How to Use the Provisioning Simulator for Effective Identity Management?

Provisioning Simulator

In this article, you will learn how to effectively use the Provisioning Simulator for identity management. We will cover:

  • An overview of what the Provisioning Simulator is and its purpose.
  • How the Provisioning Simulator works and its benefits.
  • Step-by-step instructions on how to activate and deactivate the Provisioning Simulator.
  • Methods to view and access data stored by the Provisioning Simulator.
  • Additional technical and configuration resources for further information.

Overview

The Provisioning Simulator collects and presents information about the changes that would have been transmitted to an application connected to SailPoint IdentityIQ (IIQ) in a real environment. This article focuses on the case of Active Directory.

How the Provisioning Simulator Works

Provisioning processes to Active Directory are triggered as a result of data changes in IIQ. For example, active IIQ users should have an account in Active Directory. Possible types of operations include Create, Enable, Disable, and Modify. In the standard process flow, the information about changes to a particular identity would be transmitted directly to Active Directory.

The Provisioning Simulator is positioned between IIQ and Active Directory. It collects information about changes and forwards them in an orderly manner to a separate table in the database. This functionality allows us to compare the production data of users in Active Directory with the data that would have been written by the previous IAM tool during its parallel operation with the new tool.

How to Activate the Provisioning Simulator

  1. Open the Debug Page:

    • Navigate to the following webpage: https://$iiqhostname$/identityiq/debug/debug.jsf
    • Note: $iiqhostname$ varies depending on the environment.
  2. Edit the Configuration:

    • Select and open the file ProvisioningSimulation (Object: IntegrationConfig).
    • Add the configuration according to Appendix 1 (copy the text and replace the current content).
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE IntegrationConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
    <IntegrationConfig execStyle="synchronous" executor="pro.jakubiak.provisioning.simulator.ProvisioningExecutor" name="ProvisioningSimulation">
      <Attributes>
        <Map>
          <entry key="appConfig">
            <value>
              <Map>
                <entry key="Active Directory">
                  <value>
                    <Map>
                      <entry key="filterConfig">
                        <value>
                          <Map>
                            <entry key="Create"/>
                            <entry key="Disable"/>
                            <entry key="Enable"/>
                            <entry key="Modify"/>
                          </Map>
                        </value>
                      </entry>
                    </Map>
                  </value>
                </entry>
              </Map>
            </value>
          </entry>
          <entry key="integrationConfig">
            <value>
              <Map>
                <entry key="additionalIdAttributeNames"/>
                <entry key="disableProvisioning">
                  <value>
                    <Boolean>true</Boolean>
                  </value>
                </entry>
                <entry key="enableWhitelisting">
                  <value>
                    <Boolean>true</Boolean>
                  </value>
                </entry>
                <entry key="saveUnfilteredRecords">
                  <value>
                    <Boolean>true</Boolean>
                  </value>
                </entry>
                <entry key="storeAdditionalId"/>
              </Map>
            </value>
          </entry>
        </Map>
      </Attributes>
      <ManagedResources>
        <ManagedResource>
          <ApplicationRef>
            <Reference class="sailpoint.object.Application" name="Active Directory"/>
          </ApplicationRef>
        </ManagedResource>
      </ManagedResources>
    </IntegrationConfig>
    
  3. Save Changes:

    • Save the changes.

How to Deactivate the Provisioning Simulator

  1. Repeat the Activation Steps:

    • Perform the same steps described in the activation process.
  2. Use Appendix 2 Configuration:

    • This time, use the configuration file from Appendix 2.
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE IntegrationConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
    <IntegrationConfig execStyle="synchronous" executor="pro.jakubiak.provisioning.simulator.ProvisioningExecutor" name="ProvisioningSimulation">
      <Attributes>
        <Map>
          <entry key="appConfig"/>
          <entry key="integrationConfig">
            <value>
              <Map>
                <entry key="additionalIdAttributeNames"/>
                <entry key="disableProvisioning">
                  <value>
                    <Boolean></Boolean>
                  </value>
                </entry>
                <entry key="enableWhitelisting"/>
                <entry key="saveUnfilteredRecords">
                  <value>
                    <Boolean>true</Boolean>
                  </value>
                </entry>
                <entry key="storeAdditionalId"/>
              </Map>
            </value>
          </entry>
        </Map>
      </Attributes>
    </IntegrationConfig>
    

Viewing Data Stored in the Table

  1. Report:

    • A special report collects all information from the spt_provisioning_record table in CSV and PDF format.
  2. Direct Database Access:

    • The table with all information collected during the operation of the Provisioning Simulator is located directly in the IIQ database. It can be queried directly to read the data according to the team’s needs.

Additional Technical and Configuration Information

For more details on implementation and configuration of the Provisioning Simulator, please refer to the following link: Provisioning Simulator for IdentityIQ.

7 Likes
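The two appendix configurations above differ mainly in the disableProvisioning flag, the appConfig filter map and the ManagedResources list, so it is worth confirming which state an exported ProvisioningSimulation object is in before or after a change on the debug page. The following check is an added example, not code from the article or from the simulator project; the names simulator_state and ACTIVATED are hypothetical, and it assumes an empty <Boolean></Boolean> element means false, as in the deactivation configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's activation config, trimmed to the keys read below.
ACTIVATED = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE IntegrationConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<IntegrationConfig name="ProvisioningSimulation">
  <Attributes><Map>
    <entry key="appConfig"><value><Map>
      <entry key="Active Directory"><value><Map>
        <entry key="filterConfig"><value><Map>
          <entry key="Create"/><entry key="Disable"/><entry key="Enable"/><entry key="Modify"/>
        </Map></value></entry>
      </Map></value></entry>
    </Map></value></entry>
    <entry key="integrationConfig"><value><Map>
      <entry key="disableProvisioning"><value><Boolean>true</Boolean></value></entry>
    </Map></value></entry>
  </Map></Attributes>
  <ManagedResources><ManagedResource><ApplicationRef>
    <Reference class="sailpoint.object.Application" name="Active Directory"/>
  </ApplicationRef></ManagedResource></ManagedResources>
</IntegrationConfig>"""

def _entry(map_el, key):
    """Return the <entry key=...> directly under a <Map>, or None."""
    entries = map_el.findall("entry") if map_el is not None else []
    return next((e for e in entries if e.get("key") == key), None)

def _sub_map(map_el, key):
    entry = _entry(map_el, key)
    return entry.find("value/Map") if entry is not None else None

def _flag(map_el, key):
    """True only for <Boolean>true</Boolean>; a missing or empty element is false (assumption)."""
    entry = _entry(map_el, key)
    text = entry.findtext("value/Boolean") if entry is not None else None
    return (text or "").strip().lower() == "true"

def simulator_state(xml_text):
    """Summarise an exported ProvisioningSimulation IntegrationConfig."""
    root = ET.fromstring(xml_text)
    top = root.find("Attributes/Map")
    apps = _sub_map(top, "appConfig")
    ops = {}
    for app in (apps.findall("entry") if apps is not None else []):
        filt = _sub_map(app.find("value/Map"), "filterConfig")
        ops[app.get("key")] = [o.get("key") for o in filt.findall("entry")] if filt is not None else []
    return {"provisioning_disabled": _flag(_sub_map(top, "integrationConfig"), "disableProvisioning"),
            "managed": [r.get("name") for r in root.iter("Reference")],
            "operations": ops}
```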

Good job @abartkowski I will use this 🙂

2 Likes

Hi Adam,

I’m glad you like the article and find it useful.
Best regards

2 Likes