CA Identity Manager Implementation Guide - CA Technologies

More documents

Recommendations

Info

Task OptimizationsGuidelines for Optimizing TasksThe default tasks, which Identity Manager deploys when you create an IdentityManager environment, are configured to support a wide range of administrationuse cases. Most Identity Manager implementations do not require all of thefunctionality provided in the default tasks. After creating an Identity Managerenvironment, modify these tasks to suit specific administration needs.The following steps provide guidelines for modifying tasks:■Create specialized user management tasksThe default Create User, Modify User, and View User tasks provide fulladministrative capabilities. In most implementations, only a small number ofadministrators need all of the available capabilities.Create new tasks that include only the required capabilities. For example, ifmost user management tasks involve only profile and group management,create a new Modify User task that includes only the Profile and Group tabs.Remove the Admin Roles, Access Roles, and Provisioning Roles tabs, whichare available in the default Modify User task.Unused tabs can cause significant overhead if they are left in frequently usedtasks. This is especially true when using a Task Execution Web Service(TEWS) client, where these tabs may be inadvertently activated through thetab java class, which is provided with Identity Manager.The specialized tasks that you create should match the delegatedadministration model (see page 63) that you defined for your environment.■Disable Manage Administrators in relationship tabsBy default, all relationship tabs provide the ability to manage administrativerights for the object that the tab manages, such as roles and groups. Mostimplementations do not need to provide this functionality to administrators.To eliminate the additional overhead that occurs when Identity Managerevaluates administrative rights, clear the Manage Administrators option onthe following tabs, if this functionality is not required:■■■■Admin RolesProvisioning RolesAccess RolesGroupsTo enable users to manage administrative rights on specific tabs, createcopies of the default tabs, enable the Manage Administrators option, anddisable the Manage Members option. Add the new tabs to specialized tasks,which are only used by the administrators who need them.82 Implementation Guide
Guidelines for Group Member\Administrator Optimizations■Enable scoped searches in role relationship tabsYou can configure each role tab to include searches that allow administratorsto specify criteria for new roles to assign to a user. Role searches limit thenumber of member and admin policy rules that Identity Manager mustevaluate to determine which roles an administrator can assign to a user.■Set task synchronization optionsFor each Identity Manager task, you can specify a user synchronizationoption, which synchronizes users with identity policies, and a provisioningaccount synchronization option, which synchronizes users with provisionedaccounts. The options enable you to synchronize users when a taskcompletes, or when an event completes.To eliminate evaluation and processing time, set the synchronization tooccur when a task completes, instead of when events complete.Guidelines for Group Member\Administrator OptimizationsTo improve performance of searches for group members and administrators,consider the following:■Define well-known attributes in the directory configuration file(directory.xml), which describes the user store structure and contents toIdentity Manager.A well-known attribute is an attribute that has a special meaning in IdentityManager.To improve group member\administrator searches, define the followingwell-known attributes for the user object:%MEMBER_OF%Identifies an attribute on the user object that stores a list of groupswhere the user is a member.When defined, this attribute can prevent Identity Manager fromsearching all of the members in all of the groups in the user store. Groupsearches can significantly affect performance in very large groups.%ADMINISTRATOR_OF%Identifies an attribute on the user object that stores a list of groupswhere the user is an administrator.Like the %MEMBER_OF% attribute, this well-known attribute caneliminate lengthy group searches.■Specify the Group Type in the directory configuration fileIdentity Manager supports three types of groups: standard groups, nestedgroups, and dynamic groups.Chapter 6: Optimizing Identity Manager 83
Page 1 and 2:
CA Identity ManagerImplementation G
Page 3:
CA Product ReferencesThis document
Page 7 and 8:
Task Processing and Performance ...
Page 9 and 10:
Chapter 1: Managing Identities andA
Page 11 and 12:
Admin Roles for User Account Manage
Page 13 and 14:
Admin Roles for User Account Manage
Page 15 and 16:
Password ManagementThe account temp
Page 17 and 18:
CA RCM Integration■■Notificatio
Page 19:
CA Enterprise Log Manager Integrati
Page 22 and 23:
Complying with Business PoliciesThe
Page 24 and 25:
Complying with Business PoliciesRep
Page 26 and 27:
Transforming Data in the User Store
Page 28 and 29:
Approving Business ChangesBusiness
Page 31 and 32: Chapter 3: Identity ManagerArchitec
Page 33 and 34: Identity Manager ComponentsFor exam
Page 35 and 36: Identity Manager ComponentsWhen you
Page 37 and 38: Identity Manager ComponentsCertain
Page 39 and 40: Identity Manager ComponentsWorkPoin
Page 41: Sample CA Identity Manager Installa
Page 44 and 45: Decide What to ManageHow to Configu
Page 46 and 47: Decide What to ManageAccount Templa
Page 48 and 49: Determine Audit RequirementsYou vie
Page 50 and 51: Decide User Store RequirementsCapab
Page 52 and 53: Decide Hardware RequirementsDecide
Page 54 and 55: Choose a Method to Import UsersAddi
Page 56 and 57: Choose a Method to Import UsersExec
Page 58 and 59: Develop a Deployment PlanSynchroniz
Page 60 and 61: Develop a Deployment PlanTo deploy
Page 62 and 63: Develop a Deployment PlanEnvironmen
Page 65 and 66: Chapter 5: Integrating with SiteMin
Page 67: Password Policies with SiteMinderCA
Page 70 and 71: Role OptimizationsRole Optimization
Page 72 and 73: Role OptimizationsObjectTypeBaseObj
Page 74 and 75: Role Optimizations■■Tune the us
Page 76 and 77: Role OptimizationsTo limit the numb
Page 78 and 79: Task Optimizations■A user accesse
Page 80 and 81: Task OptimizationsRelationship Tabs
Page 84 and 85: Guidelines for Group Member\Adminis
Page 86 and 87: Identity Policy Optimizations■An
Page 88 and 89: Identity Policy OptimizationsLimit
Page 90 and 91: Tuning for Provisioning ComponentsC
Page 92 and 93: Runtime Components TuningIdentity M
Page 94 and 95: Runtime Components TuningTuning JMS
Page 97 and 98: Chapter 7: Creating a Disaster Reco
Page 99 and 100: Define Disaster Recovery Requiremen
Page 101 and 102: Develop Backup PlansMulti-Site Conn
Page 103 and 104: Develop Restore ProceduresComponent
Page 105 and 106: Develop Restore ProceduresRestore C
Page 107 and 108: Test the Recovery PlanTest the Fail
Page 109 and 110: Chapter 8: Transitioning From eTrus
Page 111 and 112: eTrust Admin Management Interfacese
Page 113 and 114: Batch Processing in Identity Manage
Page 115: Next Steps■etautilYou use the eta
Page 118 and 119: How Role Evaluation Affects Perform
show all

CA Identity Manager Implementation Guide - CA Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?