Provisioning Simulator for IdentityIQ

Introduction

In the realm of identity management, ensuring the integrity of provisioning processes during the critical go-live phases of applications or connectors is essential. The ProvisioningSimulator tool is specifically crafted to meet the needs of SailPoint IdentityIQ developers. This tool provides a robust solution for simulating all changes that IdentityIQ software would normally provision to the target application. Instead of directly impacting the target system, these changes are redirected to a database, allowing for thorough assessment and documentation without risking production environments.

The ProvisioningSimulator supports detailed analysis and reporting on the potential effects of planned changes, offering developers the necessary insights to understand and communicate the implications of these changes. The core functionality centers around providing clear, actionable answers to the question: “Who will be affected, and how, by the changes you are implementing on the production environment?” This tool not only enhances transparency during the deployment process but also significantly mitigates the risk of unintended consequences.

Components

The ProvisioningSimulator integration comprises several key components that work together to ensure effective simulation of provisioning changes:

  1. IntegrationConfig: This component is the backbone of the integration, responsible for setting up the provisioning interceptor. It allows for precise configuration of how provisioning requests are intercepted and handled, ensuring that changes are redirected appropriately without impacting production systems.
  2. Integration Executor Class: Once provisioning changes are intercepted, this executor class takes charge. It processes the intercepted provisioning actions according to the configurations specified in the IntegrationConfig. This class ensures that all simulated provisioning actions are executed accurately, reflecting what would happen in a live environment.
  3. Workflow Component: This component facilitates modifications to the IntegrationConfig objects. It provides a structured and user-friendly way to implement and manage changes in the configuration settings, allowing developers to update and test different provisioning scenarios efficiently.

Installation Guide

Installing the ProvisioningSimulator involves a straightforward process that ensures the tool is correctly integrated with your SailPoint IdentityIQ environment. Follow these steps to get started:

  1. Import XML Configuration Files: Begin by importing all XML files found in the config directory. These files contain essential configuration settings needed for the integration to function properly.
  2. Deploy the JAR File: Next, copy the Release/ProvisioningSimulator_v_X_X.jar file into the $IIQ_HOME/WEB-INF/lib directory of your IdentityIQ installation. This step is crucial because the JAR contains the compiled classes the integration needs.
  3. Copy Hibernate Configuration Files: Copy the files located in WEB-INF/classes into the $IIQ_HOME/WEB-INF/classes directory.
  4. Execute IIQ Console Schema: Run the IIQ console schema to recreate the database creation files. Locate all Data Definition Language (DDL) statements related to the spt_provisioning_record columns in the $IIQ_HOME/WEB-INF/database/create_identityiq.$YOURDB$ directory and execute them in your database. This step ensures that the necessary database structures are in place.
  5. Restart the Application Servers: Finally, restart your application servers. This action ensures that all new configurations and the JAR file are fully integrated and activated within the system.

Configuration Steps

After successful installation, the ProvisioningSimulator needs to be configured. The configuration process consists of three key steps:

  1. General Simulator Configuration: This step involves setting up the overall behavior of the simulator for all applications. Here, you define the general parameters and operational settings that govern how the simulator functions across the board.

    <entry key="integrationConfig">
      <value>
        <Map>
          <entry key="disableProvisioning" value="false"/>
          <entry key="saveUnfilteredRecords" value="true"/>
          <entry key="enableWhitelisting" value="true"/>
          <entry key="storeAdditionalId" value="true"/>
          <entry key="additionalIdAttributeName" value="city"/>
        </Map>
      </value>
    </entry>
    
    • disableProvisioning - if set to TRUE, provisioning to the target application is stopped completely: the simulation still runs, but no provisioning transaction is sent to the connector (not even the ones that were not filtered out).
    • saveUnfilteredRecords - if set to TRUE, the simulator stores a provisioning record in the database even when the transaction was not filtered out; such a transaction is marked as Provisioned in the spt_provisioning_record table.
    • enableWhitelisting - switches the simulator from blacklisting to whitelisting. If set to FALSE, all attributes are provisioned except the ones listed in filterConfig for the target application; if set to TRUE, only the attributes listed in filterConfig for the target application are provisioned.
    • storeAdditionalId - the database schema reserves a column for one additional identity attribute (e.g. country, companyCode); if set to TRUE, that attribute is stored with each provisioning record.
    • additionalIdAttributeName - the name of the identity attribute to store in the database for each provisioning record when storeAdditionalId is set to TRUE.
  2. Application Filter Configuration: In this step, you configure the attributes and operations that should be filtered for specific applications. This allows you to tailor the simulator’s behavior to suit the needs of different applications by specifying which changes should be intercepted and logged.

    <entry key="appConfig">
      <value>
        <Map>
          <entry key="TestSQL">
            <value>
              <Map>
                <entry key="filterConfig">
                  <value>
                    <Map>
                      <entry key="Create">
                        <value>
                          <List>
                            <String>username</String>
                            <String>name</String>
                          </List>
                        </value>
                      </entry>
                      <entry key="Modify">
                        <value>
                          <List>
                            <String>first_name</String>
                            <String>name</String>
                          </List>
                        </value>
                      </entry>
                    </Map>
                  </value>
                </entry>
              </Map>
            </value>
          </entry>
        </Map>
      </value>
    </entry>

  3. Managed Resources Configuration: This final step involves specifying which applications’ provisioning transactions should be intercepted by the simulator. By defining managed resources, you tell IdentityIQ which applications are within the scope of the simulation, ensuring that only relevant provisioning actions are captured.

    <ManagedResources>
      <ManagedResource>
        <ApplicationRef>
          <Reference class="sailpoint.object.Application" name="TestSQL"/>
        </ApplicationRef>
      </ManagedResource>
    </ManagedResources>
    

By following these steps, the ProvisioningSimulator will be properly configured to simulate provisioning changes effectively within your SailPoint IdentityIQ environment.

Access to Data: Sync Preview

Once the ProvisioningSimulator is configured, you can view the provisioning records created in the spt_provisioning_record table. Each record in this table captures essential details about the provisioning actions being intercepted. Here’s a breakdown of each field in the data structure:

  • identity: Identity id reference of the identity being provisioned. This field links the provisioning action to a specific identity within IdentityIQ.
  • identitySupplId: A supplementary identifier for the identity, providing an additional reference that may be used for more detailed tracking or integration purposes - it is also planned to allow filtering based on this attribute.
  • identityName: The name of the identity, offering a human-readable reference to the user or entity affected by the provisioning action.
  • applicationName: The name of the application to which the provisioning action is targeted. This field helps identify the context in which the provisioning change is occurring.
  • nativeIdentity: The identifier used within the target application to represent the account.
  • operation: The type of provisioning operation being performed, such as create or modify. This field indicates the nature of the change being simulated.
  • provisioningStatus: The status of the provisioning operation, providing information on whether the action was Provisioned or Filtered.
  • oldValue: The previous value of the attribute being changed. This field captures the state of the attribute before the provisioning action, useful for comparison and auditing.
  • newValue: The new value of the attribute after the provisioning action. This field shows what the attribute will be updated to, as a result of the provisioning operation.
  • attributeName: The name of the attribute being modified. This field identifies which specific attribute of the identity is affected by the provisioning action.
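To make the filtering rules from the Application Filter Configuration and the resulting spt_provisioning_record rows concrete, here is a small Python model of the decision the simulator makes per attribute change. This is an added example, not the plugin's own code: the config dictionaries mirror the XML shown above, SAMPLE_PLAN is a constructed provisioning plan, and the assumption that disableProvisioning only blocks the send to the connector (while the record keeps its Provisioned/Filtered status) is ours.

```python
from dataclasses import dataclass

# Constructed to mirror the integrationConfig and the TestSQL filterConfig shown above.
INTEGRATION_CONFIG = {"disableProvisioning": False, "saveUnfilteredRecords": True,
                      "enableWhitelisting": True}
APP_CONFIG = {"TestSQL": {"filterConfig": {"Create": ["username", "name"],
                                           "Modify": ["first_name", "name"]}}}

@dataclass
class Record:  # one row of spt_provisioning_record (subset of the columns listed above)
    identityName: str
    applicationName: str
    nativeIdentity: str
    operation: str
    attributeName: str
    oldValue: object
    newValue: object
    provisioningStatus: str  # "Provisioned" or "Filtered"

def simulate(plan, cfg=INTEGRATION_CONFIG, apps=APP_CONFIG):
    """Return (records to store, attribute names actually forwarded to the connector)."""
    app, op = plan["application"], plan["operation"]
    listed = apps.get(app, {}).get("filterConfig", {}).get(op, [])
    records, forwarded = [], []
    for attr, (old, new) in plan["changes"].items():
        # Whitelisting: only listed attributes pass; blacklisting: listed ones are held back.
        passes = (attr in listed) if cfg["enableWhitelisting"] else (attr not in listed)
        status = "Provisioned" if passes else "Filtered"
        # Assumption: disableProvisioning only blocks the send; the record keeps its status.
        if passes and not cfg["disableProvisioning"]:
            forwarded.append(attr)
        if not passes or cfg["saveUnfilteredRecords"]:
            records.append(Record(plan["identityName"], app, plan["nativeIdentity"],
                                  op, attr, old, new, status))
    return records, forwarded

def affected(records):
    """Answer 'who is affected, and how': identity -> [(app, operation, attribute, status)]."""
    out = {}
    for r in records:
        out.setdefault(r.identityName, []).append(
            (r.applicationName, r.operation, r.attributeName, r.provisioningStatus))
    return out

# Constructed sample plan: a Modify of three attributes on the TestSQL account of identity jdoe.
SAMPLE_PLAN = {"identityName": "jdoe", "application": "TestSQL", "nativeIdentity": "jdoe",
               "operation": "Modify",
               "changes": {"first_name": ("Jon", "John"), "email": (None, "jdoe@example.test"),
                           "name": ("Jon Doe", "John Doe")}}
```

With the whitelist above, first_name and name are forwarded and email is only recorded as Filtered; flipping enableWhitelisting to FALSE inverts that, and saveUnfilteredRecords=FALSE drops the Provisioned rows from the table.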

Support and Feedback

The ProvisioningSimulator is designed to evolve and adapt to the needs of the SailPoint IdentityIQ community. We encourage you to actively participate in enhancing its functionality by submitting feature requests and improvement ideas. Your feedback is invaluable in making this tool even more effective and versatile.

If you have suggestions for new features or enhancements, please create a ticket in our GitHub repository. By doing so, you help us prioritize and implement changes that benefit the entire community. Together, we can continuously improve the ProvisioningSimulator and ensure it meets the growing demands of identity management.

Visit the GitHub repository to submit your feature requests and collaborate with other developers.

For the time being, the installation files can be found below. Eventually, the code will be hosted in the CoLab once it is approved.
colab-provisioning-simulator-plugin_v_1_2.jar (16.4 KB)
colab-provisioning-simulator-plugin_v_1_2_xmls.zip (11.3 KB)


Thanks @kjakubiak not only for this, but for all your efforts in the community!


We’ve had success doing very similar things with just a few lines of code in a rule that executes the create provisioning plan which is also how our attribute sync framework works.

@kjakubiak Would you have time to discuss this? I am attempting to use it and just want to review some questions I have. My email is [email protected]

Hi Keith,
Sure - I’ve sent you an email