Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/
1. Role-based permission control: Role-Based Access Control (RBAC)
2. Two organizational components: people and resources, where resources include applications and operating systems
3. Basic system logic architecture
Person <-> authorization <-> resources
4. Basic system architecture
• ITIM server: stores the security-management business logic and provides centralized user and resource management
  - Directory server: stores user information and organizational-structure information
  - Database server: stores temporary and historical data produced at run time
• Web server (may be the same machine as the ITIM server; provides the J2EE platform and web services)
• Tivoli Identity Manager adapters: communicate with the central ITIM server and are either agent-based or agentless. The former is installed and runs on the managed server; the latter runs on the IBM Tivoli Directory Integrator (TDI) server (an SSL-secured connection is required).
5. Adapters and the server communicate through the DARPA Agent Markup Language (DAML), an XML message format carried over SSL.
6. Distributed deployment diagram:
7. Several considerations for deployment
Service priority: set the priority of each service; a service that many users use frequently for account-change operations is treated as high priority.
Provisioning type: automatic or manual. Automatic provisioning is efficient but may create unnecessary accounts; manual provisioning is slower to take effect.
Capacity: number of users, number of concurrent users, system storage capacity, and how long one action takes to complete.
Release time: the offline window (downtime) the business can accept.
Simplicity and cost: simplify the deployment as much as possible.
Topology: deploy the core server only after the basic security settings are in place.
Security process: design according to the company's security regulations.
Features: customize services according to company requirements.
User identity import: identity feeds.
Central user integration: a centralized user repository is expected to need less reading and writing, but the read and write frequency of TDS in ITIM is roughly equal, so TDS is not the component that implements this function.
Service and adapter: which adapters are required, how they are deployed, which features are deployed, and what connections are used.
Accounts: whether to create an ITIM login account for each managed account, and whether there is a naming standard for account names.
Passwords: whether passwords are synchronized, what the password-strength policy is, and how passwords are changed.
Audit requirements: how long audit information is kept online and offline, and which kind of audit matches the company's process.
Approval process: whether to customize the approval process by user type.
Organizational structure: user roles and so on.
Customization: customize the interface according to company requirements.
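As an added illustration of the person <-> authorization <-> resource model and of the automatic-versus-manual provisioning trade-off above (example code written here, not ITIM's own API; the roles, services and usage data are constructed), the evaluator below derives each person's entitlements from role-based policies and flags the accounts that automatic provisioning would create even though the person never uses the service:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Provisioning policy: holders of `role` are entitled to an account on `service`."""
    role: str
    service: str
    automatic: bool  # True: account is created as soon as the person holds the role


@dataclass(frozen=True)
class Person:
    uid: str
    roles: frozenset
    used: frozenset  # services the person actually logs in to (constructed sample data)


# Constructed sample data (hypothetical roles and services, not from any real deployment)
POLICIES = [
    Policy("employee", "email", automatic=True),
    Policy("developer", "git", automatic=True),
    Policy("finance", "erp", automatic=False),
]
PERSONS = [
    Person("alice", frozenset({"employee", "developer"}), frozenset({"email", "git"})),
    Person("bob", frozenset({"employee"}), frozenset({"email"})),
    Person("carol", frozenset({"employee", "developer"}), frozenset({"email"})),
    Person("dave", frozenset({"employee", "finance"}), frozenset({"email", "erp"})),
]


def evaluate(persons, policies):
    """Map each uid to {service: 'automatic' | 'manual'} for every service the person is entitled to."""
    result = {}
    for p in persons:
        entitlements = {}
        for pol in policies:
            if pol.role in p.roles:
                mode = "automatic" if pol.automatic else "manual"
                # If several policies grant the same service, automatic provisioning wins.
                if entitlements.get(pol.service) != "automatic":
                    entitlements[pol.service] = mode
        result[p.uid] = entitlements
    return result


def unnecessary_accounts(persons, policies):
    """Accounts that automatic provisioning would create but the person never uses."""
    ent = evaluate(persons, policies)
    return {(p.uid, svc) for p in persons
            for svc, mode in ent[p.uid].items()
            if mode == "automatic" and svc not in p.used}
```

Running `unnecessary_accounts(PERSONS, POLICIES)` on the sample data reports carol's unused git account; the manually provisioned erp entitlement is never counted because it is only created on request.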