Friday, August 27, 2010

OIM Howto: Support for request based OIM group memberships

The normal OIM group management interface is oriented towards an administrator. In many cases it is useful to support request based OIM group memberships as well. To do this you basically follow the same steps as documented in "Leverage standard connector group management":
  1. Create a new resource object (RO) called "OIM group membership".
  2. Add an object form that lets the user indicate which OIM group they would like to become a member of.
  3. Add a process form and data sink, or prepopulate it from the object form.
  4. Add an approval process (if needed).
  5. Add a provisioning process whose task calls the addMemberUser method in tcGroupOperationsIntf.
This in turn can be leveraged to do request based AD group memberships by attaching access policies to the OIM groups that add rows to the AD group membership child form of the AD User object. This supports multiple groups, as the child form rows are added cumulatively.
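An added example of the adapter task behind step 5 (this is not code from the original post). It targets the OIM 9.1.x Thor.API classes named in the text; the class name, the adapter variable names, the response codes and the allowed-prefix rule are this example's own assumptions. The point of the extra checks is that the group name arrives from a user-filled form, so the adapter only grants groups the request process is meant to offer and rejects names that match zero or several groups:

```java
// Added example, not code from the original post. A Java adapter task for
// step 5 of the procedure above, written against the OIM 9.1.x Thor.API.
// Class name, method name, adapter variable names, response codes and the
// allowed-prefix rule are this example's own assumptions.
import java.util.HashMap;
import java.util.Map;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcGroupOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
import com.thortech.xl.dataaccess.tcDataProvider;

public class RequestedOimGroupMembershipTask {

    // Only groups with this prefix may be granted through the request process.
    // It mirrors the filter used to fill the form's lookup, so a hand-edited
    // form value cannot grant, for example, SYSTEM ADMINISTRATORS. (assumed value)
    private static final String ALLOWED_PREFIX = "adGroups";

    /**
     * Adapter entry point. Map the adapter variables as:
     *   dataProvider -> the adapter's Data Provider variable
     *   userLogin    -> the User ID of the user being provisioned
     *   groupName    -> the group chosen on the object/process form
     * The returned string is matched against the provisioning task's response codes.
     */
    public String addUserToRequestedGroup(tcDataProvider dataProvider,
                                          String userLogin, String groupName) {
        // The find APIs treat '*' as a wildcard, so never pass user input containing it.
        if (groupName == null || groupName.indexOf('*') >= 0
                || !groupName.startsWith(ALLOWED_PREFIX)) {
            return "GROUP_NOT_ALLOWED";
        }
        try {
            tcGroupOperationsIntf groupOps = (tcGroupOperationsIntf) tcUtilityFactory
                .getUtility(dataProvider, "Thor.API.Operations.tcGroupOperationsIntf");
            tcUserOperationsIntf userOps = (tcUserOperationsIntf) tcUtilityFactory
                .getUtility(dataProvider, "Thor.API.Operations.tcUserOperationsIntf");

            long groupKey = singleKey(
                groupOps.findGroups(exactMatch("Groups.Group Name", groupName)), "Groups.Key");
            if (groupKey < 0) {
                return "GROUP_NOT_FOUND";
            }
            long userKey = singleKey(
                userOps.findUsers(exactMatch("Users.User ID", userLogin)), "Users.Key");
            if (userKey < 0) {
                return "USER_NOT_FOUND";
            }
            groupOps.addMemberUser(groupKey, userKey);
            return "SUCCESS";
        } catch (Exception e) {
            // Fail the task visibly; a rejected task is easier to audit than a
            // silently completed one that granted nothing.
            return "ERROR";
        }
    }

    private static Map<String, String> exactMatch(String column, String value) {
        Map<String, String> filter = new HashMap<String, String>();
        filter.put(column, value);
        return filter;
    }

    /** Returns the key column of a one-row result set, or -1 when zero or several rows match. */
    private static long singleKey(tcResultSet rs, String keyColumn) throws Exception {
        if (rs == null || rs.getRowCount() != 1) {
            return -1L;
        }
        rs.goToRow(0);
        return rs.getLongValue(keyColumn);
    }
}
```

Map each returned string to a response code on the process task (SUCCESS to Completed, the others to Rejected) so that a request for a group outside the allowed set shows up as a rejected task in the user's resource profile rather than as a successful provisioning.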

There are a couple of different options for the object form in step two, and which approach you choose largely depends on your requirements.

One is to use a drop down backed by a lookup table. The lookup table could either be populated manually or, as P.K. suggests in a recent thread on the OTN discussion forum, you could create a scheduled task that uses the APIs to auto populate the lookup with the OIM groups. If you go down that path you may want to include logic that excludes certain OIM groups, e.g. system administrators, or only takes a subset of groups, e.g. all OIM groups whose names start with adGroups.

Another option is to use a child form, which would support requests for multiple groups in a single request. If you go for this option you have to add the support on the process form as well, and your provisioning logic will be slightly more complex.

The target system net result is identical to the approach in "Leverage standard connector group management", but you can argue that this is a cleaner approach that leverages more of the standard OIM functionality. It also leverages the OIM group admin user interface, which makes it clearer what AD groups a specific user has access to.
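An added example of the scheduled task described above (this is not code from the original post or from the OTN thread). It fills the lookup that backs the object form's drop-down with the current OIM groups, applying both filters the text suggests: a name prefix and an exclusion list. The class name, task attribute names, lookup code and excluded group names are this example's assumptions; the SchedulerBaseTask hooks and Thor.API calls are the 9.1.x ones, and the task is written to be safe to rerun:

```java
// Added example, not code from the original post. An OIM 9.1.x scheduled
// task that populates the lookup behind the object form's drop-down with the
// OIM groups that match a prefix, minus an exclusion list. Class name, task
// attribute names, lookup code and excluded names are assumptions.
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcGroupOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;
import com.thortech.xl.scheduler.tasks.SchedulerBaseTask;

public class PopulateRequestableGroupsLookup extends SchedulerBaseTask {

    // Groups that must never become requestable, whatever the prefix says (assumed list).
    private static final Set<String> EXCLUDED = new HashSet<String>();
    static {
        EXCLUDED.add("SYSTEM ADMINISTRATORS");
        EXCLUDED.add("ALL USERS");
        EXCLUDED.add("OPERATORS");
    }

    private static final String CODE_KEY_COLUMN =
        "Lookup Definition.Lookup Code Information.Code Key";

    /** Scheduler entry point; the two attributes are defined on the task in the Design Console. */
    public void execute() {
        try {
            String lookupCode = getAttribute("Lookup Code");        // e.g. Lookup.Requestable.Groups
            String prefix = getAttribute("Group Name Prefix");     // e.g. adGroups
            tcGroupOperationsIntf groupOps = (tcGroupOperationsIntf) tcUtilityFactory
                .getUtility(getDataBase(), "Thor.API.Operations.tcGroupOperationsIntf");
            tcLookupOperationsIntf lookupOps = (tcLookupOperationsIntf) tcUtilityFactory
                .getUtility(getDataBase(), "Thor.API.Operations.tcLookupOperationsIntf");
            int added = syncLookup(groupOps, lookupOps, lookupCode, prefix);
            System.out.println("PopulateRequestableGroupsLookup: added " + added + " lookup entries");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Adds every matching, non-excluded group that is not already in the lookup; returns the count added. */
    static int syncLookup(tcGroupOperationsIntf groupOps, tcLookupOperationsIntf lookupOps,
                          String lookupCode, String prefix) throws Exception {
        // Read the existing code keys first so reruns do not create duplicates.
        Set<String> existing = new HashSet<String>();
        tcResultSet current = lookupOps.getLookupValues(lookupCode);
        for (int i = 0; i < current.getRowCount(); i++) {
            current.goToRow(i);
            existing.add(current.getStringValue(CODE_KEY_COLUMN));
        }

        // The find APIs accept '*' as a wildcard, so this selects groups starting with the prefix.
        Map<String, String> filter = new HashMap<String, String>();
        filter.put("Groups.Group Name", prefix + "*");
        tcResultSet groups = groupOps.findGroups(filter);

        int added = 0;
        for (int i = 0; i < groups.getRowCount(); i++) {
            groups.goToRow(i);
            String name = groups.getStringValue("Groups.Group Name");
            if (EXCLUDED.contains(name.toUpperCase()) || existing.contains(name)) {
                continue;
            }
            // Code key and decode are both the group name, so the adapter can
            // look the group up by the exact value the form passes along.
            lookupOps.addLookupValue(lookupCode, name, name, "en", "US");
            added++;
        }
        return added;
    }
}
```

Groups that disappear from OIM are deliberately left in the lookup by this task; a stale entry only leads to a GROUP_NOT_FOUND rejection in the provisioning adapter, whereas removing entries automatically would also remove any that were added by hand.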

2 comments:

1. Hi Martin,

   I recently saw your post "OIM Howto: Support for request based OIM group memberships"

   as I was looking for some answers for this solution in OIM 11g.
   I had used a similar solution in an OIM 9.1.x environment, but in order to implement the same solution in 11g, I am seeing some challenges for a couple of simple items that were possible in the 9.1.x environment.
   OIM 11g challenges:
   1> How to create the approval process and have the object form with lookup values? As in 11g there is no concept of an object form?

   Have you worked across implementing the same solution in 11g?

   Appreciate your help.

   Thanks
   ~Aditya
2. Unfortunately I have not worked on OIM 11g as I am spending my time in the big blue world of IBM TIM/TAM for the last couple of years.