Skip to main content

If you don't have an IBM ID and password, register here.

By clicking Submit, you agree to the developerWorks terms of use.

The first time you sign into developerWorks, a profile is created for you. This profile includes the first name, last name, and display name you identified when you registered with developerWorks. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

By clicking Submit, you agree to the developerWorks terms of use.

All information submitted is secure.

User provisioning with Tivoli Identity Manager

Manage user accounts across multiple computers with ease

Christopher Hockings (hockings@au1.ibm.com), Advanced Customer Engineering Team Member
Christopher  Hockings
Christopher Hockings is a member of the Advanced Customer Engineering team working in the Tivoli Security Business Unit (part of the IBM Software Group). He is an expert in providing architecture and integration solutions for customers using the Tivoli Access Manager product suite. This includes building specialized development modules for customers based on the Access Manager product suite. Chris was a member of the DASCOM team when it was acquired by IBM. He has attained bachelor of engineering and bachelor of information technology degrees from Queensland University of Technology in Australia.

Summary:  The process of creating user accounts and permissions for employees on a diverse array of computers can potentially consume much of an IT department's time and resources. In this tutorial, you'll learn how IBM Tivoli Identity Manager, working in conjunction with other Tivoli products, can help streamline the user provisioning process. You'll build a sample application that automatically creates user accounts with appropriate permissions based on data entered into a human resources database. The resulting environment also helps the establishment of single sign-on authentication for the newly provisioned users.

Date:  12 Sep 2003
Level:  Intermediate PDF:  A4 and Letter (395 KB | 16 pages)Get Adobe® Reader®

Comments:  

Before you start

About this tutorial

This tutorial provides an implementation solution for provisioning of users to a company's intranet platforms. The solution makes use of the Tivoli Security products to provide an integrated solution for doing so. Specifically, it highlights an integration scenario common to many customers environment, where a HR repository controls the lifecycle of a user within an organization, and the Tivoli security portfolio provides the provisioning framework for accounts on internal systems.

In many internal customer environments, a single HR repository holds the master definition of a user. The advantage of deploying Tivoli Identity Manager (TIM) architecture is that it provides this repository. However, in many situations, the HR repository is not controlled directly by an organization's identity management team (IMT). This causes the IMT to require a feed of user data from this repository on registration and de-registration of the user. This tutorial presents a practical solution to such a scenario using IBM products as follows:

  • Tivoli Identity Manager (TIM) - responsible for provisioning of user accounts for a newly created user.
  • IBM Directory Integrator (IDI) - provides a feed of the data from the HR database to the Identity Manager solution.
  • Tivoli Access Manager (TAM) - the end point for provisioning of accounts for a particular user.
  • IBM Directory Server (IDS) - used as the LDAP repository for TIM and TAM as well as for the purposes of simulating a HR feed to the TIM server through IDI.

Although this tutorial presents a solution for a single scenario, it introduces concepts that can be applied to varying customer problems around user provisioning. By the end of the tutorial, you should have a good understanding of the value of the Tivoli Security portfolio for solving varying customer requirements for user provisioning.


Should I take this tutorial?

Anyone interested in the integration capabilities of the Tivoli Security products (using TIM and IDI specifically) may be interested in taking this tutorial. It provides you with an overview of many of the concepts surrounding identity management and user provisioning, and provides an example implementation that makes use of the Tivoli Security portfolio.

You should have the following skills before you start this tutorial:

  • Tivoli Access Manager installation and configuration: This will allow you to implement a simple agent that provisions user accounts within TAM.
  • Tivoli Identity Manager installation: This tutorial requires you to install and configure the TIM product.
  • Simple programming skills: The TIM and IDI products require a basic understanding of JavaScript coding. Although this tutorial has minimal coding requirements, if you want to extend the capabilities of the tutorial's sample implementation, these skills will be required.
  • TIM agent installation and configuration: You should have some knowledge of installing and configuring TIM agent software.

Prerequisites

In order to successfully complete the steps as demonstrated in this tutorial, you will need the following:

  • A client machine hosting the software for providing the HR data feed to the TIM infrastructure, which includes the following components:
    • IBM Directory Server: This is IBM's LDAP Directory product. Within the solution two instances of the IBM Directory Server are deployed: One for simulating the HR feed for TIM, and the other for the directory to be used by the TIM and TAM products. .
    • IBM Directory Integrator: To obtain this software, please consult your Tivoli sales specialist.
  • IBM Tivoli Identity Manager infrastructure. To obtain this software, contact your local Tivoli sales representative. This infrastructure includes the following software:
    • IBM Directory Server is the user data store for TIM and TAM.
    • IBM WebSphere MQ is for user provisioning workflow within TIM.
    • IBM WebSphere hosts the TIM application.
  • Tivoli Access Manager 4.1 Agent is also required within this tutorial for showing the provisioning capabilities of the TIM product. Agent software can be obtained from your Tivoli sales team.
  • You'll also need Access Manager Infrastructure, which includes the following:
    • IBM Tivoli Access Manager Base and Policy Server
    • IBM Tivoli Access Manager WebSEAL

Note that the TIM and TAM infrastructure will share the IBM Directory for user and group storage.


Assumptions

In order to limit the scope of the solution while demonstrating as many concepts as possible, we've made a number of assumptions about our hypothetical environment:

  • The customer uses an HR database store that can alert other components when updates occur. In this tutorial, we'll use the IDS for the HR store, and use the changelog functionality provided by IDS to notify the Identity Manager solution when an update occurs.
  • Many customers will have their own solution for data feeds out of their HR systems. In this tutorial we use IDS and IDI to simulate the creation of an account and subsequent HR feed to the TIM product.

1 of 10 | Next

Comments



Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Tivoli
ArticleID=136162
TutorialTitle=User provisioning with Tivoli Identity Manager
publish-date=09122003
author1-email=hockings@au1.ibm.com
author1-email-cc=

Tags

Help
Use the search field to find all types of content in My developerWorks with that tag.

Use the slider bar to see more or fewer tags.

Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).

My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

Use the search field to find all types of content in My developerWorks with that tag. Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere). My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).