Configuration Guide › Identity Manager Environments › Create an Identity Manager Environment

Create an Identity Manager Environment

Identity Manager environments let you manage objects in a directory with a set of roles and tasks. Use the Identity Manager environment wizard to guide you through the steps to create an Identity Manager environment.

Note the following before creating an Identity Manager environment:

• If you are using an LDAP user store, and you configured a user container such as ou=People, in the directory configuration file (directory.xml) for your Identity Manager directory, verify that the users you select when you create the Identity Manager environment exist in that container. Selecting a user account that does not exist in the user container may cause failures.
• When you configure an Identity Manager environment to manage an LDAP user directory with a flat or flat user structure, the profile for the user that you select must include the organization to which the user belongs. To help ensure that the user’s profile is configured correctly, add the name of the user’s organization to the physical attribute that corresponds to the %ORG_MEMBERSHIP% well-known attribute in the directory.xml file. For example, when the physical attribute description is mapped to the %ORG_MEMBERSHIP% well-known attribute in the directory.xml file, and the user belongs to the Employees organization, the user’s profile should contain the attribute/value pair description=Employees.

To create an Identity Manager environment

1. If CA Identity Manager uses a cluster of Policy Servers, stop all but one Policy Server.
2. If you have a cluster of Identity Manager nodes, stop all but one Identity Manager node.
3. In the Management Console, click Environments.
4. Click New.

   The Identity Manager environment wizard opens.

5. Supply the following information:
   • Environment name

     Specifies a unique name for the environment

   • Description

     Describes the environment

   • Protected alias

     Specifies a unique name that is added to the URL for accessing protected tasks in the Identity Manager environment. For example, when the alias is employees, the URL for accessing the employee environment is http://myserver.mycompany.com/iam/im/employees

     Note: The alias is case sensitive and cannot contain spaces. We recommend using lowercase letters without punctuation or spaces when you specify the alias.

   • Base URL

     Specifies the URL for CA Identity Manager. Do not include the alias, for example, http://myserver.mycompany.com/iam/im.

     If you are using a Web Agent, the Base URL should be changed to reflect the URL of the Web Agent.

     Note: If you are using a Web Agent to protect Identity Manager resources, do not specify a port number in the Base URL field. If you are using a Web Agent and the Base URL contains a port number, the links to Identity Manager tasks will not work properly.

     For more information about protecting Identity Manager resources, see the Installation Guide for your application server.

     Click Next.

6. Select an Identity Manager directory to associate with the environment you are creating, and click Next.
7. When the Identity Manager environment supports provisioning, select the appropriate provisioning server to use.

   Note: You are not prompted to select a provisioning server if you selected a Provisioning directory as the Identity Manager directory.

8. Configure support for public tasks. Typically, these tasks are self-service tasks, such as self-registration or forgotten password tasks. Users do not need to log in to access public tasks.

   Note: To enable users to use self-service tasks, configure public task support.

   1. Specify a unique name that is added to the URL for accessing public tasks.

      Example: You would use the following URL to access the default self-registration task:

      http://myserver.mycompany.com/iam/im/alias/index.jsp?task.tag=SelfRegistration

      In this URL, alias is the unique name that you supply.

   2. Specify one of the following existing user accounts that will serve as the public user account. CA Identity Manager uses this account to allow unknown users to access public tasks without having to supply credentials.
      • LDAP users enter the unique identifier or relative DN of the public user account. This value must be mapped to the %USER_ID% well-known. For example, if the user’s DN is uid=Admin1, ou=People, ou=Employees, ou=NeteAuto, type Admin1.
      • Relational database users type the value that is mapped to the %USER_ID% well-known attribute in the directory configuration file, or the unique identifier for the user.

   Click Validate to view the user’s full identifier.

9. Select the tasks and roles to create for this environment. You can do the following:
   • Create default roles

     Creates a set of default tasks and roles that are initially available in the environment. Administrators can use these tasks and roles as templates for creating new tasks and roles in the User Console.

   • Create only the system manager role

     Creates only the System Manager role and the tasks associated with it.

     The System Manager role is required to access the environment.

     A System Manager can create new tasks and roles in the User Console.

   • Import roles from the file

     Imports a role definition file that you exported from another Identity Manager environment.

     Note: To use the Identity Manager environment, the role definitions file must include at least the System Manager role or a role that includes similar tasks.

     Select the Import roles from the file option button, and type the path and filename of the role definitions file or browse for the file to import.

10. Select Role Definitions files to create sets of default tasks for your environment, and click Next.

    Role Definitions files are XML files that define a set of tasks and roles required to support specific features. For example, if you need to manage Active Directory and UNIX NIS endpoints, select those Role Definitions files.

    Note: This step is optional. If you do not want to create additional default tasks to support new functionality, skip this screen.

11. Define a user to serve as the System Manager for this environment as follows:
    1. In the System Manager field, type the value that is mapped to the %USER_ID% well-known attribute in the directory configuration file, or specify one of the following user accounts:
       • LDAP users enter the unique identifier or relative DN of the user. For example, if the user’s DN is uid=Admin1, ou=People, ou=Employees, ou=NeteAuto, type Admin1.
       • Relational database users type the unique identifier for the user.
    2. Click Add.

       CA Identity Manager adds the complete identifier of the user to the list of users.

    3. Click Next.

    Note the following when specifying the System Manager:

    • The System Manager should not be the same user as the administrator of the user store.
    • You can specify multiple System Managers for the Environment; However, you can only specify the initial System Manager in the Management Console. To specify additional System Managers, assign the System Manager role to the appropriate users in the User Console.
12. In the Inbound Administrator field, specify an Identity Manager administrator account that can execute admin tasks that are mapped to inbound mappings.

    The user must be able to execute all those tasks on any user. The Provisioning Synchronization Manager role contains the provisioning tasks that are included in the default inbound mappings.

    A page summarizing the settings for the environment appears.

13. Review the settings for the environment. Click Previous to make changes or click Finish to create the Identity Manager environment with the current settings.

    The Environment Configuration Output screen displays the progress of the environment creation.

14. Click Continue to exit the Identity Manager environment wizard.
15. Start the Environment.
16. If you stopped any Policy Servers in Step 1, restart them now.