Identity feed management

As an administrator, you take a number of initial steps to import employee data from one or more human resources repositories. You use that data to populate the Identity Manager registry with an equivalent set of users.

Overview

An identity is the subset of profile data that uniquely represents a person in one or more repositories, plus additional information related to the person. For example, an identity might be represented by a unique combination of the first name, last name, full name, and employee number of a person. The data might also contain additional information such as phone numbers, manager, and email address. A data source can be a customer's user repository, a file, a directory, or a custom source.

Use Identity Manager to add a number of users to the system by reading a data source, such as a user repository, directory, file, or custom source. The process of adding users based on a user data repository is called an identity feed, or HR feed.

Reconciliation for an identity feed is the process of synchronizing the data between the data source and Identity Manager. The initial reconciliation populates Identity Manager with new users, including their profile data. A subsequent reconciliation both creates new users and also updates the user profile of any existing users that are found.

You can use several source formats to load identity records into the Identity Manager user registry.

You need to anticipate the effect of missing information in the user record. For example, the record that you feed into Identity Manager might not have an email address for the user. Such a user does not receive the password for a new account by email and must call the help desk or contact the manager.

Common sources for identity feeds

Identity Manager supplies the following service types to handle many of the most common sources for identity feeds:
  • Comma-Separated Value (CSV) identity feed
  • DSML identity feed
  • AD OrganizationalPerson identity feed (Microsoft Windows Active Directory)
  • INetOrgPerson (LDAP) identity feed
  • IDI data feed

You can populate initial content and subsequent changes to the content of the people registry from these sources:

Comma-Separated Value (CSV) file
Use a comma-separated value (CSV) file. A CSV file contains a set of records separated by a carriage return/line feed (CR/LF) pair. Each record contains a set of fields separated by a comma. You can use a global identity policy to select the schema attributes that create a user ID.
Directory Services Markup Language (DSML) v1 file
Use a DSML v1 file to populate the people registry. A DSML file represents directory structural information in an XML file format. If you run the identity feed more than one time, duplicate people are modified according to the newest file. A global identity policy does not apply to a DSML file.
Windows Server Active Directory
Import only the information found in the inetOrgPerson schema portion of a Windows Server Active Directory user. You can use a global identity policy to select the schema attributes that create a user ID. The identity feed process uses all user objects in the specified base.
INetOrgPerson identity feed
Use an LDAP directory server. The data uses the objectclass implied by the person profile name specified in the service definition. You can use a global identity policy to select the schema attributes that create a user ID. The identity feed process ignores records that do not have the specified objectclass.
Custom identity sources
Use custom identity sources to populate initial content and subsequent changes to the content of the people registry. Depending on the identity source, you might use a global identity policy to select the schema attributes that create a user ID.
For example, use an IBM® Security Directory Integrator identity feed to obtain more flexibility than a standard data feed provides. Additional capabilities include:
  • Working with a subset of data, such as filtering users in a specified department
  • Enabling additional attribute mapping beyond the standard mapping
  • Enabling data lookups, such as the manager of an employee, obtained from another data source
  • Change detection on the data source
  • Using databases and human resource systems such as DB2 Universal Database and SAP
  • Controlling attributes; for example, updating status such as suspending a person
  • Deleting identity records
  • Initiating changes with IBM Security Directory Integrator, instead of using Identity Manager reconciliations

For more information about providing customized identity feeds, see the information about IBM Security Directory Integrator integration in the Identity Manager extensions directory.
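The following is an added example, not code from Identity Manager, that models the CSV feed semantics described above: CR/LF-separated records with comma-separated fields, a hypothetical global identity policy that derives the user ID from schema attributes, reconciliation that creates new users and updates existing ones, and a report of users with no email address, who would have to contact the help desk for their password. The header names, the policy rule, and the sample records are assumptions.

```python
import csv
import io

# Constructed sample CSV identity feed (not product data): records end in
# CR/LF, fields are comma-separated, the header names the schema attributes.
SAMPLE_FEED = (
    "employeenumber,givenname,sn,mail,manager\r\n"
    "1001,Alice,Smith,alice@example.com,\r\n"
    "1002,Bob,Jones,,1001\r\n"
    "1003,Anna,Smith,anna@example.com,1001\r\n"
)


def parse_feed(text):
    """Parse a CSV identity feed into a list of record dicts."""
    # newline="" leaves the CR/LF record separators for the csv module to handle.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return [dict(row) for row in reader]


def identity_policy(record, existing_uids):
    """Hypothetical global identity policy: first initial plus surname, in
    lower case, with the employee number appended if that user ID is taken."""
    base = ((record.get("givenname") or "")[:1] + (record.get("sn") or "")).lower()
    return base if base not in existing_uids else base + record["employeenumber"]


def reconcile(registry, feed_text):
    """Reconcile a feed into a registry keyed by employee number.

    Returns (created_uids, updated_uids, uids_without_mail). New users get a
    user ID from the identity policy; existing users have their profile
    attributes refreshed from the newest record.
    """
    created, updated, no_mail = [], [], []
    for rec in parse_feed(feed_text):
        key = rec["employeenumber"]
        if key in registry:
            registry[key].update(rec)  # existing user: update the profile
            updated.append(registry[key]["uid"])
        else:
            uid = identity_policy(rec, {u["uid"] for u in registry.values()})
            registry[key] = dict(rec, uid=uid)
            created.append(uid)
        if not rec.get("mail"):
            # No address to send the new-account password to: flag for follow-up.
            no_mail.append(registry[key]["uid"])
    return created, updated, no_mail
```

Running `reconcile` twice over the same feed shows the initial load (all users created) and a subsequent reconciliation (all users updated, none created).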

Enabling workflow for identity feeds

Regardless of the feed method, the Identity Manager Server can be configured to call the workflow engine for identity feed records. Enabling the workflow engine enforces all applicable provisioning policies for incoming identities, at the cost of slower feed performance. Persons are automatically enrolled in any applicable dynamic roles even if the workflow engine is not enabled for an identity feed. For initial loads, consider importing the identities first and then enabling the applicable provisioning policies, to improve identity feed performance.