Topic
  • 5 replies
  • Latest Post - ‏2013-06-11T16:55:29Z by dgowda01
7PKW_Jian_Tsen_Ooi
7PKW_Jian_Tsen_Ooi
3 Posts

Pinned topic Integrate multiple applications that uses the same Active Directory

‏2013-05-14T04:37:10Z |

Hi there,

We are running ITIM v5.1 and are in the process of integrating multiple applications that uses the same Active Directory.

Access to these applications is granted based on group membership in AD and as mentioned above they are all using the same Active Directory.

The solution I had in mind was to re-use the existing AD Service which is using the AD Adapter.                                                
The idea is to create a separate set of provisioning policies (default pp and role-specific pps) for each of these applications and associate the AD Service as an entitlement. These provisioning policies will just set/remove group membership.                                            

The problem with this approach is that we won't be able to have a separate workflow for each application because a workflow is tied to an entity and not provisioning policy.
For instance, once the user is assigned the relevant group membership in AD, some applications will require a few work orders and/or mail notifications to be sent to different parties.

I would like to avoid mixing the workflow logic for these applications in the existing ADAccount workflows (add, modify etc...) which is currently used to drive the provisioning process of AD accounts.

Is it possible to achieve this in such a way that we could define separate workflows for each of these applications... Or what would be a better/cleaner approach to implement this?

Hopefully the way I explain this makes sense... Any input is much appreciated.

PS: I've raised a PMR already and the request has been escalated to L2, waiting for the guys to come back to me. But I would like to get some input from the community as well.

Cheers.

  • franzw
    franzw
    405 Posts

    Re: Integrate multiple applications that uses the same Active Directory

    ‏2013-05-14T08:38:55Z  

    The solution very much depends on your request model - i.e. what is the user requesting ?

    It is important here if your service is set to "correct compliance" (RBAC model) or to something else (Request model).

    In general you seem to heading into the RBAC land - this means that you should tie the approval into the Role. Alsa this mean that you will have to do the approval/reject in context of the person workflows. To make this work you should carefully desing the data on your role - in the current release you work with the role classification/accesstype to govern the flows and the roleowner can then eventualy be used as approver.

    IMHO it is important that you flow is governed by data - no hard coding - so that you will not get a dependency between the workflows and the roles/policeis.

    I do not know if this gives you a hint or this a misunderstanding...

    BTW - not to be pessimistic - but I do not think you will get much from your PMR - this is basically service work...

    HTH

    Regards

    Franz Wolfhagen

  • 7PKW_Jian_Tsen_Ooi
    7PKW_Jian_Tsen_Ooi
    3 Posts

    Re: Integrate multiple applications that uses the same Active Directory

    ‏2013-05-14T12:33:41Z  

    Thanks for your input Franz, let me give you some more background.

    The IdM system is already implemented and is designed around role-based access control/provisioning (i.e. users request roles).
    The set up is pretty much what you described; in the context of the person TIM does the following (modify person workflow):
    - First, call Approval workflows
    - Then, call modifyPerson extenstion
    - Then, call enforcePolicyForPerson extension

    This is a very high level overview. Also Active Directory is already integrated to TIM, people get an Active Directory account automatically - as a "default role" - when they are created in TIM.

    So now there are these applications sharing the same Active Directory and they all use AD group membership for authorization, but each of these applications have a specific requirement in terms of work orders and email notifications (not approvals) that must be sent once the user is a member of  the relevant group(s) in AD.

    Technically, I can just go ahead and modify the Windows AD Account workflows to branch to the relevant work order(s) and/or notification based on the role classification. But I am afraid this solution might cause some difficulties in the long run, in terms of maintenance and performance. Let say in a few years they decide to add 100 applications using AD groups, the AD workflows will be huge and troubleshooting will be a pain...

    I want to avoid this route and was wondering if there was a more "elegant" approach?

    PS: To be honest I don't expect much from the PMR either but hey it doesn't hurt to raise one :-)

    Cheers

  • franzw
    franzw
    405 Posts

    Re: Integrate multiple applications that uses the same Active Directory

    ‏2013-05-14T12:57:55Z  

    Thanks for your input Franz, let me give you some more background.

    The IdM system is already implemented and is designed around role-based access control/provisioning (i.e. users request roles).
    The set up is pretty much what you described; in the context of the person TIM does the following (modify person workflow):
    - First, call Approval workflows
    - Then, call modifyPerson extenstion
    - Then, call enforcePolicyForPerson extension

    This is a very high level overview. Also Active Directory is already integrated to TIM, people get an Active Directory account automatically - as a "default role" - when they are created in TIM.

    So now there are these applications sharing the same Active Directory and they all use AD group membership for authorization, but each of these applications have a specific requirement in terms of work orders and email notifications (not approvals) that must be sent once the user is a member of  the relevant group(s) in AD.

    Technically, I can just go ahead and modify the Windows AD Account workflows to branch to the relevant work order(s) and/or notification based on the role classification. But I am afraid this solution might cause some difficulties in the long run, in terms of maintenance and performance. Let say in a few years they decide to add 100 applications using AD groups, the AD workflows will be huge and troubleshooting will be a pain...

    I want to avoid this route and was wondering if there was a more "elegant" approach?

    PS: To be honest I don't expect much from the PMR either but hey it doesn't hurt to raise one :-)

    Cheers

    You seem to have a pretty good architecture in place - so you just need a couple of ideas.

    Now - it  seems to me that what you need is a workflow process for each of these applications. I believe you can do this with a couple of manual services - i.e. representing the application by a couple of "dummy" manual services.

    Now - the problem with this is that there are now cross dependency mechanism available in ISIM other than the Service dependency - and that can not be used here. This is based on the assumption that the manual service workflow should trigger the actual AD account provisioning at a specific point in time. You can of course code this with some magic API usage - but this is not recommendable - we need to find an elegant and simple trigger for this.

    Another way of solving this is to new workflows to the AD Account operations and then  trigger these when the necessary conditions are fulfilled - this is relatively straight forward but means that you have to be able to catch the triggers elegantly in the account create/modify workflow (and eventual account delete if some specific cleanup has to be performed).

    There are also a lot of combinations of these 2 methods possible - but I am out of ideas right now for a simple elegant solution that can handle the approve/reject role situation and on top of this trigger the group assignment at the right point in time....

    If you do not have the point in time requirement the Manual Service solution should work.

    I will be back if my brain finds out something.... :-) stay tuned (but do not hold your breath).

    HTH

    Regards

    Franz Wolfhagen

  • 7PKW_Jian_Tsen_Ooi
    7PKW_Jian_Tsen_Ooi
    3 Posts

    Re: Integrate multiple applications that uses the same Active Directory

    ‏2013-05-15T05:28:15Z  
    • franzw
    • ‏2013-05-14T12:57:55Z

    You seem to have a pretty good architecture in place - so you just need a couple of ideas.

    Now - it  seems to me that what you need is a workflow process for each of these applications. I believe you can do this with a couple of manual services - i.e. representing the application by a couple of "dummy" manual services.

    Now - the problem with this is that there are now cross dependency mechanism available in ISIM other than the Service dependency - and that can not be used here. This is based on the assumption that the manual service workflow should trigger the actual AD account provisioning at a specific point in time. You can of course code this with some magic API usage - but this is not recommendable - we need to find an elegant and simple trigger for this.

    Another way of solving this is to new workflows to the AD Account operations and then  trigger these when the necessary conditions are fulfilled - this is relatively straight forward but means that you have to be able to catch the triggers elegantly in the account create/modify workflow (and eventual account delete if some specific cleanup has to be performed).

    There are also a lot of combinations of these 2 methods possible - but I am out of ideas right now for a simple elegant solution that can handle the approve/reject role situation and on top of this trigger the group assignment at the right point in time....

    If you do not have the point in time requirement the Manual Service solution should work.

    I will be back if my brain finds out something.... :-) stay tuned (but do not hold your breath).

    HTH

    Regards

    Franz Wolfhagen

    Really appreciate your input Franz,

    I see where you are going with these options, I will do some more testing (and thinking) and will share the "final" solution here.

    Thanks again for your time.

    Cheers.

  • dgowda01
    dgowda01
    32 Posts

    Re: Integrate multiple applications that uses the same Active Directory

    ‏2013-06-11T16:55:29Z  

    Really appreciate your input Franz,

    I see where you are going with these options, I will do some more testing (and thinking) and will share the "final" solution here.

    Thanks again for your time.

    Cheers.

    I had a similar requirement in one of my previous projects and the route I took was to create a 'ad groups' service profile (RMI adapter), which would just return success on add, modify and delete, but search the ITIM LDAP for AD accounts based on the groups list and return accounts that were members of the groups defined in the service as 'accounts' in the recon operation. With one profile, I could define many service instances (all using their own set of groups, based on a parameter in service form). Each service would get it's own set of provisioning policies.