Topic
  • 5 replies
  • Latest Post - 2018-07-19T07:11:23Z by frisalde
frisalde
119 Posts

Pinned topic Deleting provisioning policies by mistake

2018-07-17T12:48:49Z | membership: policies; provisioning role;

Dear ISIM colleagues,

I would like to get your feedback regarding the capability to identify the provisioning policies where a role is defined as a member, or, to be more precise, how the user interface has been designed to provide this capability.

Although from my point of view it is a very interesting feature, and it would even be very interesting to be able to add one role as a member of multiple provisioning policies in just one step, our view is that the user interface is confusing (see the attached screenshot). Several of our ISIM administrators have deleted provisioning policies thinking that they were removing the role as a member of the policies.

Before requesting an enhancement of this interface from IBM, I would like to know your point of view.

Thanks for your feedback


  • Sanjay Sutar
    198 Posts

    Re: Deleting provisioning policies by mistake

    2018-07-17T14:03:31Z

    As I see it, when you are on "Manage Policies", you are essentially *managing policies*.

    So search by role is just a facility to search all policies that have a certain role as a member. But you are still managing policies, not roles.

    Again, regarding having a feature to add one role to multiple policies in a single (or shall I say a few) clicks, I guess you are seeing this just from the ease of usage on the UI and overlooking what actually happens when a policy is modified (not just in terms of role addition/removal). Policy evaluation is one of the complex and resource-intensive operations and can cause the system to become unresponsive if the scope of the change is large.

  • yn2000
    1133 Posts

    Re: Deleting provisioning policies by mistake

    2018-07-17T15:54:39Z

    It is an interesting use case and I am thinking outside the box here.

    First, adding to Sanjay's comments: luckily, because of the free-format naming label, I always use 'xxx Role' in the role name and 'xxx Policy' in the policy name, to clearly differentiate between a role and a policy. In fact, I also try to differentiate the naming convention for Identity Policy and Password Policy from Provisioning Policy, so that I can clearly see the label when looking at the data directly in the TDS repository.

    Second, I always fill in the description to inform the operator better. In fact, I forget which one, but I recall that I had to inject a description of a component directly into the TDS repository, not just for the operator, but for 'future me' too.

    Now, talking about the feature to add a role to a policy. If I am not mistaken, the role name that you fill into the interface is searched based on a sub-string search, isn't it? That means there is a possibility that it represents multiple roles, which leads to a bigger challenge for the IBM developer to distinguish which role to add, isn't it?

    Rgds. YN.

  • frisalde
    119 Posts

    Re: Deleting provisioning policies by mistake

    2018-07-18T07:09:29Z

    Thanks for your feedback.

    I totally agree with both of you; we have a naming convention too. Nevertheless, our ISIM administrators know that they are working with PPs, but taking into consideration that the last operation they did was to get the PPs where a role is a member, they think that they are going to break the relation between the listed policies and the searched role. From the user's perspective, they were working with roles, not PPs.

    Likely the mistake comes from the same operation being done in 2 different ways, or because you are able to reach a GUI capability (managing PPs) from two different starting points.

    Following this approach, when you are working with people you are able to consult the organization structure where the user is located, but you are not able to change any characteristic of the OU container, for instance. If you want to do that, it is mandatory to open the "Manage Organization Structure" option. When you are listing the user accounts you can get the details of the service which an account belongs to, but you cannot change the service definition. If you want to do that, it is mandatory to open the "Manage Service" option.

    As a summary, the user chooses in the left menu the kind of objects he wants to work with. "Manage Provisioning Policies" is an exception because there is a shortcut from role.

    Last, modifying multiple PPs (which would be the effect of adding one role to multiple PPs) could be a heavy operation, but from my point of view it does not depend on the number of PPs but on the number of users affected by the operation, that is, the number of members of the managed role. Thanks to the "Enforce change only" capability when a PP is being modified, it is not needed to make an entire policy evaluation.

    Another issue to take into consideration is the impact of the PP modification on the managed systems. The more managed systems are affected, the heavier the operation will be. Most of the time we do that to define "functional" roles, i.e. a role which grants multiple authorizations in one or multiple managed systems. Nowadays it is done by modifying the PPs one by one, which has collateral troubles because the same users are affected and a race condition is in place. If multiple PP modifications were managed as one operation, the system could join the evaluation results for one managed system to request just one operation instead of multiple as nowadays. Nevertheless, I know it is a total change of product design.

    Thanks again for your valuable feedback.

    Updated on 2018-07-18T07:15:36Z by frisalde
  • yn2000
    1133 Posts

    Re: Deleting provisioning policies by mistake

    2018-07-18T16:29:14Z

    It seems that your choice of UI design is similar to what was provided by the old ITIM v4.x.
    The ITIM v4.x UI had more control over what the operator should be doing, so that there were fewer mistakes in operating the ITIM system. For example: you had to navigate through the OU before working on People data, so that you would not make a mistake about which OU you were operating on.
    The UI in ITIM v5.x and beyond is to be considered more 'open', where you can do things from here and there, but the 'open' design comes with the price that more mistakes can happen when operating it.
    I guess you cannot have it all, my friend.

    Having said that, the way you operate ISIM seems to be more advanced than what most common companies do.
    So, considering that you utilize and tightly manage roles and policies for your business processes, I believe it is better to use the IBM Security Role and Policy Modeler product and then send the outcome to ISIM at once, instead of updating the policies one by one, as you said.

    Rgds. YN.

  • frisalde
    119 Posts
    ACCEPTED ANSWER

    Re: Deleting provisioning policies by mistake

    2018-07-19T07:11:23Z
    • yn2000
    • 2018-07-18T16:29:14Z

    It seems that your choice of UI design is similar to what was provided by the old ITIM v4.x.
    The ITIM v4.x UI had more control over what the operator should be doing, so that there were fewer mistakes in operating the ITIM system. For example: you had to navigate through the OU before working on People data, so that you would not make a mistake about which OU you were operating on.
    The UI in ITIM v5.x and beyond is to be considered more 'open', where you can do things from here and there, but the 'open' design comes with the price that more mistakes can happen when operating it.
    I guess you cannot have it all, my friend.

    Having said that, the way you operate ISIM seems to be more advanced than what most common companies do.
    So, considering that you utilize and tightly manage roles and policies for your business processes, I believe it is better to use the IBM Security Role and Policy Modeler product and then send the outcome to ISIM at once, instead of updating the policies one by one, as you said.

    Rgds. YN.

    Hi,
    thanks again for your feedback.

    Like you, I started working with TIM 4.x and there is no doubt the new interface was a big enhancement (do you remember when you moved to an OU where there were hundreds of objects and the interface didn't respond until all of the objects could be shown?). Nevertheless, from my point of view there is still a long way to go.

    Following your suggestion, Governance will be our next step.