IBM Tivoli Identity Manager 4.6 - InfoWorld Test Report
To reach into the various moving parts of our enterprise, ITIM (IBM Tivoli Identity Manager) 4.6 used custom agents that we installed on every managed resource, including our AD domain controllers, database servers, and so forth. The agents hold a reasonably small footprint and require minimal configuration. IBM says that many of its agents don't need to be installed on managed resources, but can manage multiple resources remotely from a single server.
Before any identity management can occur, existing HR applications and the directory must be integrated. For this task, IBM used TDI (Tivoli Directory Integrator), a Java application that functions as an intersection of identity data, both for initial integration and as a permanent connector when needed. TDI runs on Linux and Windows and offers a clear view of any managed resource. In the test, this tool was primarily used to map data from the HR database to AD -- and vice versa -- providing the IBM engineers with a fluid way to manipulate the data.
By pulling in MySQL Java connectors to the TDI tool and working with AD via LDAP, an IBM engineer was able to quickly map database fields to LDAP fields and create a custom connector to move data between them in whole or in part based on triggers, schedules, or manual intervention. TDI handled all integration tasks with aplomb, providing simple methods to reformat disparate data, such as consistently formatting phone numbers, Social Security numbers, and birth dates. We were quite taken with this tool.
The test scenarios caused IBM some fits and starts. At times their own interface seemed to stymie the IBM engineers, but those moments were brief. Overall, every aspect of the test was completed satisfactorily, including the extra-credit portions of integrating the z/OS and Lotus Notes servers. Then again, those are IBM products.
The relative immaturity of the ITIM Web GUI was notable throughout the test. This interface allows admins to create and modify end-user pages, drawing on a wide array of page layout and functionality choices. For instance, it's relatively simple to declare the database fields a user sees when viewing company directory information or modifying his or her personal data, and whether certain fields may be modified at all.
The overall navigation of the UI, however, isn't so clear. In many places, the only way to construct certain actions is to plug JavaScript code snippets into small text fields in the UI. This provides some power, but it's also significantly more complex and substantially less elegant than we expected. At times it seemed like trying to open a window with a brick. Also, the solution is bereft of any undo capabilities. After you've configured and begun running an action -- say, to reconcile AD data with an HR database -- you can't easily step back to a previous state; you can try to revert only by constructing another action. On the plus side, a simulation feature allows you to try policies before enabling them.
The workflow functions of ITIM are top-notch. A GUI representation of a workflow is presented in a Java applet, allowing users to drag elements around to create approval steps, assign tasks, and so forth.
The reporting engine of ITIM is vast and complex. It's possible to generate reports containing nearly any data present in the system, but again, it's a little challenging to assemble the data in a logical form. Crystal Reports integration is present, however, and Crystal would be our reporting tool of choice in an actual implementation.