
F12
IBM Tivoli Identity Manager Best Practices
Thomas L. Brooks, PMP

San Francisco, CA

May 7-10, 2007

© IBM Corporation 2007


IBM Software Group | Tivoli software

Agenda
• Introduction
• Lifecycle of an ITIM Implementation Project
  – Prior to Project Start
  – Project Initiation and Planning
  – Project Execution, Control, and Closure
• Deployment Expectations and Pitfalls to Avoid
• Steady State Considerations
• Supplemental Materials
  – Component View vs. Logical View
  – Identity Management Pyramid
  – Best Practice Deployment Approach
  – Who Does What and When?
  – Steady State Backup


Introduction
What makes an ITIM Implementation different?
• Complexity of identity management business needs
• Required level of commitment from the customer
• Misconceptions about the ITIM solution
• Range of skills needed to implement an ITIM solution
• Limited pool of experienced ITIM solution implementers
• Maturity of the ITIM solution


Introduction (cont.)
What skills, knowledge, and experience does an ITIM implementer need?
• Possess a working knowledge of the product itself, the middleware components of the solution, and the foundational skills needed to install and configure it
• Know what tools, templates, and other intellectual capital are available for ITIM solutions and learn how to use them properly
• Know who the contacts are in various IBM organizations and teams to get help when you need it
• Strongly recommend participating in at least one ITIM implementation being managed or led by an experienced resource before attempting one on your own
• Must have good negotiating skills for expectation and satisfaction management and for getting and holding on to the resources you need
• Must have a strong project manager

Lifecycle of an ITIM Implementation Project
Prior to Project Start
• The timeframe before the software is sold and/or before a contract for services is signed when the team is supporting the sales cycle and helping to close the deal.
• Focus is on gathering information to produce scope, cost, and time estimates and setting expectations.
Project Initiation and Planning
• The timeframe between the signing of a contract for services and the establishment of a baseline project plan.
• Focus is on establishing the project team and assessing and/or resetting expectations as needed to get the project started properly.
Project Execution, Control, and Closure
• The timeframe following the establishment of a baseline project plan when the work of the project is proceeding and the change control and issues management processes are being executed through the controlled closure of the project.
• Focus is on monitoring the status of project activities, taking corrective action as needed, and leading the team through the successful implementation of the ITIM solution to meet the business needs.

Prior to Project Start
Understanding Requirements
• Several key high level questions must be addressed
  – Do you have clear business needs and goals?
  – Does the responsibility for achieving these goals rest with a specific group?
  – How does the identity management business need fit into the “big picture”?
  – What are the “real” constraints that will affect the implementation?
• Most customers will not have all the answers at this point
• Drive information gathering to be specific and focus on the critical areas
• Take advantage of tools, templates, and other intellectual capital available

Prior to Project Start (cont.)
Setting Expectations
• This timeframe is when you have the most power to shape perceptions
• Guide the stakeholders towards a phased implementation
• Look for opportunities to create some early “wins”
• Try to avoid full scale implementation and/or customization in the first phase
• You can’t win them all – when you don’t, document thoroughly
• Improper expectations can disrupt every aspect of an implementation

Prior to Project Start (cont.)
Performing a Proof of Concept (PoC)
• Should be treated as a tool, not an exercise – use it to your advantage
• Limit scope to simple platforms, configs, and functions – no customizations!
• Ensure that very specific objectives are defined with completion criteria
• Stick to the basics – this is not the time to try new stuff or push the envelope
• Do not get held up by details – note questions and issues and move on
• Conclude with a demo to the key customer stakeholders – make it an event!
• A successful Proof of Concept does not need to eliminate all doubts or answer all questions – it just needs to reassure the stakeholders that it can work in their environment

Prior to Project Start (cont.)
ITIM Implementation Estimation and Sizing
• Time, Cost, Functionality
  – What is the timeline? Are there multiple phases? When are key milestones?
  – Will the services be time and materials or fixed price? What are the rates?
  – What will be in scope for each phase and overall?
• Resource Planning
  – What is the size and composition of the implementation team?
  – What resources will various stakeholders provide for the implementation?
• Hardware Sizing
  – What capacity does the solution need to accommodate?
• Defining Initial Architecture
  – Do you have enough info to define an initial architecture with stakeholder approval?
• Factor in all the information you have and allow for missing data
• Take advantage of tools, templates, and other intellectual capital available
• Have a more experienced implementer review estimates and discuss feedback

Prior to Project Start (cont.)
ITIM Implementation Statement of Work
• Scope
  – Be as specific and thorough as possible. This serves as the basis for all project activities. In the strictest sense, if it is not listed here, it should not be done without a formal change order.
• Responsibilities – both Contractor and Customer
  – Clearly define what the contractor project team will do versus what the customer project team will do.
• Deliverables and Completion Criteria
  – Make sure that all deliverables are concrete and specific and all completion criteria are finite and within your control.
• Assumptions
  – Use this section to cover any areas where you do not have enough information or where you want to confirm that your understanding of something matches other stakeholders’.
• Change Control and Issues Management Processes
  – Ensure that these sections are clearly defined and tailored to the specific project. Structure them so that they can be followed as a natural aspect of the implementation.
• Take advantage of tools, templates, and other intellectual capital available

Project Initiation and Planning
Before You Get Started on Project Tasks
• Understanding the History
  – Review everything that has taken place up to this point
  – You want to be prepared to be fully productive on the first day of the project
• Engaging the IBM Account Team or IBM Advocate
  – Especially important if they were not involved in the pre-sales activities
  – Involving them from the start improves your position when issues arise
• Securing Project Team Resources
  – You need to make sure you have the right resources with the right skills when you need them
  – Allow enough time for other commitments to be wrapped up before planning to have resources in place

Project Initiation and Planning (cont.)
Beginning Project Tasks
• Assessing Your Position
  – Especially critical if you were not involved in the pre-sales activities
  – Needs to be a natural part of the project startup
  – You need to make sure the stakeholders do not feel like they are rehashing
  – Should be comprehensive
• Resetting Expectations As Needed
  – Should be done as soon as you complete assessment of your position and have recommendations to present
  – Everyone who was involved in setting the original expectations needs to be part of resetting them
  – Make this a positive experience
• Developing the Initial Project Plan
  – Build this around key project milestones and keep it high level
  – Be sure to factor in all of the information you have available
  – Avoid allowing stakeholders to lock you into this initial plan – no commitments yet

Project Initiation and Planning (cont.)
Project Kickoff Meeting
• Should schedule during first two weeks of starting project, but not too soon!
• Critical that all key stakeholders participate in the meeting
• Use this as an opportunity to gauge stakeholder “investment” in the project
• Observe how the stakeholders interact with each other – look for the “power”
• Try to sense the internal politics – look for factions and try to discern their support of the project
• Seek additional information and details that you have not obtained yet
• Schedule follow up discussions with stakeholders as needed
• Be confident, but realistic and end the meeting on a positive note

Project Initiation and Planning (cont.)
Baselining the Project Plan
• Build on the initial project plan by applying what you learn from the project kickoff meeting and follow up discussions
• Do not make the project plan too detailed – some abstraction gives you flexibility to deal with minor events
• Solicit input from the whole team
• Avoid overloading resources right from the start
• Plan for unexpected delays and think about how tasks that are not on the critical path can be rearranged if necessary
• Finalize the project plan that you are confident you can meet and get the right stakeholder to sign it to indicate their acceptance. This is your baseline!

Project Initiation and Planning (cont.)
Initiating Change Control and Issues Management Processes
• Once you baseline the project plan, it is critical that you enforce the Change Control Process right from the start
• Make sure all of the project stakeholders are aware of these processes from the beginning
• The project manager is the judge of whether minor events or requests are adding up enough to have an impact on the baseline – if so, they should get a change request
• Thoroughly documented change requests and issues will help prevent drifting expectations and misunderstandings as the project proceeds
• The results of change requests are reflected as updated project plan baselines and the status of issues are reflected in a running issues log

Project Execution, Control, and Closure
Status Tracking and Reporting
• Plan to be engaged enough to keep track of everything going on
• Include the project manager in as many technical meetings and discussions as possible
• If your project manager is not busy with project management duties, they should spend time learning more about the product
• Your project manager should be positioned as the status reporting interface between your team and the other stakeholders
• Arrange status discussions and meetings for various audiences at regular intervals
• Your goal is to be prepared to respond to any question the stakeholders may pose at any time in a way that inspires confidence and the sense that everything is under control

Project Execution, Control, and Closure (cont.)
Ongoing Expectation Management
• Stakeholder expectations should be monitored constantly – assume nothing!
• Use status meetings and status reports to help guide expectations
• Be aware of how factors outside your project may be influencing stakeholder expectations
• Enlist the aid of resources who demonstrate a good understanding of the project scope and who are realistic and supportive of your plans
• Make sure that communication is occurring consistently with all levels of stakeholders
• Make a special effort to create and maintain an open channel of communication with the sponsor and/or executive management
• Enforce the change control and issues management processes

Project Execution, Control, and Closure (cont.)
Managing Changes and Issues and Avoiding CritSits
• Changes and issues are a natural aspect of the project – if it was easy, nobody would pay for consultants to do it!
• Be passionate, but not emotional when dealing with changes and issues
• Set a good example – be positive and keep morale up
• Even when the stakeholders are friendly and cooperative, document everything thoroughly
• Gather as much information as possible before contacting Technical Support
• Learn to escalate issues effectively – use it, but don’t abuse it
• Develop a network of “go to” people throughout the organization who you can turn to for assistance in dealing with stumbling blocks
• Being responsive and demonstrating progress can sometimes be the difference between a significant issue and a CritSit

Project Execution, Control, and Closure (cont.)
Preparing To Be Self Sufficient
• The overall objective in an ITIM implementation project is to obtain the maximum benefit from the solution you have invested in
• The quote, “Give a man a fish, you have fed him for today. Teach a man to fish, and you have fed him for a lifetime.” sums it up
• The preparation should begin from the first day of the project and continue throughout – effective knowledge transfer is a critical success factor!
• Consider this goal when developing all project documentation and deliverables – the more thorough, the better
• Share tips and techniques about how to troubleshoot the solution and deal with unexpected behaviors and results
• The solution operation resources should be both technically prepared and psychologically comfortable assuming operational control of the solution

Project Execution, Control, and Closure (cont.)
Controlled Closing
• Verifying the Deliverables and Exit Criteria
  – Review all deliverables produced by your team for contract compliance
  – Confirm that all exit criteria are satisfied and get stakeholder signoff as appropriate
• Releasing Resources
  – Make sure you get all of the work products from the resources before they leave
  – Plan the orderly release of project resources to allow them to transition to the next project in a timely fashion
• Identifying Follow On Opportunities with Stakeholders
  – Arrange a meeting with stakeholders specifically to discuss “next steps”
  – Try to time discussions to capitalize on current project success and/or momentum

Steady State Considerations
Level of Effort (LOE) or Full Time Equivalents (FTEs) required to operate and maintain an ITIM solution are dependent upon many factors. The most important of these factors are:
• The functionality of the solution that has been deployed
• The complexity of the enterprise in terms of identities, organizations, roles, policies, workflows, managed targets, etc.
• The volume and frequency of change to the configuration elements
• The maturity of the business logic the solution is based upon
• The quality of the identity and account data that is being managed
• The extent to which the out of the box solution has been customized
• The skill levels and experience of the operation and administration staff
• Central vs. Distributed Security Administration Model

Steady State Considerations (cont.)
Regardless of the quantities, there are certain aspects of operation and maintenance that are almost universal. Planning early in the project to ensure that there will be coverage for all of these aspects is the most effective way to avoid problems down the road. These aspects are:
• Thorough documentation of the decisions made during the solution design and implementation
• Detailed understanding of the configurations and any customizations made to the solution
• Staff with the proper foundational skills and training to operate and maintain the solution
• Detailed processes and procedures for operation and maintenance scenarios
• An individual or team that clearly owns the solution
• Complete socialization of the solution throughout the enterprise

Steady State Considerations (cont.)
The resources responsible for operating and maintaining the ITIM solution should have an administrative-level understanding and working knowledge and skills in the following areas:
• The operating system(s) that the ITIM solution is running on (i.e. Windows, AIX, Solaris, HPUX, Linux)
• The relevant database platforms (i.e. DB2, Oracle, MS SQL Server)
• The relevant directory server (i.e. IBM Directory Server, Sun ONE)
• The relevant application server (i.e. WebSphere, WebLogic)
• The IBM Tivoli Identity Manager application itself
• TCP/IP Networking configuration and troubleshooting
• Information gathering, documentation, and communication with IBM Tivoli Customer Support

Deployment Expectations – General Information
As customer scale and complexity increase, implementation work increases but not in strictly linear fashion.
All IT deployments require:
• Project management
• Solution design
• Detailed project planning
• Internal process and standards design and definition
• Data loading and migration
• Configuration of entitlements (org unit, access control, Workflow, password & identity policies, etc.)
• Some level of customization
• Test environment implementation
• Change control and QA process
• Production roll out implementation
• Documentation
• Training
In general, the more organized, prepared, educated, and committed the customer is, the more efficient is the deployment. IBM can significantly assist here by supplying highly skilled, seasoned ITIM deployment resources (PM, Architect, Consultants) to assist the customer with their ITIM deployment.
As a rough rule of thumb, a "typical" customer implementation with medium/high complexity, and 100.000+ users, will likely range 10-18 months duration and require an IBM project team of 3-5 resources. This estimated duration and team size could be higher based on actual solution design results - the range varies based on the following factors:
1. Complexity and heterogeneity of the customer specific OS/application/hardware IT environment
2. The customer's unique business and technical requirements
3. Number, skill level and types of customer resources that will be applied to the project.
4. Customer's project standards and security and IT process maturity.

Pitfalls to Avoid – Planning and Estimating Lessons Learned
• By themselves, data points like number of users, number of platforms/applications, number of agents, number of roles/policies, and number of project team members are not necessarily indicative of size or complexity of an identity management solution deployment
• Size and complexity are more often driven by the variety and intricacy of the business logic that is to be implemented in the solution
• For a given time and effort, the number of systems that can be implemented can skew widely based on whether those systems are platforms or applications and in the case of applications, whether the underlying user account data store is proprietary, database, LDAP, etc.
• The most effective way to level the skewing factors to arrive at a meaningful data point in terms of time and effort is by deriving the number of unique user account data stores for which a solution needs to be implemented
• Determining the number of unique user account data stores usually requires a detailed discovery effort

Pitfalls to Avoid – Planning and Estimating Lessons Learned
• The two most common challenges in identity management solution deployment projects are vague requirements and unstable scope
• The most rapid and successful deployments begin with adequate analysis and detailed design, tend to focus on the platforms vs. applications, and aim to establish basic functionality that can be expanded on and improved in subsequent project phases
• When there are many unknowns or complex targets are part of the first phase scope, fewer targets decrease risk and improve the chance of success
• More project team members do not generally result in a faster deployment – there is an optimal project team size
• The combined IBM and customer project team gets more efficient in deploying targets and estimating time and effort with each successive phase – the IBM resources understand the customer environment better and the customer resources understand the capabilities and limitations of the solution better

Pitfalls to Avoid – General Project Lessons Learned
• The majority of detailed solution design effort must take place at the beginning stages of the project, not “design as we go”
• Following a pre-defined and agreed upon deployment roadmap is instrumental to recognize success
• Customer executive support and sponsorship must exist for a project to be successful
• A teaming approach between the customer and IBM will greatly smooth out the engagement
• All members of the team, both customer and IBM, should be aware of the entire project scope and goals
• Any decisions that affect change on the project should be communicated to all team members
• Project issues and problems should be approached with a goal of resolution, not blame placement
• Customer education and knowledge transfer must start at the beginning of the project
• Proper project management principles must be followed throughout the life of the project

Supplemental Materials

Application Installation Process – Component View
[Figure: component diagram. Component labels: Administrator Web User Interface; End User Web User Interface; ITIM Application; Server & Notifier; J2EE Application Server; Java Application; RDBMS agent; mainframe agent; Existing Identity Store; IDI; HR Application; ITIM Workflow Database; ITIM Directory Data. Connection labels: XML over SSL; DSMLv2 over SSL; DSMLv2; JDBC; IIOP; LDAP v3. Annotation: if policy.getMember()s then Accounts.set…()]

ITIM Data – Logical View
[Figure: logical data model. Entity labels: Organizational Structure; Organizations; Organizational Units; Locations; Identities; Roles; Accounts; Services; Policies; Workflows. Example values shown: manager, developer, root, Administrator, unix, windows, new employee. Relationship labels: assigned to; own; apply to; start; contain; deploy.]

Integrated Identity Management Pyramid
Pyramid layers, each with the benefit listed for it:
• Self-Regulating Access Controls Across Organizations – Competitive Advantage: Extend security automation to business partners
• Access Control Policy Automation – Productivity: Enforce security policies proactively
• Distributed Administration – Scale: Support large, distributed user base
• Access Request Audit Trails – Compliance: Ease support of audits
• Access Request Approval Process Automation – Productivity: Speed accurate account creation
• Orphan Account Control – Risk: Eliminate Backdoor Access
• Password Management – ROI: Cut Helpdesk Costs by 40%
• Connectors to Access Control Systems – Fundamental: Administer web and legacy environments consistently
• Data Integration Layer – Integration: Meta view of Enterprise Data Assets
• Access Controlled Systems – Security: Consistent Authentication and Authorization to all Resources

Best Practice Deployment Approach - Phased Approach to Implementation
[Table: columns Phase 1 Foundation & Password Management; Phase 2 Auto Provision Std Accounts & workflow; Phase 3 Role based account management; Phase 4 Custom Agents & Extension; Phase 5 Maturity. Rows: Scope; Feature; Benefit. Table entries:]
• Scheduled re-organisations with shorter nonproductive time for the end-user
• Fast activation and deactivation of user
• Time consuming tasks replaced by automation
• Necessary reporting available
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration and support desk
• Compact delivery time
• Consistent GUI for Admin
• Consistent Account creation
• Full Audit Trail
• Simple Workflow introduced
• Start Road to RBAC
• User registration is automatically updated
• Reduced Admin
• Necessary reporting for external parties
• Consolidation of users
• Organisational Structure
• HR Feed creating new users
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration
• Higher security and lower license cost
• Rule-set for automated creation and deletion of user accounts
• Rule-set for org. changes
• Organisational chart may need refining
• Administration by Role management introduced
• Requires input and buy-in from application/system owners
• Time consuming tasks replaced by automation
• Large benefits gained by the application owners
• Delegated admin possible
• Improved control from detailed reporting
• One interface for ALL user administration.
• Role-based access control fully enabled.
• Out of the box supported applications/systems (5)
• Baseline reporting
• Covers large or small user target
• HR Feed established
• Orphan Account Control
• Single action to close/suspend a user account
• Password Management: synchronisation, Reset and Self Service across managed platforms
• Organizational tree established
• Eliminate Risks from ‘Backdoor’ access.
• Able to self maintain ITIM to reflect changing business demands.
• HR-Feed for managing user accounts – high demands on data quality.
• Full workflow for account management
• Focused on small community
• Custom developed agent
• Start program to extend RBAC to cover all companies
• No unauthorised administration of user accounts outside of ITIM
• Workflow supports authorisation mgmt
• Templates for later rollout established
• All significant applications covered
• Customer able to repeat new instances of agent installs and integrate into appropriate policies.
• Only ‘run-out’ applications excluded – if any.

Best Practice Deployment Approach – Deployment Strategy
[Figure: deployment roadmap. Phase A : Business Analysis Roles and Policies; Phase 1 Password Management; Phase 2 Auto Provisioning & Workflow for Infrastructure Accts; Phase 3 Policies and Roles Defined RBAC; Phase 4 Custom Agents; Phase 5 Maturity. Foundation : Infrastructure Systems; Non Infrastructure Systems and Applications. Repeat Phase 1 and 2 for additional Systems and Apps as requirements are defined.]
Phase 1 : Infrastructure Foundation
• Orphan Accounts Identified, Adopted and otherwise Cleaned Up
• Self Service Forgotten and Reset Password
Phase 2 : Automatic Provisioning for Infrastructure Accounts
• Infrastructure Accounts Provisioned Automatically
• Dynamically Driven by Attribute Evaluation Org Unit, Job Title, Business Role etc
• Automatically Initiated Approval/RFI Workflows as Needed
Repeat Phases 1 and 2 for Additional Systems and Applications

Best Practice Deployment Approach – Deployment Strategy
Phase 3 : RBAC for Out of the Box Services and Apps
• Analysis of Business Role Requirements completed
• Mapping of Business Roles to Access rights
• Define Roles and Policies (Roles may be Static or Dynamic)
• Culminating in the Automatic Role Driven Provisioning and Deprovisioning of Access Rights
Phase 4 : Develop Custom Agents
• Tools: IDI, LDAP-X, RDBMS-X, CLI-X
Phase 5 : Maturity
• All Access Rights are now Controlled
• Refine Roles and Policies as Required

Best Practice Deployment Approach – Deployment Strategy
[Figure: deployment roadmap with timeline labels: 3 – 4 Months; 5 – 7 Months; TBD Based on Business Requirement Analysis]
Timelines for Phases 3+ cannot be determined without knowing:
• Details behind business requirements
• Details behind the number of systems/apps for which access rights are to be managed
• Details behind the targets that will require custom agents vs out of the box
• How complex the role matrix will be

Best Practice Deployment Approach – Business Pain Led Realization of ROI
[Figure: “Top Down” vs. “Bottom Up” deployment across a Business/Technology Focus stack. Labels: “Top Down” Deployment – Tactical Coverage; “Bottom Up” Deployment – High Coverage. Other attribute labels: Restricted Deliverables; Well Defined Deliverables; Early ROI; Late ROI; High Visibility; High Impact; Low Impact; Higher Deployment costs. Stack elements: Employees; Customers; Partners; Suppliers; Business Portals; Business Process Integration; Application Connectivity; Application Development; Applications; Infrastructure; Data; Operating Systems.]

Best Practice Deployment Approach - Strategy Options
Option 1 : Bottom Up
• Phase A : Business Analysis Roles and Policies
• Phase 1 : Foundation Password Management
• Phase 2 : Auto provisioning and workflow of standard accounts
• Phase 3 : Roles and Policies Refined - RBAC
• Phase 4 : Custom Agents
• Phase 5 : Maturity
• Customer Repeats Phase 1 and 2
Option 2 : Top Down
• Business Analysis for Roles and Policies
• Custom Agent
• Password Management & Reconciliation
• Auto Provision & Workflow
• Roles and Policies
• Phase 5 : Maturity

Best Practice Deployment Approach – For and Against
Option 1 – Bottom Up
For:
• User and business awareness of product and benefits are visible from an early stage.
• Many manual processes can be replaced by automation.
• Password management can be implemented for a large number of users.
• No development of agents required in phase 1.
• Low impact on operation and maintenance resources.
• Eases ITIM gently into the business.
• Broadens skills and understanding within your organisation at the first phase.
Against:
• Organisational structure may have to be altered at a later phase.
• Driven by Infrastructure, not Business.
Option 2 – Top Down
For:
• Focused use of resources from the individual target.
• First implementation will be showcase of what can be done.
• Deep coverage of an application once implementation has finished.
Against:
• Limited coverage in the first phases, minimal % of user accounts managed.
• Higher implementation cost.
• Potentially custom agents will have to be developed at an early stage.
• Medium to high impact on system owners etc., co-operation required.
• Minimal benefit to support and overall business.

Who Does What and When? – Tivoli Security Engagement Model

Who Does What and When? – Implementation
[Figure: activity matrix. Phases: PREPARATION and PLANNING; FRAMEWORK; DESIGN; CONFIGURATION; DEPLOY TO PRODUCTION. Track labels: Project Mgmt.; Tech Ed; Technical Installation; Implementation (Org/Conf, ACI, WorkGrp/Policy Flow, Auto).]
PREPARATION and PLANNING
• Determine Scope and Approach
• Document As-Is Process Maps
• Perform Readiness Assessment
• Schedule Training
• Technology Architecture Drawing and Solution Design
• Verify Client Environment
Activities shown across the remaining phases
• Budget and Actuals Tracking
• Develop and Maintain Work Plan
• Monitoring and Reporting Activities
• Help Desk Support Training
• Project Wrap-up Activities
• Project Team Training
• Install and Test E/S
• Install and Test Agents
• Data File Design
• Configure Organization Structure and Roles
• Administrator Training
• End User Training
• Document Installation History
• Perform System Tuning
• Data Files Preparation
• Design Account Management Forms
• Data Loading
• Configure Account Management Forms
• Design ITIM Groups and ACIs
• Configure ITIM Groups and ACIs
• Configure Provisioning Policies and Entitlements
• Configure Security Administration Workflows & Procedures
• Perform PreProduction Testing
• Enable Chosen Workflows and Procedures
• Reconciliation and Orphan Account Cleanup
• Develop Provisioning Policies and Entitlements
• Design Security Administration Workflows & Procedures
• Design Testing Strategy and Scripts
• Develop To-Be Process Maps
• Develop Automated Processes

Who Does What and When? – Typical Deliverables by Implementation Phases

Project Management: Scoping, Planning and Documenting Work Plan, Budget and Actuals Tracking, Project Status Reporting, Project Wrap-up Activities

Phases: Sales and Pre-Planning; PREPARATION and PLANNING; FRAMEWORK; DESIGN; CONFIGURATION; DEPLOY TO PRODUCTION

Deliverables: Handoff from Sales; Documented Scope and project success requirements/goals; Documented as-is process maps; Training plan; Technology Architecture Drawing; Solution Design; Client Environment Verification; Documented Work Plan; Project Team training delivered; Installation of E/S and Agents complete; Documented Data File design; Organization Structure Configured in EnRole; Documented to-be process maps; Documented Automated Processes; Administrator Training delivered; Data File Preparation Complete; Design Documentation for Account Management Forms; Design Documentation for ITIM Groups and ACIs; Design Documentation for Provisioning Policies and Entitlements; Documented security administration workflows & procedures; Unit Test Scripts; Business Integration Test Scripts; Help Desk Training delivered; Account Management forms configuration complete; Groups and ACIs configuration complete; Password Policy and Identity Policies; Provisioning Policies and Entitlements configured in ITIM; Security administration workflows & procedures configured; Unit Test results documentation; End User Training delivered; Documented Installation History; Data loading complete; Initial Reconciliation and Data Cleansing complete; Business Integration Test results documented; Final project Sign-off

Steady State Backup – Case Studies – Customer #1

Customer’s Project Goal: Create single user interface (UI) for identity and access management and true Roles Based Access Control (RBAC) environment.
Products Implemented: TIM
Number of Users Managed: 25,000
Number of “out of the box” Agents: 4 – Tivoli Access Manager (TAM), Clarify, Sybase, RACF
Number of “custom” Agents: 4 – Universal Provisioning Agent (UPA) (3 apps done) and Generic Service Provider for Applications (4 apps done)
Number of Unique Account Data Stores: 11
Number of Organizational Roles: 300+ (out of 1400 total roles identified, adding about 100 per week)
Number of Provisioning Policies: 300+ (there is one policy per role in this environment)
Project Timeline: 24 mos. total, 2 phases of 12 mos. each -- separate 2 yr. RBAC project completed prior to start of this project
Phase Focuses: Installation and configuration, out of the box targets, initial data load, custom reports, limited Production // Expand Production to UPA and Custom Service Provider Applications
Average Lifecycle Duration for Agents: 2 mos. for simple agents and 8 mos. for the most complex agents
IBM Project Staff: 5 FT (Project Manager, Architect/Tech Lead, Customization Consultant, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Application Administrators)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation Documentation
Project Challenges: Enterprise complexity, product issues
Project Strengths: RBAC project completed in advance, clear requirements, strong customer executive sponsor, excellent relationship with the customer, experienced project management, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, extensive direct knowledge transfer
Operations Staff: ~12 FTEs – Central team of 4 FT Application Administrators and a distributed team of PT Security Administrators

Steady State Backup – Case Studies – Customer #2

Customer’s Project Goal: Reduce security admin costs and eliminate annual recertification audit findings.
Products Implemented: TIM, IDI
Number of Users Managed: 13,000 (3,500 internal and 9,500 external)
Number of “out of the box” Agents: 7 – AIX, HPUX, Solaris, NT, Lotus Notes, Oracle, Sybase
Number of “custom” Agents: 2 – Generic Service Provider for Null Services, IDI Agent to Provision to LDAP
Number of Unique Account Data Stores: 9
Number of Organizational Roles: 100+
Number of Provisioning Policies: 160+
Project Timeline: 18 mos. total, 3 phases 7/5/6 mos. -- 4th phase planned
Phase Focuses: Detailed solution design, installation and configuration, custom agents/utilities/reports, testing and validation // Operational readiness and limited Production // Improve automation and expand Production // 4th phase planned to put additional targets in Production
Average Lifecycle Duration for Agents: 1 mo. for out of the box agents and 2 mos. for custom agents
IBM Project Staff: 6 FT (Project Manager, Architect/Tech Lead, Customization Consultant, Trainer/Technical Writer, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Technical Subject Matter Experts (SMEs))
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Enterprise complexity, lack of requirements, customer skills
Project Strengths: Excellent relationship with the customer, strong customer executive sponsor, experienced project management
Transition to Operations: Custom in-house training, direct knowledge transfer, detailed documentation
Operations Staff: ~7 FTEs – Central team of 6 FT Security Administrators and a team of PT Technical SMEs

Steady State Backup – Case Studies – Customer #3

Customer’s Project Goal: Save time/money with password self service, easily manage 450,000 user ids for their portal applications, and easily detect/suspend noncompliant accounts.
Products Implemented: TIM, IDI
Number of Users Managed: 450,000
Number of “out of the box” Agents: None
Number of “custom” Agents: 1 – IDI Agent to Provision to LDAP (Customer Internal Portal)
Number of Unique Account Data Stores: 1
Number of Organizational Roles: 40 (30 static, 10 dynamic)
Number of Provisioning Policies: 60
Project Timeline: 16 mos. total, 2 phases of 8 mos. each -- 3rd phase planned
Phase Focuses: Installation and configuration, initial data load, custom UI for password self service, and limited Production // Improve automation and expand Production // 3rd phase planned to put Unix targets in Production
Average Lifecycle Duration for Agents: 1 mo.
IBM Project Staff: 1 PT Project Manager, 1 FT Implementer (assisted by Tivoli Support and Development)
Customer Project Staff: 1 PT Project Manager, 1 FT Application Administrator, and a team of PT Technical SMEs
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, hardware allocation
Project Strengths: Excellent relationship with the customer, aid from Tivoli Support and Development
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 2 FTEs – 2 FT Application Administrators (strong troubleshooting skills and Unix, IBM Directory Server (IDS), WebSphere Application Server (WAS), TIM, IDI, and scripting skills)

Steady State Backup – Case Studies – Customer #4

Customer’s Project Goal: Provide secure access to data for external users.
Products Implemented: TAM, IDI, TIM
Number of Users Managed: 30,000
Number of “out of the box” Agents: 1 – TAM
Number of “custom” Agents: 1 – Generic Service Provider for Applications (3 apps done)
Number of Unique Account Data Stores: 4
Number of Organizational Roles: 10
Number of Provisioning Policies: 3
Project Timeline: 18 mos. total, 3 phases of 6 mos. each, 6 mos. for TAM/IDI and 12 mos. for TIM
Phase Focuses: TAM/IDI in Production // TIM test and validation // TIM in Production
Average Lifecycle Duration for Agents: 1 mo. for TAM and 6 mos. for Generic Service Provider
IBM Project Staff: 1 PT Project Manager, 1 PT Architect, 1 FT Implementer
Customer Project Staff: 1 FT Application Administrator, 2 PT Technical SMEs (Java, Middleware)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, customer skills, product knowledge, product issues
Project Strengths: Services team commitment, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 1.5 FTE – 1 FT Application Administrator, 1 PT Technical SME (Java, Middleware)

Steady State Backup – Side-by-Side Comparisons

| | Customer #1 | Customer #2 | Customer #3 | Customer #4 |
|---|---|---|---|---|
| Project Goals | Create single UI for identity and access management and true RBAC environment | Reduce security admin costs and eliminate annual recertification audit findings | Save time/money with password self service, manage users for portal apps, detect and suspend noncompliant accounts | Secure access to data for external users |
| Users Managed | 25,000 | 13,000 | 450,000 | 30,000 |
| No. of Data Stores | 11 | 9 | 1 | 4 |
| No. of Roles | 300+ | 100+ | 40 | 10 |
| No. of Policies | 300+ | 160+ | 60 | 3 |
| Project Timeline | 24 mo. – 2 phases | 18 mo. – 3 phases | 16 mo. – 2 phases | 18 mo. – 3 phases |
| Agent Timeline | 2 – 8 mo. | 1 – 2 mo. | 1 mo. | 1 – 6 mo. |
| Project Staff Size | 9 FT + 2 PT | 10 FT + 2 PT | 2 FT + 2 PT | 2 FT + 4 PT |
| Ops. Staff Size | ~12 FTE | ~7 FTE | 2 FTE | 1.5 FTE |

Q&A

For More Information

Tivoli User Groups: You can get even more out of Tivoli software by participating in independently run Tivoli User Groups around the world. Learn about online and in-person opportunities near you at www.tivoli-ug.org

Tivoli Training: IBM offers technical training and education services to help you acquire, maintain and optimize your IT skills. For a complete Tivoli Course Catalog and Certification Exams visit www.ibm.com/software/tivoli/education

Tivoli Services: With IBM Software Services for Tivoli, you get the most knowledgeable experts on Tivoli technology to accelerate your implementation. For a complete list of Services Offerings visit www.ibm.com/software/tivoli/services

Tivoli Support: IBM Software Premium Support provides an extra layer of proactive support, skills sharing and problem management, personalized to your environment. Visit www.ibm.com/software/support/premium/ps_enterprise.html