Currently to bind the Technical Roles in the RSA solution with new entitlements (groups) is a manual activity, since there is no REST API exposed by the RSA IGL solution to accomplish this.
We have lots of entitlements (groups in Directory Service) which represents authorizations in several applications.
Within the RSA IGL we do not allow direct request of entitlements, but only technical roles.
This implies we need new entitlements (groups) in the RSA IGL solution and assign them to proper Technical Role to provide availability for end users to request these new Technical Roles.
We are in the design phase of automating as much as possible, so we thoughed about the following steps to accomplish the above:
1. Request form / Self Service page of IT delivery (add new authorization group in directory service).
2. Based on the entered information in the selfservice page, the group is created within the directory (i.e. name=’newgrp’, description=’Access to new function in app’,owner=’johndoe’ … maybe more parameters )
3. Send a trigger to RSA IGL REST API to enforce the collection of groups from the Directory Service. (This webservice is available in RSA IGL)
4. Wait for couple of minutes (average collection window/duration)
5. Create a file called ROLE.XML:
i. Input Template XML (currently based on stripped export of 7.x Role/Entitlement)
1. Static value is the global APP definition/name and some more info.
ii. Input Variable from the initial form (i.e. name=’newgrp’, description=’Access to new function in app’,owner=’johndoe’ … maybe more parameters )
iii. Combine the above to create a properly XML file named ROLE.XML
6. Send the ROLE.XML file to the RSA IGL Operational Support Team with instruction to import the file instantly, to provide the glue between the existing entitlement and the new role. Once import is successful the Technical Role will be available through the RSA IGL Request Form for end users.
What options are available in RSA IGL to automate this last step or the last two steps? Can we trigger IGL to bind a discovered entitlement to a new technical role?
Does anybody have some suggestions to provide a step by step approach, based on code (automation) to perform the above automation.