Identity Management Tips, Thoughts and Opinions

Matthew Pollicove



Provisioning Dynamically

I was having an extended email conversation with some peers about some issues they were experiencing with Pending Value Objects in SAP NetWeaver Identity Management. Now for sure, I’ve never been a fan, but I monitored the conversation because you never know when you might learn something. For a while, my most interesting comment was that “Pending values are something I’m still ‘pending’ on.” And I figured that would be about it.

After a bit, I decided to re-read the original question, thinking there’s got to be an easier way to handle the issue, which involved designing a mechanism to determine which repository a user should be provisioned to, based on the migration status of a specific system, and then, of course, do the provisioning.

I then remembered that I had created a “dynamic” provisioning mechanism some time ago for a client that might help. Since I like to share my knowledge far and wide, I will describe the solution.

The way I originally prototyped the process was to create the new user in IDM and then have the next task in the workflow create the user in Active Directory using the appropriate repository, chosen by the Business Unit the user belonged to (each BU had different starting points and Exchange servers, so a single IDM Repository was not going to cut it). I used an Action Task with a “To Custom” pass that contained a script that looked something like this:

// Main function: DYNAMIC_CREATE_USER

// Description: Initiates a provisioning task for a given entry in the identity store.
// Syntax: AuditRef = uProvision(Int MSKey, Int TaskID, Int RefAudit, Int Repository, String UserID, Int Delay[, Int Standalone]);
// Parameters:
// MSKey - The entry's ID (MSKey).
// TaskID - The ID of the task to be initiated.
// RefAudit - Reference audit, if available. If the function is called from a provisioning job, the audit reference of this task can be submitted to the task initiated by uProvision and inserted in the audit log. Use 0 if no reference audit is available.
// Repository - Repository ID. 0 means no repository.
// UserID - General user ID or message that will be inserted in the field USERID in the audit log. Typically this can be a distinguished name or Active Directory login name.
// Delay - Delay in seconds until the task should be initiated.
// Standalone - Optional. Normally, when a task is started with uProvision and RefAudit is given, the task will be an event task of the original task. This parameter specifies whether the task should be an event task or not.
// Possible values:
// 0: The task is started as an event task. (Default)
// 1: The task is started "standalone" (not as an event task).
// AuditRef - Audit reference or error message prefixed with !ERROR:.
// Example: MyAudit = uProvision(2, 5, 0, 0, "", 50);
// Run task 5 on MSKey 2 and wait for 50 seconds before the task is initiated.

var RepName = "";
var Repository = 0;

// Business Unit attribute of the entry this pass is processing
RepName = Par.get('BUSINESSUNIT');

uErrMsg(1, "Repository Name - " + RepName);

// Map the Business Unit to the ID of the repository that should own the AD account
if (RepName == "Corporate")
    Repository = 10;
else if (RepName == "Widgets")
    Repository = 9;
else if (RepName == "Gadgets")
    Repository = 11;
else if (RepName == "Thingys")
    Repository = 12;
else
    // Use the Default repository
    Repository = 1;

uErrMsg(1, "Repository Number - " + Repository);

var MSKey = uGetEntryID();
var TaskID = 123;
var RefAudit = 0;
var UserID = Par.get('DISPLAYNAME');
var Delay = 20;
var AuditRef = uProvision(MSKey, TaskID, RefAudit, Repository, UserID, Delay);

uErrMsg(1, "MSKey: " + MSKey + " TaskID: " + TaskID + " RefAudit: " + RefAudit + " Repository: " + Repository + " UserID: " + UserID + " Delay: " + Delay);
uErrMsg(1, "AuditRef: " + AuditRef);


Of course, the names of the Business Units and Repository values will depend on your project, and you might use a completely different attribute to base your Repository decision on.

The trick to this solution lies with the uProvision function executing the task using the correct repository. Now I know this could have been done using a standard “To-LDAP” pass with some lookups, but I wanted something more flexible. By using this technique, you are matching the provisioning action to a repository, which gives much more flexibility in the workflow.
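The same Business Unit to repository decision, written as an added example that is not the original post's script and not SAP's code. It runs outside IdM by taking the runtime functions (Par, uGetEntryID, uProvision, uErrMsg) as a hypothetical env object; the repository IDs and task ID are constructed values. It adds two things a reviewer would want in the pass above: the attribute value is trimmed and case-normalised so a stray trailing space does not silently route a user to the default repository, and the return value of uProvision is checked for the documented "!ERROR:" prefix so a failed provisioning call is surfaced instead of only logged as a string.

```javascript
// Added example; the IdM runtime (Par, uGetEntryID, uProvision, uErrMsg)
// is passed in as a hypothetical `env` object so this runs offline.

// Allow-list of business unit -> repository ID (constructed values).
// Anything not listed goes to the default repository, and that fallback is
// reported so it can be reviewed rather than passing unnoticed.
const REPOSITORY_BY_BU = {
  CORPORATE: 10,
  WIDGETS: 9,
  GADGETS: 11,
  THINGYS: 12,
};
const DEFAULT_REPOSITORY = 1;

// Normalise the attribute (trim, upper-case) before the lookup so "Corporate "
// or "corporate" in the identity store still resolves to the intended repository.
function resolveRepository(businessUnit) {
  const key = String(businessUnit == null ? "" : businessUnit).trim().toUpperCase();
  if (Object.prototype.hasOwnProperty.call(REPOSITORY_BY_BU, key)) {
    return { repository: REPOSITORY_BY_BU[key], defaulted: false };
  }
  return { repository: DEFAULT_REPOSITORY, defaulted: true };
}

// uProvision returns either an audit reference or a message prefixed "!ERROR:";
// separate the two cases so the workflow can react to a failure.
function parseAuditRef(result) {
  const text = String(result);
  if (text.indexOf("!ERROR:") === 0) {
    return { ok: false, error: text.substring("!ERROR:".length).trim() };
  }
  return { ok: true, auditRef: text };
}

// One dynamic provisioning call: pick the repository, start the task, check the result.
function dynamicCreateUser(env, taskId, delaySeconds) {
  const rawBu = env.Par.get("BUSINESSUNIT");
  const { repository, defaulted } = resolveRepository(rawBu);
  if (defaulted) {
    env.uErrMsg(1, "Unknown business unit '" + rawBu + "', using default repository " + repository);
  }
  const msKey = env.uGetEntryID();
  const userId = env.Par.get("DISPLAYNAME");
  const outcome = parseAuditRef(env.uProvision(msKey, taskId, 0, repository, userId, delaySeconds));
  if (!outcome.ok) {
    env.uErrMsg(1, "uProvision failed for MSKey " + msKey + ": " + outcome.error);
  }
  return Object.assign({ msKey: msKey, repository: repository, defaulted: defaulted }, outcome);
}

// Constructed stand-in for the IdM runtime: fixed MSKey, captured log lines,
// and one repository that refuses the task so the error path can be exercised.
function makeFakeEnv(attributes, failingRepository) {
  const log = [];
  return {
    log: log,
    Par: { get: function (name) { return attributes[name]; } },
    uGetEntryID: function () { return 4711; },
    uErrMsg: function (level, msg) { log.push(msg); },
    uProvision: function (msKey, taskId, refAudit, repository, userId, delay) {
      return repository === failingRepository
        ? "!ERROR: repository " + repository + " is not enabled"
        : "AUDIT-" + msKey + "-" + taskId + "-" + repository;
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const env = makeFakeEnv({ BUSINESSUNIT: "Corporate ", DISPLAYNAME: "Jane Doe" }, 12);
  console.log(dynamicCreateUser(env, 123, 20));
}
```

In a real "To Custom" pass the env object falls away and the built-in functions are called directly; what carries over is the lookup table, the normalisation, and the check on the uProvision return value.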


More Stories By Matthew Pollicove

Matt Pollicove is an Identity Management architect, engineer, trainer, project manager, author and blogger with experience in user account provisioning, data synchronization, virtual directory and password management solutions. As a MaXware Technical Consultant and later as a System Engineer, he worked extensively with MaXware (now SAP) software products in large customer environments. In the past Matt has worked with several leading national and international consulting firms and is currently a Sr. Principal Consultant for Commercium Technologies. He is currently the Practice Lead for SAP NetWeaver Identity Management and SailPoint IIQ.