Wednesday, March 14, 2007

Day one and two at ITIM 4.6 Basic Implementation Workshop

In the first two days of the basic implementation workshop we have already covered a lot of ground. It's almost moving to fast so for the last two nights I would bring my book back to the hotel and go over the exercises again using my sandbox environment on my laptop. But here are some bullet points I've picked up in the first two days:

  • Do not touch the TIM LDAP or the TIM database directly for any reason. In other words these two things are off limits to any other system besides TIM. While it may be tempting to let some system connect up to the LDAP make a query or something, it is highly discouraged by the Tivoli folks.
  • The default page in TIM when any user logs in is the change password screen. This may be confusing to people and make them think that they must change their password. This screen can be changed.
  • Changing UIDs is very difficult if not nearly impossible. Avoid doing this. An ideal solution for UID is to use something that will not change like Employee Number. Do not use FI LastName.
  • Referral attributes like Supervisor or Manager will require two loads of TIM. The supervisors need to exist in TIM before you can populate the supervisor (ersupervisor) attribute.
  • The Password Policy you choose for TIM should be the same as the password policy you are using on target systems. It is possible to make it different, but be careful because when a user is required to change their password ,while it may be allowed on TIM may not be allowed on the target resource or vice versa.
  • In TIM you can configure how to handle non compliant accounts. The choice is Notify, Mark or Correct. be very careful when configuring TIM to correct non compliant accounts. By simply removing a role from someone you may cause TIM to delete many accounts from some target resource. De provisioning accounts may mean different things on different target resources. You should choose to Mark non compliant accounts instead of correct them at least until you are completely comfortable with TIM. And that may never happen. :-)
  • When you don't want a user to have an account, but you cannot change the Role and you cannot change the Provisioning Policy, simply suspend the account.
  • In TIM 4.6 some restrictions in provisioning policies have been removed from past versions so that you really no longer need to use Locations or Business Partner Locations in your organization tree. Keep this in mind when designing the tree because when you have to search for people you often have to choose the category of people you are looking for. It's sometimes easier of they are all the same.
  • Static vs. Dynamic Roles - Static roles are simple to set up, but you must maintain them manually. Dynamic roles are automatic (use an LDAP search to build), however they can cause slower performance because they are constantly be re-evaluated.
  • If you have customized any Service Profile Forms, make sure to back up the service profile before you reload the form in TIM. Not sure how often you would encounter a need to reload the Service Profile, but if you did have to for some reason you would blow away any customization you made to the form earlier.
  • For any target systems you will manage with TIM designate a Service Owner. This way when setting up workflows you can have requests routed automatically to those people who actually manage that resource. Obviously then those people would require a TIM account.
  • I still have to verify this one yet, but a Provisioning Policy has to exist in the same container as the service it pertains to.
  • Service Selection Policies get evaluated anytime anything in TIM changes. This will result in poorer performance. Avoid using these.
  • When two policies for the exact same service applies to you, the one with the higher priority wins. (The lower number means higher priority)
  • There is a recycle bin in TIM. Anytime you delete an account, it goes into the recycle bin. This is used internally by TIM and accounts are kept there for 62 days.
  • When doing a recon your goal is to have 0 orphaned accounts. To help with that TIM by default will match up the account name on the target system with what is in the alias field in TIM. This is a nice feature to help minimize orphans. When you are feeding people into TIM use the alias field and populate it with what is likely to be the account names for your target systems. TIM will try to match these up during a recon and those accounts that match will be adopted.
  • There are two different kind of workflows - provisioning people and operational. Also workflows can be global or profile specific. There is a workflow element called "work order". This is only useful if you want to send something to someone, but not receive anything back. Technically with a lot of custom coding you can get something back, but there are other ways to do this.
  • Users in a TIM environment can begin to receive a lot of email especially when there is approvals required and things to do. You can use Post Office Aggregation which will group email notifications so that users do not get bombarded with email.
  • is where you will store strings that can be used in your workflows.
  • Delegate Authority is a feature available in TIM which allows you to transfer your To Do list to someone else for some specified amount of time. The To Do list will reside in only one place so if you delegate authority to someone else say while you are on vacation you will not get copied on that To Do list. When you return items on the To Do list which the delegate was seeing will not come back to you so that person who was delegated must process those To Do's. Likewise before you delegate to someone else, you must process all To Do's on your list because those To Do's that have not been processed yet will not go to the person delegated. It only directs new requests to the person delegated.
  • Make sure to have another account besides ITIM Manager in the event someone locks the ITIM Manager account.

As I learn new things or if I find corrections to any of the above I will post again, but that's not bad for the first two days of class. I still have several hours of work on my sandbox to catch up to what we have done in class, but repetition and constant exposure to this product is how you will learn it. I venture to guess it could take at least a few years to learn TIM so I am doing everything I can to spend as many hours as possible with it so that I can learn it faster.


Oscar Tejada said...

I'm currently having a bad experience configuring ITIM 4.6 and the Active Directory Adapter...

there is no way to make it work!! matter the syntax and variations, i get always the same "unable to bind to basepoint" error message....have you have similars experiences before?, or perhaps some config examples to make my life easier ; )

if so, please contact me here or at

Anonymous said... is very informative. The article is very professionally written. I enjoy reading every day.
payday loan payday

Anonymous said...

Can anyone recommend the top RMM program for a small IT service company like mine? Does anyone use or How do they compare to these guys I found recently: [url=] N-able N-central desktop management
[/url] ? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

What To Look For When Getting a cash advance. Cash advance loans are available for anyone above 18 years of age who has a. If you need 100 dollars or 500 dollars or even if you need 1000 dollars you can. Cash advance network middot Cash advance new york middot Cash advance no credit check middot. An advance deposit for costs in the amount set forth below. [url=]quick cash advance loan[/url] You can qualify for a cash advance pay day loan even with bad credit slow.

Anonymous said...

Hi all! I'm from London but am living in Berlin at the moment.
Gotta love this site!

[url=]Barrater is my life[/url]