Identity feed management
As an administrator, you need to take a number of initial steps to import employee data from one or more human resources repositories. You use the data to populate the ISIM registry with an equivalent set of users. An identity is the subset of profile data that uniquely represents a person in one or more repositories, together with additional information related to the person. For example, an identity might be represented by a unique combination of the first, last, and full name and the employee number of a person. The data might also contain additional information such as phone numbers, manager, and email address. A data source can be a customer's user repository, a file, a directory, or a custom source. Use IBM Security Identity Manager to add a number of users to the system by reading such a data source. The process of adding users based on a user data repository is called an identity feed, or HR feed.
Reconciliation for an identity feed is the process of synchronizing the data between the data source and IBM Security Identity Manager. The initial reconciliation populates IBM Security Identity Manager with new users, including their profile data. A subsequent reconciliation both creates new users and updates the user profile of any existing users that are found.
We need to anticipate the effect of missing information in the user record. For example, the record that we feed into ISIM might not have an email address for the user. In that case, the user does not receive a password for a new account in an email and must call the help desk or contact the manager.
Common sources for identity feeds
ISIM supplies the following service types to handle many of the most common sources for identity feeds:
- IDI data feed
- Comma-Separated Value (CSV) identity feed
- DSML identity feed
- AD OrganizationalPerson identity feed (Microsoft Windows Active Directory)
- INetOrgPerson (LDAP) identity feed
We can populate initial content and subsequent changes to the content of the people registry from these sources:
- INetOrgPerson identity feed: Use an LDAP directory server. The data uses the objectclass implied by the person profile name specified in the service definition. We can use a global identity policy to select the schema attributes that create a user ID. The identity feed process ignores records that do not have the specified objectclass.
- Comma-Separated Value (CSV): Contains a set of records separated by a carriage return/line feed (CR/LF) pair. Each record contains a set of fields separated by a comma. We can use a global identity policy to select the schema attributes that create a user ID.
- DSML v1 file: Use a DSML v1 file to populate the people registry. A DSML file represents directory structural information in an XML file format. If you run the identity feed more than one time, duplicate people are modified according to the newest file. A global identity policy does not apply to a DSML file.
- Active Directory: The feed imports only the information found in the inetOrgPerson schema portion of an Active Directory user. We can use a global identity policy to select the schema attributes that create a user ID. The identity feed process uses all user objects in the specified base.
- Custom identity sources: Use custom identity sources to populate initial content and subsequent changes to the content of the people registry. Depending on the identity source, we might use a global identity policy to select the schema attributes that create a user ID. For example, use an IBM Security Directory Integrator identity feed to obtain more flexibility than a standard data feed provides. For more information about providing customized identity feeds, see the information about IBM Security Directory Integrator integration in the ISIM extensions directory.
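A pre-load check for a CSV feed, covering the missing-information case described earlier and the CSV record format described above. This is an added example, not IBM code or part of the product; the header names, the choice of required attributes, and the sample records are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample feed. The header names are assumed inetOrgPerson-style
# attributes chosen for this example; records end with CR/LF as described above.
SAMPLE_FEED = (
    "cn,sn,givenname,employeenumber,mail\r\n"
    "John Doe,Doe,John,1001,jdoe@example.com\r\n"
    "Alice Smith,Smith,Alice,1002,\r\n"                # no email address
    '"Wong, Bob",Wong,Bob,1001,bwong@example.com\r\n'  # quoted comma, reused number
    "Carol Diaz,,Carol,1004,cdiaz@example.com\r\n"     # no surname
    "Dan Eze,Eze,Dan,1005\r\n"                         # short record
)

REQUIRED = ("cn", "sn", "employeenumber")  # assumed identity attributes
DELIVERY = "mail"                          # where a new-account password would be sent
UNIQUE = "employeenumber"                  # assumed to be unique per person


def preflight(feed_text):
    """Return (record_number, severity, message) findings for a CSV feed."""
    findings = []
    first_seen = {}
    reader = csv.DictReader(io.StringIO(feed_text, newline=""))
    for number, row in enumerate(reader, start=1):
        # DictReader marks short records with None values and long ones with a None key.
        if None in row or None in row.values():
            findings.append((number, "error", "field count differs from header"))
            continue
        values = {name: text.strip() for name, text in row.items()}
        for name in REQUIRED:
            if not values.get(name):
                findings.append((number, "error", f"missing {name}"))
        if not values.get(DELIVERY):
            findings.append((number, "warning", "no mail: password cannot be emailed"))
        key = values.get(UNIQUE)
        if key:
            if key in first_seen:
                findings.append((number, "error", f"{UNIQUE} repeats record {first_seen[key]}"))
            else:
                first_seen[key] = number
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_FEED):
        print(*finding)
```

Running the check before a reconciliation shows which new users will need a help desk or manager contact for their first password, and which records would create ambiguous or incomplete identities.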
Enabling workflow for identity feeds
Regardless of the method used, ISIM Server can be configured to call the workflow engine for identity feed records. Enabling the workflow engine results in enforcement of all applicable provisioning policies for incoming identities, at the cost of slower feed performance. Persons are automatically enrolled in any applicable dynamic roles even if the workflow engine is not enabled for an identity feed. For initial loads, to improve identity feed performance, consider importing the identities into the system first and then enabling the applicable provisioning policies.
See:
- Comma-Separated Value (CSV) identity feed
- Directory Services Markup Language (DSML) identity feed
- AD Organizational identity feed
- Identity feeds that retain group membership
- Map of inetOrgPerson to Active Directory attributes
- User passwords provided by an identity feed
- Attributes in an identity feed that are not in a schema
- Supported formats and special processing of attributes
- Modifiable schema classes and attributes
- Person naming and organization placement
- Create an identity feed service
- Performing an immediate reconciliation on an identity feed service
- Create a reconciliation schedule for an identity feed service