The Identity Manager and Active Directory
In a distributed service environment, Web services typically manage a resource or implement business functionality that they provide to client services. Identity Manager enables provisioning capability for CSF services by providing a Web service interface to the Active Directory Service Interfaces. By sending messages to Identity Manager, you can create organizational units (OUs) to define organizational entities that use your services, create users inside these OUs, and add these users to groups that you can use to control access to your services.
Provisioning Scenarios and Identity Manager
Some sample provisioning scenarios that could be enabled by using Identity Manager are:
- Self-Service Web Portal: A self-service Web portal that is implemented by your enterprise enables a user who belongs to a valid customer organization to perform self-provisioning tasks, such as signing up as a new user for a service that is provided by your enterprise or, alternatively, opting out of a service.
- CSR Web Portal: A customer service representative (CSR) Web portal that is implemented by a customer organization enables a CSR to provision and de-provision users directly through the Identity Manager or with an order request through the Order Handling Standard Business Event (OHSBE). In this scenario, some CSRs have administrative privileges that allow them to perform administrative tasks for the customer. These CSR administrators would have privileges only in the organizational unit allocated for the customer in the domain of your enterprise.
- Administrative Tool: An administrative tool built by using Identity Manager enables administrators in your enterprise to perform administrative tasks to provision and de-provision customer organizations and users.
- Standard Business Event (SBE): The OHSBE can provision and de-provision identity objects on the Identity Manager as part of order processing.
Identity Manager OUs and Multi-tenancy
Identity Manager provides an extensible Active Directory container infrastructure that your enterprise can use to let a single instance of a service application provide services to multiple business entities while maintaining strict isolation of administrative functionality and visibility between those entities. All Active Directory objects that are managed by using Identity Manager are created under an Operator (Hosting) OU. You specify the name of the Operator OU during installation. The installer creates the OU and sets the <HostingOrganizationId> element in IdentityManager.config to identify the Operator OU to Identity Manager. For more information, see Identity Manager Environment and Configuration.
When you create an organizational unit by using Identity Manager, you specify an organization type for the OU and Identity Manager maps this organization type to an organizational template. The organizational template helps Identity Manager to determine what groups to create for the new OU and the access-control entries to apply to these groups. Identity Manager provides templates for three organization types:
- Reseller: An OU type that can be created directly under the Operator OU to contain users and customer OUs that are managed by a reseller of your services.
- Partner: An OU type that can be created directly under the Operator OU to contain users that are managed by business partners.
- Customer: An OU type that can be created directly under the Operator OU or under Reseller OUs to contain the users for specific customers.
The following diagram shows the OU structure imposed by Identity Manager for the default organization types provided by CSF.
You create a single Operator OU. Under the Operator OU you can create any number (0 to n) of partner, reseller, and customer OUs. Under reseller OUs you can create any number of customer OUs, but no reseller or partner OUs. Administrators in each OU have visibility and administrative control only over that OU and its child OUs. Users have visibility only in the OU in which they are contained. You can change this organization structure by modifying the organization templates that are provided by CSF, or extend it by creating custom organization templates for organization types that are specific to your installation. For more information, see Managing Organizational Units.
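As an added example (not code from CSF or Identity Manager), the following Python checks a proposed OU tree against the containment rules of the default organization templates described above and computes the set of OUs an administrator of a given OU can see. The OU names and the dictionary encoding of the tree are assumptions made for illustration.

```python
# Containment rules of the default CSF organization templates described on this page:
# one Operator root; partner, reseller and customer OUs directly under it; reseller OUs
# may contain only customer OUs; partner and customer OUs contain users, not further OUs.
ALLOWED_CHILDREN = {
    "Operator": {"Partner", "Reseller", "Customer"},
    "Reseller": {"Customer"},
    "Partner": set(),
    "Customer": set(),
}

def validate_ou_tree(tree):
    """tree: {OU name: (organization type, parent OU name or None)}; returns violations, [] if allowed."""
    problems = []
    roots = [name for name, (_, parent) in tree.items() if parent is None]
    if [tree[r][0] for r in roots] != ["Operator"]:
        problems.append(f"expected exactly one parentless Operator OU, found {roots}")
    for name, (otype, parent) in tree.items():
        if otype not in ALLOWED_CHILDREN:
            problems.append(f"{name}: unknown organization type {otype!r}")
        elif parent is None:
            if otype != "Operator":
                problems.append(f"{name}: {otype} OU has no parent OU")
        elif parent not in tree:
            problems.append(f"{name}: parent {parent!r} does not exist")
        elif otype not in ALLOWED_CHILDREN.get(tree[parent][0], set()):
            problems.append(f"{name}: a {otype} OU may not be created under a "
                            f"{tree[parent][0]} OU ({parent})")
    return problems

def admin_scope(tree, ou):
    """OUs an administrator of `ou` sees and manages: the OU plus all of its descendants
    (a plain user, by contrast, sees only the OU that contains them)."""
    scope, frontier = {ou}, [ou]
    while frontier:
        current = frontier.pop()
        for name, (_, parent) in tree.items():
            if parent == current and name not in scope:
                scope.add(name)
                frontier.append(name)
    return scope

# Constructed sample hierarchy; the OU names are invented for this example.
SAMPLE_TREE = {
    "OU=Hosting": ("Operator", None),
    "OU=ResellerA,OU=Hosting": ("Reseller", "OU=Hosting"),
    "OU=CustomerX,OU=ResellerA,OU=Hosting": ("Customer", "OU=ResellerA,OU=Hosting"),
    "OU=PartnerP,OU=Hosting": ("Partner", "OU=Hosting"),
}
# The same tree with a reseller nested under a reseller, which the default templates forbid.
BAD_TREE = {**SAMPLE_TREE, "OU=ResellerB,OU=ResellerA,OU=Hosting": ("Reseller", "OU=ResellerA,OU=Hosting")}
```

Running `validate_ou_tree(BAD_TREE)` reports the nested reseller as the single violation, and `admin_scope(SAMPLE_TREE, "OU=ResellerA,OU=Hosting")` excludes the partner OU that sits beside it under the Operator OU.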