IBM Security Verify

Dear IAM colleagues,

we have a homemade IAM solution which was developed in zOS and progressed since 1991. This is our identity central management point, I mean, where the identities are born, the authorisations are approved, reviewed and recertificated, and so on, being ISIM the provisioning solution, ie, the responsible for granting the authorized groups in the managed system. Thus, when an authorization is needed, and once it is approved in our homemade development, it has to be done manually by a set of users in ISIM. Taking into consideration most of the functionalities can't be provided by Verify Governance, we have started a project to integrate both solutions to minimize the manual interactions.

 Prerequisites:

• Use zOS Connect for the communication from zOS to LINUX (ISIM)
• Use ISIM WS API since REST API doesn't provide all the operations required

 Handicap:

• Provide all the WS API operations by REST

 Questions

• Any of you have a similar situation?
• Do you know if it is foreseen to provide the whole of WS operations by means of REST API?
• Could IBM Datapower convert REST to WS in a easy way?
• Maybe IDI?

1. A technical question on how to expose certain functionality through REST APIs
2. How to automate integration between an external identity source and request system to an IGA (ISIM/IGI/SVG or whatever) environment.

Dear IAM colleagues,

we have a homemade IAM solution which was developed in zOS and progressed since 1991. This is our identity central management point, I mean, where the identities are born, the authorisations are approved, reviewed and recertificated, and so on, being ISIM the provisioning solution, ie, the responsible for granting the authorized groups in the managed system. Thus, when an authorization is needed, and once it is approved in our homemade development, it has to be done manually by a set of users in ISIM. Taking into consideration most of the functionalities can't be provided by Verify Governance, we have started a project to integrate both solutions to minimize the manual interactions.

 Prerequisites:

• Use zOS Connect for the communication from zOS to LINUX (ISIM)
• Use ISIM WS API since REST API doesn't provide all the operations required

 Handicap:

• Provide all the WS API operations by REST

 Questions

• Any of you have a similar situation?
• Do you know if it is foreseen to provide the whole of WS operations by means of REST API?
• Could IBM Datapower convert REST to WS in a easy way?
• Maybe IDI?

Hi Franz,

sorry for the delay, I prefered to wait for the User Group hold 2 weeks ago to have a best understanding about the ISIM REST API future. As we supposed, IBM's intention (in line with the market) is to increase the number of ISIM REST operations. Indeed, there are new ones in ISIM 10 for password policies management.

 Thus, after getting in contact with the Product Manager and a team member, and as you suggested us before, we have made a RFE to accelerate the delivery of some REST API such as, provisioning policies.

Meanwhile, we will use IBM Datapower for exposing the WS provisioning policy modify operation as REST (it would be our POC). As you can see here, it is documented as one of the features where DataPower can help us in an easy way. As soon as it will be delivered, we will invocate the official one.

https://www.ibm.com/cloud/garage/dte/tutorial/expose-soap-service-rest-api/

Moving to the integration topic, nowadays the procedures for "Authoritative Identity Sources", "Request flows" and "Provisioning" are defined and working, but not in the best way (they work in a semi-automatics or even manual manner). Some of them need to be updated, like using DSML files for create/modify identities in ISIM. Others (to be honest) are not supported, like executing LDAP commands (years ago ISIM hadn't got A2A interface). And the latest, as easy as sending a list of tasks to be done in ISIM console by the Administrators. Thus, a manual intervention is required in ISIM for all of them, and in additional, neither are executed "immediately". 

As summary,  more than redisigned our solution (as I said it is a work to be done in the future - probabbly when we move to a hybric model) we are going to make a little effort to automatic the integration between ISIM an our homemade IAM solution.  

Nevertheless, thank for your valuable advises.

I keep you posted about our progression.

 PS: BTW, our zOSConnect colleagues are asking the SWAGGER of ISIM REST API. Does some of you know how to get it? As far as I know, it is a OpenAPI specifications required for designing REST clients, but it is not provided in the ISIM documentation. It there is no way, we will open a request to IBM.

1. A technical question on how to expose certain functionality through REST APIs
2. How to automate integration between an external identity source and request system to an IGA (ISIM/IGI/SVG or whatever) environment.

Dear IAM colleagues,

we have a homemade IAM solution which was developed in zOS and progressed since 1991. This is our identity central management point, I mean, where the identities are born, the authorisations are approved, reviewed and recertificated, and so on, being ISIM the provisioning solution, ie, the responsible for granting the authorized groups in the managed system. Thus, when an authorization is needed, and once it is approved in our homemade development, it has to be done manually by a set of users in ISIM. Taking into consideration most of the functionalities can't be provided by Verify Governance, we have started a project to integrate both solutions to minimize the manual interactions.

 Prerequisites:

• Use zOS Connect for the communication from zOS to LINUX (ISIM)
• Use ISIM WS API since REST API doesn't provide all the operations required

 Handicap:

• Provide all the WS API operations by REST

 Questions

• Any of you have a similar situation?
• Do you know if it is foreseen to provide the whole of WS operations by means of REST API?
• Could IBM Datapower convert REST to WS in a easy way?
• Maybe IDI?

Hi Franz,

sorry for the delay, I prefered to wait for the User Group hold 2 weeks ago to have a best understanding about the ISIM REST API future. As we supposed, IBM's intention (in line with the market) is to increase the number of ISIM REST operations. Indeed, there are new ones in ISIM 10 for password policies management.

 Thus, after getting in contact with the Product Manager and a team member, and as you suggested us before, we have made a RFE to accelerate the delivery of some REST API such as, provisioning policies.

Meanwhile, we will use IBM Datapower for exposing the WS provisioning policy modify operation as REST (it would be our POC). As you can see here, it is documented as one of the features where DataPower can help us in an easy way. As soon as it will be delivered, we will invocate the official one.

https://www.ibm.com/cloud/garage/dte/tutorial/expose-soap-service-rest-api/

Moving to the integration topic, nowadays the procedures for "Authoritative Identity Sources", "Request flows" and "Provisioning" are defined and working, but not in the best way (they work in a semi-automatics or even manual manner). Some of them need to be updated, like using DSML files for create/modify identities in ISIM. Others (to be honest) are not supported, like executing LDAP commands (years ago ISIM hadn't got A2A interface). And the latest, as easy as sending a list of tasks to be done in ISIM console by the Administrators. Thus, a manual intervention is required in ISIM for all of them, and in additional, neither are executed "immediately". 

As summary,  more than redisigned our solution (as I said it is a work to be done in the future - probabbly when we move to a hybric model) we are going to make a little effort to automatic the integration between ISIM an our homemade IAM solution.  

Nevertheless, thank for your valuable advises.

I keep you posted about our progression.

 PS: BTW, our zOSConnect colleagues are asking the SWAGGER of ISIM REST API. Does some of you know how to get it? As far as I know, it is a OpenAPI specifications required for designing REST clients, but it is not provided in the ISIM documentation. It there is no way, we will open a request to IBM.

1. A technical question on how to expose certain functionality through REST APIs
2. How to automate integration between an external identity source and request system to an IGA (ISIM/IGI/SVG or whatever) environment.

Dear IAM colleagues,

we have a homemade IAM solution which was developed in zOS and progressed since 1991. This is our identity central management point, I mean, where the identities are born, the authorisations are approved, reviewed and recertificated, and so on, being ISIM the provisioning solution, ie, the responsible for granting the authorized groups in the managed system. Thus, when an authorization is needed, and once it is approved in our homemade development, it has to be done manually by a set of users in ISIM. Taking into consideration most of the functionalities can't be provided by Verify Governance, we have started a project to integrate both solutions to minimize the manual interactions.

 Prerequisites:

• Use zOS Connect for the communication from zOS to LINUX (ISIM)
• Use ISIM WS API since REST API doesn't provide all the operations required

 Handicap:

• Provide all the WS API operations by REST

 Questions

• Any of you have a similar situation?
• Do you know if it is foreseen to provide the whole of WS operations by means of REST API?
• Could IBM Datapower convert REST to WS in a easy way?
• Maybe IDI?

Hi Franz,

sorry for the delay, I prefered to wait for the User Group hold 2 weeks ago to have a best understanding about the ISIM REST API future. As we supposed, IBM's intention (in line with the market) is to increase the number of ISIM REST operations. Indeed, there are new ones in ISIM 10 for password policies management.

 Thus, after getting in contact with the Product Manager and a team member, and as you suggested us before, we have made a RFE to accelerate the delivery of some REST API such as, provisioning policies.

Meanwhile, we will use IBM Datapower for exposing the WS provisioning policy modify operation as REST (it would be our POC). As you can see here, it is documented as one of the features where DataPower can help us in an easy way. As soon as it will be delivered, we will invocate the official one.

https://www.ibm.com/cloud/garage/dte/tutorial/expose-soap-service-rest-api/

Moving to the integration topic, nowadays the procedures for "Authoritative Identity Sources", "Request flows" and "Provisioning" are defined and working, but not in the best way (they work in a semi-automatics or even manual manner). Some of them need to be updated, like using DSML files for create/modify identities in ISIM. Others (to be honest) are not supported, like executing LDAP commands (years ago ISIM hadn't got A2A interface). And the latest, as easy as sending a list of tasks to be done in ISIM console by the Administrators. Thus, a manual intervention is required in ISIM for all of them, and in additional, neither are executed "immediately". 

As summary,  more than redisigned our solution (as I said it is a work to be done in the future - probabbly when we move to a hybric model) we are going to make a little effort to automatic the integration between ISIM an our homemade IAM solution.  

Nevertheless, thank for your valuable advises.

I keep you posted about our progression.

 PS: BTW, our zOSConnect colleagues are asking the SWAGGER of ISIM REST API. Does some of you know how to get it? As far as I know, it is a OpenAPI specifications required for designing REST clients, but it is not provided in the ISIM documentation. It there is no way, we will open a request to IBM.

1. A technical question on how to expose certain functionality through REST APIs
2. How to automate integration between an external identity source and request system to an IGA (ISIM/IGI/SVG or whatever) environment.

Dear IAM colleagues,

we have a homemade IAM solution which was developed in zOS and progressed since 1991. This is our identity central management point, I mean, where the identities are born, the authorisations are approved, reviewed and recertificated, and so on, being ISIM the provisioning solution, ie, the responsible for granting the authorized groups in the managed system. Thus, when an authorization is needed, and once it is approved in our homemade development, it has to be done manually by a set of users in ISIM. Taking into consideration most of the functionalities can't be provided by Verify Governance, we have started a project to integrate both solutions to minimize the manual interactions.

 Prerequisites:

• Use zOS Connect for the communication from zOS to LINUX (ISIM)
• Use ISIM WS API since REST API doesn't provide all the operations required

 Handicap:

• Provide all the WS API operations by REST

 Questions

• Any of you have a similar situation?
• Do you know if it is foreseen to provide the whole of WS operations by means of REST API?
• Could IBM Datapower convert REST to WS in a easy way?
• Maybe IDI?