Automated provisioning

Automated user life cycle management is a critical part of the OpenIAM identity management solution. It provides organizations with the ability to automatically:

  • create users and grant the right level of access when they join the firm;
  • adjust access rights when a person's position in the firm changes;
  • terminate / revoke access when a user leaves the firm.

Each of these operations is supported by audit logs to provide visibility into when and why changes have occurred.

Life cycle management in OpenIAM

The diagram below provides a high-level overview of how automated provisioning works in OpenIAM. The diagram also allows for a deployment having more than one authoritative source. Authoritative sources can be segregated based on a variety of factors, including user type, attributes, etc.

life cycle management overview

Most Human Resources (HR) systems can be integrated with OpenIAM using one of the following approaches.

  • API / SDK / Database view. OpenIAM can use the API, SDK or database view provided by the HR system to extract user and organizational information at regularly scheduled intervals (every 1 h, 4 h, 24 h, etc.). This approach requires an OpenIAM connector.
  • CSV file. The HR system generates a CSV file, which OpenIAM picks up from a network location at regular intervals and processes.

Under either scenario, OpenIAM does the following to implement automated provisioning.

  • Query the source system for new information about employees through the connectors.
  • For each new or modified user that is found, the OpenIAM synchronization service will:
    • Map the incoming data to OpenIAM objects.
    • Determine the level of access that a user should have across applications by determining appropriate birthright access as well as other entitlement memberships.
    • Pass the object to the provisioning services.
  • The provisioning service will:
    • Obtain a full list of entitlements based on a person's group or role membership from the authorization service.
    • For each application that a person should be provisioned to, the service will:
      • Determine the value of each attribute by using a policy map associated with a Managed System.
      • Send a message to each connector with the results of the policy map.
  • Connectors will:
    • Communicate with the target system.
    • Apply the changes to the target system based on the message received from the provisioning service.
    • Send a response back to OpenIAM via the message bus. OpenIAM will update the identity status and save the actions in the audit logs.
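The following is an added illustrative model of the joiner / mover / leaver flow described above, written for this page and not OpenIAM's own code: a constructed HR CSV feed is mapped to identity objects, birthright access is derived from department, a hypothetical policy map computes per-system attributes, and the difference against the previously known state becomes ADD / DELETE connector messages plus an audit record for each change. The sample prior state assumes Bob has moved out of Finance and Carol has just been terminated; all names, rules and systems are constructed.

```python
import csv
# Constructed HR feed (sample data, not from any real system).
HR_CSV = """employee_id,first_name,last_name,department,status
1001,Alice,Nguyen,Finance,ACTIVE
1002,Bob,Ramos,Engineering,ACTIVE
1003,Carol,Singh,Engineering,TERMINATED
"""
# Hypothetical birthright rules: department -> roles, role -> managed system.
BIRTHRIGHT = {"Finance": ["ERP_USER"], "Engineering": ["GIT_USER", "VPN_USER"]}
ROLE_SYSTEM = {"ERP_USER": "erp", "GIT_USER": "gitlab", "VPN_USER": "vpn"}
# Hypothetical policy map: for each managed system, how each target attribute is derived.
POLICY_MAP = {
    "erp":    {"login": lambda u: (u["first_name"][0] + u["last_name"]).lower()},
    "gitlab": {"username": lambda u: f"{u['first_name']}.{u['last_name']}".lower()},
    "vpn":    {"cn": lambda u: f"{u['first_name']} {u['last_name']}"},
}

def map_user(row):
    # Map one HR record onto an identity object (only the fields used below).
    return {k: row[k].strip() for k in ("employee_id", "first_name", "last_name", "department", "status")}

def desired_systems(user):
    # Birthright access; a non-active user is entitled to nothing, so every account gets revoked.
    if user["status"] != "ACTIVE":
        return set()
    return {ROLE_SYSTEM[r] for r in BIRTHRIGHT.get(user["department"], [])}

def synchronize(csv_text, identity_store):
    # Diff the feed against known state; return connector messages and audit records.
    messages, audit = [], []
    for row in csv.DictReader(csv_text.splitlines()):
        user, uid = map_user(row), row["employee_id"]
        current = set(identity_store.get(uid, {}).get("systems", []))
        wanted = desired_systems(user)
        for system in sorted(wanted - current):  # joiner / mover: grant
            attrs = {a: rule(user) for a, rule in POLICY_MAP[system].items()}
            messages.append({"op": "ADD", "employee_id": uid, "system": system, "attributes": attrs})
            audit.append((uid, "ADD", system, "birthright:" + user["department"]))
        for system in sorted(current - wanted):  # mover / leaver: revoke
            messages.append({"op": "DELETE", "employee_id": uid, "system": system, "attributes": {}})
            audit.append((uid, "DELETE", system, "status:" + user["status"]))
        identity_store[uid] = {"status": user["status"], "systems": sorted(wanted)}
    return messages, audit

if __name__ == "__main__":
    store = {"1002": {"systems": ["erp"]}, "1003": {"systems": ["gitlab", "vpn"]}}
    for entry in synchronize(HR_CSV, store)[1]:
        print(entry)
```

The audit tuples record who changed, what operation ran against which system, and why (the birthright rule or the HR status that drove it), which is the visibility the section above calls for.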

Configuring automated life cycle management

To implement automated provisioning as described above, follow the steps in each of the following sections.