CA Identity Suite 14.x: CA Identity Manager Implement Provisioning 200

CA
Identity Suite 14.x: CA Identity
Manager ‐ Implement Provisioning 200
<Brand>™® <Product>®™

Clarifier (what comes after the colon)
Lab Guide
Lab Guide

04IMG20459 <course code>
04IMG20459LG1 <inventory code>
‐ PROPRIETARY AND CONFIDENTIAL INFORMATION ‐
© 2017 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA
Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies
referenced herein are fictitious names used for instructional purposes only. Any similarity to any real
persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos
referenced herein belong to their respective companies. These Materials are for your informational
purposes only, and do not form any type of warranty. The use of any software or product referenced in the
Materials is governed by the end user’s applicable license agreement. CA is the manufacturer of these
Materials. Provided with “Restricted Rights.”

CA Identity Suite 14.x: CA Identity Manager ‐ Implement Provisioning 200
Table of Contents
Lab 1‐1 Create a Provisioning Role ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 1
Lab 1‐2 Create an Active Directory Account Template∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 5
Lab 1‐3 Build Account Templates ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 7
Lab 1‐4 Assign Account Templates to Provisioning Roles ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 8
Appendix: Dynamic Lab Environment Access and User Guide ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 21
Self‐Directed Learning Access and Instructions ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 23
Instructor‐Led Class Set‐Up∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 27
Best Practices ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 29
Troubleshooting ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ 30

TOC‐1

© 2017 CA. All rights reserved.

CA Identity Suite 14.x: CA Identity Manager ‐ Implement Provisioning 200

For the Learn More Edition Subscriber:

In addition to this fully functional training platform (Dynamic Lab Environment), your subscription
includes a web‐based training component with recorded demonstrations of these lab activities.
Although not required, we recommend you review the WBT component first, as it describes various
use cases for the features and context for the lab activities.
TOC‐2


Module 1: Deploy Provisioning
Lab 1-1 Create a Provisioning Role
Goal Create a provisioning role for the Flight Operations department at Voonair.
Scenario Now that you have Explored and Correlated the Voonair Active Directory
endpoint, you can start to create provisioning roles so you can assign Active
Directory accounts to any new users that you create going forward. To begin, you
will create a provisioning role that can be assigned to any new users who join the
Flight Operations department at Voonair.
Time 15 minutes
Instructions:
Log in to the CA Identity Suite Virtual Appliance

First, you will log in to the Virtual Appliance dashboard, so you can access the CA Identity Manager
web interfaces.
1. Using the shortcut on the desktop, open the Google Chrome browser.
2. In the Address bar, type the following and press Enter:

192.168.1.20
3. An SSL certificate error appears. It is safe to ignore because it is a self-signed certificate

generated on the fly after an IP address is selected (and therefore not signed by a known
authority).
4. To ignore the SSL certificate error, click Advanced and then click Proceed to 192.168.1.20.
5. Log in to the CA Identity Suite Virtual Appliance using the following credentials:
Username config
Password caeducation
The Virtual Appliance dashboard appears, which shows all the deployed components of CA
Identity Suite, including CA Identity Manager. Notice the links that enable you to access the
User Console and Management Console for CA Identity Manager.
CA Technologies CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 1

Set the Provisioning Role Profile

Base the name of the provisioning role on the Flight Operations department at Voonair.
6. On the Virtual Appliance dashboard, click the User Console link for CA Identity Manager.
7. Log in to the User Console using the following credentials:

Username imadmin
Password test
8. In the User Console, expand Roles and Tasks.
9. Expand Provisioning Roles and click Create Provisioning Role.
10. Select Create a new provisioning role and then click OK.
11. On the Profile tab, in the Name field, type the following:
Flight Operations
Configure the Admin Policy for the Provisioning Role

Define the admin policy so that only users who are members of the System Manager admin role
can be administrators of this provisioning role. Include a scope rule that lets administrators of this
provisioning role manage all users.
12. Click the Administrators tab.
13. Click Add.
14. Under Admin Rule, in the Users drop-down list, select Who are members of <role-rule>.
15. In the drop-down list that subsequently appears, select admin role <admin-role>.
16. Click Browse.
17. Under Search for an admin role, click Search.
18. Scroll down the Search Results, select the System Manager role, and click Select.
19. Under Scope Rule, in the Users drop-down list, select (all).
20. Make sure that Can manage members of this Provisioning Role and Can manage
administrators of this Provisioning Role are selected.
2 CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 CA Technologies

Your completed admin policy should look like this:
21. Click OK.

Your new admin policy appears in a table format.
Configure the Owner Policy for the Provisioning Role

Define the owner policy so that only users who are members of the System Manager admin role
can be owners of this provisioning role.
22. Click the Owners tab.
23. Click Add.
24. Under Owner Rule, in the Users drop-down list, select Who are members of <role-rule>.
26. Click Browse.
Note: The System Manager is the imadmin. In real use cases, you may want to have different
managers administering and owning different roles. In this lab, the imadmin does it all.

Your completed owner policy should look like this:
29. Click OK.

Your new owner policy appears in a table format.
30. Click Submit.
Verify the Provisioning Role Exists

Use the View Provisioning Role task to verify the new provisioning role was created successfully.
31. In the Tasks menu, under Provisioning Roles, click View Provisioning Role.
Under Search Results, you will see the new Flight Operations provisioning role that you created.
You have successfully created the Flight Operations provisioning role.

Lab 1-2 Create an Active Directory Account Template
Goal Create an Active Directory account template.
Scenario Now that you have defined your first provisioning role, you need to create an
account template that you can assign to it. The account template will define the
Active Directory account characteristics for the Flight Operations container on
the Voonair_AD endpoint.
Time 10 minutes
Instructions:
Create the Account Template

Create the Active Directory account template by creating a copy of an existing template of the
same type and tailoring that copy to meet your needs.
1. In the User Console, expand Endpoints.
2. Expand Manage Account Templates and click Create Account Template.
3. Select Create a copy of an account template.
4. Under Search for account templates, in the Search for an account template of Endpoint Type
list, select Active Directory.
5. Click Search.
6. Under Search Results, select the ADSAccountPolicy template and click OK.
7. On the Account Template tab, change the Account Template Name to ADS - Flight Operations.
8. Click the Endpoints tab and click Add Active Directory Endpoint.
9. Click Search.
10. Under Search Results, select the Voonair_AD endpoint and click Select.
11. Click the Account Container tab and click Browse.

12. Select Flight Operations where the ADSOrgUnit=Employees and click Select.
13. Click Submit.
Verify the Account Template Exists

Use the View Account Template task to verify the new account template was created successfully.
14. In the Tasks menu, under Manage Account Templates, click View Account Template.
16. Click Search.
Under Search Results, you will see the new ADS - Flight Operations account template that you
created.
You have successfully created an Active Directory account template.

Lab 1-3 Build Account Templates
Goal Build account templates for other Active Directory containers.
Scenario Using the same process from the previous lab, build the remaining account
templates for the other containers from the Voonair Active Directory endpoint.
Time 20 minutes
Instructions:
Build Account Templates for Other Active Directory Containers
1. In the User Console, expand Endpoints.
2. Expand Manage Account Templates and click Create Account Template.
3. Select Create a copy of an account template.
5. Click Search.
6. Under Search Results, select the ADS - Flight Operations template and click OK.
7. Change the Account Template Name to ADS - Maintenance and Support.
8. Click the Account Container tab and click Browse.
9. Under Search Results, select Maintenance and Support where the ADSOrgUnit=Employees and
click Select.
10. Click Submit.
11. Repeat steps 3 to 10 to create account templates for the following containers:
• Executive
• Customer Service
• Business Operations
• Information Technology
Note: Make sure you select the Account Containers where the ADSOrgUnit=Employees.
12. Using the View Account Template task, verify the new account templates were created.

Lab 1-4 Assign Account Templates to Provisioning Roles
Goal Assign account templates to provisioning roles.

You are now ready to begin using the provisioning part of the product and you
Scenario
feel you have everything set up the way it must be. However, the auditors have
done a review of the capabilities granted using the default, built-in admin roles
and have concluded that they do not, in all cases, grant the appropriate level of
access. Therefore, they are requesting that you create additional admin roles
that have a subset or superset of the accesses granted by the built-in admin
roles.
One of the issues uncovered in the audit was that there were too many people
who were administering user ID without following the corporate policies for
standards and documentation. To resolve this problem, Management decided
that anyone who had user administration responsibilities needed to report to the
manager of the Support department so that there could be control over the
administration of the user ID and to make sure that the proper documentation
was in place. However, there was concern about making a wholesale change of
transferring everyone with user administration capability to the Support
department. Therefore, it was decided to run a test case by setting up the new
function with a scope of the Support department and the Information
Technology department. Then, if things went as planned, they could expand the
functionality to include the whole company. To do this, you need to create a new
Admin Role.
However, before anything is done with a new role, you need to create the
required Provisioning Roles so they can be used as part of the functionality of the
new Admin Role.
Time 60 minutes
Instructions:
Assign an Account Template to the Flight Operations Provisioning Role

Use the Modify Provisioning Role task to assign the Active Directory account template you created
in a previous lab (ADS - Flight Operations) to the Flight Operations provisioning role.
2. Expand Provisioning Roles and click Modify Provisioning Role.
3. Under Search Results, select the Flight Operations provisioning role and click Select.
4. Click the Account Templates tab and click Add Account Template.
5. Under search for account templates, select Active Directory from the drop-down list and click
Search.
6. Under Search Results, select the ADS - Flight Operations account template and click Select.
Going forward, whenever a user is assigned the Flight Operations provisioning role, they will
get an Active Directory account based on the ADS - Flight Operations account template.
7. Click Submit.
You will receive a confirmation that the task has been completed.
Create a Provisioning Role for Maintenance and Support

Create a provisioning role that can be assigned to any new users who join the Maintenance and
Support department at Voonair. Assign the Active Directory account template you created in a
previous lab (ADS - Maintenance and Support) to the provisioning role.
2. Expand Provisioning Roles and click Create Provisioning Role.
3. Select Create a copy of a provisioning role and click OK.
4. Under Search for a provisioning role, click Search.
5. Under Search Results, select the Flight Operations provisioning role and click OK.
6. On the Profile tab, change the name of the provisioning role to Maintenance and Support.
7. Click the Account Templates tab and click Add Account Template.
8. Under search for account templates, select Active Directory from the drop-down list and click
Search.
9. Under Search Results, select the ADS - Maintenance and Support account template and click
Select.
10. On the Account Templates tab, remove the ADS - Flight Operations account template by
clicking the red minus icon at the end of the row in the account templates table.
Going forward, whenever a user is assigned the Maintenance and Support provisioning role,
they will get an Active Directory account based on the ADS - Maintenance and Support account
template. The Administrators and Owners of this provisioning role will be scoped later. For
now, they are set to the System Manager admin role.
11. Click Submit.

12. To verify the new Maintenance and Support provisioning role was created successfully, under
Provisioning Roles, click View Provisioning Role.
13. Under Search Results, you will see the new Maintenance and Support provisioning role listed
with the Flight Operations provisioning role that you created earlier.
Note: At this point, you would typically create provisioning roles for the remaining departments
and associate them to their corresponding account templates that you created earlier.
However, since the roles will not be used in future labs, there is no requirement for you to do
this.
Create a Custom Admin Role

Create a custom admin role called Voonair - Helpdesk by creating a copy of the out-of-the-box
User Manager admin role and adding the admin task for resetting user passwords to the custom
role.
2. Expand Admin Roles and click Create Admin Role.
3. Select Create a copy of an admin role and click OK.
5. Under Search Results, select the User Manager admin role and click OK.
6. On the Profile tab, change the name of the admin role to Voonair - Helpdesk.
7. Click the Tasks tab.

Most of the tasks for the role are predefined because you are copying one of the out-of-the-box
admin roles. You just need to add one additional task called Reset User Password.
8. In the Add Task list, select the Reset User Password task.
The Reset User Password task now appears in the list of tasks for the role.
9. Click the Members tab.

You need to define the member policy so that only users who belong to the Maintenance
department can be members of this admin role. Include a scope rule that lets members of this
admin role manage only users in the Maintenance department.
10. Click Add.

You are going to define the member policy using the Department user attribute.
11. In the Users drop-down list, select where <user-filter>.
12. In the drop-down list, change the attribute to Department and type an attribute value of
Maintenance.
13. Under Add new scoping rule, select User from the drop-down list.
14. In the User drop-down list, select where <user-filter>.
15. In the drop-down list, select <user-attribute> <comparator> <value>.
Maintenance.
17. Click OK.

Your completed member policy for the Voonair - Helpdesk admin role appears.
For this admin role, you will accept the default setting that enables administrators to add and
remove role members. For this setting, you need to specify an Add action to define what
happens when a user is added as a member of this admin role. The Add action must make the
user meet the member rule. Optionally, you can specify a Remove action to define what
happens when a user is removed as a member of this admin role. The Remove action must
prevent the user from meeting the member rule. You will only set an Add action here.
18. Under Add Action, select Set Department to "Maintenance" from the drop-down list.

Define the admin policy so that only users who are members of the System Manager admin role
can be administrators of your Voonair - Helpdesk admin role. Include a scope rule that lets
administrators of your Voonair - Helpdesk admin role manage all users.
20. Click Add.
23. Click Browse.
26. Under Scope Rule, in the Users drop-down list, select (all).
27. Make sure that Can manage members of this Admin Role and Can manage administrators of
this Admin Role are selected.

Your completed admin policy should look like this:
28. Click OK.

Your new admin policy appears in a table format.

Because you created a copy of an existing admin role, the owner of your Voonair - Helpdesk
role is already predefined for you. In this case, the owner policy is configured so that only users
who are members of the System Manager admin role can be owners of your Voonair -
Helpdesk admin role.
30. Click Submit.

31. To verify the new Voonair - Helpdesk admin role was created successfully, under Admin Roles,
click View Admin Role.
32. Under Search Results, scroll down to the bottom and you will see the new Voonair - Helpdesk
admin role.

Modify the Maintenance and Support Provisioning Role

Add an Admin Policy to allow admin role members of Voonair - Helpdesk to add and remove
members (not administrators) to the Maintenance and Support provisioning role. Include a
scoping rule to allow the Voonair - Helpdesk members to only manage users in the Maintenance
department.
2. Expand Provisioning Roles and click Modify Provisioning Role.
3. Under Search Results, select the Maintenance and Support and click Select.
5. Under Admin Policies, click Add.
8. Click Browse.
10. Scroll down the Search Results, select the Voonair - Helpdesk role, and click Select.
11. Under Scope Rule, in the Users drop-down list, select where <user-filter>.
12. In the drop-down list, select <user-attribute> <comparator> <value>.
Maintenance.
14. Under Administrator's Privileges, clear the Can manage administrators of this Provisioning
Role option.
15. Click OK.

Your new admin policy appears in the Admin Policies table.

The owner policy remains unchanged.

17. Click Submit.

Assign the Voonair - Helpdesk Admin Role to a User in Information Technology

Assign this admin role to a user in the Information Technology department, Dylan Davies.
2. Expand Admin Roles and click Modify Admin Role Members/Administrators.
3. Under Search Results, select the Voonair - Helpdesk admin role and click Select.
4. Click Add a user.
5. Search by Last Name using *davies* as the search string.
6. Under Search Results, select ddavies and click Select.

Dylan Davies appears in the list of members on the Membership tab.
7. Click Submit.
Remember from earlier, you specified an Add action to define what happens when a user is
added as a member of this admin role. That Add action was to change the department of the
user to Maintenance. Now you can check that Dylan Davies' department has changed from IT to
Maintenance.
8. Expand Users and Manage Users.
9. Click View User.
10. Under Search for a user, click Search.

11. Under Search Results, scroll down and find Dylan Davies. Notice that his department has
changed to Maintenance.
Create a Password for Dylan Davies

Since the user Dylan Davies was imported from Active Directory, he does not have a password yet.
Use the Reset User Password admin task to set his user password.
2. Click Reset User Password.
4. Under Search Results, select Dylan Davies and click Select.
5. In the Password and Confirm Password fields, type the following:

Password01
6. Click Submit.
7. Click Sign out.
8. Log in to the User Console using the following credentials:

Username ddavies
Password Password01

10. In the Tasks menu, notice that Dylan Davies now has the ability to create, modify, delete, view,
and manage users.
11. Click View User.
13. Notice that only users in the Maintenance department are listed.
Create a New User

You are logged in as Dylan Davies who is a member of the Voonair - Helpdesk admin role because
he belongs to the Maintenance department. The scope of the admin role gives Dylan the ability to
create and manage users in the Maintenance department. Now, go ahead and create a new user
called Tim Smith in the Maintenance department.
1. Under Manage Users, click Create User.
2. Select Create a New User and click OK.
3. On the Create User page, beside the Organization field, click Browse.
4. Under Search for an organization, click Search.
5. Under Search Results, select the im organization and click Select.

6. On the Profile tab, enter the following information for the new user:
User ID tsmith
Password Password01
Confirm Password Password01
Enabled Checked
First Name Tim
Last Name Smith
Full Name Tim Smith
Department Maintenance
7. Click Submit.
8. Under Manage Users, use the View User admin task to verify the new user exists.
9. Log out and then log back in as Tim Smith:

Username tsmith
Password Password01
10. In the Tasks menu, notice that Tim Smith also has the ability to create, modify, delete, view, and
manage users. These admin tasks are available to Tim through his membership of the Voonair -
Helpdesk admin role because he belongs to the Maintenance department.
Delete a User
Log back in as Dylan Davies and delete the Tim Smith user that you just created.
1. Log out and then log back in as Dylan Davies:

Username ddavies
Password Password01

3. Click Delete User.
4. Under Search for users, click Search.
5. Under Search Results, select the tsmith user and click Select.
6. To confirm the deletion, click Yes.

7. Under Manage Users, use the View User admin task to verify the deletion of Tim Smith. He
should no longer be listed as a user.

8.

Appendix: CA Technologies Dynamic Lab Environment
Appendix: Dynamic Lab Environment Access and User Guide
Getting Started
Dynamic Lab Environment is the name of the CA Education virtual environment for labs and
practice activities. The technology behind the Dynamic Lab Environment is provided by Skytap and
some of the instructions in this document reference Skytap.
This appendix provides the following information:
• System and network requirements
• Self-Directed Learning login and usage information
• Setting up an environment (other than Self-Directed Learning)
• Instructor-Led classroom set up
• Best practices
• Troubleshooting
• Escalating unresolved issues
System Requirements
The minimum system requirements for an individual client machine accessing the Dynamic Lab
Environment are listed below. Please check that you meet the minimum requirements and that
you have the equipment you need before attempting to use the environment.
• Windows XP/2003/Vista/2008/Windows 7/2008 R2/Windows 8/2012

Operating
• Mac OS X 10.7 or higher (Lion or Mountain Lion)
Systems
• Linux variants with supported browser and Java versions
• Internet Explorer 8, 9, or 10
Browsers
• Mozilla Firefox
• Google Chrome
• Mac OS X Safari
Java Version
• The acceptable Java versions are Java 1.6, 1.7, or newer.
• If you are unsure which version of Java you are running, simply click the following link and it
will auto-detect: http://java.com/en/download/installed.jsp or type “java -version” in the
terminal for Linux.
• If you are running OS X, please see Running Java on Mac OS X.
• For information on installing Java on your local Linux machine, see How to install Java on my
local Linux machine.

© 2017 CA. All rights reserved
Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.

Self-Directed Learning Access and Instructions
After you register for the course, you will receive a system-generated email that includes two
important pieces of information:
• A published URL to access your assigned lab environment
• The date and time on which your access to that environment expires
Keep this email as you will need to use the URL whenever you access your lab environment.
Here is a sample email with the two pieces of information highlighted:
Access Your Assigned Lab Environment

Click on the published URL from the email or paste the link in your web browser to access your
assigned lab environment. Use this same link each time you access your dynamic lab environment.
A sample environment with multiple Virtual Machines (VMs) is shown below:

The above sample environment includes three VMs. Your particular environment will be
appropriate for the course activities for which you have registered.
NOTE: When you initially access your environment, you may see a Java prompt, asking if
you want to run this application. Click Run if you see this prompt. It will enable you to
properly connect into the environment and enable the keyboard to work correctly.
Manage Your Assigned Lab Environment

You are allocated a certain amount of lab session time to complete all of the activities associated
with a given course. That time starts once you access your environment and continues to run until
the end date and time specified in the email. The clock continues to run even if you are not actively
working in the environment unless you manage your environment.
Use the Suspend and Run buttons to manage your lab environment. These buttons are shown
below:
Using Suspend to preserve your lab time

Click the Suspend button to stop the Run Time clock. Do this any time you are not working on
course activities to preserve your remaining time. You can suspend any or all of the VMs in your
environment by clicking in the check box in each VM window and then clicking the Suspend button.
The Suspend button is called out in the following sample where all three VMs have been checked:

When you click Suspend, your allocated lab time is preserved and the time clock remains paused
until you change the status to Run. The VMs in a suspended environment display that status as
shown in the following image:
Once you have suspended your environment, you can minimize or close the browser window in
which the environment has been running. Use the same URL you were sent in email to re-open
your environment when you are ready to resume.
Using Run to resume running your lab time

Click the Run button to start up suspended VMs and restart the Run Time clock. The Run button is
called out in the following sample:
This may take several minutes. The environment is ready the when VMs are highlighted in green
and display a Running status. Click on the machine(s) you want to directly access to start or resume
your lab activities.
Tracking lab time using the Run Time clock

The Run Time clock in the upper right corner of your set of VMs tracks how much dynamic lab
environment time you have left.

Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.
If you have a group of 15 users, each connecting to their own client session from the same physical
location concurrently, the recommended amount of bandwidth required is
1.16Mb/sec per user x 15 or 17.5Mb/sec.
Connection Test
If you are connecting for the first time, or connecting from a computer you have never used before,
run the connection and speed tests to make sure that your browser supports a connection to the
Dynamic Lab Environment. These tests are hosted by Skytap directly.
Use the following URL to use the Skytap Connectivity Checker to run connection and speed tests:
https://cloud.skytap.com/tools/connectivity

Instructor-Led Class Set-Up
The Dynamic Lab Environment is accessed directly through a URL link that is provided to the
instructor by a system-generated email. The email includes a class URL as well as instructor and
student position URLs. A sample email is shown below:
1. Click the URL link or copy and paste the link to your web browser. If the URL link is valid, your
web browser will load the environment with the appropriate VM or VM set for hands-on
activities.
2. Examine all VMs and ensure they are running by selecting them and clicking the Run button to
power them on.

Once they are powered on, all VMs will show that they are in a running status and you may
log in to the VMs by clicking the desired VM machine.
3. Click the desired VM machine to connect directly to it.
Note: Most VMs will take you directly to the desktop, but if you are prompted to enter login info,
use the following credentials:
- Username: administrator
- Password: caeducation
Students should have been sent an email message telling them to run the tests before class starts.
Best practice is for the instructor to send an email message to your students to introduce yourself
as the instructor and remind them to run the connectivity test before the class starts.

Best Practices
Use the following list of best practices to help you avoid potential issues with the Dynamic Lab
Environment:
• Ensure that you are connected to a dedicated hardwired network connection on a
broadband internet connection.
• Do not use Wi-Fi connection because it is more susceptible to higher latency issues
impacting performance.
• Close all applications and documents you are not using for your virtual training; applications
running in the background may use up your computer's bandwidth and affect system
performance.
• You should not be connected to a corporate VPN while connecting to the virtual training
class.

Troubleshooting
Run both Connectivity Checker and Speed Test from appropriate application regions and submit
results to educationlabs@ca.com. Before the start of class, make sure your browser supports a
connection to the remote labs.


CA Identity Suite 14.x: CA Identity Manager Implement Provisioning 200

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

CA Identity Suite 14.x: CA Identity Manager Implement Provisioning 200

Загружено:

Авторское право:

Доступные форматы

CA

Lab 1-1 Create a Provisioning Role

Log in to the CA Identity Suite Virtual Appliance

2. In the Address bar, type the following and press Enter:

3. An SSL certificate error appears. It is safe to ignore because it is a self-signed certificate

CA Technologies CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 1

Set the Provisioning Role Profile

7. Log in to the User Console using the following credentials:

8. In the User Console, expand Roles and Tasks.

9. Expand Provisioning Roles and click Create Provisioning Role.

Configure the Admin Policy for the Provisioning Role

12. Click the Administrators tab.

13. Click Add.

16. Click Browse.

17. Under Search for an admin role, click Search.

2 CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 CA Technologies

Your completed admin policy should look like this:

21. Click OK.

Configure the Owner Policy for the Provisioning Role

22. Click the Owners tab.

23. Click Add.

26. Click Browse.

27. Under Search for an admin role, click Search.

CA Technologies CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 3

Your completed owner policy should look like this:

29. Click OK.

30. Click Submit.

Verify the Provisioning Role Exists

You have successfully created the Flight Operations provisioning role.

4 CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 CA Technologies

Lab 1-2 Create an Active Directory Account Template

Goal Create an Active Directory account template.

Create the Account Template

1. In the User Console, expand Endpoints.

2. Expand Manage Account Templates and click Create Account Template.

3. Select Create a copy of an account template.

11. Click the Account Container tab and click Browse.

CA Technologies CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 5

13. Click Submit.

Verify the Account Template Exists

16. Click Search.

You have successfully created an Active Directory account template.

6 CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 CA Technologies

Lab 1-3 Build Account Templates

Goal Build account templates for other Active Directory containers.

Build Account Templates for Other Active Directory Containers

1. In the User Console, expand Endpoints.

2. Expand Manage Account Templates and click Create Account Template.

3. Select Create a copy of an account template.

7. Change the Account Template Name to ADS - Maintenance and Support.

8. Click the Account Container tab and click Browse.

10. Click Submit.

CA Technologies CA Identity Suite 14.x: CA Identity Manager - Implement Provisioning 200 7

Lab 1-4 Assign Account Templates to Provisioning Roles

Goal Assign account templates to provisioning roles.

Assign an Account Template to the Flight Operations Provisioning Role

1. In the User Console, expand Roles and Tasks.

2. Expand Provisioning Roles and click Modify Provisioning Role.

Create a Provisioning Role for Maintenance and Support

1. In the User Console, expand Roles and Tasks.

2. Expand Provisioning Roles and click Create Provisioning Role.

3. Select Create a copy of a provisioning role and click OK.

4. Under Search for a provisioning role, click Search.

5. Search by Last Name using davies as the search string.