Topic
  • 4 replies
  • Latest Post - 2014-05-28T06:16:49Z by franzw
frisalde
43 Posts

Pinned topic Provisioning policies feed

2014-05-23T15:01:41Z

I would like to integrate a homemade Identity Management solution with ITIM.

A requirement is to be able to manage provisioning policies from outside ITIM. My primitive idea is to use IDI and a JNDI connector. Although that way can be used for identity feed purposes, can it be used to feed provisioning policies?

I would like to know your experiences with this issue, by means of JNDI, Web services, the ITIM API, or whatever. (LDAP commands will not be a way, since the policy enforcement is not done.)

Thanks in advance.

  • franzw
    332 Posts

    Re: Provisioning policies feed

    2014-05-23T18:22:51Z

    You cannot use JNDI to feed policies.

    But you can use the external application API to do that - check this technote : http://www-01.ibm.com/support/docview.wss?uid=swg21659565

    But I do not understand the need for this automation - the 2 systems should not try to manage the same systems - that would be a very bad idea - instead you could make ITIM a managed system (or preferably the other way around) using a custom adapter.

    HTH

    Regards

    Franz Wolfhagen

  • frisalde
    43 Posts

    Re: Provisioning policies feed

    2014-05-26T07:30:51Z
    • In reply to franzw
    • 2014-05-23T18:22:51Z

    Thanks Franz.

    The idea is not to have two IAM systems, but to have just one interface. ITIM is responsible for enforcing the policies on distributed systems, and the homemade development is in charge of mainframe authorizations. More and more we are migrating the mainframe authorization management from the homemade development to ITIM, but there is a heavy development which started 20 years ago.

    I'll have a look at the attached reference.

    Thanks as usual for your valuable remarks.

  • frisalde
    43 Posts

    Re: Provisioning policies feed

    2014-05-27T13:46:46Z
    • In reply to franzw
    • 2014-05-23T18:22:51Z

    Initially, it looks more suitable to use the Web service instead of the ITIM API.

    It is supposed that invoking a WSProvisioningPolicyService method, for instance, will create and evaluate the provisioning policy, i.e., will create the accounts as a result of the policy evaluation. Won't it?

  • franzw
    332 Posts

    Re: Provisioning policies feed

    2014-05-28T06:16:49Z
    • In reply to frisalde
    • 2014-05-27T13:46:46Z

    I simply cannot see the need for using the WS for this - there is nothing there that it can do better than the API, AFAIK.

    WS is a good idea if you really expose a service across security domains - I really do not see that that is your need - but there is no technical problem using the one instead of the other - so if you want to live through all the hassle of the WS overhead, or you simply have more experience using them, go ahead and use it.

    I have no practical knowledge of doing exactly this kind of integration - so I cannot answer you honestly whether it will create accounts (i.e. enforce the policy) - but that should definitely be part of your test cases. In theory there should be no difference between working with the UI and the API/WS - but you may find that not all functionality is available in the latter.

    Regards

    Franz Wolfhagen