Planning for Provisioning

What is the user master directory: DirX Identity or others?

Is there only one, or are there several?For example, there could be a master corporate directory, a Human Resources directory that contains full-time employee data, another directory for external employees such as consultants, a customer database, and so on.

What are the target systems that must be integrated?

Do these target systems already exist?

What are the characteristics of the target systems in terms of authentication and authorization?

How should these target systems be migrated into the DirX Identity Provisioning environment?Can there be an initial load of accounts and/or groups into DirX Identity?

Is reconciliation a requirement?

Is there a need for a virtual target system?

What permissions are needed?

Does it make sense to use permission parameters?If so, how should they be applied to permissions?

Do the permissions - as generalized access rights - fit the existing groups?

Are you using permission parameters?If so, you must assign values for them to the groups

How should permissions be assigned to target system groups?

Have approval workflows been established for the assignment of the permission to users or to roles?Approvals must be established and the workflows must be set up.

Have all the necessary roles been defined?

What should the role structure be?That is, how should the roles be structured in the role subtree presented by DirX Identity Manager, as organized by role folders?

Are there any role hierarchies?If so, what is the aggregation of access rights for the hierarchy?

Which roles shall have role parameters and corresponding match rules?

How should roles be assigned to permissions?

Have approval workflows been established for assignment of the role to users or to other roles?Approvals must be established and the workflows must be set up.

Are the roles delivered with the DirX Identity role catalog sufficient, or does an integrator workflow need to be developed to load customer-specific role definitions into the directory?

Are all the pre-existing groups assigned to at least one permission?

Do you need additional groups?(Look at the permissions to determine the need)

Have the groups for new target systems been defined?

Have approval workflows been established for the assignment of the group to users or to permissions?Approvals must be established and the workflows must be set up

Which access policies are necessary for read and modify access rights?

Should the read / modify policies be applied on attribute level?

Which access policies for object creation and deletion are necessary?

Are there access policies for grant operations to be built?

Are access policies for request workflow execution and control required?

Which access policies for approval are necessary?

Which access policies for delegation make sense?

Which access policies shall be delegatable?

Do you intend to use menu policies?

Which attributes to protect against not approved changes?

Are there objects where changes shall result in event notification?

Which event-based workflows are necessary to process these change events?

Are there objects where deletions shall result in event notification?

Which event-based workflows are necessary to process these deletion events?

Which groups should be assigned directly to users?

How should permissions be assigned to users?

Can you use any of the delivered default policies in your environment?

Do you need any other rules to maintain or document your environment?

How should groups and accounts be cleansed after initial load from the target systems?

Which rules are necessary after validation with target systems?

Do you need any other purify rules to keep your provisioning environment up to date and correct?

Which types of password policies are necessary (for administrators, users, services)?

Must your password policies be compliant with the Microsoft Windows password policies?

Which privileges must be approved before assignment to a user?

Which privileges require regular or scheduled certification campaigns of the users or privileges that they are assigned to?

Which structural links between privileges have to be approved?

Which attribute changes have to be approved?

Which object creation workflows do you need?

Which object deletion workflows do you need?

Are copies of the pre-configured request workflow templates sufficient or do you need additional ones?

Is the standard configuration of the DirX Identity audit trail mechanism sufficient for your needs?

Is the tracing configuration of the target system workflows sufficient for your needs?

Who will administer DirX Identity Provisioning?

What are the access rights to be assigned to these administrators (use access policies)?

Set up consistency checks

Set up privilege resolution

Set up processes for object cleanup

Set up event-based processing workflows

Set up certification campaigns

Do the Provisioning objects (the relevant part of the directory schema and DirX Identity Manager property pages) need to be customized?

Do the DirX Identity Manager property pages for the target system accounts and groups need to be customized?

Do the user integration workflows (the workflows that synchronize the master entries into DirX Identity) need to be customized?

Do the target system initial load (the workflows that export account, group, and account-group data from the target systems and import it into the Identity Store) and validation workflows (the workflows that detect deviations between the target systems' accounts and groups and their representations in the Identity Store) need to be customized?

Do the target system synchronization workflows (the workflows that synchronize accounts and groups to the target systems) need to be customized?

Are any other workflow types necessary (for example for password synchronization or restore)?

What are the naming rules or JavaScripts that apply for creating target system accounts and default passwords?

Are all necessary policies set up?

Have you customized the necessary request workflows?

What about customized certification campaigns and their related processes with certification campaign user hooks?

Does Web Center need to be customized? Are menu policies required to restrict access to certain functions for specific user types (end users, administrators, and so on)

Have you customized the Identity Store and status report workflows, especially their schedules? Make sure that you perform this task.

Have you optimized the workflow schedules? Make sure that you perform this task.

Have you thought about using nested workflows to run synchronization or validation tasks in parallel or in sequence? It is a good idea to consider this methodology.

Have you customized audit policies and set up the connection to your audit system?