Transcript of Iam
Tivoli Security Focus Areas
• Trusting Identities – customers, partners, employees (known) versus criminals, competitors, hackers (unknown)
• Managing Access
• Securing Services
• Protecting Data
Example business functions shown: Payroll, Online banking, Loan applications, Retail sales, Inventory.
Market positions claimed: Tivoli IAM #1 in this space; ISS Threat Mitigation #1 in this space.
COMPLIANCE: Manage those you know. Protect against those you don't. Prove that you're in control.
© 2010 IBM Corporation
Getting started with Identity and Access Assurance
• Single Sign On & Password Management
• User Provisioning / Role Management (Tivoli Identity Manager)
• Access Attestation
• Security log management & reporting
Diagram: Tivoli Identity Manager links HR Systems / ID stores to the managed targets (Databases, Operating Systems, Applications, Networks & Physical Access, Cisco Secure ACS). Accounts on 70 different types of systems are managed, plus in-house systems & portals.
Access attestation flow (diagram, steps 1 to 5): the Authoritative Identity Source (Human Resources, Customer Master, etc.) feeds the TIM Trusted Identity Store (John C. Doe, Sarah K. Smith); accounts on Business Applications (jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody) are matched to those identities; a Recertification Request is sent to Sarah's Manager; Access Revalidated and Audited.
Typical Enterprise (diagram)
Users (Consumer, Business, Employee/Staff) reach the enterprise over the Internet through a Portal and HTTP Server. Behind them sit Web Apps, Windows Apps, Other Apps, an Enterprise Dir, a WS Gateway, an ESB (SOA) and the HR System. Security data lives in a Web Security Policy Repository and an Identity Repository (Person & Account). Connection types shown: HTTP (incl. SOAP/HTTP) Connection, Web Services Connection, Desktop/Client Connection.
The same diagram is then built up one product at a time:
• Tivoli Identity Manager (TIM): Identity Synchronisation from the HR System, Provisioning, Reconciliation, Workflow & Lifecycle, Entitlement Policy, User Self-service, Identity Store, Reporting, Provisioning Engine; Admin and Auditor roles.
• Tivoli Access Manager for e-business (TAMeb): Web Authentication and Authorization, Web Single Signon; Management Domain with Web Policy Mgmt and Admin(s).
• Tivoli Federated Identity Manager (TFIM): Federated SSO (FedSSO), Authentication & Authorization (A&A) and Identity Mapping; Fed SSO Conf. in the Management Domain.
• Tivoli Security Policy Manager (TSPM): WS Policy Mgmt in the Management Domain and Policy Enforce points.
• Tivoli Access Manager for Enterprise Single Sign-on (TAM E-SSO): Enterprise Single Signon and User Authentication; SSO Policy Mgmt.
• Tivoli Compliance Insight Manager (TCIM): Log Collect from every component, Audit Log Consolidation, Audit Policy Compliance Reporting for the Auditor.
Tivoli Identity Manager automates, audits, and corrects user access rights across your IT infrastructure
Diagram: an identity change (add/del/mod) arrives from HR Systems / Identity Stores; the access policy is evaluated; approvals are gathered; accounts are updated on the managed targets (Databases, Operating Systems, Applications, Networks & Physical Access; accounts on 70 different types of systems managed, plus in-house systems & portals); local privilege settings are detected and corrected.
Reduce Costs
• Self-service password reset
• Automated user provisioning
Simplify Complexity
• Consistent security policy
• Quickly integrate new users & apps
Address Compliance
• Closed-loop provisioning
• Access rights audit & reports
• Know the people behind the accounts and why they have the access they do
• Fix non-compliant accounts
• Automate user privileges lifecycle across entire IT infrastructure
• Match your workflow processes
A phased approach to automating user provisioning with TIM delivers increasing improvements in efficiency and control
The diagram plots ongoing operational labor against one-time policy design investment across three stages:
1. Publish Service Catalog; User Initiates Access Request; Approvals Gathered; Access Provisioned; Periodic Recertification.
2. Define Coarse Roles Plus Optional Access; Update to User Attribute Initiates Access Change; Major Changes Automated, Minor Ones Requested; Access Auto Provisioned, Approvals for Exceptions; Recertify Exceptions Only.
3. Define Role Based Access Control Model & Policies; Automatic Provisioning and Rights Verification.
Improve security and compliance readiness through TIM automated security policy enforcement, audit, and reporting
"30% or more of all accounts are 'orphans'" (Gartner Group)
Diagram: the Authoritative Identity Source (Human Resources, Customer Master, etc.) populates the TIM Trusted Identity Store (John C. Doe, Sarah K. Smith); accounts on Business Applications, Web Applications, Databases and Infrastructure (jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody1) are reconciled against it.
• Compare local privileges to policy (User Entitlement: Policies, Approvals, Recertifications)
• Eliminate orphan accounts
• Flag/Alert/Correct/Suspend
• Audit Reports
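Added example, not TIM's own code or API: a Python reconciliation pass that matches accounts read back from a managed system against the authoritative identity source, compares local privileges to the entitlement policy, and picks the flag/correct/suspend action the slide describes. The persons, groups, policy and the ownership of ackerh05 are constructed for the example.

```python
"""Account reconciliation against an authoritative identity source and an
entitlement policy.  Added example with constructed data; not TIM code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Authoritative identity source (e.g. an HR feed): person -> status and roles.
PERSONS = {
    "John C. Doe": {"status": "active", "roles": {"sales"}},
    "Sarah K. Smith": {"status": "active", "roles": {"sales", "manager"}},
    "Hans Acker": {"status": "terminated", "roles": set()},   # constructed owner
}

# Identity store: which person owns which account id on the managed service.
OWNER: Dict[str, str] = {
    "jcd0895": "John C. Doe", "jdoe03": "John C. Doe", "doej": "John C. Doe",
    "smiths17": "Sarah K. Smith", "Sarah_s4": "Sarah K. Smith",
    "ackerh05": "Hans Acker",
}

# Provisioning policy: local groups each business role entitles a person to.
POLICY = {"sales": {"sales_pipeline"}, "manager": {"sales_pipeline", "approvers"}}

# Risk-based action per finding (the slide's flag/alert/correct/suspend options).
ACTIONS = {"orphan": "suspend", "owner_terminated": "suspend",
           "excess_privilege": "correct", "compliant": None}


@dataclass
class Account:
    account_id: str
    groups: Set[str]        # local privileges as read back from the target
    last_login_days: int    # days since last login, used for dormancy


@dataclass
class Finding:
    account_id: str
    owner: Optional[str]
    status: str             # orphan | owner_terminated | excess_privilege | compliant
    excess: Set[str]        # local privileges not granted by policy
    action: Optional[str]
    dormant: bool


def reconcile(accounts: List[Account], dormant_after_days: int = 90) -> List[Finding]:
    """Classify every reconciled account and decide the corrective action."""
    findings = []
    for acct in accounts:
        owner = OWNER.get(acct.account_id)
        dormant = acct.last_login_days > dormant_after_days
        if owner is None:                                   # nobody claims it
            status, excess = "orphan", set(acct.groups)
        elif PERSONS[owner]["status"] != "active":           # owner has left
            status, excess = "owner_terminated", set(acct.groups)
        else:
            allowed = set().union(*(POLICY.get(r, set()) for r in PERSONS[owner]["roles"]))
            excess = acct.groups - allowed
            status = "excess_privilege" if excess else "compliant"
        action = ACTIONS[status]
        if status == "compliant" and dormant:
            action = "flag"   # compliant but unused: surface it for recertification
        findings.append(Finding(acct.account_id, owner, status, excess, action, dormant))
    return findings


def findings_by_id(accounts: List[Account]) -> Dict[str, Finding]:
    return {f.account_id: f for f in reconcile(accounts)}


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per status, the numbers an audit report would lead with."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f.status] = out.get(f.status, 0) + 1
    return out


# Constructed reconciliation result read back from one managed service.
RECONCILED = [
    Account("jcd0895", {"sales_pipeline"}, 3),
    Account("jdoe03", {"sales_pipeline", "approvers"}, 12),    # not entitled to approvers
    Account("smiths17", {"sales_pipeline", "approvers"}, 1),
    Account("ackerh05", {"sales_pipeline"}, 200),              # owner left the company
    Account("nbody", {"domain_admins"}, 400),                  # no owner at all

]

if __name__ == "__main__":
    for f in reconcile(RECONCILED):
        print(f"{f.account_id:10} {f.status:17} excess={sorted(f.excess)} -> {f.action}")
    print(summary(reconcile(RECONCILED)))
```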
TIM v5.x marks a major milestone in the evolution of identity management
Timeline 2002 to 2008+: Access360 Acquisition; TIM v4.5; TIM v4.6; TIM Express v4.6; TIM for z/OS v4.6; TIM "Quick Start Tools"; TIM v5.0; TIM v5.1.
Phases along the timeline: Invest and Integrate; Ready for Primetime; Serve the Segments; Simplification for the Masses; Identity Governance.
TIM Provides a User Based Console View
• Console designed with more than just system administrators in mind
– Predefined groups, views and security settings (ACIs) optimized for different user types: TIM administrators, help desk assistants, service owners, managers, auditors, end users
– Intuitive user interface only shows users what they need to do their jobs
• Capability to customize default user views and security settings or to create additional views unique for users in your organization
• Service owner dashboard provides quick overview of transaction and adapter status for TIM managed resources
• Manager view is scoped to allow operations for subordinates (profiles, accounts, accesses)
TIM – Examples of user type based views
(Screenshots: the Service Owner sees a 'Dashboard'; Manager's view of their team)
TIM – Support for an Auditor User Type
• Auditor user type
– Auditors are able to run and view reports
– Report ACIs provided to allow other non-administrators, such as an auditor, to run reports that access the audit trail
– "See all, do nothing"
Simplified Policy, Workflow, and Configuration reduces setup time and training
• Wizards help users build:
– Approvals
– Request for Information Nodes
– Email Nodes
– Identity Policies
– Identity Feeds
– Service Definitions
• No need for programming or scripting for simple configuration options
– Defaults to "simple" configuration
– Toggle to "advanced" option to meet complex needs
Policy Simulation and Draft Mode Takes the Guesswork out of Role and Provisioning Policy Updates
Role hierarchy simplifies and expands automation of user access
Customer challenge: Administration of user access can be increasingly complex and time consuming through direct user-permission mapping.
TIM capabilities:
• Establish parent/child role relationships and apply inheritance through role membership
• Add or remove roles as members of other roles
– Parent roles can have multiple children: Physician = parent role; Cardiologist, Radiologist = child roles
– Child roles can have multiple parents: Cardiologist = child role; Physician, Health care practitioner, Employee = parent roles
• Inheritance flows to all objects that use roles: Provisioning policy, Approvals, Role owners
Diagram: Business Roles (Physician with child roles Cardiologist, Radiologist, Oncologist) mapped to IT/Application Roles (Open Patient Record; Record operations & procedures; View patient chronic condition & allergies; View patient procedure & medication history).
Separation of duties enhances security and compliance
Customer challenge: avoiding business conflicts that could heighten risk exposure, e.g. the same person making purchases is also allowed to approve them.
What is Separation of duties (SoD)? The ability to exclude users from having access rights that create a business conflict.
TIM capabilities: provides preventative and detective control over role conflicts by creating/modifying/deleting SoD policies that exclude users from having membership of conflicting roles:
• User cannot be a member of Role A and Role B
• User may not have membership of more than X roles within an accounts receivable process
Upon assigning or requesting access, TIM detects if a conflicting rule is in place and prevents a violation from occurring. The approval workflow process allows for exemptions when a violation occurs. Violations and exemptions are audited via reports, which helps prevent or highlight inappropriate use of privileges.
Separation of duty policy status improves visibility to risk exposure
• Administrative Dashboard
– Provides status of number of Violations and approved Exceptions
• Violations can occur through assignment of a role by a non-interactive process such as an automated identity feed, or when an exception is revoked.
• Violations can be approved/removed to accept/remove the risk
– Drill down to review SoD violation or exception status
– Trigger evaluation to re-examine current status – detective control
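Added example, not TIM code or its API: a Python model of the role hierarchy and the two SoD policy shapes from the slides above (mutual exclusion, and "no more than X roles within a process"), with constructed role names, entitlements and policies. It shows the preventive check run on a role request, the detective check over existing memberships, and why inherited roles have to count when a conflict is evaluated.

```python
"""Role hierarchy with inheritance plus separation-of-duties evaluation.
Added example with constructed roles and policies; not TIM's own code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Child role -> its parent roles.  A child may have several parents and a
# parent several children; membership flows upward (a Cardiologist is a
# Physician, who is a Health care practitioner and an Employee).
PARENTS: Dict[str, Set[str]] = {
    "Cardiologist": {"Physician"},
    "Radiologist": {"Physician"},
    "Oncologist": {"Physician"},
    "Physician": {"Health care practitioner", "Employee"},
    "Purchaser": {"Employee"},
    "Purchase approver": {"Employee"},
}

# IT/application roles attached to business roles; a member of a child role
# inherits everything attached to its ancestor roles.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "Physician": {"Open Patient Record", "Record operations & procedures"},
    "Cardiologist": {"View patient chronic condition & allergies"},
    "Oncologist": {"View patient procedure & medication history"},
    "Purchaser": {"AP: create purchase order"},
    "Purchase approver": {"AP: approve purchase order"},
}


def effective_roles(direct: Set[str]) -> Set[str]:
    """Transitive closure over parent links (safe on diamonds and cycles)."""
    seen: Set[str] = set()
    todo = list(direct)
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        todo.extend(PARENTS.get(role, ()))
    return seen


def effective_entitlements(direct: Set[str]) -> Set[str]:
    out: Set[str] = set()
    for role in effective_roles(direct):
        out |= ENTITLEMENTS.get(role, set())
    return out


@dataclass(frozen=True)
class SodPolicy:
    """max_roles=1 over {A, B} is mutual exclusion; max_roles=X over a set of
    roles is the 'no more than X roles within a process' rule."""
    name: str
    roles: FrozenSet[str]
    max_roles: int = 1


POLICIES = [
    SodPolicy("purchase-vs-approve", frozenset({"Purchaser", "Purchase approver"})),
    SodPolicy("max-two-clinical-specialties",
              frozenset({"Cardiologist", "Radiologist", "Oncologist"}), max_roles=2),
]


def violations(direct: Set[str], policies=POLICIES) -> List[str]:
    """Detective control: policies the user's memberships currently violate.
    Inherited roles count, so a conflict cannot hide behind a parent role."""
    held = effective_roles(direct)
    return [p.name for p in policies if len(held & p.roles) > p.max_roles]


def check_assignment(direct: Set[str], new_role: str,
                     exemptions: Set[str] = frozenset()) -> dict:
    """Preventive control applied when a role is requested or assigned.
    Exemptions are approved exceptions; they let the request through but the
    violation is still reported so the audit trail shows the accepted risk."""
    before = set(violations(direct))
    after = violations(direct | {new_role})
    new = [v for v in after if v not in before]
    blocked = [v for v in new if v not in exemptions]
    return {
        "allowed": not blocked,
        "new_violations": new,
        "exempted": [v for v in new if v in exemptions],
        "needs_exception_approval": blocked,
    }


if __name__ == "__main__":
    print(sorted(effective_entitlements({"Cardiologist"})))
    print(check_assignment({"Purchaser"}, "Purchase approver"))
    print(check_assignment({"Purchaser"}, "Purchase approver", {"purchase-vs-approve"}))
```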
TIM access recertification facilitates compliance
Customer challenge: Compliance – enabling an access validation process for those who can responsibly and accurately make that decision.
TIM capabilities: 3 types of recertification policies to validate continued need for resources:
• Account recertification policies target accounts on specific services
• Access recertification policies target specific accesses (i.e. the business translation of a group – AD group UK3g8saleww_R = sales pipeline portlet)
• User recertification policies (new in v5.1): a type of certification process that combines recertification of a user's role, account and group membership into a single activity
NEW: User recertification delivers consumable compliance
• User recertification activity presents an approver with a single recertification approval activity for multiple resources associated with a given user: static role membership, accounts, groups (whether defined as an Access or not)
• Recertifier specifies a separate decision for each resource and submits a consolidated response
• The impact of recertification decisions can be previewed prior to submission
• Incremental progress can be saved as a draft
• A User Recertification Policy defines a user population, schedule, resource targets, and workflow
– Workflow can be defined using either Simple or Advanced modes
– Simple workflow options include approval participant, rejection notification recipient (if any), rejection action, due date, overdue behavior (new), and notification templates
Self Service Available Tasks / Flows
• Change Passwords
• Configure Forgotten Password Information
• Request Account / Request Account (Advanced)
• Delete Account
• View / Change Account
• Request Access
• View Access
• Delete Access
• View / Change Profile
• View My Requests
• Approve and Review Requests (To-do List)
• Delegate Activities
• Change Expired Password
• Forgotten Password
Self Service Console Features
• Provides Self Service functions for TIM Users
– Users can work on their own accounts, their own profile, their own accesses, their own to-dos, their own passwords
• The user interface can be customized / branded
– Integrate with View configuration to filter the list of tasks available to the user
– UI can be customized to better fit with the theme of the existing corporate look and feel
TIM Manual Services Overview
• Manual Services support the same functions as a "non-manual" Service: account add, delete, modify, suspend, restore, change password, adopt, reconcile, account defaults, etc.
• Manual Service Account requests (add/delete/modify/suspend/restore/change password) generate a "To Do" Activity work item for a participant
• The "To Do" Activity Workflow is automatically defined for the Manual Service when it is created
• The participant performs the necessary "work" and then responds to the work item (SUCCESS/FAIL/WARNING)
Quickly produce comprehensive audit reports
• Predefined reports with filtering and security
• Centralized view of people and privileges
• Track access privileges by person
• Track access privileges by information resource
• Acrobat format for easy viewing and CSV format for custom analysis
Achieve quick value without user provisioning in TIM today
1. Reconciliation – Who has access to what? Identify orphan and dormant accounts – big security exposures!
2. Recertification – Does this user still need this account or access entitlement? Establish an automated process for review and enforcement.
3. Reporting – Prove it. Show auditors who has access to what and how they got it.
Tivoli Identity Manager Information Resources
• IBM Tivoli Identity Manager Product Page
• IBM Tivoli Identity Manager Data Sheet
• TIM 5.1 Announcement Letter
• IBM Tivoli Identity Manager 5.1 Information Center
• IBM IAM Governance Whitepaper: Deliver effective governance for identity and access management
Tivoli integration Breadth and Depth is key to achieving rapid customer value
Industry leading adapters accelerate time to value (broadest support for prepackaged adapters):
• Operating Systems: HP/Compaq Tru64 Unix*, HP-UX, HP-UX NIS*, IBM AIX, IBM i5/OS, OpenVMS*, RedHat Enterprise Linux, Sun Solaris, Sun Solaris NIS*, SuSE Linux Enterprise Server, Windows Local 2000, 2003, XP
• Authentication & Security: IBM RACF zOS*, IBM Tivoli Access Manager*, CA ACF2*, CA Top Secret, Entrust PKI*, RSA ACE/Server**, CA Siteminder, Cisco ACS
• Applications & Messaging: Amdocs ClarifyCRM 12.0 on AIX using DB2*, Documentum eServer*, Lotus Notes/Domino, Windows AD/Exchange 2000, 2003, Novell e-Directory (NDS), Novell GroupWise, Oracle E-Business Suite, PeopleSoft (People Tools), SAP UME 6*, SAP R/3, Siebel*, Peregrine Service Center, Remedy, Quickplace*, LDAP-based Applications (IBM TDS, Sun One)*, Command Line-based Applications, Universal Provisioning*, JDEdwards*, Tandem, IBM Rational Clearcase
• Relational Database: IBM DB2/UDB, Informix Dynamic Server, Oracle, Microsoft SQL Server 2000, 2005, Sybase*, RDBMS Based Apps
• Ready for Tivoli: Citrix Password Manager, Cyber-Ark Network Vault for Passwords, Encentuate TCI for Enterprise, Protocom SecureLogin Password Management, ActivIdentity Trinity Secure Sign-on, Passlogix v-GO Provisioning Manager, Eurekify Sage Discovery and Audit, SecurIT R-Man
Easily Integrate with Homegrown and Niche Applications (fast, adaptable tooling for custom adapters)
• Effectively meet the need to integrate with any home grown applications
• Wizard based approach to quickly build custom TIM adapters: select connector type and connect to the target system; discover and map attributes to manage; choose TIM operations and publish adapter to TIM
• Reduce development time by 75%; requires fewer specialized skills
• Based on Eclipse framework and leverages Tivoli Directory Integrator
Deepest support for critical infrastructure and business applications that go beyond a 'check-box'
TIM standard adapters (not complete):
• Operating systems: Series i, Series z (RACF), Unix/Linux (AIX), Unix/Linux (HP-UX), Unix/Linux (RHEL), Unix/Linux (Solaris), Unix/Linux (SLES), Windows AD, Windows (WinLocal)
• Databases: DB2, Oracle, SQL Server, Sybase
• Infrastructure: LDAP, SAP Netweaver, SAP GRC, TAM Combo, TopSecret, Cisco UCM, TAM ESSO, Siebel (JDB)
• Others: Exchange, Groupwise, Lotus Notes/Domino, Novell, Oracle eBS, PeopleTools, RSA AuthMan (ACE), SAP R/3 (ABAP)
ITIM configuration import / export
• Tivoli Identity Manager features an import / export capability for a number of configuration items
• Promotion of configuration from one environment to another
• Can also be used for backing up configuration items
Quick Wins
Request-based User Provisioning with Approval Workflow: Streamline and accelerate the process of granting, modifying, and removing user accounts throughout your IT infrastructure, while maintaining an effective audit trail for your internal controls. TIM automates the process of end users (or their managers, for example) requesting access to new accounts, notifying required approvers of the request, gathering necessary approvals and information, and provisioning the approved accounts. Supervisors or security administrators can immediately remove unneeded account access as a user switches jobs, or unnecessary access can be automatically removed during the recertification process.
User Self-Care and Password Management: Decrease help desk calls by providing Web self-care interfaces to perform password and personal information changes. TIM's intuitive Web interface provides users the opportunity to update personal information and synchronize their passwords across all their accounts, or reset a forgotten password by successfully answering challenge/response questions.
Out-of-the-Box Reporting and Recertification of User Access Rights: Reduce the time and cost associated with preparing for audits and revalidating user accounts. Automate and streamline your process of validating that each user account is still needed for a valid business purpose. Recertification notification and approval events can be sent to managers, application owners, or security administrators. TIM offers the following reports to assist with audit and compliance demands: Approval process report, Request report, Rejected requests report, Pending request report, Account report, Suspended person report, Dormant account report, Active account report, Services report, Reconciliation report.
Suggested implementation projects: to be discussed, depends on customer priorities (ROI, compliance, automation).
Top 10 reasons to choose IBM Tivoli Identity Manager
1. ITIM provides a built-in, sophisticated workflow engine with drag and drop workflow capabilities within the Web console; workflows are easy to customize, highly customizable via scripts, with API integration with other systems, etc.
2. ITIM supports millions of users in customers' deployments, across thousands of managed systems.
3. IBM is the market leader in Access Management as well as Identity Management.
4. Comprehensive administrative control via industry-leading out-of-the-box adapters.
5. ITIM provides management efficiency through policy simulation and 'what-if' modelling of changes (simulating the effect of policy changes before they are enacted), reporting errors or potential problems, and enabling these to be resolved before they affect live operations.
6. ITIM is the only product to definitively and proactively detect access rights compliance issues. ITIM has flexible, risk-based options (flag, suspend, alert, or correct) to meet compliance goals without impacting business productivity.
7. ITIM provides the ability to customize the language presented to both end users and administrators based on user preferences. This includes challenge and response questions, as well as email notifications.
8. ITIM is the only user provisioning product to have achieved Common Criteria Evaluation Assurance Level 3 (EAL 3) certification.
9. IBM supports a secure interface with RACF on z/OS. ITIM also runs as a server platform on native z/OS.
10. There is no need to learn any proprietary language to develop workflows in ITIM. TIM uses standard JavaScript.
Why IBM?
• Breadth and Depth of Solution: only vendor that delivers breadth of security and compliance capabilities to address infrastructure, applications, information, people and identities
• Extensive Integration: integrates with all types of business data (structured, semi-structured, and unstructured) for addressing information & data security needs and all major application types (web, legacy, and ESB for SOA) for securing business process
• Open Standards: open security platform and leadership in Web Services security, policy management and federated identity
• Product Leadership: analyst attested leadership in markets for user and infrastructure security and compliance software and services
• Best in class System z security: leadership in mainframe security with RACF, zOS security, identity & access and compliance, enabling clients to leverage System z as the enterprise security hub
• A core element of IBM Service Management: security integration with key ITIL processes out of the box: Incident, Problem, Change, Release, SLA, Configuration, Availability
• Breadth of Service Management offering: IBM offers full breadth of end-to-end asset and service management solutions that operate on a common web services infrastructure
IBM Security
– The only security vendor in the market with end-to-end coverage of the security foundation
– 15,000 researchers, developers and SMEs on security initiatives
– 3,000+ security & risk management patents
– 200+ security customer references and 50+ published case studies
– 40+ years of proven success securing the zSeries environment
– 600+ security certified employees (CISSP, CISM, CISA, ..)
Portfolio diagram:
• Audit – SIEM: IBM Tivoli Security Information and Event Manager
• Enforce – authentication, authorization, IPS: IBM Tivoli Access Manager portfolio, IBM Internet Security Systems
• Administer – provision/manage: IBM Tivoli Identity Manager
• Synchronize – meta-directory: IBM Tivoli Directory Integrator
• Store – directory, LDAP: IBM Tivoli Directory Server
Business Solutions - Examples: SAP Architecture
Diagram (Source: SAP (c)): SAP business solutions (ERP, SCM, CRM, SRM, PLM; SAP for Banking: SAP Analytical Banking, SAP Transactional Banking (TRBK), SAP Customer Centric Banking; SAP Retail) run on SAP NetWeaver™, whose layers are People Integration (Multichannel access, Portal, Collaboration), Information Integration (Bus. Intelligence, Master Data Mgmt, Knowledge Mgmt), Process Integration (Integration Broker, Business Process Mgmt) and Application Platform (JAVA, ABAP, DB and OS Abstraction), spanned by the Composite Application Framework and Lifecycle Management.
SAP Pain Points
• No central security functionality for SAP and non-SAP components to manage user identities and access
• Lack of integration with security standards (authentication methods, etc.)
• Security islands in managing access control, centralized rules and audit capabilities
• Multiple Identity Account Problem: each SAP system (SAP ERP, SAP EBP, SAP BW, SAP APO, SAP ...) has its own user data store, and each application brings its own ID
– Each ID does not work with other IDs
– Each ID adds cost and complexity
– Each ID adds business risk to compliance with business, regulatory, legal and security requirements
– SAP application user repositories are not synchronized by default (e.g. NetWeaver vs R/3)
Implementing SAP systems often means significant investment for a critical part of your business. Answering these questions helps to protect your investments:
• Who has access to these systems?
• How do you control access to critical data?
• Do you know if authorized users are improperly exercising their access rights?
• Are you able to efficiently provision user accounts not only to the SAP systems but across the entire enterprise with a single system?
• How do you audit and administer access to critical mainframe resources?
By implementing processes for managing users, their access to IT resources, and being able to prove what they're doing with that access.
Identity & Access Management for SAP
SAP Value Proposition
• Provisioning:
– Quickly set up and/or recertify SAP user account access. Quickly locate and manage invalid SAP user accounts.
• Productivity:
– Increase user productivity through convenient yet secure single sign-on support
• Access and Audit:
– Control access to SAP consistently
Diagram (steps 1 to 5): an SAP HR hire in the Authoritative Identity Source (e.g. SAP HCM/HR; Human Resources, Customer Master, etc.) feeds the TIM Trusted Identity Store (John C. Doe, Sarah K. Smith); the ITIM Approval Workflow and User Provisioning creates the SAP ERP Account; accounts on Business Applications and Cisco Secure ACS (jcd0895, jdoe03, doej, smiths17, Sarah_s4, ackerh05, nbody) are matched to identities; a Recertification Request goes to Sarah's Manager; Access Revalidated and Audited.
SAP – Tivoli Identity Management Integration
Tivoli Identity Manager provides extensive and compliant SAP User Provisioning capabilities for all SAP platforms, and integrates with business control solutions. Accounts on 70 different types of systems are managed (Operating Systems, Databases, Applications).
TIM key features for SAP include:
• Provides SAP HR linkage
• Supports SAP CUA
• Complements SAP user administration with features only provided by TIM, like Closed Loop Policy
• Complete SAP user attribute support (>200)
• Reconciliation of SAP accounts
• SAP ALE/IDoc support through TDI Integration
Additional SAP User Management capabilities through integration via:
• Central user store (Tivoli Directory Server)
• Real-time data synch (Tivoli Directory Integrator)
Tivoli Identity Manager integrates with business control solutions to ensure compliant provisioning and monitoring:
1. An HR event or self-service request initiates a provisioning event.
2. TIM determines the access rights needed across systems and collects approvals.
3. Business Controls check for fine-grained SoD violations.
4. The request is blocked, or mitigating controls are sought.
5. The compliant provisioning request is implemented on the business applications through the adapter.
6. Periodic account reconciliation provides continuous compliance.
Tivoli Compliance Insight Manager (TCIM) monitors and reports on compliance across the whole IT infrastructure, with deep process-level application monitoring.
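Steps 3 and 4 above (a fine-grained SoD check, then block or seek mitigating controls), as an added example that is not Tivoli's or SAP's code. The role names, the role-to-entitlement mapping, the conflict matrix and the mitigating-control catalogue are all constructed for illustration; what the example shows is that the check must run against the access the user will hold after provisioning, not only against the roles in the current request.

```python
"""Added example (not IBM's code): a provisioning request passed through a
fine-grained segregation-of-duties (SoD) gate before it is fulfilled.
Role names, the conflict matrix and the mitigating controls below are
constructed for illustration."""
from dataclasses import dataclass, field
from itertools import product

# Constructed SoD conflict matrix: pairs of entitlements that may not be
# held by the same person (classic purchase-to-pay conflicts).
SOD_CONFLICTS = {
    frozenset({"SAP:CREATE_VENDOR", "SAP:POST_PAYMENT"}),
    frozenset({"SAP:CREATE_PO", "SAP:APPROVE_PO"}),
    frozenset({"SAP:MAINTAIN_BANK_DATA", "SAP:POST_PAYMENT"}),
}

# Constructed catalogue of mitigating controls: a conflict listed here may be
# allowed if the named control is attached to the request and approved.
MITIGATING_CONTROLS = {
    frozenset({"SAP:CREATE_PO", "SAP:APPROVE_PO"}): "monthly PO review by finance manager",
}

# Constructed role-to-entitlement mapping (what TIM would expand a role into).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"SAP:CREATE_VENDOR", "SAP:POST_INVOICE"},
    "TREASURY": {"SAP:POST_PAYMENT"},
    "BUYER": {"SAP:CREATE_PO"},
    "PURCHASING_MGR": {"SAP:APPROVE_PO"},
}

@dataclass
class Decision:
    status: str                      # "approved", "blocked" or "needs_mitigation"
    conflicts: list = field(default_factory=list)
    controls: list = field(default_factory=list)

def expand(roles):
    ents = set()
    for r in roles:
        ents |= ROLE_ENTITLEMENTS[r]
    return ents

def sod_check(existing_roles, requested_roles, approved_controls=()):
    """Evaluate requested roles against the user's existing roles.

    A conflict is raised whenever a requested entitlement pairs with any
    entitlement the user will hold after provisioning (existing + requested),
    so toxic combinations accumulated across several requests are caught too.
    """
    have = expand(existing_roles)
    want = expand(requested_roles)
    after = have | want
    found = []
    for a, b in product(want, after):
        pair = frozenset({a, b})
        if a != b and pair in SOD_CONFLICTS and pair not in found:
            found.append(pair)
    if not found:
        return Decision("approved")
    unmitigated = [p for p in found
                   if MITIGATING_CONTROLS.get(p) not in approved_controls]
    if not unmitigated:
        return Decision("approved", found, [MITIGATING_CONTROLS[p] for p in found])
    # A conflict with no known control blocks the request outright; if every
    # open conflict has a control in the catalogue, ask for it instead.
    if all(p in MITIGATING_CONTROLS for p in unmitigated):
        return Decision("needs_mitigation", unmitigated,
                        [MITIGATING_CONTROLS[p] for p in unmitigated])
    return Decision("blocked", unmitigated)

if __name__ == "__main__":
    print(sod_check({"AP_CLERK"}, {"TREASURY"}))      # blocked
    print(sod_check({"BUYER"}, {"PURCHASING_MGR"}))   # needs_mitigation
    print(sod_check({"BUYER"}, {"PURCHASING_MGR"},
                    approved_controls={"monthly PO review by finance manager"}))  # approved
```

The three calls at the bottom correspond to the three outcomes of step 4: a clerk who can create vendors asking for payment posting is blocked, a buyer asking for PO approval is held until the compensating control is approved, and the same request with the control attached goes through with the control recorded on the decision for the audit trail.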
SAP – Tivoli Access Management Integration

Tivoli Access Manager provides a consistent, secure access control and security enforcement point for SAP resources and applications.

TAMeb key features include:
– Policy-based access control security solution for e-business and enterprise applications
– Single access control model for operating systems, middleware, and applications including SAP
– Authentication and single sign-on to SAP using SAP Login Ticket and Kerberos technology
– Tivoli Access Manager for Enterprise Single Sign-On includes integration for SAPGUI SSO, supporting client desktop security

(Figure: IBM Tivoli Access Manager, backed by LDAP, in front of operating systems, databases and applications; components: Access Manager for e-business, Access Manager for Business Integration, Access Manager for Operating Systems, Access Manager for Enterprise Single Sign-on.)
SAP – Tivoli Federated Identity Management Integration

IBM Tivoli Federated Identity Manager provides inter-enterprise user lifecycle management including SAP systems and applications. TFIM extends SAP identity and access management to partner and customer IT infrastructure (multi-domain IAM).

– SAML integration: single sign-on via SAML Browser Artifact
– Integrates with SAP NetWeaver AS Java based applications (SAP J2EE Engine, SAP Portal)
– SAP Token Trust Module (STS – Secure Token Service for SAP Login Ticket)

(Figure: a multi-protocol federation gateway (TAM + TFIM) lets partners using WS-Federation, Liberty, SAML or WS-Security exchange "identity" with the SAP, WebSphere and MS .NET platforms.)

IBM Tivoli is the first vendor to receive SAP certification for the SAP BC-AUTH-SAML interface.
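The SAML Browser Artifact single sign-on listed above, as an added example that is not IBM's or SAP's code. Both sides are simulated in-process: the federation gateway acting as identity provider issues a SAML 1.x type-1 artifact (2-byte type code, 20-byte SourceID that is the SHA-1 of the issuer name, 20-byte random assertion handle), the SAP-side service provider receives it from the browser, and resolves it over what in reality is a mutually authenticated SOAP back-channel but here is a direct call. The issuer names, the assertion payload and the time-to-live are assumptions; the security properties shown (artifact tied to a trusted source, single use, expiring) are the ones a practitioner should check in any deployment.

```python
"""Added example (not IBM's or SAP's code): the SAML 1.x Browser/Artifact
profile in miniature. The identity provider and the service provider are
simulated in-process; issuer names, the assertion payload and the
"back-channel" function call are constructed for illustration."""
import base64
import hashlib
import os
import time

TYPE_CODE = b"\x00\x01"          # SAML 1.x artifact type 1

def source_id(issuer: str) -> bytes:
    """SourceID = SHA-1 of the identity provider's identifier (20 bytes)."""
    return hashlib.sha1(issuer.encode()).digest()

class IdentityProvider:
    def __init__(self, issuer: str):
        self.issuer = issuer
        self._pending = {}           # assertion handle -> (assertion, expiry)

    def issue_artifact(self, subject: str, ttl: int = 60) -> str:
        handle = os.urandom(20)      # 20-byte AssertionHandle, unguessable
        # Constructed assertion payload; a real one is a signed XML assertion.
        assertion = {"issuer": self.issuer, "subject": subject,
                     "issued": int(time.time())}
        self._pending[handle] = (assertion, time.time() + ttl)
        return base64.b64encode(TYPE_CODE + source_id(self.issuer) + handle).decode()

    def resolve(self, handle: bytes):
        """Back-channel artifact resolution: single use, time-limited."""
        entry = self._pending.pop(handle, None)   # pop => a second resolve fails
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if time.time() <= expiry else None

class ServiceProvider:
    def __init__(self, trusted):
        # SourceID -> IdentityProvider (in practice a metadata lookup and a
        # mutually authenticated SOAP call; here a direct method call)
        self._trusted = {source_id(idp.issuer): idp for idp in trusted}

    def consume(self, artifact_b64: str):
        raw = base64.b64decode(artifact_b64)
        if len(raw) != 42 or raw[:2] != TYPE_CODE:
            raise ValueError("malformed artifact")
        sid, handle = raw[2:22], raw[22:]
        idp = self._trusted.get(sid)
        if idp is None:
            raise ValueError("artifact from untrusted source")
        assertion = idp.resolve(handle)
        if assertion is None:
            raise ValueError("artifact unknown, expired or already used")
        return assertion

def demo():
    idp = IdentityProvider("https://idp.example.org/fim")
    sp = ServiceProvider([idp])
    art = idp.issue_artifact("jdoe")          # travels in the SAMLart query parameter
    first = sp.consume(art)
    try:
        sp.consume(art)                       # replay of the same artifact
        replayed = True
    except ValueError:
        replayed = False
    return first["subject"], replayed

if __name__ == "__main__":
    print(demo())   # ('jdoe', False)
```

Because only the opaque artifact crosses the browser, the assertion itself never appears in a URL or referrer; the service provider still has to verify the resolved assertion (signature, audience, validity window) before creating a session, which the constructed payload above does not model.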
SAP – Tivoli Compliance Management Integration

IBM Tivoli Compliance Insight Manager (TCIM): watching users as they access systems and information. It integrates SAP application security monitoring into an enterprise security compliance dashboard with in-depth (privileged) user monitoring capabilities.

SAP ERP and NetWeaver internal Security Audit Log data is read by a TCIM actuator, then processed and standardized along with other enterprise-wide security data (firewalls, operating systems, database applications, etc.).

TCIM key features:
– Unique ability to monitor user behavior
– SAP supported on various platforms through Transaction Audit and Security and via the SAP Security Audit Log
– Monitor SAP application and transaction activity
– Map SAP log and audit trail collection to compliance management modules and regulation-specific reports
– Compare SAP transaction behavior to regulatory and company policies
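The two stages described above, normalising SAP Security Audit Log events with another source and then comparing transaction behaviour with policy, as an added example that is not TCIM's code. The log lines and their layout are constructed (the real Security Audit Log layout differs and is what the actuator reads), and so are the user-to-role mapping, the allowed-transaction policy and the failed-logon threshold.

```python
"""Added example (not TCIM's code): normalising SAP Security Audit Log
events together with a firewall source into one event schema, then comparing
SAP transaction activity with a policy. Log lines, their layout, the
user-to-role mapping and the policy are all constructed for illustration."""
import re
from collections import Counter

# Constructed "SAP audit log" lines: date time user terminal transaction outcome
SAP_LOG = """\
20100503 081501 JDOE WS0012 VA01 OK
20100503 081733 JDOE WS0012 SE16 OK
20100503 082010 SMITHS WS0044 SU01 OK
20100503 082455 SMITHS WS0044 SU01 OK
20100503 083102 NBODY WS0099 LOGON FAIL
20100503 083110 NBODY WS0099 LOGON FAIL
20100503 083118 NBODY WS0099 LOGON FAIL
"""

# Constructed firewall lines in a different layout, to show normalisation.
FW_LOG = """\
May  3 08:16:00 fw01 DROP src=10.1.1.7 dst=10.2.0.5 dport=3200 user=-
"""

SAP_RE = re.compile(r"(\d{8}) (\d{6}) (\S+) (\S+) (\S+) (OK|FAIL)")
FW_RE = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)")

def normalise(sap_text: str, fw_text: str):
    """Map both sources onto the same who/what/where/outcome record."""
    events = []
    for line in sap_text.splitlines():
        m = SAP_RE.match(line)
        if m:
            d, t, user, term, tcode, outcome = m.groups()
            events.append({"source": "sap", "when": f"{d}{t}", "who": user,
                           "what": tcode, "where": term, "outcome": outcome})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            when, host, verdict, src, dst, dport = m.groups()
            events.append({"source": "firewall", "when": when, "who": src,
                           "what": f"tcp/{dport}", "where": host,
                           "outcome": "OK" if verdict == "ACCEPT" else "FAIL"})
    return events

# Constructed policy: which SAP transactions each role may run, and who is what.
POLICY = {"sales": {"VA01", "VA02"}, "useradmin": {"SU01", "PFCG"}}
USER_ROLE = {"JDOE": "sales", "SMITHS": "useradmin"}
FAILED_LOGON_THRESHOLD = 3

def findings(events):
    """Compare SAP activity with the policy; return (rule, user, detail) tuples."""
    out = []
    fails = Counter()
    for e in events:
        if e["source"] != "sap":
            continue
        if e["what"] == "LOGON":
            if e["outcome"] == "FAIL":
                fails[e["who"]] += 1
            continue
        allowed = POLICY.get(USER_ROLE.get(e["who"], ""), set())
        if e["what"] not in allowed:
            out.append(("transaction_outside_role", e["who"], e["what"]))
    for user, n in fails.items():
        if n >= FAILED_LOGON_THRESHOLD:
            out.append(("repeated_failed_logon", user, n))
    return out

if __name__ == "__main__":
    for f in findings(normalise(SAP_LOG, FW_LOG)):
        print(f)
```

The normalised schema is what makes the second stage cheap: the policy comparison never has to know which source a record came from, and a user who browses a table with SE16 outside the sales role is reported by the same rule whether the evidence arrived from the audit log or, in a fuller build, from transaction auditing.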
FIDUCIA simplifies user control and enhances security for SAP solutions with IBM Tivoli

Business challenge: Fiducia needed effective and centralized user management. Their goal is cost savings, a transparent user administration workflow and single sign-on to their systems. Their major systems to manage are SAP CUA and SAP HR.

Solution: IBM Tivoli Identity Manager, IBM Tivoli Access Manager for e-business

Business benefits:
– Reduce support effort by implementing an identity management solution that can serve on-demand authorization requests
– Eliminate the effort of user administration tasks on target systems
– Implement a provisioning workflow starting at SAP HR and including the SAP target systems
Tivoli Security SAP Integrations

Tivoli Product | Tivoli Security for SAP Integration Solution | SAP Interface
Tivoli Access Manager for e-Business | Adapter for SAP NetWeaver AS JAVA (Portal); Adapter for SAP Internet Transaction Server; Adapter for SAP NW AS ABAP (R/3, ERP, BW, etc) | SAP Login Ticket, PAS, SNC
Tivoli Access Manager for Enterprise Single Sign-On | Encentuate TAMESSO V8 / Encentuate SAP SSO Profile | SAPGUI
Tivoli Compliance Insight Manager | Actuator for SAP NW AS ABAP (R/3, ERP, BW, etc); Adapter for SAP Business Objects Enterprise XI | SAP Security Audit Log
Tivoli Directory Integrator | Function Component for SAP NW AS ABAP (R/3, ..); Connector for SAP NW AS ABAP User Registry; Connector for SAP HCM/HR BOR; Connector for SAP NW AS ABAP ALE/IDoc; SPML Connector for SAP NW AS JAVA SPML (Prototype) | SAP NW AS ABAP defined RFC/BAPI, JCo, ALE/IDoc; SAP NW AS JAVA UME, SPML 1.0
Tivoli Directory Server | SAP NetWeaver AS JAVA (UME, Portal); SAP NetWeaver AS ABAP User Registry | BC-USR-LDAP, UME, SAP LDAP Connector
Tivoli Federated Identity Manager | Adapter for SAP NW AS JAVA (Portal); STS Trust Module | BC-AUTH-SAML, SAML 1.0/1.1; SAP Login Ticket
Tivoli Identity Manager | Adapter for SAP NW AS ABAP (CUA); Adapter for SAP NW AS JAVA (UME, Portal); Adapter for SAP GRC Access Control (Virsa) | RFC/customized BAPI (TIVSECTY namespace); SAP Security API; SAP GRC Access Enforcer, Web Services
IBM and SAP Partnership – Qualified, Awarded, Proven.
– Certified in four main SAP partner categories
– Awarded multiple SAP Awards of Excellence and 13 SAP Pinnacle Awards
– SAP Award of Excellence for IBM: 2005: 2 awards; 2006: 2 awards; 2007: 3 awards; 2008: 3 awards
– IBM itself is one of the largest productive SAP users: 20,000+ SAP production users, mixed release levels, all on IBM hardware; improved bookings efficiency by 40%, increased labor productivity by 15%, reduced server build cycle times by 30%
Tivoli Directory Integrator
• A real-time, event-driven, general-purpose data integration environment consisting of:
– A rapid development GUI for building and maintaining transformation and synchronization rules
– A multi-threaded server that executes rules and monitors events

(Figure: TDI instances on AIX and Linux connecting MQ, directories, a mainframe, .NET, web services, databases, files and Lotus Domino.)

Connecting data in systems
• Moves, copies and transforms data between systems
– The unique AssemblyLine methodology provides unparalleled speed of deployment, development and maintenance
– Maps between schemas and attributes of the connected systems
– The combined attribute flow and transformation rules create the output for the target systems
– Supports JavaScript as the scripting language for business logic and exception handling
Technology Architecture

(Figure: parsers (HTML, CSV, XML, LDIF, SOAP, custom) and connectors (directory, queuing, databases, web services, SOAP, custom IP protocols, files) feed the TDI rule engine, which reacts to events and runs AssemblyLines; a graphical development and testing environment sits on top.)
TDI as a bundled component
• Lotus Domino 8 & Lotus Connections
• WebSphere RFID Information Center
• Tivoli Identity Manager
• CCMDB & TADDM
• Tivoli Access Manager (TAMeb)
• Tivoli Directory Server
• Federated Identity Manager
• ...and more coming
TDI Deployed Scenarios
• Directory & password synchronization
– IBM (Blue Pages, w3 intranet, ibm.com) + numerous clients
• SOA & Enterprise Service Bus on-ramp/off-ramp
– TDI + MQ
• Portal & WebSEAL authentication extension
– TAMeb bundle and custom Portal deployments
• Web services
– FIM deployments, integration to ERP systems
• Database integration
– Rational, CM/LM, WebSphere II at US Gov't intel agencies
• Custom application development
– Dynamic Crisis Team Management (CWID) for US Homeland Security
• Service desk integration
– CCMDB connection to Remedy and Peregrine
• Mail integration
• ...
Rapid Integration Development
• Isolate a single data flow.
• Identify the data access method (API, protocol, transport, format...)
• Click suitable components together (quickly & easily create new ones as needed)

A collection of components that form a continuous path from source(s) to target(s) is called an AssemblyLine.

(Figure: an XML file through the FileSystem Connector and an SQL database through the JDBC Connector, combined in an AssemblyLine that produces the target solution.)
    <?xml version="1.0" ?>
    <DocRoot>
      <Entry>
        <department>School Of Nursing</department>
        <Title>Adjunct Instructor</Title>
        <Birthday>1958-12-23</Birthday>
        <affiliationcode>volunteer</affiliationcode>
        <degrees>BS</degrees>
        <FullName>L Adowski,</FullName>
      </Entry>
      <Entry>
        <department>FSA - Food And g</department>
        <Title>Service Employee</Title>
        <Birthday>1977-02-08</Birthday>
        <affiliationcode>staff</affiliationcode>
        <degrees>-</degrees>
        <FullName>C Agocha,</FullName>
      </Entry>
    </DocRoot>
SQL Database, LDAP Directory, XML Document

Step 1. Migrate SQL DB to XML: SQL database → JDBC Connector → AssemblyLine → FileSystem Connector with XML Parser → XML document.

Step 2. Join from LDAP: add the LDAP directory through an LDAP Connector to the same AssemblyLine, so each record read from the SQL database is enriched with directory attributes before it is written to the XML document.
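The two-step AssemblyLine above (SQL to XML, then a join from the directory), as an added example written in plain Python rather than as a TDI configuration; it is not TDI's code. The table rows and the directory entries are constructed and held in memory (an sqlite3 database stands in for the JDBC Connector, a dict for the LDAP Connector in lookup mode), and the column and attribute names are assumptions. The one thing worth taking from it beyond the slide is the handling of a missing directory entry: the join either fails the flow or explicitly skips the enrichment, rather than silently emitting a half-populated record.

```python
"""Added example (not TDI's code): the two-step AssemblyLine from the slides.
Step 1 reads rows from an SQL database and writes them as XML; step 2
enriches each entry with attributes joined from a directory. Rows and
directory entries are constructed; names of columns/attributes are assumed."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed source data: what the JDBC Connector would iterate over.
ROWS = [
    ("ladowski", "School Of Nursing", "Adjunct Instructor", "1958-12-23", "volunteer", "BS"),
    ("cagocha", "FSA - Food Services", "Service Employee", "1977-02-08", "staff", "-"),
]

# Constructed directory: what the LDAP Connector in lookup mode would return.
DIRECTORY = {
    "ladowski": {"cn": "L Adowski", "mail": "ladowski@example.edu"},
    "cagocha": {"cn": "C Agocha", "mail": "cagocha@example.edu"},
}

def open_source_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(uid TEXT PRIMARY KEY, department TEXT, title TEXT, "
                "birthday TEXT, affiliationcode TEXT, degrees TEXT)")
    con.executemany("INSERT INTO staff VALUES (?,?,?,?,?,?)", ROWS)
    return con

def step1_sql_to_xml(con) -> ET.Element:
    """Step 1: iterate the SQL table and map columns to XML elements."""
    root = ET.Element("DocRoot")
    cur = con.execute("SELECT uid, department, title, birthday, affiliationcode, degrees "
                      "FROM staff ORDER BY uid")
    for uid, dept, title, bday, aff, deg in cur:
        e = ET.SubElement(root, "Entry")
        e.set("uid", uid)             # kept as the join key for step 2
        ET.SubElement(e, "department").text = dept
        ET.SubElement(e, "Title").text = title
        ET.SubElement(e, "Birthday").text = bday
        ET.SubElement(e, "affiliationcode").text = aff
        ET.SubElement(e, "degrees").text = deg
    return root

def step2_join_ldap(root: ET.Element, directory=DIRECTORY, strict=True) -> ET.Element:
    """Step 2: look each entry up in the directory by uid and add FullName/mail.

    strict=True fails the flow on a missing directory entry instead of
    silently emitting a partial record (the AssemblyLine 'on no match' hook).
    """
    for e in root.findall("Entry"):
        person = directory.get(e.get("uid"))
        if person is None:
            if strict:
                raise LookupError(f"no directory entry for {e.get('uid')}")
            continue
        ET.SubElement(e, "FullName").text = person["cn"]
        ET.SubElement(e, "mail").text = person["mail"]
    return root

def run() -> str:
    root = step2_join_ldap(step1_sql_to_xml(open_source_db()))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(run())
```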
TDI 6.1.1 Server – component catalog (JVM on Windows, Linux, AIX, iSeries, z/OS, Sun, HP)
– Web services: Axis Easy Web Service Server Connector; Axis Easy Web Service Invoke; Axis Java-to-Soap; Invoke Soap Web Service; Axis Soap-to-Java; Complex Types Generator; Wrap Soap; DSMLv2 SOAP Connector; DSML v2 SOAP Server Connector
– Directories: LDAP Connector; LDAP Server Connector; Generic JNDI Connector; Tivoli Access Manager Connector; Windows Users and Groups Connector; Active Directory Changelog Connector v2; IBM Directory Server Changelog Connector; Netscape/iPlanet Changelog Connector; z/OS LDAP Changelog Connector
– Databases and stores: JDBC Connector; RDBMS Changelog Connector; BTree Connector; Properties Connector; SystemStore Connector
– Events and monitoring: JMX Connector; SNMP Connector; SNMP Server Connector; TCP Connector; TCP Server Connector; Active Correlation Technology Connector; Generic Log Adapter Connector; RAC Connector; Entry to CommonBaseEvent Function; Timer Connector; Server Notifications Connector
– AssemblyLine: AssemblyLine Connector; AssemblyLine Function Component
– Enterprise applications: PeopleSoft Connector; Siebel Connector; SAP ALE IDoc Connector; SAP R/3 Business Object Repository; SAP R/3 User Registry; SAP R/3 RFC Functional Component; Remedy/Peregrine/CCMDB tickets; CCMDB; Netcool; RSS
– Mail and collaboration: Domino Change Detection Connector; Domino Users Connector; Lotus Notes Connector; Exchange Changelog Connector; Mailbox Connector; SendEMail Function Component
– Identity Manager: TIM DSMLv2 Connector; ITIM Agent Connector
– EMF: EMF SDOToXML Function Component; EMF XMLToSDO Function Component
– Parsers: CSV Parser; DSML v1 Parser; DSML v2 Parser; Fixed Record Parser; HTTP Parser; LDIF Parser; Line Reader/Writer; SOAP Parser; Script Parser; Simple Parser; XML Parser; XML Sax Parser; XSL based XML Parser
– Scripting and commands: Script Connector; Generic Java Method; Parser FC; Scripted Function Component; Remote Command Line Function Component; z/OS TSO/E Command Line Function Component; Command Line Connector
– Memory: Memory Queue FC; MemQ Connector; Memory Stream Connector
– Files and transport: File System Connector; FTP Client Connector; URL Connector; HTTP Client; HTTP Server Connector
– Messaging: IBM MQ Series Connector; JMS Pub/Sub Connector; MQe Password Store Connector; System Queue Connector
Many custom components are downloadable from OPAL or tdi-users.org or on request.

(Figure: a file connector reads data and changes from a source file in any format; TDI writes through any connector to a file in another format, a database, a directory (LDAP) or another target.)
TDI has the capability to detect changes in the source data each time it reads from it. For example, an HR report might not contain information about changes, only a snapshot of the entire employee database. TDI is able to determine the change from previous versions and only propagate added, changed and deleted records.

Custom filtering, mapping, transformation and enrichment augment BIRT's own JavaScript capabilities, optionally adding extra lookup connectors to add correlated data. Other sources as well: HTTP, JMS/MQ, web services, SNMP, SMTP/email, TCP.
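The snapshot-based change detection described above, as an added example that is not TDI's code. A per-record digest from the previous run is kept as the delta store; the next full export is compared against it and only add, modify and delete events are emitted. The two CSV snapshots and their column names are constructed. Note the digest is computed over the attribute values in sorted key order, so an export whose columns have been reordered does not register as a mass modification.

```python
"""Added example (not TDI's code): change detection on a full-snapshot feed.
An HR export contains the whole employee table every time; the code keeps a
per-record digest from the previous run and emits only add/modify/delete
events. The two CSV snapshots are constructed; the column names are
assumptions."""
import csv
import hashlib
import io

SNAPSHOT_MONDAY = """employeeid,name,department,status
1001,Jane Doe,Finance,active
1002,Sam Lee,IT,active
1003,Ana Ruiz,HR,active
"""

SNAPSHOT_TUESDAY = """employeeid,name,department,status
1001,Jane Doe,Treasury,active
1002,Sam Lee,IT,active
1004,Omar Khan,IT,active
"""

def digest(record: dict, key: str) -> str:
    # Hash the attribute values in a stable order, ignoring the key column,
    # so reordering columns in the export does not register as a change.
    items = sorted((k, v) for k, v in record.items() if k != key)
    return hashlib.sha256(repr(items).encode()).hexdigest()

def load(snapshot_text: str, key: str) -> dict:
    return {row[key]: row for row in csv.DictReader(io.StringIO(snapshot_text))}

def compute_delta(previous_state: dict, snapshot_text: str, key: str = "employeeid"):
    """Return (events, new_state).

    previous_state maps key -> digest from the last run (the delta store);
    events is a list of (operation, key, record) with operation in
    add/modify/delete; new_state replaces previous_state for the next run.
    """
    current = load(snapshot_text, key)
    new_state = {k: digest(r, key) for k, r in current.items()}
    events = []
    for k, r in current.items():
        if k not in previous_state:
            events.append(("add", k, r))
        elif previous_state[k] != new_state[k]:
            events.append(("modify", k, r))
    for k in previous_state:
        if k not in current:
            events.append(("delete", k, None))
    return events, new_state

def run():
    events1, state = compute_delta({}, SNAPSHOT_MONDAY)      # first run: everything is an add
    events2, state = compute_delta(state, SNAPSHOT_TUESDAY)  # second run: only the diff
    return events1, events2

if __name__ == "__main__":
    for ev in run()[1]:
        print(ev)
```

The delete event carries no record, only the key: by the time the snapshot is processed the source no longer knows the employee, so the downstream deprovisioning has to be driven by the key alone.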
Adapter framework for ITIM (Tivoli Identity Manager)

TIM manages the life cycle of users in the enterprise IT systems. TIM services call the TIM operations handler, which runs the adapter AssemblyLines (TDI logic and connectors) against each target system. The field and customers are enabled by being able to modify the adapters in the field.
Community Resources
Besides the standard IBM sites (product, documentation and support home pages) there are:
• The TDI "RabbitHole" website with examples, documentation, links to videos (showing how a connector/integration is built), step-by-step learning of TDI and much more.
http://www.tdi-users.org
See in particular:
– http://www.tdi-users.org/twiki/bin/view/Integrator/WebHome
– http://www.tdi-users.org/twiki/bin/view/Integrator/LearningTDI
– http://www.tdi-users.org/twiki/bin/view/Integrator/IsmPage (Service Management Integration)
• TDI Redbooks
– http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=Directory+AND+Integrator
• OPAL (Open Process Automation Library), search for Directory Integrator. Finished connectors and integrations are published here by IBM, customers and others.
– http://www-01.ibm.com/software/brandcatalog/portal/opal/
• TDI newsgroup
– news://news.software.ibm.com/ibm.software.network.directory-integrator
• Google Groups discussions
– http://groups.google.com/group/ibm.software.network.directory-integrator/topics
– http://sites.google.com/site/tdi7islive/
• TDI 90-day trial download
– https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-itdid
• !! Participate and Share !!
TIM 5.1 Server Support
• AIX V5.3, V6.1
• Sun Solaris 10 (SPARC)
• Windows Server 2003 R2 Standard Edition and Enterprise Edition
• Windows Server 2008 R2 Standard Edition and Enterprise Edition
• Red Hat Enterprise Linux 4 update 4 for Intel, System p, and System z
• Red Hat Enterprise Linux 5 for Intel, System p and System z
• SUSE Linux Enterprise Server 10.0, 11.0 for Intel, System p and System z
TIM 5.1 Middleware Support
Database:
• IBM DB2 Enterprise V9.5 fix pack 3b, V9.7 (for all supported operating systems except 32-bit Linux and Linux on System p)
• IBM DB2 Enterprise V9.1 fix pack 4
• Oracle Database 10g Release 2
• Oracle Database 11g
• Microsoft SQL Server 2005 Enterprise Edition
WebSphere:
• IBM WebSphere Application Server Network Deployment V6.1 fix pack 23, V7.0
Directory servers:
• IBM Tivoli Directory Server V6.1 and V6.2 fix pack 1
• Sun Java System Directory Server Enterprise Edition 6.3
Upgrades: TIM application upgrade from version 4.6 or 5.0 is supported
Tivoli Directory Integrator:
• IBM Tivoli Directory Integrator V6.1.1 fix pack 6
• IBM Tivoli Directory Integrator V7.0

TIM – Client support
Browsers supported: Internet Explorer 7.0, 8.0; Mozilla Firefox 2.0, 3.0

Scaling/failover/HA
In this configuration there are two or more application server instances, each serving a separate ITIM application under the control of the WebSphere Network Deployment Manager. There can also be separate servers running the Directory Server (LDAP) and Relational Database (RDBMS) software, and possibly separate servers for directory and database replication. Such configurations can be used to scale ITIM in larger organizations and/or for failover/HA. If HA is wanted, two WAS servers and two database/directory servers would be appropriate.
Desktop Password Reset Assistant for Identity Manager

DPRA features:
• Provides self-service Windows password unlock without a password change
• Provides self-service password reset and password synchronization with all accounts
• Authentication using the secure challenge-response features of Identity Manager
• Integration with TAM ESSO through the TAM ESSO provisioning adapter (updates passwords in the user's wallet)
• Translated and double-byte support
• Customizable logos and backgrounds

The combination of ITIM and the DPRA provides a comprehensive password management solution for end users.

Scenario: Susan forgets her Windows password. Using TIM self-service alone she would need to access a browser on another workstation, as she cannot log in to the system. With TIM and the DPR Adapter she can reset her password directly from her locked workstation.
Result: Susan has a positive user experience and Acme's security policy is followed.

(Figure: Windows directory ↔ DPR Adapter ↔ ITIM ↔ user accounts on SAP, database, mainframe and custom systems.)
Tivoli Identity Manager – an example flow

Tivoli Identity Manager: admin GUI and end-user self-service, connected to the HR/payroll system (custom), RACF (the dealer system), Active Directory, SAP, databases and custom systems.

• A new hire is created in the HR/payroll system, is automatically detected by this and gets basic access.
• The employee orders additional access in the self-service interface; after approval it takes effect immediately.
• New tasks: the user is simply assigned a new role.
• Forgotten password: the user requests a new password themselves. No manual handling.
• Every 3 months the system administrator is notified of access on systems where there has been no login for 90 days.
• Every six months the manager/application owner must attest the user's roles/access.
• Audit is supported by reports.
• New systems: access is attached to a role, whereby the relevant users get access.
• Leavers: when the user is deactivated in the HR/payroll system, the user is inactivated.
This system will thus support both internal and external users.
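The lifecycle rules in the flow above (joiner gets the base role, role changes and leavers drive access, dormant accounts are reported after 90 days, roles are attested every six months), as an added example that is not Tivoli Identity Manager's code: a reconciliation between an authoritative HR feed and the accounts that actually exist on the target systems. The employees, role definitions, account data, reference date and the orphan account e999 are constructed; the 90-day and six-month thresholds are the slide's. It goes one step beyond the slide by also reporting accounts with no HR owner at all, which a reconciliation run is the natural place to catch.

```python
"""Added example (not Tivoli Identity Manager's code): joiner/mover/leaver
reconciliation between an HR feed and target-system accounts, plus the
90-day dormancy and six-month attestation rules. All data is constructed."""
from datetime import date, timedelta

# Constructed HR feed (the authoritative source). status: active/terminated.
HR = {
    "e100": {"status": "active",     "roles": {"base", "sales"}},
    "e101": {"status": "active",     "roles": {"base"}},
    "e102": {"status": "terminated", "roles": {"base", "sales"}},
}

# Constructed role -> (system, entitlement) mapping; "base" is what a new
# hire gets automatically, other roles are requested via self-service.
ROLES = {
    "base":  {("ActiveDirectory", "Domain Users"), ("HR/Payroll", "employee")},
    "sales": {("SAP", "SD_SALES"), ("RACF", "DEALER_APP")},
}

# Constructed account state: employee -> {(system, entitlement): last_login}
ACCOUNTS = {
    "e100": {("ActiveDirectory", "Domain Users"): date(2010, 5, 1),
             ("HR/Payroll", "employee"): date(2010, 5, 1),
             ("SAP", "SD_SALES"): date(2010, 1, 10)},     # dormant
    "e102": {("ActiveDirectory", "Domain Users"): date(2010, 4, 30),
             ("SAP", "SD_SALES"): date(2010, 4, 30)},
    "e999": {("SAP", "SD_SALES"): date(2010, 5, 2)},       # no HR record: orphan
}

LAST_ATTESTED = {"e100": date(2009, 10, 1), "e101": date(2010, 3, 1)}

DORMANT_AFTER = timedelta(days=90)
ATTEST_EVERY = timedelta(days=182)

def desired_entitlements(emp):
    """Closed-loop policy: a terminated employee is entitled to nothing."""
    if emp["status"] != "active":
        return set()
    out = set()
    for r in emp["roles"]:
        out |= ROLES[r]
    return out

def reconcile(hr=HR, accounts=ACCOUNTS, attested=LAST_ATTESTED, today=date(2010, 5, 3)):
    """Return the actions TIM would raise, as (action, employee, detail) tuples."""
    actions = []
    for eid, emp in hr.items():
        have = accounts.get(eid, {})
        want = desired_entitlements(emp)
        for ent in sorted(want - set(have)):
            actions.append(("provision", eid, ent))
        for ent in sorted(set(have) - want):
            # leaver (status terminated) or a role removed: access comes off
            actions.append(("revoke", eid, ent))
        for ent, last in sorted(have.items()):
            if ent in want and today - last > DORMANT_AFTER:
                actions.append(("notify_dormant", eid, ent))
        if want and today - attested.get(eid, date.min) > ATTEST_EVERY:
            actions.append(("recertify", eid, sorted(emp["roles"])))
    # accounts with no HR record at all are orphans: nobody owns them
    for eid in accounts:
        if eid not in hr:
            actions.append(("orphan", eid, sorted(accounts[eid])))
    return actions

if __name__ == "__main__":
    for a in reconcile():
        print(a)
```

Revocation is derived from the desired state rather than from a "leaver" event: if the HR feed says terminated, every entitlement the person still holds is revoked, including ones that were never provisioned through TIM, which is the case that event-driven deprovisioning alone misses.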
Many other ITIM integrations are possible
The IBM Tivoli Open Process Automation Library site lists a number of published integrations with IBM and third-party products.
http://catalog.lotus.com/wps/portal/topal

ITIM References
Tivoli Identity Manager Information Centre: contains all standard Tivoli Identity Manager documentation, including the "Tivoli Identity Manager Tuning Guide". Available at:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm
Tivoli Identity Manager Design Guide: available at http://www.redbooks.ibm.com
Tivoli Identity Manager Advanced Design Guide: available at http://www.redbooks.ibm.com

For More Information
Tivoli User Community: an active and lively community for clients, business partners, and IT professionals. Free membership provides you with valuable resources, tools and networking capability. Log on to www.tivoli-ug.org or visit the ped in the IBM Pulse Expo.
Tivoli Training: IBM offers technical training and education services to help you acquire, maintain and optimize your IT skills. For a complete Tivoli course catalog and certification exams visit www.ibm.com/software/tivoli/education
Tivoli Services: with IBM Software Services for Tivoli, you get the most knowledgeable experts on Tivoli technology to accelerate your implementation. For a complete list of services offerings visit www.ibm.com/software/tivoli/services
Tivoli Support: IBM Software Premium Support provides an extra layer of proactive support, skills sharing and problem management, personalized to your environment. Visit www.ibm.com/software/support/premium/ps_enterprise.html

ITIM tools and utilities
There are a number of Identity Manager tools publicly available. They include: Adapter Development Tool, Documentation Tool, Graphical Configuration Editor, Business Intelligence and Reporting Tools (BIRT).

ITIM Adapter Development Tool
• The ITIM Adapter Development Tool facilitates the creation of custom adapters
– Features a graphical user interface designed specifically for adapter customization
– Can also be used to modify existing RMI-based adapters
• It can be downloaded at: http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0H

Documentation Tool for ITIM
• The Documentation Tool for ITIM (also known as DocTool) can produce instant reports on the ITIM configuration
– Can produce reports in HTML or XML
• It can be downloaded at: http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0C

ITIM Graphical Configuration Editor
• The ITIM Graphical Configuration Editor offers an alternative visual interface for configuring ITIM
• It also features advanced configuration import/export features
• It can be downloaded at: http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10IM0G