Provisioning rules

For each target application defined in the planning matrix, check whether it can be integrated through a connector to support automated provisioning and deprovisioning. If provisioning can be automated, define a matrix such as the one shown below to determine which attributes will be updated by OpenIAM and how their values should be generated. The example below is based on Active Directory, but the exercise should be performed for every integrated application.

Application Name: Active Directory

| Field Name | Description | Rules to generate value |
|---|---|---|
| sAMAccountName | User identity | Limited to 20 characters. First 19 characters of the last name + first letter of the first name. If it is not unique, then 18 characters of the last name + first character of the first name + a numeric value that is incremented by 1. Example: smithw, smithw2, etc. |
| userPrincipalName | | |
| cn | | |
| dn | | |
| givenName | | |
| middleName | | |
| sn | | |
| ExtensionAttribute10 | | |
| title | | |
| EmailAddress | Email address | Firstname + "." + lastname + "@mycompany.com". If the email already exists, then Firstname + "." + lastname + "2" + "@mycompany.com" |
| memberOf | | |
| mobile | | |
| path (ou) | OU in which the user will be created | OU is linked to Department. Maintain a Department to OU mapping which can be used to determine the OU. |
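The sAMAccountName, EmailAddress and path (ou) rules from the matrix, worked as an added example (this is illustrative code written for this page, not OpenIAM's own rule engine). It assumes the `existing` argument stands in for a lookup of values already present in the directory, a constructed Department-to-OU mapping, and the `mycompany.com` domain from the matrix; it also generalises the email rule to keep incrementing beyond "2" and keeps the sAMAccountName within 20 characters when the counter reaches two digits, which the matrix does not spell out.

```python
import re

# Constructed Department -> OU mapping, as the "path (ou)" row recommends.
DEPT_TO_OU = {
    "Finance": "OU=Finance,OU=Users,DC=mycompany,DC=com",
    "Engineering": "OU=Engineering,OU=Users,DC=mycompany,DC=com",
}


def _clean(name):
    # Letters and digits only, lower-cased, so values are predictable and
    # valid for AD naming; an empty result is an input error, not a blank id.
    cleaned = re.sub(r"[^A-Za-z0-9]", "", name).lower()
    if not cleaned:
        raise ValueError("name must contain at least one letter or digit")
    return cleaned


def sam_account_name(first, last, existing):
    """19 chars of last name + first initial; on collision, 18 chars of last
    name + initial + counter starting at 2 (smithw, smithw2, ...)."""
    first, last = _clean(first), _clean(last)
    candidate = last[:19] + first[0]
    n = 2
    while candidate in existing:
        # Trim the stem as the counter grows so the value never exceeds 20
        # chars; the matrix only covers single-digit counters (assumption).
        candidate = last[:19 - len(str(n))] + first[0] + str(n)
        n += 1
    assert len(candidate) <= 20  # sAMAccountName limit stated in the matrix
    return candidate


def email_address(first, last, existing):
    """first.last@mycompany.com; if taken, append 2, 3, ... (the matrix
    shows only the "2" case; the counter generalises it)."""
    base = f"{_clean(first)}.{_clean(last)}"
    taken = {e.lower() for e in existing}
    candidate = f"{base}@mycompany.com"
    n = 2
    while candidate in taken:
        candidate = f"{base}{n}@mycompany.com"
        n += 1
    return candidate


def target_ou(department):
    """Resolve the OU via the mapping; an unmapped department is an error
    rather than a silent fallback to a default container."""
    if department not in DEPT_TO_OU:
        raise LookupError(f"no OU mapping for department {department!r}")
    return DEPT_TO_OU[department]
```

In a real deployment the `existing` sets would be replaced by a live uniqueness check against the target directory at provisioning time, since values cached from an earlier run can already be taken.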

In this matrix, you should also account for the event-based rules captured in the joiners/movers/leavers part of the planning matrix. Some aspects of the JML rules may be event-based, and the action can differ per application. For example, on a termination you may disable the account in Active Directory, but end-date the account in Oracle EBS. These details are important for both implementation and documentation purposes.