Thursday, August 26, 2010

OIM 11g: Request management

OIM has always had support for requests based provisioning but the OIM request model is strongly connected  to resource objects. This works great if you want to request something that natively out of the box is a resource object, i.e. an AD account, but works less well if you need to be able to support requests for more granular things like attributes on a process form or target system roles on a child form connected to the process form.

There is a number of ways to work around this problem but none of these approaches is entirely problem free and/or require a lot of implementation work:
  1. Wrap the entity in a custom resource object (example AD group memberships
  2. Wrap the entity in a custom resource object and leverage OIM group and Access Policy framework
  3. Create an custom menu item and do a custom request workflow
  4. Create a totally custom request interface and connect to OIM using the APIs. Potentially use web services as a communication channel
Option one and two require some OIM knowledge and a bit of Java prowess. Option three requires Java, , OIM API skills, Spring and some basic GUI creation skills and four requires knowledge of some kind of web interface plus some understanding of the OIM APIs. Nothing extremely complicated but definitely requires more skill and time than simple configuration.

In 11g there is a new request framework that looks very promising that should hopefully mean that you no longer need to write custom code as soon as you need to support request for anything outside of the base resource objects. This will make OIM implementation that includes decently advanced requirements around requests substantially cheaper and faster.

If you look at the competition it is clearly a weak spot for OIM. IBM TIM has had framework for handling application roles/groups (they call it "access") since 5.0 so OIM clearly needed to catch up on this feature. The OIM framework looks more flexible so if the feature delivers on it's promises it could be a strong advantage for OIM.

No comments:

Post a Comment