Privileged administrators, privileged users, and Privileged Identity Manager administrators are to be on-boarded from IBM® Security Identity Manager into IBM Security Privileged Identity Manager.
The following scenarios demonstrate how Annie Lewis (Privileged Administrator) accomplishes her goals. The personas involved are:

User | Description |
---|---|
Annie Lewis (Privileged Administrator) | |
James Smith (Privileged User) | Employees who have a business need to access one or more privileged credentials that are managed by IBM Security Privileged Identity Manager. |
Jake Smith (Privileged Identity Manager Administrator) | This administrator provisions ISPIM accounts for Annie Lewis (Privileged Administrator) and James Smith (Privileged User) through IBM Security Identity Manager by adding them to the correct ISPIM system group when they take on the specified business roles. |
Annie Lewis (Privileged Administrator) needs an ISPIM account and an ISPIM administrative domain so that she can add her privileged accounts, for example root, to the credential vault and share them with other privileged users. She contacts Jake Smith (Privileged Identity Manager Administrator) to set up the account and administrative domain that she needs.
Persona | Jake Smith (Privileged Identity Manager Administrator) |
---|---|
Console | IBM Security Identity Manager Administrative console |
Tasks | |
After Annie Lewis (Privileged Administrator) gets a domain in which she can manage her accounts, she logs on to the IBM Security Privileged Identity Manager Administrative console to add her credential to the credential vault, create an ISPIM role, and create a shared access policy. Only then can James Smith (Privileged User) check out the credential to install the DB2 database on a server.
Persona | Annie Lewis (Privileged Administrator) |
---|---|
Console | IBM Security Privileged Identity Manager Administrative console; IBM Security Privileged Identity Manager Service Center |
Tasks | |
Persona | Jake Smith (Privileged Identity Manager Administrator) |
---|---|
Console | IBM Security Identity Manager Administrative console |
Tasks | Reconcile the ISPIM service to synchronize the Pinnacle admins role of Annie Lewis (Privileged Administrator) into IBM Security Identity Manager. |
Persona | James Smith (Privileged User) |
---|---|
Console | IBM Security Identity Manager, Version 7.0: IBM Security Identity Manager Service Center; IBM Security Identity Manager, Version 5.1 and 6.0: IBM Security Identity Manager Self-service console |
Tasks | Request Pinnacle admin access. An approval request is sent to Annie Lewis (Privileged Administrator). Note: After the request is approved, James Smith (Privileged User) can use IBM Security Access Manager for Enterprise Single Sign-On to check out the administrative account, root, on Pinnacle and install the DB2 database on the Pinnacle server. |
Persona | Annie Lewis (Privileged Administrator) |
---|---|
Console | IBM Security Identity Manager, Version 7.0: IBM Security Identity Manager Service Center; IBM Security Identity Manager, Version 5.1 and 6.0: IBM Security Identity Manager Self-service console |
Tasks | Approve the request from James Smith (Privileged User) for Pinnacle admin access. |
Annie Lewis (Privileged Administrator) uses IBM Security Privileged Identity Manager to on-board credentials (with IBM Security Privileged Identity Manager Service Center), create roles, and set up shared access policies (with IBM Security Privileged Identity Manager administrative console).
Annie Lewis (Privileged Administrator) needs to set up a role called Linux Admins and define that this role uses shared credentials under IBM Security Privileged Identity Manager.
See "Manage Access Approval Workflows" and "Manage Groups" in the IBM Security Identity Manager documentation.
IBM Security Privileged Identity Manager Privileged Administrator or Privileged Administrator tasks:
IBM Security Privileged Identity Manager reports contain the shared access entitlements (role-based) and the shared access history for privileged users. IBM Security Identity Manager reports contain a user's individual account entitlements (no shared access entitlements), including the IBM Security Privileged Identity Manager account and its role and group memberships.