Topic
  • 6 replies
  • Latest Post - ‏2013-03-17T09:14:30Z by SystemAdmin
ssayed (22 Posts)

Pinned topic ITIM 5.1: within custom account add workflow - creating new person.

‏2013-03-15T18:50:07Z |
I have a requirement from the customer where a subset of the user population should be able to create a new Consultant onboarded into the company. The HR feed coming from PeopleSoft brings in all employees, so this new person create is only for Consultants. As in any typical implementation, we have a custom person objectclass inheriting from inetOrgPerson.

So when I was given this requirement, my first reaction was that this is simple: we open the admin UI to this subset of people, they can create the Consultants, and the CustomPerson add workflow will go through the required approvals, notifications and RFIs.
Unfortunately the stakeholders do not like the idea of opening the admin UI to anyone other than the Enterprise Information Security Team and the ITIM admins.

My second suggestion was that we have self registration out of the box and we should be able to use that. Anyone internal to the company can send in the request for a new Consultant and it will still go through the required approvals/notifications and RFIs.
In this scenario, the objection was that they want a way to report on who the requester is, and I don't see that self registration out of the box can do that.

The next option I suggested was that we create a manual/custom account which captures all of the new consultant's details. When this account is submitted, we can go through the approvals in this custom account workflow and, if possible, create a person there.

The first question is:
Did I miss any other, simpler solution?

The second question is:
In the account workflow we don't have a person object. So how do I create/initialize this before passing it to createPerson?
A couple of snippets:
// This one initializes the container that you need to pass to the createPerson extension in this workflow.
var myContainer = new ContainerSearch();
var containerArr = myContainer.searchByFilter("Organization Unit", "(ou=Others)", 2);
process.auditEvent("Found: " + containerArr[0]);
container.set(containerArr[0]);

// the person create where I am facing some issues
var myPerson = new Person();
myPerson.setProperty("uid","myuid");
myPerson.setProperty("sn","mysn");
myPerson.setProperty("cn","mycn");
myPerson.setProperty("employeenumber","999999");
newUser.set(myPerson);

// when I use the above code to create the person, I get:
CTGIMA616E Invalid data input to a workflow activity.

What I should use is the person object initialized with the correct custom person profile. So I checked the self registration code and accordingly did the following:
var myPerson = new Person("MYCUSTOMPERSONPROFILENAME");
myPerson.setProperty("uid","myuid");
myPerson.setProperty("sn","mysn");
myPerson.setProperty("cn","mycn");
myPerson.setProperty("employeenumber","999999");
newUser.set(myPerson);

And the error I get is:
Script interpreter error, line=1, col=20 Error while calling java constructor 'com.ibm.itim.script.wrappers.generic.ProtectedPersonWrapper(string)' (java.lang.reflect.InvocationTargetException).

It seems like the JavaScript wrapper does not have access to the same Java constructor.
Do I need to nowrap this Person Java class in scriptextensions.properties?

I know this is a lot of information, but I hope to get some replies to this post.
Thank You
regards
S
Updated on 2013-03-17T09:14:30Z at 2013-03-17T09:14:30Z by SystemAdmin
  • HomerJSimpson (157 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-15T19:21:24Z  
    1. Yes...you missed a couple of easier options:

    Option 1: Use Views/ACIs to limit what these users can do in the Admin Console. Yes, they'll be accessing the console, but they won't be able to see/access anything the admins can. Perhaps your customer doesn't know about Views/ACIs and thinks they have to give full access to the admin console in order for this subset of users to create your Consultant objects. This would probably be the best/recommended approach (unless you can add the consultants via a data feed).

    Option 2: If (for some reason) your customer still doesn't want to allow these users to access the admin console (even though you can limit what the users can see/do in that UI)...then you can do something similar to the self reg...but actually have your users authenticate before creating the new Consultant objects. See the examples in $ITIM_HOME/extensions/5.1/examples/apps/. These don't prompt for login, because the creds are provided by the setEnv file. But you could easily create your own app (either web-based like Self_Reg or CLI-based like those in the apps example) where your user has to authenticate to create a user.

    Your option to create an account probably wouldn't be the best approach...as someone will need to own these "accounts"....so it could end up being pretty messy.
    2. The Person object IS provided in the Account 'add' operation. It's an Input Parameter called 'owner'. So you shouldn't need to script for it.
    That being said...it looks like you might be trying to use the new Person() Java method in the script context, rather than the new Person() JavaScript method...which requires you to provide either a DN or a Person object itself. Here is the JavaScript reference for that object:
    http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isim.doc_6.0/reference/ref/ref_ic_javext_person.htm
  • yn2000 (1086 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-15T19:59:45Z  
    "...the stake holders do not like this idea of opening the admin UI to anyone other that the Enterprise Information Security Team and the ITIM admins..." Well, tell your stakeholders that everything is about money. How about telling them that the company has to pay a million dollars to build an application that can be as secure as what the TIM Admin Console can provide. First, all users are authenticated by ITIM; second, the person who can request is controlled in a role; third, the person who can approve is also controlled in a role; fourth, the approver needs to interact with the ITIM system; fifth, who can do this and that, read and write that, and any other things in ACI, which is down to the attribute level, for crying out loud. Plus all of the goodies, such as delegated admin, forensics and auditing, that the ITIM Admin Console can offer.

    What I meant to say is: please do not underestimate the complexity of managing consultant/contractor data, because the requirement grows and the company may not realize it now. How about an automatic termination date embedded in the creation process? How about re-certification? How about a 30-day notification to the requester, not the contractor? There are so many small things that are easily resolved if the ITIM Admin Console is available to the user. In fact, I would not create a custom objectclass for a consultant/contractor, because the requirement may grow, such that an employee can become a consultant and he/she would like all access to stay intact, while with a custom objectclass you have to delete and recreate the user entry.

    Rgds. YN.
  • ssayed (22 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-15T20:59:03Z  
    (in reply to yn2000, 2013-03-15T19:59:45Z)
    HomerJSimpson, Yn2000
    I agree; maybe we need to let the customer understand the simplicity of using the admin console and ACIs to do the same work. And I appreciate this observation from both responses so far. But guys, I would rather show that the new Contractor can be created from the add account workflow and then argue why we should not go that path. (btw - yn2000 - both employees and contractors have the same custom objectclass. Maybe the way I wrote the scenario was misleading.)
    My earlier question about whether I should/can nowrap com.ibm.itim.dataservices.model.domain.Person is also not the right approach, because of all the existing workflows.
    Maybe implement a script extension for create person.
    I do appreciate the quick feedback. Thank You
    regards
    Sohail
  • HomerJSimpson (157 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-15T21:10:35Z  
    (in reply to ssayed, 2013-03-15T20:59:03Z)
    Hi ssayed...

    You're going to end up doing a lot of work and ending up with a mess on your hands if you continue down the path of creating the Consultant (Person) from an Account add Operation.
    In order to get the Account into the add operation, you need an owner for the Account to begin with....so you'd be requesting an Account for PersonA...but during the operation you want to create PersonB (Consultant) while creating the Account?

    Perhaps you can just show your customer the comments from the experts on this forum thread...along with doing some whiteboarding for the customer, to convince them there are better alternatives.
    It would save you both time/effort and you wouldn't have to clean anything up (other than erasing the whiteboard when you're done).
  • jmdennis (52 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-16T01:59:25Z  
    (in reply to ssayed, 2013-03-15T20:59:03Z)
    ssayed, I have to agree emphatically with Homer. What you're trying to do goes against IdM principles: a person object is NOT an account. Explain to the customer they may also have issues with the auditors when they run account reports.

    As for yet another alternative, I have seen solutions where the SSUI was customized to provide person creation capabilities. Perhaps the customer would not be as sensitive to opening that UI.

    jdennis
  • SystemAdmin (9855 Posts)

    Re: ITIM 5.1: within custom account add workflow - creating new person.

    ‏2013-03-17T09:14:30Z  
    (in reply to jmdennis, 2013-03-16T01:59:25Z)
    Just to add to the choir - I totally agree with the sentiments raised here - do not do this.

    ITIM/ISIM is a top-down system - i.e. it wants to be the center of your IdM based on the persons you feed in.

    Some of the competitive products are using a bottom-up process - more like the one you are being required to implement.

    It is not impossible to use ITIM this way - but the consequences of doing so must be very well integrated in the overall design and architecture of the solution - and this is a very delicate thing to do. I would guess that only a handful of consultants/business partners have the knowledge and experience to do this.

    If you do not get this right, the problem will be that you get into all kinds of problems later on - you may believe that your solution works - and suddenly your workflows and policies will work together - and you are not able to understand why...

    I normally call ITIM a "security ERP" system, as it has many of the same patterns that ERP systems have (e.g. SAP R/3) - and also the same pitfalls. If you have ever heard stories about ERP projects going wrong, it is normally because people try to change the system into a direction it is not designed for - and this also applies to ITIM. Therefore it is very important that you understand the architecture of ITIM and adhere to that - else you will never get a successful project and your customer will probably never be able to get the full benefit of the IdM system.

    So - basically this is nothing special for ITIM but applies to any IdM system.

    Regards
    Franz Wolfhagen