When IVIG (formerly known as ISIM/ITIM) is managing systems, as for the OOTB adapters, it is using a layered architecture that ensures consistency in the handling of the accounts with a high level of flexibility and extensibility that ensures no problems doing future upgrades etc.
And you should follow that model - and IBM provides a toolkit to help you build custom adapters based on the SDI product included in your license. In the list of officially supported adapters https://www.ibm.com/support/pages/ibm-security-verify-governance-adapters-v10x there is also the "IBM Security Verify Governance Adapter Development and Customization Guide" (P/N M0D47EN) that contains the needed guidance to develop your own adapters. This comes with a learning curve as you need both to understand the power of SDI and how IVIG works with accounts. So I would recommend that you connect with a Business Partner in your area that has done this or IBM Expert Labs professional services to get you started.
What you should NOT do is to do API call-outs to target systems from the workflow engine - that will most certainly result in a system that over time will become unstable and difficult to maintain, and this is normally a road to a troubled project as a result. Again - IBM Expert Labs or a business partner can help you out on the architecture to avoid this.
HTH
------------------------------
Franz Wolfhagen
WW IAM Solution Architect - Certified Consulting IT Specialist
IBM Expert Labs
------------------------------
Original Message:
Sent: Mon February 24, 2025 07:48 PM
From: Supun Munasinghe
Subject: IVIG (Governance) web service for target system
Hi Champions,
We are doing a product using IVIG (latest version of IBM Security Governance) and have a requirement as below.
Users are getting onboarded from the HR application to IVIG using standard APIs given in the stack. Modifications are also getting triggered from the same source via APIs. Once the users are onboarded there are roles/policies that will evaluate the user and IVIG decides what target systems are to be provisioned. We have standard adaptors for a few target systems such as AD and Google. For other systems the expectation is to create a set of APIs for account Creation, Modifications, Activations, etc. This could be the same set of APIs that will be parameterized by the target system and act upon it.
How can we achieve this? Creating an outbound web service layer while it can fetch target-system-specific Roles/Permissions and is capable of recon while CRUD operations are permitted.
Thanks in advance.
------------------------------
Supun Munasinghe
------------------------------