Provisioning rules
For each target application defined in the planning matrix, check whether it can be integrated with a connector to support automated provisioning and deprovisioning. If provisioning can be automated, define a matrix like the one below to record which attributes OpenIAM will update and how their values are generated. The example is based on Active Directory, but the exercise should be repeated for every integrated application.
Application Name: Active Directory
| Field Name | Description | Rules to generate value |
|---|---|---|
| sAMAccountName | User identity | Limited to 20 characters. First 19 characters of the last name + first letter of the first name. If it is not unique, then 18 characters of the last name + first character of the first name + a numeric value that is incremented by 1. Example: smithw, smithw2, etc. |
| userPrincipalName | | |
| cn | | |
| dn | | |
| givenName | | |
| middleName | | |
| sn | | |
| ExtensionAttribute10 | | |
| title | | |
| EmailAddress | Email address | Firstname + "." + lastname + "@mycompany.com". If the email already exists, then Firstname + "." + lastname + "2" + "@mycompany.com" |
| memberOf | | |
| mobile | | |
| path (ou) | OU in which the user will be created | The OU is linked to the Department. Maintain a Department-to-OU mapping that can be used to determine the OU. |
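As an added illustration (not OpenIAM's own rule engine or code), the following Python implements the generation rules from the matrix above: the sAMAccountName rule with its 20-character limit and collision suffix, the EmailAddress rule, and the Department-to-OU lookup. The directory contents, department names and OU paths are constructed sample values; the code also goes slightly beyond the matrix by keeping the email suffix incrementing past "2" and by trimming the last name further once the sAMAccountName counter reaches two digits, so the 20-character limit is never exceeded.

```python
import re
import unicodedata
# Constructed snapshot of values already in the directory (stands in for AD lookups).
EXISTING_SAM = {"smithw", "smithw2", "jonesa"}
EXISTING_MAIL = {"william.smith@mycompany.com", "ann.jones@mycompany.com"}
# Department -> OU mapping from the matrix (constructed example values).
DEPT_TO_OU = {
    "Finance": "OU=Finance,OU=Users,DC=mycompany,DC=com",
    "Engineering": "OU=Engineering,OU=Users,DC=mycompany,DC=com",
}

def _normalize(name: str) -> str:
    """Lower-case, strip accents and anything outside [a-z0-9] (safe for sAMAccountName and mail)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore")
    return re.sub(r"[^a-z0-9]", "", ascii_name.decode().lower())

def sam_account_name(first: str, last: str, existing: set) -> str:
    """Matrix rule: first 19 chars of last name + first letter of first name.
    On collision: 18 chars of last + first letter + counter starting at 2.
    Two-digit counters trim the last name one more character to stay at 20."""
    f, l = _normalize(first), _normalize(last)
    if not f or not l:
        raise ValueError("first and last name must contain letters or digits")
    candidate = l[:19] + f[0]
    n = 2
    while candidate in existing:
        candidate = l[:19 - len(str(n))] + f[0] + str(n)
        n += 1
    return candidate

def email_address(first: str, last: str, existing: set) -> str:
    """Matrix rule: first.last@mycompany.com; on collision append a counter (matrix shows "2")."""
    base = f"{_normalize(first)}.{_normalize(last)}"
    candidate = f"{base}@mycompany.com"
    n = 2
    while candidate in existing:
        candidate = f"{base}{n}@mycompany.com"
        n += 1
    return candidate

def build_ad_attributes(first: str, last: str, department: str) -> dict:
    """Generated attributes for one joiner; an unmapped department fails rather than landing in a default OU."""
    if department not in DEPT_TO_OU:
        raise ValueError(f"no OU mapping for department {department!r}")
    return {
        "sAMAccountName": sam_account_name(first, last, EXISTING_SAM),
        "EmailAddress": email_address(first, last, EXISTING_MAIL),
        "path": DEPT_TO_OU[department],
    }
```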
In this matrix, you should also account for the event-based rules captured in the joiners/movers/leavers (JML) part of the planning matrix. Some aspects of the JML rules may be event-based: on a termination, for example, you may disable the account in Active Directory but end-date the account in Oracle EBS. These details are important for both implementation and documentation purposes.