CA Identity Manager Implementation Guide - CA Technologies

More documents

Recommendations

Info

Role OptimizationsRole OptimizationsIdentity Manager includes three types of roles:■Admin rolesDetermine the privileges a user has in the User Console.When a user logs into an Identity Manager environment, the user's accounthas one or more admin roles. Each admin role contains tasks, such as CreateUser, that a user can complete in that Identity Manager environment. Theadmin roles that a user has determine the presentation of the User Console,therefore users see only the tasks that are associated with their roles.■Provisioning rolesGive users accounts in managed endpoints, such as an email system.■Access rolesOffer an additional way to provide entitlements in Identity Manager.Roles include policies that determine the following:■■■Who can use the role (for admin and access roles only) and where they canuse itWho can manage role members and administratorsWho can modify the role definitionEvaluating roles and their associated privileges can have a significant impact onIdentity Manager performance.How Role Evaluation Affects Performance at LoginWhen an Identity Manager user attempts to log into the User Console, thefollowing actions occur:1. Identity Manager prompts the user to supply credentials, such as a username and password.2. The user's credentials are authenticated using one of the following methods:■■Identity Manager native authenticationSiteMinder authentication, if the Identity Manager implementationincludes SiteMinder70 Implementation Guide
Role Optimizations3. Identity Manager evaluates every member policy for every admin role in theenvironment to determine which admin roles apply to the user.Note: This evaluation occurs only once for a given user. After the initialevaluation, Identity Manager caches the results. Identity Manager uses thecached information until a change occurs to the user or to the set of memberpolicies, which causes Identity Manager to refresh the information in thecache.4. The Identity Manager User Console displays the categories that the user canview based on his roles.This process occurs for every user that logs into the User Console. If an IdentityManager environment contains a large number of roles, or inefficient memberpolicies, role membership evaluation can significantly impact performance. Inthis case, the initial screen that users see when they log into the User Consolemay display slowly.Note: Identity Manager does not need to evaluate member policies when a useraccesses a public task to self-register or to request a forgotten password. Inthese cases, Identity Manager does not need a list of the user's roles because itdoes not display the complete User Console.Role Objects and PerformanceTo support each role, Identity Manager creates a number of objects in theIdentity Manager object store (see page 34), depending on the roleconfiguration.Identity Manager creates one base object for each role. In addition to the baseobject, Identity Manager creates two objects for each member, admin, andowner policy rule (see page 73), and two objects for each scope rule. The ruleobjects include:■Rule definition objectContains metadata about the rule, such as rule type■Rule data objectContains the expression to be evaluatedThe following table illustrates the objects created for a single admin role.ObjectTypeBaseObjectMember PolicyObjectsAdmin PolicyObjectsOwnerPolicyObjectsAdminRole1 Member rules: 2 (1rule definition objectAdmin rule: 2 (1 ruledefinition object andOwner rule:2 (1 ruleChapter 6: Optimizing Identity Manager 71
Page 1 and 2:
CA Identity ManagerImplementation G
Page 3:
CA Product ReferencesThis document
Page 7 and 8:
Task Processing and Performance ...
Page 9 and 10:
Chapter 1: Managing Identities andA
Page 11 and 12:
Admin Roles for User Account Manage
Page 13 and 14:
Admin Roles for User Account Manage
Page 15 and 16:
Password ManagementThe account temp
Page 17 and 18:
CA RCM Integration■■Notificatio
Page 19: CA Enterprise Log Manager Integrati
Page 22 and 23: Complying with Business PoliciesThe
Page 24 and 25: Complying with Business PoliciesRep
Page 26 and 27: Transforming Data in the User Store
Page 28 and 29: Approving Business ChangesBusiness
Page 31 and 32: Chapter 3: Identity ManagerArchitec
Page 33 and 34: Identity Manager ComponentsFor exam
Page 35 and 36: Identity Manager ComponentsWhen you
Page 37 and 38: Identity Manager ComponentsCertain
Page 39 and 40: Identity Manager ComponentsWorkPoin
Page 41: Sample CA Identity Manager Installa
Page 44 and 45: Decide What to ManageHow to Configu
Page 46 and 47: Decide What to ManageAccount Templa
Page 48 and 49: Determine Audit RequirementsYou vie
Page 50 and 51: Decide User Store RequirementsCapab
Page 52 and 53: Decide Hardware RequirementsDecide
Page 54 and 55: Choose a Method to Import UsersAddi
Page 56 and 57: Choose a Method to Import UsersExec
Page 58 and 59: Develop a Deployment PlanSynchroniz
Page 60 and 61: Develop a Deployment PlanTo deploy
Page 62 and 63: Develop a Deployment PlanEnvironmen
Page 65 and 66: Chapter 5: Integrating with SiteMin
Page 67: Password Policies with SiteMinderCA
Page 72 and 73: Role OptimizationsObjectTypeBaseObj
Page 74 and 75: Role Optimizations■■Tune the us
Page 76 and 77: Role OptimizationsTo limit the numb
Page 78 and 79: Task Optimizations■A user accesse
Page 80 and 81: Task OptimizationsRelationship Tabs
Page 82 and 83: Task OptimizationsGuidelines for Op
Page 84 and 85: Guidelines for Group Member\Adminis
Page 86 and 87: Identity Policy Optimizations■An
Page 88 and 89: Identity Policy OptimizationsLimit
Page 90 and 91: Tuning for Provisioning ComponentsC
Page 92 and 93: Runtime Components TuningIdentity M
Page 94 and 95: Runtime Components TuningTuning JMS
Page 97 and 98: Chapter 7: Creating a Disaster Reco
Page 99 and 100: Define Disaster Recovery Requiremen
Page 101 and 102: Develop Backup PlansMulti-Site Conn
Page 103 and 104: Develop Restore ProceduresComponent
Page 105 and 106: Develop Restore ProceduresRestore C
Page 107 and 108: Test the Recovery PlanTest the Fail
Page 109 and 110: Chapter 8: Transitioning From eTrus
Page 111 and 112: eTrust Admin Management Interfacese
Page 113 and 114: Batch Processing in Identity Manage
Page 115: Next Steps■etautilYou use the eta
Page 118 and 119: How Role Evaluation Affects Perform
show all

CA Identity Manager Implementation Guide - CA Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?