Identity Management

Concepts

Service Manager Service Portal Identity Management (IdM) uses role-based access control, which controls whether a user can perform an operation based on the user's assignment to a role and the role's association with application-defined permissions.

The relationships among organizations, groups, roles, and permissions in Service Manager Service Portal are:

  • Permissions are the most basic unit of authorization. They enable access to Service Manager Service Portal applications and services.
  • Roles are user-defined collections of permissions. Roles are associated with groups that contain members (users).
  • Groups have one or more users. A group can be associated with one or more roles, and a group belongs to one or more organizations.
  • Organizations can contain one or more groups.

An organization determines a user's Service Manager Service Portal entry point at login and associates its group members with services and resources. Examples of organizations are companies, business units, and departments.

The Service Manager Service Portal Administrator configures an LDAP (Lightweight Directory Access Protocol) directory service to determine membership in a Service Manager Service Portal organization.

When a user logs in, LDAP authenticates the login credentials by verifying that the user name and password match an existing user in the LDAP directory.

Authorization and abilities of an organization's user are determined by predefined roles and permissions and by membership in group DNs (distinguished names) in the LDAP directory. You assign a group DN to a predefined role that has predefined abilities.

Two default Service Manager Service Portal organizations are provided:

  • Provider Organization - At installation, a single Provider organization is created. Members of the Provider organization use the Identity application to create one or more consumer organizations, manage configured organizations, and manage resources and services (such as designing, offering, and publishing resources and services for consumption).

    The organizations, resources, and services that can be managed are determined by the roles and permissions assigned to the members of the Provider organization. The Service Manager Service Portal Administrator manages all organizations, roles, groups and permissions across all organizations.

    There is only one Provider organization and it is automatically set up during installation. You may modify the Provider organization as needed; however, you cannot delete it.

  • Consumer Organization - At installation, a single Consumer organization is created. The Administrator uses the Identity application to modify this default Consumer organization as needed. Additionally, the Service Manager Service Portal Organization Administrator can use the Identity application to manage roles, groups and permissions within an organization.

    Members of the Consumer organization subscribe to, or consume, the resources and services provided by the Provider organization. There may be multiple consumer organizations configured by the Provider organization. However, each consumer or subscriber sees only the services and resources of the consumer organization of which they are a member. Membership in a consumer organization is determined by the LDAP configuration of the consumer organization.
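The group DN to role to permission chain described above, with roles and group assignments scoped to one organization, as an added example that is not Service Manager Service Portal code: a small Python model that assigns LDAP group DNs to predefined roles per organization and resolves a user's effective permissions from their group memberships. The organization, role, permission and DN values are constructed for illustration, and DN normalization is an assumption added because directory clients differ in case and spacing.

```python
# Added example (not Service Manager Service Portal code): a minimal model of the
# organization -> group -> role -> permission chain, with the LDAP group DN as the
# link between the directory and a predefined role.
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> str:
    """Canonicalize an LDAP DN for comparison (assumption: attribute types and
    values are matched case-insensitively). Clients often emit spaces after the
    commas; comparing raw strings would silently deny access to valid members."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Organization:
    name: str
    roles: dict = field(default_factory=dict)        # role name -> set of permissions
    group_roles: dict = field(default_factory=dict)  # normalized group DN -> set of roles

    def assign_group(self, group_dn: str, role: str) -> None:
        """Assign an LDAP group DN to a predefined role within this organization."""
        if role not in self.roles:
            raise KeyError(f"role {role!r} is not defined in organization {self.name!r}")
        self.group_roles.setdefault(normalize_dn(group_dn), set()).add(role)


def effective_permissions(org: Organization, user_group_dns: list) -> set:
    """Union of the permissions of every role mapped to a group the user belongs to.
    Only this organization's mappings count: a DN mapped in another organization
    grants nothing here, which is what keeps consumer organizations separated."""
    perms = set()
    for dn in user_group_dns:
        for role in org.group_roles.get(normalize_dn(dn), ()):
            perms |= org.roles[role]
    return perms


def is_authorized(org: Organization, user_group_dns: list, permission: str) -> bool:
    return permission in effective_permissions(org, user_group_dns)


# Constructed sample data (hypothetical DNs, role and permission names).
PROVIDER = Organization("Provider", roles={
    "Org Admin": {"identity.manage_organizations", "identity.manage_roles"},
    "Designer": {"catalog.design", "catalog.publish"},
})
PROVIDER.assign_group("CN=Portal Admins,OU=Groups,DC=example,DC=com", "Org Admin")
PROVIDER.assign_group("cn=Designers,ou=Groups,dc=example,dc=com", "Designer")

CONSUMER = Organization("Consumer", roles={"Subscriber": {"catalog.subscribe"}})
CONSUMER.assign_group("CN=Staff,OU=Groups,DC=example,DC=com", "Subscriber")
```

A user whose directory groups include the Designers DN is authorized for `catalog.publish` in the Provider organization even when the DN's case and spacing differ, and gets nothing in the Consumer organization because no Consumer role is mapped to that group.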

Tasks

The Administrator can perform the following tasks in the Identity application:

  • Manage Organizations – Create, revise, and delete organizations.
  • Manage Languages – Add, set as default, and delete languages within a Consumer organization.
  • Manage Roles – Create, revise, and delete roles within an organization. You can also associate permissions to roles and remove associated permissions from roles.
  • Manage Groups – Create, revise, and delete groups within an organization. You can also add users and roles to groups and remove users and roles from groups.
  • Manage Permissions – Create, revise, and delete permissions within an organization. You can also associate groups and permissions to roles and remove groups and permissions from roles.
  • Manage Impersonations – Create and delete impersonations, which are used to submit requests on behalf of another user.
  • Service Manager Service Portal Automation License – Manage Service Manager Service Portal licensing.