Provisioning refers to action of using Registry data to create or remove access to applications and services. COmanage Registry defines a mechanism to extract Registry data for provisioning (via plugins), but there are multiple ways to provision applications from Registry:
- Push Provisioning: Using Registry plugins, Registry notifies applications when relevant data has changed.
- Pull Provisioning: Applications pull data from Registry on demand, either via the REST API or (less desirably) via database views.
- Messaging: Upon change of relevant data, a message is issued to a Message Queue or Enterprise Service Bus, which is then responsible for distributing the message to the relevant downstream applications.
In order to enable Push Provisioning, one or more Provisioning Plugins must be installed. By default, Registry ships with various Provisioning Plugins, including for LDAP, Grouper, Mailman, and Salesforce. You can also write a custom plugin.
Adding a Provisioning Target
The first step to setting up provisioning is to define a Provisioning Target.
- Login as a CO Administrator and select your CO.
- Go to Configuration > Provisioning Targets.
- Click (+) Add Provisioning Target.
- Configure the new Provisioning Target.
- If the Plugin you select has additional configuration options (most do), they will appear after you click Add.
- Plugins configured for Automatic Mode will be invoked automatically whenever COmanage Registry notices data suitable for provisioning has changed. Plugins configured for Manual Mode will only be invoked when a CO Admin explicitly does so (as described below). As of Registry v3.2.0, Plugins can be configured in Enrollment Mode. Plugins in Enrollment Mode will only be invoked once, at the conclusion of an Enrollment Flow.
- As of Registry v1.0.3, Provisioning Targets can be ordered, so that a given provisioner can be guaranteed to run before another provisioner (for the same record). This applies only during Automatic Provisioning.
As of Registry v2.0.0, a Provisioning Group can be specified. If provided, only CO People who are members of the CO Group (and only the CO Group itself, if the Provisioning Target also supports provisioning groups) will be provisioned using this provisioner. If a CO Person is subsequently removed from the group, their record will be deleted from the target (that is, the provisioning operation will automatically be converted to a delete action).
Keep in mind that when a CO Person is not in Active or Grace Period status, they are effectively removed from all Groups (with the exception of All Members Groups) for purposes of provisioning. So, for example, if a CO Person is expired, and the Provisioning Target is configured for the I Like Ice Cream Group (of which the person is a member), they will be completely removed from the Provisioning Target. Only All Members groups (at either the CO or COU level) can be used to maintain an expired record in the Provisioning Target (assuming the Target supports such behavior in the first place).
As of Registry v3.2.0, an Organizational Identity Source can be associated with a Provisioning Target, via the Skip If Associated With Org Identity Source configuration option. If set, then a CO Person who has an Organizational Identity created from the specified Organizational identity Source will not be provisioned.
If used with a Provisioning Group, this setting takes precedence, and will prevent the CO Person from being provisioned.
- Configure any Plugin specific options.
Once one or more Provisioning Targets are defined, you can try them out manually by viewing any active CO Person record (Organizations > YourCO > People > My Population), clicking on Provisioned Services, and then clicking the Provision action.
Reprovisioning a Target
It is possible to reprovision all records for a given target, via Organizations > YourCO > Configuration > Provisioning Targets and then selecting the appropriate Reprovision All button. This effectively calls manual provisioning for each defined CO Person and CO Group (whether or not they are active). For large datasets, this operation may take a while.
Note that reprovisioning has no way of knowing how to clear entries from the provisioning target that are not known to COmanage Registry. A typical pattern for reprovisioning all records would be to first clear out the target entirely (eg: delete all records from the LDAP server) and then execute Reprovision All.
Automatic Provisioning is triggered whenever data used for provisioning is changed. This data includes
- Address (attached to CO Person Role)
- CO Group Membership
- CO Person Record
- CO Person Role Record
- Email Address (attached to CO Person)
- Identifier (attached to CO Person)
- Name (attached to CO Person)
- TelephoneNumber (attached to CO Person Role)
Which records are provisioned are determined by CO Person and Person Role Status.
Note for Developers
Provisioning can be disabled on a per model/save basis by passing the option
"provision" => false (v1.0.1 and later).
Monitoring Push Provisioning
When provisioning is triggered automatically by an update, there is not currently a way to pass to the end user the results of the provisioning operation (other than manually clicking on the Provisioned Services link for the CO Person) (CO-582). If a provisioning plugin fails in such a situation, an error message will be syslog()d (at
LOG_ERR). It is recommended that syslog be suitably configured and monitored to catch any errors with automatic provisioning.
Additionally, a Notification will be generated and sent to the CO Administrators.
Pull Provisioning Not Recommended
Generally, pull provisioning from Registry is not recommended, as it ties applications tightly to the Registry implementation. Use of an intermediary such as LDAP is recommended.
This model is not currently supported (CO-583).