At its most basic level, provisioning software helps automate the creation of user accounts. The processes and workflows a company uses to create, assign, approve, and audit user accounts all can be managed through this type of software.
Workflows can be configured to automatically create Active Directory, PeopleSoft and Lightweight Directory Access Protocol (LDAP) accounts for new employees from one administrator screen once some basic information about the new user is entered. This greatly improves efficiency by drastically shortening the amount of time it takes to create new accounts or modify current user groups. The provisioning process also can include approvals, such as requiring manager approval before the new user accounts are created, making a central provisioning server key for audit compliance.
Xellerate's architecture comprises the Xellerate Server, an administrative console and a database. The Xellerate Server is the central component of the product, providing the intelligence to implement the configured processes and workflows. It enables the integration with external resources such as LDAP, Web services and custom applications. The administration console can be a Java console application, a Web front-end accessible through a browser, or a custom application built on the API. The database, which is usually Oracle although SQL Server also is supported, contains all the processes.
How we did it
We installed Xellerate on Windows 2000 Advanced Server (SP 4), using Oracle 9i (22.214.171.124) as the database and JBoss 3.2.2 as the application server. This was installed on a 3GHz Pentium 4 server with 800MB of RAM.
We integrated with Active Directory, Exchange Server 2000 and SunOne LDAP servers for account creation. We then defined several corporate scenarios to implement that provide varying levels of complexity in creating accounts, automating processes and approving requests.
After implementing all scenarios, we tested report generation and created reports detailing which user accounts had accessed each application and reports detailing provisioning tasks by date.
Workflow and integration
Xellerate is very flexible, supporting simple and complex account maintenance workflows. This flexibility lets organisations implement provisioning around current processes.
Integration support is provided through resource adapters - pieces of code that run inside the server - for a number of enterprise products, including SAP, PeopleSoft and Active Directory. The resource adapters let the Xellerate Server communicate with applications and control how they create accounts or modify attributes of current accounts. A resource adapter might simply write user information directly to an LDAP database, or it might make a specific user account function call through an API to make the change. Custom resource adapters can be developed for nearly any application using Thor's developer kit.
We installed Xellerate on a Windows 2000 Advanced Server running JBoss - an open source Java 2 Platform Enterprise Edition application server - and Oracle as the database back end. We integrated with Active Directory, Exchange Server 2000, and a SunOne LDAP server.
Xellerate is a complex product with a relatively steep learning curve, although it is pretty intuitive once you understand the basics. We would like to see some configuration wizards to help with integration and the creation of new users.
We implemented a number of scenarios to test the flexibility and complexity Xellerate can support. We set up a policy that would automatically place any new user with "full-time" or "part-time" status in the Employees group of our schema and any user defined as an Intern in the Intern group. We then expanded these processes to automatically have Exchange and Active Directory accounts created when a new user is placed in either the Intern or Employees groups. Testing several accounts, this process worked seamlessly. However, it's important to note that to create the Exchange and Active Directory accounts, you need to have a detailed understanding of how your Active Directory implementation is configured, which might add some complexity to the set-up process.
Self-service for users
Xellerate also supports self-service and approval workflows. Self-service workflows provide forms and processes that users can complete themselves, further automating tasks and alleviating over-worked administrators. Approval workflows automate the review and acceptance processes of user requests that are often required for compliance. We tested the process of receiving a request from an employee for access to an internal site controlled through a SunOne LDAP server. We implemented a process that receives the request through a Web interface, routes the request to the employee's manager for approval and, once approved, automatically adds the user to the LDAP server. We tested several accounts with this process, and everything worked as expected.
We also extended the first process without incident to add a layer of manager approval for new Active Directory and Exchange accounts. We also created more complex workflows, providing different approval paths based on the requesting user. We established one approval chain for contractors requesting access to the internal site and a separate one for employees, who just required manager approval.
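The gating logic these workflows depend on, sketched as an added example (this is not Xellerate's API or code from the product): a status-to-group policy opens account requests, and nothing is created until every approver in the chain has signed off in order, with each step written to an audit trail. The class and resource names are hypothetical, and the contractor chain of manager plus security is an assumption, since the review does not say who sits in it.

```python
from dataclasses import dataclass, field

# Membership rule from the review: status decides the group.
GROUP_BY_STATUS = {"full-time": "Employees", "part-time": "Employees", "intern": "Intern"}
# Accounts requested once a user lands in either group (as in the review's test).
GROUP_RESOURCES = {g: ["ActiveDirectory", "Exchange"] for g in ("Employees", "Intern")}
# Approval chains for the internal site; the contractor chain is an assumed example.
SITE_APPROVERS = {"employee": ["manager"], "contractor": ["manager", "security"]}

@dataclass
class Request:
    user: str
    resource: str
    chain: list
    approvals: list = field(default_factory=list)
    state: str = "pending"

class Provisioner:
    def __init__(self):
        self.accounts = set()   # (user, resource) pairs actually created
        self.audit = []         # append-only trail: (event, user, target, actor)

    def onboard(self, user, status):
        """Place the user in a group, then open one gated request per resource."""
        group = GROUP_BY_STATUS[status.lower()]
        self.audit.append(("group", user, group, "policy"))
        return [self._open(user, r, ["manager"]) for r in GROUP_RESOURCES[group]]

    def request_site(self, user, user_type):
        return self._open(user, "InternalSiteLDAP", SITE_APPROVERS[user_type])

    def _open(self, user, resource, chain):
        self.audit.append(("requested", user, resource, user))
        return Request(user, resource, list(chain))

    def approve(self, req, role):
        """Record one approval; create the account only when the chain is complete."""
        if req.state != "pending":
            raise ValueError("request already closed")
        expected = req.chain[len(req.approvals)]
        if role != expected:
            raise PermissionError(f"next approver must be {expected}, got {role}")
        req.approvals.append(role)
        self.audit.append(("approved", req.user, req.resource, role))
        if req.approvals == req.chain:
            req.state = "provisioned"
            self.accounts.add((req.user, req.resource))
            self.audit.append(("provisioned", req.user, req.resource, "system"))
        return req.state
```

Because the account set changes only inside approve(), the audit trail can be replayed to confirm that every provisioned pair is preceded by a complete, ordered set of approvals.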
We built processes to pre-populate configuration information for resources, such as Active Directory and Exchange. This lets the provisioning process be completely automated from end to end.
Finally, we set up direct integration with Oracle 9i to Crystal Reports software to create a number of reports from stored procedures, such as what users have which accounts, by application, provisioning date, user ID and the like. The standard reports are useful and easy to read. With the Crystal Reports engine, custom reports can be easily created with any data in the database.
With all the regulations and audit requirements many organisations now face, provisioning products help automate implementation and track adherence to defined policies for creating and approving application access. Thor's Xellerate is a very powerful, complex tool. While the learning curve is a bit steep to get everything going, once the base is set up and all the integration is complete, you are only limited by your imagination when it comes to process implementation and automation.
Up there with authentication and authorisation, account provisioning is one of the big three components in any identity management scheme. We found that Thor Technologies' latest version of Xellerate Identity Manager (8.01) provides flexible account provisioning across a multitude of products and technologies, supporting even the most complex of workflows.