Optimizing CP4BA authorization configuration

By CHAO FENG WU posted 4 days ago


There are two important aspects when it comes to security for Cloud Pak for Business Automation. The first is authentication and the second is authorization.

In this article, we will focus on authorization, and more specifically on the use of the Cloud Pak foundational services component IAM together with System for Cross-domain Identity Management (SCIM). Cloud Pak for Business Automation transitioned to using IAM SCIM for authorization lookup starting with version 21.0.3.

What is SCIM?

SCIM is an open standard that enables enterprises to manage user identities and access in a standardized way. It provides a common set of user attributes, protocols, and REST APIs that allow applications to communicate with identity providers and exchange user information securely. SCIM allows enterprises to synchronize their user identity data across multiple systems. It provides a single API for managing user identities, regardless of the underlying system. Using SCIM can help organizations improve their user management processes by providing a standardized way to manage user identities and access across different LDAP repositories. This can reduce the risk of data inconsistencies and ensure that users have a consistent experience when accessing different applications. Additionally, SCIM can help organizations streamline the onboarding and offboarding processes by allowing them to easily synchronize user information across different systems.

What are the motivations for using SCIM in CP4BA

There are several different capabilities in CP4BA such as FileNet Content Manager, Business Automation Workflow, Operational Decisions Manager, Automation Decision Services, and Automation Document Processing so it is important that all the capabilities and components leverage the same approach for managing user identities and authorization. Below are the motivations for configuring and using SCIM in CP4BA:

  • SCIM removes the per-component LDAP configurations and leverages one LDAP configuration that is configured through the Cloud Pak foundational services (CPfs) component Identity and Access Management (IAM). There is only one LDAP configuration, maintained and configured in IAM, for all the LDAP repositories.
  • SCIM provides a consistent way to do user, group, and group memberships lookup across the CP4BA components.
  • With LDAP repositories configured in IAM, IAM SCIM provides an abstraction layer over the different LDAP providers (e.g., Microsoft Active Directory (MSAD), IBM Security Directory Server (IBM SDS), etc.).
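To make the "user, group, and group memberships lookup" concrete, the following is an added example (not IBM code, and not taken from this article) of how a consumer of a SCIM 2.0 endpoint resolves a principal: query `/Users` filtered by `userName`, then query `/Groups` for the groups whose `members.value` contains that user's `id`. The endpoint paths and filter syntax are the standard ones from RFC 7644; the base URL, the sample users and groups, and the in-memory `fake_scim_get` that stands in for the IAM SCIM service are all constructed for this example.

```python
"""SCIM 2.0 principal lookup: user by userName, then group memberships.

Example code added to illustrate the lookup flow; it does not use any
CP4BA-specific API. The fake server below replaces HTTPS calls so the
example runs offline.
"""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample resources (not real CP4BA data) representing what an
# LDAP-backed SCIM service could return.
SAMPLE_USERS = [
    {"id": "u-1001", "userName": "cpadmin", "displayName": "CP4BA Admin"},
    {"id": "u-1002", "userName": "alice", "displayName": "Alice Example"},
]
SAMPLE_GROUPS = [
    {"id": "g-2001", "displayName": "P8Admins",
     "members": [{"value": "u-1001", "display": "cpadmin"}]},
    {"id": "g-2002", "displayName": "BAWUsers",
     "members": [{"value": "u-1001"}, {"value": "u-1002"}]},
]


def scim_quote(value: str) -> str:
    """Escape a value for a double-quoted SCIM filter literal so that a
    userName containing a quote or backslash cannot alter the filter."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def scim_unquote(literal: str) -> str:
    """Reverse scim_quote: drop the backslash before any escaped character."""
    return re.sub(r"\\(.)", r"\1", literal)


def eq_filter(attribute: str, value: str) -> str:
    """Build an RFC 7644 equality filter such as userName eq "cpadmin"."""
    return f'{attribute} eq "{scim_quote(value)}"'


def list_url(base: str, resource: str, filter_expr: str,
             attributes: Optional[List[str]] = None) -> str:
    """URL for GET {base}/{resource}?filter=...&attributes=... (RFC 7644)."""
    params = {"filter": filter_expr}
    if attributes:
        params["attributes"] = ",".join(attributes)
    return f"{base}/{resource}?{urlencode(params)}"


_EQ = re.compile(r'^(\S+) eq "((?:[^"\\]|\\.)*)"$')


def fake_scim_get(url: str) -> Dict:
    """Constructed stand-in for an HTTPS GET to the SCIM service. It only
    evaluates the single 'attr eq "value"' filter form used here and ignores
    the attributes parameter."""
    parts = urlsplit(url)
    resource = parts.path.rsplit("/", 1)[-1]
    filter_expr = parse_qs(parts.query).get("filter", [""])[0]
    match = _EQ.match(filter_expr)
    if not match:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    attr, value = match.group(1), scim_unquote(match.group(2))
    pool = {"Users": SAMPLE_USERS, "Groups": SAMPLE_GROUPS}[resource]
    if attr == "members.value":
        hits = [g for g in pool
                if any(m["value"] == value for m in g.get("members", []))]
    else:
        hits = [r for r in pool if r.get(attr) == value]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(hits), "Resources": hits}


Fetch = Callable[[str], Dict]


def lookup_user(fetch: Fetch, base: str, user_name: str) -> Optional[Dict]:
    """Return the single user matching userName, or None if the name is
    unknown or ambiguous (an ambiguous match must never be silently picked)."""
    resp = fetch(list_url(base, "Users", eq_filter("userName", user_name),
                          ["id", "userName", "displayName"]))
    resources = resp.get("Resources", [])
    if resp.get("totalResults", 0) != 1 or len(resources) != 1:
        return None
    return resources[0]


def group_memberships(fetch: Fetch, base: str, user_id: str) -> List[str]:
    """Names of every group listing user_id among its members."""
    resp = fetch(list_url(base, "Groups", eq_filter("members.value", user_id),
                          ["displayName"]))
    return sorted(g["displayName"] for g in resp.get("Resources", []))


def resolve_principal(fetch: Fetch, base: str, user_name: str) -> Optional[Dict]:
    """The two-step lookup an authorization check needs: who is this user,
    and which groups do they belong to."""
    user = lookup_user(fetch, base, user_name)
    if user is None:
        return None
    return {"id": user["id"], "userName": user["userName"],
            "groups": group_memberships(fetch, base, user["id"])}


if __name__ == "__main__":
    BASE = "https://scim.example.invalid/scim/v2"  # placeholder base URL
    print(resolve_principal(fake_scim_get, BASE, "cpadmin"))
```

Two points in this flow matter for the rest of the article. First, the membership step is a second round trip per user and asks the service to scan group `members` lists, which is exactly the part that grows costly against large groups; this is why the LDAP section below recommends direct LDAP for large hierarchies. Second, the quoting in `eq_filter` is what keeps a user-supplied name from changing the meaning of the filter sent to the identity service.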

Note: It is important that you understand your LDAP schema and attributes so that you can correctly map the SCIM attribute mapping with IAM during configuration. Incorrect SCIM mapping can cause improper or unexpected authorization lookup and/or poor performance.

When to use LDAP instead of SCIM

LDAP (Lightweight Directory Access Protocol) is a widely used protocol for accessing directory services, including user authentication and authorization. It provides a secure and reliable way to manage user identities and access permissions. There are some key differences between LDAP and SCIM that should be considered when deciding which protocol to use. One of the main differences is that LDAP is a protocol for accessing directory services, while SCIM is a protocol for exchanging user identity data. While both protocols can be used to manage user identities, they serve different purposes and have different use cases. LDAP is primarily used for accessing and searching user information stored in a central directory server. It is often used in large organizations with complex directory structures and a high number of users and groups. Direct LDAP can also be more performant, since the implementation can be tuned for a specific LDAP provider such as MSAD.

On the other hand, SCIM is designed to synchronize user identity data across multiple systems. It is particularly useful for enterprises that have multiple systems and processes that need to access user information but do not require the full functionality of an LDAP directory.

  • If you have large LDAP repositories with a large number of users, and groups with a large number of members (essentially, a complex LDAP hierarchy), then use direct LDAP bind. Direct LDAP queries can be more efficient than SCIM in some cases, particularly when there are many users or groups to look up. In these cases, direct LDAP queries can reduce the amount of data transmitted over the network and improve performance.
  • If you are migrating a FileNet Content Manager installation that already has LDAP configured to CP4BA, then keep the LDAP configuration in the P8 domain. You may consider migrating from LDAP to SCIM at a later time if you wish.
  • If you have different CP4BA capabilities and each capability's user population resides in a different LDAP hierarchy, it will be difficult to optimize the SCIM configuration for authorization performance.