[IBM Tivoli Identity Manager learning notes] 4. Basic concepts of TIM

Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/

 

1. Logical entities in the system

The figure above (not reproduced here) shows each TIM concept and how the concepts relate to one another.

Person: An individual in the system. A person may exist in the system without having any account.

Person profile: A record of the set of attributes that describe a person in the system.

Identity: The subset of a profile that uniquely represents a person and is stored in one or more places. It also includes other information about the person, such as phone number and e-mail address. For example, a particular combination of a person's surname, given name and full name can form an identity.

User: A person who uses TIM to manage accounts is called a TIM user. TIM users are divided into groups; each group has a set of views and permissions and can perform specific actions in TIM.

Account: A set of parameters for a managed resource. It defines an identity, a user profile and credentials. Specifically, an account defines logon information (such as a user ID and password) and the associated access permissions on the resource. In TIM, an account is created on a service. An account can be active or suspended; a suspended account is disabled but still exists, and a system administrator can restore it.

Access control item (ACI): A set of data that defines a user's permissions on a certain type of resource. You create an ACI to allow certain operations on a certain resource with certain permissions, and then set which groups may use the ACI.

Policy: A set of rules that govern the behaviour of managed resources (called services in TIM) or of users.
Adapter: A software component that provides the interface between a managed resource and the TIM server.
Service: A managed resource, such as an operating system, a database application or another program managed by TIM; Lotus Notes is another example. A user accesses a service through an account on it. Services are created from service types; a service type represents a group of managed resources with similar properties, for example a service type representing Linux. The accounts on a service define the users of that service. Most services have their accounts provisioned by TIM, which usually requires a workflow to complete successfully. A service owner owns a specific service in TIM and may be a person or a static role; in the latter case, all members of the role are owners of the service.

Resource user: A person who has a TIM account is called a resource user.

Attribute: Describes a characteristic of an entity. For example, a user is an entity whose attributes describe its name, phone number and address.

Alias: An alternative name for a user. A user can have several aliases so that several user IDs can map to it.


The figure above (not reproduced here) shows the concepts and relationships involved in secure access to system resources.
Group: A set of users. A user can belong to one or more groups. Groups are used to control user access; all members of a group have accounts on a TIM service, and members of a group may have special permissions.
TIM predefines five groups with their associated views and ACIs. A TIM user who belongs to no group has only the most basic permission to use TIM.
Access: The permission to use a specific resource. Access differs from an account: an account is itself one kind of entitlement, while an access entitlement defines the circumstances under which permissions on a managed resource are granted to a user's account. In TIM, access is defined on a managed resource in an existing group, so a user is granted access by creating an account on the service and placing the user in the group. Access entitlements can also be set with a provisioning policy.

Administrator: No restrictions by default. The first administrator in the system is called itim manager.
Auditor: Members of this group have the right to submit reviews.
Help Desk Assistant: Members of this group can request, modify, suspend, restore and delete accounts, passwords and profiles, and can act on behalf of a user.
Manager: Members of this group can manage their accounts, profiles and passwords.
Service Owner: Members of this group can manage a service.
View: The set of operations that a specific user can see.


The figure above (not reproduced here) shows how a user in a business unit obtains permissions on a resource.
Role: An organizational role is a way of granting users the right to use managed resources. It determines which resources are provided to a user, or to users with similar responsibilities. A role's descriptive attributes, especially its name, are important and usually suggest the purpose of the role; for example, a role may be manager, designer or auditor. TIM supports two kinds of roles, static and dynamic: static role membership is set manually, while dynamic membership is assigned automatically through a filter on some attribute, such as business title.
A user in a business unit holds a role. To grant the user permission to access one or more resources, a provisioning policy must be set.

2. Policies and workflows

Next we look at policies and workflows.
Policy: A set of rules that govern the behaviour of managed resources (called services in TIM) or of users. A policy represents a set of organizational rules and logic that TIM uses to manage other entities, such as user IDs. A policy is applied to a specific managed resource as a policy for that service; it can be applied to one or more service targets, identified either by service type or by explicitly listing the target services.
TIM supports the following types of policy:
Adoption policies
Identity policies
Password policies
Provisioning policies
Recertification policies
Service selection policies
Account defaults
Explanation:

Adoption policy: Used to determine the owner of an account; an account for which no owner can be determined is an orphan account. It can be applied to several services of the same service type and is defined in JavaScript.
Identity policy: Used to generate a default user ID when a new account is requested.
Password policy: Defines the strength rules a valid password must satisfy.
Provisioning policy: Grants entitlements on many types of managed resources. It uses a user's roles to define which accounts the user is entitled to and with what permissions.
Recertification policy: Provides recertification rules.
Service selection policy: Extends provisioning policies by selecting the service on which an account is provisioned based on attributes of the person.
Workflow: A workflow defines a series of activities that represent a business process.
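To make the adoption and identity policies above concrete, here is an added example written for these notes (a simplified model in plain JavaScript, not TIM's own policy scripting API, whose script objects and return conventions differ): a constructed reconciliation run matches accounts pulled from a service to persons by uid, flags the unmatched ones as orphan accounts, and an identity rule generates a default user ID from given name and surname, appending a counter until the ID is unused.

```javascript
// Added example: a simplified model of TIM adoption and identity policies.
// Not TIM's own scripting API; all names below are assumptions for illustration.

// Constructed person profiles, as TIM would hold them.
const PERSONS = [
  { dn: "person=1,o=acme", givenname: "Alice", sn: "Smith", uid: "asmith" },
  { dn: "person=2,o=acme", givenname: "Bob", sn: "Jones", uid: "bjones" },
];

// Constructed accounts reconciled from a managed resource (a "service").
const RECONCILED_ACCOUNTS = [
  { eruid: "asmith", service: "linux-prod" },
  { eruid: "bjones", service: "linux-prod" },
  { eruid: "svcbackup", service: "linux-prod" }, // no person owns this one
];

// Adoption rule: pick the person who owns an account. This rule is "account
// name equals the person's uid"; a real adoption policy may use any attributes.
function adoptionRule(account, persons) {
  const owner = persons.find((p) => p.uid.toLowerCase() === account.eruid.toLowerCase());
  return owner ? owner.dn : null;
}

// Apply the rule to every reconciled account; unmatched ones are orphan accounts.
function adoptAccounts(accounts, persons) {
  const adopted = [];
  const orphans = [];
  for (const acct of accounts) {
    const ownerDn = adoptionRule(acct, persons);
    if (ownerDn) adopted.push({ ...acct, owner: ownerDn });
    else orphans.push(acct);
  }
  return { adopted, orphans };
}

// Identity rule: default user ID for a new account request, built from the
// given-name initial plus surname, with a numeric suffix until it is unused.
function identityRule(person, existingIds) {
  const base = (person.givenname[0] + person.sn).toLowerCase().replace(/[^a-z0-9]/g, "");
  let candidate = base;
  let n = 1;
  while (existingIds.has(candidate)) candidate = base + String(++n);
  return candidate;
}

// Demo: one orphan is flagged, and a second "A. Smith" gets "asmith2".
const result = adoptAccounts(RECONCILED_ACCOUNTS, PERSONS);
const takenIds = new Set(RECONCILED_ACCOUNTS.map((a) => a.eruid));
console.log(result.orphans.map((a) => a.eruid), identityRule({ givenname: "Anna", sn: "Smith" }, takenIds)); // [ 'svcbackup' ] asmith2
```

Orphan accounts surfaced this way are the ones an administrator must either assign an owner to or remove, which is why the adoption rule's matching attributes deserve care.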
