Skip to end of metadata
Go to start of metadata

MidPoint 3.6 and later

Some of these features are available in midPoint 3.6. But not all of them. The full feature set is not complete. Their completion can be ensured by subscribers.

Manual Resource

Manual resources, also known as off-line resources, are those resources that are not connected to midPoint by using identity connector. MidPoint cannot change such resources automatically. Provisioning to these resources rely on a manual work, typically executed by a system administrator. It works like this:

  1. Role is assigned to a user in midPoint.
  2. MidPoint runs through all the configuration and processes to determine which account with what attributes have to be provisioned.
  3. MidPoint creates a case or a ticket for a system administrator to create a new account.
  4. System administrator creates new account according to information specified in the ticket. The ticket is closed.
  5. MidPoint detects that the ticket was closed and updates its data about the account.

The basic principle of manual connectors is the storage of operation deltas in midPoint repository while the manual operation is in progress. MidPoint also remembers the state of the operation and the reference to a case/ticket that is used to track operation progress. This reference is used to update operation status.

MidPoint usually keeps cached version of the account in midPoint repository. In fact the same mechanism that is used for attribute caching is used here. MidPoint keeps the cached data mostly for presentation purposes - we would like to show how we think that the account looks like.

Pure manual resources are disconnected from the target system. Except for indirect feedback taken from closed tickets there is no information that midPoint can get about the state of the target system. Even the cache account data in midPoint are just midPoint's estimate how the account should look like. If there is any change on the target resource that is not driven through midPoint then midPoint has no way how to know about it. Pure manual resource are always in a risk of divergence: the data on the resource and the data in midPoint could gradually diverge over time.

Semi-Manual Resources

Inherent limitation of manual resources is addressed by semi-manual resources. In this case two connectors are combined for the same resource:

  • Manual connector is used for provisioning operations (create, update, delete). These operations are executed manually by system administrator.
  • Ordinary (on-line) connector is used for reading the data. This is typically CSV connector that contains the data exported from the target system. This is usually scheduled export script.

Provisioning operations on a semi-manual resources are executed in exactly the same way as in pure-manual resources. The difference is in the feedback. MidPoint is combining the manual operation data with the on-line data from the resource. The operation deltas are merged with the last known state of the account on the resource. This means that midPoint has much more reliable information about the state of the account on the target system. Therefore midPoint can detect whether accounts has been illegally changed on the target system, whether the system administrator executed the operation correctly and so on. MidPoint can also automatically create new tickets for system administrators to fix inconsistencies between the policy and real state of the account in the target system.

In theory any kind of ordinary identity connector can be combined with the manual connector to create a semi-manual resource. This is allowed by midPoint's unique multi-connector feature.

Internal Provisioning Cases

MidPoint has internal mechanism to maintain information about cases. A case is similar to a trouble ticket or issue that is managed by ITSM systems. However the case is managed internally by midPoint and therefore it can have tighter integration with other identity data in midPoint. For example the cases could be used for identity governance and compliance. The cases could track the progress of policy violation resolutions. And so on.

The cases are also used for manual provisioning. If no ITSM integration is present then the cases are used in place of the ITSM tickets.

ITSM Integration

System administrator in most environments are used to work with existing IT Service Management (ITSM) system, such as Atlassian Jira, HP Service Manager or Remedy ARS. MidPoint has an option to include a custom plug-in for integration with these systems. In that case the manual provisioning cases are created as tickets in the ITSM systems. The system administrators interact only with the ITSM system and they do not need to interact with midPoint at all.

Implementation Progress

These features are only partially implemented. The original plan was to support complete functionality in midPoint 3.6. However existing midPoint subscribers have prioritized other features for midPoint 3.6. Therefore the manual resources were only implemented to the extent that was covered by existing subscription agreements. Following table shows implementation progress.

Supported in version3.6, 3.6.1, 3.73.7.1
Manual resources coreYESYES
Manual resources GUINONO
Provisioning casesNONO
Semi-manual resourcesYES
(with ITSM plugin only)

YES

(with ITSM plugin only)

ITSM pluginsYES
(requires custom development)

YES

(requires custom development)

Provisioning propagationNOYES

As of midPoint 3.6 midPoint does not contain any GUI support for any of these features. The core (back-end) functionality is mostly in place (except for cases), therefore it is partially usable. The goal was to enable functionality with custom ITSM integration plugin. However, that requires custom development. In practice this means that as of midPoint 3.6 these features are likely to work well only if Evolveum professional services are involved. If you are interesting in helping to finish those resources please consider a subscription. These features could be fully productized in midPoint 3.7 given sufficient funding.

Provisioning Propagation

 

MidPoint 3.7.1 and later

MidPoint usually executes all resource operations as soon as possible. But this may be quite troublesome for manual resources where resource operations are usually costly. Therefore there is a way to change that behavior by using provisioning propagation task. In such case midPoint will not execute operations immediately. Requested changes will get queued for (reasonably short) time. Then midPoint will execute all the changes at once in a single operation.

See Provisioning Propagation page for more details.

Configuration

See Manual Resource Configuration page for configuration details.

Sample

Contributed ITSM sample plugin can be found in our github. This plugin calls custom developed WS interface with BMC Remedy as an backened service. Supported operations are creating new ticket and reading status of existing ticket.

See Also

 

  • No labels