Symantec IGA


Cloud Web Services to/from Identity Management

    Posted Aug 18, 2016 11:17 AM

    Team,

     

    Based on requests, I have put together a short list of what is possible with the IM solution for sources-of-record and/or downstream endpoints/applications with regard to web services.

    ***

    Review options for managing Web Services to/from CA IM:

     

    There are five (5) options, where Options 3 and 4 are the most common, followed by Option 2.

     

    Note: Most cloud applications will have their own ETL (extract/transform/load) modules to be used onsite to enrich data or determine use-case/sub-use-case(s).

    These ETL modules use a PULL process against the cloud app's web services, either manually or via scheduled tasks.

     

    Details on options below w/ recommendations:

    ***

    Transactional Process(es):

     

    Option 1:    Assumes the SOR (source-of-record) SME resource is able to build/tie a web service submission (SOAP/XML) to a task in the SOR, and no ETL module is required.  [Requires a SNOW SME/developer skill set to build SOAP calls to be PUSHED to another solution.]

    Data Flow Example:   SOR (Workday/ServiceNow/etc.) ->  Web Services (HTTPS/SOAP) transaction defined in SOR to PUSH -> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)


    Scheduled Process(es):      (see PDF for example)

     

    Option 2:   Assumes no web service is created in the SOR, but a middleware ETL component is used.    [May require a developer skill set for the ETL module to call a Web Service module]

    Data Flow Example:  SOR (Workday/ServiceNow/etc.)  ->  ETL (PULL via Scheduler Tool - extract-transform-load module/provided by vendor or created by customer or services/ used to enrich data or identify use-case) ->  Custom Java/CLI Web Service Module -> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)


    Option 3:   Assumes no web service is created in the SOR, but a middleware ETL component is used together with the CA IM Bulk Loader Client (pre-built Java module to Web Services).    [No developer skill set expected]

    Data Flow Example:  SOR (Workday/ServiceNow/etc.)  ->  ETL (PULL via Scheduler Tool - extract-transform-load module/provided by vendor or created by customer or services/ used to enrich data or identify use-case) -> CA IM BLC (pre-built Java module to TEWS) -> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)


    IM is SOR, not the cloud app:

     

    Option 4:   Assumes IM is the source of truth/record (SOR) for EMPLOYEE/CONTRACTORS [IM would create and manage access + call ServiceNow if needed for other access]

    Data Flow Example:   Delegated Admin (Manual/Browser) ->  CA IM User Console ->  IM Create User or Modify User Tasks -> Submission ->  Two Data Pathways -> Automated to managed endpoints (on-prem/cloud)   & CA NIM Module ->  Create/Manage Tickets in ServiceNow

     

    [CA NIM = CA Normalized Incident Management.    A module included under the CA Identity Suite license for use with ticket systems.]

     

    Option 5:   Assumes IM is the source of truth/record (SOR) for EMPLOYEE/CONTRACTORS [IM would create and manage access + ServiceNow is a cloud endpoint]

    Data Flow Example:  Delegated Admin (Manual/Browser) ->  CA IM User Console ->  IM Create User or Modify User Tasks -> Submission -> Automated to managed endpoints (on-prem/cloud)  -> CA API Gateway (Layer7) -> REST Web Service Configuration to ServiceNow -> Create/Manage Tickets in ServiceNow

     

    [CA API Gateway.  A module included under the CA Identity Suite license for use with Cloud Web Services]

    ***

    Example of calling IM TEWS (SOAP) via a CLI (PowerShell)

    https://communities.ca.com/thread/241751474

     

    Example of using IM BLC (A pre-built module using IM TEWS)

    https://communities.ca.com/thread/241744971

     

    Knowledge Transfer of Web Services:  SoapUI, a third-party tool that is useful for knowledge transfer and for addressing the learning curve of using web services.

    https://www.soapui.org/


    IM/SNOW Example:

     

    • If Option 1 is chosen as the design, then assign a SNOW SME/Developer to the project team for eighty (80) hours.
      • Goal:
        • IM Architects would expose the IM Tasks and provide the Web Service WSDL
        • Customer Network team would expose the IM solution via a secure web access control solution, e.g. SSO/SM
        • SNOW SME would update the SNOW solution to call a remote web service
          • Body of the remote service call would include the variables and the exact IM task name.
          • Process would capture the IM transaction ID for any submitted request.
          • SNOW SME would update the SNOW solution to include a verification check, calling the IM VST (view submitted task) with the transaction ID.
            • Process would record success/failure.
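    The submit-then-verify flow from the IM/SNOW example above, as an added Python example (not code from the original post or from CA): it builds the task envelope, captures the transaction ID from the submit reply, calls VST with that ID and reports success/failure. The TEWS namespace, operation names (ViewSubmittedTask) and element names (TransactionID, State) are assumed placeholders to be replaced with what the exposed WSDL actually defines; the sample replies are constructed so the flow runs offline.

```python
# Added example, not the original post's or CA's code. Namespace, operation and element
# names below are ASSUMED placeholders; take the real ones from the exposed TEWS WSDL.
import base64, os, urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
TEWS = "urn:placeholder:tews"  # assumption: replace with the WSDL's target namespace

def build_task_envelope(task_name, fields):
    """Wrap the exact IM task name and its variables in a SOAP 1.1 envelope via the XML
    API, so a value containing '<' or '&' is escaped instead of breaking the message."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    task = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{TEWS}}}{task_name}")
    for name, value in fields.items():
        ET.SubElement(task, f"{{{TEWS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")

def transaction_id_from(submit_reply_xml):
    """Capture the IM transaction ID from the submit reply; fail loudly if it is absent."""
    tid = ET.fromstring(submit_reply_xml).findtext(f".//{{{TEWS}}}TransactionID")
    if not tid or not tid.strip():
        raise ValueError("submit reply carried no TransactionID")
    return tid.strip()

def task_succeeded(vst_reply_xml):
    """Interpret the VST reply: only an explicit COMPLETED state counts as success."""
    state = ET.fromstring(vst_reply_xml).findtext(f".//{{{TEWS}}}State", default="")
    return state.strip().upper() == "COMPLETED"

def https_sender(url):
    """HTTPS transport with default certificate verification; the IM service account
    credentials come from the environment, never hard-coded in the SNOW-side script."""
    token = base64.b64encode(f"{os.environ['IM_WS_USER']}:{os.environ['IM_WS_PASS']}".encode()).decode()
    def send(envelope):
        req = urllib.request.Request(url, data=envelope.encode(), method="POST", headers={
            "Content-Type": "text/xml; charset=utf-8", "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()
    return send

def submit_and_verify(task_name, fields, send):
    """Submit, capture the ID, verify via VST; returns (transaction_id, ok) for the log."""
    tid = transaction_id_from(send(build_task_envelope(task_name, fields)))
    ok = task_succeeded(send(build_task_envelope("ViewSubmittedTask", {"TransactionID": tid})))
    return tid, ok

# Constructed sample replies standing in for a live TEWS endpoint (offline demo only).
SAMPLE_SUBMIT_REPLY = f'<Envelope xmlns="{SOAP}"><Body><r xmlns="{TEWS}"><TransactionID> 4f2c-0009 </TransactionID></r></Body></Envelope>'
SAMPLE_VST_REPLY = f'<Envelope xmlns="{SOAP}"><Body><r xmlns="{TEWS}"><State>Completed</State></r></Body></Envelope>'
```

Pass `https_sender("https://<im-host>/...")` as `send` against a real TEWS endpoint; a reply without a TransactionID raises rather than being logged as success.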


    Comments are welcome.  Any other options being used in the field?

     

    See example PDF with a Cloud SOR.

     

    Cheers,

     

    A.