IBM Security Privileged Identity Manager, Version 2.0.2

Creating access

As a privileged administrator, you can create access to grant users the permission to use managed credentials.

Before you begin

You are a member of the Privileged Administrator group.

About this task

By default, the Privileged Administrator View grants the rights to manage access.

The Privileged Identity Manager administrator or a member of the System Administrator group can enable the view for other groups of users.

Procedure

  1. In the Privileged Identity Manager Service Center home page, click Manage Access.
  2. Click Add.
  3. On the Access Information page, provide the following information, and click Next.
    Access Name
    Specify a name that identifies the access on IBM® Security Privileged Identity Manager. For example: Database administrators
    Description
    Optional. Describe what the access grants users, or add a remark. For example: Database administrators on production servers.
    Assignment Type
    Specify how the access is granted.
    By Request
    Users can request access to a resource, which is then granted according to the approval workflow. The access owner can also grant access to members.
    Approval Workflow
    Specify the approval process for the access. If no workflow is selected, access requests will be approved directly.
    Additional Information
    Specify more remarks about the approval process.
    By Access Owner
    The access owner grants access to users. An access owner is the person who creates the access.
    By Rule
    The users in the admin domain or subdomains that match an LDAP filter are automatically granted access. You can use the following person attributes in the filter.
    Table 1. Person attributes for an LDAP filter

    Attribute           Description
    cn                  Full name.
    sn                  Last name.
    givenname           First name.
    initials            Initials.
    uid                 User ID.
    homepostaladdress   Home address.
    roomnumber          Office number.
    employeenumber      Employee number.
    title               Title.
    manager             Manager (LDAP Distinguished Name).
    postaladdress       Postal address.
    secretary           Administrative assistant (LDAP Distinguished Name).
    mail                Email address.
    telephonenumber     Telephone number.
    mobile              Mobile telephone number.
    pager               Pager.
    homephone           Home telephone number.
    eraliases           Aliases.

    For example: (&(title=supervisor)(eraliases=engineering))

  4. On the Members page, select the members to add, and click Next. The Assignment Type that you chose in step 3 determines the options that are available on the page.
  5. On the Entitlements page, select the privileged credentials or credential pools that access members are entitled to use on the resource, or define a filter that selects them.
    Credential
    Specify entitlements for a set of credentials.
    Credential pool
    Specify entitlements for a set of credential pools.
    Filter
    Assign entitlements dynamically for credentials or credential pools that meet a set of criteria. All specified criteria must match. The entitlement also includes credentials or credential pools that are added later and match the filter.
    The filter supports only exact matches and starts-with matches. For example, enter abc to match exactly the string abc, or abc* to match any string that starts with abc, such as abc, abc1, and abc2.
    Create a filter for
    Define whether the filter applies to credentials or credential pools.
    Select all in the current domain
    Selects all credentials or credential pools in the current administrative domain.
    Entitlement Name
    Specify a name for the filter. This field is required.
    Login ID
    The credential or credential pool name.
    Resource Name
    The name of the resource that is assigned to the credential or credential pool.
    Resource Tag
    The tag of the resource that is assigned to the credential or credential pool. A tag is used for grouping resources.
  6. Click Save.
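The By Rule LDAP filter from step 3, as an added example that is not part of the IBM documentation or product: a small Python check that parses a filter of the form shown above, accepts only the Table 1 person attributes, and lists the sample people the rule would grant access to, so the scope of an automatic rule can be reviewed before it is saved. The matching rules (case-insensitive equality, multi-valued attributes) and the person records are assumptions; in the product the filter is evaluated by the directory.

```python
# Added example, not IBM product code: preview which people a By Rule LDAP
# filter would grant access to automatically, before the access is saved.
import re

# Person attributes permitted in a By Rule filter (Table 1).
ALLOWED_ATTRIBUTES = {
    "cn", "sn", "givenname", "initials", "uid", "homepostaladdress", "roomnumber",
    "employeenumber", "title", "manager", "postaladdress", "secretary", "mail",
    "telephonenumber", "mobile", "pager", "homephone", "eraliases"}

def parse_filter(text):
    # Accepts one (attr=value) item or an AND of items, (&(a=v)(b=w)...), the
    # form used in the example above; anything else is rejected rather than guessed.
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)|(\([^()]*\))", text)
    if not m:
        raise ValueError(f"unsupported filter syntax: {text!r}")
    conditions = []
    for item in re.findall(r"\(([^()]*)\)", m.group(1) or m.group(2)):
        attr, sep, value = item.partition("=")
        attr = attr.strip().lower()
        if not sep or attr not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"invalid filter item ({item})")
        conditions.append((attr, value))
    return conditions

def matches(conditions, person):
    # Assumed directory-style equality: case-insensitive, attributes may be
    # multi-valued, and every condition must hold (the & in the filter).
    for attr, value in conditions:
        stored = person.get(attr, [])
        stored = [stored] if isinstance(stored, str) else stored
        if not any(v.casefold() == value.casefold() for v in stored):
            return False
    return True

def preview_members(filter_text, people):
    # Returns the uids the rule would grant access to, in input order.
    conditions = parse_filter(filter_text)
    return [p["uid"] for p in people if matches(conditions, p)]

# Constructed sample person records, not real directory data.
PEOPLE = [
    {"uid": "asmith", "title": "Supervisor", "eraliases": ["engineering", "oncall"]},
    {"uid": "bjones", "title": "supervisor", "eraliases": ["finance"]},
    {"uid": "cwu", "title": "engineer", "eraliases": ["engineering"]},
    {"uid": "dlee", "title": "supervisor", "eraliases": "engineering"}]

if __name__ == "__main__":
    print(preview_members("(&(title=supervisor)(eraliases=engineering))", PEOPLE))
```

A filter that names an attribute outside Table 1, or that nests other operators, is rejected with a ValueError instead of silently matching nobody.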