CA Identity Manager Implementation Guide - CA Technologies

More documents

Recommendations

Info

Task Optimizations■A user accesses a relationship tabA relationship tab is any tab where a user can view or manage aone-to-many relationship between the task's subject and a set ofentitlements. An example of a relationship tab is the Admin Roles tab, whichdisplays the roles that a user has.■A user adds objects on a relationship tabFor example, Identity Manager performs additional security checks when auser adds additional roles to another user on the Admin Roles tab.Task performance is affected by the following:■■Task scope, which determines where an administrator can use a taskRelationship tabs, which display an object's relationship to other objectsTask Scope Evaluation and PerformanceWhen an administrator uses an admin task that involves searching for amanaged object, such as a user, group, organization, task, or role, IdentityManager evaluates and applies task scope rules. These rules can significantlyimpact the amount of time Identity Manager takes to display the list of objects toselect for the task.Note: Unlike member, admin, and owner policy evaluations, information aboutscope rule evaluations is not stored in a cache.Task scope is determined by the following:■■■The type of object that the task manages.Scope rules that apply to the admin role that includes the task. Scope rulesare defined in member, owner, and admin policies.Any user-defined search criteria.For example, consider a Modify User task, which is included in the User Managerrole. The User Manager role has a member policy with a scope rule that allowsUser Managers to manage users in the Employees organization. An administratoropens the Modify User task and enters the search criteria: Last Name starts withA. In this case, the scope for the Modify User task is all users in the Employeesorganization whose last name starts with A.How Identity Manager Renders Relationship TabsA relationship tab allows users to view and manage the relationship that a task'ssubject has with a set of entitlements. For example, the Provisioning Roles tabshows the provisioning roles that a user has.78 Implementation Guide
Task OptimizationsTo determine the objects that appear on a relationship tab, CA Identity Managerperforms numerous security evaluations, which can significantly impactperformance.The following example shows the steps that CA Identity Manager takes to renderthe Provisioning Roles tab:1. An administrator clicks the Provisioning Roles tab in the Modify User task.2. CA Identity Manager retrieves the provisioning roles where the selected useris a member.3. If the tab is configured to allow management of role administrators, CAIdentity Manager makes a second call to retrieve the list of provisioning roleswhere the selected user is an administrator.4. CA Identity Manager evaluates each provisioning role that the user has tosee if the administrator who initiated the task can manage membership forthat role.If the administrator can manage role members, CA Identity Managerdisplays an active check box in the Membership column for that role in thelist of roles on the tab.5. CA Identity Manager evaluates each provisioning role that the user has tosee if the administrator who initiated the task can manage administrativerights for that role.If the administrator can manage administrative rights, CA Identity Managerdisplays an active check box in the Administrator column for that role in thelist of roles on the tab.CA Identity Manager must complete steps 2-5 to display the provisioningroles the user currently has. If the administrator needs to assign a newprovisioning role, the following additional steps are required.6. The administrator clicks the Add button to locate new provisioning roles toassign.7. CA Identity Manager displays a search screen that the administrator can useto search for the role to add.8. The administrator enters a search filter to find the role to add.9. CA Identity Manager returns the list of provisioning roles that meet followingcriteria:■■■■The roles match the search filter entered by the administrator.The administrator can manage membership for the roles.The user is in the administrative scope of the administrator for the roles.The user does not already have the provisioning roles.10. CA Identity Manager repeats step 9 to determine the roles where theadministrator can manage administrative privileges.Chapter 6: Optimizing Identity Manager 79
Page 1 and 2:
CA Identity ManagerImplementation G
Page 3:
CA Product ReferencesThis document
Page 7 and 8:
Task Processing and Performance ...
Page 9 and 10:
Chapter 1: Managing Identities andA
Page 11 and 12:
Admin Roles for User Account Manage
Page 13 and 14:
Admin Roles for User Account Manage
Page 15 and 16:
Password ManagementThe account temp
Page 17 and 18:
CA RCM Integration■■Notificatio
Page 19:
CA Enterprise Log Manager Integrati
Page 22 and 23:
Complying with Business PoliciesThe
Page 24 and 25:
Complying with Business PoliciesRep
Page 26 and 27:
Transforming Data in the User Store
Page 28 and 29: Approving Business ChangesBusiness
Page 31 and 32: Chapter 3: Identity ManagerArchitec
Page 33 and 34: Identity Manager ComponentsFor exam
Page 35 and 36: Identity Manager ComponentsWhen you
Page 37 and 38: Identity Manager ComponentsCertain
Page 39 and 40: Identity Manager ComponentsWorkPoin
Page 41: Sample CA Identity Manager Installa
Page 44 and 45: Decide What to ManageHow to Configu
Page 46 and 47: Decide What to ManageAccount Templa
Page 48 and 49: Determine Audit RequirementsYou vie
Page 50 and 51: Decide User Store RequirementsCapab
Page 52 and 53: Decide Hardware RequirementsDecide
Page 54 and 55: Choose a Method to Import UsersAddi
Page 56 and 57: Choose a Method to Import UsersExec
Page 58 and 59: Develop a Deployment PlanSynchroniz
Page 60 and 61: Develop a Deployment PlanTo deploy
Page 62 and 63: Develop a Deployment PlanEnvironmen
Page 65 and 66: Chapter 5: Integrating with SiteMin
Page 67: Password Policies with SiteMinderCA
Page 70 and 71: Role OptimizationsRole Optimization
Page 72 and 73: Role OptimizationsObjectTypeBaseObj
Page 74 and 75: Role Optimizations■■Tune the us
Page 76 and 77: Role OptimizationsTo limit the numb
Page 80 and 81: Task OptimizationsRelationship Tabs
Page 82 and 83: Task OptimizationsGuidelines for Op
Page 84 and 85: Guidelines for Group Member\Adminis
Page 86 and 87: Identity Policy Optimizations■An
Page 88 and 89: Identity Policy OptimizationsLimit
Page 90 and 91: Tuning for Provisioning ComponentsC
Page 92 and 93: Runtime Components TuningIdentity M
Page 94 and 95: Runtime Components TuningTuning JMS
Page 97 and 98: Chapter 7: Creating a Disaster Reco
Page 99 and 100: Define Disaster Recovery Requiremen
Page 101 and 102: Develop Backup PlansMulti-Site Conn
Page 103 and 104: Develop Restore ProceduresComponent
Page 105 and 106: Develop Restore ProceduresRestore C
Page 107 and 108: Test the Recovery PlanTest the Fail
Page 109 and 110: Chapter 8: Transitioning From eTrus
Page 111 and 112: eTrust Admin Management Interfacese
Page 113 and 114: Batch Processing in Identity Manage
Page 115: Next Steps■etautilYou use the eta
Page 118 and 119: How Role Evaluation Affects Perform
show all

CA Identity Manager Implementation Guide - CA Technologies

Create successful ePaper yourself

Delete template?

Save as template?