Implementing the Plan

After the plans are partitioned and any missing fields are provided, the subdivided plans can be implemented through one of the following mechanisms:

• Integrations

• Direct Read-Write Connectors

• Work Items

The results are recorded in the plan and indicate if the request was implemented immediately or placed in a queue for future implementation. This status determines when the identity cube is updated to reflect the provisioned changes. See also Updating the Identity Cube.

The following table provides an overview of the provisioning mechanism.

Provisioning Mechanism	Plan Implementation
Integration Executors	Managed plan implementation using integration executors.Starts as an asynchronous process that might not complete immediately.
Direct Read-Write Connectors	Application objects contain the provisioning configuration.
Work Items	Unmanaged plan implementation using the controlling workflow.

Integrations

Integrations are a separately licensed components that communicate with systems within your network. The following table provides and overview of the integration modules and connectors.

System	Module	Connector
Provisioning systems, such as: OIM, ISIM, FIM	Provisioning Integration Modules (PIMs)	Read/write connectors and IntegrationConfigs/Executors
IT Service Management, such as: Remedy, Service Now, HP Service Manager	Service Integration Modules (SIMs)	IntegrationConfigs/Executors
Mobile device management systems, such as: AirWatch, MobileIron, Good Technology	Mobile Integration Modules (MIMs)	Read/write Connectors
IT Security: HP ArcSight	IT Security Integration Module	IntegrationConfigs/Executors
Enterprise Applications: Oracle EBS, SAP Portal, PeopleSoft, Siebel and NetSuite	Enterprise Resource Planning Integration Modules (ERP Integration Modules)	Read/Write Connectors
Mainframe: RACF, CA-Top Secret, CA-ACF2, RACF LDAP and Top Secret LDAP	Mainframe Integration Modules	Read/Write Connectors
Healthcare: Epic and Cerner	Healthcare Integration Modules	Read/Write Connectors
Identity Intelligence/Analytics: SAP GRC	GRC Integration Module	IntegrationConfigs/Executors

Integration Executors attempt an immediate update of the target application. If the immediate update attempt is unsuccessful, Integration Executors, place the activity in a queue.

Note: Even if the activity does not immediately commit, the Integration Executors cannot communicate back to IdentityIQ when the request is completed. Therefore, these requests are always considered to be queued.

See also Plan Initializer Rule.

Direct Read-Write Connectors

Read-write connectors are available to manage data communication between IdentityIQ and an ever-increasing number of applications. For applications using these connectors, you manage provisioning activities through the variables in the Provisioning configuration for that application.

Provisioning using direct read-write connector with these applications is fully automated. These connectors generally:

• Run the plan immediately.

• Can report back a committed status to IdentityIQ in real time.

• Confirm that the changes can be reflected on the identity cube immediately.

See also Plan Initializer Rule.

IdentityIQ Updates

For items that require updates to IdentityIQ, such as roles assigned to an identity or identity attribute changes, a separate plan is created. These requests are similar to direct connector updates. Although no connector is required to complete these internal updates, the requests are run immediately and are reported back as committed when updated.

Work Items

Work Items, opened in IdentityIQ that contain provisioning instructions, to provision unmanaged plans. The controlling workflow or Remediation Manager is responsible for implementing an unmanaged plan. An unmanaged plan:

• Includes provisioning requests to any application where data is aggregated using read-only connectors.

• Does not have an Integration Executor that communicates with the plan.

• Are identified and examined after the Integration Executors and direct read-write connectors are called.

If the unmanaged plan contains any requests, one or more work items are opened in IdentityIQ that contains the provisioning instructions from the plan. Each work item is assigned to a user who is responsible for implementing the changes required to complete the specified provisioning tasks. Work item assignees are often the application or entitlement owner. When the provisioning action is completed, the work item assignee must manually mark the work item as complete.

Note: Provisioning tasks managed through work items are considered queued, rather than committed. Even if the assigned user marks the work item complete, IdentityIQ cannot determine with certainty if the changes were actually made until the next aggregation from the source application is completed.

Plan Initializer Rule

You can specify a Plan Initializer rule to run during the implementation of the provisioning plan. An installation-specific rule can be added to integration and provisioning configurations. When a rule is specified, it runs immediately prior to running the provisioning activity for the application. Provisioning is based on the provisioning plan and application associated configuration or integration executor.

See also Implementing the Plan.