CA Identity Suite 14.x: CA Identity Manager ‐ Implement Provisioning 200
Lab Guide
Course code: 04IMG20459
Inventory code: 04IMG20459LG1
‐ PROPRIETARY AND CONFIDENTIAL INFORMATION ‐
© 2017 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA
Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies
referenced herein are fictitious names used for instructional purposes only. Any similarity to any real
persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos
referenced herein belong to their respective companies. These Materials are for your informational
purposes only, and do not form any type of warranty. The use of any software or product referenced in the
Materials is governed by the end user’s applicable license agreement. CA is the manufacturer of these
Materials. Provided with “Restricted Rights.”
Table of Contents
Lab 1‐1 Create a Provisioning Role
Lab 1‐2 Create an Active Directory Account Template
Lab 1‐3 Build Account Templates
Lab 1‐4 Assign Account Templates to Provisioning Roles
Appendix: Dynamic Lab Environment Access and User Guide
Self‐Directed Learning Access and Instructions
Instructor‐Led Class Set‐Up
Best Practices
Troubleshooting
For the Learn More Edition Subscriber:
In addition to this fully functional training platform (Dynamic Lab Environment), your subscription
includes a web‐based training component with recorded demonstrations of these lab activities.
Although not required, we recommend you review the WBT component first, as it describes various
use cases for the features and context for the lab activities.
Module 1: Deploy Provisioning
Goal: Create a provisioning role for the Flight Operations department at Voonair.
Scenario: Now that you have Explored and Correlated the Voonair Active Directory
endpoint, you can start to create provisioning roles so you can assign Active
Directory accounts to any new users that you create going forward. To begin, you
will create a provisioning role that can be assigned to any new users who join the
Flight Operations department at Voonair.
Time: 15 minutes
Instructions:
1. Using the shortcut on the desktop, open the Google Chrome browser.
4. To ignore the SSL certificate error, click Advanced and then click Proceed to 192.168.1.20.
5. Log in to the CA Identity Suite Virtual Appliance using the following credentials:
- Username: config
- Password: caeducation
The Virtual Appliance dashboard appears, which shows all the deployed components of CA
Identity Suite, including CA Identity Manager. Notice the links that enable you to access the
User Console and Management Console for CA Identity Manager.
6. On the Virtual Appliance dashboard, click the User Console link for CA Identity Manager.
10. Select Create a new provisioning role and then click OK.
11. On the Profile tab, in the Name field, type the following:
Flight Operations
14. Under Admin Rule, in the Users drop-down list, select Who are members of <role-rule>.
15. In the drop-down list that subsequently appears, select admin role <admin-role>.
18. Scroll down the Search Results, select the System Manager role, and click Select.
19. Under Scope Rule, in the Users drop-down list, select (all).
20. Make sure that Can manage members of this Provisioning Role and Can manage
administrators of this Provisioning Role are selected.
24. Under Owner Rule, in the Users drop-down list, select Who are members of <role-rule>.
25. In the drop-down list that subsequently appears, select admin role <admin-role>.
28. Scroll down the Search Results, select the System Manager role, and click Select.
Note: The System Manager is the imadmin. In real use cases, you may want to have different
managers administering and owning different roles. In this lab, the imadmin does it all.
31. In the Tasks menu, under Provisioning Roles, click View Provisioning Role.
Under Search Results, you will see the new Flight Operations provisioning role that you created.
Scenario: Now that you have defined your first provisioning role, you need to create an
account template that you can assign to it. The account template will define the
Active Directory account characteristics for the Flight Operations container on
the Voonair_AD endpoint.
Time: 10 minutes
Instructions:
4. Under Search for account templates, in the Search for an account template of Endpoint Type
list, select Active Directory.
5. Click Search.
6. Under Search Results, select the ADSAccountPolicy template and click OK.
7. On the Account Template tab, change the Account Template Name to ADS - Flight Operations.
8. Click the Endpoints tab and click Add Active Directory Endpoint.
9. Click Search.
10. Under Search Results, select the Voonair_AD endpoint and click Select.
12. Select Flight Operations where the ADSOrgUnit=Employees and click Select.
14. In the Tasks menu, under Manage Account Templates, click View Account Template.
15. Under Search for account templates, in the Search for an account template of Endpoint Type
list, select Active Directory.
Under Search Results, you will see the new ADS - Flight Operations account template that you
created.
Scenario: Using the same process from the previous lab, build the remaining account
templates for the other containers from the Voonair Active Directory endpoint.
Time: 20 minutes
Instructions:
4. Under Search for account templates, in the Search for an account template of Endpoint Type
list, select Active Directory.
5. Click Search.
6. Under Search Results, select the ADS - Flight Operations template and click OK.
9. Under Search Results, select Maintenance and Support where the ADSOrgUnit=Employees and
click Select.
11. Repeat steps 3 to 10 to create account templates for the following containers:
• Executive
• Customer Service
• Business Operations
• Information Technology
Note: Make sure you select the Account Containers where the ADSOrgUnit=Employees.
12. Using the View Account Template task, verify the new account templates were created.
Time: 60 minutes
Instructions:
3. Under Search Results, select the Flight Operations provisioning role and click Select.
4. Click the Account Templates tab and click Add Account Template.
5. Under search for account templates, select Active Directory from the drop-down list and click
Search.
6. Under Search Results, select the ADS - Flight Operations account template and click Select.
Going forward, whenever a user is assigned the Flight Operations provisioning role, they will
get an Active Directory account based on the ADS - Flight Operations account template.
7. Click Submit.
You will receive a confirmation that the task has been completed.
5. Under Search Results, select the Flight Operations provisioning role and click OK.
6. On the Profile tab, change the name of the provisioning role to Maintenance and Support.
7. Click the Account Templates tab and click Add Account Template.
8. Under search for account templates, select Active Directory from the drop-down list and click
Search.
9. Under Search Results, select the ADS - Maintenance and Support account template and click
Select.
10. On the Account Templates tab, remove the ADS - Flight Operations account template by
clicking the red minus icon at the end of the row in the account templates table.
Going forward, whenever a user is assigned the Maintenance and Support provisioning role,
they will get an Active Directory account based on the ADS - Maintenance and Support account
template. The Administrators and Owners of this provisioning role will be scoped later. For
now, they are set to the System Manager admin role.
12. To verify the new Maintenance and Support provisioning role was created successfully, under
Provisioning Roles, click View Provisioning Role.
13. Under Search Results, you will see the new Maintenance and Support provisioning role listed
with the Flight Operations provisioning role that you created earlier.
Note: At this point, you would typically create provisioning roles for the remaining departments
and associate them to their corresponding account templates that you created earlier.
However, since the roles will not be used in future labs, there is no requirement for you to do
this.
5. Under Search Results, select the User Manager admin role and click OK.
6. On the Profile tab, change the name of the admin role to Voonair - Helpdesk.
8. In the Add Task list, select the Reset User Password task.
The Reset User Password task now appears in the list of tasks for the role.
12. In the drop-down list, change the attribute to Department and type an attribute value of
Maintenance.
13. Under Add new scoping rule, select User from the drop-down list.
16. In the drop-down list, change the attribute to Department and type an attribute value of
Maintenance.
For this admin role, you will accept the default setting that enables administrators to add and
remove role members. For this setting, you need to specify an Add action to define what
happens when a user is added as a member of this admin role. The Add action must make the
user meet the member rule. Optionally, you can specify a Remove action to define what
happens when a user is removed as a member of this admin role. The Remove action must
prevent the user from meeting the member rule. You will only set an Add action here.
18. Under Add Action, select Set Department to "Maintenance" from the drop-down list.
21. Under Admin Rule, in the Users drop-down list, select Who are members of <role-rule>.
22. In the drop-down list that subsequently appears, select admin role <admin-role>.
25. Scroll down the Search Results, select the System Manager role, and click Select.
26. Under Scope Rule, in the Users drop-down list, select (all).
27. Make sure that Can manage members of this Admin Role and Can manage administrators of
this Admin Role are selected.
31. To verify the new Voonair - Helpdesk admin role was created successfully, under Admin Roles,
click View Admin Role.
32. Under Search Results, scroll down to the bottom and you will see the new Voonair - Helpdesk
admin role.
3. Under Search Results, select the Maintenance and Support provisioning role and click Select.
6. Under Admin Rule, in the Users drop-down list, select Who are members of <role-rule>.
7. In the drop-down list that subsequently appears, select admin role <admin-role>.
8. Click Browse.
10. Scroll down the Search Results, select the Voonair - Helpdesk role, and click Select.
11. Under Scope Rule, in the Users drop-down list, select where <user-filter>.
13. In the drop-down list, change the attribute to Department and type an attribute value of
Maintenance.
14. Under Administrator's Privileges, clear the Can manage administrators of this Provisioning
Role option.
3. Under Search Results, select the Voonair - Helpdesk admin role and click Select.
7. Click Submit.
You will receive a confirmation that the task has been completed.
Remember from earlier, you specified an Add action to define what happens when a user is
added as a member of this admin role. That Add action was to change the department of the
user to Maintenance. Now you can check that Dylan Davies' department has changed from IT to
Maintenance.
11. Under Search Results, scroll down and find Dylan Davies. Notice that his department has
changed to Maintenance.
6. Click Submit.
10. In the Tasks menu, notice that Dylan Davies now has the ability to create, modify, delete, view,
and manage users.
13. Notice that only users in the Maintenance department are listed.
3. On the Create User page, beside the Organization field, click Browse.
6. On the Profile tab, enter the following information for the new user:
- User ID: tsmith
- Password: Password01
- Confirm Password: Password01
- Enabled: Checked
- First Name: Tim
- Last Name: Smith
- Full Name: Tim Smith
- Department: Maintenance
7. Click Submit.
You will receive a confirmation that the task has been completed.
8. Under Manage Users, use the View User admin task to verify the new user exists.
10. In the Tasks menu, notice that Tim Smith also has the ability to create, modify, delete, view, and
manage users. These admin tasks are available to Tim through his membership of the Voonair -
Helpdesk admin role because he belongs to the Maintenance department.
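The member rule, scope rule and Add action configured for the Voonair - Helpdesk admin role can be modelled to show why Tim Smith holds the role without ever being added to it. The following Python model is an added example, not CA Identity Manager code or its API; the class and function names are hypothetical, and the user IDs ddavies and jdoe are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AdminRole:                          # hypothetical model, not a product class
    name: str
    member_rule: dict                     # attribute -> value a member must have
    scope_rule: dict                      # attribute -> value a managed user must have
    add_action: dict                      # attributes written when a member is added
    remove_action: Optional[dict] = None  # attributes written on removal (optional)

    def is_member(self, attrs):
        return all(attrs.get(k) == v for k, v in self.member_rule.items())

    def in_scope(self, attrs):
        return all(attrs.get(k) == v for k, v in self.scope_rule.items())

    def config_problems(self):
        """Check the two constraints the lab states for Add and Remove actions."""
        problems = []
        if not self.is_member(dict(self.add_action)):
            problems.append("Add action does not make the user meet the member rule")
        if self.remove_action is not None and self.is_member(
                {**self.member_rule, **self.remove_action}):
            problems.append("Remove action leaves the user meeting the member rule")
        return problems

def add_member(role, users, user_id):
    """Apply the role's Add action to one user and return that user's ID."""
    users[user_id].update(role.add_action)
    return user_id

def members(role, users):
    """Everyone whose attributes currently satisfy the member rule."""
    return sorted(u for u, a in users.items() if role.is_member(a))

def manageable_by(role, users, admin_id):
    """Users an admin can act on: none unless the admin meets the member rule."""
    if not role.is_member(users[admin_id]):
        return []
    return sorted(u for u, a in users.items() if role.in_scope(a))

def implicit_members(role, users, explicitly_added):
    """Members who hold the role only because an attribute value matches."""
    return [u for u in members(role, users) if u not in explicitly_added]

HELPDESK = AdminRole("Voonair - Helpdesk", member_rule={"Department": "Maintenance"},
                     scope_rule={"Department": "Maintenance"},
                     add_action={"Department": "Maintenance"})

def lab_scenario():
    """Replay the lab on constructed users (ddavies and jdoe are invented IDs)."""
    users = {"ddavies": {"Department": "IT"}, "jdoe": {"Department": "IT"}}
    added = {add_member(HELPDESK, users, "ddavies")}   # Dylan: IT -> Maintenance
    users["tsmith"] = {"Department": "Maintenance"}    # user Dylan creates
    return members(HELPDESK, users), implicit_members(HELPDESK, users, added)

if __name__ == "__main__":
    print(HELPDESK.config_problems(), lab_scenario())
```

The result of implicit_members is the list to review when auditing such a role: those users gained the Helpdesk tasks through a Department value alone.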
Delete a User
Log back in as Dylan Davies and delete the Tim Smith user that you just created.
5. Under Search Results, select the tsmith user and click Select.
7. Under Manage Users, use the View User admin task to verify the deletion of Tim Smith. He
should no longer be listed as a user.
8.
Getting Started
Dynamic Lab Environment is the name of the CA Education virtual environment for labs and
practice activities. The technology behind the Dynamic Lab Environment is provided by Skytap and
some of the instructions in this document reference Skytap.
This appendix provides the following information:
• System and network requirements
• Self-Directed Learning login and usage information
• Setting up an environment (other than Self-Directed Learning)
• Instructor-Led classroom set up
• Best practices
• Troubleshooting
• Escalating unresolved issues
System Requirements
The minimum system requirements for an individual client machine accessing the Dynamic Lab
Environment are listed below. Please check that you meet the minimum requirements and that
you have the equipment you need before attempting to use the environment.
Java Version
• The acceptable Java versions are Java 1.6, 1.7, or newer.
• If you are unsure which version of Java you are running, simply click the following link and it
will auto-detect: http://java.com/en/download/installed.jsp or type “java -version” in the
terminal for Linux.
• If you are running OS X, please see Running Java on Mac OS X.
• For information on installing Java on your local Linux machine, see How to install Java on my
local Linux machine.
Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.
After you register for the course, you will receive a system-generated email that includes two
important pieces of information:
• A published URL to access your assigned lab environment
• The date and time on which your access to that environment expires
Keep this email as you will need to use the URL whenever you access your lab environment.
Here is a sample email with the two pieces of information highlighted:
The above sample environment includes three VMs. Your particular environment will be
appropriate for the course activities for which you have registered.
NOTE: When you initially access your environment, you may see a Java prompt, asking if
you want to run this application. Click Run if you see this prompt. It will enable you to
properly connect into the environment and enable the keyboard to work correctly.
When you click Suspend, your allocated lab time is preserved and the time clock remains paused
until you change the status to Run. The VMs in a suspended environment display that status as
shown in the following image:
Once you have suspended your environment, you can minimize or close the browser window in
which the environment has been running. Use the same URL you were sent in email to re-open
your environment when you are ready to resume.
This may take several minutes. The environment is ready when the VMs are highlighted in green
and display a Running status. Click on the machine(s) you want to directly access to start or resume
your lab activities.
Network Requirements
We recommend a minimum download speed of 1.16 Mb/sec (150 KB/sec) per client connection
(i.e., each individual user). In addition, we recommend latency of 250ms or less.
If you have a group of 15 users, each connecting to their own client session from the same physical
location concurrently, the recommended amount of bandwidth required is
1.16Mb/sec per user x 15 or 17.5Mb/sec.
Connection Test
If you are connecting for the first time, or connecting from a computer you have never used before,
run the connection and speed tests to make sure that your browser supports a connection to the
Dynamic Lab Environment. These tests are hosted by Skytap directly.
Use the following URL to use the Skytap Connectivity Checker to run connection and speed tests:
https://cloud.skytap.com/tools/connectivity
The Dynamic Lab Environment is accessed directly through a URL link that is provided to the
instructor by a system-generated email. The email includes a class URL as well as instructor and
student position URLs. A sample email is shown below:
1. Click the URL link or copy and paste the link to your web browser. If the URL link is valid, your
web browser will load the environment with the appropriate VM or VM set for hands-on
activities.
2. Examine all VMs and ensure they are running by selecting them and clicking the Run button to
power them on.
Once they are powered on, all VMs will show that they are in a running status and you may
log in to the VMs by clicking the desired VM machine.
3. Click the desired VM machine to connect directly to it.
Note: Most VMs will take you directly to the desktop, but if you are prompted to enter login info,
use the following credentials:
- Username: administrator
- Password: caeducation
Students should have been sent an email message telling them to run the tests before class starts.
As a best practice, the instructor should send students an email message to introduce themselves
and remind them to run the connectivity test before the class starts.
Best Practices
Use the following list of best practices to help you avoid potential issues with the Dynamic Lab
Environment:
• Ensure that you are connected to a dedicated hardwired network connection on a
broadband internet connection.
• Do not use a Wi-Fi connection, because it is more susceptible to latency issues that
impact performance.
• Close all applications and documents you are not using for your virtual training; applications
running in the background may use up your computer's bandwidth and affect system
performance.
• You should not be connected to a corporate VPN while connecting to the virtual training
class.
Troubleshooting
Run both the Connectivity Checker and the Speed Test from the appropriate application regions and
submit the results to educationlabs@ca.com. Before the start of class, make sure your browser
supports a connection to the remote labs.