The default tasks, which CA IdentityMinder deploys when you create a CA IdentityMinder environment, are configured to support a wide range of administration use cases. Most CA IdentityMinder implementations do not require all of the functionality provided in the default tasks. After creating a CA IdentityMinder environment, modify these tasks to suit specific administration needs.
The following steps provide guidelines for modifying tasks:
The default Create User, Modify User, and View User tasks provide full administrative capabilities. In most implementations, only a small number of administrators need all of the available capabilities.
Create new tasks that include only the required capabilities. For example, if most user management tasks involve only profile and group management, create a new Modify User task that includes only the Profile and Group tabs. Remove the Admin Roles, Access Roles, and Provisioning Roles tabs, which are available in the default Modify User task.
Unused tabs can cause significant overhead if they are left in frequently used tasks. This is especially true when using a Task Execution Web Service (TEWS) client, where these tabs may be inadvertently activated through the tab Java class, which is provided with CA IdentityMinder.
The specialized tasks that you create should match the delegated administration model that you defined for your environment.
By default, all relationship tabs provide the ability to manage administrative rights for the object that the tab manages, such as roles and groups. Most implementations do not need to provide this functionality to administrators.
To eliminate the additional overhead that occurs when CA IdentityMinder evaluates administrative rights, clear the Manage Administrators option on the following tabs, if this functionality is not required:
To enable users to manage administrative rights on specific tabs, create copies of the default tabs, enable the Manage Administrators option, and disable the Manage Members option. Add the new tabs to specialized tasks, which are only used by the administrators who need them.
You can configure each role tab to include searches that allow administrators to specify criteria for new roles to assign to a user. Role searches limit the number of member and admin policy rules that CA IdentityMinder must evaluate to determine which roles an administrator can assign to a user.
For each CA IdentityMinder task, you can specify a user synchronization option, which synchronizes users with identity policies, and a provisioning account synchronization option, which synchronizes users with provisioned accounts. The options enable you to synchronize users when a task completes, or when an event completes.
To eliminate evaluation and processing time, set the synchronization to occur when a task completes, instead of when events complete.
Copyright © 2013 CA.
All rights reserved.