A provisioning system only manages existing data stores. It does not perform any authentication or authorization on behalf of the application; that is the job of access management. A provisioning system therefore affects the enforcement of security policies indirectly, by manipulating data in other systems.
Provisioning Connectors and Agents
Provisioning systems can communicate with each application using the application's own protocol or interface. There are two basic approaches:
- Connectors are pieces of code running on the side of the provisioning system. In this respect they are similar to database drivers. Connectors expose the application's objects (accounts, groups, ACLs, ...) to the provisioning system, using various kinds of remote protocols or APIs for that purpose. Connectors are non-intrusive and do not require any installation on the application side.
- Agents run on the application side. Like connectors, agents expose the application's objects to the provisioning system. Agents are intrusive and require installation (and integration) on the application side. However, agents can also use local APIs and may be much more powerful than connectors.
Policies and Processes
Provisioning systems do not deal only with the technical aspects of the integration. Policies and processes are almost always part of provisioning system deployment projects. Most provisioning systems include their own version of a workflow subsystem customized for identity management applications. It is usually quite easy to set up rules that automatically determine the basic accounts for a new hire and let system administrators approve the creation of such accounts. This is a unique aspect of provisioning systems when compared to other identity management technologies. Other technologies usually focus only on the technical side of the problem, not the business side.
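The rule-and-approval flow described above, together with the connector idea from the previous section, as an added sketch that is not taken from any provisioning product. The class and function names, the rule table and the administrator list are all hypothetical, and an in-memory dictionary stands in for each application's remote data store.

```python
from dataclasses import dataclass
from typing import Optional

class InMemoryConnector:
    """Hypothetical connector: runs on the provisioning side, exposes one application's accounts."""
    def __init__(self, name):
        self.name = name
        self.accounts = {}  # stands in for the application's own data store
    def create_account(self, username, attrs):
        if username in self.accounts:
            raise ValueError(f"{username} already exists in {self.name}")
        self.accounts[username] = dict(attrs)

# Constructed policy data: baseline systems per department, and who may approve per system.
RULES = {"*": ["ldap", "mail"], "engineering": ["git"], "finance": ["erp"]}
ADMINS = {"ldap": {"alice"}, "mail": {"alice"}, "git": {"bob"}, "erp": {"carol"}}

@dataclass
class Request:
    username: str
    system: str
    attrs: dict
    approved_by: Optional[str] = None

def plan_new_hire(username, department):
    """Apply the rules; nothing is written to any application yet."""
    systems = RULES["*"] + RULES.get(department, [])
    return [Request(username, s, {"department": department}) for s in systems]

def approve(request, approver):
    """Record approval only if the approver administers the target system."""
    if approver not in ADMINS.get(request.system, set()):
        raise PermissionError(f"{approver} may not approve {request.system}")
    request.approved_by = approver

def execute(requests, connectors):
    """Create approved accounts through connectors; return the requests still pending."""
    pending = [r for r in requests if r.approved_by is None]
    for r in requests:
        if r.approved_by is not None:
            connectors[r.system].create_account(r.username, r.attrs)
    return pending

def demo():
    connectors = {n: InMemoryConnector(n) for n in ADMINS}
    reqs = plan_new_hire("jdoe", "engineering")
    for r in reqs[:2]:  # alice approves ldap and mail; git stays unapproved
        approve(r, "alice")
    return connectors, execute(reqs, connectors)
```

The provisioning side only writes account data into each store; whether `jdoe` can later log in or access anything is decided by the application or by access management reading that data.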
Why Do We Need Provisioning?