Role catalogue provisioning has a different behavior than the provision of identities. The main difference is the absence of a separate account management mechanism. In the case of identities, the Account management that creates and (depending on) the IDM account depending on the assigned roles.

In the case of role catalogue, account management is directly linked to the creation / modification / deletion event of the catalogue node.

  1. If we create a new role catologue node, the event is publish and catches by the processor (in the ACC module) RoleCatalogueSaveProcessor. This first creates an IDM account by calling ProvisioningService.createAccountsForAllSystems. It creates an IDM account (and associated bindings) for all systems that have provisioning mapping for role catalogue. Subsequently, the provisioning itself is triggered.
  2. If we modify a catalogue node, the event is publish and catches by the same processor and performs the same operations as the previous point.
  3. If we delete a catalogue node, the delete event is publisch and catches by RoleCatalogueDeleteProcessor. This processor delete all AccRoleCatalogueAccount relations and linked AccAccount (account on end system too).
By default, catalogue provisioning is provided by RoleCatalogueProvisioningExecutor, which primarily resolves the conversion between the parent IdmRoleCatalogue and the value of the parent attribute on the system.
  • by kotisovam