharing account to a user, the user is added to the role that is associated with this shared account. When a Tivoli Identity Manager administrator assigns multiple users to a role that is associated with a shared account in one request, an email notification is sent to the account owner. The owner can grant all of those users access to the shared account via a single password change request. The email notification does not identify the users added to or removed from the role. The notification only indicates that a role membership change has occurred and that a password change is required on the shared account.

Assigning a user to a number of group sharing accounts

To assign a group sharing account to a user, the user is added to the role that is associated with this shared account. With the group sharing account configuration, the Tivoli Identity Manager administrator must not assign multiple roles to a user in a single request, because only one email notification is sent to the owner to request a password change, and this email identifies only the shared account for the first role assigned. The Tivoli Identity Manager administrator can assign only one role associated with a group sharing account per request for a user.

Conclusion

In this Redpaper publication we introduced the new group sharing account management functionality added to the IBM Tivoli Identity Manager Adapter for Tivoli Access Manager for Enterprise Single Sign-On.
We included a brief overview of the group sharing account management functionality, outlining both supported and unsupported customer deployments. We also provided detailed deployment instructions to ensure a clear understanding of how the functionality is deployed. In conclusion, we discussed the capabilities of the group sharing account management functionality by using detailed use cases for supported scenarios. The group sharing account management functionality reduces the number of accounts that are needed on a target system. It can help reduce the cost of maintaining an excessive number of user accounts by allowing multiple users to share a single account, yet still achieve full functionality.

The team who wrote this paper

This paper was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Ivy Chiu is a software developer at the IBM Australian Development Lab (ADL), Gold Coast. She is an IBM Certified Deployment Professional for IBM Tivoli Identity Manager V5.1. She has four years of experience specializing in the testing and development of IBM Tivoli Identity Manager Adapters. She holds a degree in Information Technology from the Queensland University of Technology, Australia.

Axel Buecker is a Certified Consulting Software IT Specialist at the ITSO, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of software security architecture and network computing technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 24 years of experience in a variety of areas related to workstation and systems management, network computing, and e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.
Thanks to the following people for their contributions to this project:

Anthony Ferguson, Brian Matthiesen, Eng Kiat Koh, Zoran Radenkovic
IBM

Now you can become a published author, too!

Here's an opportunity to spotlight your skills, grow your career, and become a published author—all at the same time! Join an ITSO residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.

Learn more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us! We want our papers to be as helpful as possible. Send us your comments about this paper or other IBM Redbooks® publications in one of the following ways:

Use the online Contact us review Redbooks form found at: ibm.com/redbooks

Send your comments in an email to: redbooks@us.ibm.com

Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400 U.S.A.

Stay connected to IBM Redbooks

Find us on Facebook: http://www.facebook.com/IBMRedbooks

Follow us on Twitter: http://twitter.com/ibmredbooks

Look for us on LinkedIn: http://www.linkedin.com/groups?home=&gid=2130806

Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks weekly newsletter: https://www.redbooks.ibm.com/Redbooks.nsf/subscribe?OpenForm

Stay current on recent Redbooks publications with RSS Feeds: http://www.redbooks.ibm.com/rss.html

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

© Copyright International Business Machines Corporation 2010. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This document REDP-4707-00 was created or updated on December 7, 2010.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

IBM®
IMS™
Lotus Notes®
Lotus®
Notes®
Redbooks®
Redpaper™
Redbooks (logo)®
Tivoli®

The following terms are trademarks of other companies:

Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.