Table of Contents

Modules - vs: VS account lifecycle and module configuration

Basic life cycle of virtual system accounts

We have a john.doe identity and a role RoleVS linked to a virtual system VS.

  1. We assign the role 'RoleVS' to the identity john.doe. It will trigger provisioning for the connected systems including the system 'VS'.
  2. The virtual system 'VS' creates a request for creating a new account 'john.doe'. It sends notifications to all implementers - users configured in the settings of this virtual system.
  3. The identity 'john.doe' has now an account on the virtual system, but this account is not yet confirmed by the implementers.
  4. We'll make a change on our account when we edit the last name of the identity from Doe to Roe.
  5. Saving the identity will trigger provisioning for the connected systems.
  6. Because the account 'john.doe' on the virtual system already exists (although only in unconfirmed request form), provisioning evaluates that it's needed to edit the lastName attribute to the new value Roe.
  7. The virtual system creates a second record in the VS request agenda and sends notifications to all implementers.
  8. Implementers have now two notifications and two corresponding requests in IdM. The first is for creating and the second for changing the same account. In the second notification, there is also information about the previous unresolved request.
  9. The implementer makes a manual change on the target system - creates the account and changes its last name.
  10. The implementer confirms in the Requests agenda in IdM that the account was created.
  11. By confirming the request, the creation of the account 'john.doe' is written into the VS data structure (a new item in VsAccount).
  12. The implementer confirms Requests agenda in IdM that the last name of the account was changed.
  13. By confirming the request, the change (DoeRoe) is written into the VS data structure.

How to create a virtual system

It displays a dialog to create a new virtual system.

You can fill:

Beware: Users/roles have to have permission 'Requests on virtual systems (VsRequest)' to receive these requests.

When the configuration of implementers of a virtual system is changed (either the set of implementers or implementer's roles are changed), this change has to be propagated to the configuration of the VS module. The propagation can be triggered manually by clicking on the Test button on the virtual system configuration tab. Also, any following operation on the virtual system will also trigger the propagation, so new requests will be created with the actual configuration of the implementers.

In the detail of the new virtual system, the system schema, mapping and attributes are configured by default

Create a new role

We have created the new virtual system. Now we will assign the system to some users. For this we create a new role and create the mapping for our new virtual system.

Create the mapping on the virtual system

Create a new user

We will create a new user and assign him our role, so he will be provisioned to our new virtual system.

Requests

The Requests agenda of the Virtual Systems ('Virtual systems / Requests') contains all operations, that were requested by IdM on virtual systems. Every request contains the identification of the account and the virtual system, the operation that should be done with the account (create/update/delete), the list of implementers who should implement the request, etc.

The Requests agenda is divided into two tabs:

In our example, the implementers received a new task to create a new account 'john.doe' on the virtual system 'NewVirtualSystem'. To view the request, go to 'Unresolved requests' in 'Virtual systems / Requests'.

You can go to the detail of the request with UID 'john.doe' and the system 'NewVirtualSystem' (click on the button with "magnifying glass"). You can now see the detail of the request for creating new account.

There are three specific groups of information:

If we do not resolve the create request and edit our user 'john.doe', e.g. change user's surname to Doe. A new update request is in 'Unresolved requests'. Click on the detail of the update request.

When we finally resolve our two requests, they are moved to the tab 'Archive'.

Operations with the request

Implement request

The Implement operation marks the request as 'Implemented'.

When a 'delete' request is implemented and there are some unresolved previous requests for the same account, all the previous requests are automatically canceled.

Cancel request

The Cancel operation marks the request as 'Canceled'.

Permissions

Notifications

After the request for updating virtual system is created, the notification is sent to all implementers.

As default was implemented email notification 'vs:vsRequestCreated' for new virtual system requests. This notification is by default automatically connected to virtual systems requests. The email template for this notification can be modified in left main menu 'Notifications / Templates'.

Email template provides similar information as the request detail (described above). For example, 'Target table' is constructed from same data as the table on the request detail. See below for examples of notification emails that are sent during the process described in its basic live cycle (creating and modifying the account 'john.doe') and notification, which displays the change of a multivalued attribute.

Email notification for creating a new account 'john.doe':

Email notification for modifying the account 'john.doe':

Email notification for modifying the multivalued attribute 'ldapGroups' for the account 'john.doe'.

New values 'E,F' were added to the attribute and the values 'C,B' were removed:

Virtual systems configuration

BasicVirtualConfiguration contains these attributes:

Default implementers

If the implementers of the virtual system are not directly configured, the default implemeter's role will be used when creating the virtual systems requests. The default role can be defined in the IdM configuration:

idm.sec.vs.role.default=<some-code-of-role>

The default value of the default implementer's role is superAdminRole.