Prov Rules/ Plan and Policy

  • Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity.
User provisioning and account provisioning are the same term and are used interchangeably.
Provisioning can be thought of as:

1. The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity by creation of user accounts on target systems.
2. The process of providing customers or clients with accounts, the appropriate access to those accounts, all the rights associated with those accounts, and all of the resources necessary to manage the accounts.
Types of provisioning include:
1. Automated provisioning – Detecting a new user record in the Authoritative Source or HR System and automatically provisioning that user with appropriate access on the target applications.
2. Self-service provisioning – allows users to update their profile data and request an account or request an entitlement and manage their own passwords.
3. Workflow-based provisioning – gathers the required approvals from the designated approvers before granting a user access to an application or data.
Provisioning Rules 
These rules run during the processing of provisioning requests.  
Some are connector specific and some apply for all connectors, as indicated in their descriptions.  

BeforeProvisioning 
The BeforeProvisioning rule is executed immediately before the connector's provisioning method is called. This gives customers the ability to customize or react to anything in the ProvisioningPlan before the requests are sent to the underlying connectors used in provisioning. This rule is not connector-specific; it runs for all applications regardless of connector type.

AfterProvisioning 
An application's AfterProvisioning rule is executed immediately after the connector's provisioning method is called, but only if the provisioning result is in a committed or queued state. This gives customers the ability to customize or react to anything in the ProvisioningPlan that has been sent out to specific applications after the provisioning request has been processed. This rule is not connector-specific; it runs for all applications regardless of connector type.

JDBCProvision 
A JDBCProvision rule is only specified for an application that uses the JDBC connector and supports provisioning. It contains the application-specific provisioning logic for applications which use that connector. The JDBC connector is a generic connector that cannot know how to provision to a specific database except as instructed by the custom-written logic provided in a provisioning rule.


JDBCOperationProvisioning 
A JDBCOperationProvisioning rule is only specified for an application that uses the JDBC connector and supports provisioning. It contains application- and operation-specific provisioning logic for the application. The JDBC connector is a generic connector that cannot know how to provision to a specific database except as instructed by the custom-written logic provided in a provisioning rule.
Separate JDBCOperationProvisioning rules are created for account enabling, account disabling, account deletion, account unlocking, account creation, and account modification. This rule type was introduced in IdentityIQ version 6.1 as an alternative to specifying a single JDBCProvision rule which performs all of these operations for the application.


Assignment Rules 
These rules are used in determining the recipient Identity for email notifications, escalations, approvals, etc.  These apply to different types of system objects, as noted in each rule description. 



Provisioning plan and Provisioning policy:

Lifecycle Management triggers the LCM Provisioning workflow. Provisioning needs a plan as input, and that provisioning plan is actually built from the provisioning policy configured on the application's connector.

Provisioning Plan   comes from   ------>  Provisioning Policy

Provisioning Policy  -  used to prepopulate form data



ProvisioningPlan:

A ProvisioningPlan is a single object that contains information about what is to be provisioned on the target and on which application.

The plan also records which identity it is for, and it can hold multiple account requests. Each account request may in turn contain multiple attribute requests.



A ProvisioningPlan uses AccountRequest for operations such as:  [ Create, Modify, Delete, Enable, Disable, Unlock ]

A ProvisioningPlan uses AttributeRequest for operations such as:  [ Add, Set, Revoke, Remove ]


1.     ProvisioningPlan is the object which represents a provisioning request.
2.     It is the class sailpoint.object.ProvisioningPlan (package sailpoint.object).
3.     It states for which identity or user the request has been raised, which target application account the create, modify or delete operations apply to, and which related IIQ attributes are to be modified.
4.     It is an object which contains information about what is to be provisioned on the target application.
5.     It can hold multiple account requests. Each account request may contain multiple attribute requests for the identity.
For example, code for a provisioning plan (Java/Beanshell; identityObject is assumed to be an Identity that has already been loaded):

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identityObject); // relate the plan to a specific identity
ProvisioningPlan.AccountRequest accountRequest = new ProvisioningPlan.AccountRequest();
accountRequest.setNativeIdentity("xxx");          // the account's native identity on the target
accountRequest.setApplication("Application-Name"); // in which application
accountRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Create);

// if you want to assign default membership, add an attribute request to the account request
ProvisioningPlan.AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();
attributeRequest.setName("memberOf");
attributeRequest.setOperation(ProvisioningPlan.Operation.Add); // an enum value, not a string
attributeRequest.setValue("yyy");

accountRequest.add(attributeRequest); // attach the attribute request to the account request
plan.add(accountRequest);             // attach the account request to the plan; without this the plan is empty

A Provisioning Plan is then compiled and processed by the IdentityIQ provisioning engine to add or remove the entitlements in the target applications.
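As an added example (not code from the original notes or from SailPoint), the body of a BeforeProvisioning rule, described earlier, that walks the plan structure above and strips any Add or Set of an assumed sensitive group from the memberOf attribute requests before the connector sees them, so that such membership can only be granted through a reviewed path. It assumes the standard rule inputs `plan` and `log`, and the group DN is a constructed placeholder.

```java
// Beanshell body of a BeforeProvisioning rule (added example; no generics, Beanshell-compatible).
// Assumed rule inputs: plan (sailpoint.object.ProvisioningPlan), log (Commons Logging logger).
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Constructed placeholder for a group that must never be granted by an unreviewed plan.
String sensitiveGroup = "CN=PrivilegedAdmins,OU=Groups,DC=example,DC=com";

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acct : plan.getAccountRequests()) {
        List attrs = acct.getAttributeRequests();
        if (attrs == null) continue;
        List kept = new ArrayList();
        for (Object o : attrs) {
            AttributeRequest attr = (AttributeRequest) o;
            boolean grants = attr.getOperation() == ProvisioningPlan.Operation.Add
                          || attr.getOperation() == ProvisioningPlan.Operation.Set;
            if ("memberOf".equals(attr.getName()) && grants) {
                Object v = attr.getValue();
                if (v instanceof List && ((List) v).contains(sensitiveGroup)) {
                    // Multi-valued request: drop only the sensitive value, keep the rest.
                    List trimmed = new ArrayList((List) v);
                    trimmed.remove(sensitiveGroup);
                    log.warn("Stripped " + sensitiveGroup + " from memberOf for "
                             + acct.getNativeIdentity() + " on " + acct.getApplication());
                    if (trimmed.isEmpty()) continue;   // nothing left to provision
                    attr.setValue(trimmed);
                } else if (sensitiveGroup.equals(v)) {
                    // Single-valued request for the sensitive group: drop the whole request.
                    log.warn("Dropped memberOf request for " + sensitiveGroup + " on "
                             + acct.getNativeIdentity() + " on " + acct.getApplication());
                    continue;
                }
            }
            kept.add(attr);
        }
        // Assumed setter on AccountRequest; replaces the list the connector will receive.
        acct.setAttributeRequests(kept);
    }
}
```

Because this runs for every application regardless of connector type, the filter applies to any plan that reaches the connectors; the warning in the log is the detection record an auditor would look for.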

Provisioning Policy:
1.     Provisioning policies are configured on an application to fill in the account attributes of the provisioning plan for account create/update/delete operations.
2.     A Provisioning Policy specifies which attributes are needed for a specific operation on a specific application account. For example, when performing an account "Create" operation on application "abc Directory", you need to populate the attributes: first name, last name, email, cn, dn, manager.