IBM Support

Preventing inadvertent changes or deletions of critical accounts

Troubleshooting


Problem

If service accounts such as 'root' are owned within ISIM and "Correct non-compliance" is specified for the related services, they may be altered or deleted when the related provisioning policies change.

Symptom

Exposure of critical system accounts to inadvertent changes by ITIM

Cause


Resolving The Problem

Recommendations:

1. Identify service accounts for all end-points.

2. Do not adopt service accounts. Auto-provisioning actions will never apply to orphan accounts.

3. If you do allow service accounts to be adopted, ensure that the provisioning policy granting the entitlement remains tightly managed.

4. Be wary of enabling "Correct non-compliance" for a service if you haven't addressed service accounts.

5. Configure ISIM to exclude service accounts on the end-point(s) from reconciliation. Review the topic "Excluding accounts from reconciliations" in the ISIM documentation. This procedure lets you specify, by service type, the accounts that are to be excluded from reconciliations. It is the safest technique for protecting these accounts.

For example, the following sample LDIF statements exclude a series of TAM service accounts from being reconciled:


# Container that holds the exclusion entries
dn: ou=excludeAccounts, ou=itim, ou=IBM, dc=com
ou: excludeAccounts
objectClass: top
objectClass: organizationalUnit

# One erIdentityExclusion entry per service profile; each erAccountID value
# names an account that reconciliation must leave alone. A given value may
# appear only once per entry, otherwise the directory rejects the add.
dn: cn=TAM4Profile, ou=excludeAccounts, ou=itim, ou=IBM, dc=com
erObjectProfileName: TAM4Profile
objectClass: top
objectClass: erIdentityExclusion
cn: TAM4Profile
erAccountID: sec_master
erAccountID: ivmgrd/master
erAccountID: default-webseald/hctunx86
erAccountID: default-webseald/hctunx87
erAccountID: amwpm/hctunx83.us.tgr.net
erAccountID: amwpm/hctunx82.us.tgr.net
erAccountID: default-webseald/hctunx88
erAccountID: default-webseald/hctunx89
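As an added example (not IBM's code and not part of this technote), the following Python builds an erIdentityExclusion entry of the kind shown above from a per-profile list of service accounts, collapses duplicate account IDs so the LDAP add does not fail, base64-encodes values that LDIF cannot carry in plain form, and reports which critical accounts are still not covered by an exclusion entry. The suffix ou=itim,ou=IBM,dc=com and the SERVICE_ACCOUNTS list are assumptions for the example.

```python
import base64
import re

# Constructed sample: service accounts to protect, keyed by ISIM service profile name.
SERVICE_ACCOUNTS = {"TAM4Profile": ["sec_master", "ivmgrd/master", "ivmgrd/master",  # repeated on purpose
                                    "default-webseald/hctunx86"]}

PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")

def ldif_attr(name, value):
    """One LDIF attribute line; uses base64 ('::') per RFC 2849 when the value is not safe as plain text."""
    if PRINTABLE_ASCII.match(value) and not value.startswith((" ", ":", "<")) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_exclusion_entry(profile, accounts, container_dn="ou=excludeAccounts,ou=itim,ou=IBM,dc=com"):
    """LDIF for one erIdentityExclusion entry. Duplicate IDs are dropped (order kept)
    so the add does not fail with 'attribute or value exists'. container_dn is an assumed suffix."""
    lines = [f"dn: cn={profile},{container_dn}",
             "objectClass: top",
             "objectClass: erIdentityExclusion",
             f"cn: {profile}",
             f"erObjectProfileName: {profile}"]
    lines += [ldif_attr("erAccountID", a) for a in dict.fromkeys(accounts)]
    return "\n".join(lines) + "\n"

def parse_exclusions(ldif_text):
    """Map each erObjectProfileName to its set of erAccountID values; '::' lines are base64-decoded."""
    result, profile, ids = {}, None, set()
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():                   # blank line closes the current entry
            if profile:
                result[profile] = ids
            profile, ids = None, set()
            continue
        name, _, raw = line.partition(":")
        value = base64.b64decode(raw[1:].strip()).decode("utf-8") if raw.startswith(":") else raw.strip()
        if name == "erObjectProfileName":
            profile = value
        elif name == "erAccountID":
            ids.add(value)
    return result

def unprotected(profile, critical, ldif_text):
    """Critical accounts for `profile` that no exclusion entry in ldif_text covers."""
    return sorted(set(critical) - parse_exclusions(ldif_text).get(profile, set()))

if __name__ == "__main__":
    ldif = build_exclusion_entry("TAM4Profile", SERVICE_ACCOUNTS["TAM4Profile"])
    print(ldif)
    print("still unprotected:", unprotected("TAM4Profile", ["sec_master", "default-webseald/hctunx87"], ldif))
```

Run the uncovered check against the LDIF you actually loaded into the directory, not just the file you intended to load, so a failed or partial import shows up as unprotected accounts.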


Product Synonym

isim itim

Document Information

Modified date:
16 June 2018

UID

swg21214530