Provisioning Users to Downstream Systems
The standards body OASIS has a comprehensive model for user provisioning
that is shown in Appendix B. They also specify a markup language to be used
for user provisioning, called SPML (Service Provisioning Markup Language).
Although SPML seems very rigorous and promising, the entire SPML
standard is just a shell that defines the schema of the XML message
envelope. The actual message body is left to the discretion of the
implementing organisation.
SPML also assumes a request/response model that may be too constraining.
We have found value in treating the semantics of user provisioning as a
simple event broadcast rather than as a request/response interaction
between systems. IAM should not have to “know” what downstream
systems exist, for the purpose of provisioning to them. That would be a form
of tight coupling. The list of downstream systems should be maintained in a
flexible and dynamic way, because IAM is rolled out to application after
application over a period of time, and each rollout needs to happen without
much incremental effort, in particular without changes to IAM. A
loosely-coupled interaction model would therefore be more robust and
operationally cost-effective in a real-world organisational environment.
Here, IAM would only need to “announce” an event, and it would be up to all
concerned downstream systems to act on it.
Therefore, after a lot of deliberation, we concluded that standards-
compliance for its own sake wasn't worth the cost in complexity and that a
simpler scheme was desirable.
Tip 1: Use a Publish/Subscribe model to propagate user events to systems
“downstream” of IAM
Multiple systems that maintain local copies of user data need to be notified
when there are changes to user data (adds, updates and deletes). They only
need to register with IAM to receive such notifications. Such a
publish/subscribe model is easily implemented through a “bus” mechanism.
IAM publishes user events on this bus and systems subscribing to these
events receive such messages and make updates to their local data
accordingly. This is the “User Event Bus”.
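The following is an added illustration of the "User Event Bus" described above; it is not code from the book or from any product it discusses. The class and function names (UserEventBus, DownstreamSystem, UserEvent) and the event kinds are assumptions chosen for the example, and the published events are constructed sample data. IAM publishes add, update and delete events without knowing who listens; each downstream system registers for the kinds it cares about and maintains its own local copy, and a system rolled out later simply subscribes.

```python
"""Minimal publish/subscribe "User Event Bus" for propagating IAM user events
to downstream systems.  Added example; names and event kinds are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The three kinds of change the text names: adds, updates and deletes.
EVENT_KINDS = ("user.added", "user.updated", "user.deleted")


@dataclass(frozen=True)
class UserEvent:
    kind: str                                   # one of EVENT_KINDS
    user_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


class UserEventBus:
    """IAM publishes here.  The bus, not IAM, holds the subscriber list, so
    IAM never needs to know which downstream systems exist."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[UserEvent], None]]] = {
            kind: [] for kind in EVENT_KINDS
        }

    def subscribe(self, kind: str, handler: Callable[[UserEvent], None]) -> None:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {kind!r}")
        self._subscribers[kind].append(handler)

    def publish(self, event: UserEvent) -> int:
        """Deliver the event to every handler registered for its kind.
        A failing subscriber must not block delivery to the others; returns
        the number of successful deliveries."""
        delivered = 0
        for handler in list(self._subscribers[event.kind]):
            try:
                handler(event)
                delivered += 1
            except Exception as exc:       # a real bus would log and retry
                print(f"subscriber {handler!r} failed: {exc}")
        return delivered


class DownstreamSystem:
    """A system that keeps a local copy of user data and registers with the
    bus for the event kinds it cares about."""

    def __init__(self, name: str, bus: UserEventBus, wanted=EVENT_KINDS) -> None:
        self.name = name
        self.users: Dict[str, Dict[str, str]] = {}
        for kind in wanted:
            bus.subscribe(kind, self.on_event)

    def on_event(self, event: UserEvent) -> None:
        if event.kind == "user.deleted":
            self.users.pop(event.user_id, None)
        else:  # added or updated: merge the attributes into the local copy
            self.users.setdefault(event.user_id, {}).update(event.attributes)


def demo():
    """Constructed scenario: two downstream systems, four IAM events."""
    bus = UserEventBus()
    hr = DownstreamSystem("hr-portal", bus)
    # A second application rolled out later just registers for the events it
    # needs; neither IAM nor the bus changes to start feeding it.
    mail = DownstreamSystem("mail", bus, wanted=("user.added", "user.deleted"))

    bus.publish(UserEvent("user.added", "u1", {"name": "Ada", "dept": "eng"}))
    bus.publish(UserEvent("user.updated", "u1", {"dept": "research"}))
    bus.publish(UserEvent("user.added", "u2", {"name": "Bob"}))
    bus.publish(UserEvent("user.deleted", "u2"))
    return hr, mail


if __name__ == "__main__":
    hr_system, mail_system = demo()
    print("hr-portal:", hr_system.users)
    print("mail:     ", mail_system.users)
```

Note that the mail system, having not subscribed to updates, keeps the stale department for u1; which kinds a system subscribes to is its own decision, and the bus does not reconcile state on its behalf.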