Alan Baugher

Cloud Web Services to/from Identity Management

Discussion created by Alan Baugher Employee on Aug 18, 2016

Team,

 

Based on requests, I have put together a short list of what is possible with the IM solution for source-of-records and/or downstream endpoints/applications with regards to web services.

 

*** ***

 

Review options for managing Web Services to/from CA IM:

 

There are five (5) options, where Option 3 and 4 are the most common, followed by Option 2.   

 

Note: Most Cloud Applications will have their own ETL (extract/transform/load) modules to be used onsite to enrich data or determine use-case/sub-use-case(s).

These ETL modules will use a PULL process from the cloud app's web services, either manually or via scheduled tasks.

 

Details on options below w/ recommendations:

 

 

**** ****

 

 

Transactional Process(es):

 

Option 1:    Assumes SOR (source-of-record) SME resource is able to build/tie a web service submission (SOAP/XML) to a task in SOR; and No ETL module is required.  [Requires SNOW SME/developer skill set to build SOAP calls to be PUSHED to another solution.]

Data Flow Example:   SOR (Workday/ServiceNow/etc.) ->  Web Services (HTTPS/SOAP) transaction defined in SOR to PUSH -> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)

 

 

 

Scheduled Process(es):      (see PDF for example)

 

Option 2:   Assumes no web service is created in the SOR, but a middle-ware component of ETL is used.    [May require developer skill set for ETL module to call a Web Service module]

Data Flow Example:  SOR (Workday/ServiceNow/etc.)  ->  ETL (PULL via Scheduler Tool - extract-transform-load module/provided by vendor or created by customer or services/ used to enrich data or identify use-case) ->  Custom Java/CLI Web Service Module --> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)

 

 

Option 3:   Assumes no web service is created in the SOR, but a middle-ware component of ETL is used and CA IM Bulk Loader Client (pre-built java module to Web Services)    [No developer skill set expected]

Data Flow Example:  SOR (Workday/ServiceNow/etc.)  ->  ETL (PULL via Scheduler Tool- extract-transform-load module/provided by vendor or created by customer or services/ used to enrich data or identify use-case) -> CA IM BLC (pre-built java module to TEWS) -> CA Identity Manager (TEWS – Web Services enabled for each task) -> CA IM Business Rules (if needed)

 

 

 

IM is SOR, not the cloud app:

 

Option 4:   Assumes IM is the source of truth/record (SOR) for EMPLOYEE/CONTRACTORS [IM would create and manage access + call ServiceNow if needed for other access]

Data Flow Example:   Delegated Admin (Manual/Browser) ->  CA IM User Console ->  IM Create User or Modify User Tasks -> Submission ->  Two Data Pathways -> Automated to managed endpoints (on-prem/cloud)   & CA NIM Module ->  Create/Manage Tickets in ServiceNow

 

[CA NIM = CA Normalized Incident Management.    A module included under the CA Identity Suite license for use with ticket systems.]

 

Option 5:   Assumes IM is the source of truth/record (SOR) for EMPLOYEE/CONTRACTORS [IM would create and manage access + ServiceNow is a cloud endpoint]

Data Flow Example:  Delegated Admin (Manual/Browser) ->  CA IM User Console ->  IM Create User or Modify User Tasks -> Submission -> Automated to managed endpoints (on-prem/cloud)  -> CA API Gateway (Layer7) -> REST Web Service Configuration to ServiceNow -> Create/Manage Tickets in ServiceNow

 

[CA API Gateway.  A module included under the CA Identity Suite license for use with Cloud Web Services]

 

 

###### ####

 

Example of calling IM TEWS (SOAP) via a CLI (PowerShell)

https://communities.ca.com/thread/241751474

 

Example of using IM BLC (A pre-built module using IM TEWS)

https://communities.ca.com/thread/241744971

 

Knowledge Transfer of Web Services:  SoapUI, a third-party tool that is useful for knowledge transfer & addressing the learning curve of using web services.

https://www.soapui.org/

 

 

 

 

IM/SNOW Example:

 

  • If option 1 is chosen as the design, then assign a SNOW SME/Developer to the project team for eighty (80) hours.
    • Goal:
      • IM Architects would expose the IM Tasks, and provide the Web Service WSDL
      • Customer Network team would expose the IM solution via a secure web access control solution, e.g. SSO/SM
      • SNOW SME would update the SNOW solution to call a remote web service
        • Body of the remote service call would include variables and the exact IM task name.
        • Process would capture the IM transaction ID for any submitted request.
        • SNOW SME would update the SNOW solution to include a verification check, to call the IM VST (view submitted task) with the transaction ID.
          • Process would record success/failure.
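The following is an added example, not code from the original post or from CA: a minimal client-side sketch of the Option 1 / IM-SNOW flow above (submit a task by its exact IM task name, capture the transaction ID, verify it via VST, record success or failure). The namespace `urn:example:im-tews`, the `SubmitTask`/`ViewSubmittedTask`/`TransactionID`/`Status` element names, the `/TEWS/task` and `/TEWS/vst` paths and the `CreateUser` task name are all assumed placeholders; the real names come from the WSDL the IM architects publish, and the `fake_im` transport is a constructed stand-in so the flow runs offline.

```python
"""Option 1 / IM-SNOW example flow, written as a generic Python SOAP client.
ASSUMED: namespace, element names, URL paths and task name are placeholders,
not the real TEWS contract; read those from the exposed WSDL."""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IM_NS = "urn:example:im-tews"                     # ASSUMED target namespace
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")    # element names we will emit
TASK_RE = re.compile(r"[A-Za-z0-9_ ]{1,64}")       # ASSUMED shape of an IM task name


def build_task_envelope(task_name: str, attributes: Dict[str, str]) -> str:
    """SOAP body carrying the exact IM task name plus the request variables.
    Names are validated and values XML-escaped, so a value such as
    "Smith & Co <x>" stays inside its element instead of adding new ones."""
    if not TASK_RE.fullmatch(task_name):
        raise ValueError("unexpected task name: %r" % task_name)
    for key in attributes:
        if not NAME_RE.fullmatch(key):
            raise ValueError("bad attribute name: %r" % key)
    fields = "".join("<%s>%s</%s>" % (k, escape(v), k) for k, v in attributes.items())
    return (
        '<soapenv:Envelope xmlns:soapenv="%s" xmlns:im="%s"><soapenv:Body>'
        "<im:SubmitTask><im:TaskName>%s</im:TaskName><im:Subject>%s</im:Subject>"
        "</im:SubmitTask></soapenv:Body></soapenv:Envelope>"
    ) % (SOAP_NS, IM_NS, escape(task_name), fields)


def build_vst_envelope(transaction_id: str) -> str:
    """Verification call: ask IM for the state of a previously submitted task."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s" xmlns:im="%s"><soapenv:Body>'
        "<im:ViewSubmittedTask><im:TransactionID>%s</im:TransactionID>"
        "</im:ViewSubmittedTask></soapenv:Body></soapenv:Envelope>"
    ) % (SOAP_NS, IM_NS, escape(transaction_id))


def _find_text(xml_text: str, local_name: str) -> str:
    """Text of the first element with that local name, namespace-agnostic.
    A SOAP Fault raises, so a failed submission is never recorded as success."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Fault":
            raise RuntimeError("IM returned a SOAP fault: "
                               + (el.findtext("faultstring") or "unknown fault"))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text:
            return el.text.strip()
    raise RuntimeError("element %s missing from IM response" % local_name)


def parse_transaction_id(response_xml: str) -> str:
    return _find_text(response_xml, "TransactionID")


def parse_task_status(response_xml: str) -> str:
    return _find_text(response_xml, "Status")


def https_post(url: str, body: str, timeout: float = 30.0) -> str:
    """Real transport: TLS with certificate verification. The SSO/SM layer in
    front of IM will also expect its own credential header or cookie; add it here."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8")


def submit_and_verify(post: Callable[[str, str], str], base_url: str,
                      task_name: str, attributes: Dict[str, str]) -> Dict[str, str]:
    """Two-step process: submit the task, keep the transaction ID, then verify via VST."""
    submit_resp = post(base_url + "/TEWS/task", build_task_envelope(task_name, attributes))
    tx_id = parse_transaction_id(submit_resp)
    vst_resp = post(base_url + "/TEWS/vst", build_vst_envelope(tx_id))
    status = parse_task_status(vst_resp)
    return {"transaction_id": tx_id, "status": status,
            "result": "success" if status.upper() == "COMPLETED" else "failure"}


def fake_im(url: str, body: str) -> str:
    """Constructed stand-in for IM so the flow runs offline; swap in https_post for real use."""
    if url.endswith("/task"):
        return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body><SubmitTaskResponse>'
                "<TransactionID>tx-0001</TransactionID></SubmitTaskResponse>"
                "</soapenv:Body></soapenv:Envelope>") % SOAP_NS
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body><ViewSubmittedTaskResponse>'
            "<Status>COMPLETED</Status></ViewSubmittedTaskResponse>"
            "</soapenv:Body></soapenv:Envelope>") % SOAP_NS


if __name__ == "__main__":
    print(submit_and_verify(fake_im, "https://im.example.invalid", "CreateUser",
                            {"uid": "jdoe", "displayName": "Doe, Jane & Co <test>"}))
```

The two checks worth keeping when this is ported to the SOR's own scripting: values going into the SOAP body are escaped and element names whitelisted (the body is built from SOR data, so a stray `<` or `&` in a name field must not become markup), and a SOAP Fault on either call is an exception rather than a missing field, so the recorded outcome is only "success" when VST actually reports the task completed.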

 

 

 

Comments are welcome.  Any other options being used in the field?

 

See example PDF with a Cloud SOR.

 

Cheers,

 

A.
