IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

ISVG HTTP Callouts

  • 1.  ISVG HTTP Callouts

    Posted Thu August 15, 2024 06:58 AM

    Hi, 

    We are doing a deployment with ISVG (Lifecycle module). Is there any way to call a http service when a user entity is added to ISVG users? entire purpose is to connect a system as a target system which supports REST apis as user management interface. 



    ------------------------------
    Supun Munasinghe
    ------------------------------


  • 2.  RE: ISVG HTTP Callouts

    Posted Thu August 15, 2024 05:54 PM

    Hi Supun, you can do that with workflow extensions.Every entitiy(person,account,etc) has his own operations(add,modifiy,delete,etc.) and you can make an extension to call from the operations.  You also might be consider to develop an adapter to the target system.



    ------------------------------
    Roberto Cristaldo
    ------------------------------

    Original Message


  • 3.  RE: ISVG HTTP Callouts

    Posted Thu August 15, 2024 09:40 PM
    Hi Roberto

    Thanks a lot for the eye opening answer. If you have, can you share with me any documentations or references to kick start. Which I couldn't find online yet. 

    Confidentiality Notice: This e-mail, including any attached files, may contain confidential and/or privileged information that is intended for the sole use of the intended recipient (s). Any review, use, distribution, or disclosure by others is strictly prohibited. Furthermore, in the event this e mail and/or any attachment thereto consists of any information or data originating from NCINGA, this Confidentiality Notice satisfies the marking requirements for any document, including this e-mail and each attachment, that contains confidential information being disclosed to the recipient(s) under any agreement that contemplates and governs the disclosure and receipt of confidential information. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.




    Original Message


  • 4.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 02:19 AM

    Hi Supun - I think the 2 other gentlemen in this thread is thinking ISVG Lifecycle == ISVG IM - but if I understand you correct you are running ISVG IGI which is not the same as ISVG IM - so no operational workflows as this is an IM feature (IGI has workflows - but they are targeting the frontend/request flows are not as flexible as the IM backend process workflows). 

    The IBM roadmap is to migrate all ISVG IGI governance functionality to ISVG IM so that in the glorious bright future there will be only one "component" in ISVG and not 2 as we have today. This will take some time and IGI and IM will coexist for the foreseeable future.

    But - to help the community here please mention that you use the IGI component - then you stay the chance that people answers more correctly :-) 

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------

    Original Message


  • 5.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 01:55 AM

    Hi Supun,

    Handling account provisioning from operational workflows is a very bad design idea. This undermines the whole RBAC model you may have created or are planning to create.

    If accounts are provisioned via operations, the provisioning engine has no means whatsover to be part of the provisioning decisions. If you want to provision accounts, it generally has to be handled through roles -> provisioning policies -> services -> adapters concept.

    In your case, if you have to address an http interface as target system providing a REST API as integration channel, a custom adapter for the said service is the only reasonable way to go. Custom adapters can be built using IBM Security Verify Directory Integrator component that's included in the product license.



    ------------------------------
    Aki Virtanen
    Security Software Consultant
    IBM Security Software Lab Services
    ------------------------------

    Original Message


  • 6.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 02:01 AM
    Hi Aki,

    Thanks a lot. Is there any beginner guide to start with an SDI based custom adaptor which is compatible for IGI lifecycle? 

    Confidentiality Notice: This e-mail, including any attached files, may contain confidential and/or privileged information that is intended for the sole use of the intended recipient (s). Any review, use, distribution, or disclosure by others is strictly prohibited. Furthermore, in the event this e mail and/or any attachment thereto consists of any information or data originating from NCINGA, this Confidentiality Notice satisfies the marking requirements for any document, including this e-mail and each attachment, that contains confidential information being disclosed to the recipient(s) under any agreement that contemplates and governs the disclosure and receipt of confidential information. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.




    Original Message


  • 7.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 02:33 AM

    IBM provides the "IBM Security Verify Governance Adapter Development and Customization Guide" that contains the official guidelines on how to develop an adapter.  You can find the part number on download procedure (it has to be downloaded from PassPort Advantage) here IBM Security Verify Governance Adapters v10.x 

    That said - you will need to learn how to efficiently do developing in SDI - this is not something you learn in a day or 2 - SDI is incredible powerful but comes (for advanced stuff) with a learning curve.

    I normally recommend people to wrap all the CRUD functionality you need to perform in a (scripted) SDI Connector - that can be somewhat challenging but makes the adapter much more simple to build and maintain (and you get a powerful SDI connector to automate stuff on your target system as a result also).

    For SDI our old now retired SDI Jedi Eddie Hartmann has this very useful blog where the adapter building is also mentioned : http://www.tdiingoutloud.com/ - especially this article should be helpful How to make the Search/Reconcile AL for an RMI Adapter against a REST or WS API

    Alternative is to use professional services - either from IBM Expert Labs or a partner - but a certain skill level is required to ensure a successful development - also in professional services....

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------

    Original Message


  • 8.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 02:48 AM
    Edited by Aki Virtanen Fri August 16, 2024 03:01 AM

    Hi,

    Depending on if you plan to implement just the IGI or Identity Manager to do the thing you are after, the same applies. You need to do it properly through an adapter. If you bypass provisioning engine in Identity manager or Rules engine in IGI, you will end up in quite a mess very soon.

    Verify Governance Lifecycle contains both products, IGI (Identity Governance and Intelligence) and IM (Identity Manager). Your post does not reveal which products from the Lifecycle license bundle you are planning to implement to fulfill your use case.

    The links/documents listed by Franz in this thread are a very good starting point, but as he states, there's a learning curve to implement something like a fully functioning adapter.



    ------------------------------
    Aki Virtanen
    Security Software Consultant
    IBM Security Software Lab Services
    ------------------------------

    Original Message


  • 9.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 05:48 AM
    HI Aki, I did not understand what exactly Supun wanted to do. That is why I recommended him to call an api from workflow. But ,now , I understand that he needs to develop an adapter.

    Its a good idea starting with people who has some experience doing that, especially if the customer want to see the roi of licenses soon.




    Original Message


  • 10.  RE: ISVG HTTP Callouts

    Posted Fri August 16, 2024 01:58 AM

    Hi,

    Here is a link to a slightly dated, but still generally valid document on custom adapter development: https://www.ibm.com/support/pages/system/files/support/swg/sectech.nsf/0/f2b462f7beb9d55585257a1e00552377/$FILE/ISIM6%20adapter%20developer%20reference%20guide.pdf



    ------------------------------
    Aki Virtanen
    Security Software Consultant
    IBM Security Software Lab Services
    ------------------------------

    Original Message


Related Content