Skip to main content

By clicking Submit, you agree to the developerWorks terms of use.

The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

  • Close [x]

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

By clicking Submit, you agree to the developerWorks terms of use.

All information submitted is secure.

  • Close [x]

developerWorks Community:

  • Close [x]

Hello World: Tivoli Identity Manager

Manage user accounts in an LDAP directory

Wes Wardell, Staff Software Developer, IBM
Author photo
Wes Wardell is currently working in the SOA Advanced Technology Design Center in the IBM Toronto Lab. In 2005, he co-authored one of IBM's Redbooks about IBM Tivoli Identity Manager version 4.5.1. He holds a degree in computing and computer electronics from Wilfrid Laurier University, Canada.

Summary:  Welcome to the eleventh tutorial in the "Hello, World" series, which provides high-level overviews of various IBM® software products. This tutorial offers an introduction to Tivoli® Identity Manager Express V4.6. It includes practical, hands-on exercises in which you will set up Tivoli Identity Manager Express to manage accounts in an LDAP user directory.

View more content in this series

Date:  12 Mar 2007
Level:  Introductory PDF:  A4 and Letter (1306 KB | 32 pages)Get Adobe® Reader®

Activity:  36984 views


IBM Tivoli Identity Manager is a key part of IBM's identity management solution. It provides system administrators with an efficient way to manage the user lifecycle: it helps reduce the amount of time that administrators spend on the basic user provisioning tasks of account creation, modification, and removal. ITIM also enables the consistent application of company security policies. Processes can be put in place for managing when user accounts are added or removed, including any approvals required beforehand. It can also enforce the same password guidelines across all managed systems or synchronize the same password to all of a user's accounts.

A user is created within ITIM to contain information about the user and act as the owner of that user's accounts in other systems (also called resources). A service is configured with the details necessary to connect to each resource. Once the user is set up, all the accounts for that user can be managed from ITIM. This is illustrated in Figure 1.

Figure 1. Managing multiple resources
ITIM manages multiple resources

As illustrated, one of the systems that can be managed is an LDAP directory. An LDAP directory is a user directory -- that is, a specialized database of user information -- that is based on the Lightweight Directory Access Protocol (LDAP). LDAP is an open standard defining a communication protocol for use by directory clients and servers.

In this tutorial, you'll set up ITIM to retrieve existing accounts from a local LDAP directory implemented on IBM Tivoli Directory Server into ITIM. You'll also create LDAP accounts within ITIM, and modify policies for the creation of user IDs.

How does Tivoli Identity Manager fit into IBM solutions?

People inside and outside a company need access to various company systems. In some cases, multiple systems can share user accounts; for instance, multiple Web applications can use the same LDAP directory. Even so, most users will still require multiple accounts to access all the systems that they need. These accounts may include IDs within the operating system of specific machines, database records, user directories, or access management solutions such as those provided by Tivoli Access Manager.

Identity management is incorporated into the security architecture of IBM solutions. The requirements for identity management come out of various business considerations, which include:

  • Cost reduction: The administrative overhead of managing user accounts, including timely creation and removal and password resets, can be significant.
  • Compliance: As security guidelines are defined, they need to be put into practice in a consistent manner. This includes password rules, account approvals, and the scheduled recertification of the need for an account.
  • Productivity: The time it takes to create all the accounts for a new employee can hurt the productivity of the administrators and the new user. The same is true for resetting forgotten passwords. Another productivity inhibitor is the time spent by users updating passwords across all systems when they expire.
  • Auditing: A user's ability to access a system may need to be tracked -- to prove that an account was removed from a system after the user left the company, for example. In some cases, there are regulatory requirements that influence the need for auditing.

Adapters are available that allow Tivoli Identity Manager to work with a number of systems, such as Tivoli Directory Server and other LDAP directories, Linux™ and UNIX®, Lotus Notes, Tivoli Access Manager, and Active Directory. ITIM also includes the Tivoli Directory Integrator product, which provides more generic data integration and synchronization between directories, databases, and applications.

The examples in this tutorial were developed using version 4.6 of Tivoli Identity Manager Express. It is built upon WebSphere Application Server Express, DB2 Express, Tivoli Directory Server, and Tivoli Directory Integrator.

How does Tivoli Identity Manager fit into SOA?

Service oriented architecture (SOA) is an architectural style for building distributed systems that deliver application functionality as services to be used by end-user applications or for building other services. It enables customers to create sophisticated applications and solutions swiftly and easily by assembling them from new and existing services. Each business function in a company can be implemented as a service that can then be integrated with other services to fulfill the company's business requirements. Companies in every industry are seeking ways to respond more quickly and effectively to changing market conditions. To achieve this level of business flexibility, many companies are implementing SOA by developing service-oriented applications. The SOA lifecycle is illustrated in Figure 2.

Figure 2. The SOA lifecycle
The SOA lifecycle

Getting started with SOA is easy with the IBM SOA Foundation -- an integrated, open-standards-based set of software, best practices, and patterns for service oriented architectures. (See the Resources section for a link.) The software that comprises the IBM SOA Foundation supports each of the four stages of the SOA lifecycle: model, assemble, deploy, and manage. Underpinning all of these lifecycle stages are governance and processes that provide guidance and oversight for the SOA project.

The IBM Tivoli Identity Manager product supports the manage phase of the SOA lifecycle. It is part of the IT services management portion of the SOA reference architecture, providing companies with tools for managing their users across the various systems within their SOA implementation.

Figure 3. SOA Reference Architecture
SOA Reference Architecture

2 of 13 | Previous | Next


Zone=Service management, Security, Tivoli
TutorialTitle=Hello World: Tivoli Identity Manager