IBM Security Privileged Identity Manager, Version 2.0

Integration with IBM Security Identity Manager

Privileged administrators, privileged users, and Privileged Identity Manager administrators are on-boarded from IBM® Security Identity Manager into IBM Security Privileged Identity Manager.

The following scenarios demonstrate how Annie Lewis (Privileged Administrator) accomplishes these goals:

  1. Add privileged accounts, for example root on a Linux host named Pinnacle, to the credential vault.
  2. Define a policy that authorizes who can use the privileged accounts that she creates.
  3. Approve requests to use her privileged accounts.
Table 1. Types of users to be on-boarded
User Annie Lewis (Privileged Administrator)
Description
  • These employees own or are responsible for one or more privileged IDs on one or more systems.
  • They use IBM Security Privileged Identity Manager to manage and control the sharing of privileged credentials with co-workers.
User James Smith (Privileged User)
Description These are employees who have a business need to access one or more privileged credentials that are managed by IBM Security Privileged Identity Manager.
User Jake Smith (Privileged Identity Manager Administrator)
Description This administrator provisions ISPIM accounts for Annie Lewis (Privileged Administrator) and James Smith (Privileged User) through IBM Security Identity Manager by adding Annie Lewis and James Smith to the correct ISPIM system group when they take on the specified business roles.

Annie Lewis (Privileged Administrator) needs an ISPIM account and an ISPIM administrative domain so that she can add her privileged accounts, for example root, to the credential vault and share them with other privileged users. She contacts Jake Smith (Privileged Identity Manager Administrator) to set up the account and administrative domain that she needs.

Table 2. Create an ISPIM administrative domain and ISPIM account
Persona Jake Smith (Privileged Identity Manager Administrator)
Console IBM Security Identity Manager Administrative console
Tasks
  1. Create an ISPIM administrative domain for Annie Lewis (Privileged Administrator) where she can manage her shared credentials. For example: Annie domain. See Administrator domains and Creating groups.
  2. Create an ISPIM account for Annie Lewis (Privileged Administrator) on the ISPIM service. For example: Annie Lewis.
  3. Associate the Annie Lewis (Privileged Administrator) ISPIM account with the Privileged Administrator Group and Annie domain.
  4. Create an account request workflow for the ISPIM service. See Adding an entitlement workflow.

After Annie Lewis (Privileged Administrator) has a domain in which to manage her accounts, she logs on to the IBM Security Privileged Identity Manager Administrative console to add her credential to the credential vault, create an ISPIM role, and create a shared access policy. These steps must be complete before James Smith (Privileged User) can check out the credential to install the DB2 database on a server.

Table 3. Create a shared access policy
Persona Annie Lewis (Privileged Administrator)
Console

IBM Security Privileged Identity Manager Administrative console

IBM Security Privileged Identity Manager Service Center

Tasks
  1. Add a shared access credential that requires check-out. See Credentials in the credential vault.
    1. Link the credential to the ISPIM administrative domain. In this setup: Annie domain.
    2. Specify the shared access credential in the User ID field. For example: root.
    3. Specify the managed resource. For example, set the resource name to Pinnacle.
    4. Specify the check-out duration. For example: 1 week.
  2. Create an ISPIM role to represent the administrators who can check out the credential. For example: Pinnacle admins. See Creating roles.
  3. Create a shared access policy to allow all members of the created ISPIM role to check out the created credential. For example: Pinnacle admin access policy. See Creating shared access policies.
    1. Add the Pinnacle admins role as members of the Pinnacle admin access policy.
    2. Set Entitlement to Credential, then specify the shared access credential. In this setup: root on the Pinnacle system.
Table 4. Assign Privileged Administrator as access owner
Persona Jake Smith (Privileged Identity Manager Administrator)
Console IBM Security Identity Manager Administrative console
Tasks
Reconcile the ISPIM service to synchronize the Pinnacle admins role that Annie Lewis (Privileged Administrator) created into IBM Security Identity Manager.
  1. Specify the group name. In this setup: Organization / Annie domain / Pinnacle admins.
  2. Enable Annie's Pinnacle admins group in IBM Security Identity Manager as an access and as a common access. Specify the access name: Pinnacle admin access.
  3. Assign Annie Lewis (Privileged Administrator) as the Access Owner.
James Smith (Privileged User) must check out the administrative account root on Pinnacle, through the Pinnacle admin access, to install the IBM DB2 database for the reservation application.
Table 5. Check out the administrative account
Persona James Smith (Privileged User)
Console

IBM Security Identity Manager, Version 7.0: IBM Security Identity Manager Service Center

IBM Security Identity Manager, Version 5.1 and 6.0: IBM Security Identity Manager Self-service console

Tasks Request access to Pinnacle admin access. An approval request is sent to Annie Lewis (Privileged Administrator).
Note: After the request is approved, James Smith (Privileged User) can use IBM Security Access Manager for Enterprise Single Sign-On to check out the administrative account, root, on Pinnacle and install the DB2 database on the Pinnacle server.
Table 6. Grant access to the Pinnacle Server
Persona Annie Lewis (Privileged Administrator)
Console

IBM Security Identity Manager, Version 7.0: IBM Security Identity Manager Service Center

IBM Security Identity Manager, Version 5.1 and 6.0: IBM Security Identity Manager Self-service console

Tasks Approve the request from James Smith (Privileged User) to access Pinnacle admin access.
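The tables above describe a chain of decisions: a credential is only usable through an approved access, the approval must come from the access owner, approval places the requester into the ISPIM role named in the shared access policy, and the check-out itself is exclusive and bounded by the check-out duration. The following Python model, added here as an illustration and not ISPIM or ISIM code, replays the Annie / Jake / James scenario and records the outcome of each decision, including the cases the tables only imply: a check-out attempted before approval, an approval attempted by someone other than the access owner, a second role member attempting check-out while root on Pinnacle is already checked out, and the same attempt after the one-week duration has elapsed. All class, method and value names (Model, run_scenario, "Second Admin", the 2024-01-01 timestamp) are constructed for this example.

```python
# Constructed model of the check-out decision implied by Tables 2 to 6. This is
# illustrative code written for this page, not ISPIM or ISIM code; every name is a stand-in.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

CredKey = Tuple[str, str]  # (user ID on the managed resource, resource name)

@dataclass
class Credential:
    user_id: str                  # for example "root"
    resource: str                 # for example "Pinnacle"
    domain: str                   # ISPIM administrative domain, for example "Annie domain"
    checkout_duration: timedelta  # for example 1 week

@dataclass
class SharedAccessPolicy:
    name: str
    member_roles: Set[str]      # ISPIM roles that are members of the policy
    entitlements: Set[CredKey]  # credentials those members may check out

@dataclass
class Lease:
    user: str
    expires: datetime

class CheckOutDenied(Exception):
    pass

class Model:
    def __init__(self) -> None:
        self.credentials: Dict[CredKey, Credential] = {}
        self.policies: List[SharedAccessPolicy] = []
        self.role_members: Dict[str, Set[str]] = {}
        self.accesses: Dict[str, Tuple[str, str]] = {}  # ISIM access -> (ISPIM role, owner)
        self.requests: Dict[Tuple[str, str], str] = {}  # (user, access) -> state
        self.leases: Dict[CredKey, Lease] = {}

    # Privileged Administrator tasks (Table 3)
    def add_credential(self, cred: Credential) -> None:
        self.credentials[(cred.user_id, cred.resource)] = cred
    def create_policy(self, policy: SharedAccessPolicy) -> None:
        self.policies.append(policy)

    # ISIM tasks (Tables 4 to 6): only the access owner can approve, and approval
    # is what places the requester into the ISPIM role the access maps to.
    def enable_access(self, access: str, role: str, owner: str) -> None:
        self.accesses[access] = (role, owner)
    def request_access(self, user: str, access: str) -> None:
        self.requests[(user, access)] = "pending"
    def approve(self, approver: str, user: str, access: str) -> None:
        role, owner = self.accesses[access]
        if approver != owner:
            raise PermissionError(f"{approver} is not the owner of {access}")
        if self.requests.get((user, access)) != "pending":
            raise LookupError(f"no pending request from {user} for {access}")
        self.requests[(user, access)] = "approved"
        self.role_members.setdefault(role, set()).add(user)

    # The decision made at check-out time
    def entitling_policy(self, user: str, key: CredKey) -> Optional[str]:
        for policy in self.policies:
            if key in policy.entitlements and any(
                user in self.role_members.get(r, set()) for r in policy.member_roles
            ):
                return policy.name
        return None
    def check_out(self, user: str, key: CredKey, now: datetime) -> Lease:
        cred = self.credentials[key]  # KeyError if the credential was never on-boarded
        if self.entitling_policy(user, key) is None:
            raise CheckOutDenied(f"{user} holds no role entitled to {key[0]} on {key[1]}")
        lease = self.leases.get(key)
        if lease is not None and lease.expires <= now:  # duration elapsed: treat as checked in
            del self.leases[key]
            lease = None
        if lease is not None and lease.user != user:     # exclusive check-out
            raise CheckOutDenied(f"checked out by {lease.user} until {lease.expires:%Y-%m-%d}")
        if lease is None:
            lease = Lease(user, now + cred.checkout_duration)
            self.leases[key] = lease
        return lease

def run_scenario() -> Dict[str, object]:
    # Replay the Annie / Jake / James scenario and record each decision.
    m, key, t0 = Model(), ("root", "Pinnacle"), datetime(2024, 1, 1)  # constructed date
    m.add_credential(Credential("root", "Pinnacle", "Annie domain", timedelta(weeks=1)))
    m.create_policy(SharedAccessPolicy("Pinnacle admin access policy", {"Pinnacle admins"}, {key}))
    m.enable_access("Pinnacle admin access", "Pinnacle admins", "Annie Lewis")
    out: Dict[str, object] = {}

    def attempt(label: str, fn) -> None:
        try:
            out[label] = fn()
        except (CheckOutDenied, PermissionError) as err:
            out[label] = f"denied: {err}"
    attempt("before_approval", lambda: m.check_out("James Smith", key, t0).user)
    m.request_access("James Smith", "Pinnacle admin access")
    attempt("wrong_approver", lambda: m.approve("Jake Smith", "James Smith", "Pinnacle admin access"))
    m.approve("Annie Lewis", "James Smith", "Pinnacle admin access")
    out["lease_days"] = (m.check_out("James Smith", key, t0).expires - t0).days
    m.role_members["Pinnacle admins"].add("Second Admin")  # constructed second role member
    attempt("concurrent", lambda: m.check_out("Second Admin", key, t0 + timedelta(days=1)).user)
    attempt("after_expiry", lambda: m.check_out("Second Admin", key, t0 + timedelta(weeks=1)).user)
    return out
```

Calling run_scenario() returns a dictionary in which before_approval, wrong_approver and concurrent are denial messages, lease_days is 7, and after_expiry is "Second Admin". The point worth noting for a deployment is the third outcome: membership in the Pinnacle admins role is necessary but not sufficient, because an exclusive check-out by one member blocks the others until check-in or expiry, which is why the check-out duration in Table 3 should be no longer than the task needs.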

Setting up a request and approval workflow for ISPIM roles on IBM Security Identity Manager

Annie Lewis (Privileged Administrator) uses IBM Security Privileged Identity Manager to on-board credentials (with IBM Security Privileged Identity Manager Service Center), create roles, and set up shared access policies (with IBM Security Privileged Identity Manager administrative console).

Annie Lewis (Privileged Administrator) needs to set up a role called Linux Admins and define that this role uses shared credentials under IBM Security Privileged Identity Manager.

To configure a request and approval workflow for ISPIM roles on IBM Security Identity Manager, the following steps occur:
  1. On the IBM Security Identity Manager administrative console, Jake Smith (Privileged Identity Manager Administrator) sets up the ISPIM service and reconciles the Linux Admins role into IBM Security Identity Manager.
  2. On the IBM Security Identity Manager administrative console, Jake Smith (Privileged Identity Manager Administrator) enables the Linux Admins role as a common access and makes Annie Lewis (Privileged Administrator), the access owner, an approver of the request.

    See "Manage Access Approval Workflows" and "Manage Groups" in the IBM Security Identity Manager documentation.

  3. On the IBM Security Identity Manager administrative console, James Smith (Privileged User) requests access to the Linux Admins role.
  4. On the IBM Security Identity Manager administrative console, Annie Lewis (Privileged Administrator) approves the access request from James Smith (Privileged User).
    Note: Do not also associate an approval workflow with the Linux Admins role on IBM Security Privileged Identity Manager. If you do, access approvals are required from both IBM Security Identity Manager and IBM Security Privileged Identity Manager.

Tasks that remain the same with or without integration with IBM Security Identity Manager

Privileged Identity Manager Administrator or Privileged Administrator tasks:

  • On-boarding of credentials into the credential vault
  • Management of credential settings
  • Management of automatic password resets on credentials
  • Setting up shared access roles and policies
Privileged user tasks:
  • Manual check-in and check-out with the self-service console
  • Automatic check-in and check-out with session recording through AccessAgent.

Reports

IBM Security Privileged Identity Manager reports contain the shared access entitlements (role-based) and the shared access history for privileged users. IBM Security Identity Manager reports contain a user's "individual" account entitlements (no shared access entitlements), including the IBM Security Privileged Identity Manager account and its role and group memberships.
