Implementing the Plan
After the plans are partitioned and any missing fields are provided, the subdivided plans can be implemented through one of the following mechanisms:
The results are recorded in the plan and indicate if the request was implemented immediately or placed in a queue for future implementation. This status determines when the identity cube is updated to reflect the provisioned changes. See also Updating the Identity Cube.
The following table provides an overview of the provisioning mechanism.
Provisioning Mechanism |
Plan Implementation |
Integration Executors |
Managed plan implementation using integration executors.Starts as an asynchronous process that might not complete immediately. |
Direct Read-Write Connectors |
Application objects contain the provisioning configuration. |
Work Items |
Unmanaged plan implementation using the controlling workflow. |
Integrations
Integrations are a separately licensed components that communicate with systems within your network. The following table provides and overview of the integration modules and connectors.
System |
Module |
Connector |
Provisioning systems, such as: |
Provisioning Integration Modules (PIMs) |
Read/write connectors and |
IT Service Management, such as: |
Service Integration Modules (SIMs) |
IntegrationConfigs/Executors |
Mobile device management systems, such as: AirWatch, MobileIron, Good Technology |
Mobile Integration Modules (MIMs) |
Read/write Connectors |
IT Security: HP ArcSight |
IT Security Integration Module |
IntegrationConfigs/Executors |
Enterprise Applications: Oracle EBS, SAP Portal, PeopleSoft, Siebel and NetSuite |
Enterprise Resource Planning Integration Modules (ERP Integration Modules) |
Read/Write Connectors |
Mainframe: RACF, CA-Top Secret, CA-ACF2, RACF LDAP and Top Secret LDAP |
Mainframe Integration Modules |
Read/Write Connectors |
Healthcare: Epic and Cerner |
Healthcare Integration Modules |
Read/Write Connectors |
Identity Intelligence/Analytics: SAP GRC |
GRC Integration Module |
IntegrationConfigs/Executors |
Integration Executors attempt an immediate update of the target application. If the immediate update attempt is unsuccessful, Integration Executors, place the activity in a queue.
Note: Even if the activity does not immediately commit, the Integration Executors cannot communicate back to IdentityIQ when the request is completed. Therefore, these requests are always considered to be queued.
See also Plan Initializer Rule.
Direct Read-Write Connectors
Read-write connectors are available to manage data communication between IdentityIQ and an ever-increasing number of applications. For applications using these connectors, you manage provisioning activities through the variables in the Provisioning configuration for that application.
Provisioning using direct read-write connector with these applications is fully automated. These connectors generally:
-
Run the plan immediately.
-
Can report back a committed status to IdentityIQ in real time.
-
Confirm that the changes can be reflected on the identity cube immediately.
See also Plan Initializer Rule.
IdentityIQ Updates
For items that require updates to IdentityIQ, such as roles assigned to an identity or identity attribute changes, a separate plan is created. These requests are similar to direct connector updates. Although no connector is required to complete these internal updates, the requests are run immediately and are reported back as committed when updated.
Work Items
Work Items, opened in IdentityIQ that contain provisioning instructions, to provision unmanaged plans. The controlling workflow or Remediation Manager is responsible for implementing an unmanaged plan. An unmanaged plan:
-
Includes provisioning requests to any application where data is aggregated using read-only connectors.
-
Does not have an Integration Executor that communicates with the plan.
-
Are identified and examined after the Integration Executors and direct read-write connectors are called.
If the unmanaged plan contains any requests, one or more work items are opened in IdentityIQ that contains the provisioning instructions from the plan. Each work item is assigned to a user who is responsible for implementing the changes required to complete the specified provisioning tasks. Work item assignees are often the application or entitlement owner. When the provisioning action is completed, the work item assignee must manually mark the work item as complete.
Note: Provisioning tasks managed through work items are considered queued, rather than committed. Even if the assigned user marks the work item complete, IdentityIQ cannot determine with certainty if the changes were actually made until the next aggregation from the source application is completed.
Plan Initializer Rule
You can specify a Plan Initializer rule to run during the implementation of the provisioning plan. An installation-specific rule can be added to integration and provisioning configurations. When a rule is specified, it runs immediately prior to running the provisioning activity for the application. Provisioning is based on the provisioning plan and application associated configuration or integration executor.
See also Implementing the Plan.