PROVISIONING / DEPROVISIONING VIA CD GROUPS IN ISV
INTRODUCTION
Provisioning in IBM Security Verify (ISV) allows you to create and manage user accounts in configured target applications. Typically, provisioning occurs when a new employee joins the organization, changes job roles or departments, or updates their contact details. A user must have an active account in the target application to access its resources.
Similarly, deprovisioning ensures that users who leave the organization or transition to a different role no longer retain access associated with their previous position.
When using cloud directory groups for provisioning and deprovisioning, managing user entitlements becomes more efficient. For example, suppose there is a group called "Software-Developers" that includes all employees in software development roles. Instead of assigning permissions individually, you can grant entitlements to the entire group. When a new developer is hired, adding them to the "Software-Developers" group automatically provides them with the required access. Conversely, if an employee leaves, removing them from the group revokes all associated entitlements.
IBM® Security Verify supports provisioning and deprovisioning for various applications, including ServiceNow. The following section provides insights into how account provisioning and deprovisioning can be managed through a cloud directory group.
PREREQUISITE
- IBM Security Verify tenant
- ServiceNow developer instance
CONFIGURE SERVICENOW APPLICATION FOR PROVISIONING / DEPROVISIONING
- First, create a ServiceNow instance on the ServiceNow website. This will serve as the environment for your work.
- Next, log in to your IBM® Security Verify tenant as an administrative user, navigate to Applications > Applications in ISV, and click the Add Application option to proceed.
- Once you click the Add Application option, a list of applications will appear.
- Select the ServiceNow application from the list and click Add Application to begin the onboarding process.
- Follow the series of steps displayed in the right-hand corner of the screen to onboard the ServiceNow application onto ISV.
- In the Account Lifecycle tab:
  - Ensure that Provisioning and Deprovisioning are enabled.
  - Configure ServiceNow for user provisioning and deprovisioning by following the steps provided on the right-hand corner of the screen.
- Choose the desired Adoption Policy and Remediation Policy for the application from the Account Sync tab, then save your application configuration.
- Once the application is successfully saved, the Entitlements tab will become accessible. In the Entitlements tab, set the access type to “Select users, groups, and assign individual accesses”.
- Finally, you can find your onboarded application under Applications in ISV.
- When you save the application, an account synchronization process starts automatically.
- If you wish to manually initiate an account synchronization operation:
  - Navigate to Applications and locate the ServiceNow application.
  - Click on the three-dot action menu next to the ServiceNow application.
  - Select Accounts and then click on the Start Account Synchronization tab to begin the synchronization process.
- To monitor the account synchronization progress:
  - Navigate to the Applications menu and click on the Account Synchronization tab.
  - Select the row corresponding to the synchronization process you wish to review.
  - The right-hand pane will display a summary of the accounts fetched from ServiceNow, providing detailed information.
- Once the account synchronization process is completed, all the entitlements associated with the target application are imported into ISV as target permissions. This allows ISV to manage these permissions effectively, ensuring that access control remains consistent between the target application and ISV.
- To check whether the target permissions have been imported into IBM Security Verify, navigate to Applications > App role management and select the Permissions tab. Here, you will find all the target entitlements that have been imported into ISV as permissions.
PROVISIONING VIA CD GROUPS
- Navigate to the Directory menu and go to Users & Groups. Click on the Add User button to create a user. Fill in the user details, such as:
  - Identity Source: Cloud Directory
  - Username: Jessica
  - Given Name: Jessica
  - Email: A valid real email address
- Click Save to create the user.
- Next, navigate to the Groups tab and click on the Add Group button. Create a group of your choice, such as Finance.
- To add members to the group, click Add, search for the new user (e.g., Jessica), and select the user from the search results. Move the user to the Selected Users & Groups section and click Done.
- Verify that Jessica is listed under the Group Members list and click Save. The group will now appear in the Groups List.
- Navigate to the Applications menu and select App Role Management. In the App Role Management screen, you’ll find two tabs: Roles and Permissions.
  - Permissions: A list of permissions fetched from the target application after the account synchronization operation.
  - Roles: Compositions of application roles, permissions, or both, used to assign target permissions to user accounts.
- Go to the Permissions tab and select a ServiceNow permission to grant to the Finance group. Click on the permission, and a right pane will display its details. Click on Manage Membership.
- Under the Groups tab, click on Assign New Groups.
- Select the Finance group and click Add Group.
- The group will now appear under the Groups tab, indicating it is assigned to the permission.
- To verify user provisioning, go to the Applications menu and select the Provisioning Results tab. Verify that the user (e.g., Jessica) has been provisioned to the application.
- To further confirm, check your ServiceNow instance under Organization > Users, where Jessica will be listed along with the assigned permission.
- To provision additional users automatically, add them (e.g., Amy) to the Finance group. Navigate to the Groups tab, click on the pencil icon to edit the group, and add the new user.
- Click Done and verify that the new user is listed under Group Members.
- Save the group, and the user will automatically be provisioned to the ServiceNow application. Confirm provisioning by checking the Provisioning Results tab in ISV or by validating the user in your ServiceNow instance.
- Repeat the steps to add more users (e.g., Albert) to the group. Once saved, the user will be provisioned automatically, just like the previous users.
DEPROVISIONING VIA CD GROUPS
Now that we know how to provision a group of members in ISV, let’s explore the deprovisioning process.
Scenario 1: Deprovisioning a single member of group
- If you need to remove a specific member from the Finance group and revoke their associated permissions, follow these steps:
  - Navigate to the Directory menu and click on the Users & Groups tab.
  - Go to the Groups tab and select the Finance group.
  - Click on the Edit Group option to open the edit panel.
  - In the edit panel, select the user you wish to remove (e.g., Jessica). The Remove option will be enabled.
  - Click Remove, verify that the user no longer appears in the Group Members list, and then save the group.
  - After saving, navigate to the Provisioning Results tab to verify that the user (e.g., Jessica) has been deprovisioned and no longer has the permissions associated with the Finance group.
  - Use filters in the Provisioning Results tab to refine your search for better visibility.
  - Additionally, validate in the ServiceNow application under Organization > Users to ensure that Jessica no longer has the permissions linked to the group and that the account is no longer active.
Scenario 2: Deprovisioning an entire group
- If you wish to remove the entire group (e.g., Finance) from a target permission:
  - Navigate to Applications > App Role Management and go to the Permissions tab.
  - Search for the permission that was associated with the group.
  - Click on Manage Membership, then go to the Groups tab.
  - Select the group (e.g., Finance) and click on the Revoke Group option located on the right side.
  - A confirmation message will appear asking if you want to revoke the group. Click Revoke Group to proceed.
  - After revoking the group, navigate to the Provisioning Results tab to confirm that all existing members of the group (e.g., Amy and Albert) have been deprovisioned.
  - Validate in the ServiceNow application under Organization > Users to ensure the users are no longer part of the permissions associated with the group.
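The provisioning flow above and the two deprovisioning scenarios all follow one rule: a user should hold a target account and permission only while they belong to a cloud directory group assigned to that permission. The model below, added here as an illustration and not part of ISV or this article, encodes that rule and diffs it against an exported list of target accounts, so the Provisioning Results you expect for Jessica, Amy and Albert can be checked and any account not backed by a group (drift) is flagged. Group names, user names and the permission name are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Tenant:
    """Cloud directory state: groups -> members, target permission -> assigned groups."""
    groups: dict[str, set[str]] = field(default_factory=dict)
    permission_groups: dict[str, set[str]] = field(default_factory=dict)

def desired_state(tenant: Tenant) -> dict[str, set[str]]:
    """username -> permissions the user should hold, derived purely from group
    membership and the groups assigned to each permission via Manage Membership."""
    desired: dict[str, set[str]] = {}
    for perm, groups in tenant.permission_groups.items():
        for group in groups:
            for user in tenant.groups.get(group, set()):
                desired.setdefault(user, set()).add(perm)
    return desired

def reconcile(tenant: Tenant, target_accounts: dict[str, set[str]]) -> dict[str, set]:
    """Diff desired state against accounts observed in the target application
    (e.g. an export of ServiceNow Organization > Users). Accounts or permissions
    with no backing group are drift and are flagged for deprovision/revoke."""
    desired = desired_state(tenant)
    actions = {"provision": set(), "deprovision": set(), "grant": set(), "revoke": set()}
    for user in set(desired) | set(target_accounts):
        want, have = desired.get(user, set()), target_accounts.get(user, set())
        if want and user not in target_accounts:
            actions["provision"].add(user)
        if not want and user in target_accounts:
            actions["deprovision"].add(user)
        actions["grant"].update((user, p) for p in want - have)
        actions["revoke"].update((user, p) for p in have - want)
    return actions

# Constructed sample: the Finance group from this page, assigned to one ServiceNow
# permission. The permission name is a placeholder, not a real ServiceNow role.
PERM = "ServiceNow:placeholder-permission"

def sample_tenant() -> Tenant:
    return Tenant(groups={"Finance": {"Jessica", "Amy", "Albert"}},
                  permission_groups={PERM: {"Finance"}})

def scenario_remove_member() -> dict[str, set]:
    """Scenario 1: Jessica leaves Finance; only her account should be deprovisioned."""
    tenant = sample_tenant()
    before = {u: set(p) for u, p in desired_state(tenant).items()}  # state after provisioning
    tenant.groups["Finance"].discard("Jessica")
    return reconcile(tenant, before)

def scenario_revoke_group() -> dict[str, set]:
    """Scenario 2: Finance is revoked from the permission; every member loses the account."""
    tenant = sample_tenant()
    before = {u: set(p) for u, p in desired_state(tenant).items()}
    tenant.permission_groups[PERM].discard("Finance")
    return reconcile(tenant, before)
```

Running the same diff against a real ServiceNow user export (instead of the constructed `before` state) turns it into a drift check: any user in the "deprovision" set has an account that no group membership justifies.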
THE WRAP
These provisioning and deprovisioning flows leverage several powerful capabilities provided by IBM Security Verify:
- Use of cloud directory groups to efficiently manage user entitlements.
- Seamless integration with target applications for synchronized account management.
- Automated access control and entitlement assignments through group membership.
- Streamlined processes for both onboarding and offboarding users with minimal effort.
AUTHOR
Ayushi Dewangan - Ayushi.Dewangan1@ibm.com