IBM® Security Privileged Identity Manager V2.0.2
Integration with IBM Security Identity Manager (ISIM)

Configuration Cookbook
Version 1.0, March 2016

Chee Meng Low
Haan-Ming Lim

Contents

1. Introduction
   1.1. Illustration on how to set up ISPIM–ISIM tethering
      1.1.1. Persona
      1.1.2. Scenario
2. Jake sets up ISPIM Service at ISIM
   2.1. Set up ISPIM Service on ISIM
   2.2. Reconcile the service instance
3. Jake sets up Provisioning Policy and account request workflow for ISPIM Accounts at ISIM
   3.1. Set up ISPIM Account Request workflow (Optional)
   3.2. Set up the provisioning policy for ISPIM accounts
   3.3. Set up ISPIM account defaults
   3.4. Set the Policy Enforcement Behavior setting
4. Jake sets up ISIM Access for ISPIM domain and roles
   4.1. Set up Access Request Workflow
   4.2. Set up Access Types for ISPIM Groups (Optional)
   4.3. Set up Access for ISPIM System Roles
   4.4. Set up an ISPIM domain and enable access
   4.5. Set up an ISPIM Shared Access Role and enable access
5. Adam requests an ISPIM Privileged Admin account
6. Adam sets up Credentials and Shared Access Policies in ISPIM Domain
7. Ben requests ISPIM Account and Shared Access Role
8. Ben performs ISPIM Check-in-Check-out operations
9. Jake exercises User Lifecycle Operations
10. Jake sets up Re-Certification Campaign
11. Ben re-certifies his ISPIM Shared Access Role
12. Jake sets up ISIM and ISPIM Reports at Cognos Server
13. Jake generates ISIM and ISPIM Reports for auditing
14. Other Notes
   14.1. ISIM set up tips when integrated with ISPIM
   14.2. IBM® Security Privileged Identity Manager set up tips when integrated with IBM® Security Identity Manager

Document History

Version 1.0: Created cookbook. Developer/IDD: Chee Meng Low / Haan-Ming Lim. Date: March 2016.

For cookbook updates, contact one of the following authors:
Chee Meng ([email protected])
Haan-Ming ([email protected])

1. Introduction

This cookbook describes scenarios for integrating IBM® Security Privileged Identity Manager (ISPIM) with IBM® Security Identity Manager (ISIM). The scenarios define specific goals and describe how to achieve them.

1.1. Illustration on how to set up ISPIM–ISIM tethering

Set up a basic configuration of IBM® Security Privileged Identity Manager (ISPIM) – IBM® Security Identity Manager (ISIM) tethering by using the ISPIM v2.0.2 virtual appliance (VA) and the ISIM v7.0.1 VA.

1.1.1. Persona

Jake: Overall System Administrator of IAM systems in JK Enterprises.

Adam: System Administrator for the Support department. He is the owner, or administrator, of various server systems in the department.

Ben: Application Team Leader in the Support department. He needs occasional administrator access to different server systems to upgrade software, restart systems or collect logs.

1.1.2. Scenario

Step: JK Enterprises has ISIM deployed for identity management across the enterprise, and has recently installed ISPIM for management of shared privileged credentials.

Step: Jake wants ISIM to manage the lifecycle of user accounts on ISPIM. He would like requests for ISPIM Accounts, System Roles (Privileged Admin) and Shared Access Roles to be made through ISIM approval workflows, and to apply ISIM reporting and re-certification to ISPIM accounts.
Additional:
• Jake would like ISPIM Role requests made at ISIM to be approved by the respective ISPIM Role or Credential Owner, such as a Privileged Admin user at ISPIM, and optionally by another party such as the user's manager. This is achieved by associating the various ISPIM Roles with appropriate ISIM approval workflows.
• The out-of-the-box Request Access and Approval Workflow feature of standalone ISPIM will not be used and should be disabled, because all ISPIM-related Access Requests should go through the ISIM user interface and workflows.

Step: Jake wants to delegate the on-boarding and management of Credential-to-Role entitlements at ISPIM to a Privileged Admin user in each major department. He wants to use ISIM to set up a separate admin domain in ISPIM for each department, such as "Support" and "Engineering".
Additional:
• For each domain, Jake will provide ISPIM Roles such as "SupportTeamLeads" in the domain, associate each Role with an ISIM approval workflow, and assign ownership of the domain to a user with the "Privileged Admin" system role, such as Adam. Adam can then log on to ISPIM to administer credentials and entitlements in his domain.

Step: Adam and Ben can use the ISIM Service Center to request accounts on ISPIM, just as they do for accounts on other enterprise systems.
Additional:
• For example, Ben will request ISPIM Roles such as "SupportTeamLeads", and Adam will approve his request through the ISIM Service Center.

Step: Adam will use the ISPIM Service Center to on-board Credentials and associated objects such as Resources and Identity Providers. He will entitle these Credentials to an appropriate ISPIM Role in his domain.
Additional:
• ISIM cannot be used to on-board and manage the Credentials that are managed by ISPIM. ISIM has visibility and control over the ISPIM Roles at ISPIM, but not over the actual Credentials and Credential-to-Role entitlements that are managed by ISPIM.

Step: Ben will use either the Enterprise Single Sign-On (ESSO) Agent or the ISPIM Self-Service User Interface (SSUI) to check out the credentials that he is entitled to.

2. Jake sets up ISPIM Service at ISIM

2.1. Set up ISPIM Service on ISIM

User interface: ISIM Administrative Console

Create a service of Service Type "ISPIM Profile". Specify the URL of the ISPIM server, for example the URL of the Load Balancer in front of an ISPIM virtual appliance (VA) cluster.

Note: ISIM requires "https" for the Server URL of the ISPIM server. Therefore the CA certificate that issued the ISPIM server's certificate must first be uploaded into the trusted certificate store of the ISIM virtual appliance, or the connection to ISPIM will fail.

Under Authentication, configure an existing ISPIM account that holds the System Admin system role, for example "PIM Manager", for authentication to the ISPIM server. This account gives ISIM full administrative rights over ISPIM, so it should be dedicated to the integration rather than shared with interactive administrators.
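The note above imposes two prerequisites before the service can be saved: an https Server URL, and the ISPIM server's CA certificate in the ISIM VA trust store. The following Python script is an added example for this cookbook, not IBM product code: it rejects a non-https URL up front and extracts the issuing CA certificate from the chain that the ISPIM server or load balancer presents, so the right file can be uploaded. The host name ispim-lb.jkenterprises.example, the sample openssl output and the output file name ispim-ca.pem are constructed for illustration; the live fetch assumes the openssl command line is installed.

```python
"""Pre-flight check for the ISPIM Server URL used by the ISIM service definition.

Added example for this cookbook, not IBM product code.  It covers the two
prerequisites from the note above: the Server URL must use https, and the CA
certificate that issued the ISPIM (or load balancer) certificate must be on
hand to upload into the ISIM VA trusted certificate store.  The live chain
fetch shells out to `openssl s_client -showcerts`; the sample output and the
host name are constructed for illustration.
"""
import re
import subprocess
from typing import Optional
from urllib.parse import urlparse

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed `openssl s_client -showcerts` output: leaf first, issuing CA
# second.  The base64 bodies are placeholders, not real certificates.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ispim-lb.jkenterprises.example
   i:CN = JK Enterprises Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTIFICATEBODY
-----END CERTIFICATE-----
 1 s:CN = JK Enterprises Issuing CA
   i:CN = JK Enterprises Root CA
-----BEGIN CERTIFICATE-----
ISSUINGCACERTIFICATEBODY
-----END CERTIFICATE-----
---
"""


def validate_ispim_url(url: str) -> tuple:
    """Return (host, port) for the ISPIM Server URL, rejecting non-https URLs.

    ISIM accepts only https here, so a plain http URL fails fast instead of
    failing later when the service is saved or reconciled.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"ISPIM Server URL must use https, got {parts.scheme!r}: {url}")
    if not parts.hostname:
        raise ValueError(f"ISPIM Server URL has no host name: {url}")
    return parts.hostname, parts.port or 443


def split_pem_chain(showcerts_output: str) -> list:
    """Return every PEM certificate block in `openssl s_client -showcerts` output."""
    return _PEM_BLOCK.findall(showcerts_output)


def pick_ca_cert(chain: list) -> str:
    """Return the certificate to upload into the ISIM VA trusted certificate store.

    The server sends its own (leaf) certificate first and its issuers after
    it, so the last block is the highest CA the server presents.  Servers
    normally omit the self-signed root, so a chain of one block means the
    CA certificate has to be obtained out of band instead.
    """
    if len(chain) < 2:
        raise ValueError("server presented no CA certificate; obtain the issuing CA from the PKI team")
    return chain[-1]


def fetch_chain(host: str, port: int) -> list:
    """Fetch the chain the ISPIM server presents (requires network and openssl)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=15, check=False,
    )
    return split_pem_chain(proc.stdout.decode("utf-8", "replace"))


def ca_cert_for_url(url: str, showcerts_output: Optional[str] = None) -> str:
    """Validate the URL, then return the CA PEM from live or supplied s_client output."""
    host, port = validate_ispim_url(url)
    if showcerts_output is None:
        chain = fetch_chain(host, port)
    else:
        chain = split_pem_chain(showcerts_output)
    return pick_ca_cert(chain)


if __name__ == "__main__":
    # Offline run against the constructed sample; drop the second argument to
    # fetch the chain from the real load balancer instead.
    pem = ca_cert_for_url("https://ispim-lb.jkenterprises.example", SAMPLE_SHOWCERTS)
    with open("ispim-ca.pem", "w", encoding="ascii") as fh:
        fh.write(pem + "\n")  # upload this file to the ISIM VA trusted certificate store
    print("wrote ispim-ca.pem with", len(pem), "bytes")
```

If the server presents only its own certificate, the script stops rather than guessing: the issuing CA must then be obtained from whoever runs the PKI. The resulting PEM file is what gets uploaded into the trusted certificate store of the ISIM virtual appliance before the service in this section is saved.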

2.2. Reconcile the service instance

User interface: ISIM Administrative Console

Run "Reconcile Now" on the ISPIM Service instance. This reconciles both the out-of-the-box and the existing ISPIM organization structure, system groups and roles into corresponding groups under the ISPIM service in ISIM.

Run "Manage Groups" on the same ISPIM service to verify that the out-of-the-box ISPIM groups have been synced over.
3. Jake sets up Provisioning Policy and account request workflow for ISPIM Accounts at ISIM

3.1. Set up ISPIM Account Request workflow (Optional)

User interface: ISIM Administrative Console

If the default or other existing Account Request workflows are not suitable for IBM® Security Privileged Identity Manager (ISPIM) Account Requests, create a new workflow just for the ISPIM Service Profile.

Add one or more Activities to the Workflow, for example an Approval Activity. In this example, the workflow consists of an Approval Activity (by the ISIM admin) and an Email Activity that sends an email to a designated user or role.

Once submitted, the new workflow is added to the list of existing Account Request Workflows. However, for this workflow to be invoked on an ISPIM Account Request, it must be tied to an entitlement within a Provisioning Policy for ISPIM accounts (see 3.2).

3.2. Set up the provisioning policy for ISPIM accounts

User interface: ISIM Administrative Console

Create or edit the provisioning policy for IBM® Security Privileged Identity Manager (ISPIM) Accounts.

Specify the entitlement as the ISPIM Service, with the appropriate Account Request Workflow. Now, when a user requests an ISPIM Account, the specified workflow is triggered.

3.3. Set up ISPIM account defaults

User interface: ISIM Administrative Console

Populate the required and other useful attributes for the IBM® Security Privileged Identity Manager (ISPIM) accounts that are created.

If IBM® Security Identity Manager (ISIM) is able to sync passwords to ISPIM, leave the "Change password at next logon" flag unchecked. By default, the user is assigned to the Privileged User group and placed under the root Business Unit in ISPIM.

Do not miss this step, as errors may arise when provisioning an ISPIM account to a user without these defaults.

3.4. Set the Policy Enforcement Behavior setting

User interface: ISIM Administrative Console

Choose the preferred option:
• Mark: when a user's access to an ISPIM system role is revoked, the now non-compliant ISPIM account is only marked and is not revoked.
• Correct: the ISPIM account is revoked. This is the stricter option for privileged accounts, since a marked account stays usable until someone acts on the mark.

4. Jake sets up ISIM Access for ISPIM domain and roles

Jake sets up IBM® Security Identity Manager (ISIM) Access for IBM® Security Privileged Identity Manager (ISPIM) groups, domains and roles, so that users can request such access through the ISIM Service Center.

4.1. Set up Access Request Workflow

User interface: ISIM Administrative Console

Set up one or more Access Request Workflows for ISPIM Shared Access Role access requests. Jake can set up different variations of workflow, each consisting of one or more approval or mail activities involving participants such as the Access Owner, Administrator or Manager. The following example workflow can be applied to all Access for any ISIM service, not only ISPIM.

Configure a simple workflow and add an "Approval by Access Owner" activity.

Add an Email Activity to notify the Administrator. It is also possible to create workflows specific to the ISPIM Service Profile. If multi-stage approval is required, stack the Approval Activities in the workflow's activity definition.

Whenever a Role or Access is defined, you can choose one of these workflows to apply to it.

4.2. Set up Access Types for ISPIM Groups (Optional)

If necessary, create new Access Types to represent the various types of IBM® Security Privileged Identity Manager (ISPIM) Access to be made available to IBM® Security Identity Manager (ISIM) users.

User interface: ISIM Administrative Console

In this example, a "PIM" Access Type is added under "Application", and three custom Access Types are added under "PIM" to represent access to a PIM Group, a PIM Domain and a PIM Role.

4.3. Set up Access for ISPIM System Roles

User interface: ISIM Administrative Console

For each Privileged Identity Manager (PIM) Group, also known as a System Role, that is to be made available for request, enable Access for the corresponding Group (of type "ISPIM Group") under the IBM® Security Privileged Identity Manager (ISPIM) service. The following example shows how the Access is configured for the Privileged Admin Group.

Classify the Access under the appropriate Access Type, and specify an Approval Workflow for requests that belong to this Access. Jake, who is the admin, would need to approve these requests.

Repeat the process for other PIM Groups where necessary.

It is not necessary to expose the Privileged User group as an Access, since this group entitlement is already defined in the Account Defaults for an ISPIM account (see 3.3).

4.4. Set up an ISPIM domain and enable access

Create a Privileged Identity Manager (PIM) Group of type "ISPIM admin domain" under the ISPIM service.

User interface: ISIM Administrative Console

Create a PIM domain "Support" under the PIM Business Unit "/JK Enterprises". This creates the PIM Business Unit "/JK Enterprises/Support" within PIM.

The domain owner can be assigned in one of the following ways:
a) Through ITIM Manager: add the owner user (who should also be a member of the PIM Privileged Admin group) as a member of the group created above.
b) Through workflows: enable access for this PIM domain, with the appropriate access type and approval workflow. The steps are similar to 4.3 Set up Access for ISPIM System Roles.

4.5. Set up an ISPIM Shared Access Role and enable access

Create a Privileged Identity Manager (PIM) Group of type "ISPIM role" under the IBM® Security Privileged Identity Manager (ISPIM) service.

User interface: ISIM Administrative Console

Create a PIM Group representing the PIM Shared Access Role "Support Team Leads" in the PIM Business Unit "/JK Enterprises/Support".

Select "Enable Access" and set the Access Type accordingly. Select the appropriate Approval Workflow. Since the approval workflow involves the Access Owner, the Access Owner property must be set to Adam.

Ensure that the PIM Group configured above is listed under the groups of type "ISPIM role" under the ISPIM service.

5. Adam requests an ISPIM Privileged Admin account

User interface: ISIM Service Center

Adam logs on to the IBM® Security Identity Manager (ISIM) Service Center to request a Privileged Identity Manager (PIM) account, membership of the PIM Privileged Administrator group, and administrator rights to the "Support" PIM Domain.

Adam's requests result in a batch request involving multiple required approvals. Assuming that the approval workflow is already set up, Adam should see a Pending status with pending activities. The approving parties, for example Jake, can log on to ISIM Manage Activities to approve the requests.

Expected results: Once all requests have been approved, Adam receives an email notification of his PIM account creation and password, and he is able to log in to the PIM consoles.

Additional: As a Privileged Administrator, Adam can log on to the ISPIM Admin and Service Center consoles under the designated PIM domain. If Adam wants to be the domain admin for more PIM domains, he can return to the ISIM Service Center to request them.

6. Adam sets up Credentials and Shared Access Policies in ISPIM Domain

User interface: ISPIM Service Center

On-board Credentials with their associated Resources and Identity Providers through the IBM® Security Privileged Identity Manager (ISPIM) Service Center.

Grant the privileged users access to credentials through ISPIM Service Center > Manage Access. See IBM Security Privileged Identity Manager v2.0.2, Creating Access.

7. Ben requests ISPIM Account and Shared Access Role

User interface: ISIM Service Center

Ben logs on to the IBM® Security Identity Manager (ISIM) Service Center to request an IBM® Security Privileged Identity Manager (ISPIM) Account and a PIM Role, such as "Support Team Leads".

The approval process requires Adam, who is the Access Owner, to log in to the ISIM Service Center to approve.

Once the request is approved, Ben can proceed to perform Check-in-Check-out (CICO) operations. If Ben requires more PIM Roles, he can return to the Service Center to request them.

If custom Access Types are configured for PIM Access as described in 4.2, Ben can narrow the list to specific PIM Access Types when required; for example, the available Accesses can be filtered by the access type "PIM Shared Access Role".

8. Ben performs ISPIM Check-in-Check-out operations

The steps are the same as in standalone IBM® Security Privileged Identity Manager deployments.

9. Jake exercises User Lifecycle Operations

Jake performs each of the following operations and, depending on the Policy Enforcement Behavior configured in 3.4, checks that the expected result occurred on the ISPIM account:
• Suspend an IBM® Security Identity Manager (ISIM) User.
• Delete an ISIM User.
• Remove an IBM® Security Privileged Identity Manager (ISPIM) Privileged Admin access from an ISIM or ISPIM User.

10. Jake sets up Re-Certification Campaign

User interface: ISIM Administrative Console

Jake logs in to the IBM® Security Identity Manager (ISIM) Admin Console to create a new Re-Certification Policy for IBM® Security Privileged Identity Manager (ISPIM) Shared Access Roles.

Jake searches for and adds the ISPIM Accesses representing the Shared Access Roles on PIM, and selects all of them as Access Targets of the policy.

Jake sets up the re-certification schedule.

Jake proceeds to set up the re-certification policy details. He specifies that users should self-certify their accesses and that their accesses will be approved even if there is no response from the user within 10 days. Alternatively, Jake can specify that the access will be automatically revoked if there is no response in 10 days. For privileged access, automatic revocation on timeout is the safer choice, since approval on silence lets unreviewed entitlements persist.

If necessary, Jake can select Advanced configuration mode to configure more advanced workflows through the Workflow Designer.

Jake proceeds to review and update the email templates for both re-certification and rejection.

After saving the policy, Jake can run the policy immediately or let it run on its next scheduled date.

Jake can bring up the ISPIM service groups and periodically check the re-certification status of the different accesses.

11. Ben re-certifies his ISPIM Shared Access Role

User interface: ISIM Service Center

Ben receives an email notification to re-certify his PIM role.

Ben logs in to the IBM® Security Identity Manager (ISIM) Service Center, clicks "Manage Activities" and sees a pending "re-certification" activity.

He enters the justification and clicks "Approve" to re-certify his need for continued access.

12. Jake sets up ISIM and ISPIM Reports at Cognos Server

Jake refers to the guides on deploying the IBM® Security Identity Manager (ISIM) and IBM® Security Privileged Identity Manager (ISPIM) reporting packages to the Cognos Server, and configures them to point to the respective ISIM and ISPIM databases.

13. Jake generates ISIM and ISPIM Reports for auditing

User interface: Cognos Reporting server

Jake logs in to the Cognos Reporting server. He clicks the "ISIM Reporting Model" to see the available out-of-the-box ISIM reports, and proceeds to generate the reports related to Access entitlements.

Jake then selects the "PIM Reporting Model" and generates several of its out-of-the-box reports, including "Shared Access Credentials by Role".

Jake then generates reports for privileged accesses performed through the Enterprise Single Sign-On Agent, and drills down into a command log captured from one of the PuTTY sessions.

13.13.13.13. Other NotesOther NotesOther NotesOther Notes

13.1.13.1.13.1.13.1. ISIMISIMISIMISIM set up tset up tset up tset up tipsipsipsips when integrated with when integrated with when integrated with when integrated with ISPIMISPIMISPIMISPIM

Step | Additional

If the IBM® Security Privileged Identity Manager (ISPIM) virtual appliance is configured to authenticate against a standalone registry:

• Enable Password Sync so that the IBM® Security Identity Manager (ISIM) password is synced to ISPIM.

• If external registry authentication is enabled at ISIM, make sure to also set up a managed service for the user registry, so that the ISIM password is synced to the external registry password, and so that ISIM can perform password syncing to ISPIM. When configuring against an HR Feed, remember to set Account Defaults for the ISIM account so that the user is not required to change the password upon first logon.

• If ISIM password syncing to ISPIM is not enabled (or not working), the user's initial ISPIM password can be retrieved from the email notification that ISPIM sends to the user's email address.

Additional configuration, including ACI manipulation, is required to delegate ISPIM service management to a user other than ITIM Manager.

For example, a dedicated ISIM domain needs to be created for ISPIM, the ISPIM Service created under that domain, and the delegated user made the Service Owner.

Additional configuration, including ACI and View manipulation, is required to delegate management of the respective ISPIM domains and roles (through the ISIM Admin Console) to the respective Domain Owner (Privileged Admin) users.

For example, a dedicated ISIM View needs to be created for Privileged Admin users, and ACIs granted for these users to manage the Roles created within their respective ISPIM domain. This configuration has not yet been tested in the lab.

Since ISIM Separation of Duty policies are applied to ISIM Roles only, and not to Accesses, additional configuration and customization is required to configure ISIM such that there is an ISIM Role corresponding to each ISPIM Role.

In this case, users request full-fledged ISIM Roles representing ISPIM Roles, and rely on customized workflows to auto-create the corresponding Service Groups. This configuration has not been tested in the lab.
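The following is an added illustration of the Separation of Duty point above; it is not ISIM or ISPIM product code, and the users, role names, the "PIM-" mirror-role prefix and the policy are constructed sample data. It models a policy that, like ISIM's, only inspects ISIM Roles: a user who holds two conflicting ISPIM Roles purely as Accesses (service group memberships) produces no violation, and the conflict only becomes visible once each ISPIM Role is mirrored by an ISIM Role, which is the end state the customized workflow described above is meant to maintain.

```python
"""Why ISIM Separation of Duty (SoD) needs an ISIM Role per ISPIM Role.

Added example, not product code. All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    isim_roles: set = field(default_factory=set)       # ISIM Roles the user holds
    ispim_accesses: set = field(default_factory=set)   # ISPIM Roles held only as Accesses


@dataclass(frozen=True)
class SodPolicy:
    name: str
    conflicting_roles: frozenset   # ISIM Role names that conflict with each other
    allowed: int = 1               # how many of them one user may hold at once


def evaluate_sod(users, policies):
    """Return {policy name: [uid, ...]} for every user who breaches a policy.

    Mirrors the behaviour the page describes: only isim_roles are examined,
    ispim_accesses are invisible to the policy engine.
    """
    violations = {}
    for policy in policies:
        for user in users:
            held = user.isim_roles & policy.conflicting_roles
            if len(held) > policy.allowed:
                violations.setdefault(policy.name, []).append(user.uid)
    return violations


def mirror_ispim_roles(users, prefix="PIM-"):
    """End state of the customised workflow: each ISPIM Role a user holds is
    also represented by an ISIM Role. The naming prefix is an assumption."""
    for user in users:
        user.isim_roles |= {prefix + access for access in user.ispim_accesses}
    return users


def sample_users():
    # Constructed data: jake holds two conflicting ISPIM Roles as Accesses,
    # alice holds only one of them.
    return [
        User("jake", {"Employee"}, {"DBAdmin", "DBAuditor"}),
        User("alice", {"Employee", "Manager"}, {"DBAuditor"}),
    ]


SOD_POLICIES = [
    SodPolicy("Database admin vs auditor",
              frozenset({"PIM-DBAdmin", "PIM-DBAuditor"})),
]


def violations_without_mirroring():
    """ISPIM Roles exist only as Accesses: the conflict is not detected."""
    return evaluate_sod(sample_users(), SOD_POLICIES)


def violations_with_mirroring():
    """Each ISPIM Role also exists as an ISIM Role: the conflict is reported."""
    return evaluate_sod(mirror_ispim_roles(sample_users()), SOD_POLICIES)


if __name__ == "__main__":
    print("without mirroring:", violations_without_mirroring())
    print("with mirroring:   ", violations_with_mirroring())
```

The policy definition is the same in both runs; only the presence of the mirrored ISIM Roles changes, which is exactly the gap the page's customized workflow closes.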


13.2. IBM® Security Privileged Identity Manager set up tips when integrated with IBM® Security Identity Manager

Step | User Interface

Do not enable the Request Access or Delete Access panel on the IBM® Security Privileged Identity Manager (ISPIM) Self-Service User Interface. The View Access panel can be enabled so that users can see which Accesses they have been granted.

This is to ensure that all Access Requests go through IBM® Security Identity Manager (ISIM). Access requests from the ISPIM Self-Service User Interface go through ISPIM access workflows, which are usually not configured, leading to automatic approval.

Disable Checkout Search for every Credential, and also disable the global default setting.

This is to prevent users from discovering and requesting a Role through ISPIM workflows, bypassing ISIM. Role requests from the ISPIM Self-Service User Interface go through ISPIM access workflows, which are usually not configured, leading to automatic approval.

Alter the Access Control Information (ACI) to prevent Privileged Administrators from being able to change ISPIM role memberships through ISPIM. View Role Membership may be left enabled.

This is to ensure that all role management activities occur at ISIM.
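The three tips in this section amount to a checklist that can be verified after configuration. The script below is an added example, not ISPIM product code: the dictionary layout is a constructed stand-in for whatever settings export or manual inventory you take from the appliance, and the three-state per-credential Checkout Search value (True, False, or None meaning "use the global default") is an assumption used to show why both the per-credential setting and the global default must be turned off.

```python
"""Audit of the ISPIM self-service hardening settings described in 13.2.

Added example, not product code. The export layout and the sample values
below are constructed; the None-means-global-default rule is an assumption.
"""

# Constructed sample export with three deliberate findings.
SAMPLE_EXPORT = {
    "self_service_panels": {
        "view_access": True,            # allowed: users may see granted Accesses
        "request_access": True,         # finding: bypasses ISIM approval
        "delete_access": False,
        "view_role_membership": True,   # allowed
    },
    "checkout_search_global_default": False,
    "credentials": [
        {"name": "root@db01", "checkout_search": None},    # inherits global (off)
        {"name": "admin@fw01", "checkout_search": True},   # finding: overrides global
        {"name": "svc_backup@app02", "checkout_search": False},
    ],
    "aci": {"privileged_admin_can_modify_role_membership": True},  # finding
}


def effective_checkout_search(credential_setting, global_default):
    """Resolve the per-credential value; None falls back to the global default."""
    if credential_setting is None:
        return bool(global_default)
    return bool(credential_setting)


def audit_ispim_self_service(export):
    """Return a list of findings; an empty list means all three tips hold."""
    findings = []

    panels = export["self_service_panels"]
    for panel in ("request_access", "delete_access"):
        if panels.get(panel):
            findings.append(
                f"{panel} panel enabled: requests bypass ISIM and hit "
                "unconfigured ISPIM workflows (auto-approval)")

    global_default = export["checkout_search_global_default"]
    if global_default:
        findings.append("checkout search global default enabled")
    for cred in export["credentials"]:
        if effective_checkout_search(cred.get("checkout_search"), global_default):
            findings.append(
                f"credential {cred['name']} is discoverable through checkout "
                "search (role can be requested via ISPIM, bypassing ISIM)")

    if export["aci"].get("privileged_admin_can_modify_role_membership"):
        findings.append(
            "ACI allows Privileged Administrators to change role memberships "
            "in ISPIM; role management should occur at ISIM only")

    return findings


if __name__ == "__main__":
    for finding in audit_ispim_self_service(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Note that `admin@fw01` is flagged even though the global default is off: a per-credential override re-exposes the credential, which is why the page says to disable Checkout Search on every Credential as well as the global setting. The reverse also holds: with the global default on, a credential left at "use default" (`root@db01`) would be exposed.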