About Provisioning

Provisioning refers to the action of using Registry data to create or remove access to applications and services. COmanage Registry defines a mechanism to extract Registry data for provisioning (via plugins), but there are multiple ways to provision applications from Registry:

  1. Push Provisioning: Using Registry plugins, Registry notifies applications when relevant data has changed.
  2. Pull Provisioning: Applications pull data from Registry on demand, either via the REST API or (less desirably) via database views.
  3. Messaging: Upon change of relevant data, a message is issued to a Message Queue or Enterprise Service Bus, which is then responsible for distributing the message to the relevant downstream applications.

Push Provisioning

In order to enable Push Provisioning, one or more Provisioning Plugins must be installed. By default, Registry ships with the following Plugins:

| Plugin | Description | Notes |
|---|---|---|
| Changelog Provisioning Plugin | Exports transactions as JSON to a changelog file | Disabled by default |
| Grouper Provisioning Plugin | Provisions data to a MACE Grouper deployment | |
| Homedir Provisioning Plugin | Provisions Unix home directories | Experimental |
| LDAP Provisioning Plugin | Provisions data to an LDAP server | |

You can also write a custom plugin.

Adding a Provisioning Target

The first step to setting up provisioning is to define a Provisioning Target.

  1. Log in as a CO Administrator.
  2. Go to Organizations > YourCO > Configuration > Provisioning Targets.
  3. Click (+) Add Provisioning Target.
  4. Configure the new Provisioning Target.
    1. If the Plugin you select has additional configuration options (most do), they will appear after you click Add.
    2. Plugins configured for Automatic Mode will be invoked automatically whenever COmanage Registry detects that data suitable for provisioning has changed. Plugins configured for Manual Mode will only be invoked when a CO Admin explicitly does so (as described below).
  5. Configure any Plugin-specific options.

Manual Provisioning

Once one or more Provisioning Targets are defined, you can try them out manually by viewing any active CO Person record (Organizations > YourCO > People > My Population), clicking on Provisioned Services, and then clicking the Provision action.

Automatic Provisioning

Automatic Provisioning is triggered whenever data used for provisioning is changed. This data includes:

  • Address (attached to CO Person Role)
  • CO Group Membership
  • CO Person Record
  • CO Person Role Record
  • Email Address (attached to CO Person)
  • Identifier (attached to CO Person)
  • Name (attached to CO Person)
  • TelephoneNumber (attached to CO Person Role)

Warning: Only Active or (where appropriate) Grace Period records are provisioned.

Monitoring Push Provisioning

Warning: When provisioning is triggered automatically by an update, there is currently no way to report the results of the provisioning operation to the end user (other than manually clicking on the Provisioned Services link for the CO Person) (CO-582). If a provisioning plugin fails in such a situation, an error message will be logged via syslog() at LOG_ERR. It is recommended that syslog be suitably configured and monitored to catch any errors with automatic provisioning.

Additionally, a Notification will be generated and sent to the CO Administrators.
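One way to watch for these failures, as an added example that is not part of COmanage Registry: a filter that parses raw RFC 3164 syslog lines and keeps those at LOG_ERR or more severe from one program tag. It assumes the lines still carry their `<PRI>` header (for example on a forwarding collector); the tag `php` and all sample message texts are constructed, so substitute the ident your Registry web server logs under.

```python
import re

LOG_ERR = 3  # syslog severity code for "err"; lower numbers are more severe

# RFC 3164 wire format: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample lines; hosts, tags and message texts are invented.
SAMPLE = [
    "<14>Mar  4 10:15:01 registry01 php[2211]: CO Person 42 saved",
    "<11>Mar  4 10:15:02 registry01 php[2211]: provisioning target 3 failed: connection refused",
    "<86>Mar  4 10:15:09 registry01 sshd[901]: Accepted publickey for admin",
    "<10>Mar  4 10:16:40 registry01 php[2214]: provisioning target 3 failed: bind error",
    "<11>Mar  4 10:17:00 registry01 cron[77]: job exited 1",
    "not a syslog line",
]

def parse(line):
    """Split one raw syslog line into fields, or return None if malformed."""
    m = LINE_RE.match(line)
    if m is None or int(m["pri"]) > 191:  # 191 = highest valid PRI (23*8+7)
        return None
    rec = m.groupdict()
    # PRI encodes facility * 8 + severity.
    rec["facility"], rec["severity"] = divmod(int(m["pri"]), 8)
    return rec

def provisioning_errors(lines, tag="php"):
    """Return records logged under `tag` (assumed ident) at LOG_ERR or worse."""
    hits = []
    for line in lines:
        rec = parse(line.rstrip("\n"))
        if rec and rec["tag"] == tag and rec["severity"] <= LOG_ERR:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in provisioning_errors(SAMPLE):
        print(rec["ts"], rec["host"], f"sev={rec['severity']}", rec["msg"])
```

Matching on severity and tag rather than on message text keeps the filter working if the wording of the error changes between Registry versions.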

Pull Provisioning

Pull Provisioning Not Recommended

Generally, pull provisioning from Registry is not recommended, as it ties applications tightly to the Registry implementation. Use of an intermediary such as LDAP is recommended.

Messaging

This model is not currently supported (CO-583).
