VIRTUALIZATION FOR IDENTITY MANAGEMENT - SERVICE PROVISIONING

Every organization has to deal with the provisioning of services, the task of assigning resources and services to users. Service provisioning involves the creation, maintenance, and deactivation of user objects and user attributes as they exist in distributed systems, directories, or applications.

Provisioning can be critical for security purposes, especially de-provisioning, the removal of services from a user account.

[Figure: provisioning for employees diagram]

To optimize interactions with customers, suppliers and partners, it is critical to provide access to the appropriate applications.

THE INFRASTRUCTURE CHALLENGE OF PROVISIONING

Provisioning can be extremely difficult from an administrative perspective. The different items or services that need to be provisioned are furnished by different types of applications. Administration needs to be provided for each system and this is obviously an expensive undertaking. To make matters worse, extensive manual intervention is required to make sure all items are covered and this presents the possibility of omission or error.

The ideal situation would require adding or deleting a user in only one system and then having that system alert other appropriate systems to provision or de-provision specific items or services. A new breed of applications from companies (such as Business Layers) has emerged to perform this function. These applications contain the business logic necessary to provision items and services across different systems. This architecture is shown in the diagram below.

[Figure: one-entry provisioning architecture diagram]

THE KEY TO RESOURCE PROVISIONING - MANAGING WORKFLOW

Provisioning requires:

  • » Coordination between the various tasks.

  • » The ability to synchronize between various applications.

Coordination and synchronization enable 'workflow', the continuous process consisting of the different steps in supplying items to the appropriate party. For example, providing access to a particular application might require the approval of two different management levels. Workflow needs to know where to route these requests for a particular application, as well as perform the requisite steps in the correct order (e.g. a PC must be provided before applications can be set up on the user's PC). An example of the provisioning process is shown in the figure below.

[Figure: provisioning process for an employee diagram]

In addition, workflow needs to handle both manual and automatic processes. The efficiency of provisioning is gained by automating as much as possible. However, some manual intervention is always necessary. In the example above, the manager's approval is deliberately a manual process, so that there is a control point in the system. Since this approval will not always happen on a specific schedule, the workflow system needs to be able to handle waits in the provisioning process. In the figure above, all steps are automatic unless indicated as manual.
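The ordering, manual-approval wait and de-provisioning behaviour described above, as an added Python sketch (not Radiant Logic's or Business Layers' code; the step names are constructed for the example):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    name: str
    requires: tuple = ()   # steps that must be complete before this one runs
    manual: bool = False   # a human gate: waits until someone approves it

# Constructed onboarding workflow (hypothetical step names, not from the page).
EMPLOYEE_ONBOARDING = [
    Step("create_directory_entry"),
    Step("manager_approval", requires=("create_directory_entry",), manual=True),
    Step("provide_pc", requires=("manager_approval",)),
    Step("install_crm", requires=("provide_pc",)),  # an app needs a PC first
    Step("grant_email", requires=("create_directory_entry",)),
]

class Workflow:
    """Runs steps in dependency order; manual steps block until approved."""
    def __init__(self, steps):
        self.steps = {s.name: s for s in steps}
        self.done = []          # completed steps, in the order they ran
        self.approved = set()   # manual steps an approver has signed off
        self.log = []           # audit trail of what was provisioned/removed

    def approve(self, name):
        self.approved.add(name)

    def run(self):
        """Advance as far as possible; returns the steps still waiting."""
        progressed = True
        while progressed:
            progressed = False
            for s in self.steps.values():
                ready = all(r in self.done for r in s.requires)
                blocked = s.manual and s.name not in self.approved
                if s.name in self.done or not ready or blocked:
                    continue
                self.done.append(s.name)
                self.log.append("provisioned " + s.name)
                progressed = True
        return [n for n in self.steps if n not in self.done]

    def deprovision(self):
        """Remove granted services in reverse order; approvals are not services."""
        removed = [n for n in reversed(self.done) if not self.steps[n].manual]
        self.log.extend("removed " + n for n in removed)
        self.done = []
        return removed
```

Calling `run()` before the approval leaves the PC and application steps pending; after `approve("manager_approval")` a second `run()` completes them, and `deprovision()` removes the dependent application before the PC.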


ENFORCING WORKFLOW LOGIC

The provisioning system provides the workflow logic but also needs to:

  • » Enforce this logic in the target applications

  • » Handle exceptions when they occur

In order for the workflow logic to be deployed, there needs to be a description of the system. This role is supplied by a directory, which routes the flow of information by providing directions and describing what needs to be done at each 'location'. The directory provides the explicit architecture of the system, making this architecture easy to discover. (Note: the key functionality of a directory is its ability to make relationships between objects self-evident as one navigates through the directory hierarchy.) The role of the directory in provisioning is shown in the figure below.

[Figure: role of the directory in provisioning diagram]

The provisioning system uses the directory to organize the logic and where each part of it should be applied. A key role of the directory is acting as a centralized storage of user identities.


BEYOND WORKFLOW LOGIC - OTHER KEY REQUIREMENTS FOR PROVISIONING

There are, however, other key requirements beyond workflow logic, exception handling and routing of the workflow logic, for a provisioning system to truly excel. These tasks include:

  • » Aggregation and integration of identity data to enforce provisioning rules.

  • » Self-discovery of the set of relationships on which the provisioning rules can be applied.

  • » Enforcing the workflow logic for the different data stores.

  • » Tracking the results of the provisioning process.

A traditional LDAP directory cannot meet these needs. Even if it could, having the directory fulfill all of them would not be desirable, since the directory would then become a potential single point of failure.

THE RADIANT LOGIC SOLUTION - MAXIMIZING THE CAPABILITY OF PROVISIONING

The RadiantOne Identity and Context Virtualization Platform handles all the key requirements described above to maximize the effectiveness of provisioning applications. To find out more about the various RadiantOne components and capabilities, please go to Products.

[Figure: using the components of CCS diagram]
