Support data attributes specification

You can specify support data attributes on the RSA Authentication Manager account form.

The following attributes are support attributes for the RSA Authentication Manager account form.

Security Domain

Associates a user to a particular security domain. Each security domain contains policies such as password policy, lockout policy, or SecurID Token policy.

Security domains are organized in a hierarchical tree on the RSA Authentication Manager server. You can create a lower-level security domain under a top-level security domain and move users between security domains.

When you associate a user to a particular security domain from IBM® Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It also assigns the account to the specified security domain. Security domains represent areas of administrative responsibility within the RSA Authentication Manager enterprise.

Identity Source

Directories that are integrated with RSA Authentication Manager are called identity sources. These directories store user data and group data. Information for other data, such as security domains, tokens, or roles, is stored in an internal database.

When you associate a user to a specific identity source from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It uses the specified identity source as the user data store. The adapter sets the value of the Identity Source attribute on the RSA Authentication Manager server.
Note: The Identity Source attribute is non-modifiable.

User Group

User groups are collections of users, other user groups, or both. User group membership can be used to determine access permission in some applications.

User groups have the following characteristics:
  • User groups can be made up of multiple users or user groups.
  • User groups can occur across security domains. For example, users in security domain A and users in security domain B can both be members of the same user group. Both sets of users can access the same protected resources.
  • A user or user group can be a member of multiple user groups.

Admin Roles

An administrative role defines the permissions to be granted to a user to accomplish administrative tasks. You can assign the following administrative roles to a user from IBM Security Identity Manager:
  • Auth Mgr Agent Admin
  • Auth Mgr Help Desk
  • Auth Mgr Privileged Help Desk
  • Auth Mgr Realm Admin
  • Auth Mgr Security Domain Admin
  • Auth Mgr Token Administrator
  • Auth Mgr Trust Admin
  • Auth Mgr User Admin
  • Request Approver
  • Super Admin Role
  • Token Distributor
  • Trusted Realm Admin Role
Note: You can also create custom administrative roles on the RSA Authentication Manager server as required by your organization. For more information about creating administrative roles, see RSA Authentication Manager 7.1 Administrator's Guide.

Tokens
You can use tokens to authenticate your identity and to access the network resources that are protected by the RSA Authentication Manager server. A token generates unique one-time codes called tokencodes. To gain access to protected resources, you must enter your personal identification number (SecurID PIN) and the number that is displayed on your assigned token (tokencode). The combination of the SecurID PIN and the tokencode from your token is called the RSA SecurID token (Passcode).

Two types of SecurID tokens exist:

Hardware token
This type is a small physical device, such as a key chain or card, that generates tokencodes.
Software token
This type is a software-based token with an RSA SecurID application that is on the computer, Personal Digital Assistant (PDA), or cell phone of the user. After you install the application, the software token generates tokencodes, which are displayed on the device screen.

Two types of hardware and software tokens exist:

Time-based tokens
Time-based tokens automatically generate new tokencodes at regular intervals, generally every 60 seconds.
Event-based tokens
Event-based tokens change tokencodes when the user performs an action, such as pressing a button on the token.

You can assign the following optional token attributes on the RSA Authentication Manager account form:

Specifying the Security Domain attribute
Assigns the token to the selected security domain. Click Search and select a security domain from the list. The adapter assigns the token to the selected security domain on the RSA Authentication Manager server.
Specifying the Clear SecurID PIN attribute
Enables the creation of a new SecurID PIN on the RSA Authentication Manager server. You can create a SecurID PIN if you forget your existing PIN.

When you select the Clear SecurID PIN check box from IBM Security Identity Manager, the adapter modifies the user account on the RSA Authentication Manager server. The adapter sets the value of the Clear SecurID PIN attribute on the RSA Authentication Manager server.

Specifying the Clear Token PIN attribute
Instructs the RSA Authentication Manager to clear any existing PIN assigned to the token. Do not select this option if you are specifying the Token PIN field.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. Specifying this attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes.

Specifying the Replace With Next Available Token attribute
Replaces the existing token with the next available token on the RSA Authentication Manager server. The server selects a suitable replacement based on expiration date and modifies both the assigned and replacement tokens’ status. Do not select this option if you are specifying a token in the Replacement Token field.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Replacement Token attribute. You must complete a recon after changing any token attributes.

Specifying the Require PIN during authentication attribute
Indicates that the user must enter a PIN as well as a tokencode to authenticate.

When you select the Require PIN during authentication check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the User Authentication Requirement attribute on the RSA Authentication Manager server.

Specifying the Force PIN change on next login attribute
Forces the user to change the token PIN the next time the token is used to log on to the RSA Authentication Manager server. This attribute must only be set for tokens that require a passcode for authentication.

When you select the Force PIN change on next login check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the Force PIN change on next login attribute on the RSA Authentication Manager server.

Specifying the Token PIN attribute
Sets or clears the PIN for the token in the RSA Authentication Manager server.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes.
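
The token attributes above carry three constraints: two pairs that must not be specified together, and a Force PIN change setting that applies only to tokens that require a passcode. The following pre-submission check is an added example, not code from IBM or the adapter. It assumes a request is represented as a dictionary keyed by the form labels on this page, and it treats "requires a passcode" as meaning that Require PIN during authentication is selected.

```python
# Added example: keys are the form labels from this page; the dict layout is assumed.
SEND_ONLY = ("Clear Token PIN", "Replace With Next Available Token", "Token PIN")

# (check box, field) pairs that the page says must not be specified together.
EXCLUSIVE = (
    ("Clear Token PIN", "Token PIN"),
    ("Replace With Next Available Token", "Replacement Token"),
)


def is_set(request, name):
    """A check box counts as set when True, a text field when non-empty."""
    value = request.get(name)
    return value is True or (isinstance(value, str) and value.strip() != "")


def check_token_request(request):
    """Return (errors, send_only_used) for one token change request."""
    errors = []
    for option, field in EXCLUSIVE:
        if is_set(request, option) and is_set(request, field):
            errors.append(f"'{option}' conflicts with '{field}'")
    # Assumed reading: a token "requires a passcode" when a PIN is required
    # in addition to the tokencode.
    if is_set(request, "Force PIN change on next login") and not is_set(
        request, "Require PIN during authentication"
    ):
        errors.append("'Force PIN change on next login' needs a PIN-protected token")
    # Send-only values are not stored in Identity Manager; reconcile after
    # the change to see the attributes they affect.
    send_only_used = [name for name in SEND_ONLY if is_set(request, name)]
    return errors, send_only_used


# Constructed sample requests, not taken from a real deployment.
CONFLICTING = {
    "Clear Token PIN": True,
    "Token PIN": "constructed-placeholder",
    "Force PIN change on next login": True,
    "Require PIN during authentication": False,
}
CLEAN = {
    "Replace With Next Available Token": True,
    "Require PIN during authentication": True,
    "Force PIN change on next login": True,
}
if __name__ == "__main__":
    for label, req in (("conflicting", CONFLICTING), ("clean", CLEAN)):
        print(label, check_token_request(req))
```

A non-empty second list is a reminder that the submitted values will not be visible in IBM Security Identity Manager until a reconciliation runs.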