Design migration process
To create a profile of a user's access, we will need to:
- Define the application in OpenIAM
- Import entitlements
Most organizations have a collection of applications, some of which can be integrated through connectors and others which cannot. For the applications that have connectors, review the connector documentation. For those that do not, the application and its entitlements can be imported through CSV files. To simplify this process, out-of-the-box templates have been provided; the formats are described below.
Load application list
First load the list of applications into OpenIAM. Use a CSV file with the format described below.
Column name | Description |
---|---|
MANAGED_SYSTEM_NAME | Name as it will be defined in OpenIAM. The entitlement file below is matched to this value, so it must be unique and spelled exactly the same in both files. |
DESCRIPTION | User friendly description of this application or service |
IS_MANUAL | Y - if a connector does not exist. N - if a connector does exist |
IS_ACTIVE | Y - Configuration is available for use. N - configuration disabled and no tasks will be processed for this application. |
IS_VISIBLE | Y - Application is visible in the catalog. N - application is not visible in the catalog. |
PARTICIPATE_IN_ACCESSCERTIFICATION | Y - Application is available for use in access certification. N - application is not available for use in access certification |
CONNECTOR_NAME | Name of the OpenIAM connector which will be used with this configuration |
URL | URL of the application, service or tenant. |
PORT | Port this application is listening on. |
CATEGORY_NAME | Category under which the application should be listed in the service catalog. |
PERMISSIONS_LIST | Permissions which will be used with this application. Example: READ, WRITE, EXECUTE. These can be unique to this application |
APPLICATION_OWNER_TYPE | Type of application owner: User or Group |
APPLICATION_OWNER | Name of the application owner |
APPLICATION_ADMIN_TYPE | Type of application admin : User or Group |
APPLICATION_ADMIN | Name of the application admin |
APPROVER1_TYPE | Type of first approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER1 | Name of the first approver (user name or group name ) |
APPROVER2_TYPE | Type of second approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER2 | Name of the second approver (user name or group name ) |
APPROVER3_TYPE | Type of third approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER3 | Name of the third approver (user name or group name ) |
Example:
```csv
MANAGED_SYSTEM_NAME,DESCRIPTION,IS_MANUAL,IS_ACTIVE,IS_VISIBLE,PARTICIPATE_IN_ACCESSCERTIFICATION,CONNECTOR_NAME,URL,PORT,CATEGORY_NAME,PERMISSIONS_LIST,APPLICATION_OWNER_TYPE,APPLICATION_OWNER,APPLICATION_ADMIN_TYPE,APPLICATION_ADMIN,APPROVER1_TYPE,APPROVER1,APPROVER2_TYPE,APPROVER2,APPROVER3_TYPE,APPROVER3
Adobe Creative Cloud,,Y,Y,Y,,,,,Enterprise Applications,,,,GROUP,IT_HelpDesk,SUPERVISOR,Reports To,GROUP,Information_Security,,
Salesforce,,Y,Y,Y,,,,,Sales,,,,GROUP,IT_HelpDesk,SUPERVISOR,Reports To,GROUP,Information_Security,,
```
Both rows are manual applications (IS_MANUAL=Y), so CONNECTOR_NAME, URL and PORT are left empty. Every row must carry all 21 columns, including the trailing empty approver columns.
Load entitlements
The next step is to load the entitlements (groups and roles) that exist in each application. This step assumes that the users have already been created in OpenIAM and that the applications above have been loaded; here we are defining the permissions a user can hold in each application, together with their owners and approval flow.
Column name | Description |
---|---|
MANAGED_SYSTEM_NAME | Name of managed system. This value MUST align exactly with the managed system name from the file above |
GROUP_TYPE | If you are defining a group, then enter the group metadata type. This allows us to define types which are specific to an application. |
ROLE_TYPE | If you are defining a role, then enter the role metadata type. This allows us to define types which are specific to an application. |
ENTITLEMENT_NAME | Enter the group / role name. |
IS_ACTIVE | Flag indicating if this entitlement is active or not. |
ENTITLEMENT_OWNER_TYPE | Type of entitlement owner: User or Group |
ENTITLEMENT_OWNER | Name of the entitlement owner |
ENTITLEMENT_ADMIN_TYPE | Type of entitlement admin : User or Group |
ENTITLEMENT_ADMIN | Name of the entitlement admin |
APPROVER1_TYPE | Type of first approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER1 | Name of the first approver (user name or group name ) |
APPROVER2_TYPE | Type of second approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER2 | Name of the second approver (user name or group name ) |
APPROVER3_TYPE | Type of third approver: Supervisor, application owner, application admin, entitlement owner, specific user or group |
APPROVER3 | Name of the third approver (user name or group name ) |
Note that when defining the approval flow, OpenIAM supports defining the flow at both the application and the entitlement level. In this way, you can define the approval flow once at the application level and override it for individual entitlements where needed; leaving the approver columns empty in this file keeps the application-level flow.
Example:
```csv
MANAGED_SYSTEM_NAME,GROUP_TYPE,ROLE_TYPE,ENTITLEMENT_NAME,IS_ACTIVE,ENTITLEMENT_OWNER_TYPE,ENTITLEMENT_OWNER,ENTITLEMENT_ADMIN_TYPE,ENTITLEMENT_ADMIN,APPROVER1_TYPE,APPROVER1,APPROVER2_TYPE,APPROVER2,APPROVER3_TYPE,APPROVER3
MyApp,Application,,Third Party Application Support ServiceNow,Y,,,,,,,,,,
MyApp,Application,,Third Party Application Support MGR ServiceNow,Y,,,,,,,,,,
MyApp,Application,,Third Party DBA Support ServiceNow,Y,,,,,,,,,,
MyApp,Application,,Third Party DBA Support MGR ServiceNow,Y,,,,,,,,,,
```
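Because an entitlement row is matched to its application by the exact MANAGED_SYSTEM_NAME string, and a row whose approver or owner columns are half-filled silently produces an approval flow nobody intended, it pays to validate both files before importing them. The following pre-flight checker is an added example written for this page, not OpenIAM's own code: it reads the two CSV files in the formats described in the tables above and reports column-count mismatches, bad Y/N flags, a non-manual application with no CONNECTOR_NAME, whitespace in or duplicate MANAGED_SYSTEM_NAME values, entitlements that reference an unknown application, and *_TYPE columns set without a name (or vice versa). The upper-cased approver type spellings in APPROVER_TYPES are an assumption; adjust them to whatever your template uses. The sample rows embedded in the block are constructed for the demonstration, and two of them are deliberately wrong (a trailing space after "Salesforce" and an IS_MANUAL=N row without a connector).

```python
import csv
import io

# Column headers, copied from the two tables on this page.
APP_COLUMNS = [
    "MANAGED_SYSTEM_NAME", "DESCRIPTION", "IS_MANUAL", "IS_ACTIVE", "IS_VISIBLE",
    "PARTICIPATE_IN_ACCESSCERTIFICATION", "CONNECTOR_NAME", "URL", "PORT", "CATEGORY_NAME",
    "PERMISSIONS_LIST", "APPLICATION_OWNER_TYPE", "APPLICATION_OWNER", "APPLICATION_ADMIN_TYPE",
    "APPLICATION_ADMIN", "APPROVER1_TYPE", "APPROVER1", "APPROVER2_TYPE", "APPROVER2",
    "APPROVER3_TYPE", "APPROVER3",
]
ENT_COLUMNS = [
    "MANAGED_SYSTEM_NAME", "GROUP_TYPE", "ROLE_TYPE", "ENTITLEMENT_NAME", "IS_ACTIVE",
    "ENTITLEMENT_OWNER_TYPE", "ENTITLEMENT_OWNER", "ENTITLEMENT_ADMIN_TYPE", "ENTITLEMENT_ADMIN",
    "APPROVER1_TYPE", "APPROVER1", "APPROVER2_TYPE", "APPROVER2", "APPROVER3_TYPE", "APPROVER3",
]
YN = {"Y", "N"}
OWNER_TYPES = {"USER", "GROUP"}
# Assumed spellings for the approver types the tables list; adjust to match your template.
APPROVER_TYPES = {"SUPERVISOR", "APPLICATION_OWNER", "APPLICATION_ADMIN",
                  "ENTITLEMENT_OWNER", "USER", "GROUP"}


def _read(text, expected, label):
    """Parse CSV text into dicts; the header and every row must have exactly the expected columns."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != expected:
        raise ValueError(f"{label}: header does not match the template")
    out = []
    for i, row in enumerate(rows[1:], start=1):
        if len(row) != len(expected):
            raise ValueError(f"{label} row {i}: expected {len(expected)} columns, got {len(row)}")
        out.append(dict(zip(expected, row)))
    return out


def _check_pair(row, type_col, name_col, allowed, where, errors):
    """A *_TYPE column and its name column must be set together, and the type must be known."""
    t, name = row[type_col].strip(), row[name_col].strip()
    if bool(t) != bool(name):
        errors.append(f"{where}: {type_col} and {name_col} must be set together")
    if t and t.upper() not in allowed:
        errors.append(f"{where}: unknown {type_col} {t!r}")


def validate(app_csv, ent_csv):
    """Return a list of problems found in the pair of files; an empty list means they are consistent."""
    errors = []
    apps = _read(app_csv, APP_COLUMNS, "applications")
    ents = _read(ent_csv, ENT_COLUMNS, "entitlements")

    names = set()
    for i, r in enumerate(apps, start=1):
        where, name = f"applications row {i}", r["MANAGED_SYSTEM_NAME"]
        if not name.strip():
            errors.append(f"{where}: MANAGED_SYSTEM_NAME is empty")
        elif name != name.strip():
            # Entitlements are joined on this exact string, so stray spaces break the join silently.
            errors.append(f"{where}: MANAGED_SYSTEM_NAME {name!r} has leading/trailing whitespace")
        if name in names:
            errors.append(f"{where}: duplicate MANAGED_SYSTEM_NAME {name!r}")
        names.add(name)
        for col in ("IS_MANUAL", "IS_ACTIVE", "IS_VISIBLE"):
            if r[col] not in YN:
                errors.append(f"{where}: {col} must be Y or N")
        if r["PARTICIPATE_IN_ACCESSCERTIFICATION"] not in YN | {""}:
            errors.append(f"{where}: PARTICIPATE_IN_ACCESSCERTIFICATION must be Y, N or empty")
        if r["IS_MANUAL"] == "N" and not r["CONNECTOR_NAME"].strip():
            errors.append(f"{where}: IS_MANUAL=N requires CONNECTOR_NAME")
        if r["PORT"] and not (r["PORT"].isdigit() and 1 <= int(r["PORT"]) <= 65535):
            errors.append(f"{where}: PORT {r['PORT']!r} is not a valid port number")
        _check_pair(r, "APPLICATION_OWNER_TYPE", "APPLICATION_OWNER", OWNER_TYPES, where, errors)
        _check_pair(r, "APPLICATION_ADMIN_TYPE", "APPLICATION_ADMIN", OWNER_TYPES, where, errors)
        for n in (1, 2, 3):
            _check_pair(r, f"APPROVER{n}_TYPE", f"APPROVER{n}", APPROVER_TYPES, where, errors)

    seen = set()
    for i, r in enumerate(ents, start=1):
        where, system = f"entitlements row {i}", r["MANAGED_SYSTEM_NAME"]
        if system not in names:  # exact string match, as the table requires
            errors.append(f"{where}: MANAGED_SYSTEM_NAME {system!r} is not in the application file")
        if bool(r["GROUP_TYPE"].strip()) == bool(r["ROLE_TYPE"].strip()):
            errors.append(f"{where}: set exactly one of GROUP_TYPE or ROLE_TYPE")
        if not r["ENTITLEMENT_NAME"].strip():
            errors.append(f"{where}: ENTITLEMENT_NAME is empty")
        if r["IS_ACTIVE"] not in YN:
            errors.append(f"{where}: IS_ACTIVE must be Y or N")
        key = (system, r["ENTITLEMENT_NAME"])
        if key in seen:
            errors.append(f"{where}: duplicate entitlement {key!r}")
        seen.add(key)
        _check_pair(r, "ENTITLEMENT_OWNER_TYPE", "ENTITLEMENT_OWNER", OWNER_TYPES, where, errors)
        _check_pair(r, "ENTITLEMENT_ADMIN_TYPE", "ENTITLEMENT_ADMIN", OWNER_TYPES, where, errors)
        for n in (1, 2, 3):
            _check_pair(r, f"APPROVER{n}_TYPE", f"APPROVER{n}", APPROVER_TYPES, where, errors)
    return errors


# Constructed sample input: two manual applications (one with a trailing space in its name, which
# is a mistake) and a connector-backed one whose CONNECTOR_NAME was forgotten.
APP_CSV = ",".join(APP_COLUMNS) + "\n" + "\n".join([
    "Adobe Creative Cloud,,Y,Y,Y,,,,,Enterprise Applications,,,,GROUP,IT_HelpDesk,SUPERVISOR,Reports To,GROUP,Information_Security,,",
    "Salesforce ,,Y,Y,Y,,,,,Sales,,,,GROUP,IT_HelpDesk,SUPERVISOR,Reports To,GROUP,Information_Security,,",
    "ServiceNow,,N,Y,Y,Y,,https://example.service-now.com,443,IT,,USER,jdoe,,,,,,,,",
]) + "\n"
# Constructed entitlements: 'Salesforce' no longer matches 'Salesforce ', and 'MyApp' was never loaded.
ENT_CSV = ",".join(ENT_COLUMNS) + "\n" + "\n".join([
    "Adobe Creative Cloud,Application,,Creative Cloud Editors,Y,GROUP,IT_HelpDesk,,,,,,,,",
    "Salesforce,Application,,Sales Reps,Y,,,,,,,,,,",
    "MyApp,Application,,Third Party DBA Support ServiceNow,Y,,,,,,,,,,",
]) + "\n"

if __name__ == "__main__":
    for problem in validate(APP_CSV, ENT_CSV):
        print(problem)
```

Run it against the real files before importing them, and treat any finding as a blocker: a mismatched MANAGED_SYSTEM_NAME means the entitlement is created against no application, and a half-filled approver pair means requests for that entitlement will not route to the people you expect.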