Table of Contents

Provisioning

Provisioning ensures the implementation of accounts settings on end systems according to the settings in IdM. The provisioning itself then only propagates information to the end system. It does not make the evaluation of which identities should be subject to provisioning on a particular system. This is the task of accounts aministration which is an integral part of IdM and precedes the provisioning itself.

Provisioning is an integral part of the ACC module (ACCount management)

As it has been already said, the provisioning is preceded by accounts administration. In most cases, provisioning is therefore run by the service ensuring accounts administration. If this service evaluates that such a change of the account which requires provisioning has occurred, it will call the service ProvisioningService. This service includes the following methods:

Provisioning queue

All provisioning operations are processed through provisioning queue. The individual operations (create, update, delete) are serialized, saved in the queue, and then processed. If provisioning operation is completed, then archive provisioning operation record is created ⇒ active provisioning operation is executed and is moved into archive.

Three entities was created to persist provisioning operations and their state:

Supported provisioning operation states:

To extend or reconfigure the provisioning mechanism, the processing has been moved to the events on the dto SysProvisioningOperationDto and to the individual processors treating this dto (the list of the registered processors has been extracted to the application on the module page). Calling the provisioning then takes places through publishing the events with the SysProvisioningOperationDto content through ProvisioningExecutor. The individual operations are serialized, saved in the queue, and transmitted to the processors. If a provisioning error occurs or some of the processors stops working, then it is possible to find what happened in the agenda placed above the queue (error code, return state etc.). The GuardedStrings (e.g. passwords) are not saved in the serialized state - the values are replaced and saved in a confidential storage from which they are only read when needed (account re-calculation, provisioning implementation).

The operation content in SysProvisioningOperationDto is called ProvisioningContext and is divided into two logical units:

First the accountObject (wish), then the connectorObject which is the real provisioning input is calculated. When repeating the operation, a new connectorObject from an accountObject is always calculated so that the possible changes which could occur right on the end system are taken into consideration.

Once the object (defined by the identifier on the system and the idm entity) is in the queue, all the other requests for the provisioning of the same objects fall directly into the queue - consistent sequence of operations on one object in the end system.

Provisioning queue functions:

More about attribute strategies (attributes merge and etc.) is here.

Retry mechanism

Provisioning operations ending with an error are placed into the queue and new running time is scheduled to them = another attempt will be executed by long running task periodically - long running task RetryProvisioningTaskExecutor configuration is needed. Only failed operations are processed from queue by retry mechanism.

Asynchronous provisioning

Then requests for active provisioning operations (create, update, delete) fall directly into the queue as CREATED and is processed by long running task periodically - long running task ProvisioningQueueTaskExecutor configuration is needed.

Change password operation is still synchronous - is needed to change passwords immediately.