This article demonstrates how Identity Security Cloud (ISC) Forms and Workflows can be used to enable the provisioning of user accounts from inputs in a form.
Use case
I came across a customer use case where an application (the end resource) needed certain fields that only the manager of a user can know. The application has a REST API for provisioning user accounts. ISC Forms would allow the manager to provide the additional information needed for user provisioning, and ISC Workflows can automate the task of provisioning the account based on those form inputs.
Current behavior
Currently, if an access request submitted from ISC's Request Access centre triggers a form via a Workflow, the form input provided by the user cannot be injected into the provisioning plan, so the out-of-the-box ISC features cannot be used for this without customization.
Solution Configuration Overview
To simulate this application, we need the following:
- A delimited file source and the V3 account APIs, which I can invoke from Workflows. A second Web Services source points at the actual target (here the Demo Connection source itself, a kind of loopback) and performs aggregation to correlate the accounts to identities; it can also have other HTTP operations configured as the case requires.
- A form where the manager selects the identity for whom access to the demo app is requested, along with the other fields to provision on the end resource.
- A workflow with the "Form Submitted" trigger that uses HTTP Request actions to call the account API and create accounts on the flat file source.
- An external application (outside ISC) that is the manager's starting point: it authenticates the user against ISC and launches the form.
Solution Implementation
Note: The solution demonstrated in this article covers a use case in which a manager searches for a user in ISC and enters the role, activity, and division attributes in the form. On submission, the remaining attributes are fetched from the "Requested For" identity and used to create the account.
Demo Connection Source
Define a Delimited File Source. This acts as the demo app; its access items (entitlements) are roles and activities, which the manager can select, plus division as a string field.
Screenshots in the original article: the Account Schema, and the Entitlement Schema for Activities and Roles.
Demo Connection User Access Form
Design a form that lets a manager select a user from ISC and supply the inputs needed to submit the access request.
User: a Select field whose data source is the predefined Identities list.
Role: a Select field whose data source is Search for Entitlement with the query source.name:"Demo Connection" AND schema:"roles"
Activity: a Select field whose data source is Search for Entitlement with the query source.name:"Demo Connection" AND schema:"activities"
Demo Connection User Access Workflow
A simple workflow that checks whether the identity already has an account on Demo Connection; if not, it creates one, otherwise it sends a notification to a test email address so that manual action can be taken.
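The branch described above, as an added example rather than the article's own workflow export: the create-or-notify decision and the POST /v3/accounts body written as a standalone Python script so they can be inspected and unit-tested. The tenant URL, source id, test mailbox, the keys of the "Form Submitted" payload and the account schema column names are all assumptions; the two sample dictionaries are constructed.

```python
# Added example, not the article's own code: the create-or-notify branch of the
# "Demo Connection User Access" workflow as a standalone script. Tenant URL, ids,
# form field keys and account schema columns are assumptions/placeholders.
import json
import urllib.request

ISC_BASE_URL = "https://TENANT.api.identitynow.com"  # placeholder tenant API URL
DEMO_SOURCE_ID = "DEMO_CONNECTION_SOURCE_ID"          # placeholder id of the delimited file source
NOTIFY_EMAIL = "test-mailbox@example.com"             # placeholder test address for manual action

# Constructed sample of what the "Form Submitted" trigger hands the workflow; the keys
# mirror the form fields, but the real payload's key names are an assumption.
SAMPLE_SUBMISSION = {
    "formData": {
        "user": {"id": "IDENTITY_ID_1", "name": "jane.doe"},
        "role": {"id": "ENT_ROLE_1", "name": "Analyst",
                 "source": {"name": "Demo Connection"}, "schema": "roles"},
        "activity": {"id": "ENT_ACT_1", "name": "Reporting",
                     "source": {"name": "Demo Connection"}, "schema": "activities"},
        "division": "Finance",
    }
}
# Constructed sample attributes of the "Requested For" identity, including the
# hasDemoAppAccount identity attribute the article uses as its switch.
SAMPLE_IDENTITY_NO_ACCOUNT = {
    "uid": "jane.doe", "displayName": "Jane Doe", "email": "jane.doe@example.com",
    "hasDemoAppAccount": "false",
}
SAMPLE_IDENTITY_WITH_ACCOUNT = dict(SAMPLE_IDENTITY_NO_ACCOUNT, hasDemoAppAccount="true")

def decide_action(identity_attributes):
    """'notify' when hasDemoAppAccount is true, else 'create'. A calculated identity
    attribute can surface as a bool or as the string 'true'/'false', so normalise."""
    flag = str(identity_attributes.get("hasDemoAppAccount", "false")).strip().lower()
    return "notify" if flag == "true" else "create"

def validate_form_data(form_data):
    """Defensive check before provisioning: all fields present and both entitlements
    really come from Demo Connection. The form's search query should guarantee this,
    but the workflow should not trust the client that posted the form."""
    for key in ("user", "role", "activity", "division"):
        if not form_data.get(key):
            raise ValueError(f"form field '{key}' is missing")
    for key, schema in (("role", "roles"), ("activity", "activities")):
        ent = form_data[key]
        if ent.get("source", {}).get("name") != "Demo Connection" or ent.get("schema") != schema:
            raise ValueError(f"{key} entitlement is not from Demo Connection/{schema}")

def build_create_account_payload(identity_attributes, form_data, source_id=DEMO_SOURCE_ID):
    """Body for POST /v3/accounts: an 'attributes' map that must carry 'sourceId'.
    The other keys must match the delimited source's account schema; the column names
    used here (id, displayName, email, roles, activities, division) are assumed."""
    return {
        "attributes": {
            "sourceId": source_id,
            "id": identity_attributes["uid"],
            "displayName": identity_attributes["displayName"],
            "email": identity_attributes["email"],
            "roles": form_data["role"]["name"],
            "activities": form_data["activity"]["name"],
            "division": form_data["division"],
        }
    }

def run_workflow(submission, identity_attributes, create_account, send_email):
    """Run the branch through injected actions (create_account(body) and
    send_email(to, subject, text)) so it is testable without a tenant.
    Returns the action taken."""
    form_data = submission["formData"]
    validate_form_data(form_data)
    action = decide_action(identity_attributes)
    if action == "create":
        create_account(build_create_account_payload(identity_attributes, form_data))
    else:
        send_email(NOTIFY_EMAIL,
                   f"Demo Connection account already exists for {identity_attributes['uid']}",
                   f"Requested role={form_data['role']['name']}, "
                   f"activity={form_data['activity']['name']}; manual action needed")
    return action

def isc_create_account(access_token):
    """Real create_account action: JSON POST to the tenant's /v3/accounts with a bearer token."""
    def create(body):
        req = urllib.request.Request(
            ISC_BASE_URL + "/v3/accounts", data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return create

if __name__ == "__main__":
    # Dry run: record the account body instead of calling the tenant.
    recorded = []
    print(run_workflow(SAMPLE_SUBMISSION, SAMPLE_IDENTITY_NO_ACCOUNT, recorded.append, print))
    print(json.dumps(recorded, indent=2))
```

Injecting the two actions keeps the decision logic separate from the HTTP call, which is also how you would test an equivalent workflow before pointing it at a tenant; validate_form_data is the check the workflow should make even though the form's search query already restricts the entitlements, because the HTTP Request action will happily write whatever arrives in the trigger payload.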
External Application
This is a sample application in which the user is authenticated against ISC and then launches the ISC form using the API. A similar application was showcased at Developer Days 2024 using an Angular UI.
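The two calls such an external app makes against ISC, as an added example that is neither the article's code nor the Developer Days sample: obtaining an API token on the standard /oauth/token endpoint and launching the form for the signed-in manager via POST /beta/form-instances. The form-instance body follows my reading of the Custom Forms API and should be verified against the tenant's API reference; the tenant URL, form definition id and the formInput key are placeholders or assumptions, and how the app signs the manager in (and so learns their identity id) is out of scope.

```python
# Added example, not the article's or the Developer Days code: token request plus
# form launch for the external app. Form-instance field names are my reading of the
# Custom Forms API docs; verify them. URL, ids and the formInput key are placeholders.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

ISC_BASE_URL = "https://TENANT.api.identitynow.com"     # placeholder tenant API URL
FORM_DEFINITION_ID = "FORM_DEFINITION_ID_PLACEHOLDER"    # id of the Demo Connection User Access Form

def token_request(client_id, client_secret):
    """Client-credentials request for the app's API token; ISC takes the grant
    parameters as a query string on POST /oauth/token. Keep the secret server-side."""
    query = urllib.parse.urlencode({"grant_type": "client_credentials",
                                    "client_id": client_id, "client_secret": client_secret})
    return urllib.request.Request(f"{ISC_BASE_URL}/oauth/token?{query}", data=b"", method="POST")

def parse_token_response(body):
    """Return the access token, rejecting anything that is not a bearer token."""
    doc = json.loads(body)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"]

def build_form_instance_body(manager_identity_id, requested_for_id=None, ttl_hours=24):
    """Assign the form to the signed-in manager. manager_identity_id comes from the app's
    own login step (e.g. an OAuth authorization-code flow against ISC), not shown here.
    'formInput' pre-fills the form's User field; its key 'user' is an assumption. The
    tenant may require further fields (e.g. createdBy), so check the API reference."""
    expire = (datetime.now(timezone.utc) + timedelta(hours=ttl_hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = {
        "formDefinitionId": FORM_DEFINITION_ID,
        "recipients": [{"id": manager_identity_id, "type": "IDENTITY"}],
        "expire": expire,           # short-lived instance: an abandoned form should expire
        "state": "ASSIGNED",
        "standAloneForm": True,     # the app redirects the manager to the stand-alone form
    }
    if requested_for_id:
        body["formInput"] = {"user": requested_for_id}
    return body

def launch_form(access_token, manager_identity_id, requested_for_id=None):
    """Create the form instance and return the API response; per the docs as I read
    them, standAloneFormUrl in the response is the link to send the manager to."""
    body = build_form_instance_body(manager_identity_id, requested_for_id)
    req = urllib.request.Request(
        f"{ISC_BASE_URL}/beta/form-instances", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    # Shows the request the app would send; no tenant is contacted here.
    print(token_request("CLIENT_ID", "CLIENT_SECRET").full_url)
    print(json.dumps(build_form_instance_body("MANAGER_IDENTITY_ID", "USER_IDENTITY_ID"), indent=2))
```

The token request uses the app's own client credentials, so the form instance is created on behalf of the app rather than with the manager's token; the recipients entry is what ties the instance to the manager, which is why the app must establish the manager's identity id through its own login step before calling launch_form.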
Demo walkthrough
The manager logs in to the external app, launches the form, fills in the details and submits. The account is created on the endpoint using the create account API.
Screenshots in the original article: the account provisioned on the Demo App, and the Demo Connection Source.
Summary
- Periodic aggregation needs to be scheduled on the actual web service source so that accounts newly created via the workflow are aggregated and correlated to identities; other provisioning operations can be handled via HTTP operations.
- An identity attribute, "hasDemoAppAccount", holds a value of true/false and is used in the workflow to determine whether this is a create account or an update account and to take the respective action.
- Because the end resource's APIs are called directly, logging happens in the workflow executions.
- The approach may be explored further for other use cases to determine its feasibility.