
IDENTITY SERVICE CENTER

IBM Security Identity Manager

Lab Guide

Jon Harry
Version 1.0
July 2014
Identity Service Center LAB GUIDE
IBM Security Identity Manager

Document Control

Release Date     Version   Authors     Comments
17th July 2014   1.0       Jon Harry   Initial Version

Page 2 of 63 [Version 1.0]



Table of Contents
1 Introduction ................................................................................................................................................ 4
1.1 High Level Architecture ....................................................................................................................... 4
1.2 IAM Sandbox 2.1 beta 2 VM ............................................................................................................... 4
1.3 Memory Recommendations ................................................................................................................ 4
1.4 VMware and Networking ..................................................................................................................... 4
2 Preparation for the Labs............................................................................................................................. 5
2.1 Start the IAM Sandbox 2.1 Linux Image.............................................................................................. 5
3 Running Identity Service Center Scenarios ............................................................................................... 7
3.1 Launching Identity Service Center ...................................................................................................... 7
3.2 Identity Service Center Homepage ..................................................................................................... 8
3.3 View Access (end user) ....................................................................................................................... 9
3.4 Request Access (end-user) ................................................................................................................. 9
3.5 View Requests ................................................................................................................................... 13
3.6 Request Access (Manager) ............................................................................................................... 16
3.7 Request Approval .............................................................................................................................. 17
3.8 Request for Information processing .................................................................................................. 20
3.9 Launch in Context .............................................................................................................................. 25
3.9.1 Launch Self-Service Portal ......................................................................................................... 25
3.9.2 Launch Administration Console .................................................................................................. 26
4 Defining Accesses in the Identity Service Center .................................................................................... 28
4.1 Open Identity Manager Administration Console ................................................................................ 28
4.2 Accesses for Roles ............................................................................................................................ 28
4.3 Accesses for Services ....................................................................................................................... 32
4.4 Access for Groups ............................................................................................................................. 34
4.5 Test new access definitions .............................................................................................................. 37
5 Custom Tasks .......................................................................................................................................... 38
5.1 Log on to Administration Console ..................................................................................................... 38
5.2 Review Custom Tasks ....................................................................................................................... 38
5.3 Add a new custom task ..................................................................................................................... 40
5.4 Test Task Changes ........................................................................................................................... 43
5.5 Update Custom Task Label ............................................................................................................... 44
5.6 Test Custom Task Label.................................................................................................................... 45
5.7 Create Drop-down menu ................................................................................................................... 46
5.8 Test Drop-down menu ....................................................................................................................... 47
6 Advanced Customisation ......................................................................................................................... 48
6.1 Identity Service Center customization files........................................................................................ 48
6.2 Custom Company Logo ..................................................................................................................... 49
6.3 Login Page Customisation ................................................................................................................ 50
6.3.1 Changing text .............................................................................................................................. 50
6.3.2 Changing content ........................................................................................................................ 51
6.4 Application Page Customization ........................................................................................................ 52
6.4.1 Changing text .............................................................................................................................. 52
6.4.2 Changing Header Image ............................................................................................................. 53
6.5 Customizing Badges.......................................................................................................................... 54
6.6 Filtering User List............................................................................................................................... 55
6.6.1 Set up scenario ........................................................................................................................... 55
6.6.2 Setting a static user filter ............................................................................................................ 57
6.6.3 Setting a dynamic filter ............................................................................................................... 58
6.7 User Card Content Customization ..................................................................................................... 59
6.7.1 Selecting content and sort options.............................................................................................. 59
6.7.2 NLS attribute and sort field names ............................................................................................. 61
6.7.3 Mapping attribute codes to text ................................................................................................... 61
6.8 Person Image Plug-in ........................................................................................................................ 62


1 Introduction
This lab guide shows how to use the Identity Service Center in IBM Security Identity Manager. This new
interface for business users was initially added in 6.0.0.2 and support for additional use-cases was added
in 6.0.0.3.

1.1 High Level Architecture


The high-level architecture for the major components of the lab may be summarized as follows:

[Figure: high-level lab architecture. A Firefox 24 browser inside the VM talks HTTP(S) on ports 80 and 443 to IBM Security Access Manager for Web, and HTTP on port 9091 to IBM Security Identity Manager, which hosts the Admin Console, the Self-Service Portal and the Identity Service Center. A Thunderbird e-mail client reads mail from the James e-mail server. Identity Manager uses LDAP (port 389) and JDBC to DB2 (port 50012). The two hostnames in the diagram are w3.jke.test (192.168.42.101) and www.jke.test (192.168.42.110); everything runs within the IAM Sandbox 2.1 Beta 2 VM.]

1.2 IAM Sandbox 2.1 beta 2 VM


This lab uses a pre-built Virtual Machine. It is based on the IAM Sandbox 2.1 beta 2 release. A few
changes have been made (mainly for ease-of-use). Hopefully these will be fed into the final version of
this sandbox release.

1.3 Memory Recommendations


This lab was designed for host machines with at least 12Gb of memory since the Virtual Machine is
allocated 8Gb. The lab could probably run on an 8Gb host machine but this has not been tested.

1.4 VMware and Networking


The lab virtual machines require VMware workstation or VMware ESX Server – in this lab we will use
VMware Workstation.

The Virtual Machines, and the lab guide, assume all virtual machines share a common virtual network.
All IP addresses are hardcoded to be in the “192.168.42.0” subnet.

The labs in this guide do not require internet connectivity or connectivity with the host machine.


2 Preparation for the Labs


The following steps are required before you can begin the lab exercises.

2.1 Start the IAM Sandbox 2.1 Linux Image


Use VMware Workstation to start the "ISAM Sandbox 2.1 beta 2" VM image. Once the OS starts you will
automatically be logged in as labuser.

If you need it for any reason, the password for labuser is Passw0rd.

Launch a Root Terminal by double-clicking on the desktop icon shown below:

The terminal launches in the /home/labuser/startupScripts directory.

local:/home/labuser/startupScripts # ls
startAll.sh* startISAM.sh* startRTSSClient.sh* startWAS.sh*
startCognos.sh* startISIM.sh* startRTSS.sh*
startEmulator.sh* startMyPeopleTDI.sh startTSPMAll.sh*

First, we need to start IBM Security Access Manager for Web (and its LDAP) so that Identity Manager can
provision access to it. Run the following script to start Access Manager and its LDAP:

local:/home/labuser/startupScripts # ./startISAM.sh
GLPSRV041I Server starting.

Starting the: Access Manager policy server.
Starting the: Access Manager authorization server.
Starting the: webseald-w3.jke.test
Starting the: webseald-www.jkcloud.test
Starting the: webseald-www.jke.test
Starting the: webseald-www.jkhelpdesk.test
Starting the: webseald-www.jk.test

The script takes 1-2 minutes to run.

Next, run the following script to start the services required by Identity Manager - and Identity Manager
itself:

local:/home/labuser/startupScripts # ./startISIM.sh
Using PHOENIX_HOME: /usr/james-2.3.2
Using PHOENIX_TMPDIR: /usr/james-2.3.2/temp
Using JAVA_HOME: /usr/lib64/jvm/jre
Starting Phoenix:
Phoenix running pid=22809
Starting ISIM DB2...
nohup: redirecting stderr to stdout
/etc/profile: DISPLAY was null so not doing xhost commands
07/14/2014 06:21:06 0 0 SQL1063N DB2START processing was successful.
SQL1063N DB2START processing was successful.
Starting ISIM ldap...


GLPSRV041I Server starting.



GLPSRV009I 6.3.0.17 server started.
Starting ISIM WAS...
ADMU0116I: Tool information is being logged in file
/opt/IBM/WebSphere85/AppServer1/profiles/isim/logs/server1/startServer.log
ADMU0128I: Starting tool with the isim profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 23741
Starting TDI Dispatcher...
Platform is Linux
Starting IBM Tivoli Identity Manager Adapter service...
Service not running.... Creating the service
Starting Service with Process ID:
23515
nohup: redirecting stderr to stdout

IBM Tivoli Identity Manager Adapter Service start request successfully issued!

This script takes 2-3 minutes to run. When complete, you can exit the root terminal window:

local:/home/labuser/startupScripts # exit

You are now ready to start the lab exercises.
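Both startup scripts take a few minutes and print a lot of output, so it is worth confirming that every component actually came up before starting the exercises. The following Python script is an added example for this guide, not part of the lab image or an IBM tool: it searches captured script output for the success messages shown above and reports anything missing, along with the process ids it can recover. The marker strings are taken from the output printed in this section; the component labels and the sample output are constructed here.

```python
import re

# Success messages that the lab's startISIM.sh output prints for each component.
# The patterns are taken from the output shown in section 2.1; the component
# labels on the left are names chosen for this example.
STARTISIM_MARKERS = {
    "James mail server (Phoenix)": r"Phoenix running pid=\d+",
    "ISIM DB2": r"SQL1063N DB2START processing was successful",
    "ISIM LDAP": r"GLPSRV009I .* server started",
    "ISIM WebSphere (server1)": r"ADMU3000I: Server server1 open for e-business",
    "TDI adapter service": r"Adapter Service start request successfully issued",
}

# Messages from startISAM.sh: the LDAP, policy and authorization servers plus
# the WebSEAL instance that fronts www.jke.test, which later exercises use.
STARTISAM_MARKERS = {
    "ISAM LDAP": r"GLPSRV041I Server starting",
    "ISAM policy server": r"Starting the: Access Manager policy server",
    "ISAM authorization server": r"Starting the: Access Manager authorization server",
    "WebSEAL www.jke.test": r"Starting the: webseald-www\.jke\.test",
}

# Where each script reports a process id, so the reader can later confirm the
# process is still alive (for example with `ps -p <pid>`).
PID_PATTERNS = {
    "James mail server (Phoenix)": r"Phoenix running pid=(\d+)",
    "ISIM WebSphere (server1)": r"process id is (\d+)",
    "TDI adapter service": r"Starting Service with Process ID:\s*(\d+)",
}


def check_startup_output(output, markers):
    """Map each component label to True if its success message appears in output."""
    return {name: re.search(pattern, output) is not None
            for name, pattern in markers.items()}


def missing_components(output, markers):
    """Labels of components whose success message did not appear, in marker order."""
    return [name for name, seen in check_startup_output(output, markers).items() if not seen]


def extract_pids(output):
    """Process ids the script output reports, keyed by component label."""
    pids = {}
    for name, pattern in PID_PATTERNS.items():
        match = re.search(pattern, output)
        if match:
            pids[name] = int(match.group(1))
    return pids


# Constructed sample: a trimmed copy of the startISIM.sh output shown above.
SAMPLE_STARTISIM_OUTPUT = """\
Starting Phoenix:
Phoenix running pid=22809
Starting ISIM DB2...
SQL1063N DB2START processing was successful.
Starting ISIM ldap...
GLPSRV041I Server starting.
GLPSRV009I 6.3.0.17 server started.
Starting ISIM WAS...
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 23741
Starting TDI Dispatcher...
Starting Service with Process ID:
23515
IBM Tivoli Identity Manager Adapter Service start request successfully issued!
"""

if __name__ == "__main__":
    import sys
    # Feed a captured log on stdin, e.g. ./startISIM.sh 2>&1 | tee isim.log; python3 check.py < isim.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STARTISIM_OUTPUT
    missing = missing_components(text, STARTISIM_MARKERS)
    print("all ISIM components started" if not missing else "missing: " + ", ".join(missing))
    print("process ids:", extract_pids(text))
```

Run with no input to exercise the embedded sample, or pipe the real script output through `tee` into it. A missing marker usually means the component is still initialising or failed; the WebSphere startServer.log path printed by the script is the place to look next.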


3 Running Identity Service Center Scenarios


In this lab exercise we will run through the use cases supported by the Identity Service Center in Identity
Manager 6.0 Fixpack 3 (6.0.0.3). The personas we will use are:

James - A JK Enterprises Employee working in Marketing. James is performing a task that requires him
to have access to the Finance Application and the East Region Fileshare. He currently does not have
this access.

Bill - Bill is a Manager at JK Enterprises. He needs to request Fileshare access for himself and for a
member of his team, Susan.

Chuck - Chuck is a Manager at JK Enterprises. He is an approver for fileshare access.

3.1 Launching Identity Service Center


James has taken on some new responsibility and, in order to perform his new duties, he requires some
additional access. James knows that for all Identity Management tasks he needs to go to the Identity
Service Center.

Launch the Firefox 17 browser by double-clicking on the desktop icon shown below:

Go to the following URL to open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui

The application login page is displayed:

Notice that there is a custom JK Enterprises logo and text on this page. We will look at customisation
later on.


Enter james as the User ID and Passw0rd as the Password. Then click Log in.

3.2 Identity Service Center Homepage


When successful authentication to the Identity Service Center is complete, the homepage is displayed:

The homepage shows cards for each task available to the authenticated user.

The Request Access and View Requests tasks were available in the 6.0.0.2 release to allow managers to
request access on behalf of their employees (and to view the status of requests). These functions are
now available to all users (both managers and end users) to request access (and view requests) for
themselves.

View Access is a new task which allows all users to see what Access they currently hold. All users can
view their own access. Managers can also view the access for their employees.

Manage Activities is a new task which allows users to see outstanding workflow actions which are
assigned to them. Approval actions can be performed directly within the Identity Service Center. Other
actions can be performed through links to the Self-Service console.

Customisation has been applied to this homepage:

(1) Custom text - related to the JK Enterprises corporation has been added to both the title bar and
the launch bar.

(2) A Custom "task" has been added for a change password operation. Custom tasks allow the
Identity Service Center to act as a one-stop-shop for identity tasks.


3.3 View Access (end user)


Before requesting anything new, James wants to see his current access.

Click on the View Access card.

James is an end user in the JK Enterprises organisation; he is not a manager. This means that James
can only view his own access.

James currently only has access to the Benefits application. That’s not enough to allow him to perform
his new duties. He needs to request additional access.

3.4 Request Access (end-user)


Click the Request Access link on the launch bar - as shown above. Tasks that are configured to be
visible on the launch bar can be accessed without returning to the homepage.

The Request Access wizard is started. Notice the steps at the top leading the user through the required
process.

James is not a manager and so can only request access for himself. As a result, he doesn't see any user
selection page and is taken directly to the screen where he can select the access that he wants to
request for himself.


On this page all of the Accesses to which James is entitled (based on Provisioning Policies) are displayed
as cards. Each card displays clear information about the associated access. We will see how to
customise this information later.

Accesses can be associated with one or more categories to help users to find what they need. The list of
access cards can be filtered by searching for keywords or by selecting categories.

James is looking for the Finance application. Click on the Application category filter - as shown above.

The list of access cards is filtered and James can now see the Finance application.

Click on the Finance application card to add it to the request cart.

Now James wants to find the East region Fileshare. He can use the search for this.

Click on the All Categories link to remove the previously applied filter.

Enter east in the Search Accesses text box and click the Search icon - as shown above.

Only one access is now shown.


Click on the East Region File Share card to add it to the request cart. Notice that the cart now shows 2
accesses.

James now has both of the accesses he needs in his request cart. Click Next to move on to the next step
in the request process.

The Identity Management system dynamically determines what information is required from James in
order for his access request to be submitted. A list of these items is displayed.

Note that no account-specific information is being requested for the Finance application. This is because
the account required for this access already exists - only a group change is required.

Item 2 indicates that the East Region File Share access depends on a new account on the Fileshare
service. This item already shows as complete (a green tick) because all of the required information has
been completed using defaults.

Only a justification is required before the request can be submitted.


Before we continue, let's take a look at the account information that is going to be used. Click Provide
Account Information - as shown above.

All of the fields for the new account have been completed (based on Provisioning Policy account
defaults). This policy also dictates that the e-mail address for the account must match the owner's e-mail
address. So, what happens if James tries to change it?

Change the e-mail address to jimmy@gmail.com and then click somewhere else on the form.

The value entered is dynamically checked against the Provisioning Policy and an error is displayed.
James can decide to continue with a non-compliant value or accept the suggested compliant value.

Click the Accept suggested value button to revert the e-mail address.

Click Save and Continue to return.
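The check James just triggered has two parts: the policy pre-fills the form from the owner's person record, and any attribute the policy marks as mandatory is re-evaluated whenever the user edits it, with the policy's own value offered back as the suggestion. The model below is an added example written for this guide, not ISIM's policy engine: its rule format, the attribute names, the "Fileshare" policy and James's person record (using the lab's jke.test domain) are all constructed here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class PolicyRule:
    """One provisioning-policy entry for an account attribute (constructed format).

    derive computes the policy's value from the owner's person record;
    enforcement is "mandatory" (value must match, as for e-mail in the lab)
    or "default" (value only pre-fills the form and may be changed).
    """
    attribute: str
    derive: Callable[[Dict[str, str]], str]
    enforcement: str


@dataclass
class ComplianceResult:
    """Outcome of checking one mandatory attribute against the policy."""
    attribute: str
    entered: str
    suggested: str

    @property
    def compliant(self) -> bool:
        return self.entered == self.suggested


# Constructed policy for a new Fileshare account, modelled on the lab's description.
FILESHARE_POLICY: List[PolicyRule] = [
    PolicyRule("uid", lambda owner: owner["uid"], "default"),
    PolicyRule("homedirectory", lambda owner: "/shares/east/" + owner["uid"], "default"),
    PolicyRule("mail", lambda owner: owner["mail"], "mandatory"),
]

# Constructed person record for James; the address uses the lab's jke.test domain.
JAMES = {"uid": "james", "givenname": "James", "mail": "james@jke.test"}


def default_account(owner, rules):
    """Pre-fill the account form from the policy, as 'Provide Account Information' does."""
    return {rule.attribute: rule.derive(owner) for rule in rules}


def check_compliance(account, owner, rules):
    """Evaluate every mandatory rule against the values currently in the form.

    Returns one result per mandatory attribute. A non-compliant result carries
    the policy's value so the UI can offer 'Accept suggested value'.
    """
    results = []
    for rule in rules:
        if rule.enforcement != "mandatory":
            continue
        results.append(ComplianceResult(rule.attribute,
                                        account.get(rule.attribute, ""),
                                        rule.derive(owner)))
    return results


def accept_suggested(account, results):
    """Copy of the form with every non-compliant value reverted to the policy's suggestion."""
    fixed = dict(account)
    for result in results:
        if not result.compliant:
            fixed[result.attribute] = result.suggested
    return fixed


if __name__ == "__main__":
    form = default_account(JAMES, FILESHARE_POLICY)
    form["mail"] = "jimmy@gmail.com"            # the edit James makes in the lab
    for result in check_compliance(form, JAMES, FILESHARE_POLICY):
        if not result.compliant:
            print(f"{result.attribute}: '{result.entered}' is not compliant; "
                  f"suggested value '{result.suggested}'")
    print(accept_suggested(form, check_compliance(form, JAMES, FILESHARE_POLICY)))
```

Because the lab lets James continue with a non-compliant value, a real submission path should carry the compliance results along with the request so that approvers and auditors can see which attributes were overridden rather than silently accepting the edited form.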


Enter an appropriate justification. As you click away from the text box the tick box goes green. Click
Submit to submit the access request.

Both accesses now show as Pending. They have been submitted into the Identity Manager workflow
engine. Click the Home icon (as shown above) to return to the Identity Service Center homepage.

3.5 View Requests


James can use the Identity Service Center to view the status of requests that he has made. This is
especially useful because it allows James to see what approvals are holding up the request.


On the Identity Service Center homepage, click the View Requests card. A list of current requests is
shown:

Note that this list can be filtered based on the application requested, or by timeframe (under Request
History), or using a search.

We can see that our (only) access request is Pending. Click the request to View Details.


On this screen, James can see that one of his requests has been fulfilled and one is still pending. At the
bottom of the screen he can see that there is an approval outstanding. The possible approvers are
Chuck and System Administrator.

Chuck and System Administrator (itim manager) are approvers here because they are members of the
approval role configured in the approval node of the workflow that controls file share account creation.

There's one last thing to look at while we're still logged in as James. Click View Access on the launch
bar.

Back on the View Access Page, you can see that pending access is shown along with current access.

Try filtering based on Access State so that you can see only Pending Access.


Click on the View details… link (as shown above). It will take you to the view requests page that we
were just looking at.

When you're done, click Log Out to log out from the Identity Service Center. There's nothing else for
James to do (except nag Chuck to approve his access).

3.6 Request Access (Manager)


When a Manager requests or views access the flow is slightly different because, in addition to
requesting/viewing access for themselves, they can also request/view access for their employees.

This is controlled by Manage Others Access entry in the Identity Manager View for the user. We'll look
at views later when we explore custom tasks.

If not already open, open the Firefox browser in the Linux virtual machine and access:
http://www.jke.test:9091/itim/ui

Login with bill and Passw0rd.


Notice that Bill has more task cards than James had. The cards displayed are controlled by security
configuration within Identity Manager. We'll look at that later.

Bill wants to request access for one of his employees. Click the Request Access card on the Identity
Service Center homepage.

Since Bill is a Manager, the first screen he sees when requesting access is a user selection page. Bill
can either select himself or an employee.

Select the card for Susan.

Select the East Region File Share and click Next.

Enter an appropriate justification and click Submit.

Bill also needs to request access for himself. Click the Request New Access button to restart the
request access wizard.

In addition to selecting themselves from the list of cards, there is also a Quick Select link.

Click Select me.

Select the East Region File Share and click Next.

Enter an appropriate justification and click Submit.

Bill's work is done. Click Log Out.

3.7 Request Approval


There are now three pending requests for access to the East Region Fileshare. We can use these to
show the Request Approval process in the Identity Service Center.

If not already open, open the Firefox browser in the Linux virtual machine and access:
http://www.jke.test:9091/itim/ui


Log in to the Identity Service Center with chuck and Passw0rd.

Pending approvals are activities. Click the Manage Activities card on the Identity Service Center
homepage.

In ISIM 6.0.0.3 approvals are the only activities handled natively in the Identity Service Center. Other
activities (for example Request For Information) are shown in the activity list but link out (in context) to
the ISIM Self-Service portal when selected.

The Manage Activities list opens.


Note the filter options. Activities can be filtered based on who the request is for (i.e. who is the owner of
the account that is subject to approval) and who the request is by (i.e. who made the request).

All three approval requests are listed. The first is expanded to show the approval screen.

In addition to seeing high level details of the request on the activity list, a user can also click the view
details link to see all of the attributes associated with the request.

Enter an appropriate approval justification and click Approve. The request is marked as approved.

Chuck wants to reject the requests from both Bill and Susan.

It is possible to process multiple requests at the same time - with a single justification. This allows an
approver to save time when providing the same decision and justification for a batch of requests.

Click the Select Multiple button. This changes the screen so that each pending request has a checkbox.


Select the checkboxes next to the two remaining approval requests. Enter a rejection comment and click
Reject. Both requests are marked as rejected. The justification text is associated with both requests.

Chuck has now processed all outstanding requests. Click Log Out to log out from the Identity Service
Center.

3.8 Request for Information processing


As mentioned above, approvals are the only workflow activity type that can currently be managed
completely within the Identity Service Center. Let's take a look at how other activities are processed.

Login to the Identity Service Center using james and Passw0rd.

Select the Request Access card.


Navigate to Application > Support Applications and select the Transaction Support Application card.

Click Next.

Enter a suitable justification and click Submit.


Click Log Out.

Login to the Identity Service Center again using chuck and Passw0rd.

Select the Manage Activities card.

The Request for Information activity is showing in Chuck's activity list - just like the approvals did. Even
though Chuck has to go out of the Identity Service Center to process this activity he can still use the
Identity Service Center to view Approvals and RFI requests in one place.

Click on the activity entry; it will open a new browser tab.


Chuck is now in the Self-Service console although note that he has not had to authenticate (his
application server session is valid for both applications) and he has been taken right to the RFI entry
screen (launch-in-context).

Click on the Provide Information to provide the requested information.

Enter a telex number and click OK.


The RFI has been submitted. Click the X on the browser tab (as shown above) to return to the Identity
Service Center.

Back in the Identity Service Center, the RFI is still shown. It will vanish the next time the activity list is
refreshed.

Click the Home icon and then select the Manage Activities card again. The RFI task has gone.


Click Log Off to exit the Identity Service Center.

3.9 Launch in Context


We've just seen that the Identity Service Center can launch into the Self-Service portal to allow handling
of Request-For-Information requests. This is also available for custom tasks that point to either the Self
Service portal or the Administration Console.

3.9.1 Launch Self-Service Portal


If not already open, open the Identity Service Center http://www.jke.test:9091/itim/ui

Login with chuck and Passw0rd.

Click on the Change Password task. This is a custom task that launches the Change Password function
of the Self-Service Portal.


Notice that the Self-Service Portal page has been launched as a frame within the Identity Service Center
and that chuck is already authenticated.

Click Home icon to return to the Identity Service Center home page.

3.9.2 Launch Administration Console


It is also possible to launch into the Identity Manager Admin Console from the Identity Service Center.

Click on the Manage Users custom task. Notice the icon in the top right corner which indicates that this
task will open in a new browser window (or tab).


The Administration Console launches in a new browser tab. Notice that chuck is already logged in.

Close the new tab by clicking on the X - as shown above.

Back in the Identity Service Center, click Log Off to exit.


4 Defining Accesses in the Identity Service Center


In the Identity Service Center, identity management is presented only in terms of "Accesses". There is
very little mention of identity management concepts such as "Roles", "Accounts", or "Groups". These still
exist of course but in order to be displayed and requested via the Identity Service Center they are
mapped to Accesses.

4.1 Open Identity Manager Administration Console


If not already open, open the Firefox browser in the Linux virtual machine and access the Identity
Manager web administration console: http://www.jke.test:9091/itim/console

Enter itim manager as the User ID and Passw0rd as the Password.

Click Log in.

4.2 Accesses for Roles


Accesses can be defined for roles. Let's create an access for the role used to allocate users as
approvers for File share access.

Select Manage Roles from the navigation menu.


Click Refresh to populate the list of Roles and then select the Approval Role for JKE Fileshare and
Business Applications from the list - as shown above.

Select the General Information section.

The Role Name and Description need to be short so they will format properly on the access cards.

Change the Name of the role to Application approvers and change the Description to Approval
Role.


Select the Access Information section and select the check-box to Enable access for this role. This
allows the role to be requested via the Identity Service Center.

The Show this role as a common access option is used by the Self-Service console: it causes this
access to be displayed immediately rather than requiring a search. This setting has no effect in the
Identity Service Center.

Click to expand the Change access type selector.

Each access can be allocated a type in the access type hierarchy. This can be used for filtering accesses
in the Identity Service Center.

This hierarchy can be customised under Configure System > Manage Access Types.

Expand Access Types and select Role.


Note that the default icon for the access changes to reflect the access type. It is also possible to
specify a custom icon by providing the URL where it can be found.

It is possible to add additional search terms for the access. These are used when users search within the
Identity Service Center access selection screen.

Enter approver in the Search terms text box and click Add.

Enter some appropriate information in the Additional information text box. This will be visible in the
Identity Service Center along with the Role name and description.

Expand the Badges configuration.

Badges are shown wherever the access is shown. Usually badges are used to highlight properties of an
access to which an approver or auditor should pay attention.

Enter Allows Approval for Badge text and select Orange as the Badge class. A preview is shown.

Click Add.

Additional badge classes (text colour, fill etc.) can be defined. We'll look at that later.

Click OK to save our changes.

Click Close to close the Manage Roles tab.

4.3 Accesses for Services


Accesses can be created for Services. A service access is used to request an account on that service.

Service Accesses are new and are only visible in the Identity Service Center. They do not show up in
the Self-service portal.

Select Manage Services from the navigation menu.

Click Refresh to populate the list of Services.

Select the Business Applications Service.

For some reason we must always re-specify service passwords when making changes to a service.

Enter Passw0rd as the Password.

Select the Access Information section.

Check the check-box to Define an Access and enter Application Directory as the Access Name.

Enter a suitable Access Description.

We'll leave this access definition minimal. Click OK at the bottom of the window.

Click Close to close the Change Service tab.

Click Close to close the Manage Services tab.

4.4 Access for Groups


Many authorization systems use group memberships to control access. Identity Manager allows
accesses to be created for group memberships.

When a user requests an access which gives a group membership, Identity Manager will also process
the creation of a new account on the associated service if the user does not already have one.

We're going to create a new fileshare group and define an access for it.

Select Manage Groups from the navigation menu.

Click Search to populate the list of services. Groups are associated with services.

Select the radio button associated with the Fileshare service and click Continue.

Click Create.

Enter HQ File Share for erldapservicegroup.

Scroll to the bottom of the window and click Next.

Check the check-box to Define an Access and select the radio-button to Enable Common Access.

Enter HQ File Share as the Access Name.

Expand the Change access type selector, expand Access Types and select Fileshares.

Enter a description for the access.

Select Access Approval Workflow for JKE Business Applications and FileShares as the Approval
workflow.

The workflows that are shown in this drop-down list are those previously created under Design
Workflows > Manage Access Request Workflows.

Only group accesses provide the ability to directly associate a workflow with the access. Workflow
can be added to Role and Service accesses by modifying the Person and Account workflows under
Configure System > Manage Operations.

Enter /itim/ui/custom/ui/images/identity.png as the Icon URL. When you click away from
the entry box, a preview is shown.

In this case a server relative URL has been given since the image resides on the Identity Manager
application server. An absolute URL can also be given if the image exists on a different server.

Click Finish at the bottom of the window to complete the group (and access) creation.

Click the log out icon to log out from the administration web console.

4.5 Test new access definitions


Go to the following URL to open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui

Authenticate as Chuck using chuck and Passw0rd.

Select View Access and select James.

Notice that our new Application Directory Access is now showing up as part of James' current access.
This is because James has an account on the associated service as a pre-requisite for the Transaction
Support Application access that he holds.

Now that an access is defined for the service it shows up in James' access list and the account details
can be seen.

Click Access Details to see the details of James' account on the Application Directory service.

Click Request Access on the launch bar and select Emily from the user list.

Check that all three of our new accesses are shown - you can try them out if you like.

5 Custom Tasks
In this lab environment, depending on the authenticated user, one or more custom task cards are seen on
the Identity Service Center homepage. Let's have a look at how these are set up and add one of our
own.

5.1 Log on to Administration Console


If not already open, open the Firefox browser in the Linux virtual machine and access the Identity
Manager web administration console: http://www.jke.test:9091/itim/console

Enter itim manager as the User ID and Passw0rd as the Password. Click Log in.

5.2 Review Custom Tasks

Expand Set System Security and select Manage Views in the navigation menu.

Select Manage Custom Tasks.

This list shows all of the defined Custom Tasks that can display as cards in the Identity Service Center.
Let's have a look at one of them.

Select CUSTOM_CHANGEPASSWORD.

The only required field for a custom task is the URL. This is where the user's browser is directed when
they select the custom task.

The Icon points to an image to display on the card. A default icon will be used if none is specified.

The Header Category field controls where the custom task is shown on the Launch bar of the Identity
Service Center. If the value is empty the task will not be shown. If more than one task shares this value
then they will show in a drop-down menu on the Launch bar.

Show on home page controls whether the task is shown as a card on the Identity Service Center home
page.

Start task in new window controls whether the URL should be opened in a new window (new browser tab)
or should be loaded as a frame in the Identity Service Center.

Notice that there is no Name for the custom tasks - only an Identifier (made up of a prefix and suffix).
This maps to entries in configuration files which dictate the name for the activity. This allows for multi-
language support. We'll have a look at this later.

Let's change the task so that it shows in the launch bar. Update the Header Category to
SELF_SERVICE, scroll to the bottom of the page, and click OK.

We now want to add our own custom task so click Continue managing custom tasks.

5.3 Add a new custom task


In this section we will create a custom task that allows a user to view or edit their Identity Management
user profile. This task is available in the ISIM Self-Service console but is not yet available directly in the
Identity Service Center.

Click Create.

Set the Identity Suffix to USERPROFILE.

Set the Description to View Your Identity Management Profile.

Set the URL to /itim/self/ViewProfile.do

Set the Icon to /itim/self/images/profile.gif

Select the Show on home page checkbox.

The URL can be seen when accessing the appropriate page in the Self-Service console. The Icon
image URL was found using Firebug to interrogate the source of the Self-Service portal (although
"view source" would probably have worked too).

Click OK to save the new custom task.

Click Close to close the Manage Custom Tasks tab. You are now back at the Manage Views tab.

Now we need to add the new task to one or more Views. A view determines what users can see when
they access Identity Manager web interfaces.

A User is mapped to a View based on the group memberships of their ISIM account. Each group on
the ISIM service points to a view. If a user's ISIM account is not a member of any groups then they
will get the default End User view. If a user's ISIM account is a member of multiple groups they will see
a superset of view items.

Click Search to populate the list of existing views. Click on the End User View.

Select the Configure View section and scroll to the bottom.

Notice the Manage Others Access tasks here. This is what controls whether a user can manage
access for other users that they have authority over in Identity Manager.

Select the check-box for CUSTOM_USERPROFILE and click OK.

Click Define views for additional tasks

Click Search to populate the view list again and this time select Manager View.

Select Configure View, select CUSTOM_USERPROFILE and click OK.

Log off from the Identity Manager Administration Console.

5.4 Test Task Changes


Go to the following URL to open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui

Authenticate as James with james and Passw0rd. James' Identity Manager account is not a member of
any groups so he sees the End User view.

Notice that the Change Password task now appears in the launch bar. That's because we added the
Header Category to its configuration.

You should also see the new task card shown on the Identity Service Center homepage.

Notice that the text is showing the Task Identifier. We need to perform some additional customization to
translate this to a proper text label.

Log Out of the Identity Service Center. We'll come back when we've fixed that label.

5.5 Update Custom Task Label


In order to configure the name to be displayed for our task, we need to edit an Identity Manager
configuration file.

Open the gedit text editor using the icon on the desktop:

Note that this opens the editor with root (super-user) permissions.

Click Open.

Click the Type a filename button and then enter /opt/IBM/isim/data/CustomLabels.properties in
the Location field.

Press Enter.

Scroll right to the bottom of the file.

CUSTOM_CHANGEPASSWORD=Change Password
CUSTOM_COGNOS_REPORTS=JKEnterprises Reporting
CUSTOM_MANAGEUSERS=Manage Users
CUSTOM_USERPROFILE=My Profile

Add a line for CUSTOM_USERPROFILE as shown above.

Click "Save" to save the updated file. Then navigate to File > Quit to exit gedit.

In order to recognise the new label, the Identity Manager application must be restarted. This is most
easily achieved by restarting the application server where it is running.

Open a command prompt and run the following script:

local:/home/labuser/startupScripts # restartISIM.sh
Stopping ISIM WAS...
ADMU0116I: Tool information is being logged in file
/opt/IBM/WebSphere85/AppServer1/profiles/isim/logs/server1/stopServer.log
ADMU0128I: Starting tool with the isim profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.

Starting ISIM WAS...


ADMU0116I: Tool information is being logged in file
/opt/IBM/WebSphere85/AppServer1/profiles/isim/logs/server1/startServer.log
ADMU0128I: Starting tool with the isim profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 27566
Done.
local:/home/labuser/startupScripts #

5.6 Test Custom Task Label


If not already there, open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui

Authenticate as James with james and Passw0rd.

This time the task identifier has been replaced with the label we configured in the CustomLabels.properties
file.

Click on the new card. The view profile screen is loaded as a frame:

Click the Home button to return to the Identity Service Center homepage.

Click Log Out.

If you like, verify the Manager view by signing in as Chuck and checking that he also sees the new card.
Chuck's Identity Manager account is a member of the Manager group.

5.7 Create Drop-down menu


At the moment our new My Profile card is not shown on the menu bar. Let's get it up there.

Open the Identity Manager web administration console: http://www.jke.test:9091/itim/console

Enter itim manager as the User ID and Passw0rd as the Password. Click Log in.

Navigate to Set System SecurityManage Views.

Select Manage Custom Tasks.

Select CUSTOM_USERPROFILE.

Update the Header Category to SELF_SERVICE, scroll to the bottom of the page, and click OK.

Log out of the Administration console.

5.8 Test Drop-down menu


Open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui

Authenticate as James with james and Passw0rd.

You should now see SELF_SERVICE on the menu bar. If you click on it then it expands to show the two
tasks that we have assigned to that header category.

We'll set a text label for the SELF_SERVICE menu later but, for reference, the file that needs updating
is headerLabel_en.properties.

6 Advanced Customisation
In this section we will explore some of the more advanced customisation options for the Identity Service
Center.

Most of the advanced customisation we will be looking at requires changes to text configuration files. In
order to explore these, and edit them, we will use Nautilus (the file manager on the Linux image) running
as the root user. This gives it full permissions on the system.

Double-click the Root Explorer icon on the desktop to open a Nautilus window as root.

Bookmarks for this lab have been created in the navigation bar. These map as follows:

ISIM Custom UI   /opt/IBM/WebSphere85/AppServer1/profiles/isim/config/cells/localNode01Cell/itim/custom/ui/
ISIM Data        /opt/IBM/isim/data

6.1 Identity Service Center customization files


Before we look at any specific customizations, let's have a look at how the files used for customization are
laid out.

Select the ISIM Custom UI bookmark in the root Nautilus window. You will see a number of directories
here.

This system already has some customization in place. In a clean system, the only folder here would be
the original folder. This is where the default versions of the UI files are found. These files should not
be changed.

To perform customization you should copy the default file from the original folder to the same directory
location under the /custom/ui folder and then edit it there. Only changed files need to be copied -
other files will still be found under the original folder.

On this system the config, images, and nls folders contain customized files.

It's also possible to add additional directories under /custom/ui for new content. The userImages
directory is an example of this.

If you like, open the original folder and have a browse around the file structure to get familiar with it.

6.2 Custom Company Logo


The logo shown on the login page of the Identity Service Center can be customised as part of "skinning"
the application. This system already has a customized JK Enterprise logo displayed.

Select the ISIM Custom UI bookmark in the root Nautilus window.

Open the config folder and then open the UIconfig.properties file. This is a customized file - a
modified version of the default file found in the original/config directory.

In this file you can see that a custom JKE logo is being used:

#File to be used for Login page or other places which need company logo image
LOGO_IMAGE=jke_banner.png

The file referenced by LOGO_IMAGE must be located in the images directory. Let's take a look.

Close the editor window and return to Nautilus.

Select the ISIM Custom UI bookmark and open the images folder.

Here you can see the jke_banner.png file that is being used.

Rename the UIconfig.properties file to UIconfig.properties.bak. This will force the use of
the original UIconfig.properties file (under original/config directory) which points to an IBM
logo.

6.3 Login Page Customisation


The Identity Service Center Login page is constructed in three stages:
- A top-level template HTML file (default /original/template/Login.html)
- Lower level content HTML files (defaults under /original/nls/html)
- Language text substitution properties files (defaults under /original/nls)

6.3.1 Changing text


For making small changes to the login page, just changing the text substitution properties files may be
enough. Some customization has already been done on this system - introducing the JK Enterprises
name in the title and in the Copyright message. Let's find those customized files.

In Nautilus, select the ISIM Custom UI bookmark and open the nls folder.

Files in the nls folder are loaded based on the selected language. The system looks for a file with _xx
at the end of the base filename (where xx is the language code for the selected language). If this isn't
found, the system loads the base file (which has no _xx extension).

When English is selected as the language, it is the files with _en suffix that are used. It is these files that
need to be changed to customise what you see when viewing in English.
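
The overlay rule from section 6.1 (a customised file under /custom/ui shadows the copy of the same name under original) and the language fallback just described (try the _xx file, then the base file) can be checked offline. The following is an added Python example written for this guide; it is not code from the lab guide or from IBM. resolve_ui_file() returns the file the Identity Service Center would load for a relative path and language, and overlay_copy() creates the customised copy without touching original and without clobbering an existing customisation. The relative order of the four candidates (custom _xx, original _xx, custom base, original base) is an assumption, as are the throw-away file names and contents that demo() builds in a temporary directory.

```python
# Added example, not part of the lab guide or of IBM's product code.
# Layout modelled: <root>/original/<relative path> holds the shipped defaults,
# <root>/<relative path> holds customised copies, and language-specific files
# carry an _xx suffix before the extension. The order in which the four
# candidates are tried is an assumption, not documented behaviour.
import os
import shutil
import tempfile


def candidate_names(relative, lang=None):
    """Names to try, most specific first: nls/LoginText_en.properties and
    then the base file nls/LoginText.properties."""
    base, ext = os.path.splitext(relative)
    if lang:
        yield "%s_%s%s" % (base, lang, ext)
    yield relative


def resolve_ui_file(root, relative, lang=None):
    """Return the file the UI would load, or None if neither tree has it.
    For each candidate name the customised copy under root wins over the
    default under root/original (assumed order)."""
    for name in candidate_names(relative, lang):
        for tree in (root, os.path.join(root, "original")):
            path = os.path.join(tree, name)
            if os.path.isfile(path):
                return path
    return None


def overlay_copy(root, relative):
    """Copy original/<relative> to the same location under root, creating
    directories as needed. Refuses to overwrite an existing customisation so
    a repeated run cannot silently discard earlier edits. Returns the new path."""
    src = os.path.join(root, "original", relative)
    dst = os.path.join(root, relative)
    if os.path.exists(dst):
        raise FileExistsError("customised copy already exists: " + dst)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copyfile(src, dst)
    return dst


def demo():
    """Build a hypothetical tree (constructed names and contents), exercise
    the rules and return the chosen paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="isc-custom-ui-")
    files = {
        "original/nls/LoginText.properties": "PRODUCT_NAME=Identity Manager\n",
        "original/nls/LoginText_en.properties": "PRODUCT_NAME=Identity Manager\n",
        "original/config/HeaderMenu.json": "{}\n",
        "nls/LoginText_en.properties": "PRODUCT_NAME=One Stop Identity Shop\n",
    }
    for relative, text in files.items():
        path = os.path.join(root, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    def relative_to_root(path):
        return None if path is None else os.path.relpath(path, root)

    try:
        result = {
            # English: the customised _en file shadows the original one
            "login_en": relative_to_root(resolve_ui_file(root, "nls/LoginText.properties", "en")),
            # French: no _fr file anywhere, so the original base file is used
            "login_fr": relative_to_root(resolve_ui_file(root, "nls/LoginText.properties", "fr")),
            # Not yet customised: served from original/config
            "header_before": relative_to_root(resolve_ui_file(root, "config/HeaderMenu.json")),
        }
        overlay_copy(root, "config/HeaderMenu.json")
        result["header_after"] = relative_to_root(resolve_ui_file(root, "config/HeaderMenu.json"))
        try:
            overlay_copy(root, "config/HeaderMenu.json")
            result["second_copy_refused"] = False
        except FileExistsError:
            result["second_copy_refused"] = True
        result["missing"] = relative_to_root(resolve_ui_file(root, "config/NoSuchFile.json"))
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it as a script to see the resolution of each case; the point of the FileExistsError check is that re-running an overlay step after you have already edited the custom copy must not quietly replace your edits with the shipped default.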

Open the LoginText_en.properties file. This file, and other language versions, contain the text
substitution definitions from the HTML template file.


#Text to show in case the Logo image is missing
LOGO_ALT_TEXT=JKEnterprises

#Title for the product name
PRODUCT_NAME=JKEnterprises Identity Manager

The PRODUCT_NAME entry provides the title text for the login page. You can also see the other text
which can be changed on the page from within this file.

Change the file as follows:

#Title for the product name
PRODUCT_NAME=One Stop Identity Shop

#Label for the user ID field
USER_ID=User name

Save the file and close the text editor.

This changes the login page:

6.3.2 Changing content


The content on the right-hand side of the login page is controlled by a content HTML file. This has not
been customised in this system and so is found under the original directory.

In Nautilus, select the ISIM Custom UI bookmark and open the original/nls/html folder.

Locate the LoginPageInfoContent_en.html file and right-click on it.

Select Open With > gedit Text Editor from the pop-up menus.

<div style=''>
  <div class='aboutLoginH1'>${ABOUT_SITE}</div>
</div>
<div role="list">
  <div class="listItem" role="listitem">
    <div class="icon accessIcon"></div>
    <div class="listDetail">
      <div class="ddDisplay">${REQUEST_ACCESS}</div>
    </div>
  </div>

</div>

This HTML file dictates the layout of the content. Notice the use of substitutions for the text to be
displayed. The file can be changed to remove or reorder the existing content - or the whole file could be
replaced to include completely bespoke content.

Remember - if you want to change this file, do not change it here. You should make a copy of the file
in the folder structure outside the original directory and make the change there.

Close the text editor and return to Nautilus.

Select the ISIM Custom UI bookmark and open the original/nls folder.

Locate and open the LoginPageInfoContent_en.properties file.

#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
ABOUT_SITE=Log on to Identity Service Center to perform the following activities:
REQUEST_ACCESS=Request access
VIEW_REQUEST=View requests
VIEW_ACCESSES=View access
MANAGE_ACTIVITIES=Manage activities

This file, and other language versions, contain the text substitution definitions from the HTML content
page.

Again, if you want to change this file, do not change it here. You should make a copy of the file in the
folder structure outside the original directory and make the change there.

A similar HTML content and properties pair controls the content of the copyright box in the footer of the
login page. The rest of the page is defined directly in the HTML template file.

6.4 Application Page Customization


The components within the Identity Service Center application are built in two stages:
- JSON files describing the layout and properties (defaults under original/config)
- Language text substitution properties files (defaults under original/nls)

6.4.1 Changing text


Simple changes can be made by editing the text substitution files. Let's have a look at a change of
this type that has already been made in this system.

In Nautilus, select the ISIM Custom UI bookmark and open the nls folder.

Locate and open the headerLabel_en.properties file:

#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
identityManager=JK Enterprises Identity Manager
productIcon=Product Icon

#header categories
manageAccess=Manage Access
requestStatusTodo=Request Status

#out of box task labels
SVCENTER_HOMEPAGE=JK Enterprises Service Center

Make the following changes:

#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
identityManager=Simple Identity Management
productIcon=Product Icon

#header categories
manageAccess=Manage Access
requestStatusTodo=Request Status
SELF_SERVICE=Self Service

#out of box task labels
SVCENTER_HOMEPAGE=One Stop Identity Shop

Note that the line we're adding here will set a label for the SELF_SERVICE header category that we
created earlier.

Save the file and close the editor. The header of the application is changed:

6.4.2 Changing Header Image


The image used in the application header can be changed by modifying the JSON file which points to it.
This file hasn't been customized yet so we'll need to make a copy.

In Nautilus, select the ISIM Custom UI bookmark and open the original/config folder.

Right-click on the HeaderMenu.json file and select Copy from the pop-up menu.

Select the ISIM Custom UI bookmark again and open config folder.

Right-click inside the folder and select Paste from the pop-up menu. A copy of the HeaderMenu.json file
should be created.

Open the new HeaderMenu.json file.

Locate this part of the file:

"secondaryNavigation": {
"secondaryTitleKey": "SVCENTER_HOMEPAGE",
"secondaryIcon": "custom/ui/images/identity.png",

and change to:

"secondaryNavigation": {
"secondaryTitleKey": "SVCENTER_HOMEPAGE",
"secondaryIcon": "custom/ui/images/access/iconTeamsAccess.gif",

Save the file and close the editor. The image has been changed:

6.5 Customizing Badges


The badges available for Accesses can be customised by modifying the CSS file where their styles are
defined. This file is found under <ISIM HOME>/data.

Use the ISIM Data bookmark in the Nautilus window to open /opt/IBM/isim/data. Locate the file
Badge.css and double-click to open it.

Click Display to open the file using a text editor.

.badge.green {
border: 1px solid #226622;
background: #226622;
background: -moz-linear-gradient(center top , #226622 25%, #22dd22 100%);
background: -webkit-linear-gradient(top, #226622 25%, #22dd22 100%);
background: -ms-linear-gradient(top, #226622 25%,#22dd22 100%);
background: linear-gradient(to bottom, #226622 25%,#22dd22 100%);
filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#228822',
endColorstr='#22ff22',GradientType=0 );
box-shadow: 2px 2px 2px #CCCCCC;
color: white;
font-size: normal;
font-weight: bold;
padding: 2px 5px;
}

The file contains a .badge.<class name> section for each badge class.

Copy the .badge.orange section and paste it at the end of the file. Modify it by changing the name to
flame and copy the code for red (#DD2222) into the end colour of the defined gradients - like this:

.badge.flame {
border: 1px solid #C86C1B;
background: #C86C1B;
background: -moz-linear-gradient(center top , #C86C1B 25%, #DD2222 100%);
background: -webkit-linear-gradient(top, #C86C1B 25%, #DD2222 100%);
background: -ms-linear-gradient(top, #C86C1B 25%,#DD2222 100%);
background: linear-gradient(to bottom, #C86C1B 25%,#DD2222 100%);
filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#C86C1B',
endColorstr='#DD2222',GradientType=0 );
box-shadow: 2px 2px 2px #CCCCCC;
color: white;
font-size: normal;
font-weight: bold;
padding: 2px 5px;
}

Save the file and close the editor.

Access the Identity Manager web administration console: http://www.jke.test:9091/itim/console

Enter itim manager as the User ID and Passw0rd as the Password and click Log In.
Select Manage Roles, click Refresh to populate the list of Roles, and select Application approvers.

Select the Access Information section, scroll to the bottom.

Expand Badges and select Flame from the Badge class selector.

Click OK to save the change and then Log out from the Admin console.

If you login to the Identity Service Center and Request Access you'll see the new badge on the
Application approvers card:

6.6 Filtering User List


By default, the list of users presented when the Manage Others Access task is available is the full set of
users that the logged in user is authorised to see based on Identity Manager ACIs. In some cases it may
be desirable to limit this list of users within the Identity Service Center.

This can be done by defining an LDAP filter to be applied to user searches performed within the Request
Access task of the Identity Service Center.

6.6.1 Set up scenario


Before we can show this customisation in action, we need a user who is authorised to request access for
a lot of people. We have a helpdesk user (Joe) who can see all users but he is currently not authorised to
view or request access on behalf of others in the Identity Service Center. We need to change that.

If not already open, open the Firefox browser in the Linux virtual machine and access the Identity
Manager web administration console: http://www.jke.test:9091/itim/console

Enter itim manager as the User ID and Passw0rd as the Password and click Log In.

Select Set System SecurityManage Views using the navigation menu.

Click Search to populate the list of defined views and select Help Desk View.

Open the Configure View section and scroll to the bottom.

Select the check box for Manage Others Access and click OK.

Log off from the Administration Console.

Now let's have a look which users Joe can see.

If not already open, open the Identity Service Center http://www.jke.test:9091/itim/ui

Login with joe and Passw0rd.

Select Request Access task and scroll through the list.

Joe can currently see all users in the system.

Logout of the Identity Service Center.

6.6.2 Setting a static user filter


The base user filter can be changed by editing the JSON file where it is defined. This file hasn't been
customized yet so we'll need to make a copy.

In Nautilus, select the ISIM Custom UI bookmark and open the original/config folder.

Right-click on the ActionDefinition.json file and select Copy from the pop-up menu.

Select the ISIM Custom UI bookmark again and open config folder.

Right-click inside the folder and select Paste from the pop-up menu. A copy of the ActionDefinition.json
file should be created.

Open the new ActionDefinition.json file.

Locate this part of the file:

"SVCENTER_REQUEST_ACCESS_FOR_MYSELF_AND_OTHERS": {
  "actionType": "CreateFlow",
  "urlHash": "requestAccessForMyselfAndOthers",
  "properties": {
    "widgetPath": "com/ibm/isim/ui/util/uiflow/requestaccess/RequestAccessFlow",
    "widgetArgs": {
      "basePersonFilter": "",
      "flowType": "both"

and modify the basePersonFilter as follows:

"SVCENTER_REQUEST_ACCESS_FOR_MYSELF_AND_OTHERS": {
  "actionType": "CreateFlow",
  "urlHash": "requestAccessForMyselfAndOthers",
  "properties": {
    "widgetPath": "com/ibm/isim/ui/util/uiflow/requestaccess/RequestAccessFlow",
    "widgetArgs": {
      "basePersonFilter": "(jk-isexecutive=false)",
      "flowType": "both"

This static filter will limit search results to non-executive users.

Save the file.

In order for this filter to work the connecting user must have authority (via ISIM ACIs) to read any
attributes used here on all users that they need to see. An ACI was added to the Sandbox
environment to allow this.

Log back into the Identity Service Center using joe and Passw0rd.

Click Request Access.

Joe can no longer see any executive users (or the System Administrator, since that user doesn't have a
jk-isexecutive attribute at all and so cannot match jk-isexecutive=false).

6.6.3 Setting a dynamic filter


In addition to setting a static filter, a dynamic filter can be created. The variables available are:
- Attributes of the authenticated ISIM account - ${systemUser.<attribute>}
- Attributes of the authenticated ISIM person - ${systemUser.owner.<attribute>}

In Nautilus, select the ISIM Custom UI bookmark and open config folder.

Open the ActionDefinition.json file.

Modify the basePersonFilter as follows:

(|(jk-isexecutive=false)(jk-isexecutive=${systemUser.owner.jk-isexecutive}))

This filter should only allow executives to be seen by other executives.

Save the file.

Log back into the Identity Service Center using joe and Passw0rd.

Click Request Access and scroll to the bottom of the user list.

Currently this is not working - the system doesn't recognise the "owner" relationship modifier.
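
Both the static filter of 6.6.2 and the dynamic filter of 6.6.3 can be reasoned about without a directory. The following added Python example (written for this guide; not code from the lab guide or from IBM) evaluates the subset of RFC 4515 filter syntax that basePersonFilter uses (equality, presence, &, |, !) against a handful of constructed person entries, and expands ${systemUser.<path>} placeholders the way 6.6.3 describes. Whether the product escapes the substituted attribute value itself is not stated in this guide, so the example escapes it per RFC 4515, which is what any code that splices a directory attribute into a filter should do; an unescaped value such as )(cn=* would otherwise change the shape of the filter. The attribute name jk-isexecutive comes from the lab; the PEOPLE entries, their names and the nesting of the systemUser dictionary are assumptions.

```python
# Added example, not code from the lab guide or from IBM: an evaluator for
# the subset of RFC 4515 filter syntax used in basePersonFilter (equality,
# presence, &, |, !) so the static filter of 6.6.2 and the dynamic filter of
# 6.6.3 can be checked against constructed person entries, with no directory.
# jk-isexecutive comes from the guide; the PEOPLE entries and the shape of
# the systemUser dictionary passed to substitute() are assumptions.
import re

# RFC 4515 escaping for a value spliced into a filter, so that ( ) * \ or NUL
# inside an attribute value cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def substitute(template, system_user):
    """Expand ${systemUser.<path>} from a nested dict such as
    {"owner": {"jk-isexecutive": "true"}}. The value is escaped; a missing
    attribute becomes an empty value, which matches nothing."""
    def lookup(match):
        node = system_user
        for part in match.group(1).split("."):
            if not isinstance(node, dict) or part not in node:
                return ""
            node = node[part]
        return escape_value(node) if isinstance(node, str) else ""
    return re.sub(r"\$\{systemUser\.([A-Za-z0-9_.\-]+)\}", lookup, template)

def parse(text):
    """Filter string -> tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter at offset %d" % end)
    return tree

def _parse(text, i):
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected ( at offset %d" % i)
    i += 1
    if i < len(text) and text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        return (op, children), _expect_close(text, i)
    if i < len(text) and text[i] == "!":
        child, i = _parse(text, i + 1)
        return ("!", [child]), _expect_close(text, i)
    end = text.find(")", i)          # escaped parens never contain a raw ')'
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = text[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("unsupported filter item %r" % text[i:end])
    return ("=", attr.lower(), value), end + 1

def _expect_close(text, i):
    if i >= len(text) or text[i] != ")":
        raise ValueError("expected ) at offset %d" % i)
    return i + 1

def is_well_formed(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False

def matches(tree, entry):
    """entry maps lower-case attribute names to lists of string values;
    equality is compared case-insensitively (caseIgnoreMatch assumed)."""
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                 # presence filter (attr=*)
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)

def visible_users(filter_template, system_user, people):
    """Sorted names of the entries the expanded filter would return."""
    tree = parse(substitute(filter_template, system_user))
    return sorted(name for name, entry in people.items() if matches(tree, entry))

# Constructed sample entries; not the users on the lab image.
PEOPLE = {
    "nonexec1": {"jk-isexecutive": ["false"]},
    "nonexec2": {"jk-isexecutive": ["false"]},
    "exec1": {"jk-isexecutive": ["true"]},
    "sysadmin": {},   # no jk-isexecutive attribute, so (jk-isexecutive=false) excludes it
}
STATIC_FILTER = "(jk-isexecutive=false)"
DYNAMIC_FILTER = "(|(jk-isexecutive=false)(jk-isexecutive=${systemUser.owner.jk-isexecutive}))"

if __name__ == "__main__":
    print(visible_users(STATIC_FILTER, {}, PEOPLE))
    print(visible_users(DYNAMIC_FILTER, {"owner": {"jk-isexecutive": "true"}}, PEOPLE))
```

With an executive as the connecting user the dynamic filter returns the executive entry as well; with a non-executive, or when the placeholder cannot be resolved (the situation reported above, modelled here as a missing attribute), it collapses to the same result as the static filter. The entry with no jk-isexecutive attribute is excluded in every case, which is the behaviour observed for the System Administrator in 6.6.2.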

6.7 User Card Content Customization


6.7.1 Selecting content and sort options
The content shown on User cards can be customised. It is controlled by the Person.json configuration
file (default under original/config, customised copy under config).

This file has already been customized in this system so let's have a look at the customized file and make
some changes of our own.

In the root Nautilus window, select the ISIM Custom UI bookmark.

Open the config folder and then open the Person.json file.

The file has two parts - one which describes the content shown in grid format (cards) and the other which
describes the content shown in list format. The JSON within these parts is the same so we'll concentrate
on the grid.

The first section describes the primary identifier for the user.

{
  "grid": {
    "card": {
      "primary": {
        "attribute": {
          "default": "name",
          "Person" : "CN",
          "BPPerson" : "CN"
        },
        "sort": {
          "enabled": true,
          "labelKey": "name"
        }
      },
Within the section the attribute to be used is specified for each user type. The attribute associated with
default is used when the user type is not listed.

Most users in our system have type JKPerson. That type is not listed, so the default attribute (name) will be
used. Also note that name maps to the inetOrgPerson givenname attribute.


The sort section allows sorting by the attribute to be enabled or disabled. If sorting is allowed then the
label identifier to be used in the sorting selector is also specified here.

The text for the sorting label is defined in the Picker_xx.properties files under the nls directory.

The next section identifies the secondary user identifier. It has the same format as the primary so is not
repeated here.

The third section identifies additional information to be shown on the card. An array of attributes is
specified for each user type. These are all shown on the user card but cannot be sorted:

"tertiary": {
  "attributes": {
    "default": [
      "title"
    ],
    "BPPerson":["ersponsor.name"]
  }
},

You can see that in this system the default is to show just the user's job title here.

The final section determines which attribute contains the URL of the user's image. As we'll see in a
minute this attribute may not actually come from LDAP.

OK, now make the following changes in the grid section of the file:

{
  "grid": {
    "card": {
      "primary": {
        "attribute": {
          "default": "mail",
          "Person" : "mail",
          "BPPerson" : "mail"
        },
        "sort": {
          "enabled": true,
          "labelKey": "email"
        }
      },
      "secondary": {
        "attribute": {
          "default": "name"
        },
        "sort": {
          "enabled": true,
          "labelKey": "name"
        }
      },
      "tertiary": {
        "attributes": {
          "default": [
            "title" , "departmentnumber"
          ],
          "BPPerson":["ersponsor.name"]

Save the file and exit the editor.


Log in to the Identity Service Center using joe and Passw0rd, and select Request Access task.

Notice how the card content has changed.

Log out of the Identity Service Center.

6.7.2 NLS attribute and sort field names


The NLS text for the attribute names and sort options is held in the Picker_xx.properties file.
This file has not been customized in this environment.

Create a copy of …/original/nls/Picker_en.properties in …/nls directory.

Open the new file.

Add the following lines to the end of the file:

EMAIL=E-Mail
DEPARTMENTNUMBER=Dept

Save the file and close the editor.

Log back into the Identity Service Center again (as Joe) and select Request Access task again.

E-mail sort identifier now shows correctly and departmentnumber is now shown as Dept:

Log out of the Identity Service Center.

6.7.3 Mapping attribute codes to text


At the moment our departments show up as codes. We can translate these to make things clearer.

Create a copy of …/original/nls/CardCustomValue_en.properties in …/nls directory and
open the new file.

Add these lines to the end of the file:


departmentnumber.MSS=Management
departmentnumber.MKT=Marketing
departmentnumber.SUP=Support

Save the file and close the editor.

Log back into the Identity Service Center again (as Joe) and select Request Access task again.

Department names now replace the codes:

Log out of the Identity Service Center.
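As an added example covering sections 6.7.1 to 6.7.3 together (this is not the lab's or the product's code), the following Python renders a user card from the three files edited above: the grid section of Person.json, Picker_xx.properties for attribute and sort labels, and CardCustomValue_xx.properties for mapping coded values to text. The JSON and properties contents are constructed to match the lab's edits; the user records, the rendered-card structure, and the assumption that a Picker label is looked up by the upper-cased attribute name or labelKey (EMAIL for the labelKey email, DEPARTMENTNUMBER for the attribute departmentnumber, as the lab's added lines suggest) are this example's own.

```python
import json

# Constructed grid section of Person.json as it reads after the edits in 6.7.1.
PERSON_JSON = json.loads("""{
  "grid": {"card": {
    "primary":   {"attribute": {"default": "mail", "Person": "mail", "BPPerson": "mail"},
                  "sort": {"enabled": true, "labelKey": "email"}},
    "secondary": {"attribute": {"default": "name"},
                  "sort": {"enabled": true, "labelKey": "name"}},
    "tertiary":  {"attributes": {"default": ["title", "departmentnumber"],
                                 "BPPerson": ["ersponsor.name"]}}
  }}
}""")

# Constructed contents of the two nls files from 6.7.2 and 6.7.3 (NAME and TITLE
# stand in for entries assumed to exist in the original Picker file).
PICKER_PROPS = "NAME=Name\nTITLE=Title\nEMAIL=E-Mail\nDEPARTMENTNUMBER=Dept\n"
CARD_VALUE_PROPS = ("departmentnumber.MSS=Management\n"
                    "departmentnumber.MKT=Marketing\n"
                    "departmentnumber.SUP=Support\n")


def load_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip()
    return props


def pick_for_type(mapping, person_type):
    """Per-type lookup with the 'default' fallback described in 6.7.1."""
    return mapping.get(person_type, mapping['default'])


def get_attr(person, dotted):
    """Resolve 'ersponsor.name'-style paths against a nested dict record."""
    value = person
    for part in dotted.split('.'):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def render_card(config, person, picker, card_values):
    """Return the card content for one person: primary and secondary values,
    labelled tertiary fields, and the sort options offered in the picker."""
    card = config['grid']['card']
    ptype = person['type']
    primary = pick_for_type(card['primary']['attribute'], ptype)
    secondary = pick_for_type(card['secondary']['attribute'], ptype)
    tertiary = pick_for_type(card['tertiary']['attributes'], ptype)

    fields = []
    for attr in tertiary:
        raw = get_attr(person, attr)
        if raw is None:
            continue
        # CardCustomValue mapping: '<attribute>.<code>=<text>', else the raw value.
        display = card_values.get('%s.%s' % (attr, raw), raw)
        label = picker.get(attr.upper(), attr)  # assumption: upper-cased key
        fields.append((label, display))

    sort_options = []
    for section in ('primary', 'secondary'):
        sort = card[section]['sort']
        if sort['enabled']:
            sort_options.append(picker.get(sort['labelKey'].upper(), sort['labelKey']))

    return {'primary': get_attr(person, primary),
            'secondary': get_attr(person, secondary),
            'tertiary': fields,
            'sort_options': sort_options}


if __name__ == '__main__':
    picker = load_properties(PICKER_PROPS)
    values = load_properties(CARD_VALUE_PROPS)
    # Constructed records: a JKPerson (not listed in the JSON, so defaults apply)
    # and a BPPerson with a sponsor.
    joe = {'type': 'JKPerson', 'mail': 'joe@example.com', 'name': 'Joe',
           'title': 'Engineer', 'departmentnumber': 'SUP'}
    pat = {'type': 'BPPerson', 'mail': 'pat@partner.example', 'name': 'Pat',
           'ersponsor': {'name': 'Joe'}}
    print(render_card(PERSON_JSON, joe, picker, values))
    print(render_card(PERSON_JSON, pat, picker, values))
```

Running it shows the JKPerson card falling through to the default attributes with SUP rendered as Support and the picker offering E-Mail and Name, while the BPPerson card shows the sponsor's name instead. A department code with no mapping line is shown unchanged, which is the state the lab describes before CardCustomValue_en.properties is edited.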

6.8 Person Image Plug-in


In the ISC, user cards should, if possible, display with an image of the person. By default, the link to the
image is located as a person attribute - erImageURI.

In some cases, the URI for a user's image may be predictable - based on some other attributes and so,
rather than specifically setting the image URI for every user, it can be specified as an Extension Attribute.

Use the ISIM Data bookmark in the Nautilus window to open /opt/IBM/isim/data. Locate the file
enroleExtensionAttributes.properties and double-click to open it.

For some reason the files in this directory are marked as executable so a dialog appears.

Click Display to open the file using a text editor.

This file specifies that the out-of-the-box attribute extension is being used:

person.extension.classname = com.ibm.itim.dataservices.extensions.plugins.PersonExtensionPlugin

This plug-in uses attribute substitution to generate the image URI.

A custom plug-in can also be used here if you need to generate image URIs in some other way.


Let's have a look at the configuration for the default plug-in. Locate the following section of the file:

# Attribute extension rules
# Specify the rule for each attribute, including variables to substitute
# If the substitution cannot be performed, then the default value will be returned
# If the substitution fails and no default value is specified, then the attribute will not be returned
plugin.person.erImageURI=/itim/ui/custom/ui/userImages/${uid}.jpg

We can see from this configuration that image files are being loaded from within the context of the Identity
Service Center application, and that the filename is being dynamically generated from the uid parameter
of the person.
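As an added example (not the lab's or the product's plug-in code), the following Python applies the rule semantics described in the comments above: substitute ${attribute} variables from the person record, fall back to a default value when a variable cannot be resolved, and omit the attribute when there is no default. The properties excerpt is constructed from the lab's line; how a default value is configured for the real plug-in is not shown on this page, so defaults are passed in separately here as an assumption. The example also refuses to substitute a value that contains a path separator or is '.' or '..', a defensive check of its own (not a statement about the product) since the value becomes one component of a URI path.

```python
import re

# Constructed excerpt of enroleExtensionAttributes.properties (the lab's rule line).
EXTENSION_PROPS = """
# Attribute extension rules
# Specify the rule for each attribute, including variables to substitute
plugin.person.erImageURI=/itim/ui/custom/ui/userImages/${uid}.jpg
"""

VAR = re.compile(r'\$\{([A-Za-z0-9_-]+)\}')


def parse_rules(text):
    """Read 'plugin.person.<attribute>=<template>' lines into {attribute: template}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, template = line.partition('=')
        key = key.strip()
        if key.startswith('plugin.person.'):
            rules[key[len('plugin.person.'):]] = template.strip()
    return rules


def _path_safe(value):
    """Defensive check of this example: a substituted value is one path
    component of the URI, so it must not be able to escape its directory."""
    return '/' not in value and '\\' not in value and value not in ('.', '..')


def extend_person(person, rules, defaults=None):
    """Apply each rule to a person record (a plain dict, constructed here).

    Returns (extended record, report), where report maps each attribute to
    'ok', 'default (...)' or 'omitted (...)' with the reason in brackets."""
    defaults = defaults or {}
    extended = dict(person)
    report = {}
    for attr, template in rules.items():
        problems = []

        def substitute(match, problems=problems):
            name = match.group(1)
            value = person.get(name)
            if value in (None, ''):
                problems.append('missing %s' % name)
                return ''
            value = str(value)
            if not _path_safe(value):
                problems.append('unsafe %s' % name)
                return ''
            return value

        resolved = VAR.sub(substitute, template)
        if not problems:
            extended[attr] = resolved
            report[attr] = 'ok'
        elif attr in defaults:
            extended[attr] = defaults[attr]
            report[attr] = 'default (%s)' % ', '.join(problems)
        else:
            report[attr] = 'omitted (%s)' % ', '.join(problems)
    return extended, report


if __name__ == '__main__':
    rules = parse_rules(EXTENSION_PROPS)
    print(extend_person({'uid': 'joe'}, rules))           # resolved URI
    print(extend_person({'cn': 'No Uid'}, rules))         # attribute omitted
    print(extend_person({'cn': 'No Uid'}, rules,
                        {'erImageURI': '/itim/ui/custom/ui/userImages/unknown.jpg'}))
```

With the lab's rule a person with uid joe receives /itim/ui/custom/ui/userImages/joe.jpg, a person without a uid receives the default when one is supplied and nothing otherwise, and the report says which of the three paths was taken.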

The /itim/ui/custom/ui directory is mapped to the following directory on the file system:
<ISIM WAS profile>/config/cells/localNode01Cell/itim/custom/ui/ so we would
expect to find the image files for this system here. Let's take a look.

Close the editor window and return to Nautilus.

Select the ISIM Custom UI bookmark in the root Nautilus window.

Open the userImages folder and, as expected, you'll see the images.

Other images (for custom logos and application icons etc.) can be loaded to this filesystem to support
other customisation. Note that because this directory is under the WAS cell configuration directory it
will be synchronised from a Domain Manager to all cell members.

*** END OF DOCUMENT ***
