Lab Guide
Jon Harry
Version 1.0
July 2014
Identity Service Center LAB GUIDE
IBM Security Identity Manager
Table of Contents
1 Introduction
1.1 High Level Architecture
1.2 IAM Sandbox 2.1 beta 2 VM
1.3 Memory Recommendations
1.4 VMware and Networking
2 Preparation for the Labs
2.1 Start the IAM Sandbox 2.1 Linux Image
3 Running Identity Service Center Scenarios
3.1 Launching Identity Service Center
3.2 Identity Service Center Homepage
3.3 View Access (end user)
3.4 Request Access (end-user)
3.5 View Requests
3.6 Request Access (Manager)
3.7 Request Approval
3.8 Request for Information processing
3.9 Launch in Context
3.9.1 Launch Self-Service Portal
3.9.2 Launch Administration Console
4 Defining Accesses in the Identity Service Center
4.1 Open Identity Manager Administration Console
4.2 Accesses for Roles
4.3 Accesses for Services
4.4 Access for Groups
4.5 Test new access definitions
5 Custom Tasks
5.1 Log on to Administration Console
5.2 Review Custom Tasks
5.3 Add a new custom task
5.4 Test Task Changes
5.5 Update Custom Task Label
5.6 Test Custom Task Label
5.7 Create Drop-down menu
5.8 Test Drop-down menu
6 Advanced Customisation
6.1 Identity Service Center customization files
6.2 Custom Company Logo
6.3 Login Page Customisation
6.3.1 Changing text
6.3.2 Changing content
6.4 Application Page Customization
6.4.1 Changing text
6.4.2 Changing Header Image
6.5 Customizing Badges
6.6 Filtering User List
6.6.1 Set up scenario
6.6.2 Setting a static user filter
6.6.3 Setting a dynamic filter
6.7 User Card Content Customization
6.7.1 Selecting content and sort options
6.7.2 NLS attribute and sort field names
6.7.3 Mapping attribute codes to text
6.8 Person Image Plug-in
1 Introduction
This lab guide shows how to use the Identity Service Center in IBM Security Identity Manager. This new
interface for business users was initially added in 6.0.0.2 and support for additional use-cases was added
in 6.0.0.3.
1.1 High Level Architecture
[Architecture diagram; text recovered from the figure: a Firefox 24 browser reaches IBM Security Access Manager for Web over HTTP(S) on ports 80 and 443, and reaches IBM Security Identity Manager (Admin Console, Self-Service Portal) over HTTP on port 9091. Identity Manager uses LDAP on port 389 and DB2 over JDBC on port 50012. A Thunderbird e-mail client reads mail from the James e-mail server. Hosts shown: 192.168.42.101 (w3.jke.test) and 192.168.42.110 (www.jke.test).]
The virtual machines, and this lab guide, assume that all virtual machines share a common virtual network. All IP addresses are hard-coded in the 192.168.42.0 subnet.
The labs in this guide do not require internet connectivity or connectivity with the host machine.
If you need it for any reason, the password for labuser is Passw0rd.
local:/home/labuser/startupScripts # ls
startAll.sh* startISAM.sh* startRTSSClient.sh* startWAS.sh*
startCognos.sh* startISIM.sh* startRTSS.sh*
startEmulator.sh* startMyPeopleTDI.sh startTSPMAll.sh*
First, we need to start IBM Security Access Manager for Web (and its LDAP) so that Identity Manager can
provision access to it. Run the following script to start Access Manager and its LDAP:
local:/home/labuser/startupScripts # ./startISAM.sh
GLPSRV041I Server starting.
…
Starting the: Access Manager policy server.
Starting the: Access Manager authorization server.
Starting the: webseald-w3.jke.test
Starting the: webseald-www.jkcloud.test
Starting the: webseald-www.jke.test
Starting the: webseald-www.jkhelpdesk.test
Starting the: webseald-www.jk.test
Next, run the following script to start the services required by Identity Manager, and Identity Manager itself:
local:/home/labuser/startupScripts # ./startISIM.sh
Using PHOENIX_HOME: /usr/james-2.3.2
Using PHOENIX_TMPDIR: /usr/james-2.3.2/temp
Using JAVA_HOME: /usr/lib64/jvm/jre
Starting Phoenix:
Phoenix running pid=22809
Starting ISIM DB2...
nohup: redirecting stderr to stdout
/etc/profile: DISPLAY was null so not doing xhost commands
07/14/2014 06:21:06 0 0 SQL1063N DB2START processing was successful.
SQL1063N DB2START processing was successful.
Starting ISIM ldap...
IBM Tivoli Identity Manager Adapter Service start request successfully issued!
This script takes 2-3 minutes to run. When complete, you can exit the root terminal window:
local:/home/labuser/startupScripts # exit
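The start scripts above return before the servers behind them have finished initialising, so rather than guessing at the 2-3 minutes it is more reliable to poll the listening ports. The following readiness check is an added example, not part of the lab image or of IBM's scripts; the hostnames and ports are taken from the architecture diagram and the lab URLs, and the mapping of each port to a host (in LAB_SERVICES) is an assumption to adjust for your image.

```python
"""Readiness check for the lab services that startISAM.sh and startISIM.sh bring
up. Added example, not part of the lab image: the scripts return before the
servers are ready, so this polls the listening ports instead of waiting a
guessed 2-3 minutes. Hostnames and ports come from the lab's architecture
diagram and URLs; which host carries which port is an assumption."""
import socket
import time

# (label, host, port): assumed mapping of the diagram's ports onto the two lab hosts
LAB_SERVICES = [
    ("Identity Service Center / ISIM (HTTP)", "www.jke.test", 9091),
    ("ISIM DB2 (JDBC)", "www.jke.test", 50012),
    ("LDAP", "www.jke.test", 389),
    ("Access Manager WebSEAL (HTTPS)", "w3.jke.test", 443),
]


def port_is_open(host, port, connect_timeout=2.0):
    """True if a TCP connection to host:port completes (handshake only; no
    application-level request is sent)."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:          # refused, unreachable, name lookup failure, timeout
        return False


def wait_for_listener(host, port, timeout=180.0, interval=5.0):
    """Poll until host:port accepts connections or timeout seconds elapse."""
    deadline = time.monotonic() + timeout
    while True:
        if port_is_open(host, port):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


def check_services(services=LAB_SERVICES, timeout=180.0, interval=5.0):
    """Wait for each service in turn; returns {label: up?} so a caller can
    refuse to start the lab steps while anything is still down."""
    return {label: wait_for_listener(host, port, timeout, interval)
            for label, host, port in services}


def open_loopback_listener():
    """Helper for trying this offline: a throwaway listener on 127.0.0.1.
    Returns (socket, port); close the socket to simulate the service going away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for label, up in check_services().items():
        print(("UP   " if up else "DOWN ") + label)
```

Run it from the Linux image after the two start scripts; a DOWN line after the default 180 second wait means the corresponding server log (for example the WebSphere stopServer/startServer logs under the isim profile) is the place to look next. The check only confirms that something is listening, not that the application has deployed, so a successful result is a precondition for the lab steps rather than proof that they will work.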
James - A JK Enterprises Employee working in Marketing. James is performing a task that requires him
to have access to the Finance Application and the East Region Fileshare. He currently does not have
this access.
Bill - Bill is a Manager at JK Enterprises. He needs to request Fileshare access for himself and for a
member of his team, Susan.
Launch the Firefox 17 browser by double-clicking on the desktop icon shown below:
Go to the following URL to open the ISIM Identity Service Center web application:
http://www.jke.test:9091/itim/ui
Note that this URL goes straight to the Identity Manager application server over plain HTTP on port 9091 rather than through Access Manager on port 443, so the lab credentials cross the network unencrypted. That is tolerable only because the lab network is an isolated virtual network.
Notice that there is a custom JK Enterprises logo and text on this page. We will look at customisation
later on.
Enter james as the User ID and Passw0rd as the Password. Then click Log in.
The homepage shows cards for each task available to the authenticated user.
The Request Access and View Requests tasks were available in the 6.0.0.2 release to allow managers to
request access on behalf of their employees (and to view the status of requests). These functions are
now available to all users (both managers and end users) to request access (and view requests) for
themselves.
View Access is a new task which allows all users to see what Access they currently hold. All users can
view their own access. Managers can also view the access for their employees.
Manage Activities is a new task which allows users to see outstanding workflow actions which are
assigned to them. Approval actions can be performed directly within the Identity Service Center. Other
actions can be performed through links to the Self-Service console.
(1) Custom text - related to the JK Enterprises corporation has been added to both the title bar and
the launch bar.
(2) A Custom "task" has been added for a change password operation. Custom tasks allow the
Identity Service Center to act as a one-stop-shop for identity tasks.
James is an end user in the JK Enterprises organisation; he is not a manager. This means that James can only view his own access.
James currently only has access to the Benefits application. That’s not enough to allow him to perform
his new duties. He needs to request additional access.
The Request Access wizard is started. Notice the steps at the top leading the user through the required
process.
James is not a manager and so can only request access for himself. As a result, he doesn't see any user
selection page and is taken directly to the screen where he can select the access that he wants to
request for himself.
On this page all of the Accesses to which James is entitled (based on Provisioning Policies) are displayed
as cards. Each card displays clear information about the associated access. We will see how to
customise this information later.
Accesses can be associated with one or more categories to help users to find what they need. The list of
access cards can be filtered by searching for keywords or by selecting categories.
James is looking for the Finance application. Click on the Application category filter - as shown above.
The list of access cards is filtered and James can now see the Finance application.
Now James wants to find the East region Fileshare. He can use the search for this.
Click on the All Categories link to remove the previously applied filter.
Enter east in the Search Accesses text box and click the Search icon - as shown above.
Click on the East Region File Share card to add it to the request cart. Notice that the cart now shows 2
accesses.
James now has both of the accesses he needs in his request cart. Click Next to move on to the next step
in the request process.
The Identity Management system dynamically determines what information is required from James in
order for his access request to be submitted. A list of these items is displayed.
Note that no account-specific information is being requested for the Finance application. This is because
the account required for this access already exists - only a group change is required.
Item 2 shows that the East Region File Share access depends on a new account on the Fileshare service. This item already shows as complete (a green tick) because all of the required information has been filled in from defaults.
Before we continue, let's take a look at the account information that is going to be used. Click Provide
Account Information - as shown above.
All of the fields for the new account have been completed (based on Provisioning Policy account defaults). This policy also dictates that the e-mail address for the account must match the owner's e-mail address. So, what happens if James tries to change it?
Change the e-mail address to jimmy@gmail.com and then click somewhere else on the form.
The value entered is dynamically checked against the Provisioning Policy and an error is displayed.
James can decide to continue with a non-compliant value or accept the suggested compliant value.
Click the Accept suggested value button to revert the e-mail address.
Enter an appropriate justification. As you click away from the text box the tick box goes green. Click
Submit to submit the access request.
Both accesses now show as Pending. They have been submitted into the Identity Manager workflow
engine. Click the Home icon (as shown above) to return to the Identity Service Center homepage.
On the Identity Service Center homepage, click the View Requests card. A list of current requests is
shown:
Note that this list can be filtered based on the application requested, or by timeframe (under Request
History), or using a search.
We can see that our (only) access request is Pending. Click the request to View Details.
On this screen, James can see that one of his requests has been fulfilled and one is still pending. At the
bottom of the screen he can see that there is an approval outstanding. The possible approvers are
Chuck and System Administrator.
Chuck and System Administrator (itim manager) are approvers here because they are members of the approval role configured in the approval node of the workflow that controls file share account creation.
There's one last thing to look at while we're still logged in as James. Click View Access on the launch
bar.
Back on the View Access Page, you can see that pending access is shown along with current access.
Try filtering based on Access State so that you can see only Pending Access.
Click on the View details… link (as shown above). It will take you to the view requests page that we
were just looking at.
When you're done, click Log Out to log out from the Identity Service Center. There's nothing else for
James to do (except nag Chuck to approve his access).
The ability to manage access for other users is controlled by the Manage Others Access entry in the Identity Manager View assigned to the user. We'll look at views later when we explore custom tasks.
If not already open, open the Firefox browser in the Linux virtual machine and access:
http://www.jke.test:9091/itim/ui
Notice that Bill has more task cards than James had. The cards displayed are controlled by security
configuration within Identity Manager. We'll look at that later.
Bill wants to request access for one of his employees. Click the Request Access card on the Identity
Service Center homepage.
Since Bill is a Manager, the first screen he sees when requesting access is a user selection page. Bill
can either select himself or an employee.
Bill also needs to request access for himself. Click the Request New Access button to restart the
request access wizard.
Instead of picking a user from the list of cards, a manager can also use the Quick Select link.
If not already open, open the Firefox browser in the Linux virtual machine and access:
http://www.jke.test:9091/itim/ui
Pending approvals are activities. Click the Manage Activities card on the Identity Service Center
homepage.
In ISIM 6.0.0.3 approvals are the only activities handled natively in the Identity Service Center. Other
activities (for example Request For Information) are shown in the activity list but link out (in context) to
the ISIM Self-Service portal when selected.
Note the filter options. Activities can be filtered based on who the request is for (i.e. who is the owner of
the account that is subject to approval) and who the request is by (i.e. who made the request).
All three approval requests are listed. The first is expanded to show the approval screen.
In addition to seeing high level details of the request on the activity list, a user can also click the view
details link to see all of the attributes associated with the request.
Enter an appropriate approval justification and click Approve. The request is marked as approved.
Chuck wants to reject the requests from both Bill and Susan.
It is possible to process multiple requests at the same time, with a single justification. This saves an approver time when applying the same decision and justification to a batch of requests.
Click the Select Multiple button. This changes the screen so that each pending request has a checkbox.
Select the checkboxes next to the two remaining approval requests. Enter a rejection comment and click
Reject. Both requests are marked as rejected. The justification text is associated with both requests.
Chuck has now processed all outstanding requests. Click Log Out to log out from the Identity Service
Center.
Navigate to Application > Support Applications and select the Transaction Support Application card. Click Next.
Login to the Identity Service Center again using chuck and Passw0rd.
The Request for Information activity is showing in Chuck's activity list - just like the approvals did. Even
though Chuck has to go out of the Identity Service Center to process this activity he can still use the
Identity Service Center to view Approvals and RFI requests in one place.
Chuck is now in the Self-Service console although note that he has not had to authenticate (his
application server session is valid for both applications) and he has been taken right to the RFI entry
screen (launch-in-context).
The RFI has been submitted. Click the X on the browser tab (as shown above) to return to the Identity
Service Center.
Back at the Identity Service Center, the RFI is still shown. It will disappear the next time the activity list is refreshed.
Click the Home icon and then select the Manage Activities card again. The RFI task has gone.
Click on the Change Password task. This is a custom task that launches the Change Password function
of the Self-Service Portal.
Notice that the Self-Service Portal page has been launched as a frame within the Identity Service Center
and that chuck is already authenticated.
Click Home icon to return to the Identity Service Center home page.
Click on the Manage Users custom task. Notice the icon in the top right corner which indicates that this
task will open in a new browser window (or tab).
The Identity Service Center launches in a new browser tab. Notice that chuck is already logged in.
Click Refresh to populate the list of Roles and then select the Approval Role for JKE Fileshare and
Business Applications from the list - as shown above.
The Role Name and Description need to be short so they will format properly on the access cards.
Change the Name of the role to Application approvers and change the Description to Approval
Role.
Select the Access Information section and select the check-box to Enable access for this role. This
allows the role to be requested via the Identity Service Center.
Show this role as a common access is used by the Self-Service console: it causes the access to be displayed immediately rather than requiring a search. This setting has no effect in the Identity Service Center.
Each access can be allocated a type in the access type hierarchy. This can be used for filtering accesses
in the Identity Service Center.
Note that the default icon for the access changes to reflect the access type. It is also possible to
specify a custom icon by providing the URL where it can be found.
It is possible to add additional search terms for the access. These are used when users search within the
Identity Service Center access selection screen.
Enter approver in the Search terms text box and click Add.
Enter some appropriate information in the Additional information text box. This will be visible in the
Identity Service Center along with the Role name and description.
Badges are shown wherever the access is shown. Usually badges are used to highlight properties of an
access to which an approver or auditor should pay attention.
Enter Allows Approval for Badge text and select Orange as the Badge class. A preview is shown.
Click Add.
Additional badge classes (text colour, fill etc.) can be defined. We'll look at that later.
Service accesses are new and are only visible in the Identity Service Center; they do not appear in the Self-Service portal.
Note that the service password must be re-entered whenever a change is made to a service definition.
Check the check-box to Define an Access and enter Application Directory as the Access Name.
We'll leave this access definition minimal. Click OK at the bottom of the window.
When a user requests an access which gives a group membership, Identity Manager will also process
the creation of a new account on the associated service if the user does not already have one.
We're going to create a new fileshare group and define an access for it.
Click Search to populate the list of services. Groups are associated with services.
Select the radio button associated with the Fileshare service and click Continue.
Click Create.
Check the check-box to Define an Access and select the radio-button to Enable Common Access.
Expand the Change access type selector, expand Access Types and select Fileshares.
Select Access Approval Workflow for JKE Business Applications and FileShares as the Approval
workflow.
The workflows shown in this drop-down list are those previously created under Design Workflows > Manage Access Request Workflows.
Only group accesses allow a workflow to be associated directly with the access. Workflow can be added to role and service accesses by modifying the Person and Account workflows under Configure System > Manage Operations.
Enter /itim/ui/custom/ui/images/identity.png as the Icon URL. When you click away from
the entry box, a preview is shown.
In this case a server relative URL has been given since the image resides on the Identity Manager
application server. An absolute URL can also be given if the image exists on a different server.
Click Finish at the bottom of the window to complete the group (and access) creation.
Click the log out icon to logout from the administration web console.
Notice that our new Application Directory Access is now showing up as part of James' current access.
This is because James has an account on the associated service as a pre-requisite for the Transaction
Support Application access that he holds.
Now that an access is defined for the service it shows up in James' access list and the account details
can be seen.
Click Access Details to see the details of James' account on the Application Directory service.
Click Request Access on the launch bar and select Emily from the user list.
Check that all three of our new accesses are shown - you can try them out if you like.
5 Custom Tasks
In this lab environment, depending on the authenticated user, one or more custom task cards are seen on
the Identity Service Center homepage. Let's have a look at how these are set up and add one of our
own.
Enter itim manager as the User ID and Passw0rd as the Password. Click Log in.
Expand Set System Security and select Manage Views in the navigation menu.
This list shows all of the defined Custom Tasks that can display as cards in the Identity Service Center.
Let's have a look at one of them.
Select CUSTOM_CHANGEPASSWORD.
The only required field for a custom task is the URL. This is where the user's browser is directed when
they select the custom task.
The Icon points to an image to display on the card. A default icon will be used if none is specified.
The Header Category field controls where the custom task is shown on the Launch bar of the Identity
Service Center. If the value is empty the task will not be shown. If more than one task shares this value
then they will show in a drop-down menu on the Launch bar.
Show on home page controls whether the task is shown as a card on the Identity Service Center home
page.
Start task in new window controls whether the URL should be opened in a new window (new browser tab)
or should be loaded as a frame in the Identity Service Center.
Notice that there is no Name for the custom task, only an Identifier (made up of a prefix and suffix). This maps to entries in configuration files which dictate the label shown for the task, which allows for multi-language support. We'll have a look at this later.
Let's change the task so that it shows in the launch bar. Update the Header Category to
SELF_SERVICE, scroll to the bottom of the page, and click OK.
We now want to add our own custom task so click Continue managing custom tasks.
Click Create.
The URL can be seen when accessing the appropriate page in the Self-Service console. The Icon image URL was found by using Firebug to interrogate the source of the Self-Service portal (although "view source" would probably have worked too).
Click Close to close the Manage Custom Tasks tab. You are now back at the Manage Views tab.
Now we need to add the new task to one or more Views. A view determines what users can see when
they access Identity Manager web interfaces.
A user is mapped to a View based on the group memberships of their ISIM account. Each group on the ISIM service points to a view. If a user's ISIM account is not a member of any groups then they get the default End User view. If a user's ISIM account is a member of multiple groups they see the superset of the view items.
Click Search to populate the list of existing views. Click on the End User View.
Notice the Manage Others Access tasks here. This is what controls whether a user can manage
access for other users that they have authority over in Identity Manager.
Click Search to populate the view list again and this time select Manager View.
Authenticate as James with james and Passw0rd. James' Identity Manager account is not a member of
any groups so he sees the End User view.
Notice that the Change Password task now appears in the launch bar. That's because we added the
Header Category to its configuration.
You should also see the new task card shown on the Identity Service Center homepage.
Notice that the text is showing the Task Identifier. We need to perform some additional customization to
translate this to a proper text label.
Log Out of the Identity Service Center. We'll come back when we've fixed that label.
Open the gedit text editor using the icon on the desktop:
Note that this opens the editor with root (super-user) permissions.
Click Open, open the CustomLabel.properties file and press Enter.
Add a label for the new task so that the file contains the following entries (CUSTOM_USERPROFILE is the new entry; the other identifiers are the existing custom tasks):
CUSTOM_CHANGEPASSWORD=Change Password
CUSTOM_COGNOS_REPORTS=JKEnterprises Reporting
CUSTOM_MANAGEUSERS=Manage Users
CUSTOM_USERPROFILE=My Profile
Click Save to save the updated file. Then navigate to File > Quit to exit gedit.
In order to recognise the new label, the Identity Manager application must be restarted. This is most
easily achieved by restarting the application server where it is running.
local:/home/labuser/startupScripts # restartISIM.sh
Stopping ISIM WAS...
ADMU0116I: Tool information is being logged in file
/opt/IBM/WebSphere85/AppServer1/profiles/isim/logs/server1/stopServer.log
ADMU0128I: Starting tool with the isim profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.
This time the task identifier has been replaced with the label we configured in the CustomLabel.properties
file.
Click on the new card. The view profile screen is loaded as a frame:
Click the Home button to return to the Identity Service Center homepage.
If you like, verify the Manager view by signing in as Chuck and checking that he also sees the new card.
Chuck's Identity Manager account is a member of the Manager group.
Enter itim manager as the User ID and Passw0rd as the Password. Click Log in.
Select CUSTOM_USERPROFILE.
Update the Header Category to SELF_SERVICE, scroll to the bottom of the page, and click OK.
You should now see SELF_SERVICE on the menu bar. If you click on it then it expands to show the two
tasks that we have assigned to that header category.
We'll set a text label for the SELF_SERVICE menu later but, for reference, the file that needs updating
is headerLabel_en.properties.
6 Advanced Customisation
In this section we will explore some of the more advanced customisation options for the Identity Service
Center.
Most of the advanced customisation we will be looking at requires changes to text configuration files. In
order to explore these, and edit them, we will use Nautilus (the file manager on the Linux image) running
as the root user. This gives it full permissions on the system.
Double-click the Root Explorer icon on the desktop to open a Nautilus window as root.
Bookmarks for this lab have been created in the navigation bar. The ISIM Custom UI bookmark maps to the following directory:
/opt/IBM/WebSphere85/AppServer1/profiles/isim/config/cells/localNode01Cell/itim/custom/ui/
Select the ISIM Custom UI bookmark in the root Nautilus window. You will see a number of directories
here.
This system already has some customization in place. In a clean system, the only folder here would be
the original folder. This is where the default versions of the UI files are found. These files should not
be changed.
To perform customization you should copy the default file from the original folder to the same directory
location under the /custom/ui folder and then edit it there. Only changed files need to be copied -
other files will still be found under the original folder.
On this system the config, images, and nls folders contain customized files.
It's also possible to add additional directories under /custom/ui for new content. The userImages
directory is an example of this.
If you like, open the Original folder and have a browse around the file structure to get familiar with it.
Open the config folder and then open the UIconfig.properties file. This is a customized file - a
modified version of the default file found in the original/config directory.
In this file you can see that a custom JKE logo is being used:
#File to be used for Login page or other places which need company logo image
LOGO_IMAGE=jke_banner.png
The file referenced by LOGO_IMAGE must be located in the images directory. Let's take a look.
Select the ISIM Custom UI bookmark and open the images folder.
Here you can see the jke_banner.png file that is being used.
Rename the UIconfig.properties file to UIconfig.properties.bak. This will force the use of
the original UIconfig.properties file (under original/config directory) which points to an IBM
logo.
In Nautilus, select the ISIM Custom UI bookmark and open the nls folder.
Files in the nls folder are loaded based on the selected language. The system looks for a file with _xx
at the end of the base filename (where xx is the language code for the selected language). If this isn't
found, the system loads the base file (which has no _xx extension).
When English is selected as the language, it is the files with _en suffix that are used. It is these files that
need to be changed to customise what you see when viewing in English.
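The two lookup rules just described (a file under custom/ui overrides the same path under original, and a _xx language file is preferred to the base file) can be modelled in a few lines. The script below is an added example for this lab, not IBM code: it resolves which file would be served and parses Java .properties files so a customised copy can be checked against the original it was cloned from, which is worth doing after an upgrade adds keys to the original. The lab does not say whether a custom base file outranks an original _xx file; the code assumes the language suffix is decided first and custom-versus-original second. The directory tree and file contents it builds are constructed for the demonstration.

```python
"""Resolve which Identity Service Center UI file is served, and audit a custom copy.

Added example for this lab, not IBM code. Assumption: the '_xx' language
suffix is resolved first, custom-versus-original second.
"""
import os
import re
import tempfile

_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*)$")


def candidate_paths(root, relpath, lang=None):
    """Ordered search list for relpath, e.g. 'nls/headerLabel.properties'."""
    base, ext = os.path.splitext(relpath)
    variants = [f"{base}_{lang}{ext}", relpath] if lang else [relpath]
    # custom copy first, then the shipped file under original/
    return [os.path.join(root, sub, v) for v in variants for sub in ("", "original")]


def resolve(root, relpath, lang=None):
    """Return the first existing candidate, or raise FileNotFoundError."""
    for path in candidate_paths(root, relpath, lang):
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(relpath)


def load_properties(path):
    """Parse a Java .properties file: '#'/'!' comments, '=' or ':' separators,
    trailing-backslash continuation lines. Values are kept verbatim."""
    props, pending = {}, ""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = pending + raw.rstrip("\r\n")
            pending = ""
            if line.endswith("\\") and not line.endswith("\\\\"):
                pending = line[:-1]          # continued on the next line
                continue
            if not line.strip() or line.lstrip()[0] in "#!":
                continue
            m = _KV.match(line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def audit_custom_copy(custom_path, original_path):
    """Report how a customised file differs from the original it was copied from."""
    custom, original = load_properties(custom_path), load_properties(original_path)
    return {
        "overridden": sorted(k for k in custom if k in original and custom[k] != original[k]),
        "added": sorted(set(custom) - set(original)),
        "missing": sorted(set(original) - set(custom)),   # keys the custom copy lacks
    }


def build_demo_tree():
    """Create a throw-away custom/ui tree with constructed file contents.
    The custom headerLabel_en copy deliberately lacks requestStatusTodo."""
    root = tempfile.mkdtemp(prefix="isc-ui-")
    files = {
        "original/config/UIconfig.properties": "LOGO_IMAGE=ibm_banner.png\n",
        "original/nls/headerLabel.properties":
            "identityManager=Identity Manager\nproductIcon=Product Icon\n",
        "original/nls/headerLabel_en.properties":
            "#header labels\nidentityManager=Identity Manager\nproductIcon=Product Icon\n"
            "manageAccess=Manage Access\nrequestStatusTodo=Request Status\n",
        "nls/headerLabel_en.properties":
            "identityManager=Simple Identity Management\nproductIcon=Product Icon\n"
            "manageAccess=Manage Access\nSELF_SERVICE=Self Service\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print(resolve(root, "config/UIconfig.properties"))        # original copy: no custom file exists
    print(resolve(root, "nls/headerLabel.properties", "en"))  # custom _en copy wins
    print(resolve(root, "nls/headerLabel.properties", "fr"))  # no _fr anywhere: original base file
    print(audit_custom_copy(resolve(root, "nls/headerLabel.properties", "en"),
                            os.path.join(root, "original/nls/headerLabel_en.properties")))
```

Point the root at the ISIM Custom UI directory from the bookmark table to run the audit against the real files; a non-empty "missing" list is the signal that the original has gained keys the customised copy does not carry.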
Open the LoginText_en.properties file. This file, and other language versions, contain the text
substitution definitions from the HTML template file.
…
#Text to show in case the Logo image is missing
LOGO_ALT_TEXT=JKEnterprises
…
#Title for the product name
PRODUCT_NAME=JKEnterprises Identity Manager
…
The PRODUCT_NAME entry provides the title text for the login page. You can also see the other text
which can be changed on the page from within this file.
In Nautilus, select the ISIM Custom UI bookmark and open the original/nls/html folder.
<div style=''>
<div class='aboutLoginH1'>${ABOUT_SITE}</div>
</div>
<div role="list">
<div class="listItem" role="listitem">
<div class="icon accessIcon"></div>
<div class="listDetail">
<div class="ddDisplay">${REQUEST_ACCESS}</div>
</div>
</div>
…
</div>
This HTML file dictates the layout of the content. Notice the use of substitutions for the text to be
displayed. The file can be changed to remove or reorder the existing content - or the whole file could be
replaced to include completely bespoke content.
Remember - if you want to change this file, do not change it here. You should make a copy of the file
in the folder structure outside the original directory and make the change there.
Select the ISIM Custom UI bookmark and open the original/nls folder.
#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
ABOUT_SITE=Log on to Identity Service Center to perform the following activities:
REQUEST_ACCESS=Request access
VIEW_REQUEST=View requests
VIEW_ACCESSES=View access
MANAGE_ACTIVITIES=Manage activities
This file, and other language versions, contain the text substitution definitions from the HTML content
page.
Again, if you want to change this file, do not change it here. You should make a copy of the file in the
folder structure outside the original directory and make the change there.
A similar HTML content and properties pair controls the content of the copyright box in the footer of the
login page. The rest of the page is defined directly in the HTML template file.
In Nautilus, select the ISIM Custom UI bookmark and open the nls folder.
Open the customised headerLabel_en.properties file. It currently contains:
#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
identityManager=JK Enterprises Identity Manager
productIcon=Product Icon
#header categories
manageAccess=Manage Access
requestStatusTodo=Request Status
Change the identityManager value and add a SELF_SERVICE entry so that the file reads:
#NLS_ENCODING=UNICODE
#NLS_MESSAGEFORMAT_NONE
identityManager=Simple Identity Management
productIcon=Product Icon
#header categories
manageAccess=Manage Access
requestStatusTodo=Request Status
SELF_SERVICE=Self Service
Note that the line we're adding here sets a label for the SELF_SERVICE header category that we
created earlier: the key is the header category name and the value is the text shown on the menu bar.
Save the file and close the editor. The header of the application is changed:
In Nautilus, select the ISIM Custom UI bookmark and open the original/config folder.
Right-click on the HeaderMenu.json file and select Copy from the pop-up menu.
Select the ISIM Custom UI bookmark again and open the config folder.
Right-click inside the folder and select Paste from the pop-up menu. A copy of the HeaderMenu.json file
should be created.
Open the copied HeaderMenu.json file and locate the secondaryNavigation section:
"secondaryNavigation": {
"secondaryTitleKey": "SVCENTER_HOMEPAGE",
"secondaryIcon": "custom/ui/images/identity.png",
Change secondaryIcon so that it points at another image under the custom/ui/images directory:
"secondaryNavigation": {
"secondaryTitleKey": "SVCENTER_HOMEPAGE",
"secondaryIcon": "custom/ui/images/access/iconTeamsAccess.gif",
Save the file and close the editor. The image has been changed:
Use the ISIM Data bookmark in the Nautilus window to open /opt/IBM/isim/data. Locate the file
Badge.css and double-click to open it.
.badge.green {
border: 1px solid #226622;
background: #226622;
background: -moz-linear-gradient(center top , #226622 25%, #22dd22 100%);
background: -webkit-linear-gradient(top, #226622 25%, #22dd22 100%);
background: -ms-linear-gradient(top, #226622 25%,#22dd22 100%);
background: linear-gradient(to bottom, #226622 25%,#22dd22 100%);
filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#228822', endColorstr='#22ff22',GradientType=0 );
box-shadow: 2px 2px 2px #CCCCCC;
color: white;
font-size: normal;
font-weight: bold;
padding: 2px 5px;
}
The file contains a .badge.<class name> section for each badge class.
Copy the .badge.orange section and paste it at the end of the file. Modify it by changing the name to
flame and replacing the end colour of each gradient with the red used by the red badge (#DD2222) - like this:
.badge.flame {
border: 1px solid #C86C1B;
background: #C86C1B;
background: -moz-linear-gradient(center top , #C86C1B 25%, #DD2222 100%);
background: -webkit-linear-gradient(top, #C86C1B 25%, #DD2222 100%);
background: -ms-linear-gradient(top, #C86C1B 25%,#DD2222 100%);
background: linear-gradient(to bottom, #C86C1B 25%,#DD2222 100%);
filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#C86C1B', endColorstr='#DD2222',GradientType=0 );
box-shadow: 2px 2px 2px #CCCCCC;
color: white;
font-size: normal;
font-weight: bold;
padding: 2px 5px;
}
Enter itim manager as the User ID and Passw0rd as the Password and click Log In.
Select Manage Roles, click Refresh to populate the list of Roles, and select Application approvers.
Expand Badges and select Flame from the Badge class selector.
Click OK to save the change and then Log out from the Admin console.
If you login to the Identity Service Center and Request Access you'll see the new badge on the
Application approvers card:
The set of users that a help desk user can choose from when requesting access for others can be
restricted. This is done by defining an LDAP filter that is applied to the user searches performed within
the Request Access task of the Identity Service Center.
If not already open, open the Firefox browser in the Linux virtual machine and access the Identity
Manager web administration console: http://www.jke.test:9091/itim/console
Enter itim manager as the User ID and Passw0rd as the Password and click Log In.
Click Search to populate the list of defined views and select Help Desk View.
Scroll to the bottom. Select the check box for Manage Others Access and click OK.
In Nautilus, select the ISIM Custom UI bookmark and open the original/config folder.
Right-click on the ActionDefinition.json file and select Copy from the pop-up menu.
Select the ISIM Custom UI bookmark again and open the config folder.
Right-click inside the folder and select Paste from the pop-up menu. A copy of the ActionDefinition.json
file should be created.
Open the copied ActionDefinition.json file and locate the SVCENTER_REQUEST_ACCESS_FOR_MYSELF_AND_OTHERS
action. Its basePersonFilter is empty, so no restriction is applied to the user search:
"SVCENTER_REQUEST_ACCESS_FOR_MYSELF_AND_OTHERS": {
"actionType": "CreateFlow",
"urlHash": "requestAccessForMyselfAndOthers",
"properties": {
"widgetPath": "com/ibm/isim/ui/util/uiflow/requestaccess/RequestAccessFlow",
"widgetArgs": {
"basePersonFilter": "",
"flowType": "both"
Set basePersonFilter to an LDAP filter that excludes executives:
"SVCENTER_REQUEST_ACCESS_FOR_MYSELF_AND_OTHERS": {
"actionType": "CreateFlow",
"urlHash": "requestAccessForMyselfAndOthers",
"properties": {
"widgetPath": "com/ibm/isim/ui/util/uiflow/requestaccess/RequestAccessFlow",
"widgetArgs": {
"basePersonFilter": "(jk-isexecutive=false)",
"flowType": "both"
In order for this filter to work the connecting user must have authority (via ISIM ACIs) to read any
attributes used here on all users that they need to see. An ACI was added to the Sandbox
environment to allow this.
Log back into the Identity Service Center using joe and Passw0rd.
Joe can no longer see any executive users (or the System Administrator since that user doesn't have a jk-
isexecutive attribute)
In Nautilus, select the ISIM Custom UI bookmark, open the config folder and open the customised
ActionDefinition.json file again. Try changing basePersonFilter to a filter that uses a substitution variable:
(|(jk-isexecutive=false)(jk-isexecutive=${systemUser.owner.jk-isexecutive}))
Log back into the Identity Service Center using joe and Passw0rd.
Click Request Access and scroll to the bottom of the user list.
Currently this is not working - the system doesn't recognise the "owner" relationship modifier.
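The behaviour seen above (executives hidden, and the System Administrator hidden too because the entry has no jk-isexecutive attribute) follows from plain LDAP filter semantics, and the substitution attempt is the kind of place where a value copied into a filter has to be escaped. The script below is an added example for this lab, not IBM code and not the evaluator ISIM uses: a minimal RFC 4515 evaluator for the operators the lab's filters use (equality, presence, &, |, !) run over a few constructed person entries. It shows which users each filter leaves visible, how to keep users that lack the attribute, and what an unescaped "*" does when substituted into a filter.

```python
"""Evaluate Identity Service Center basePersonFilter expressions offline.

Added example for this lab, not IBM code. The entries below are constructed;
attribute names follow the lab. 'sysadmin' deliberately has no
jk-isexecutive attribute, like the System Administrator in the lab.
"""
import re

PEOPLE = {
    "joe": {"cn": ["Joe Bloggs"], "departmentnumber": ["SUP"], "jk-isexecutive": ["false"]},
    "ann": {"cn": ["Ann Wu"], "departmentnumber": ["MKT"], "jk-isexecutive": ["false"]},
    "ceo": {"cn": ["Chris Exec"], "departmentnumber": ["MSS"], "jk-isexecutive": ["true"]},
    "sysadmin": {"cn": ["System Administrator"]},
}


def _unescape(value):
    """Turn RFC 4515 '\\xx' hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_value(value):
    """Escape a value before placing it inside an LDAP filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse '(attr=value)', '(&...)', '(|...)', '(!...)' into a nested tuple AST."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children)
        end = text.index(")", pos)            # an escaped ')' is '\29', so this is safe
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad simple filter %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.lower(), value)

    ast = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return ast


def matches(ast, entry):
    """Evaluate the AST against one entry (dict of lower-case attr -> list of values)."""
    op = ast[0]
    if op == "&":
        return all(matches(c, entry) for c in ast[1])
    if op == "|":
        return any(matches(c, entry) for c in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, value = ast
    present = entry.get(attr, [])
    if value == "*":                          # presence test: attribute has any value
        return bool(present)
    wanted = _unescape(value).lower()         # equality test, case-insensitive like most LDAP
    return any(v.lower() == wanted for v in present)


def visible_users(filter_text, people=PEOPLE):
    """Sorted uids a Request Access search would list under the given filter."""
    ast = parse_filter(filter_text)
    return sorted(uid for uid, entry in people.items() if matches(ast, entry))


if __name__ == "__main__":
    print(visible_users("(jk-isexecutive=false)"))                          # sysadmin dropped
    print(visible_users("(|(jk-isexecutive=false)(!(jk-isexecutive=*)))"))  # sysadmin kept
    hostile = "*"   # a value taken unescaped from a user-controlled attribute
    print(visible_users("(|(jk-isexecutive=false)(departmentnumber=%s))" % hostile))
    print(visible_users("(|(jk-isexecutive=false)(departmentnumber=%s))" % escape_value(hostile)))
```

The second filter is the one to use if users without the attribute should stay visible; the last two lines show that a raw "*" turns an equality test into a presence test and widens the result set, while the escaped value matches nothing. The ACI requirement from the lab still applies to any attribute the filter names.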
The Person.json file controls what is shown on the user cards and lists in the Identity Service Center. It
has already been customized in this system, so let's have a look at the customized file and make some
changes of our own.
Open root Nautilus and select the ISIM Custom UI bookmark in the root Nautilus window.
Open the config folder and then open the Person.json file.
The file has two parts - one which describes the content shown in grid format (cards) and the other which
shows the content shown in a list format. The JSON within these parts is the same so we'll concentrate
on the grid.
The first section describes the primary identifier for the user.
{
"grid": {
"card": {
"primary": {
"attribute": {
"default": "name",
"Person" : "CN",
"BPPerson" : "CN"
},
"sort": {
"enabled": true,
"labelKey": "name"
}
},
Within the section the attribute to be used is specified for each user type. The attribute associated with
default is used when the user type is not listed.
Most users in our system have type JKPerson. That is not listed so the default attribute (name) will be
used. Also note that name maps to inetOrgPerson givenname attribute.
The sort section allows sorting by the attribute to be enabled or disabled. If sorting is allowed then the
label identifier to be used in the sorting selector is also specified here.
The text for the sorting label is defined in the Picker_xx.properties files under the nls directory.
The next section identifies the secondary user identifier. It has the same format as the primary so is not
repeated here.
The third section identifies additional information to be shown on the card. An array of attributes is
specified for each user type. These are all shown on the user card but cannot be sorted:
"tertiary": {
"attributes": {
"default": [
"title"
],
"BPPerson":["ersponsor.name"]
}
},
You can see that in this system the default is to show just the user's job title here.
The final section determines which attribute contains the URL of the user's image. As we'll see in a
minute this attribute may not actually come from LDAP.
OK, now make the following changes in the grid section of the file:
{
"grid": {
"card": {
"primary": {
"attribute": {
"default": "mail",
"Person" : "mail",
"BPPerson" : "mail"
},
"sort": {
"enabled": true,
"labelKey": "email"
}
},
"secondary": {
"attribute": {
"default": "name"
},
"sort": {
"enabled": true,
"labelKey": "name"
}
},
"tertiary": {
"attributes": {
"default": [
"title" , "departmentnumber"
],
"BPPerson":["ersponsor.name"]
Log in to the Identity Service Center using joe and Passw0rd, and select the Request Access task. Note
how the e-mail sort option and the departmentnumber attribute are labelled before any label text is added.
Add the following label entries:
EMAIL=E-Mail
DEPARTMENTNUMBER=Dept
Log back into the Identity Service Center again (as Joe) and select the Request Access task again.
The E-mail sort identifier now shows correctly and departmentnumber is now shown as Dept:
Individual attribute values can also be given display text. Add the following mappings for the
departmentnumber values:
departmentnumber.MSS=Management
departmentnumber.MKT=Marketing
departmentnumber.SUP=Support
Log back into the Identity Service Center again (as Joe) and select the Request Access task again.
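The Person.json rules described above (a per-user-type attribute map with a default fallback, sortable primary and secondary identifiers, a list of tertiary attributes) together with the attribute labels and value mappings just added can be exercised outside the product. The script below is an added example for this lab, not IBM code: it renders a card for a JKPerson and a BPPerson from a constructed grid configuration. Two things it does are assumptions rather than documented behaviour: attribute labels are looked up by the upper-cased attribute name (the lab shows EMAIL and DEPARTMENTNUMBER keys but not the lookup rule), and a dotted attribute such as ersponsor.name is walked through a nested dictionary. The configuration, people and labels are constructed.

```python
"""Render a Request Access user card from a Person.json 'grid' section.

Added example for this lab, not IBM code. Assumptions: labels are keyed by the
upper-cased attribute name; a dotted attribute is walked through nested dicts.
"""
import json

# Constructed configuration in the shape of the lab's edited Person.json grid section.
CARD_JSON = json.loads("""{
  "grid": {"card": {
    "primary":   {"attribute": {"default": "mail"},
                  "sort": {"enabled": true, "labelKey": "email"}},
    "secondary": {"attribute": {"default": "name"},
                  "sort": {"enabled": true, "labelKey": "name"}},
    "tertiary":  {"attributes": {"default": ["title", "departmentnumber"],
                                 "BPPerson": ["ersponsor.name"]}}
  }}
}""")

# Constructed label entries: attribute labels plus departmentnumber value mappings.
LABELS = {"EMAIL": "E-Mail", "NAME": "Name", "TITLE": "Title",
          "DEPARTMENTNUMBER": "Dept", "ERSPONSOR.NAME": "Sponsor",
          "departmentnumber.MSS": "Management", "departmentnumber.MKT": "Marketing",
          "departmentnumber.SUP": "Support"}

# Constructed people; JKPerson is not listed in the config so it takes the defaults.
PEOPLE = [
    {"type": "JKPerson", "name": "Joe Bloggs", "mail": "joe@jke.test",
     "title": "Help Desk", "departmentnumber": "SUP"},
    {"type": "BPPerson", "name": "Pat Partner", "mail": "pat@partner.example",
     "ersponsor": {"name": "Joe Bloggs"}},
]


def attribute_for(section, person_type):
    """Single attribute for this user type, falling back to 'default'."""
    mapping = section["attribute"]
    return mapping.get(person_type, mapping["default"])


def attributes_for(section, person_type):
    """Attribute list for this user type, falling back to 'default'."""
    mapping = section["attributes"]
    return mapping.get(person_type, mapping["default"])


def lookup(person, dotted):
    """Walk 'a.b' through nested dicts; a missing attribute renders as ''."""
    value = person
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return ""
        value = value[part]
    return value


def display_value(attr, value, labels):
    """Apply an 'attr.VALUE=Text' mapping when one exists."""
    return labels.get(f"{attr}.{value}", value)


def render_card(card, person, labels):
    """Return what the card would show: identifiers, detail rows, sort options."""
    t = person["type"]
    primary = attribute_for(card["primary"], t)
    secondary = attribute_for(card["secondary"], t)
    out = {
        "primary": display_value(primary, lookup(person, primary), labels),
        "secondary": display_value(secondary, lookup(person, secondary), labels),
        "details": [],
        "sort_options": [],
    }
    for attr in attributes_for(card["tertiary"], t):
        label = labels.get(attr.upper(), attr)          # raw key when no label exists
        out["details"].append((label, display_value(attr, lookup(person, attr), labels)))
    for section in ("primary", "secondary"):
        sort = card[section]["sort"]
        if sort.get("enabled"):
            key = sort["labelKey"]
            out["sort_options"].append(labels.get(key.upper(), key))
    return out


if __name__ == "__main__":
    card = CARD_JSON["grid"]["card"]
    for person in PEOPLE:
        print(render_card(card, person, LABELS))
    print(render_card(card, PEOPLE[0], {})["sort_options"])   # raw keys when labels are missing
```

Rendering with an empty label dictionary reproduces what the lab saw before EMAIL and DEPARTMENTNUMBER were added: the raw label keys appear in the sort selector and on the card.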
In some cases, the URI for a user's image may be predictable - based on some other attributes and so,
rather than specifically setting the image URI for every user, it can be specified as an Extension Attribute.
Use the ISIM Data bookmark in the Nautilus window to open /opt/IBM/isim/data. Locate the file
enroleExtensionAttributes.properties and double-click to open it.
The files in this directory are marked as executable, so Nautilus asks what to do with the file; choose to
display it rather than run it.
This file specifies that the out-of-the-box attribute extension is being used:
person.extension.classname = com.ibm.itim.dataservices.extensions.plugins.PersonExtensionPlugin
A custom plug-in can also be used here if you need to generate image URIs in some other way.
Let's have a look at the configuration for the default plug-in. Locate the following section of the file:
We can see from this configuration that image files are being loaded from within the context of the Identity
Service Center application, and that the filename is being dynamically generated from the uid parameter
of the person.
The /itim/ui/custom/ui directory is mapped to the following directory on the file system:
<ISIM WAS profile>/config/cells/localNode01Cell/itim/custom/ui/ so we would
expect to find the image files for this system here. Let's take a look.
Open the userImages folder and, as expected, you'll see the images.
Other images (for custom logos and application icons etc.) can be loaded to this filesystem to support
other customisation. Note that because this directory is under the WAS cell configuration directory it
will be synchronised from the Deployment Manager to all cell members.