Cloud Identity Govern (CIG) exposes a set of APIs that let developers connect to, configure, and build on its fulfillment and governance features. The three main Entities and their relationships are shown in the above diagram.
- Identity represents any entity whose life cycle is to be managed through Cloud Identity. In its basic form this is a Person: an Employee, Vendor, Contractor, etc.
- Applications are the target endpoints where an Identity's presence needs to be managed. In its basic form this is a target application such as Office 365, Salesforce, etc.
- Entitlements are levels of authorization exposed by an Application. When assigned to an Identity's account, an entitlement allows that Identity to perform certain operations on that Application.
Identity
https://<Hostname>/developer/explorer/#/Users_Management_Version_2.0
These APIs provide the means to manage individual Identities (create, modify, delete) and to bulk-load identities from a CSV file.
POST /v2.0/Users
PUT /v2.0/Users/{id}
PATCH /v2.0/Users/{id}
POST /v2.0/CSV/importUsers
‘Manage users, standard groups, and reserved groups’ is the minimum API client privilege required to perform these operations.
Application
https://<Hostname>/developer/explorer/#/Application_Access
These APIs provide the means to on-board and manage an Application.
POST /v1.0/applications
PUT /v1.0/applications/{applicationId}
Reconciliation is the process that detects out-of-band changes made to Identity accounts on the target application. APIs are provided to start, stop, and view the status of a reconciliation run.
POST /appaccess/v1.0/applications/{applicationId}/reconciliation
GET /appaccess/v1.0/applications/{applicationId}/reconciliation/{reconciliationId}
‘Manage application lifecycle’ is the minimum API client privilege required to perform these operations.
Account
https://<Hostname>/developer/explorer/#/Application_Access
These APIs provide the means to list and view details of the Identity accounts created on the target application. Separate APIs transition the state of an Identity account, for example from Unmatched to Unmanaged or Orphan.
GET /appaccess/v1.0/applications/{applicationId}/accounts
POST /appaccess/v1.0/applications/{applicationId}/accounts/{accountId}/{action}
POST /appaccess/v1.0/accounts/{accountId}/adoption/{identityId}
GET /appaccess/v1.0/applications/{applicationId}/reconciliationDelta/{reconciliationId}/{accountId}
Entitlement
Entitlements are permissions / authorizations assigned to an Identity to perform certain operations on the target Application. Upon assigning an application entitlement, the Identity
https://<Hostname>/developer/explorer/#/Application_Access
https://<Hostname>/developer/explorer/#/Entilement_Management
We provide two sets of APIs to manage Application-level entitlements. Those under Application_Access are configuration APIs that assign application permissions to Users and Groups; these become the default permissions of an account created for that User.
GET /v1.0/owner/applications/{applicationId}/entitlements
POST /v1.0/owner/applications/{applicationId}/entitlements
Additionally, the APIs under Entitlement_Management provide the means to view and assign finer-grained permissions, such as groups in the target application, to Users and Groups.
POST /v1.0/v1.0/entitlements/search
POST /v1.0/entitlements/user/{identityId}
GET /v1.0/users/{identityId}/entitlements
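The Identity, Application, Account and Entitlement endpoints listed above are usually driven together, for example: create the identity, start a reconciliation against the application, poll it to completion, then adopt any unmatched account. The client below is an added example written for this page, not CIG's own SDK. It assumes a bearer token in the Authorization header, JSON request and response bodies, and that the reconciliation document carries `id` and `status` fields with terminal values `COMPLETED`/`FAILED`; none of those details are stated on the page. The transport is injectable so the flow can be exercised offline with canned responses.

```python
import json
import time
from typing import Callable, Dict, Optional, Tuple
from urllib import request as urlrequest

# A transport takes (method, url, headers, body) and returns (http_status, raw_body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Default transport: a plain HTTPS call to the CIG host."""
    req = urlrequest.Request(url, data=body, headers=headers, method=method)
    with urlrequest.urlopen(req) as resp:
        return resp.getcode(), resp.read()


class CIGClient:
    """Thin wrapper over the endpoints listed on this page (paths copied verbatim).

    Assumed, not documented here: bearer-token auth and JSON bodies.
    """

    def __init__(self, hostname: str, token: str, transport: Transport = urllib_transport):
        self.base = f"https://{hostname}"
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self.transport(method, self.base + path, headers, data)
        if status >= 400:
            # Surface authorization failures loudly: each group of endpoints needs
            # its own minimum API-client privilege (see the notes above).
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    # Identity: needs 'Manage users, standard groups, and reserved groups'
    def create_user(self, user: dict) -> dict:
        return self._call("POST", "/v2.0/Users", user)

    def patch_user(self, user_id: str, patch: dict) -> dict:
        return self._call("PATCH", f"/v2.0/Users/{user_id}", patch)

    # Application reconciliation: needs 'Manage application lifecycle'
    def start_reconciliation(self, application_id: str) -> dict:
        return self._call("POST", f"/appaccess/v1.0/applications/{application_id}/reconciliation")

    def get_reconciliation(self, application_id: str, reconciliation_id: str) -> dict:
        return self._call(
            "GET", f"/appaccess/v1.0/applications/{application_id}/reconciliation/{reconciliation_id}")

    # Accounts
    def list_accounts(self, application_id: str) -> dict:
        return self._call("GET", f"/appaccess/v1.0/applications/{application_id}/accounts")

    def adopt_account(self, account_id: str, identity_id: str) -> dict:
        return self._call("POST", f"/appaccess/v1.0/accounts/{account_id}/adoption/{identity_id}")

    # Entitlements (Entitlement_Management); body layout is the caller's responsibility
    def assign_user_entitlements(self, identity_id: str, body: dict) -> dict:
        return self._call("POST", f"/v1.0/entitlements/user/{identity_id}", body)


def run_reconciliation(client: CIGClient, application_id: str, max_polls: int = 30,
                       interval: float = 5.0, sleep=time.sleep) -> dict:
    """Start a reconciliation and poll its status document until it reaches a terminal
    state. Field names 'id' and 'status' and the terminal values are assumptions."""
    started = client.start_reconciliation(application_id)
    recon_id = started["id"]
    for _ in range(max_polls):
        doc = client.get_reconciliation(application_id, recon_id)
        if doc.get("status") in ("COMPLETED", "FAILED"):
            return doc
        sleep(interval)
    raise TimeoutError(f"reconciliation {recon_id} did not finish after {max_polls} polls")
```

Bounding the poll loop matters in automation: a reconciliation that never reaches a terminal state should fail the job, not hang it.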
Fulfillment
Identity lifecycle events are typically summarized as Joiner – Mover – Leaver. These three phases collectively describe the lifecycle of an identity in an organization. Joiner marks the start of managing an identity, for example a Person joining the Organization. Mover marks a change to one of the identity's fields, such as a Person moving from one department to another; this typically involves losing the entitlements of the previous department and gaining those of the new one. Finally, Leaver marks the end of managing an identity, for example a Person retiring or quitting.
The following events in Cloud Identity Govern cause changes to an Identity and its accounts on target applications.
- An Identity is added to, modified in, or removed from the Cloud Identity User repository.
- Application entitlements are assigned to or revoked from an Identity or Group.
- An Unmatched target application account is manually adopted to an existing Identity.
One can set de-provisioning, adoption, and remediation policies on an Application. These policies affect the way reconciliation and fulfillment actions are carried out.
De-provisioning Policy
A de-provisioning policy defines the action to be taken when an Identity is stripped of all application entitlements, moved out of the group(s) entitled to a target application, or leaves the organization. The most relevant action in these situations is to suspend the identity's account on the target application. The available actions depend on what the target application offers; applications typically provide one or more of Suspend, Deactivate, Archive, or Delete.
Additionally, CIG provides a way to specify a grace period, during which the de-provisioning action is held back. An Administrator can reverse the de-provisioning during the grace period, so that an account is not de-provisioned by mistake.
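The two checks an implementation of this policy needs are that the configured action is one the target application actually offers, and that a pending de-provisioning can be reversed only while its grace period is still running. The following is an added example for this page, not CIG's code: a small, in-memory model of a pending de-provisioning with timestamps as epoch seconds. The action names are the four listed above; everything else (class and field names, the rule that a missing action is a configuration error rather than a silent fallback) is this example's own choice.

```python
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Actions named on the page; a target application may offer only some of them.
KNOWN_ACTIONS = frozenset({"Suspend", "Deactivate", "Archive", "Delete"})


@dataclass(frozen=True)
class DeprovisioningPolicy:
    action: str                          # action to carry out once the grace period elapses
    grace_seconds: float                 # grace period length
    supported_actions: FrozenSet[str]    # what the target application offers

    def __post_init__(self):
        # Reject a policy the application cannot honour at configuration time,
        # instead of discovering it when the Leaver event fires.
        if self.action not in KNOWN_ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action not in self.supported_actions:
            raise ValueError(f"target application does not offer {self.action!r}")
        if self.grace_seconds < 0:
            raise ValueError("grace period cannot be negative")


@dataclass
class PendingDeprovision:
    """A de-provisioning that has been requested but is held back by the grace period."""
    account_id: str
    policy: DeprovisioningPolicy
    requested_at: float                  # epoch seconds
    reversed_at: Optional[float] = None
    executed_at: Optional[float] = None

    @property
    def due_at(self) -> float:
        return self.requested_at + self.policy.grace_seconds

    def reverse(self, now: Optional[float] = None) -> None:
        """Administrator cancels the de-provisioning; only valid inside the grace period."""
        now = time.time() if now is None else now
        if self.executed_at is not None:
            raise RuntimeError(f"{self.account_id}: already de-provisioned, cannot reverse")
        if now >= self.due_at:
            raise RuntimeError(f"{self.account_id}: grace period has elapsed")
        self.reversed_at = now

    def tick(self, now: Optional[float] = None) -> Optional[str]:
        """Called by the scheduler. Returns the action to perform on the target
        application when the grace period has elapsed, otherwise None. The action is
        returned exactly once, so a repeated tick never double-executes it."""
        now = time.time() if now is None else now
        if self.reversed_at is not None or self.executed_at is not None:
            return None
        if now < self.due_at:
            return None
        self.executed_at = now
        return self.policy.action
```

In a real deployment the `tick` result is what gets sent to the target application, and the `PendingDeprovision` record would live in durable storage so that a scheduler restart neither loses nor replays it.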
Adoption Policy
An adoption policy specifies one or more Identity attributes to be used in matching an application account with an identity in the User registry. Currently this list is used as a union (AND); in future it will offer more complex adoption rules including, but not limited to, expressions that modify attribute values before comparison.
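What the AND semantics mean in practice is that an account is adopted only when every listed attribute agrees, and that a single-attribute policy can leave an account ambiguous when two identities share that value. The function below is an added example for this page, not CIG's matching engine. It assumes identities carry an `id` and accounts an `accountId`, that account attribute names may need a mapping onto identity attribute names, and that comparison is case-insensitive after trimming; all three are this example's assumptions. Accounts that match no identity, or more than one, are reported rather than adopted, which is where the manual-adoption API described above comes in.

```python
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Record = Dict[str, str]
# Outcome per account: ("matched", identity_id), ("unmatched", None) or ("ambiguous", None)
Outcome = Tuple[str, Optional[str]]


def _normalize(value: str) -> str:
    # Assumed comparison rule: trim whitespace and ignore case.
    return value.strip().casefold()


def evaluate_adoption(accounts: Iterable[Record], identities: Sequence[Record],
                      policy_attributes: Sequence[str],
                      attribute_map: Optional[Dict[str, str]] = None) -> Dict[str, Outcome]:
    """Apply an adoption policy (all attributes must match: AND) to each account.

    policy_attributes: identity attribute names from the policy.
    attribute_map: identity attribute name -> account attribute name, when they differ.
    """
    if not policy_attributes:
        raise ValueError("adoption policy must list at least one attribute")
    attribute_map = attribute_map or {}
    outcomes: Dict[str, Outcome] = {}

    for acct in accounts:
        candidates: List[str] = []
        for ident in identities:
            all_match = True
            for attr in policy_attributes:
                acct_attr = attribute_map.get(attr, attr)
                # A missing attribute on either side fails the AND; it never counts as a wildcard.
                if acct_attr not in acct or attr not in ident:
                    all_match = False
                    break
                if _normalize(acct[acct_attr]) != _normalize(ident[attr]):
                    all_match = False
                    break
            if all_match:
                candidates.append(ident["id"])

        if len(candidates) == 1:
            outcomes[acct["accountId"]] = ("matched", candidates[0])
        elif not candidates:
            outcomes[acct["accountId"]] = ("unmatched", None)
        else:
            # Two or more identities satisfy the policy: auto-adopting would be a guess.
            outcomes[acct["accountId"]] = ("ambiguous", None)
    return outcomes


# Constructed sample data for a stand-alone run (not from any real tenant).
SAMPLE_IDENTITIES = [
    {"id": "i1", "email": "jdoe@example.test", "employeeNumber": "1001"},
    {"id": "i2", "email": "asmith@example.test", "employeeNumber": "1002"},
    {"id": "i3", "email": "jdoe@example.test", "employeeNumber": "1003"},  # shares an email with i1
]
SAMPLE_ACCOUNTS = [
    {"accountId": "a1", "mail": "JDoe@Example.test", "empId": "1001"},
    {"accountId": "a2", "mail": "nobody@example.test", "empId": "9999"},
    {"accountId": "a3", "mail": "jdoe@example.test"},                     # no employee id on the target
]
SAMPLE_MAP = {"email": "mail", "employeeNumber": "empId"}

if __name__ == "__main__":
    for policy in (["email", "employeeNumber"], ["email"]):
        print(policy, evaluate_adoption(SAMPLE_ACCOUNTS, SAMPLE_IDENTITIES, policy, SAMPLE_MAP))
```

Running the two policies over the sample data shows the difference: with both attributes, `a1` adopts to `i1` and `a3` stays unmatched because it lacks an employee id; with `email` alone, `a3` becomes ambiguous between `i1` and `i3`.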
Remediation Policy
A remediation policy assigns one or more actions to be taken when an account changes its state. Remediation may mean reverting an incorrect state on Cloud Identity or on the target application. One may instead assign a ‘Let me decide’ policy, whereby no action is taken automatically upon a change in the account's state; the change can then be assessed and selectively remediated.