Chapter 1: Introduction [Sample Chapter]

PDF version HERE

The goal of this book is demonstrating how to solve complex requirement by programming. You will learn the advanced techniques from example. We do not explain the basic concepts. We assume you have already had some experience with CA IdentityMinder API and you should able to customized workflow.

If you do not familiar with CA IdentityMinder API or workflow, I suggest to get book volume I. The volume I for beginner explains concepts and examples code, steps by step.

http://www.caidentitymanagerbook.com/ca-identitymanager-java-develper-guide.html





This chapter covers 2 topics:
  • Overview requirements of this book.
  • Explain Utility components features of this book

Technical Terms
To avoid confusion, we define some terms:
  • User means user information maintained by CA IdentityMinder Server. User is stored in CA IdentityMinder User Store.
  • Global User means user information maintained by the Provisioning Server. It is stored in Provisioning Director.
  • Account means user information in Endpoint.  For example account in Active Directory.
  • Endpoint is destination of user information after provisioning.
  • BLTH stand for Business Logic Task Handler.
  • Listener means listener API

1.1    Requirements Overview

Forward company wants to implement new IDM System.
Existing System
  • Forward company has HR system provides web services interface.
  • The HR System feeds new employees’ information. We do not know exactly when new employees arrive. The IDM System needs to run schedule to check new data.
  • Forward company has Ticket System. Some processes are required to call it by web services.
  • Forward company has one endpoint is Active Directory.

Figure 1-1 shows existing system
Employee States
  • There are 3 states of employee
o    Regular for fulltime employee. The attribute employeeType is Fulltime.
o    Termination is status for employee who quitted. the attribute employeeType is Terminated
o    Pre-delete: it is status for terminated employee. We want to store these users in special ou “predelete”. For example, after 90 days of termination, we plan to delete the terminated user. We move these user to ou “predelete”

  • The status can convert:
o    From regular state to termination state
o    From termination state back to regular state
o    From termination state to pre-delete state



Figure 1-2 shows employee state

  • The status cannot convert jumping across state from regular to pre-delete.
  • We do not convert pre-delete state back to termination state.
 Provisioning process
  • There are 2 types of provisioning process:
o    New Hire is process for provisioning brand new employee. It has never been in our system before.
o    Re-Hire is process convert termination state back to be regular.

De-provisioning process
  • There are 2 types of de-provisioning process:
o    Terminated is process for convert regular state to terminated state.
o    Pre-delete is process for convert terminated state to pre-delete state.    

 
Figure 1-3 shows relationship between employee’s state and processes

Additional requirements
IDM System has to:
  • Require employee number as key for all screen.
  • Provide screen to configure web services properties.
  • Provide schedule for calling web services
  • Provide a screen for lock AD account.
  • Provide a dynamic workflow for request access CRM and HR application. 

1.1.1    Provisioning Process: New hire and re-hire

The provisioning process starts from scheduling task to get new employees’ information by web services of HR System. When we get data, we have to search user (exclude OU pre-delete):
  • If user is not found, start the new hire process.
  • If user is found and status is terminated, start the re-hire process.
After finished create or set up user/account, both process will go to Ticket System, and enable user process. We can write as flow chart below:


Figure 1-4 shows high level flow chart of provisioning process


The requirement details of each process, we show in steps below:
Scheduling task requirements
  • Step1: Get HR system endpoint from configuration.
  • Step2: Call web services
  • Step3: Call provisioning process.

Figure 1-5 shows how to implement scheduling task.
We implement Scheduling task in chapter 8 you will learn how to:
  • Save admin task configuration.
  • Access other admin task’s configuration.
  • Create schedule task
  • Calling other admin task by internal API.
New hire process requirements
  • Step1: Generate unique NT Login and user id in the right format.
  • Step2: Create User in the right OU.
  • Step3: Send email to IDM Admin: there is new user created.
  • Step4: Add provisioning role.
  • Step5: Create account in AD.
  • Step6: Go to process: Ticket System.
     We implement new hire process in chapter 3 you will learn how to:
  • Initial, validate and capture input by BLTH
  • Search user by API
  • Share session attributes between BLTH, workflow and listener
  • Create routing path in workflow
  • Create user, add provisioning role by API
  • Develop listener API capture events.
  • Add account by API
  • Generate event and embedded workflow by API
  • Exception handling
Re-hire process requirements
  • Step1: Update user’s attributes. We keep the old user id and password.
  • Step2: Send email to IDM Admin: There is user starts re-hire process.
  • Step3: Add provisioning role
  • Step4: Update account’s attributes in AD
  • Step5: Go to process: Ticket System
We implement re-hire process in chapter 7 you will learn how to:
  • API working with Identity Policy.
  • Update global user’s attribute by generating event SynchronizeAttributesWithAccountsEvent.

Figure 1-6 shows how new hire and re-hire workflow
 Ticket System and enable user/account process requirements
  • Step1: Calling Ticket System, if there is error, send web services request to IDM admin by email.
  • Step2: Wait until hire date
o    Enable user and account
  • Step3: Send email to IDM Admin: user and account are enabled and ticket number.
  • Step4: If office == US101, wait until 6 am on hire date
o    Calling Ticket System again
We implement ticket process in chapter 4 you will learn how to:
  • Calling web services (Ticket System)
  • Implement delay for waiting until hire date.
  • Enable user and account
  • Generating event by Advanced API (Task Session)
  • Sharing attribute (ticket ID) inside workflow.   





 Figure 1-7 shows workflow for calling ticket system and enable user/account

1.1.2    De-provisioning Termination process

The terminated process is process to employee who quitted. We can describe as steps below:
  • Step 1: Enters employee number.
  • Step 2: Our system search active user by employee number.
  • Step 3: Change status to be terminated and disable user.
  • Step 4: Disable account.
  • Step 5: Revoke provisioning role.


Figure 1-8 shows overall de-provisioning Termination process
All implementation will show in chapter 5. You will learn how to:
  • Disable user and account by API
  • Revoke provisioning role by API

1.1.3    De-provisioning Pre-delete process

Pre-Deleted process is process for moving terminated user and account to special OU “predelete”. The pre-delete process can describe as below steps:
  • Step1: Enter employee number that they want to terminate.
  • Step2: Check user’s state. Only terminated user can be move. 
  • Step3: move user to OU predelete.
  • Step4: move account to AD container PreDelete. 

     


Figure 1-9 shows the final result for pre-delete process

We implement in Chapter 6: De-provisioning process: Pre-Deleted and you will learn:
  • Moving user and account by API.

1.1.4 Lock AD account

    This example demonstrates how to modify AD account’s attribute directly. Administrator enters employee number. IDM system looks up AD account to lock account, hide email from exchange and disable log on remote terminal. 
 

Figure 1-10 shows screen and locked AD account.
We implement in Chapter 9. You will learn how to modify account’s attribute directly by API.

1.1.5 Workflow

    IDM System provides form for requesting CRM and HR application.
  • If request CRM application
o    Requires approvers from web services (HR System)
o    If request has been approve, IDM system will send ticket.
  • If request HR application
o    Requires the first approver from admin role.  If user’s office is US101, requires second approver from properties file.
o    If request has been approve, IDM system will add provisioning role to user.



 
Figure 1-11 shows workflow.

Additional requirements:
  • Send email inform all approvers. Request is waiting.
  • Send email alert after request is still waiting. For testing, we set 5 minutes for alert.
  • Send email inform the request is time out. For testing, we set 10 minutes for timeout.
  • Send email to requester when request rejected.
    You will learn how to:
  • Generate workflow by API.
  • Set approver by API.
  • Using velocity email template in workflow.
  • Implement time out in workflow.

[END OF SAMPLE]

1.2 Utility Components

1.2.1 DisplayUtils.java
 1.2.2 WorkpointHelper.java
1.2.3 TaskSessionUtils.java
1.2.4 EmailUtils.java
 1.3 Conclusion

1 comment:

  1. UnknownMarch 29, 2019 at 12:16 PM

    please,updated the full link to download the ca identity manager book

    ReplyDelete

Subscribe to: Posts (Atom)