Tivoli Identity Manager (Tim)

Source: Internet
Author: User
Tags ldap

The TIM Server is a J2EE application that runs on a Java application server and also includes a web server. The definitions of all objects in IBM Tivoli Identity Manager are stored in the directory tree, while the relational database mainly stores transaction records and other data that cannot live in the directory tree.
The TIM server submits ID provisioning requests to the IBM Tivoli Identity Manager agent (adapter) program, which modifies the user IDs on the managed resources (such as operating systems, databases, and applications). In this way user management across those resources is integrated with IBM Tivoli Identity Manager at the core.

User identity management mechanism of tim
Define Organizational Structure
The organizational structure of an enterprise can be defined in Tim. The organizational unit includes

Role-Based Access
Tim provides real role-based access control capabilities. The relationship between users and roles is constantly maintained. Each role has its own permission definition. If a user is assigned a role, this user has the permissions defined by the role. After the permission definition of this role is changed, all users granted this role will automatically have the permissions after the role is changed.
This function greatly simplifies the management of user permissions by the system administrator. All permission definitions only need to target a very limited number of roles, instead of a large number of general users, which significantly reduces the workload of system administrators to maintain user access permissions.

Tim allows administrators to define the access permissions of roles for each attribute of managed resources. For example, we can define a role that has read/write permissions on several attributes of an NT user (such as the user password and the maximum storage space), and define another role that does not have read/write permissions on these attributes. Therefore, when a user needs to acquire the permission to set user identities on a certain resource, multiple factors such as group, role, and approval process must be considered.
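The attribute-level role model described above, as an added example (constructed for this page, not IBM's code or Tim's API): permissions are attached to roles per (resource, attribute) pair and resolved through role membership at check time, so changing a role's definition changes every member's effective rights without touching the users. The resource name "ntuser", the attribute names, the role names and the user names are assumptions.

```python
"""Constructed example of attribute-level role-based access (not Tim's own code)."""
from collections import defaultdict

READ, WRITE = "read", "write"


class AccessModel:
    def __init__(self):
        # role -> {(resource, attribute): set of permissions}
        self.roles = {}
        # user -> set of roles; users never hold permissions directly
        self.members = defaultdict(set)

    def define_role(self, role, grants):
        """(Re)define a role from (resource, attribute, perms) triples."""
        self.roles[role] = {(res, attr): set(perms) for res, attr, perms in grants}

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.members[user].add(role)

    def revoke(self, user, role):
        self.members[user].discard(role)

    def effective(self, user):
        """Union of the permissions of every role the user holds, computed now."""
        perms = defaultdict(set)
        for role in self.members.get(user, ()):
            for key, p in self.roles[role].items():
                perms[key] |= p
        return dict(perms)

    def allowed(self, user, resource, attribute, perm):
        return perm in self.effective(user).get((resource, attribute), set())

    def audit(self, resource, attribute, perm):
        """Who can perform `perm` on this attribute, and through which roles.
        This is the check to run before widening or narrowing a role."""
        result = {}
        for user, roles in self.members.items():
            via = sorted(r for r in roles
                         if perm in self.roles[r].get((resource, attribute), set()))
            if via:
                result[user] = via
        return result


def build_demo():
    """Constructed roles and users mirroring the NT-user example in the text."""
    m = AccessModel()
    m.define_role("nt-account-admin", [
        ("ntuser", "password", {READ, WRITE}),
        ("ntuser", "maxstorage", {READ, WRITE}),
    ])
    m.define_role("helpdesk", [("ntuser", "maxstorage", {READ})])
    m.assign("alice", "nt-account-admin")
    m.assign("bob", "helpdesk")
    return m


if __name__ == "__main__":
    m = build_demo()
    print(m.allowed("bob", "ntuser", "maxstorage", WRITE))   # False
    # Widening the helpdesk role is enough; bob is not re-assigned.
    m.define_role("helpdesk", [("ntuser", "maxstorage", {READ, WRITE})])
    print(m.allowed("bob", "ntuser", "maxstorage", WRITE))   # True
    print(m.audit("ntuser", "password", WRITE))              # {'alice': ['nt-account-admin']}
```

The audit method is the part a practitioner actually wants: because rights are only reachable through roles, a single query answers "who can write this attribute and why", which is what makes the role-change step reviewable.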

Approval process
Tim provides a fully functional, graphical workflow management environment in which administrators can easily create and maintain complex workflows. For each step of a workflow the administrator can configure the approval conditions and approvers, the escalation conditions and escalation personnel, and the conditions under which additional information is requested and who must supply it.

Drag-and-drop workflow designer
Tim provides an intuitive drag-and-drop workflow designer with which designers can build an entire workflow through simple drag and drop. Every step of a workflow can be built in this graphical designer, for example request approval, entry of additional user information, escalation, and sub-workflows.
Support data collection process
Tim provides management personnel with the ability to enter additional user information throughout the workflow. For example, the Personnel Department needs to enter the user's employee number and department information, and the finance department needs to enter the user's account information.
Workflow Reuse
The workflow defined in Tim can be used for one or more id deployment policies. Therefore, each workflow can be reused on multiple managed resources (for example: operating system, database, and email system ).
Dynamically decide the approver
Tim provides enhanced authorization management capabilities. The workflow approver can assign a role rather than a fixed user. Therefore, after a new user is added to the approval role, the user automatically has the approval permission for the specific workflow.

Regular deployment
New employees or contractors should hold the permissions granted to them from the effective date of their contract until its last day. Of course, many jobs need to be prepared several days or weeks in advance. The scheduled deployment feature of Tim allows a provisioned user ID to access the corresponding systems only within the specified period (for example, the contract validity period); when that period ends, the user ID's access to those systems is cancelled. Scheduled deployment requests ensure that new employees or partners become productive as soon as possible and create value for the company, while the company's resources are protected in a timely and effective way.

Tim is divided into two web interfaces: Management Interface and user self-help interface. The management interface allows you to perform centralized management of automatic synchronization tasks and identities for most identity data from the source to the destination. The user self-help interface allows you to modify personal information and apply for an account.

In the following example, we will illustrate the roles and components that Tim plays in automatic identity synchronization.

Background: A company has many existing personnel information systems, including file-based identity information. This information is large and has to be managed in multiple places. In addition, many business systems, such as ERP, use this identity information. The information these systems read is stored in different directory services (LDAP), and the identity information held in the different directories is highly duplicated. As the enterprise grows, the identity information develops many problems of inconsistency and integrity. For example, when an employee leaves, the record exists in many data sources managed by different administrators, so if the identity information is not cleared in time, this gap can lead to serious security risks.

Based on the above situation, IAM can effectively solve these problems. For example, solution 1 is as follows:

1. Use HR and other information sources as the authoritative identity sources, including some identity files, and feed the various data sources into a database through EAI in a unified, standard data exchange format, such as Oracle tables and CSV files.

2. Use TDI to dynamically detect changes to these data sources and synchronize identity data to Tim.

3. Create the corresponding personnel entity in Tim and trigger the automatic supply policy to create an account node in enterprise LDAP.

4. Use TDI to automatically synchronize the identity information in enterprise LDAP to other directory services.

5. Compare the identity information synchronized from IAM with the data in the original directory services to detect discrepancies.

6. After a period of operation and data stability, the application systems are directly connected to the enterprise central Directory LDAP to remove the legacy LDAP.
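The core of steps 2 to 5 above is a change-detection and reconciliation loop: diff the authoritative source against the directory, emit add/modify/delete operations, and verify afterwards that the two agree. The following is an added example (constructed for this page, not IBM's, TDI's or Tim's code) that implements that loop over an in-memory directory snapshot. It also folds in the scheduled-deployment rule from earlier on the page by gating the account status on the contract validity dates, and it treats directory accounts with no authoritative owner as the leaver gap the background section describes. The CSV columns, DNs, attribute names and the sample records are constructed.

```python
"""Constructed example: authoritative-source to directory synchronization and
reconciliation (not the page's or IBM's code)."""
import csv
import io
from datetime import date

# Constructed HR export: the authoritative identity source (step 1).
HR_CSV = """employee_id,uid,cn,department,contract_start,contract_end
1001,asmith,Alice Smith,Finance,2023-01-01,2025-12-31
1002,bjones,Bob Jones,Engineering,2024-03-15,2024-09-30
1003,cwu,Carol Wu,HR,2024-06-01,2026-06-01
"""

BASE_DN = "ou=people,dc=example,dc=com"   # assumed directory layout

# Constructed snapshot of the target directory before synchronization.
# asmith has a stale department, bjones' contract has expired, dlee has no HR record.
DIRECTORY = {
    f"uid=asmith,{BASE_DN}": {"uid": "asmith", "cn": "Alice Smith",
                              "department": "Sales", "status": "active"},
    f"uid=bjones,{BASE_DN}": {"uid": "bjones", "cn": "Bob Jones",
                              "department": "Engineering", "status": "active"},
    f"uid=dlee,{BASE_DN}": {"uid": "dlee", "cn": "Dan Lee",
                            "department": "Engineering", "status": "active"},
}

SYNCED_ATTRS = ("cn", "department", "status")


def load_hr(csv_text):
    """Parse the HR export into a dict keyed by uid."""
    return {row["uid"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def desired_status(row, today):
    """Scheduled deployment: active only inside the contract validity window."""
    start = date.fromisoformat(row["contract_start"])
    end = date.fromisoformat(row["contract_end"])
    return "active" if start <= today <= end else "suspended"


def desired_entry(row, today):
    return {"uid": row["uid"], "cn": row["cn"],
            "department": row["department"], "status": desired_status(row, today)}


def plan_changes(hr, directory, today):
    """Diff the authoritative source against the directory.
    Returns a list of (op, dn, attrs) with op in {add, modify, delete}."""
    changes = []
    dn_by_uid = {entry["uid"]: dn for dn, entry in directory.items()}
    for uid, row in hr.items():
        want = desired_entry(row, today)
        if uid not in dn_by_uid:
            changes.append(("add", f"uid={uid},{BASE_DN}", want))
            continue
        have = directory[dn_by_uid[uid]]
        diff = {a: want[a] for a in SYNCED_ATTRS if have.get(a) != want[a]}
        if diff:
            changes.append(("modify", dn_by_uid[uid], diff))
    # Orphans: directory accounts with no authoritative owner are the leaver gap.
    for uid, dn in dn_by_uid.items():
        if uid not in hr:
            changes.append(("delete", dn, {}))
    return changes


def apply_changes(directory, changes):
    """Apply a change plan to a copy of the directory snapshot."""
    new = {dn: dict(attrs) for dn, attrs in directory.items()}
    for op, dn, attrs in changes:
        if op == "add":
            new[dn] = dict(attrs)
        elif op == "modify":
            new[dn].update(attrs)
        elif op == "delete":
            new.pop(dn, None)
    return new


def reconcile(hr, directory, today):
    """Step 5: list the uids still out of step with the authoritative source."""
    return sorted(dn.split(",")[0] for _, dn, _ in plan_changes(hr, directory, today))


if __name__ == "__main__":
    today = date(2024, 11, 1)           # constructed run date
    hr = load_hr(HR_CSV)
    plan = plan_changes(hr, DIRECTORY, today)
    for op, dn, attrs in plan:
        print(op, dn, attrs)
    synced = apply_changes(DIRECTORY, plan)
    print("out of sync after apply:", reconcile(hr, synced, today))   # []
```

Running the plan on the constructed data yields four operations: a department fix for asmith, a status change to suspended for bjones (contract ended before the run date), an add for cwu, and a delete for the orphan dlee. The reconciliation call after apply returning an empty list is the detection step; in a real deployment that check runs continuously against the legacy directories, because the dangerous state is precisely an orphan that the synchronization never reached.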

Some concepts of Tim are involved in this solution, such as entity, operation, provisioning policy, and service. The following describes the concepts.

Entity

In Tim, entity is the general term for the objects that store identity data, including person and account. After we customize the LDAP schema and import it into TDS, we can create a new entity that corresponds to that schema and then store identity information in Tim. Tim is particularly good at handling the relationship between people and accounts; this is one of its distinguishing characteristics.

Operation

An operation is a kind of action on an entity, such as add, modify, delete, suspend, restore, and changePassword. These are the classic operations on identity information, and the operation functions in Tim are very powerful: you can define the workflow graphically and write complex processing logic in JavaScript. For example, we can perform some calculations to meet the requirements before adding new personnel to Tim. The extensibility in this area is also good: we can define our own Java classes and then wrap them as custom JS functions through the JavaScript API of Tim.

Service

A service can be understood as a bridge between Tim and an external data source. For example, if we want Tim to create an account on an LDAP server, we need an LDAP service. In addition to the LDAP service, an IDI feed service is also used in this solution, which means that IDI (TDI) can push identity information directly into Tim.

Provisioning policy

The provisioning policy is a core component of Tim; it is what lets Tim automatically create accounts in the various target sources. In the provisioning policy we associate a specific service, define the correspondence between person attributes and account attributes, and write some processing logic. Automatic synchronization is also configured here.

The processing sequence is as follows:

1. Create an IDI feed service and set the relevant information (the external TDI AssemblyLine (AL) will use this information).

2. Import the schema we defined for our information into TDS and create the entity. Here we create the person entity.

3. Some simple attribute processing logic can be written in person's operation.

4. Import the LDAP adapter to tim so that we can create our LDAP service.

5. Create an automatic supply policy and set the correspondence between personnel and account attributes.

6. We use the default account operation without any processing logic.


By the way, the adapter is an independent component that allows Tim to connect to different data sources; it communicates over RMI. Many adapters can be downloaded from the official website. For example, the adapter for LDAP is implemented as an AssemblyLine, and the accounts in the target source are handled by that AL. Of course, for this adapter we need to install the corresponding dispatcher on the designated TDI server. In real projects the AL here may require additional processing logic to meet the customer's special requirements, so becoming familiar with TDI is critical.
