This guide will help you get started with the new Controlled Permission Reconciliation Service (CPRS). Firstly, we will review the old PCRS feature and then I'll give an overview of the new CPRS feature which is shipped along with IDM 4.7 release. As CPRS is a new feature with a completely new UI it might seem difficult, but I have tried to simplify it here and will explain the differences between the old PCRS features and the new CPRS features.
In CPRS along with IDM 4.7 release, we support 3 drivers:
1. Active Directory driver
2. Multi Domain AD driver
3. LDAP driver
When we say we support CPRS for the above 3 drivers, these drivers will not require any type of policy modifications / any extra changes to be performed if IDM 4.7 is installed or upgraded from previous releases. These drivers will work straight away and start working without any extra modifications required in IDM 4.7 engine or the drivers. For other drivers, we still support the old PCRS without any changes done to it.
If you still want to use old CPRS for the above 3 drivers, even after upgrading to your engine to IDM 4.7 you can still use them, but without upgrading the driver packages to the latest IDM 4.7 released packages. You will have to stay with IDM 4.6 packages for the drivers and your engine can be on IDM 4.7.
IDM 4.6 release
PCRS - Permission Collection Reconciliation Service
The PCRS feature is targeted towards keeping the IDM Catalog in sync with the application state. Hence when PCRS is configured on any driver, all the permissions of the user in the Application gets reconciled into IDM Catalog seamlessly based on PCRS configuration. IDM administrator has no control over these reconciliation requests. This may result in unwanted assignments in RBPM if there is any mistake in permission assignment in the application and also causes performance issues:
Security – No security as there is no control over the permission reconciliation model as reconciliations are not controlled by an Administrator.
Performance – PCRS severely degrades the driver’s performance.
Permission Onboarding job should be installed on the driver to use PCRS feature. Which is an overhead task.
Reading CSV files containing Entitlement Values and populating <name>_Values objects>Creating a Dynamic Resource for assigning Entitlement Values to Users
No control over the configuration of the job, instead there are special policies that try to configure the job automatically when the driver starts.
A common package (Permission Collection and Reconciliation Service Package) should be installed on the driver to use PCRS
Added to this, the configuration and troubleshooting of the existing PCRS solution is quite complex because of many floating components (polices, job, mapping tables, and some engine apis).
Figure showing the PCRS Overview
IDM 4.7 release
CPRS - Controlled Permission Reconciliation Service
CPRS comes by default with the installation/upgrade of IDM 4.7. The primary goals of CPRS is to resolve the above mentioned issues/problems faced in the PCRS. So, the implementation of CPRS will solve the following concerns:
Security – Secure the permission reconciliation model so that the reconciliations are controlled by an Administrator.
Configuration – There should be minimal or no configuration required for CPRS installation.
Performance - CPRS will address the degradation and the performance issues seen in the PCRS and should be under applicable limits.
Initial Permission On-boarding - Allows the administrator to select each entitlement/driver and migrate the permissions of the managed users from the application to Resource Catalog.
Select a driver/entitlement/entitlement Value and monitor the user permission updates in the Resource Catalog. The administrator can publish the permission changes to the Resource Catalog for the selected or all the users.
Existing PCRS will not be supported from IDM 4.7 release for the 3 drivers for which driver packages are also upgraded to IDM 4.7
CPRS feature is available for all drivers supporting entitlements.
New CPRS comes with a new UI which is integrated with the idmadmin dashboard
Troubleshooting CPRS is simpler as the components are all integrated with the Identity Application user interface.
To use the Controlled Reconciliation feature the CPRS common package has to be consumed by the driver.
Example: LDAP Driver with the CPRS package installed from the designer shown in the below picture, for upgrade consume the latest released IDM 4.7 Entitlements and CPRS Common packages for your driver.
Example (CPRS Usage) along with any one driver LDAP or AD will be covered in the next article.