IBM Tivoli Identity Manager (ITIM) is a key part of IBM's identity management solution. It provides system administrators with an efficient way to manage the user lifecycle: it helps reduce the amount of time that administrators spend on the basic user provisioning tasks of account creation, modification, and removal. ITIM also enables the consistent application of company security policies. Processes can be put in place for managing when user accounts are added or removed, including any approvals required beforehand. It can also enforce the same password guidelines across all managed systems or synchronize the same password to all of a user's accounts.
A user is created within ITIM to contain information about the user and act as the owner of that user's accounts in other systems (also called resources). A service is configured with the details necessary to connect to each resource. Once the user is set up, all the accounts for that user can be managed from ITIM. This is illustrated in Figure 1.
Figure 1. Managing multiple resources
As illustrated, one of the systems that can be managed is an LDAP directory. An LDAP directory is a user directory -- that is, a specialized database of user information -- that is based on the Lightweight Directory Access Protocol (LDAP). LDAP is an open standard defining a communication protocol for use by directory clients and servers.
In this tutorial, you'll set up ITIM to retrieve into ITIM the existing accounts of a local LDAP directory implemented on IBM Tivoli Directory Server. You'll also create LDAP accounts within ITIM, and modify the policies that govern how user IDs are created.
People inside and outside a company need access to various company systems. In some cases, multiple systems can share user accounts; for instance, multiple Web applications can use the same LDAP directory. Even so, most users will still require multiple accounts to access all the systems that they need. These accounts may include IDs within the operating system of specific machines, database records, user directories, or access management solutions such as those provided by Tivoli Access Manager.
Identity management is incorporated into the security architecture of IBM solutions. The requirements for identity management come out of various business considerations, which include:
- Cost reduction: The administrative overhead of managing user accounts, including timely creation and removal and password resets, can be significant.
- Compliance: As security guidelines are defined, they need to be put into practice in a consistent manner. This includes password rules, account approvals, and the scheduled recertification of the need for an account.
- Productivity: The time it takes to create all the accounts for a new employee can hurt the productivity of the administrators and the new user. The same is true for resetting forgotten passwords. Another productivity inhibitor is the time spent by users updating passwords across all systems when they expire.
- Auditing: A user's ability to access a system may need to be tracked -- to prove that an account was removed from a system after the user left the company, for example. In some cases, there are regulatory requirements that influence the need for auditing.
Adapters are available that allow Tivoli Identity Manager to work with a number of systems, such as Tivoli Directory Server and other LDAP directories, Linux™ and UNIX®, Lotus Notes, Tivoli Access Manager, and Active Directory. ITIM also includes the Tivoli Directory Integrator product, which provides more generic data integration and synchronization between directories, databases, and applications.
The examples in this tutorial were developed using version 4.6 of Tivoli Identity Manager Express. It is built upon WebSphere Application Server Express, DB2 Express, Tivoli Directory Server, and Tivoli Directory Integrator.
Service oriented architecture (SOA) is an architectural style for building distributed systems that deliver application functionality as services to be used by end-user applications or for building other services. It enables customers to create sophisticated applications and solutions swiftly and easily by assembling them from new and existing services. Each business function in a company can be implemented as a service that can then be integrated with other services to fulfill the company's business requirements. Companies in every industry are seeking ways to respond more quickly and effectively to changing market conditions. To achieve this level of business flexibility, many companies are implementing SOA by developing service-oriented applications. The SOA lifecycle is illustrated in Figure 2.
Figure 2. The SOA lifecycle
Getting started with SOA is easy with the IBM SOA Foundation -- an integrated, open-standards-based set of software, best practices, and patterns for service oriented architectures. (See the Resources section for a link.) The software that comprises the IBM SOA Foundation supports each of the four stages of the SOA lifecycle: model, assemble, deploy, and manage. Underpinning all of these lifecycle stages are governance and processes that provide guidance and oversight for the SOA project.
The IBM Tivoli Identity Manager product supports the manage phase of the SOA lifecycle. It is part of the IT services management portion of the SOA reference architecture, providing companies with tools for managing their users across the various systems within their SOA implementation.
Figure 3. SOA Reference Architecture