Identity Provision Configuration

Introduction

The provision configuration defines how an identity is provisioned into a target system, based on the information available on the core identity. The attributes you have to configure depend on the selected system type and on the account type you want to create. The account type describes what kind of account you want to create in a system; for Active Directory, for example, an Active Directory User or an Active Directory Account. A configuration can be used for one or more identity types.

Advance provisioning by hours

This property defines how many hours before the valid-from date of the earliest valid resource assignment the identity is provisioned into the target system. The resource assignments themselves are not provisioned until the valid-from date of each assignment is reached.

Deletion delay (hours)

The deletion delay is used to postpone the deletion in the target system. The resource assignments are deprovisioned independently of the identity.

Provisioning Workflow

You can configure a provisioning workflow that replaces the normal provisioning logic.

Deprovisioning Workflow

You can configure a deprovisioning workflow that replaces the normal deprovisioning logic.

Attribute mappings

The attribute mappings are on the second tab of the provisioning configuration. The tab shows all the attributes that should be managed in the target system and how each value is built. In this list, only system identity attributes for the selected account type can be selected. By default, only the mandatory attribute is automatically added when a new configuration is created. All others can be added with the plus button in the top right corner.

Attribute

This column shows the attribute name and the target system property name. Entries that don’t have a property name are CoreOne Suite internal attributes.

Options

Each attribute mapping has three options: unique, updatable, and the binding mode. The options unique and updatable are set on the attribute but can be overwritten in the scope of this configuration. The binding mode is defined on the system identity type attribute and can be overwritten as well. When the text of an option is bold, the value is overwritten and applies only in the scope of this configuration.

Unique

The unique option defines whether a value has to be unique in our meta-directory and in the target system. The identity cannot be provisioned when the calculated value is not unique in both directories.

The possible values are Unique and Not unique.

Updatable

The updatable option defines whether an attribute value is calculated only at the creation of the identity or periodically.

The possible values are Updatable and Immutable.

Binding Mode

The binding mode describes in which direction the value is provisioned.

Target System → CoreOne

The value is read from the target system and stored in the meta-directory of the CoreOne Suite.

CoreOne → Target System

The value in the meta-directory is used and provisioned into the target system.

CoreOne ↔︎ Target System

Currently not supported.

CoreOne Suite Internal

This value is used only in the CoreOne Suite.

Dependencies

Dependencies between identity types can be configured to delay provisioning or deprovisioning. This is important when a specific order of provisioning/deprovisioning must be adhered to.

“Provisioning delay in minutes” defines how much later the identity will be created, starting from the creation date of the identity it depends on.

 





© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.