Identity Management? I'll Get My Coat...
Provisioning Disconnected (External) Resources
Introducing a great new feature inside Identity Manager 8.1: the ability to manage provisioning to target systems that are not online or synchronous. System targets that are provisioned manually today can now be integrated into Sun Identity Manager using out-of-the-box functionality, with no need for complex workflow or user interface modifications. This new feature is referred to as "External Resources" and is available with the latest version of Sun Identity Manager.
Examples of External Systems would include a badge system with no API, or a procurement request for a cell phone or laptop, again using a manual process, perhaps interacting with closed systems with no API. During onboarding, manual processes such as sending and receiving faxes or emails, or even telephone calls, would take place in order to complete the provisioning request. Whilst this works today, problems often arise from forgotten work, badly worded instructions and so on, which in turn cause problems in the order-delivery process (imagine a laptop arriving misconfigured and the resulting cost of getting this problem resolved).
We've seen that once customers get their provisioning systems deployed, often by third parties, the cost of introducing new provisioning targets can be expensive and disruptive. Hence the provisioning systems often tend to stagnate as new targets are introduced. Using the External Resources from Sun Identity Manager allows customers to easily integrate a new provisioning target that may be offline, or maybe online, it just depends
So the External Resource is assigned to Users just as with any other resource. It's what happens behind the scenes that's different, which we'll come to discuss later.
So I'm editing a User record and want to assign a Mobile Phone to the user, what does this look like? Here's a screen shot of editing a user and assigning an External Resource that represents provisioning a Mobile Phone to a user.
Sun Identity Manager has a virtual identity approach, so where is the data associated with the External Request actually stored if the target system does not have an API? Good question!! As part of the configuration of the External Resources you must tell Identity Manager where to store this information. Today, out of the box, we have two choices: 1) inside a relational database or 2) inside LDAP.
In my example I'm using a MySQL database. Inside this database we've got a table called "attributes" that stores the values for the external resource account, as shown below. This information is passed along to the external provisioner by either email or by out-of-the-box integration with Remedy helpdesk:

So back to our process of assigning the Mobile Phone resource to the user John Doe. Once the Save button is pressed and Sun IDM stores the external resource attributes in our relational table, we see the following Provisioning Request pending processing:

Next step is for the ProcurementAdmin to process the external provisioning request, so this would involve any number of manually performed steps. Perhaps call/fax/email a third party provider of mobile telephones and request one on behalf of John Doe. After a period of time the mobile phone will arrive in the hands of the ProcurementAdmin and they will complete the process by logging into Sun Identity Manager and editing the pending workItem stating it's been completed.

On a recent customer engagement I had to use this new feature with the integrated Remedy HelpDesk support. Out of the box there's a notifier built into this new process of provisioning External Resources; the notifier can be email or Remedy ticket based.
If Remedy is selected then the really cool thing is that the Provisioning Request workItem (that we completed above) is *automatically* completed by a polling system that will check at predetermined points in time whether or not the Remedy Ticket has been completed. This way the ProcurementAdmin use case actor does not have to log into Sun Identity Manager to manually state the asynchronous provisioning has been completed successfully: the system detects this, audits it, emails the requestor stating that the provisioning has been completed and then closes down the workItem... How cool is that??! And yes, it really does work, as I found out recently. For those that are interested, here's the XML block that is appended to the WSUser object for the Remedy Ticket Deferred Workflow task:
<properties>
  <property name="tasks">
    <list>
      <object name="External Resource Remedy Deferred Task">
        <attribute name="authorized" value="true"/>
        <attribute name="date">
          <date>2009-04-28T07:19:10.732Z</date>
        </attribute>
        <attribute name="remedyRule" value="Sample External Remedy Rule"/>
        <attribute name="remedyTemplate" value="Mobile Phone External Remedy Template"/>
        <attribute name="task" value="External Resource Remedy Deferred Task"/>
        <attribute name="ticketId" value="000000000000071"/>
      </object>
    </list>
  </property>
</properties>
As you can see above, the Remedy TicketID is stored against the WSUser object. This way Sun IDM can query Remedy to see if the Remedy Ticket has been closed off; if so, we automatically close off our provisioning request workItem.
So there you have it. To summarise, External Resources, new in Identity Manager 8.1, allow for disconnected or asynchronous provisioning. Fully audited, including OOTB email or Remedy integration, Sun Identity Manager now provides a solution for those sites where it's either too expensive or not suitable (no API) to include an online provisioning target.
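The polling decision described above, sketched as an added example; this is not Sun Identity Manager code. It parses the deferred-task block shown in the post and decides whether the pending workItem may be closed, writing an audit record for every decision. The `ticket_status` callable standing in for the Remedy query, the "Closed" status string, and the checks on `authorized` and on the ticket id being numeric are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the deferred-task block from the post, made well-formed.
SAMPLE = """<properties>
  <property name="tasks">
    <list>
      <object name="External Resource Remedy Deferred Task">
        <attribute name="authorized" value="true"/>
        <attribute name="date"><date>2009-04-28T07:19:10.732Z</date></attribute>
        <attribute name="remedyRule" value="Sample External Remedy Rule"/>
        <attribute name="remedyTemplate" value="Mobile Phone External Remedy Template"/>
        <attribute name="task" value="External Resource Remedy Deferred Task"/>
        <attribute name="ticketId" value="000000000000071"/>
      </object>
    </list>
  </property>
</properties>"""

def parse_deferred_tasks(xml_text):
    """Return one dict per deferred task, keyed by attribute name."""
    tasks = []
    for obj in ET.fromstring(xml_text).iter("object"):
        task = {}
        for attr in obj.findall("attribute"):
            date = attr.find("date")  # the date value is a child element
            task[attr.get("name")] = date.text if date is not None else attr.get("value")
        tasks.append(task)
    return tasks

def poll(tasks, ticket_status, now=None):
    """Decide per task whether the pending workItem may be closed.

    ticket_status is a hypothetical stand-in for the Remedy query:
    a callable mapping ticketId -> status string ("Closed" is assumed).
    Returns audit records; only authorized, numeric ticket ids can close.
    """
    now = now or datetime.now(timezone.utc)
    audit = []
    for t in tasks:
        tid = t.get("ticketId", "")
        if t.get("authorized") != "true" or not tid.isdigit():
            action = "rejected"          # never auto-close on a malformed task
        elif ticket_status(tid) == "Closed":
            action = "close_workitem"    # ticket done: complete the workItem
        else:
            action = "still_pending"     # check again at the next poll
        audit.append({"ticketId": tid, "action": action, "at": now.isoformat()})
    return audit
```

Because the workItem is closed without a human confirming it inside Identity Manager, the audit record and the validation of the stored task are what let a reviewer later tie each completed request back to a specific Remedy ticket.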