Implementing the Plan

After the plans are partitioned and any missing fields are provided, the subdivided plans can be implemented through one of the following mechanisms:

The results are recorded in the plan and indicate if the request was implemented immediately or placed in a queue for future implementation. This status determines when the identity cube is updated to reflect the provisioned changes. See also Updating the Identity Cube.

The following table provides an overview of the provisioning mechanism.

Provisioning Mechanism

Plan Implementation

Integration Executors

Managed plan implementation using integration executors.Starts as an asynchronous process that might not complete immediately.

Direct Read-Write Connectors

Application objects contain the provisioning configuration.

Work Items

Unmanaged plan implementation using the controlling workflow.

Integrations

Integrations are a separately licensed components that communicate with systems within your network. The following table provides and overview of the integration modules and connectors.

System

Module

Connector

Provisioning systems, such as:
OIM, ISIM, FIM

Provisioning Integration Modules (PIMs)

Read/write connectors and
IntegrationConfigs/Executors

IT Service Management, such as:
Remedy, Service Now, HP Service Manager

Service Integration Modules (SIMs)

IntegrationConfigs/Executors

Mobile device management systems, such as: AirWatch, MobileIron, Good Technology

Mobile Integration Modules (MIMs)

Read/write Connectors

IT Security: HP ArcSight

IT Security Integration Module

IntegrationConfigs/Executors

Enterprise Applications: Oracle EBS, SAP Portal, PeopleSoft, Siebel and NetSuite

Enterprise Resource Planning Integration Modules (ERP Integration Modules)

Read/Write Connectors

Mainframe: RACF, CA-Top Secret, CA-ACF2, RACF LDAP and Top Secret LDAP

Mainframe Integration Modules

Read/Write Connectors

Healthcare: Epic and Cerner

Healthcare Integration Modules

Read/Write Connectors

Identity Intelligence/Analytics: SAP GRC

GRC Integration Module

IntegrationConfigs/Executors

Integration Executors attempt an immediate update of the target application. If the immediate update attempt is unsuccessful, Integration Executors, place the activity in a queue.

Note: Even if the activity does not immediately commit, the Integration Executors cannot communicate back to IdentityIQ when the request is completed. Therefore, these requests are always considered to be queued.

See also Plan Initializer Rule.

Direct Read-Write Connectors

Read-write connectors are available to manage data communication between IdentityIQ and an ever-increasing number of applications. For applications using these connectors, you manage provisioning activities through the variables in the Provisioning configuration for that application.

Provisioning using direct read-write connector with these applications is fully automated. These connectors generally:

  • Run the plan immediately.

  • Can report back a committed status to IdentityIQ in real time.

  • Confirm that the changes can be reflected on the identity cube immediately.

See also Plan Initializer Rule.

IdentityIQ Updates

For items that require updates to IdentityIQ, such as roles assigned to an identity or identity attribute changes, a separate plan is created. These requests are similar to direct connector updates. Although no connector is required to complete these internal updates, the requests are run immediately and are reported back as committed when updated.

Work Items

Work Items, opened in IdentityIQ that contain provisioning instructions, to provision unmanaged plans. The controlling workflow or Remediation Manager is responsible for implementing an unmanaged plan. An unmanaged plan:

  • Includes provisioning requests to any application where data is aggregated using read-only connectors.

  • Does not have an Integration Executor that communicates with the plan.

  • Are identified and examined after the Integration Executors and direct read-write connectors are called.

If the unmanaged plan contains any requests, one or more work items are opened in IdentityIQ that contains the provisioning instructions from the plan. Each work item is assigned to a user who is responsible for implementing the changes required to complete the specified provisioning tasks. Work item assignees are often the application or entitlement owner. When the provisioning action is completed, the work item assignee must manually mark the work item as complete.

Note: Provisioning tasks managed through work items are considered queued, rather than committed. Even if the assigned user marks the work item complete, IdentityIQ cannot determine with certainty if the changes were actually made until the next aggregation from the source application is completed.

Plan Initializer Rule

You can specify a Plan Initializer rule to run during the implementation of the provisioning plan. An installation-specific rule can be added to integration and provisioning configurations. When a rule is specified, it runs immediately prior to running the provisioning activity for the application. Provisioning is based on the provisioning plan and application associated configuration or integration executor.

See also Implementing the Plan.