Provisioning systems are always customized during deployment. This may be a small customization or a huge one, but some customization is always there. The most important difference between provisioning products is their approach to customization. Some products are little more than a platform that requires you to develop almost everything during deployment (e.g. OpenIDMv2). Such products are extremely flexible but may be relatively costly to deploy, especially if your environment is quite the usual one. Other products implement many common IDM scenarios out of the box while still allowing some space for customization (e.g. midPoint). These products are generally easier and less costly to deploy but may not be suitable if your environment is miles away from the usual thing. There is no "one size fits all" when it comes to provisioning. It is important to select the right tool for the job.
Limitations of Provisioning
Provisioning systems are essentially complex data synchronization tools. Therefore there are several limitations that should be kept in mind when designing and deploying a provisioning solution:
- Delays: Data propagation is not immediate. There are delays. These can range from a few seconds (if a live data feed is used) to days or even weeks (if reconciliation is used).
- Consistency: As there are multiple copies of data and there are delays, data consistency might be a serious problem. Make sure that the consistency mechanism of your provisioning system is designed to handle that.
- Performance: Provisioning systems are customizable using expressions, plugins and other custom code. This limits how much of the data can be formalized and therefore also how much can be optimized. There is usually a trade-off between system flexibility and performance: the more flexible the provisioning system is, the worse its performance. But generally all provisioning systems perform significantly worse than other identity management technologies (e.g. identity repository or access management).
- A real Achilles' heel that combines all the limitations above is a change that affects a massive number of accounts. That may be a change in an expression that is used by almost all accounts, a change in the definition of a role assigned to most users, etc. Such changes are very slow to propagate and pose a significant consistency risk.
Provisioning System Implementations