17.3 Understanding the Components of CPRS

CPRS is integrated with Identity Manager Dashboard. The following figure depicts different components involved in synchronizing user permissions:

  • User interface - The following web pages are available:

    • Permission Reconciliation - Use this page to migrate permissions and to compute the difference in permission assignments between the connected application and the Resource Catalog. Use the following icons to manage permission reconciliation, compute assignments, publish assignments, and view the status of the processes triggered:

      • Manage Permission Reconciliation

      • Compute selected (driver/entitlement) assignments

      • Publish All (driver/entitlement) assignments

      • Status of the process

      For more information, see Permission Reconciliation.

    • Permission Reconciliation Settings - Use this page to view the CPRS settings.

    • Permission Reconciliation Settings Edit - Use this page to modify the permission reconciliation settings for entitlements. For more information, see Managing Permission Reconciliation Settings.

    • Permission Reconciliation Configuration - Navigate to Administration > Configuration > Permission Reconciliation. Use this page to perform the following tasks:

      • Enable permission reconciliation

      • Set the polling time for status checker

      • Set the retention time for computed permission assignments

      For more information, see Configuring Permission Reconciliation Settings.

  • User Application Database - Contains the computation and the published records.

  • Identity Manager drivers - Used to fetch permissions for data synchronization.

  • Connected System - Any system, directory, database, application, or operating system whose identity information you want to manage.

The following sequence describes how the permission differences between resource catalog and connected systems are computed and published.

  1. Log in as a Resource Administrator or User Administrator to Identity Manager User Interface > Administration > Permission Reconciliation.

  2. Click the Manage Permission Reconciliation icon and click Edit to enable the resources to be used for CPRS.

  3. In the Permission Reconciliation page, select a driver or entitlement you want to compute or publish.

  4. Select an entitlement and click the Compute or Publish icon to trigger a request. This action creates an eDirectory object under a defined container. This object contains information such as the resource-to-entitlement mapping, operation type, status, and so on.

    The Identity Manager engine is notified when a request is created under the eDirectory container. On detecting a new request, the engine begins to process it. The request object is updated periodically.

  5. The difference or change in permission assignments between Resource Catalog and connected applications is called delta. The Identity Manager engine calculates the delta between the Resource Catalog and connected system and stores it in a persistence layer.

  6. The Status Checker API updates the process records in the User Application database. Once the process status is Completed or Error, it removes the request object from the eDirectory container.

  7. The User Application REST layer receives the delta of permission assignments from the Identity Manager engine through an LDAP extension.

  8. The CPRS computed data is retained for the period configured in the Permission Reconciliation Configuration page under Retention time for computed permission assignments.

    For more information, see Configuring Permission Reconciliation Settings.
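The sequence above (a request object is created, the engine computes the delta between the Resource Catalog and the connected system, the status checker syncs the process record and removes finished requests, and computed data expires after the retention time) can be modelled end to end in a few dozen lines. The following Python is an added illustration written for this page, not NetIQ or CPRS code: the `Request`, `ProcessRecord`, container list and store dictionary are assumed stand-ins for the eDirectory request object, the User Application database and the persistence layer, and the user-to-entitlement maps are constructed sample data.

```python
# Added illustrative model of the CPRS flow (compute delta, status checker
# clean-up, retention purge). All structures here are assumptions, not the
# product's own objects or APIs.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample data: entitlement values the Resource Catalog believes
# each user holds, and what the connected system actually reports.
CATALOG: Dict[str, Set[str]] = {
    "alice": {"AD:GroupA", "AD:GroupB"},
    "bob": {"AD:GroupA"},
}
CONNECTED: Dict[str, Set[str]] = {
    "alice": {"AD:GroupA"},
    "bob": {"AD:GroupA", "AD:GroupC"},
    "carol": {"AD:GroupB"},
}


@dataclass
class Delta:
    """Difference in permission assignments between catalog and connected system."""
    missing_in_connected: Dict[str, Set[str]]  # catalog says assigned, system lacks it
    missing_in_catalog: Dict[str, Set[str]]    # system grants it, catalog does not track it


def compute_delta(catalog: Dict[str, Set[str]], connected: Dict[str, Set[str]]) -> Delta:
    """Step 5: calculate the per-user delta in both directions."""
    missing_in_connected: Dict[str, Set[str]] = {}
    missing_in_catalog: Dict[str, Set[str]] = {}
    for user in sorted(set(catalog) | set(connected)):
        cat = catalog.get(user, set())
        con = connected.get(user, set())
        if cat - con:
            missing_in_connected[user] = cat - con
        if con - cat:
            missing_in_catalog[user] = con - cat
    return Delta(missing_in_connected, missing_in_catalog)


@dataclass
class Request:
    """Stands in for the request object created under the eDirectory container (step 4)."""
    entitlement: str
    operation: str            # "compute" or "publish"
    status: str = "New"       # New -> Processing -> Completed | Error
    delta: Optional[Delta] = None


@dataclass
class ProcessRecord:
    """Stands in for a process record in the User Application database (step 6)."""
    entitlement: str
    status: str
    computed_at: datetime
    delta: Optional[Delta]


def engine_process(container: List[Request], catalog: Dict[str, Set[str]],
                   connected: Dict[str, Set[str]], now: datetime,
                   store: Dict[str, ProcessRecord]) -> None:
    """Steps 4-5: the engine picks up new requests, computes the delta and persists it."""
    for req in container:
        if req.status != "New":
            continue
        req.status = "Processing"
        try:
            req.delta = compute_delta(catalog, connected)
            req.status = "Completed"
        except Exception:  # a failed computation is surfaced as Error, not silently dropped
            req.status = "Error"
        store[req.entitlement] = ProcessRecord(req.entitlement, req.status, now, req.delta)


def status_checker(container: List[Request], store: Dict[str, ProcessRecord]) -> int:
    """Step 6: sync process records, then remove Completed/Error requests from the container."""
    finished = [r for r in container if r.status in ("Completed", "Error")]
    for req in finished:
        store[req.entitlement].status = req.status
        container.remove(req)
    return len(finished)


def purge_expired(store: Dict[str, ProcessRecord], now: datetime, retention: timedelta) -> int:
    """Step 8: drop computed data older than the configured retention time."""
    expired = [k for k, rec in store.items() if now - rec.computed_at > retention]
    for k in expired:
        del store[k]
    return len(expired)


def run_flow(retention_hours: int = 24):
    """Drive one compute request through the whole sequence and report the outcome."""
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed timestamp
    container: List[Request] = [Request("AD-Group", "compute")]
    store: Dict[str, ProcessRecord] = {}
    engine_process(container, CATALOG, CONNECTED, t0, store)
    cleaned = status_checker(container, store)
    later = t0 + timedelta(hours=retention_hours + 1)
    purged = purge_expired(store, later, timedelta(hours=retention_hours))
    return cleaned, len(container), purged, len(store)


if __name__ == "__main__":
    print(compute_delta(CATALOG, CONNECTED))
    print(run_flow())
```

The two halves of `Delta` are what a reviewer of the published assignments cares about: entries in `missing_in_catalog` are permissions that exist on the connected system without a corresponding resource assignment, which is the drift that reconciliation is meant to surface and bring under governance, while `missing_in_connected` shows assignments the catalog grants that the target never received.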

The following video helps you configure and manage CPRS in Identity Manager Dashboard: