Hello World: Tivoli Identity Manager

Manage user accounts in an LDAP directory

Wes Wardell, Staff Software Developer, IBM
Wes Wardell is currently working in the SOA Advanced Technology Design Center in the IBM Toronto Lab. In 2005, he co-authored one of IBM's Redbooks about IBM Tivoli Identity Manager version 4.5.1. He holds a degree in computing and computer electronics from Wilfrid Laurier University, Canada.

Summary:  Welcome to the eleventh tutorial in the "Hello, World" series, which provides high-level overviews of various IBM® software products. This tutorial offers an introduction to Tivoli® Identity Manager Express V4.6. It includes practical, hands-on exercises in which you will set up Tivoli Identity Manager Express to manage accounts in an LDAP user directory.


Date:  12 Mar 2007
Level:  Introductory
PDF:  A4 and Letter (1306 KB | 32 pages)


Configure identity policy

Now that Mindy exists as a user in ITIM, she can be made the owner of any of the LDAP accounts that were pulled in during reconciliation; alternatively, a new LDAP account can be created for her. If you decide to create a new account, what should the user ID be? As an administrator, you may have special requirements for user IDs -- you may use the user's full name or e-mail address, for instance. In ITIM, the user ID is governed by an identity policy. An identity policy defines which attributes of the ITIM user (person) record a service uses to construct a user ID, and how they are combined.

An identity policy can be defined for each service, but there is also a global identity policy that applies in the absence of a service-level identity policy. By default, the global identity policy dictates that the Requested user ID field determine the user ID. While creating Mindy, you entered MyUserId into this field, so this would be used when creating the LDAP account. Mindy's LDAP entry would thus be as follows:


In this section, you'll define an identity policy for the My LDAP directory service that uses the Full name attribute for the user ID instead of the Requested user ID attribute.


  1. Select Manage Policies > Manage Identity Policies to open the Manage Identity Policies page.
  2. Click Search to list the existing policies. At this point, the list is likely empty, so you'll get a message to that effect. Click the Close Message link. Note that the global identity policy does not appear in this list; you can click Change global rule to change its policy.
  3. Click Create to create a new identity policy.
  4. Under the General tab, enter Fullname LDAP identity policy in the Name field, as shown in Figure 19. Then select Services.

    Figure 19. Create identity policy
    Create identity policy

  5. One or more services need to be associated with this policy. Under the Services tab, click Add.
  6. Click Search to retrieve the list of services. Select the check box next to My LDAP directory service, as shown in Figure 20, and then click OK.

    Figure 20. Select service for identity policy
    Select service for identity policy

  7. The service should now be listed under the Services tab. Select the Rule tab. You'll see the screen illustrated in Figure 21.
  8. To match the existing LDAP accounts, base the ID on the user's full name. Select Full name from the First attribute drop-down list. You should also select Existing case from the Apply case drop-down list; this keeps the capitalization exactly as it appears in the Full name attribute, so that the IDs ITIM generates look like the ones already in the directory. Click OK to complete the creation of the identity policy. (If you read the description under this tab, you'll learn that duplicate user IDs are resolved automatically by appending numbers to the end of the ID.)

    Figure 21. User ID creation rule
    User ID creation rule

  9. After reading the success message, click Close.
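The rule created in steps 1-9 can be summarized as: take the Full name attribute, keep its existing case, and append a number if the result is already in use; when a service has no policy of its own, the global rule (Requested user ID) applies instead. The following stand-alone JavaScript models exactly that behaviour so you can see which ID Mindy would receive. It is an added example, not code from the tutorial, and it does not use ITIM's own identity-policy script API; the person record, the list of reconciled uids, and the helper and attribute names are assumptions made for illustration.

```javascript
// Added example: a stand-alone model of the identity-policy behaviour
// described in this section. Not the tutorial's code and not ITIM's own
// identity-policy script API; attribute names, sample data and helper
// names are assumptions made for illustration.

// Constructed sample: uids already present in "My LDAP directory service"
// after reconciliation (full-name style, as the tutorial assumes).
const existingLdapUids = ["Jane Doe", "Mindy Smith", "Mindy Smith1"];

// Constructed ITIM person record for Mindy; Requested user ID = MyUserId,
// as entered earlier in the tutorial.
const mindy = {
  fullName: "Mindy Smith",
  requestedUserId: "MyUserId",
  email: "mindy@example.com",
};

// The "Apply case" choices offered on the Rule tab.
function applyCase(value, mode) {
  switch (mode) {
    case "existing": return value;
    case "upper": return value.toUpperCase();
    case "lower": return value.toLowerCase();
    default: throw new Error("unknown case mode: " + mode);
  }
}

// Build a rule from a "First attribute" and a case mode, the way the
// Rule tab (Figure 21) does. An empty attribute is treated as an error
// rather than silently producing an empty uid.
function makeRule(attribute, caseMode) {
  return function (person) {
    const value = person[attribute];
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error("identity policy attribute '" + attribute + "' is empty");
    }
    return applyCase(value, caseMode);
  };
}

// Global identity policy (default): use the Requested user ID.
const globalRule = makeRule("requestedUserId", "existing");
// Service-level policy created in this section: Full name, existing case.
const fullNameRule = makeRule("fullName", "existing");

// Resolve duplicates by appending 1, 2, 3 ... as the Rule tab description
// states. The comparison ignores case because the LDAP uid attribute
// (RFC 4519) uses caseIgnoreMatch, so "mindy smith" would still collide
// with an existing "Mindy Smith".
function resolveDuplicate(candidate, takenUids) {
  const taken = new Set(takenUids.map((u) => u.toLowerCase()));
  if (!taken.has(candidate.toLowerCase())) return candidate;
  let n = 1;
  while (taken.has((candidate + n).toLowerCase())) n += 1;
  return candidate + n;
}

// A service-level policy wins; the global policy applies only when the
// service has none.
function createUserId(person, serviceRule, takenUids) {
  const rule = serviceRule || globalRule;
  return resolveDuplicate(rule(person), takenUids);
}

// Service without its own policy: the global rule gives MyUserId.
console.log(createUserId(mindy, null, existingLdapUids));         // MyUserId
// My LDAP directory service: "Mindy Smith" and "Mindy Smith1" are already
// taken, so the policy hands out "Mindy Smith2".
console.log(createUserId(mindy, fullNameRule, existingLdapUids)); // Mindy Smith2
```

Two things worth checking against your own directory before relying on a full-name rule: the numeric suffix means that two people who share a name get IDs that differ only by a trailing digit, which is easy to confuse in access reviews, and the uid equality comparison in LDAP is case-insensitive, so choosing Upper case or Lower case on the Rule tab changes how the ID looks but not which existing entries it collides with.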
