ITIM - Imx - Scenarios


IBM Tivoli Identity Manager Express

Information Center - Scenario Topics


Note:
Before using this information and the product it supports, read the information in “Notices” on page 27.

Second Edition (April 2006)


This edition replaces all previous editions for version 4.6 of Tivoli Identity Manager Express and applies to all
subsequent releases and modifications until otherwise indicated in new editions.
This product includes Adaptx, a free XSLT Processor. (C) 1998-2002 Keith Visco and Contributors.
© Copyright International Business Machines Corporation 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Scenarios  1
  Creating an example account for a service  1
    Creating a user who needs an account  1
    Verifying that the test user can log on  1
    Creating the service  2
    Setting account defaults  3
    Requesting an account on the new service  4
    Verifying that the user has the account  4
    Troubleshooting an account request  5
  Creating an account request workflow  6
    Creating users to test an account request workflow  6
    Creating an account request workflow  8
    Testing the account request workflow  9
    Troubleshooting an account request workflow  10
  Creating an identity feed for Windows Server Active Directory  12
    Ensuring that the global identity policy attributes are appropriate  13
    Creating a service for Windows Server Active Directory  13
    Testing the identity feed reconciliation  15
    Troubleshooting the identity feed reconciliation  15
  Configuring a manual service  16
    Creating a test service owner  17
    Creating a manual service type  17
    Customizing an account form  19
    Creating an access control item for a manual service  21
    Creating a manual service  21
    Creating default values to reduce user effort  22
    Creating an account request workflow for a manual service  22
    Testing a request for a manual service  23
Notices  27
  Trademarks  28

© Copyright IBM Corp. 2006 iii


iv IBM Tivoli Identity Manager Express: Information Center - Scenario Topics
Scenarios
These scenarios explore some of the first steps as well as some of the more
advanced tasks that you can perform using Tivoli® Identity Manager Express.

As a prerequisite, install the Tivoli Identity Manager Express Server and verify that
its components are running. Additionally, obtain a system administrator user ID
(itim manager) and password (which is initially secret).

Creating an example account for a service


In this scenario, you create an example service for the Linux® service type, which
is a pre-installed service type. Then, you create an account on the service. If you do
not have a Linux server in your environment, substitute another service type that
is installed when you install the Tivoli Identity Manager Express Server.

Creating a user who needs an account


The first step in this scenario is to create a Tivoli Identity Manager Express user for
whom you later request an account.

To create the user, log on as an administrator and complete these steps:


1. In the navigation tree, click Manage Users.
2. In the Select a User window, in the Users table, click Create.
3. In the Create a User window, complete these fields on the Personal Information
page:
Last Name
Type testuser.
Full Name
Type j testuser.
Requested user ID
Type mytestuserID.
Skip the remaining fields on this page and also on the Corporate Information
and the Communications Information pages, and then click Continue.
4. In the Create a New Password window, click Allow me to type a password. In
the Password and Confirm password fields, type secret, and then click
Submit.
5. On the Success window, click Close.

Verifying that the test user can log on


The next step in this scenario is to verify that the Tivoli Identity Manager Express
user can log on.

To verify that the test user can log on, complete these steps:
1. In the navigation tree, click Log Out as administrator.
2. From the Login window, in the User ID field, type mytestuserID and in the
Password field, type secret. Click Log In.
This is the user ID that is provided in the Identity Manager login ID field in
the new user’s Personal Information page.



3. If the test user does not exist, complete these tasks:
a. Log on as an administrator.
b. In the navigation tree, click View Requests > View All My Requests.
c. In the Request type field of the Requests table, click the appropriate New
user request.
d. Examine the General page for the completion status and other result details.
e. Create another test user, after correcting the problem that appears in the
result details.
4. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window, click
Cancel.
5. In the navigation tree, click Change My Personal Profile to examine the
previously-entered profile information for the test user.
6. Log out as the test user and continue the steps in this scenario.

Creating the service


The next step in this scenario is to create the service using one of the default
service types. To successfully complete this task, you need to test the connection to
the managed resource.

To create the service, complete these steps:


1. Log on as an administrator.
2. In the navigation tree, click Manage Services.
3. In the Select a Service window, in the Services table, click Create.
4. On the Select Type of Service page, select the POSIX Linux profile, and then
click Next. If you do not have a Linux server, select a different service type.
5. On the Service Information page, specify the following values to define an
instance of this service type:
Service Name
Type Linux myhost
Description
Type the following description of the service: A first service
instance.
Tivoli Directory Integrator location
Accept the default, which is blank, indicating that you will use the
Tivoli Directory Integrator Server that the installation process provides
when you install Tivoli Identity Manager Express.
Managed resource location
Type the host name or IP address for the Linux resource.
Administrator name
Specify the administrative user ID for the Linux server. For example,
type root.
Password
Type the administrative password for the Linux server. For example,
type root.
Delete home directory when the account is deleted?
In this example, do not select this check box. If you select this check



box, the user’s home directory on the managed resource is deleted
when the Tivoli Identity Manager Express account is deleted.
Use a shadow file?
Accept the default (selected) for this check box, if you want
UNIX-based adapters to use an access-restricted ASCII system file that
stores encrypted passwords of users and related information. If you
select this check box, the shadow file must also be enabled on the
operating system.
Owner
In this example, do not specify a service owner. The service owner
manages a service, including the user accounts and requests for that
service.
Service prerequisite
Leave this field blank. You use this field to specify an existing service
instance or function that the Linux service instance requires. If a service
has another service defined as a service prerequisite, a user can only
receive a new account if they have an existing account on the service
prerequisite.
6. Click Test connection to ensure that the data in the required fields is valid and
that you can connect to the server.
You can create a service without ensuring a connection to the managed
resource. However, if your entries are incorrect, your subsequent attempts to
create an account on the managed resource will fail.
7. Click Next to go to the next page.
8. In the Reconciliation page, accept the default of Never, and then click Finish.
This example delays reconciliation until a later time because it assumes that
only your user ID and the test user ID exist. Reconciliation immediately
attempts to match the user accounts on the managed resource with any existing
Tivoli Identity Manager Express identity records, using an attribute such as
user ID. Because only your user ID and the test user ID exist, the reconciliation
might unnecessarily create orphan accounts in Tivoli Identity Manager Express
for any user accounts on the managed resource that have no match.
9. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.

Setting account defaults


The next step in this scenario is to set account default values. In this case,
specifying a default value helps identify the correct user who needs an account.

To set account defaults, complete these steps:


1. From the navigation tree, select Manage Services.
2. In the Select a Service window, click Search to find the service named Linux
myhost that you created. To ensure that this is the correct service instance,
click the name to see details about the instance.
3. In the Services table, click the arrow to the right of the service named Linux
myhost, and then click Account defaults.
4. On the Select an Account Attribute window, click Add.
5. On the Add an Account Attribute window, select the Gecos (comments)
attribute. Then, click Add default.
6. On the Gecos (comments) window, on the User attribute field, click Search.

7. On the Select a User Attribute window, select the Full Name attribute, and
then click OK.
The benefit of providing this account default is that the value of the user’s
name appears on account information.
8. On the Manage Account Defaults window, click OK.
9. On the Select an Account Attribute window, click OK.
10. On the Success window, click Close.

Requesting an account on the new service


The next step in this scenario is to request an account for the test user on the new
service that you created.

To request an account, complete these steps:


1. In the navigation tree, click Manage Users.
2. In the Select a User page, in the User attribute field, type all or part of the
user ID that you created. For example, type test because the user that you
created contains these letters.
3. In the Search by list, select Full name, and then click Search.
4. In the Users table, click the arrow to the right of the name of the user (j
testuser) for whom you want to create the account, and then click Request
accounts.
5. In the Select a Service window, click Search to display all the available
services.
6. In the Services table, select the service named Linux myhost, and then click
Continue.
7. On the Account Information page, accept the default value in the User ID field. Do
not specify any other account attributes, and then click Continue.
8. On the Password window, select Allow me to type a password. Then, type
and confirm secret as the password, and then click Submit.
9. On the Success window, click Close. Continue clicking Close to return to the
Home window.
10. To determine the status of your request, complete these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, examine the
Status field for the status of an Account add request that has a timestamp
and service instance that matches your earlier request.
c. After you determine the request status, click Close.

Verifying that the user has the account


The next step in this scenario is to verify that the user has an account on the
managed resource.

Before logging in as the test user on the managed resource, you determined in a
previous step in this scenario that your account request was successful.

To test whether you successfully obtained an account on the managed resource, log
on as the new user to the managed resource.



Troubleshooting an account request
If you were unsuccessful in creating an account for the user that you created, you
can troubleshoot the problem on the computer where Tivoli Identity Manager
Express Server is installed, and also on the computer where the managed resource
is installed.

For example, the following problems might occur:


v If the managed resource or the intermediate servers are not running at the time
that you request the account, the account request might fail.
v Request transmission requires a brief interval of time in which a request for an
account goes to and returns from the Tivoli Identity Manager Express Server, the
intermediate Tivoli Directory Integrator Server, and the managed resource,
where the account is created. If you check for a new account too soon after your
request, the account creation process might not be complete.

After taking steps to correct the problem, repeat the process to request an account.
For example, restart the managed resource and repeat your request for a test
account.

To troubleshoot on the Tivoli Identity Manager Express Server, determine the
account request status on the Tivoli Identity Manager Express Server, log on with
your administrator user ID, and complete these steps:
1. View your request by taking these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, examine the
Status field for the status of an Account add request that has a timestamp
and service instance that matches your earlier request.
If the account request failed, complete these steps:
1) In the Requests table, click the request name in the Request type field.
2) In the General window, a Result details or a Reason for failure field
might contain a message such as CTGIMD810E The adapter returned an
error status for an add request.
3) Locate additional information on why the adapter returned an error
message. For example, there might be information in the
TIVOLI_COMMON_DIRECTORY/trace.log file. There might also be
information in the msg.log file.
Additionally, you might examine the ITDI_HOME/solDir/ibmdi.log file.
You can also set the log4jrootCategory property in the
ITDI_HOME/solDir/log4j.properties file to obtain additional
information.
4) Correct the error and submit the account request again.
c. If this is a UNIX-based adapter and you chose to use a shadow file when
you created the service, ensure that the shadow utility is running on the
operating system. To determine whether the utility is storing encrypted
passwords, type the following at an operating system prompt:
cat /etc/shadow
You should see encrypted entries in the file.
2. Test server connectivity by taking these steps:
v If you did not accept the default, which is blank, for the Tivoli Directory
Integrator Server location, ensure that you entered the correct address of the

Tivoli Directory Integrator Server and also for the managed resource. Test the
connection. Correct the values in the address fields if you receive an error
such as this message:
The following error occurred. Error: CTGRI0001E
The application could not establish a connection to
mybox.mylablab.city.company.com.
To locate this field, complete these steps:
a. In the navigation tree, click Manage Services.
b. In the Select a Service window, in the Services table, select the service.
c. On the Service Information page, in the Tivoli Directory Integrator
location field, specify the correct address.
v Ensure that the necessary servers are running:
– Tivoli Directory Server
On Windows systems, click Start > Programs > Control Panel >
Administrative Tools > Services. In the list of services, determine if the
Tivoli Directory Server entry has a status of started. If not, start the
service.
– WebSphere Application Server
Start the WebSphere Application Server administrative console. On a
browser, enter this Web address:
http://hostname:9060/admin
The value of hostname is the fully qualified host name or the IP address of
the computer on which the WebSphere Application Server is running. The
value 9060 is the default port number for the WebSphere administrative
HTTP transport.
For more information on steps to verify that these servers are running, refer
to the IBM Tivoli Identity Manager Express Installation and Configuration Guide.

Creating an account request workflow


Tivoli Identity Manager Express provides a global account request workflow that
contains no activities. In this scenario, you design a workflow that is associated
with a specific service, and insert an activity that specifies that a manager must
approve requests for new accounts.

Creating users to test an account request workflow


The first step in this scenario is to create two test users to validate that a workflow
can process an account request.

To test this scenario, you need these users:


v cmanager
This manager approves an account request.
v juser
This user requests an account.

To create these users, complete these steps:


1. Create the cmanager user.
a. In the navigation tree, click Manage Users.
b. In the Select a User window, in the Users table, click Create.
c. On the Personal Information page, complete these fields, and then click
Continue:
Last name
Type Manager.
First name
Type Chuck.
Initials
Leave this field blank for this test user.
Full name
Type Chuck Manager.
Requested user ID
Type cmanager.
Home address
Leave this field blank for this test user.
Shared secret
Leave this field blank for this test user. (When you specify password
retrieval that provides a link to a Web site to obtain the password,
the user provides a shared secret to access the Web site.)
Groups
Accept the default, which is blank. In the next step in this scenario,
you create the juser user and select Chuck Manager as the manager.
Chuck Manager then obtains automatic membership in the manager
group.
d. Skip entering information in the Business Information and Contact
Information windows for this test user, and click Continue.
e. On the Password window, select Allow me to type a password. Then, type
and confirm secret as the password, and then click Submit.
f. On the Success window, click Close.
2. Create the juser user.
a. In the navigation tree, click Manage Users.
b. In the Select a User window, in the Users table, click Create.
c. In the Personal Information window, complete these fields, and then click
Continue:
Last name
Type User.
First name
Type Judith.
Initials
Leave this field blank for this test user.
Full name
Type Judith User.
Requested user ID
Type juser.
Home address
Leave this field blank for this test user.
Shared secret
Leave this field blank for this test user. (When you specify password
retrieval that provides a link to a Web site to obtain the password,
the user provides a shared secret to access the Web site.)

Groups
Accept the default, which is blank.
d. In the Business Information window, in the Manager field, click Search.
e. In the Select Users window, in the User Attribute field, type chuck. In the
Search by window, select Full Name, and click Search.
f. In the Select Users window, in the Users table, select Chuck Manager, and
click OK.
Selecting Chuck Manager as the manager causes Chuck Manager to obtain
membership in the Manager group.
g. Skip entering information in the Contact Information window for this test
user and click Continue.
h. On the Password window, select Allow me to type a password. Then, type
and confirm secret as the password, and then click Submit.
i. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.

Creating an account request workflow


The next step in this scenario is to create a workflow that is used whenever an
account is requested for the service that you created.

In the previous scenario, you created the service named Linux myhost. In this
scenario, you will create an account request workflow for that service.

To design an account request workflow, complete these steps:


1. From the navigation tree, select Design Workflow > Manage Account Request
Workflows.
2. In the Manage Account Request Workflows window, in the Account Request
Workflows table, click Create.
3. In the Manage Account Request Workflows window, on the General page, type
the following information for your workflow:
Name Type VPN approval.
Description
Type Linux service enables Virtual Private Network account access
4. In the Manage Account Request Workflows window, select the Services tab. On
the Services page, click Add, and then complete these steps:
a. In the Services window, select the POSIX Linux profile from the Service
Type list, and then click Search.
b. In the Services table, select the Linux myhost service, which is the service
that you created in the previous scenario.
c. Click OK.
5. In the Manage Account Request Workflows window, select the Activities tab.
On the Activities page, complete these steps:
a. Select Create an approval activity, and then click Go.
b. In the Approval Activity window, specify the following information:
Activity name
Type Manager Approval for VPN accounts.
Approver type
Select Manager.



Escalation time (Days)
Type 10. The request escalates to the specified escalation participant
when this interval of time expires.
Escalation participant type
Select Administrator.
c. In the Approval Activity window, click OK.
6. In the Manage Account Request Workflows window, click OK again.
7. On the Success window, click Close.

Testing the account request workflow


To test whether a workflow enables approval of an account request, you need to
validate whether a user can request a new account, and the approver type that you
selected, which in this example is the manager, can approve the request. Then, as
the account user, you need to log on to the managed resource to test whether you
can access the new account.

Before you begin, log off as administrator.

To test whether the workflow is valid, complete these steps:


1. Request an account as Judith User by logging on with the juser user ID. This is
the user ID that is provided in the Identity Manager login ID field in the new
user’s Personal Information page. Complete these steps:
a. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
b. In the navigation tree, click Manage My Accounts > Request an Account.
c. In the Select a Service window, click Search.
d. In the Select a Service window, select the Linux myhost service in the
Services table, and then click Next.
e. If additional tabs are available before you reach the Password window, click
Next to skip to the Password window.
f. On the Password window, select Allow me to type a password. Then, type
and confirm secret as the password, and then click Finish.
g. On the Success window, click Close.
h. Log out as juser.
Allow an interval of time (several minutes) to elapse before taking the next
steps, to ensure that processing has time to place the request for an account in
the activity queue.
2. Approve an account request as Chuck Manager by logging on with the
cmanager user ID. This is the user ID that is provided in the Identity Manager
login ID field in the new user’s Personal Information page. Complete these
steps:
a. On the Specify Forgotten Password Information window, optionally type
one or more required questions and answers to the forgotten password
information, and then click OK. To skip the window, click Cancel.
b. You should immediately see an activity in your to-do list. Click the activity
name. If you have more than one approval, it may be in a grouped
approval list.
v If the approval request is in a group, a Grouped Approval window
appears.

1) In the Grouped Approval window, select the check box for one or
more activities that you want to approve. In the Comments field, add
any comments that are necessary, and then click Approve.
2) After a confirmation approval message appears, click Close.
v If there is only one request in your queue, an Approval Details window
appears:
1) In the Approval Details window, in the Requested for and the
Requested by fields, click the user name to ensure that this is a
request that you want to approve. Review the information, and then
click Close.
2) In the Approval Details window, click Approve.
3) On the Success window, click Close.
c. Log out as cmanager.
3. Check the status of an account request as the requestor by logging on as juser,
and completing these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, click the
calendar icons next to the Start date and End date fields to set the starting
and ending times of the interval. Then, click Search.
c. Examine the Status field for the status of an Account add request that has a
timestamp and service instance that matches the account request.
The status column for the request indicates a value of Success, Pending, or
Failed. For example, you might find that the request has a status of
Pending.
d. To determine who must respond to a pending request, click the item in the
Request type field. For example, click Account add.
e. In the Activities window, click the item in the Activity field. For example,
click my_activity.
f. In the Approval Details window, read the field values for any additional
information such as the due date before the request is escalated to another
participant. Then, repeatedly click Close to exit the request status windows.
4. Verify that the Judith User has an account on the managed resource by
completing these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, determine
that the request indicates success.
c. Log on as juser on the managed resource.

Troubleshooting an account request workflow


If you were unsuccessful in creating an account request workflow, you can
troubleshoot the problem on the computer where Tivoli Identity Manager Express
Server is installed, and also on the computer where the managed resource is
installed.

For example, the following problems might occur:


v If you created an approval activity with an incorrect value for the approver, the
account request might go to an unintended recipient.
v If the managed resource or the intermediate servers are not running at the time
you request the account, the account request might fail.



v Request transmission requires a brief interval of time in which a request for an
account goes to and returns from the Tivoli Identity Manager Express Server, the
intermediate Tivoli Directory Integrator Server, and the managed resource,
where an account is created. If you check for a new account too soon after your
request, the account creation process might not be complete.

After taking steps to correct the problem, repeat the process to request an account.
For example, restart the managed resource, and repeat your request for a test
account.

To troubleshoot on the managed resource, log on to the managed resource, using
the administrator user ID and password.

To troubleshoot on the Tivoli Identity Manager Express Server, log on with your
administrator user ID, and complete these steps:
1. View your request by taking these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, examine the
Status field for the status of an Account add request that has a timestamp
and service instance that matches your earlier request.
If the account request failed, complete these steps:
1) In the Requests table, click the request name in the Request type field.
2) In the General window, a Result details or a Reason for failure field
might contain a message such as CTGIMD810E The adapter returned an
error status for an add request.
3) Examine the Requested changes page for possible values that do not
match the intended approver type.
4) Locate additional information on why the adapter returned an error
message. For example, there might be information in the
TIVOLI_COMMON_DIRECTORY/trace.log file. There might also be
information in the msg.log file.
Additionally, you might examine the ITDI_HOME/solDir/ibmdi.log file.
You can also set the log4jrootCategory property in the
ITDI_HOME/solDir/log4j.properties file to obtain additional
information.
5) Correct the error and submit the account request again.
c. If this is a UNIX-based adapter and you chose to use a shadow file when
you created the service, ensure that the shadow utility is running on the
operating system. To determine whether the utility is storing encrypted
passwords, type the following at an operating system prompt:
cat /etc/shadow
You should see encrypted entries in the file.
2. Test server connectivity by taking these steps:
v If you did not accept the default, which is blank, for the Tivoli Directory
Integrator Server location, ensure that you entered the correct address of the
Tivoli Directory Integrator Server and also for the managed resource. Test the
connection. Correct the values in the address fields if you receive an error
such as this message:
The following error occurred. Error: CTGRI0001E
The application could not establish a connection to
mybox.mylablab.city.company.com.
To locate this field, complete these steps:

a. In the navigation tree, click Manage Services.
b. In the Select a Service window, in the Services table, select the service.
c. On the Service Information page, in the Tivoli Directory Integrator
location field, specify the correct address.
v Ensure that the necessary servers are running:
– Tivoli Directory Server
On Windows systems, click Start > Programs > Control Panel >
Administrative Tools > Services. In the list of services, determine if the
Tivoli Directory Server entry has a status of started. If not, start the
service.
– WebSphere Application Server
Start the WebSphere Application Server administrative console. On a
browser, enter this Web address:
http://hostname:9060/admin
The value of hostname is the fully qualified host name or the IP address of
the computer on which the WebSphere Application Server is running. The
value 9060 is the default port number for the WebSphere administrative
HTTP transport.
For more information on steps to verify that these servers are running, refer
to the IBM Tivoli Identity Manager Express Installation and Configuration Guide.
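The two troubleshooting procedures above (for a plain account request and for an account request workflow) both come down to the same checks: look for a message code in the request result and in trace.log, msg.log or ibmdi.log, confirm that a UNIX resource really keeps its password hashes in the shadow file, and confirm that the WebSphere administrative port answers. The following helpers, added here as an example and not taken from IBM or the product, run those checks over text you already have. The sample log text is constructed and only resembles the real log layout; the only message codes taken from the manual are CTGIMD810E and CTGRI0001E, and 9060 is the default WebSphere administrative HTTP port the manual names.

```python
"""Offline triage helpers for a failed account request (added example)."""
import re
import socket
from typing import Dict, List

# Codes the manual shows, with the follow-up it recommends for each.
KNOWN_CODES = {
    "CTGIMD810E": "adapter returned an error: read trace.log, msg.log and ibmdi.log",
    "CTGRI0001E": "no connection: correct the Directory Integrator / resource address",
}

# Tivoli message codes look like CTG + component letters + 3-4 digits + severity.
CODE_RE = re.compile(r"\b(CTG[A-Z]{2,4}\d{3,4}[EWI])\b")
# Host named in a CTGRI0001E message; \s+ lets the host sit on the next line,
# as it does in the message quoted in the manual.
HOST_RE = re.compile(r"could not establish a connection to\s+([A-Za-z0-9._-]+)")


def triage(log_text: str) -> Dict[str, str]:
    """Map every message code found in the text to the recommended follow-up."""
    result: Dict[str, str] = {}
    for code in CODE_RE.findall(log_text):
        result.setdefault(code, KNOWN_CODES.get(code, "unknown code: check the message log"))
    return result


def unreachable_hosts(log_text: str) -> List[str]:
    """Hosts that a CTGRI0001E message says could not be reached, in order, without duplicates."""
    hosts: List[str] = []
    for host in HOST_RE.findall(log_text):
        host = host.rstrip(".")  # the quoted message ends with a full stop
        if host not in hosts:
            hosts.append(host)
    return hosts


def shadow_status(passwd_text: str, shadow_text: str) -> Dict[str, str]:
    """Per user, where the password hash lives and whether it is usable.

    'hashed'        passwd defers to shadow ('x') and shadow holds a hash
    'locked'        shadow field starts with '!' or '*' (password login impossible)
    'empty'         shadow field is empty (passwordless account)
    'not-shadowed'  passwd still carries the hash itself, or user missing from shadow
    """
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            hashes[parts[0]] = parts[1]
    status: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        name, pw = parts[0], parts[1]
        if pw != "x" or name not in hashes:
            status[name] = "not-shadowed"
        elif hashes[name] == "":
            status[name] = "empty"
        elif hashes[name][0] in "!*":
            status[name] = "locked"
        else:
            status[name] = "hashed"
    return status


def admin_port_open(host: str, port: int = 9060, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the WebSphere administrative port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample text (not a real trace.log); the two messages are the
# ones the manual quotes.
SAMPLE_LOG = """\
2006-04-10 09:12:01 ... CTGIMD810E The adapter returned an error status for an add request.
The following error occurred. Error: CTGRI0001E
The application could not establish a connection to
mybox.mylablab.city.company.com.
"""

# Constructed passwd/shadow excerpts: root is shadowed, the test user is locked,
# and 'legacy' still carries its hash in passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "mytestuserID:x:1001:1001:j testuser:/home/mytestuserID:/bin/bash\n"
    "legacy:$1$abc$hashhere:1002:1002::/home/legacy:/bin/sh\n"
)
SAMPLE_SHADOW = (
    "root:$6$salt$hash:13250:0:99999:7:::\n"
    "mytestuserID:!:13250:0:99999:7:::\n"
)

if __name__ == "__main__":
    for code, advice in triage(SAMPLE_LOG).items():
        print(f"{code}: {advice}")
    print("unreachable:", unreachable_hosts(SAMPLE_LOG))
    print("shadow:", shadow_status(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a real server, read the log files named in the steps above into `triage` and `unreachable_hosts`, and pass the contents of /etc/passwd and /etc/shadow from the managed resource to `shadow_status`; a user reported as `not-shadowed` or `empty` is the case the "Use a shadow file?" check box assumes does not exist.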

Creating an identity feed for Windows Server Active Directory


In this scenario, you load identity information from Windows Server Active
Directory into Tivoli Identity Manager Express, creating Tivoli Identity Manager
Express users.

The following actions are taken when loading data:


v Data from the Windows Server Active Directory repository for a given
individual, such as an office number, is transferred to the value of an equivalent
attribute for the Tivoli Identity Manager Express user.
v Data that indicates a person is a manager adds the equivalent Tivoli Identity
Manager Express user to a Manager group.

You first create a Windows Server Active Directory service. Then you ensure that
the global identity policy specifies the attributes that are necessary to create a
Tivoli Identity Manager Express user ID. Subsequently, you reconcile existing
identity records from the Windows Server Active Directory server to create Tivoli
Identity Manager Express users.

For some identity data, the use of the erRoles attribute allows additional changes
to Tivoli Identity Manager Express records. However, because erRoles is not an
attribute of the Windows Server Active Directory organizational person, the
mapping logic in Tivoli Identity Manager Express policies is not applicable to
Windows Server Active Directory feeds.

Required information for creating an identity feed


Before you begin to define an identity feed for Windows Server Active Directory,
collect or create the required information:
v Obtain your site requirements for the length, case sensitivity, and attributes of a
user ID. For example, the user ID might combine the first characters of the full
name of an employee with a numeric value, such as an employee number.



v Optionally, create a test user on the Windows Server Active Directory server.
Specify the full name of the user. In this example, the test user is named Pat
Testperson.
v Additionally, collect this information for the identity records and the Windows
Server Active Directory server:
– Administrative user ID and password of the administrator who is authorized
to access the Windows Server Active Directory server
– Host name or IP address and port number of the Windows Server Active
Directory computer on which the identity records exist
– Distinguished name and the domain of the container that holds the identity
records
– The attributes, such as cn, that uniquely identify the identity record as an
object

Ensuring that the global identity policy attributes are appropriate
The first step in this scenario is to determine whether the attributes that the global
identity policy uses are appropriate for your site for the Tivoli Identity Manager
Express user ID.

Before you begin, obtain your site requirements for Tivoli Identity Manager
Express user IDs.

To specify the global identity policy that is appropriate for your site, complete
these steps:
1. From the navigation tree, select Manage Policies > Manage Identity Policies.
2. In the Work with Identity Policies window, in the Identity Policies table, click
Change global rule.
3. In the Manage Identity Policies window, examine the fields on the Rule page,
and change them as appropriate for your site requirements:
First attribute
Select an attribute, specify a character length, and specify which case to
use. For example, select Last name, specify a character limit such as 20,
and select Lower case.
Secondary attribute
Select an attribute, specify a character length, and specify which case to
use. For example, select Employee number, specify a limit such as 9,
and select Lower case.
4. Click OK to save the changes.
5. On the Success window, click Close.
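The mapping that the feed performs (office number copied, managers added to a Manager group) and the global identity policy rule configured above, worked through as an added example that is not IBM's code: the user ID is the last name cut to 20 characters plus the employee number cut to 9, both lower case, and an empty container is reported as a warning rather than a failure. The AD attribute names sn, employeeNumber, physicalDeliveryOfficeName and directReports, and the sample records, are assumptions.

```python
"""Simulates what the AD identity feed does when it reconciles person records
into Tivoli Identity Manager Express users (added example, not IBM code). The
AD records are constructed; sn, employeeNumber, physicalDeliveryOfficeName and
directReports are assumed to be the attributes the feed reads, and the user ID
rule is the global identity policy configured in this scenario."""
import unicodedata
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IdentityRule:
    """One attribute of the global identity policy: which attribute, how many
    characters to keep, and whether to lower-case the result."""
    attribute: str
    max_length: int
    lower_case: bool = True

    def apply(self, record: dict) -> str:
        value = str(record.get(self.attribute, ""))
        # Fold accents and drop anything that is not a letter or digit so the
        # fragment is safe to use in a login ID.
        value = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
        value = "".join(ch for ch in value if ch.isalnum())[: self.max_length]
        return value.lower() if self.lower_case else value


# First attribute: Last name, 20 characters, lower case.
# Secondary attribute: Employee number, 9 characters, lower case.
GLOBAL_IDENTITY_POLICY = (IdentityRule("sn", 20), IdentityRule("employeeNumber", 9))


@dataclass
class ItimUser:
    uid: str
    full_name: str
    office: str = ""
    groups: list = field(default_factory=list)


def generate_uid(record: dict, policy=GLOBAL_IDENTITY_POLICY) -> str:
    uid = "".join(rule.apply(record) for rule in policy)
    if not uid:
        raise ValueError(f"{record.get('cn')!r}: no user ID because "
                         f"{[r.attribute for r in policy]} are all empty")
    return uid


def reconcile(records: list, policy=GLOBAL_IDENTITY_POLICY):
    """Returns (users, warnings). The office number is copied to the user, a
    person with direct reports is added to the Manager group, and an empty
    container is reported as a warning because the feed itself reports success
    in that case."""
    users, warnings, seen = [], [], {}
    if not records:
        warnings.append("naming context contains no identities; no users created")
    for rec in records:
        try:
            uid = generate_uid(rec, policy)
        except ValueError as exc:
            warnings.append(str(exc))
            continue
        if uid in seen:
            warnings.append(f"duplicate user ID {uid!r}: {rec.get('cn')!r} and {seen[uid]!r}")
            continue
        seen[uid] = rec.get("cn")
        user = ItimUser(uid=uid, full_name=rec.get("cn", ""),
                        office=rec.get("physicalDeliveryOfficeName", ""))
        if rec.get("directReports"):
            user.groups.append("Manager")
        users.append(user)
    return users, warnings


# Constructed sample records, in the shape an AD organizationalPerson entry has.
SAMPLE_AD_RECORDS = [
    {"cn": "Pat Testperson", "sn": "Testperson", "employeeNumber": "000123456",
     "physicalDeliveryOfficeName": "B-204", "directReports": []},
    {"cn": "Chuck Supervisor", "sn": "Supervisor", "employeeNumber": "7",
     "physicalDeliveryOfficeName": "B-101",
     "directReports": ["cn=Pat Testperson,cn=users,dc=dev,dc=itim,dc=ibm,dc=com"]},
    {"cn": "Ann Featherstonehaugh-Smythe", "sn": "Featherstonehaugh-Smythe",
     "employeeNumber": "1234567890", "physicalDeliveryOfficeName": "C-7"},
    {"cn": "Nobody Placeholder", "sn": "", "employeeNumber": ""},
]

if __name__ == "__main__":
    created, problems = reconcile(SAMPLE_AD_RECORDS)
    for u in created:
        print(u.uid, u.full_name, u.office, u.groups)
    for p in problems:
        print("warning:", p)
```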

Creating a service for Windows Server Active Directory


The next step in this scenario is to create a service for Windows Server Active
Directory identity information.

To create the service, complete these steps:


1. From the navigation tree, click Manage Services.
2. In the Select a Service window, in the Services table, click Create.
3. In the Select the Type of Service page, select AD OrganizationalPerson identity
feed as the service type, and then click Next.

4. In the Service Information page, specify the appropriate values for the service
instance:
Service Name
Type a name for the service instance. For example, type AD Feed.
URL Type the address of the computer on which the identity records exist.
The syntax is:
ldap://address:portnumber
The value of address is either the IP address or the host name of the
Windows Server Active Directory server. The default value of
portnumber is 389. Your site might have a different port number or no
port number.
For example, type: ldap://ps2999
User ID
Identify the administrator who is authorized to access the Windows
Server Active Directory server, including the naming context of the
container that holds the identity records. The syntax is:
cn=administratorID,cn=users,domainname
The value of domainname is the distinguished name of the Windows
Server domain.
If the Windows® Server domain is dev.itim.ibm.com, the domainname
distinguished name will be dc=dev, dc=itim, dc=ibm, dc=com.
For example, type:
cn=administrator,cn=users,dc=dev,dc=itim,dc=ibm,dc=com
Password
Type the password for the administrator who is authorized to access
the Windows Server Active Directory server.
Naming Context
Type the distinguished name and the domain of the container that
holds the identity records. The identity feed uses this value to
communicate the information, using the Java™ Naming and Directory
Interface. For example, type:
cn=users,dc=dev,dc=itim,dc=ibm,dc=com
Name Attribute
Select cn from the drop-down list.
5. Click Test Connection to validate that the data in the fields is correct. Then,
click Next.
Testing the connection verifies the settings and server connectivity. If the
Universal Resource Locator data fails the connection test, contact the
administrator who is responsible for the computer on which the managed
resource runs. Then, examine the value of the URL field to ensure that it
contains the correct IP address or the host name of the Windows Server Active
Directory server.
6. In the Reconciliation page, select Perform a reconciliation now. Additionally,
select Daily as the interval at which subsequent reconciliations occur. In the At
this time field, accept the default daily time. Then, click Finish.
The initial reconciliation occurs immediately. The process uses identity data on
the Windows Server Active Directory computer to create Tivoli Identity
Manager Express users.



7. On the Success window, click Close.
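The field syntax from step 4 (the ldap://address:portnumber URL, the cn=administratorID,cn=users,domainname bind DN, and the naming context), computed from three inputs and checked for consistency, as an added example that is not IBM's code. It assumes the Windows Server domain name, the administrator ID and the URL are the only inputs; the function names are the example's own.

```python
"""Builds and checks the connection fields of the AD OrganizationalPerson
identity feed service (added example, not IBM code). Assumes the inputs are
the DNS name of the Windows Server domain, the administrator ID, and the
ldap:// URL typed into the URL field of the service form."""
from urllib.parse import urlsplit

DEFAULT_LDAP_PORT = 389        # default value of portnumber in ldap://address:portnumber
USERS_CONTAINER = "cn=users"   # container that holds the identity records in this scenario


def domain_to_dn(domain: str) -> str:
    """dev.itim.ibm.com -> dc=dev,dc=itim,dc=ibm,dc=com"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape the characters that RFC 4514 treats as special inside a DN value,
    so an administrator ID such as 'Smith, J' cannot split the bind DN."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def admin_bind_dn(admin_id: str, domain: str, container: str = USERS_CONTAINER) -> str:
    """User ID field: cn=administratorID,cn=users,domainname"""
    return f"cn={escape_rdn_value(admin_id)},{container},{domain_to_dn(domain)}"


def naming_context(domain: str, container: str = USERS_CONTAINER) -> str:
    """Naming Context field: the container DN plus the domain DN."""
    return f"{container},{domain_to_dn(domain)}"


def parse_ldap_url(url: str) -> tuple:
    """URL field: ldap://address[:portnumber]; the port defaults to 389."""
    parts = urlsplit(url.strip())
    if parts.scheme != "ldap":
        raise ValueError(f"URL must use the ldap:// syntax: {url!r}")
    if not parts.hostname:
        raise ValueError(f"URL has no address: {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"URL must contain only address and port: {url!r}")
    return parts.hostname, parts.port or DEFAULT_LDAP_PORT


def service_fields(url: str, admin_id: str, domain: str,
                   naming_context_dn: str = None) -> dict:
    """The values to type into the service form. A naming context supplied by
    hand is checked against the domain, which mirrors the troubleshooting
    advice that a context outside the domain is a silent way to get no users."""
    host, port = parse_ldap_url(url)
    domain_dn = domain_to_dn(domain)
    context = naming_context_dn or naming_context(domain)
    if not context.lower().endswith("," + domain_dn):
        raise ValueError(f"Naming Context {context!r} is not under {domain_dn!r}")
    return {
        "URL": f"ldap://{host}:{port}",
        "User ID": admin_bind_dn(admin_id, domain),
        "Naming Context": context,
        "Name Attribute": "cn",
    }
```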

Testing the identity feed reconciliation


The next step in this scenario is to test whether the reconciliation actually created
Tivoli Identity Manager Express users.

To test the identity feed reconciliation, complete these steps:


1. Validate that the reconciliation was successful by completing the following
steps. When you have determined the outcome of the request, click Close.
a. From the navigation tree, select View Requests > View All Requests by
Service.
b. In the View All Requests by Service window, click Search to find the
service.
c. In the Select a service window, click Search again.
d. In the Select a service window, in the Services table, select the Windows
Server Active Directory service, and click OK.
e. Select the time period that you want to search, specifying a start date in the
Start Date field and an end date in the End Date field, and then click
Search.
The Requests table displays the requests that match the search criteria that
you specified. To sort the table by the contents of a particular column, click
the arrow in the column header.
f. In the Requests table, click the request that you made to reconcile the
Windows Server Active Directory identity records.
Examine the fields on the General page to ensure that this is your request. If
the request did not succeed, the Reason for failure field contains a message.
For example, the message might be:
CTGIMT201E No login or an invalid credential was supplied in the request.
2. Test whether you can find the Tivoli Identity Manager Express user, Pat
Testperson, that you created earlier in this scenario on the Windows Server
Active Directory resource. Complete these steps:
a. From the navigation tree, select Manage Users.
b. In the Select a User window, in the User attribute field, type Pat
Testperson. Then, click Search.
c. In the User table, click the target user, Pat Testperson.
d. In the Personal Information page, determine whether other data you might
have entered is correct.
e. Log out as administrator.
f. Using the new password, log on using the user ID that is provided for the
new user in the Identity Manager login ID field in the Personal Information
page. Ensure that you can view the Home page.

Troubleshooting the identity feed reconciliation


If you were unsuccessful in reconciling an identity feed, you can troubleshoot the
problem on the computer where Tivoli Identity Manager Express Server is
installed.

For example, the following problems might occur:

v The managed resource or the intermediate servers are not running at the time
that you request the reconciliation. In this case, the reconciliation might fail.
v The naming context that you specified in the service does not match the
Windows Server Active Directory schema. If the naming context does not exist,
an error message occurs. However, there are no errors if the context exists but
the Windows Server Active Directory contains no identities. In this case, the
identity feed indicates success, but no Tivoli Identity Manager Express users are
created or modified.
v You specify an incorrect value for the administrator user ID or password on the
Windows Server Active Directory computer.

Ensure that these servers are running:
v Windows Server Active Directory server
v Tivoli Directory Server
On Windows systems, click Start > Programs > Control Panel >
Administrative Tools > Services. In the list of services, determine if the Tivoli
Directory Server entry has a status of started. If not, start the service.
v WebSphere Application Server
Start the WebSphere Application Server administrative console. On a browser,
enter this Web address:
http://hostname:9060/admin
The value of hostname is the fully qualified host name or the IP address of the
computer on which the WebSphere Application Server is running. The value
9060 is the default port number for the WebSphere administrative HTTP
transport.

For more information on steps to verify that these servers are running, refer to
the IBM Tivoli Identity Manager Express Installation and Configuration Guide and
the IBM Tivoli Identity Manager Express Release Notes.

Configuring a manual service


In this scenario, you configure a manual service that handles requests for voice
mail, which require an employee to perform a manual activity and indicate its
success.

Tasks in this scenario include creating a service type for the manual service and
customizing account and service forms. You then create the service and set its
default values. You create a workflow to specify participants who approve a
request, and you also create an access control item to provide read and write
permission for an attribute, which is a voice mail access number. After you assign
the service to a user who is the service owner, the service owner receives a request,
calls the telephone company to create the voice mail, and returns a result when the
action is successful. Finally, you test whether a user can determine that a request
succeeds in obtaining voice mail.

After a manual service participant completes a work order and any related
activities for a user, the service creates an account for the work order.



If you receive multiple work orders with the same user ID, complete the task for
only one of the work orders and mark it as successful. Return the remaining work
orders for the same user ID as failed. Otherwise, if multiple accounts exist for the
same user ID, reconciliation removes only one of the accounts.

Creating a test service owner


The first step in this scenario is to create a user to be the service owner. The
manual service owner must handle the user request.

To create the user, complete these steps:


1. As administrator, log on to Tivoli Identity Manager Express.
2. In the navigation tree, click Manage Users.
3. In the Select a User window, in the User table, click Create.
4. In the Personal Information window, complete these fields and then click
Continue:
Last name
Type Phoneperson.
First name
Type Jan.
Initials
Leave this field blank for this test user.
Full name
Type Jan Phoneperson.
Requested user ID
Type jphoneperson.
Home address
Leave this field blank for this test user.
Shared secret
Leave this field blank for this test user. (When you specify password
retrieval that provides a link to a Web site to obtain the password, the
user provides a shared secret to access the Web site.)
Groups
Accept the default, which is blank.
5. Skip entering information in the Business Information and Contact Information
windows for this test user, and click Continue.
6. On the Password window, select Allow me to type a password. Then, type and
confirm secret as the password, and then click Submit.
7. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.

Creating a manual service type


To create a manual service type, you need to add a new schema class to LDAP.

To create the service type by specifying a new LDAP schema class that has a
voiceMailAccessNumber attribute for the manual service, complete these steps:
1. In the navigation tree, click Configure System -> Manage Service Types.
2. On the Manage Service Types window, click Create.
3. Click the General tab, and then complete these fields:

Service Type Name
Enter VoiceMailAccount. Do not include spaces in the name. This
value becomes the service type name.
Description
This field is read-only. Leave it blank.
Service Provider
Select Manual.
4. Click the Service tab, and then complete these fields:
LDAP class
Enter VoiceMailService. Do not include spaces in the name. This is a
new LDAP class that you create during this scenario. Avoid using an
identical value in the LDAP class and the Service Type Name fields.
5. On the Account tab, complete this field:
LDAP class
Enter VoiceMailProfile. Do not include spaces in the name.
6. In the Attributes table, click Add.
7. In the Attribute name field, type each of these attributes, and then click OK
to add each attribute:
v voiceMailAccessNumber
Select Required and Directory String.
v telephoneNumber
Select Required and Directory String. This example uses a
telephoneNumber attribute that already exists. The operation to reference
the attribute with this service type succeeds, although you receive an error
such as this message when you create the service type:
CTGIMO111E Fail to add or update schema for attribute [telephoneNumber].
Reason: [LDAP: error code 20 - GLPSCH031E attribute type ’2.5.4.20’ already
exists, add operation failed. ].
You might receive a different error message about the telephoneNumber
attribute. Ignore the error message and continue.
Make no changes to other attributes that the account has, such as Password
and User ID.
The VoiceMailAccount service type initially has these attributes:
Table 1. Attributes in the example service type
Attribute               Required
telephoneNumber         Yes. Notice that this is a pre-existing attribute.
Password                Remove this attribute, which is not needed for a voice mail request.
User ID                 You cannot change this attribute. Accept the default.
voiceMailAccessNumber   No

8. On the Attributes table, select the Password attribute and click Remove.
9. On the Manage Service Types window, click OK to create the service type.
10. On the Success window, click Close.
11. On the navigation tree, click Configure System -> Manage Service Types.
Validate that a VoiceMailAccount item exists in the Service Type column.
12. Click Close.



Customizing an account form
The next step in this scenario is to format a request window that users will later
access. You need to specify the window’s contents.

The default account form might contain additional fields that display information
that users do not need, such as service information. As part of customizing the
user interface for a manual service, you remove unnecessary fields.

To customize the account form, complete these steps:


1. On the navigation tree, click Configure System -> Design Forms to launch the
Form Designer applet, which requires an interval of time to load.
If this is the first time that the Form Designer runs, the applet installs the Java
2 Runtime Environment on your workstation computer. When the Java2
Runtime Environment is installed, accept the defaults. Click Finish when the
installation wizard completes.
2. On the Design Forms window, double-click the Account folder to load the
profile tree. Loading profiles requires an interval of time.
3. In the list of profiles, double-click VoiceMailAccountAccountProfile. Loading
profile attributes requires an interval of time.
The VoiceMailAccountAccountProfile account form contains the attributes
from the service type:
Table 2. Attributes in the example Account form
Attribute name in Account form   Attribute specified in service profile   Keep or delete?
$eruid                           User ID                                  Keep
$telephonenumber                 telephoneNumber                          Keep
$voicemailaccessnumber           voiceMailAccessNumber                    Keep

4. In the account template on the VoiceMailProfileAccountProfile window,
complete these steps to modify the list of attributes:
a. Change the format of the field names to make them more user friendly:
v $telephonenumber
Select the $telephonenumber attribute. Then, in the Properties section of
the window, click the Format tab. In the Label field, replace the value
$telephonenumber by typing Telephone number for voice mail.
v $voicemailaccessnumber
Select the $voicemailaccessnumber attribute. Then, in the Properties
section of the window, click the Format tab. In the Label field, replace the
value $voicemailaccessnumber by typing Voice mail access number.
Alternatively, if translation is important, do not change the labels of the
field names in the Form Designer. Instead, specify a value for the
voicemailaccessnumber attribute in the drive\IBM\itim\data\
CustomLabels.properties file. For example, specify this string value for the
voicemailaccessnumber attribute:
# Voice Mail Service attributes
voicemailaccessnumber=Voice mail access number
To display the value that you specified in the CustomLabels.properties file,
restart the Tivoli Identity Manager Express Server.
b. Reorder the attributes for ease of use by selecting an attribute and clicking
the up arrow icon in the Form Designer menu bar. If the attribute is not at
the top of the list, position the $eruid attribute uppermost, followed by the
$telephonenumber and $voicemailaccessnumber attributes. Alternatively,
you can right-click an attribute and click Move Up Attribute in the menu.
c. On the Form Designer task bar, click Form -> Save Form Template.
d. Click OK on the success message window.
5. Double-click the Service folder to open the Service template on the
VoiceMailProfileAccountProfile window.
The Service form contains these attributes:
Table 3. Attributes in the example Service form
Attribute name in Service form   Attribute specified in service profile   Keep or delete?
$eruid                           User ID                                  Delete
$erprerequisite                                                           Delete
$erpassword                                                               Delete
$owner                                                                    Keep. The administrator needs to know who the service owner is.
$description                                                              Keep
$erservicename                                                            Keep

6. Complete these steps to modify the list of attributes:


a. Double-click VoiceMailAccountAccountProfile.
b. Delete the unnecessary attributes. Right-click the attribute, and then select
Delete Attribute in the drop-down menu.
c. Change the control type of the $owner attribute to a search capability for a
specific user as the service owner.
1) Select the Service Owner attribute. Run the mouse across the icons in the
Form Designer menu bar until you locate Search Control (a magnifying
glass icon). Click the Search Control icon.
2) In the Search Control Editor window, select User as the category and
click OK. The $owner attribute changes to indicate that it references the
Search Control control type. This control type causes a list of users to
appear when the administrator clicks the Search button next to this
field.
d. Order the attributes for ease of use by selecting an attribute and clicking the
up arrow icon in the menu bar.
Position the $erservicename attribute uppermost, followed by the
$description and $owner attributes. Alternatively, you can right-click an
attribute and click Move Up Attribute in the menu. This is the vertical
order that the field labels will appear in the window when you
subsequently create a service for this service type.
7. On the Form Designer task bar, click Form -> Save Form Template.
8. Click OK on the success message window.
9. Click Close to close the Form Designer applet.



Creating an access control item for a manual service
The next step in this scenario is to create an access control item for the manual
service. For example, the access control item grants permission to users to write a
value such as a telephone number or access number when they request a voice
mail account.

To create an access control item for the manual service, complete these steps:
1. In the navigation tree, click Set System Security > Create an Access Control
Item.
2. On the General tab, complete these fields, and then click Next:
Name Type MySiteVoiceMail_ACI.
Protection category
Select Account.
Object class
Select VoiceMailProfile.
3. On the Operations page, click Next to skip to the next tab.
4. On the Permissions page, grant Read and Write permission for the
telephonenumber and the voicemailaccessnumber attributes. Then, click Next.
5. On the Membership page, check the Account owner check box to specify that
the access control item applies to only those accounts that are owned by the
user. Do not select other check boxes.
6. Click Finish to save the access control item.
7. On the Success window, click Close.

Creating a manual service


The next step in this scenario is to create a manual service and specify its default
values.

To create a manual service, complete these steps:


1. In the navigation tree, click Manage Services.
2. In the Create a Service window, in the Services table, click Create.
3. In the Create a Service window, select VoiceMailAccount as the service type.
Then, click Next. The list of service types might span several pages.
4. In the General Information window, the field labels appear in the sequence that
you previously specified on the Service template. Complete these fields and
then click Next:
Service name
Type MySiteVoiceMailAccount.
Description
Type Local site.
Owner
Click Search. In the Select Users window, click Search again. In the
Users table, select Jan Phoneperson as the owner, and then click OK.
When the service is created, Jan Phoneperson automatically becomes a
member of the Service Owners group.
5. In the Participants window, in the Participant type field, select User. In the
User name field, click Search. In the Find Person window, type Jan
Phoneperson. In the Users table, select Jan Phoneperson, and then click OK.
6. Accept the defaults in the remaining fields and click Next.

If Pat does not respond within the escalation interval, the administrator will
receive the request in a to-do list. Alternatively, if you select a group, such as
Service Owner, an escalated request goes to all members of the Service Owner
group.
7. Skip the reconciliation window, and click Finish.
A reconciliation file for a manual service might serve the purpose of bulk
loading additional data that has a narrow scope, such as a set of matching user
IDs and pre-assigned access numbers for voice mail.
8. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.

Creating default values to reduce user effort


The next step in this scenario is to set default values to reduce the tasks that users
must complete to request an account on the manual service. For example, you
might provide a default value for the user’s telephone number.

To specify default values, complete these steps:


1. In the navigation tree, click Manage Services.
2. In the Select a Service window, in the Service Type field, select
VoiceMailAccount from the list, and then click Search.
3. In the Services table, click the arrow icon to the right of the
MySiteVoiceMailAccount service, and then select Account defaults.
4. On the Select an Account Attribute window, click Add.
5. On the Select an Attribute to Default window, select Telephone number for
voice mail, and click Add Default.
6. On the Telephone number for voice mail window, complete these fields:
Prepend text
Enter the value 999- as your example area code.
User attribute
Click Search. Then, select the Telephone Number attribute, and then
click OK.
Append text
Leave this field blank.
7. Click OK to return to the Select an Account Attribute window.
Validate that the area code prefix 999-{Telephone Number} now appears in the
Template value field.
8. Click OK to save the account defaults.
9. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.

Creating an account request workflow for a manual service


The next step in this scenario is to create a workflow that is used whenever an
account is requested for the manual service.

Only one account request workflow can be assigned to a service. To design a
workflow for the new manual voice mail service, complete these steps:
1. From the navigation tree, select Design Workflow > Manage Account Request
Workflows.



2. In the Manage Account Request Workflows window, in the Account Request
Workflows table, click Create.
3. In the Manage Account Request Workflows window, on the General page, type
the following information for your workflow:
Name Type Voice mail workflow.
Description
Type Provides voice mail for local site
4. In the Manage Account Request Workflows window, click the Services tab.
5. On the Services page, click Add, and then complete these steps:
a. In the Services page, click Search.
b. In the Services table, select the MySiteVoiceMailAccount service, and then
click OK.
6. In the Manage Account Request Workflows window, click the Activities tab,
and then complete these steps:
a. Select Create an approval activity, and then click Go.
b. In the Approval Activity window, specify the following information:
Activity name
Type Manager Approval for voice mail.
Approver type
Select Manager.
Escalation time (Days)
Type 10.
Escalation participant type
Select Service owner.
c. In the Approval Activities window, click OK.
7. In the Manage Account Request Workflows window, click OK again.
8. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.
9. Log out as the administrator.

Testing a request for a manual service


In this step of the scenario, you test whether the user can determine that a request
for an account on a manual service was successful.

To test whether a request for an account on a manual service is successful, you
need a test user who submits a request, a manager who approves the request, and
a service owner, who completes the manual task and returns a successful result to
the requestor.
1. First, request the account by completing these steps:
a. Log on as juser, the test user that you created in an earlier scenario.
b. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
c. In the navigation tree, click Manage My Accounts -> Request an Account.
d. In the Select a Service window, click Search.
e. In the Services table, select the MySiteVoiceMailAccount service, and then
click Next.

f. In the Account Information window, enter values in these required fields,
and leave the remaining fields blank:
Telephone number for voice mail
Type 123-4567.
Voice Mail Access Number
Type 123456.
g. Click Finish.
h. On the Success window, click Close.
i. Log out.
2. Next, approve an account request by completing these steps:
a. Log on using the cmanager user ID that you created in an earlier scenario.
As Judith’s manager, Chuck must approve the request.
b. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
c. In the to-do list, click the activity named Manager approval for voice
mail.
v If the approval request is in a group, a Grouped Approval window
appears.
1) In the Grouped Approval window, select the check box for one or
more activities that you want to approve. Do not enter text in the
Comments field, and click Approve.
2) After a confirmation approval message appears, click Close.
v If there is only one request in your queue, an Approval Details window
appears:
1) In the Approval Details window, in the Requested for and the
Requested by fields, click the user name to ensure that this is a
request that you want to approve. Review the information, and then
click Close.
2) In the Approval Details window, click Approve. The request goes to
the service owner’s queue.
3) On the Success window, click Close.
d. Log out.
3. Complete the request and return a success indicator by completing these
service owner tasks:
a. Log on as the service owner, using the jphoneperson user ID.
b. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
c. In the service owner’s to-do list, click the activity named Manual
Service Account Add.
d. In the Work Order Details window, in the Requested for and the Requested
by fields, click the user name to ensure that this is a work order that you
want to complete. Review the information, and then click Close.
e. Complete the manual action required and enter a comment in the comments
field: Try your voice mail access now.
f. In the Work Order Details window, click Successful.



g. On the Success window, click Close.
h. Log out as service owner.
4. Validate the success of the request by logging on as the user who made the
request (juser, in this example), and completing these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, click the
calendar icons next to the Start date and End date fields to set the starting
and ending times of the interval. Then, click Search.
c. Examine the Status field for the status of an Account add request that has a
timestamp and service instance that matches the account request.
The status column for the request indicates a value of Success, Pending, or
Failed. For example, you might find that the request has a status of
Pending.
d. To determine who must respond to a pending request, click the item in the
Request type field. For example, click Account add.
e. For more information, click Activities. In the Activities window, review the
outcome of activities in the table.
f. On the Success window, click Close.

Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere

Lotus is a registered trademark of Lotus Development Corporation and/or IBM
Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus
Development Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks
of others.
