Automated Provisioning

The diagram below provides a high-level overview of how automated provisioning works in OpenIAM. The diagram also takes into account that a deployment may have more than one authoritative source. Authoritative sources can be segregated based on a variety of factors, including user type, attributes, etc.

(Diagram: life cycle management overview)

Most human resources (HR) systems can be integrated with OpenIAM using one of the following approaches:

  • API / SDK / Database view - OpenIAM can use the API, SDK or database view provided by the HR system to extract user and organizational information at regularly scheduled intervals (every 1 hr, 4 hrs, 24 hrs, etc.). This approach requires the use of an OpenIAM Connector.
  • CSV file - A CSV file generated by the HR system and placed on a network location, from which OpenIAM picks up and processes the files at regular intervals.

In either scenario, OpenIAM does the following to implement automated provisioning:

  • Query the source system for new information about employees through the connectors
  • For each new or modified user that is found, the OpenIAM synchronization service will:
    • Map the incoming data to OpenIAM objects
    • Determine the level of access that a user should have across applications by determining the appropriate birthright access as well as other entitlement membership
    • Pass the object to the provisioning services
  • The provisioning service will perform the following steps:
    • From the authorization service, obtain a full list of entitlements based on a person's group or role membership
    • For each application that a person should be provisioned to, the service will:
      • Determine the value of each attribute by using a policy map associated with a "Managed System"
      • Send a message to each connector with the results of the policy map
  • Connectors will:
    • Communicate with the target system
    • Apply the changes to the target system based on the message received from the provisioning service
    • Send a response back to OpenIAM via the message bus. OpenIAM will update the identity status and save the actions in the audit logs.
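The flow above, modelled as an added Python example (it is not OpenIAM's own code and only mirrors the steps in outline): the CSV feed, the previous-sync snapshot, the birthright rules, the group-to-entitlement table and the per-system policy maps are all constructed, hypothetical values.

```python
import csv
import io

# Constructed sample HR feed (the CSV-file scenario); not real OpenIAM data.
HR_CSV = """employee_id,first_name,last_name,department,user_type
1001,Ada,Lovelace,Engineering,EMPLOYEE
1002,Bob,Stone,Finance,CONTRACTOR
"""
# Snapshot from the last sync run: 1001 is already known, but her department has changed.
PREVIOUS = {"1001": {"employee_id": "1001", "first_name": "Ada", "last_name": "Lovelace",
                     "department": "Research", "user_type": "EMPLOYEE"}}

# Hypothetical birthright rules (user type -> groups) and group -> per-application entitlements.
BIRTHRIGHT = {"EMPLOYEE": ["all-staff", "vpn-users"], "CONTRACTOR": ["all-staff"]}
GROUP_ENTITLEMENTS = {"all-staff": {"ad": "Domain Users", "email": "mailbox"},
                      "vpn-users": {"vpn": "remote-access"}}
# Hypothetical policy maps, one per managed system: attribute -> rule over the identity object.
POLICY_MAPS = {
    "ad": {"sAMAccountName": lambda u: (u["first_name"][0] + u["last_name"]).lower(),
           "department": lambda u: u["department"]},
    "email": {"mail": lambda u: f"{u['first_name']}.{u['last_name']}@example.com".lower()},
    "vpn": {"uid": lambda u: u["employee_id"]},
}

def changed_users(csv_text, previous):
    """Synchronization: keep only rows that are new or differ from the last snapshot."""
    return [r for r in csv.DictReader(io.StringIO(csv_text))
            if previous.get(r["employee_id"]) != r]

def entitlements_for(user):
    """Authorization: birthright groups first, then the entitlements those groups carry."""
    apps = {}
    for group in BIRTHRIGHT.get(user["user_type"], []):
        apps.update(GROUP_ENTITLEMENTS.get(group, {}))
    return apps

def provision(csv_text, previous):
    """Provisioning: one connector message per (changed user, managed system) pair."""
    messages = []
    for user in changed_users(csv_text, previous):
        op = "MODIFY" if user["employee_id"] in previous else "ADD"
        for system, entitlement in sorted(entitlements_for(user).items()):
            attrs = {name: rule(user) for name, rule in POLICY_MAPS[system].items()}
            messages.append({"system": system, "operation": op,
                             "entitlement": entitlement, "attributes": attrs})
    return messages

if __name__ == "__main__":
    for message in provision(HR_CSV, PREVIOUS):
        print(message)
```

The contractor never receives a VPN message because no birthright group grants it, which is the point of deriving access from rules rather than copying it per user.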