IBM Security Privileged Identity Manager, Version 2.0

Creating shared access policies

As an administrator, you can create a shared access policy that defines which credentials can be checked out, and by whom, so that users can check out those credentials by using the self-service interface.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Ensure that you created an access control item (ACI) for the protection category of Shared Access Policy. For more information about ACIs, see Access control item management.

Organizational roles and services that the shared access policy uses must be in place before you create the shared access policy.

If a role is a member of another organizational role in a shared access policy, then that role member also inherits the permissions of the shared access policy.

Procedure

To create a shared access policy, complete these steps:

  1. From the navigation tree, select Manage Shared Access > Manage Shared Access Policies.
  2. In the Shared Access Policies table, click Create.
  3. On the General page, complete these steps:
    1. Type the name of the policy.
    2. Optional: Type information about the policy in the Description field.
    3. Set the policy status. The status is set to Enable by default.
    4. Click Search to specify a business unit other than the default Organizational business unit.
    5. Select the scope that the policy uses for the business unit. The scope is set to This business unit and its subunits by default.
  4. Click the Members page and select the member type that you want to associate with the shared access policy. If you select Roles specified below, complete these steps to add one or more roles to the Roles table:
    1. Click Add.
    2. On the Organizational Role page, specify your search criteria and then click Search.
    3. In the Roles table, select one or more roles.
    4. Click OK.
  5. Click the Entitlements page and add one or more entitlements to the shared access policy:
    1. Click Add.
    2. On the Entitlements page, select the Entitlement Target Type.
      3. Depending on the target type that you selected, complete one of the following sets of steps:
      Credential
      Specify the information to limit the credential search. Leaving a field blank is the same as selecting all credentials.
      1. Type a login ID.
      2. Type the resource name.
      3. Click Search.
      4. Select the credentials that you want to add to the entitlement.
      Credential pool
      Specify the information to limit the credential pool search. Leaving a field blank is the same as selecting all credential pools.
      1. Type the pool name or a description of the pool.
      2. Type the resource name.
      3. Click Search.
      4. Select the credential pools that you want to add to the entitlement.
      Filtered
      Under Filter Creation:
      1. Select the type of filter that you want to create from the list.
        Credentials
        1. Use the Select all check box to entitle all credentials under the policy business unit. No additional information is needed. The information fields are deactivated.
        2. Type the name of the entitlement. If enabled, this field is a required field.
        3. Supply the filter information.
          1. Type the login ID.
          2. Type the resource name.
          3. Type the resource tag.
          Note: If you do not specify any filter information, the entitlement defaults to the all credentials entitlement. If you specified an entitlement name, it is overridden by the default All credentials name.
        Credential Pools
        1. Use the Select all check box to entitle all credential pools under the policy business unit. No additional information is needed. The information fields are deactivated.
        2. Type the name of the entitlement. If enabled, this field is a required field.
        3. Supply the filter information:
          1. Type the pool name.
          2. Type the resource name.
          3. Type the resource tag.
          Note: If you do not specify any filter information, the entitlement defaults to the all credential pools entitlement. If you specified an entitlement name, it is overridden by the default All credential pools name.
    4. Click OK. The credentials or credential pools are displayed in the Entitlements table.
    5. Click Cancel to return to the Entitlements page.
    6. Click Preview to see the list of credentials or credential pools that are returned by the filter criteria that you specified.
  6. Click Submit to save the policy.
  7. On the Success page, click Close.
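As an added illustration of how the parts of a shared access policy combine at check-out time, the following Python model (not IBM's code; the business units, roles, credentials and the check-out rule are constructed assumptions drawn from the procedure above) evaluates whether a user may check out a credential: the policy must be enabled, the credential's business unit must fall within the policy scope, the user must hold a member role either directly or through role membership inheritance, and the credential must be covered by an explicit Credential entitlement or by a filter in which a blank field matches everything.

```python
"""Model of how a shared access policy's scope, members and entitlements combine.

Added illustration only: the data model, sample data and check-out rule are
assumptions derived from the documented procedure, not IBM's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample organization tree: business unit -> parent unit (None = root).
BUSINESS_UNITS: Dict[str, Optional[str]] = {
    "Organization": None,
    "Finance": "Organization",
    "Payroll": "Finance",
    "Engineering": "Organization",
}

# Constructed role membership: role -> organizational roles it is a member of.
# A member role inherits the shared access permissions of the roles it belongs to.
ROLE_MEMBER_OF: Dict[str, Set[str]] = {
    "PayrollAdmin": {"FinanceStaff"},
    "FinanceStaff": set(),
    "Developer": set(),
}


@dataclass(frozen=True)
class Credential:
    login_id: str
    resource: str
    business_unit: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class CredentialFilter:
    """A 'Filtered' entitlement: each blank field matches all credentials."""
    login_id: str = ""
    resource: str = ""
    tag: str = ""

    def matches(self, cred: Credential) -> bool:
        return ((not self.login_id or self.login_id == cred.login_id)
                and (not self.resource or self.resource == cred.resource)
                and (not self.tag or self.tag in cred.tags))


@dataclass
class SharedAccessPolicy:
    name: str
    business_unit: str
    enabled: bool = True
    include_subunits: bool = True  # scope "This business unit and its subunits"
    member_roles: Optional[Set[str]] = None  # None = not restricted to listed roles
    credentials: Set[Credential] = field(default_factory=set)  # explicit entitlements
    filters: List[CredentialFilter] = field(default_factory=list)


def effective_roles(direct_roles: Set[str]) -> Set[str]:
    """Direct roles plus every role they are (transitively) members of."""
    seen: Set[str] = set()
    todo = list(direct_roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_MEMBER_OF.get(role, set()))
    return seen


def in_scope(policy: SharedAccessPolicy, unit: str) -> bool:
    """Is `unit` covered by the policy's business unit and scope setting?"""
    if unit == policy.business_unit:
        return True
    if not policy.include_subunits:
        return False
    parent = BUSINESS_UNITS.get(unit)
    return parent is not None and in_scope(policy, parent)


def can_check_out(policy: SharedAccessPolicy, user_roles: Set[str],
                  cred: Credential) -> bool:
    """Apply status, scope, membership and entitlement checks in turn."""
    if not policy.enabled:
        return False
    if not in_scope(policy, cred.business_unit):
        return False
    if policy.member_roles is not None and not (
            effective_roles(user_roles) & policy.member_roles):
        return False
    return cred in policy.credentials or any(f.matches(cred) for f in policy.filters)


def demo() -> Dict[str, bool]:
    """Constructed credentials and one policy exercising each rule."""
    payroll_db = Credential("svc_payroll", "payroll-db", "Payroll", frozenset({"prod"}))
    eng_ci = Credential("ci_bot", "build-server", "Engineering", frozenset({"prod"}))
    fin_test = Credential("svc_fin_test", "finance-db", "Finance", frozenset({"test"}))
    policy = SharedAccessPolicy(
        name="Finance production credentials",
        business_unit="Finance",
        member_roles={"FinanceStaff"},
        filters=[CredentialFilter(tag="prod")],
    )
    return {
        "inherited_role_in_subunit": can_check_out(policy, {"PayrollAdmin"}, payroll_db),
        "outside_business_unit": can_check_out(policy, {"FinanceStaff"}, eng_ci),
        "filter_excludes_test_tag": can_check_out(policy, {"FinanceStaff"}, fin_test),
        "role_not_a_member": can_check_out(policy, {"Developer"}, payroll_db),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The order of the checks mirrors the pages of the policy editor (General, Members, Entitlements); narrowing the scope to the policy's own business unit, or restricting members to specific roles, shrinks what the filter can ever return, which is the behaviour to confirm with Preview before you submit.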
