Introduction

The main purpose of identity management systems is to manage user and role provisioning.

User and role provisioning refers to the creation, maintenance, activation and deactivation of user and role objects and their attributes.

Provisioning operations can act on Apache Syncope only or be propagated towards external resources.

The propagation implements the provisioning on external resources. It depends on the assignment, directly or indirectly (via memberships), of users/roles to external resources.

Users and roles can be assigned or linked to an external resource in three different ways: with a soft link, with a hard link, or without any link (see below for more details).

The provisioning operation can be initiated by an authorized user (for instance, working in the Apache Syncope administration console) or by a synchronization process.

A synchronization process can be used to perform a bulk provisioning operation involving Syncope and one or more external resources.

Propagation

A propagation towards a specific external resource occurs if and only if the capabilities of the external resource's connector instance permit it.

Propagation will be tried on an external resource for each provisioning operation involving users or roles assigned to that resource.

Users and roles can be assigned to a certain external resource by defining a direct or indirect link between objects.

Apache Syncope also makes it possible to control the existence of users/roles on external resources, so that remote provisioning can be managed directly.

In fact, an authorized user (or an internal task, such as a sync task) can ask to:

  • link / unlink users/roles to/from specific resources (soft link),
  • assign / unassign users/roles to/from specific resources (hard link),
  • provision / de-provision users/roles on/from specific resources (possibly without any link).

 

...

Assign/Unassign

...

Provision/De-Provision

...

 

 
