IBM Verify

  • 1.  IAM Rest APIs for custom ISC like application

    Posted Mon February 03, 2020 06:36 AM
    Hi Team,
    I am building a custom application for ISIM for requesting accesses, and the application resides in ISIM. The functionality of this custom app will be like what we have in ISC today.
    As of now I am able to request access from my custom application, and the request is successfully submitted to ISIM as a batch request and the workflow is started. Now the concern is that for every request the requester is the same (the ISIM user account by which the REST APIs (itim/restlogin/login.jsp) are getting authenticated). That is to say, if in my APIs I am using username abcd, then for every request the requester is abcd. I would like to know if there is any way the logged-in user can be the requester (keep in mind I don't have the logged-in user's password)?

    Another thing: if someone has developed a custom application like ISC using the ISIM REST APIs, are there known REST API limitations?

    ------------------------------
    Deepak Singla
    ------------------------------


  • 2.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 03:48 AM
    I think your expectations of the ISIM REST API are fundamentally flawed. The REST API only works in the context of the user you authenticate as - this is basically the whole purpose of it.
    What you describe here - running an application as one user and then switching to a specific user - is something you would normally do as a full-fledged WebSphere application on the ISIM server (basically you are implementing your own UI with full security context).
    You CAN do this utilizing the ISIM Java APPS (external) API (or WS by utilizing the WSExtension extensibility) - but this is far from trivial and requires deep skills in ISIM and WebSphere (and not least understanding the security implications and how to remedy these - else you run the risk of basically giving ITIM Manager access through your custom UI...)

    I think you should seriously go back to the drawing table and evaluate what you really need - if this is server functionality then you should implement it as such, e.g. LCR/Workflow or API from Java or SDI - if it is end-user functionality, then customize your ISC/SSUI (SSUI is deprecated in the newest 6.0.2 release).

    My advice is that you contact IBM Security Expert Labs, which has the skills/resources to help with this in a service engagement.

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 04:29 AM
    Thanks Franz for your kind response. I am in the initial phase of my development, and as of now I am able to request any of the AD accesses via REST APIs, but the thing is that the requester is always the same. I would just like to know: are there any compliance/audit issues if the requester is the same for all of the requests placed in ISIM?

    ------------------------------
    Deepak Singla
    ------------------------------



  • 4.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 04:59 AM
    That is not a technical question but a business problem.
    You need to understand that if you make this UI available to somebody you will probably have problems tracking who actually raised the request - and I believe most CISOs would consider this a problem.
    If you need the requesting user to be the one that performs the request, you need to have this user perform the login - but if that is the case I would just use ISC - why is that not an option?
    If ISC is considered "too complex/ugly/..." and you want to have your own simple UI you can just add your UI to the ISC - I believe this is described in the samples or the formal documentation - then you will get the login for free and you can concentrate on the UI functionality...

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 05:10 AM
    Thanks Franz for the quick response. Yes, we are facing difficulties as end users are confused while accessing ISC, and secondly we have a lot of subforms while requesting an account.

    I will work on your advice as well; meanwhile, do you have any link for UI customizations?

    ------------------------------
    Deepak Singla
    ------------------------------



  • 6.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 05:15 AM
    If you want help you really need to invest some effort yourself - see http://www.catb.org/esr/faqs/smart-questions.html
    Go through the samples in ISIM - they are installed in your ISIM home directory or downloadable from your VA.
    And the formal documentation for ISIM you should know where to find...

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: IAM Rest APIs for custom ISC like application

    Posted Tue February 04, 2020 05:23 AM
    Thanks Franz :)

    ------------------------------
    Deepak Singla
    ------------------------------