Tool Mentor: ITIM - Operate Security Protection Mechanisms
TM063 - How to Use IBM Tivoli Identity Manager to Operate Security Protection Mechanisms
Tool: IBM Tivoli Identity Manager
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.

Details

IBM® Tivoli® Identity Manager provides a secure, automated and policy-based user management solution that helps businesses do more with fewer resources and manage user identities effectively and securely throughout their life-cycle, across both legacy and e-business environments. IBM Tivoli Identity Manager provides security access controls through provisioning policies, reconciliation, password resets and workflows.

Through centralized control, IBM Tivoli Identity Manager enables organizations to provide security access controls by dictating what accounts should exist and under what guidelines or policies. These guidelines are defined by a set of provisioning policies, which assign entitlements based on role memberships. Modifying role memberships provides a quick method of access control, as this action can provision or de-provision large numbers of identities across a wide variety of systems. In the event of unauthorized access, large or small, access control protection may be applied by decommissioning or modifying the targeted accounts. Additionally, for end of life-cycle activities, IBM Tivoli Identity Manager can revoke the access of identities through entitlement removal. This effectively controls access to managed end-points through de-provisioning. See Chapter 17: Provisioning Policies in the IBM Tivoli Identity Manager Policy and Organization Administrator Guide version 4.5.1.

Security access controls are also implemented through the system reconciliation feature. With this operation, the server can detect account creations, modifications, or deletions made on an endpoint machine and enforce changes if any non-compliance is found. For example, if a malicious user account becomes a member of a group and its membership in the group is outside of policy, then upon service reconciliation the modified attributes will be rectified on the endpoint. This effectively provides access controls on the endpoint because actions can be taken in the form of suspension, removal, or correction of non-compliant accounts. See Chapter 32: Reconciliations in the IBM Tivoli Identity Manager Policy and Organization Administrator Guide version 4.5.1.
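
The reconciliation check described above, as an added example: a simplified JavaScript model that compares accounts read back from an endpoint with role-based entitlements and picks an enforcement action. It is not IBM Tivoli Identity Manager code and does not use its API; the policy shape, the account records, the action names and the handling of unowned accounts are all assumptions made for illustration.

```javascript
// Simplified model of policy-driven reconciliation. This is not ITIM code or
// its API; every name and record below is constructed for illustration.

// Provisioning policy (assumed shape): role -> groups entitled on one service.
const POLICY = {
  helpdesk: ["users", "pwreset-operators"],
  dba: ["users", "db-admins"],
};

// Central identity store (constructed): account owner -> role memberships.
const OWNERS = { alice: ["helpdesk"], bob: ["dba"] };

// Groups a user may hold: the union of the entitlements of every role held.
function entitledGroups(uid) {
  return new Set((OWNERS[uid] || []).flatMap((role) => POLICY[role] || []));
}

// Compare accounts read back from the endpoint against policy.
// enforcement: "correct" removes out-of-policy groups, "suspend" disables the
// account, anything else only reports the finding.
function reconcile(endpointAccounts, enforcement = "correct") {
  const findings = [];
  for (const acct of endpointAccounts) {
    if (!Object.prototype.hasOwnProperty.call(OWNERS, acct.uid)) {
      // Created directly on the endpoint, no central owner (assumed handling: suspend).
      findings.push({ uid: acct.uid, issue: "unowned", action: "suspend", extra: acct.groups });
      continue;
    }
    const allowed = entitledGroups(acct.uid);
    const extra = acct.groups.filter((g) => !allowed.has(g));
    if (extra.length === 0) continue; // compliant, nothing to do
    const action = enforcement === "correct" ? "remove-groups"
      : enforcement === "suspend" ? "suspend" : "report";
    findings.push({ uid: acct.uid, issue: "non-compliant", action, extra });
  }
  return findings;
}

// Constructed endpoint snapshot: alice was added to db-admins on the host itself.
const SNAPSHOT = [
  { uid: "alice", groups: ["users", "pwreset-operators", "db-admins"] },
  { uid: "bob", groups: ["users", "db-admins"] },
  { uid: "svc-tmp", groups: ["users"] },
];

console.log(reconcile(SNAPSHOT));
```

Changing a role membership in `OWNERS` changes the result of the next `reconcile` run for that user, which is the model's counterpart of provisioning or de-provisioning through role changes.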

Within IBM Tivoli Identity Manager, security access controls are also enforced through account password resets. Password resets are available to self-care, administrative or help desk type roles, and become an important access control tool when used to reset the passwords of compromised accounts. IT Administration may push down organization-wide password resets and securely distribute the new passwords to account owners. Complementing password resets, password policies within IBM Tivoli Identity Manager keep the new passwords consistent with corporate character-complexity requirements. See Chapter 25: Password and Logon Properties and Chapter 21: Password Policies in the IBM Tivoli Identity Manager Policy and Organization Administrator Guide version 4.5.1.

Workflow mechanisms complete the security access controls by providing the flexibility to implement business-centric workflows that regulate whether actions may take place. To accommodate complex business models, IBM Tivoli Identity Manager workflows can be designed to require approvals that regulate access controls based on a variety of participant approvers. Additionally, request-for-information workflows further refine approval down to the account attribute level. See Chapters 7 and 8: Workflow and Workflow JavaScript® Extensions in the IBM Tivoli Identity Manager Policy and Organization Administrator Guide version 4.5.1.

For More Information

For more information about this tool, click on the link for this tool at the top of this page.