
Provisioning Broker and Engine

Fundamentals of IdentityIQ Implementation


Overview
Provisioning Broker and Engine
• Provisioning overview
• What causes provisioning to occur?
• Provisioning channels
• Integration Modules and provisioning
• Provisioning architecture
• Provisioning process and components
• Walkthrough of provisioning example
• Debugging tools

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 2


What Causes Provisioning?
• User Driven Request (Lifecycle Manager)
• Identity
• Entitlement
• Account
• Role
• Event Driven (Identity Refresh or Lifecycle Event)
• Automatic Role Assignment based on Identity Attribute
• Sunrise/Sunset of Role
• Joiner/Leaver/Mover/Native Change
• Remediation
• Certification Item Revoke
• Policy Violation Remediation


Provisioning Channels
3 Options
• Read/Write Connectors
• Used to directly connect with many types of target applications
• Used by some Integration Modules to indirectly connect with target applications
• Integration Configurations
• Used by some Integration Modules to indirectly connect with target applications
• Provisioning Integration Modules (PIM): Tivoli Identity Manager
• Service Desk Integration Modules (SIM): Remedy, ServiceNow, HP Service Manager
• Internal Provisioning (WorkItems/Notifications)
• Used when no alternative provisioning pathway is defined


Integration Modules
Provisioning Purpose
• Provisioning Integration Modules (PIM)
• Integrates with 3rd party provisioning providers
• Provisioning provider handles provisioning requests submitted by IdentityIQ
• Service Desk Integration Modules (SIM)
• Integrates with support providers to automate ticketing/tracking
• Service desk personnel respond to the ticket to carry out the provisioning
• Mobile Device Management Integration Module (MIM)
• Integrates with Mobile Device Management (MDM) Systems to indirectly manage mobile devices
• MDM system performs the specified action on the target device


Knowledge Check

Provisioning Architecture


Provisioning Architecture
Connectors
• Direct
[Diagram: App 1 → Read/Write Connector → Target Resource 1]
• Dual Channel (Connector)
[Diagram: App 2 → Connector 1 (for read) → Target Resource 2; App 2 - Proxy → Connector 2 (for write) → Target Resource 2]

Provisioning Architecture
Integration Modules
• Direct – Mobile Device Management Integration Module (MIM)
[Diagram: Application A → Connector (MIM) → MDM System]
• Direct – Provisioning Integration Module (PIM)
[Diagram: Application A and Application B → PIM Application → Provisioning System → Target Resource A and Target Resource B]

Provisioning Architecture
Integration Modules
• Dual Channel (Integration Configuration)
[Diagram: Application X → Connector (for read) → Target Resource X; Application Y → Connector (for read) → Target Resource Y; Integration Config (for write) → Provisioning or Service Desk System → Target Resource X and Target Resource Y]

Provisioning Process and Components


Provisioning Process
[Diagram: Provisioning Plan → Plan Compiler → Provisioning Project (containing one Provisioning Plan per destination) → Plan Evaluator → Read/Write Connector (e.g. AD/LDAP), Integration Config (e.g. IDM, Help Desk), or Internal Provisioning (manual WorkItems)]
Provisioning Object
Provisioning Plan
• Contains one or more requests for one identity
• Role or entitlement request
• Account request
• Defines type of action
• Create, modify, delete, unlock, enable, disable
<ProvisioningPlan>
<AccountRequest application="LDAP"
nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com" op="Modify">
<AttributeRequest name="groups" op="Add"
value="cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com"/>
</AccountRequest>
</ProvisioningPlan>

Provisioning Component
Plan Compiler
• Expands role requests into entitlement requests
• Compiles additional information for provisioning accounts or roles
• Role Provisioning Policies
• Application Provisioning Policies
• Assimilates manual feedback
• Converts the original provisioning plan into a Provisioning Project


Provisioning Component
Plan Compiler (cont.)
• Determines how provisioning will be carried out
• Standard provisioning prioritization
1. Integration Configuration with Managed Resources list
2. Connector with provisioning configured
3. Connector acting as proxy
4. IdentityIQ WorkItems


Provisioning Object
Provisioning Project
• Contains one or more provisioning plans split up by destination
• Contains copy of original plan


Provisioning Component
Plan Evaluator
• Input is a provisioning project object
• Performs dependency checking
• Passes each plan to designated target
• Connector, integration, or work item


Provisioning Component
Read/Write Connectors
• Used for aggregation and provisioning
• Implemented in IdentityIQ as Applications/Connectors
• Used by applications, PIMs, SIMs, and MIMs
• Can serve as provisioning proxy (application points to another application for provisioning)


Read/Write Connectors
Connector Registry
• Connector registry defines
• Connector/integration support: featuresString
• Class that handles provisioning
• Class defined as connector has a provision method that takes a single argument
• A ProvisioningPlan
• Connector entry copied into Application object
• Location
• <install dir>/WEB-INF/config/connectorRegistry.xml
• Debug Page > Configuration > Connector Registry

Example:
<Application connector="sailpoint.connector.JDBCConnector"
featuresString="DISCOVER_SCHEMA, PROVISIONING, GROUP_PROVISIONING"
name="JDBC Template" type="JDBC">


Provisioning Object
Integration Configurations
• Defines parameters for how an integration runs
• Details the integration executor class
• Includes list of applications handled by IntegrationConfig
• Used by SIMs and some PIMs
• Installed through console or debug page
• XML object loaded when enabling PIM/SIM support


IntegrationConfig Object
Example
<IntegrationConfig name="TDI Integration"
executor="sailpoint.integration.tdi.TDIIntegrationExecutor">
<ManagedResources>
<ManagedResource name="Active Directory">
<ApplicationRef>
<Reference class="sailpoint.object.Application" name="TDI Active Directory"/>
</ApplicationRef>
</ManagedResource>
</ManagedResources>
</IntegrationConfig>


Provisioning Component and Object
Internal Provisioning
• WorkItem delivered to user inbox
• Provides details for manual provisioning
• Used when no provisioning pathway is defined


Universal Manager Setting
Alternative to Standard Provisioning Prioritization
• Used to provision all non-specified applications
• Replaces work item as default channel
• Implemented through connector or integration configuration

• Provisioning Evaluation Process
1. Integration Configuration with Managed Resources list
2. Connector with provisioning configured
3. Connector acting as proxy
4. Integration Configuration with Universal Manager option enabled
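As an added illustration (not SailPoint code and not from the slides), the following Python models the Plan Compiler splitting one plan into a per-destination project and the Plan Evaluator applying the prioritization listed above, including the Universal Manager option. It assumes constructed stand-ins for Application objects (a featuresString containing PROVISIONING, an optional proxy application) and for an IntegrationConfig ManagedResources list; the second application, Payroll, is invented so the project contains more than one plan.

```python
import xml.etree.ElementTree as ET

# Constructed sample plan: the slides' LDAP request plus an invented second app.
PLAN_XML = """<ProvisioningPlan>
 <AccountRequest application="LDAP" op="Modify"
  nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com">
  <AttributeRequest name="groups" op="Add"
   value="cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com"/>
 </AccountRequest>
 <AccountRequest application="Payroll" op="Modify" nativeIdentity="ahudson">
  <AttributeRequest name="status" op="Set" value="active"/>
 </AccountRequest>
</ProvisioningPlan>"""

# Constructed stand-ins for Application objects (featuresString, proxy app)
# and for IntegrationConfig ManagedResources lists (assumption, not real data).
APPS = {"LDAP": {"features": {"PROVISIONING"}}, "Payroll": {"features": set()}}
MANAGED_RESOURCES = {"TDI Integration": {"TDI Active Directory"}}

def compile_project(plan_xml):
    """Plan Compiler step: split one plan into per-application plans."""
    project = {}
    for req in ET.fromstring(plan_xml).findall("AccountRequest"):
        attrs = [(a.get("name"), a.get("op"), a.get("value"))
                 for a in req.findall("AttributeRequest")]
        project.setdefault(req.get("application"), []).append(
            {"nativeIdentity": req.get("nativeIdentity"),
             "op": req.get("op"), "attributes": attrs})
    return project

def select_channel(app, apps=APPS, managed=MANAGED_RESOURCES,
                   universal_manager=None):
    """Prioritization: managed resource, connector, proxy, Universal Manager, WorkItem."""
    for integ, resources in managed.items():
        if app in resources:
            return ("integration", integ)
    meta = apps.get(app, {})
    if "PROVISIONING" in meta.get("features", set()):
        return ("connector", app)
    proxy = meta.get("proxy")
    if proxy and "PROVISIONING" in apps.get(proxy, {}).get("features", set()):
        return ("connector", proxy)
    if universal_manager:  # replaces the WorkItem as the default channel
        return ("integration", universal_manager)
    return ("workitem", None)

def evaluate(plan_xml, **channel_opts):
    """Plan Evaluator step: route each compiled plan to its channel."""
    return {app: select_channel(app, **channel_opts) for app in compile_project(plan_xml)}
```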


Provisioning Process Walkthrough


Example: Plan (Original)
<ProvisioningPlan>
<AccountRequest application="LDAP"
nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com" op="Modify">
<AttributeRequest name="groups" op="Add"
value="cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com"/>
</AccountRequest>
<Requesters>
<Reference class="sailpoint.object.Identity"
id="2c901c0d31d3af460131d4854fa60424" name="Randy.Knight"/>
</Requesters>
</ProvisioningPlan>


Example: Do we have an Account?
• If not, we need to add Account Request
• Use Application Account Provisioning Policy to gather or populate fields

<AccountRequest application="LDAP" nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com" op="Create">
<AttributeRequest name="groups" op="Add" value="cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com"/>
<AttributeRequest name="userPassword" op="Add" value="password">
<Attributes>
<Map>
<entry key="secret" value="true"/>
</Map>
</Attributes>
</AttributeRequest>
<AttributeRequest name="cn" op="Add" value="Andrea.Hudson"/>
<AttributeRequest name="ObjectClass" op="Add" value="inetOrgPerson"/>
</AccountRequest>


Example: Provisioning Policy
• How do account fields get created?
• Role and Application Provisioning Policies define how provisioning fields get populated
• Can request users to fill in fields
• Define owners
• Auto-create forms
• Can auto-populate fields

Example: LDAP Provisioning Policy, Native Identity Attribute:

return "cn=" + identity.getName() + ",ou=people,dc=training,dc=sailpoint,dc=com";

LDAP Provisioning Plan:

<AccountRequest application="LDAP"
nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com" op="Create">
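The rule above builds the nativeIdentity DN by string concatenation of the identity name. As an added example (Python, not the slides' BeanShell rule and not SailPoint code), the same construction is shown with RFC 4514 escaping applied to the cn value, so a display name containing DN-special characters yields a syntactically valid DN with the intended structure; the escaping helper is an assumption about how a hardened rule would behave, and the base DN is the one from the slides.

```python
# Base DN taken from the slides' rule.
BASE_DN = "ou=people,dc=training,dc=sailpoint,dc=com"

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' only
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space only
            out.append("\\ ")
        elif ch == "\x00":                  # NUL must be hex-escaped
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def native_identity(identity_name):
    """Mirror of the slides' rule: "cn=" + name + "," + BASE_DN, with escaping."""
    return "cn=" + escape_rdn_value(identity_name) + "," + BASE_DN

def unescaped_native_identity(identity_name):
    """The slides' rule as written (no escaping), kept for comparison."""
    return "cn=" + identity_name + "," + BASE_DN
```

For a plain name such as Andrea.Hudson both functions return the slides' DN; they differ only when the name contains a DN-special character.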


Example: Provisioning Policy – Providing Values


Example: Provisioning Plan with Account
<ProvisioningPlan>
<AccountRequest application="LDAP" nativeIdentity="cn=Andrea.Hudson,ou=people,dc=training,dc=sailpoint,dc=com" op="Create">
<AttributeRequest name="groups" op="Add" value="cn=VPN,ou=groups,dc=training,dc=sailpoint,dc=com"/>
<AttributeRequest name="userPassword" op="Add" value="password">
<Attributes> ... </Attributes>
</AttributeRequest>
<AttributeRequest name="cn" op="Add" value="Andrea.Hudson"/>
<AttributeRequest name="ObjectClass" op="Add" value="inetOrgPerson"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="requester" value="Randy.Knight"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
<Requesters>
<Reference class="sailpoint.object.Identity" id="2c901c0d31d3af460131d4854fa60424" name="Randy.Knight"/>
</Requesters>
</ProvisioningPlan>
Knowledge Check

Debugging


Debugging/Troubleshooting
• Administrator Console
• Provides details of failed provisioning transactions and any captured error messages

• log4j.properties
• log4j.logger.sailpoint.api.Provisioner
• log4j.logger.sailpoint.provisioning.PlanCompiler
• log4j.logger.sailpoint.provisioning.PlanEvaluator
• log4j.logger.sailpoint.provisioning.IIQEvaluator
• Logging for Connectors involved in provisioning
• Look at the Connector Registry or Integration Config for the class name

• Audit Options
• Provision
• Manual Provisioning
• Provisioning Complete
• Provisioning Failure


Next Step? Practice Exercises


Putting it All Together
Section 5, Final Exercise
• Debug and resolve problem discovered during user acceptance testing
• Problem discovered in LCM
• Researching will utilize
• Identity Cubes
• Entitlement Catalog
• Data sources
• … and possibly more
• Resolving will utilize
• Rules
• Coding
• Aggregation
• Refresh
• …and possibly more
