Semi-Manual Resources

The recently released MidPoint 3.6 “Comenius” brings a lot of new interesting features. But there is one feature that is almost invisible and could easily be missed. That would be an enormous shame, because this particular feature is quite unique and very interesting indeed. We like to call it “semi-manual resources”. But let’s start at the beginning …

From the very beginning midPoint was designed with fully automated provisioning in mind. We assumed that every system would be connected to midPoint by a connector that can do automated provisioning, propagation, synchronization, fulfilment – or whatever you like to call it. And that all makes perfect sense. Provisioning automation is where identity management provides the strongest benefits. However, there are many situations where such an automated approach cannot be used. There are systems that are difficult to integrate. There are systems that are too small to justify the development of a connector. And of course, there are migration and roll-out processes that may need manual fulfilment during initial project phases. MidPoint always had some mechanisms to handle this. But midPoint 3.6 brings two essential improvements.

The first improvement is ITSM integration. MidPoint 3.6 can automatically create tickets in the ITSM system for system administrators. When a new account needs to be created, midPoint creates a ticket with a description of the account, and the system administrator simply executes the request. Even more importantly, midPoint will create tickets to delete or disable accounts when needed. MidPoint 3.6 has a new interface that can be used to easily develop such an ITSM integration adapter. Adapter development is easy because the vast majority of the logic is already in midPoint. All the adapter needs to do is create tickets and check their status.

This ITSM integration feature is very useful, but it is not unique by itself. Many IDM systems have this capability. However, there is one major limitation: this is essentially a one-way communication channel. There is almost no feedback. And engineering tells us that a system without feedback is doomed to fail in a spectacular way. Maybe the system administrator disables the wrong account because of a typing error. Then the account of an employee who leaves the company remains enabled and active. As there is no feedback, this security threat may avoid detection for a very long time. Therefore, manual fulfilment without any feedback is still a major security risk. But midPoint can do better than that. MidPoint 3.6 now has the ability to easily implement the feedback channel for manual fulfilment.

The idea is very simple. Almost every system has the ability to easily export accounts to a CSV file. MidPoint can take that file and compare it with the policies that are set up for the accounts. MidPoint can then detect accounts that should not exist but are still in the CSV file. MidPoint can detect accounts that should be disabled but are still enabled. MidPoint can detect accounts that have too many privileges. And so on. If midPoint detects such a problem, it will automatically create tickets for an administrator to correct it. And this is all very easy to set up. Either schedule a periodic report from the target system to a CSV file that midPoint picks up, or simply make manual CSV exports on a monthly basis and pass that file to midPoint. MidPoint will make sure that any security threats caused by wrong account management are fixed.
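A minimal illustration of the feedback-channel logic described above, as an added example that is not midPoint's own code: it parses a constructed CSV export, compares it with a constructed policy map, and returns the deviations that would each become a ticket. The `EXPECTED` map and the CSV column names are assumptions; midPoint derives the expected state from its own resource schema and assignments rather than from a hand-written map. It also flags accounts missing from the export, which goes slightly beyond the three checks the post lists.

```python
import csv
import io

# Constructed sample of what the policy says each account should look like:
# login -> expected state. Logins absent from this map must not exist.
EXPECTED = {
    "jdoe":   {"enabled": True,  "groups": {"staff"}},
    "asmith": {"enabled": False, "groups": {"staff"}},            # left the company
    "bjones": {"enabled": True,  "groups": {"staff", "finance"}},
}

# Constructed sample of a monthly CSV export from the target system.
CSV_EXPORT = """\
login,status,groups
jdoe,active,staff
asmith,active,staff
bjones,active,staff;finance;admins
ghost,active,staff
"""


def parse_export(text):
    """Parse the target system's CSV export into {login: {"enabled", "groups"}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        accounts[row["login"]] = {
            "enabled": row["status"].strip().lower() == "active",
            "groups": {g for g in row["groups"].split(";") if g},
        }
    return accounts


def reconcile(expected, actual):
    """Return (login, issue) pairs for every deviation from policy;
    each pair is what would be turned into an ITSM ticket."""
    tickets = []
    for login, acct in actual.items():
        policy = expected.get(login)
        if policy is None:
            tickets.append((login, "account should not exist"))
            continue
        if acct["enabled"] and not policy["enabled"]:
            tickets.append((login, "account should be disabled"))
        extra = acct["groups"] - policy["groups"]
        if extra:
            tickets.append((login, "excess privileges: " + ",".join(sorted(extra))))
    # Accounts the policy requires but the export no longer contains.
    for login in expected.keys() - actual.keys():
        tickets.append((login, "expected account missing from export"))
    return tickets


if __name__ == "__main__":
    for login, issue in reconcile(EXPECTED, parse_export(CSV_EXPORT)):
        print(f"TICKET {login}: {issue}")
```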

ITSM integration as a two-way communication.
This is what we call a “semi-manual resource”. It is a system that is connected in two different ways. One way is manual and potentially error-prone. The other way is automatic and reliable. Such resources can be connected easily, they do not disrupt existing processes, and yet they significantly reduce security risks. This is yet another way midPoint can improve the overall security of your organization. Because there really is no security without good identity management.
