Define IBM Security Access Manager Accounts

Users who access ISIM need IBM Security Access Manager (ISAM) user accounts in addition to their Security Identity Manager (ISIM) user accounts. Use ISAM to provision the ISAM user accounts. This example defines myaccount as an identical user account for both applications. Use identical user accounts for ISAM and ISIM; otherwise, we must configure user account mapping.

  1. On the computer on which ISAM is installed, start the ISAM utility. Type pdadmin at a command prompt. This prompt can be on the ISAM Authorization Server or the ISAM Policy Server. We can also use ISIM to provision ISAM user accounts.

  2. Take the following steps:

    1. Log in to a secure domain as the sec_master administration user to use the utility.
    2. At the command prompt, type login.
    3. Enter sec_master when prompted for a user ID.
    4. Specify the associated password at the Enter Password prompt.

    For example:

      pdadmin> login
      Enter User ID: sec_master
      Enter Password: password
      pdadmin>

  3. Define the example myaccount user account on IBM Security Access Manager with the user create command.

      user create [-gsouser] [-no-password-policy] user_name dn cn sn password [groups]

    Where:

      -gsouser
        Enables global sign-on.
      -no-password-policy
        Enables the administrator to create the user with an initial password that is not checked by the existing global password policies.
      user_name
        Name of the user.
      dn
        Registry identifier assigned to the user to create. A distinguished name has a format like:

          cn=Mary Jones,ou=Austin,o=IBM,c=us

      cn
        Common name assigned to the user to create. For example, Mary.
      sn
        Family name of the user. For example, Jones.
      password
        New user account password.
      groups
        List of groups to which the new user is assigned.

    For example, type:

      user create "myaccount" "cn=FirstName LastName,o=ibm,c=us" "FirstName LastName" "LastName" password

  4. To make the user account valid, type user modify "myaccount" account-valid yes.
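
Steps 3 and 4 as a generator script, an added example that is not IBM's code: it prints the two pdadmin commands for one account after rejecting field values that would break the quoted arguments, and it never emits -no-password-policy, so the initial password stays subject to the global password policies. The function names, the user-name character rule, the simplified DN check and the sample password are assumptions.

```sh
#!/bin/sh
# Added example (not IBM code): print the step 3 and step 4 pdadmin commands
# for one account, validating each field first.
NL='
'
CR=$(printf '\r')
TAB=$(printf '\t')

# Reject empty values and any that could close the quoted argument or line.
safe_field() {
    case "$1" in
        ''|*'"'*|*"$NL"*|*"$CR"*) return 1 ;;
    esac
}

# Usage: build_user_cmds user_name dn cn sn password
build_user_cmds() {
    [ "$#" -eq 5 ] || { echo "need: user_name dn cn sn password" >&2; return 2; }
    for field in "$@"; do
        safe_field "$field" || { echo "rejected: empty, quote or newline" >&2; return 1; }
    done
    # Assumed naming rule so the same name can be used in ISAM and ISIM.
    case "$1" in
        *[!A-Za-z0-9._-]*) echo "rejected user_name: $1" >&2; return 1 ;;
    esac
    # Simplified DN check: comma-separated attribute=value pairs, no escapes.
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$' ||
        { echo "rejected dn: $2" >&2; return 1; }
    # Password is printed unquoted, as on the page, so it cannot hold blanks.
    case "$5" in
        *' '*|*"$TAB"*) echo "rejected password: contains whitespace" >&2; return 1 ;;
    esac
    # -no-password-policy is never emitted: the global policy checks the password.
    printf 'user create "%s" "%s" "%s" "%s" %s\n' "$1" "$2" "$3" "$4" "$5"
    printf 'user modify "%s" account-valid yes\n' "$1"
}

# Constructed sample values that mirror the page's example.
build_user_cmds myaccount "cn=FirstName LastName,o=ibm,c=us" \
    "FirstName LastName" "LastName" 'Constructed-Passw0rd'
```

The output contains the initial password in clear text, so keep it out of shared logs and world-readable files before entering it at the pdadmin> prompt.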
