Automated User Provisioning - Invocation of REST Services
We visualise two groups of “upstream” applications that will invoke the REST
services exposed by IAM, in addition to any business applications that may
need direct access to user data.
The first is an HR-type system, which is the authoritative source for
employee onboarding and offboarding. User creation and deletion within
IAM may need to be triggered by the corresponding events in this system.
The second is a resource management system that is used to grant and
revoke user access to various business applications. User role assignments in
IAM may need to be triggered when the corresponding access rights are
assigned or deassigned in this system.
An important consideration is the two-phase request/authorise model that
follows from the Segregation of Duties principle. You will need to decide
whether the request and authorise phases occur in the upstream system (in
which case the invocation to IAM simply actions a decision already taken), or
whether both the request and the authorisation need to be communicated
to IAM and recorded as two separate events. This has implications for where
logging is done, for example: in the first model only the upstream system holds
the evidence of who requested and who approved, while in the second IAM can
record both and enforce the separation itself.
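As an added illustration (not code from the book), the following models the IAM side of the second option: request and authorisation arrive as two separate calls, each is logged as its own event, and IAM rejects an authorisation coming from the same actor who raised the request. Class, method, event and URL names are assumptions.

```python
# Added example (not from the book): the IAM side of the second option above, where
# the request and the authorisation arrive as two separate calls and are recorded as
# two separate events, so IAM itself can enforce Segregation of Duties. All names here
# (class, methods, event types, URL paths in comments) are assumptions.
import itertools
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class RoleRequest:
    request_id: int
    requester: str
    user: str
    role: str
    status: str = "PENDING"  # PENDING -> APPROVED | REJECTED


class IamProvisioning:
    """In-memory stand-in for the role-assignment resource of an IAM REST service."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.requests: Dict[int, RoleRequest] = {}
        self.granted: Dict[str, Set[str]] = {}   # user -> roles actually in effect
        self.audit_log: List[dict] = []          # one entry per phase

    def request_role(self, requester: str, user: str, role: str) -> int:
        """Phase 1 (e.g. POST /role-requests): record the request, grant nothing yet."""
        req = RoleRequest(next(self._ids), requester, user, role)
        self.requests[req.request_id] = req
        self.audit_log.append({"event": "ROLE_REQUESTED", "request_id": req.request_id,
                               "actor": requester, "user": user, "role": role})
        return req.request_id

    def authorise(self, authoriser: str, request_id: int) -> bool:
        """Phase 2 (e.g. POST /role-requests/{id}/authorise): the authoriser must
        differ from the requester; the role is applied only on approval."""
        req = self.requests[request_id]
        if req.status != "PENDING":
            raise ValueError(f"request {request_id} is already {req.status}")
        if authoriser == req.requester:
            req.status = "REJECTED"
            self.audit_log.append({"event": "ROLE_REJECTED", "request_id": request_id,
                                   "actor": authoriser, "reason": "segregation of duties"})
            return False
        req.status = "APPROVED"
        self.granted.setdefault(req.user, set()).add(req.role)
        self.audit_log.append({"event": "ROLE_AUTHORISED", "request_id": request_id,
                               "actor": authoriser, "user": req.user, "role": req.role})
        return True
```

Because both phases land in `audit_log`, the IAM side can later answer who requested and who approved each assignment without consulting the upstream system.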