Configure identity policy
Now that Mindy exists as a user in ITIM, she can be made the owner of any of the LDAP accounts that were pulled in during reconciliation; alternatively, a new LDAP account can be created for her. If you decide to create a new account, what should the user ID be? As an administrator, you may have special requirements for user IDs -- you may use the user's full name or e-mail address, for instance. In ITIM, the user ID is governed by an identity policy. An identity policy defines the attributes from the ITIM user account that a service uses to create a user ID.
An identity policy can be defined for each service, but there is also a global identity policy that applies in the absence of a service-level identity policy. By default, the global identity policy dictates that the Requested user ID field determine the user ID. While creating Mindy, you entered MyUserId into this field, so this would be used when creating the LDAP account. Mindy's LDAP entry would thus be as follows:
In this section, you'll define an identity policy for the My LDAP directory service that uses the Full name attribute for the user ID instead of the Requested user ID attribute.
- Select Manage Policies > Manage Identity Policies to open the Manage Identity Policies page.
- Click Search to list the existing policies. At this point, the list is likely empty, so you'll get a message to that effect. Click the Close Message link. Note that the global identity policy does not appear in this list; you can click Change global rule to change its policy.
- Click Create to create a new identity policy.
- Under the General tab, enter Fullname LDAP identity policy in the Name field, as shown in Figure 19. Then select Services.
Figure 19. Create identity policy
- One or more services need to be associated with this policy. Under the Services tab, click Add.
- Click Search to retrieve the list of services. Select the check box next to My LDAP directory service, as shown in Figure 20, and then click
Figure 20. Select service for identity policy
- The service should now be listed under the Services tab. Select the Rule tab. You'll see the screen illustrated in Figure 21.
- To match the existing LDAP accounts, make the ID based on the user's full name. Select Full name from the First attribute drop-down list. You should also select Existing case from the Apply case drop-down list. Click OK to complete the creation of the identity policy. (If you read the description under this tab, you'll learn that duplicate user IDs are resolved automatically by appending numbers to the end of the ID.)
Figure 21. User ID creation rule
- After reading the success message, click Close.
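The following Python model, added here as an illustration and not taken from ITIM itself, shows the two behaviours this section describes: a service-level policy overriding the global Requested user ID rule, and duplicate IDs being resolved by appending a number. The person record, the existing LDAP IDs and the numbering scheme (1, 2, 3, ...) are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IdentityPolicy:
    attribute: str                 # person attribute that seeds the user ID
    apply_case: str = "existing"   # "existing", "upper" or "lower"


@dataclass
class PolicyStore:
    global_policy: IdentityPolicy
    service_policies: dict = field(default_factory=dict)

    def policy_for(self, service):
        # A service-level policy wins; otherwise the global policy applies.
        return self.service_policies.get(service, self.global_policy)


CASE_RULES = {"existing": lambda s: s, "upper": str.upper, "lower": str.lower}


def generate_user_id(person, service, store, existing_ids):
    """Return a user ID for `person` on `service` that is unique in `existing_ids`."""
    policy = store.policy_for(service)
    value = person.get(policy.attribute)
    if not value:
        raise ValueError(f"person has no value for {policy.attribute!r}")
    base = CASE_RULES[policy.apply_case](value)
    candidate, n = base, 1
    # Duplicates are resolved by appending a number; the exact numbering
    # scheme (1, 2, 3, ...) is an assumption, not taken from the page.
    while candidate in existing_ids:
        candidate = f"{base}{n}"
        n += 1
    return candidate


# Constructed sample data: the default global rule, the service rule created in
# this section, a person record for Mindy and the IDs already in the directory.
STORE = PolicyStore(
    global_policy=IdentityPolicy("Requested user ID"),
    service_policies={"My LDAP directory service": IdentityPolicy("Full name")},
)
MINDY = {"Full name": "Mindy Sample", "Requested user ID": "MyUserId"}
EXISTING_LDAP_IDS = {"Mindy Sample", "Mindy Sample1"}
```

Calling `generate_user_id(MINDY, "My LDAP directory service", STORE, EXISTING_LDAP_IDS)` yields "Mindy Sample2", while any service without its own policy falls back to "MyUserId".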