Role provisioning behaves differently from identity provisioning. The main difference is the absence of a separate account management mechanism. In the case of identities, it is account management that creates the IDM account, depending on the assigned roles.

In the case of roles, account management is directly linked to the creation / modification / deletion event of the role.

  1. If we create a new role, the event is published and caught by the processor RoleSaveProcessor (in the ACC module). The processor first creates an IDM account by calling ProvisioningService.createAccountsForAllSystems, which creates an IDM account (and the associated bindings) for all systems that have a provisioning mapping for that tree type. Subsequently, the provisioning itself is triggered.
  2. If we modify a role, the event is published and caught by the same processor, which performs the same operations as in the previous point.
  3. If we delete a role, the delete event is published and caught by RoleDeleteProcessor. This processor deletes all AccRoleAccount relations and the linked AccAccount (and the account on the end system too).

By default, role provisioning is provided by RoleProvisioningExecutor.
  • by stloukalp