96 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Again, only WPM can be used to import and export objects from the object
4.1.3 Users and groups
Tivoli Access Manager maintains information about Tivoli Access Manager users
and groups in the user registry. Users and groups that already exist in the user
registry can be imported into Tivoli Access Manager. If a user or group does not
already exist in the user registry, it can be created directly within Tivoli Access
When a user is authenticated to Tivoli Access Manager, a user credential is
returned. This credential is used by other Tivoli Access Manager functions to
uniquely identify the user making the request.
Tivoli Access Manager supports different types of users. When a domain is
created, a special user known as the domain administrator is created. For the
management domain, the domain administrator is sec_master. The sec_master
user and associated password are created during the configuration of the Tivoli
Access Manager Policy Server. For other domains, the user ID and password of
the domain administrator are established when the domain is created. The
domain administrator has nearly complete control of the domain. The domain
administrator is added as a member of the Tivoli Access Manager iv-admin
group within the domain. The iv-admin group represents those users with domain
administration privileges. When adding users to the iv-admin group, ensure that
you do not compromise the security of your domain. Another predefined group,
ivmgrd-servers, contains the Policy Servers and the Policy Proxy Servers. By
default, members of this group are authorized to delegate requests to other Tivoli
Access Manager servers on behalf of the requestor.
There are two more predefined (built-in) Access Manager groups:
any-other        Represents all authenticated users.
unauthenticated  Represents all users who have not been authenticated by
Those two groups have a very important role in defining and applying ACLs, as
described in “Evaluating an ACL” on page 103.
Chapter 4. Configuration and customization 97
Managing users and groups
Users and groups in Access Manager can be managed using the WPM or the
pdadmin CLI. All standard actions on groups and users can be performed:
Create a user or group
Import users or groups
Modify existing users or groups
Delete users or groups
List users or groups
Show existing user properties
In pdadmin, these actions on users begin with the keyword user, followed by the
type of action and the appropriate options:
pdadmin > user [create | import | list | modify | show | delete] options
The commands performed on groups begin with group:
pdadmin > group [create | import | list | modify | show | delete] options
Changing a password
There is no explicit command for managing user passwords. Since the user
password is actually one of the user attributes, the user modify command is
used to change (or set up) a user password.
pdadmin > user modify user_name password password
Every time you create a new user you need to set the password.
When setting or changing a password, the password must comply with the following:
The defined Tivoli Access Manager password policy
The password policy for the underlying operating system
The password policy for the underlying user registry
When creating a new user, you also need to enable the user in Access Manager:
pdadmin> user modify user_name account-valid yes
If the account is disabled (not explicitly enabled), the user cannot log in.
The other necessary step in setting up new users in Access Manager is to make
the password valid. This step is not necessary if the user does not need to supply
a password during authentication (for example, the user logs into the system with
pdadmin> user modify user_name password-valid yes
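The new-user steps described above (create the user and its password, then account-valid yes and password-valid yes), collected into one pdadmin command sequence as an added example; this is not code from the study guide or from IBM. It assumes the TAM 6.0 syntax "user create user_name dn cn sn password" and that pdadmin accepts a command file as its last argument; the user, DN and group names are constructed, and the script refuses to put iv-admin membership into routine onboarding, in line with the caution about that group.

```shell
#!/bin/sh
# Added example, not from the study guide. Emits the pdadmin command sequence
# that takes a new Access Manager user from "created" to "able to log in".
# Assumptions not stated on the page: the TAM 6.0 syntax
#   user create user_name dn cn sn password
# and that pdadmin accepts a command file as its last argument, e.g.
#   pdadmin -a sec_master -p <sec_master_password> onboard.pdadmin
# All user, DN and group names below are constructed sample values.

# Print the onboarding commands for one user.
# $1 user id  $2 registry DN  $3 cn  $4 sn  $5 initial password  $6 group (optional)
tam_onboard_cmds() {
    user="$1" dn="$2" cn="$3" sn="$4" pw="$5" grp="$6"
    # Domain administration rights are granted deliberately, never as a
    # side effect of routine onboarding.
    if [ "$grp" = "iv-admin" ]; then
        echo "refusing to add $user to iv-admin during onboarding" >&2
        return 1
    fi
    # user create sets the password, so no separate 'user modify ... password'.
    printf 'user create %s "%s" "%s" "%s" %s\n' "$user" "$dn" "$cn" "$sn" "$pw"
    # A freshly created account is not enabled: enable it explicitly.
    printf 'user modify %s account-valid yes\n' "$user"
    # The initial password is not valid until it is declared so.
    printf 'user modify %s password-valid yes\n' "$user"
    if [ -n "$grp" ]; then
        printf 'group modify %s add %s\n' "$grp" "$user"
    fi
    # Read the account back so the flags can be verified in the output.
    printf 'user show %s\n' "$user"
}

# Write the sequence to a command file readable only by its owner, because the
# file carries the initial password in clear text.
tam_write_cmdfile() {
    file="$1"; shift
    ( umask 077; tam_onboard_cmds "$@" > "$file" )
}

# Usage: tam_write_cmdfile onboard.pdadmin jdoe "cn=jdoe,o=example,c=us" \
#            "John Doe" Doe 'Initial#Pw1' engineering
```

Feed the resulting file to pdadmin as sec_master (or the domain administrator) and check the user show output for account-valid and password-valid before handing the credentials over.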