Showing posts with label Identity Management. Show all posts

Thursday, April 30, 2015

OIM 11g R2 PS2 (11.1.2.2): OOTB Composites, Approval Policies and Disconnected App Provisioning

In this post, I will talk about something I did not notice at first glance while working with OIM 11g R2 PS2. The change is that the OOTB approval policies no longer come with the product; you start with a blank slate. Out of the box there are no approval policies in OIM to be seen.

If you provision a disconnected application, however, the request still goes through "Request Level Approval" and then "Operational Level Approval".
On further investigation I found that, when the Application Instance is marked Disconnected, the approval workflows are hard-coded in the process task adapters.

The "ManualProvisioningStart" task has the workflow "DisconnectedProvisioning!1.0" attached, which is invoked directly on create, enable, disable, modify and similar operations.

By default, connected applications do not go through any approvals, since there are no approval policies to trigger them.

We can still leverage the 12 SOA approval workflows (composites) that are available on the SOA server, namely the two certification composites plus the ten listed by name below:


  1. 2 certification related
  2. AutoApproval
  3. BeneficiaryManagerApproval
  4. DefaultOperationApproval
  5. DefaultRequestApproval
  6. DefaultRoleApproval
  7. DefaultSODApproval
  8. OAACGRoleAssignSODCheck
  9. ProvideInformation
  10. RequestorManagerApproval
  11. DisconnectedProvisioning

Also, as mentioned before, all the self-assign role/resource request types have been deprecated, along with the resource-related request types.


Sunday, March 22, 2015

IAM - Custom Connector Development Questions

In this post, I will list a few questions that help in designing, building and estimating a custom connector for an IAM solution.

These questions are quite generic and can be used in a variety of situations.


  1. Provisioning, Reconciliation, or both? Provisioning is generally assumed by default, since that is the whole point of connector development, but keep the reconciliation estimate in mind too if it is required. If both are required, the estimate obviously goes up and the development cycle gets much longer.
  2. Is the end system an Authoritative Source (Yes/No)? If the end system is the authoritative source of user, role or organization data, the connector needs a slightly different design with more checks and balances in place.
  3. Provisioning Functions (CRUD)? Which provisioning functions should the connector support? Most likely all of them, but in some situations delete, or update of every attribute, is not required, and leaving those out saves time and effort for a tailored solution.
  4. Reconciliation Features (Agentless or Agent-based)? Most connectors should work without installing anything on the end system (i.e. agentless), which reduces the time, effort and complexity involved. Where an agent-based connector is required, two components are developed, one on the end system and one on the IAM system, and this requires more testing and fault tolerance.
  5. Are passwords or any other secure attributes part of the connector development?
  6. What are the connectivity requirements for the connector, such as SSL/TLS or any other protocol?
  7. What types of user accounts should this connector support (Regular Users/Service Accounts/Any Other)?
  8. How many attributes should this connector support? This can greatly affect time and effort, as more attributes call for a generic design that makes the connector more flexible at the cost of extra effort early on.
  9. Is Group/Role/Entitlement/Org or any other entity management part of the connector solution?
  10. Any other additional capabilities that this connector should support?
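As an added illustration (not code from this post or from any IAM product), the Python sketch below shows how the answers to questions 1 to 8 shape a connector's structure: a configurable attribute map, CRUD provisioning expressed in IdM attribute names, secure attributes redacted before anything is logged, a verifying TLS client context, and reconciliation computed as a diff between the IdM view and the target view, with the authoritative-source flag deciding whether an unknown target account becomes a new identity or an orphan to investigate. The target system is an in-memory dict, and the account data and attribute names are constructed for the example.

```python
"""Constructed, offline sketch of the connector design decisions behind the
questionnaire above. The target system is a plain dict; no product code here."""
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Q5: attributes that must never be logged or compared during reconciliation.
SECURE_ATTRS = {"password"}

# Q8: an attribute map keeps field names out of the connector logic, so adding
# an attribute later is a configuration change rather than a code change.
ATTR_MAP = {"uid": "login", "mail": "email", "password": "passwd"}  # IdM -> target
REVERSE_MAP = {v: k for k, v in ATTR_MAP.items()}                   # target -> IdM


def make_tls_context() -> ssl.SSLContext:
    """Q6: a verifying TLS client context; the checks are never switched off."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def redact(attrs: Dict[str, str]) -> Dict[str, str]:
    """Mask secure attributes before they can reach a log line."""
    return {k: ("***" if k in SECURE_ATTRS else v) for k, v in attrs.items()}


@dataclass
class ReconEvent:
    kind: str  # "update", "missing", "orphan" or "create"
    uid: str
    changes: Dict[str, Tuple[Optional[str], str]] = field(default_factory=dict)


class Connector:
    """Agentless (Q4) connector: talks to the target API, installs nothing on it."""

    def __init__(self, target: Dict[str, Dict[str, str]], authoritative: bool = False):
        self.target = target              # stands in for the remote account store
        self.authoritative = authoritative  # Q2
        self.log: List[str] = []

    # Q3: provisioning CRUD, written against IdM attribute names.
    def create(self, attrs: Dict[str, str]) -> None:
        uid = attrs["uid"]
        if uid in self.target:
            raise KeyError(f"{uid} already exists on target")
        self.target[uid] = {ATTR_MAP[k]: v for k, v in attrs.items() if k in ATTR_MAP}
        self.log.append(f"create {redact(attrs)}")

    def update(self, uid: str, attrs: Dict[str, str]) -> None:
        for k, v in attrs.items():
            if k in ATTR_MAP:
                self.target[uid][ATTR_MAP[k]] = v
        self.log.append(f"update {uid} {redact(attrs)}")

    def delete(self, uid: str) -> None:
        self.target.pop(uid, None)
        self.log.append(f"delete {uid}")

    # Q1: reconciliation is a diff between what IdM believes and what the target holds.
    def reconcile(self, idm_view: Dict[str, Dict[str, str]]) -> List[ReconEvent]:
        events: List[ReconEvent] = []
        for uid, raw in self.target.items():
            # Translate to IdM names and drop secure attributes (Q5) from the comparison.
            target_attrs = {REVERSE_MAP[k]: v for k, v in raw.items()
                            if k in REVERSE_MAP and REVERSE_MAP[k] not in SECURE_ATTRS}
            if uid not in idm_view:
                # Q2: an authoritative source creates the identity; any other
                # system's unknown account is an orphan to be investigated.
                events.append(ReconEvent("create" if self.authoritative else "orphan", uid))
                continue
            changes = {k: (idm_view[uid].get(k), v) for k, v in target_attrs.items()
                       if idm_view[uid].get(k) != v}
            if changes:
                events.append(ReconEvent("update", uid, changes))
        for uid in idm_view:
            if uid not in self.target:
                events.append(ReconEvent("missing", uid))  # account gone from target
        return events


def sample_target() -> Dict[str, Dict[str, str]]:
    """Constructed target data for a stand-alone run."""
    return {"alice": {"login": "alice", "email": "alice@new.example", "passwd": "s3cret"},
            "bob": {"login": "bob", "email": "bob@example.test", "passwd": "hunter2"}}


if __name__ == "__main__":
    idm = {"alice": {"uid": "alice", "mail": "alice@old.example"},
           "carol": {"uid": "carol", "mail": "carol@example.test"}}
    for e in Connector(sample_target()).reconcile(idm):
        print(e)
```

The reconciliation loop never compares or emits the password attribute, and the log entries carry the redacted form, so an agentless run over a large target can be traced without leaking secure attributes; flipping `authoritative` is the one-line difference between "bob is a new identity" and "bob is a rogue account".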



Saturday, March 21, 2015

IAM - Application Integration Questionnaire

In this post, I have put together a list of questions that can be asked when integrating any standard or custom third-party application with the IdM product.
These questions are especially helpful when the number of apps is large.

1. App Name
2. App Description
3. No. of Users
4. Types of Users
5. Type of App (online/thick client/legacy/cloud/any other): please specify
6. No. of App Instances
7. Type of connectivity available (JDBC/Web Service/Directory/Messaging system/File system/any other)
8. Database used by the App (Proprietary/Standard)
9. Database name, if known
10. Is it an authoritative source of data for Users/Roles/Org or any other entity?
11. Does this App depend on any other App?
12. If yes, name the other App
13. Network zone this App resides in (public/subnet/intranet/firewalled/limited etc.)
14. Any web services exposed by this App?
15. Is SSO a requirement for this App?
16. Is provisioning a requirement for this App?
17. Is reconciliation a requirement for this App?
18. Is password sync a requirement for this App?
19. Does this App require any special treatment from a performance, security or high availability perspective?
20. What does this App store? Tick all that apply (Users/Groups/Roles/Entitlements/Org Structure)