Challenge
An identity management solution is a sophisticated environment and organizations expect it to function as originally designed and as modified for its specific business needs. To meet those expectations, it must be managed in a consistent and sustainable manner. Part of that management requires adequate testing of customized functionality before deploying the changes into a production environment. Proper configuration management requires that modified system functionality first be tested in a development environment and then moved to a test environment before finally being migrated into production. This process helps ensure that the changed processes will work as expected to support the business requirements. But moving the components is often a challenge. One must ensure all necessary objects have been accurately moved between each environment for proper functioning of the production system.
Opportunity
ConfigXpress is a CA IdentityMinder™ utility that provides system administrators several useful
capabilities, chief among them is the ability to easily move components between staging environments for simplified configuration management. It reduces the time and effort a system administrator must spend while moving components between configuration environments and thereby allows for more functional testing time. It also provides a change-analysis report that highlights differences between environments as compared to a current and baseline installation. It provides a “push-button” system documentation process that records the many system components for future reference or as a part of a system recovery plan. ConfigXpress also provides a convenient and efficient method to display component relationships. For example, it shows which screens are used by specific tasks and which administrative roles grant access to those tasks.
Benefits
Considerable time can be saved with the ability to easily identify component differences and quickly promote these components between development, test and production environments as part of a configuration management process. As a result, the organization can better depend upon the identity management solution to provide consistent results and with a savings of time and effort. Using ConfigXpress, administrators can quickly perform these changes, document the system and quickly understand the relationships between objects, roles, and access to more easily manage the system. All of these factors are likely to contribute to a more easily maintainable identity management system and provide for a lower total-cost-of-ownership (TCO).
SECTION 1: Business need
Managing an identity management solution
Organizations depend upon consistent and known processes. A number of these processes are often implemented by an identity management solution in order to automate them. However, to ensure these processes perform as expected; they must be tested before moving or promoting the logic into a production environment.
An identity management solution is often a critical enabler of a business’ flexibility, if managed well. It can also be a significant impediment to the business if it cannot adjust quickly and reliably to the fast changing needs of today’s organizations. Every organization has specific processes that an identity management solution must implement. CA IdentityMinder enables that business flexibility through a number of features and one of them is PolicyXpress (please see related technology paper titled: “CA IdentityMinder: customization without coding”) where customized business logic can be defined without writing code. However, even with PolicyXpress the logic should still be tested before it is promoted to a production system environment.
Any identity management solution has many components and determining which objects have changed and which ones to move from test to production is a common challenge for any administrator. This process is similar for any identity management solution today. The process to move a component like a portal screen or a business policy requires the administrator to export an XML file that defines the environment, then search through the rather large file for the desired objects, cut-and-paste these objects into a separate file and then finally upload these selected objects into the target environment. This assumes that the administrator accurately determined the appropriate and related objects that were needed to accompany the screen or business policy. If the administrator doesn’t include all of the objects the promotion and test process from one environment to another will fail and the process will have to be reviewed and attempted again. This is a manual process that every administrator must learn and remember. However this is not an everyday occurrence so it is easily forgotten between attempts.
SECTION 2: Solution
Simplified configuration management & more
ConfigXpress provides CA IdentityMinder administrators with several significant productivity capabilities. This utility included with CA IdentityMinder is installed as a part of the standard product installation and has been available since r12.5 SP4, but the utility can actually be used with any CA IdentityMinder version from r8.1 and later. In this section, we will review those ConfigXpress capabilities.
ConfigXpress quickly analyzes a current CA IdentityMinder environment and displays the system’s components and their relationships to other objects within the system. This is especially useful for any administrator that needs to quickly understand the system or just to review impacts of proposed changes to an environment. For example, it shows which screens are used by specific tasks and which administrative roles grant access to those tasks. How much more productive could an administrator be if the time it normally takes to understand the identity management components were significantly reduced?
The next few screen captures show some of the display and analysis capabilities of ConfigXpress.
Figure A.
System envirnoment: access definition and configuration
ConfigXpress displays all of the environment’s graphical user interface screens along with their relationships with Tasks and details of data elements displayed on the screens. Also useful is the ability to see whether a screen is an unmodified out-of-the-box (OOTB) screen, a modified or a completely new screen developed by the implementing organization.
admin roles that grant access
to tasks screens used by the task ConfigXpress displays all of the environment’s tasks along with their related roles which grant access to the tasks. Each task makes use of one or more screens and this is shown to the administrator. Like the screens, the tasks are also analyzed to determine which are OOTB, modified or defined by the implementing organization.
Figure C.
This utility also provides a “push-button” system documentation capability that records the many system components for future reference or as a part of a system recovery plan. This document and the environment file could also be imported to a version control tool as files for long term storage.
With the click of a button all of the graphical components and configuration views provided by ConfigXpress can be deposited within a single document that is exported to an Adobe PDF file. The administrator can customize aspects of this document such as parts of the title page and a free-format introduction section to meet specific documentation needs.
Figure D.
Additionally, each object can be inspected at a detailed view as source XML for further analysis and understanding.
While browsing any of the CA IdentityMinder components the administrator can view the object’s XML source for additional clarity of the object’s definition and behavior.
Here is a review of the configuration management capabilities provided by ConfigXpress and how this utility can simplify the process.
ConfigXpress can reduce an administrator’s time and effort while promoting components (business logic, screens, roles) between configuration environments through the following capabilities: • Environment import from live systems or through exported files
Connect to live systems and perform the configuration management process or use archived and previously exported Environment files.
• Quick comparison between environments
For example, it displays the objects that have been changed between test and production environments. It is easy to compare against a current or baseline installation.
Show XML button provides this detail of any system component
Figure E.
• Can display only the changed or new components for targeted review
Administrators often need to know what has changed and ConfigXpress quickly shows this view. • Ensure all required objects are moved with the selected component
When business logic is moved into production, the associated and required portal screens are also promoted as well. The administrator does not need to know and search for such information. This avoids system crashes and errors by appropriately migrating all needed objects.
All of these features can allow for more functional testing time by reducing the time previously used in searching for and the moving of objects.
This display screen shows the differences between two environments for quick promotion of objects between the development, test and production environments.
This shows two environments for quick comparisons
Figure F.
SECTION 3: Conclusions
Simplified configuration management
Identity management solutions require the flexibility and adaptability to implement business logic and integration to many heterogeneous enterprise systems. In today’s environments, because of the dynamic and competitive nature of business environments and shifting government regulatory requirements nothing stays the same for long. The end result: business processes and systems must be changed, and the identity management solutions supporting these systems must ebb and flow to meet the demands of the business. The question is often asked: “How can this be done quickly and in a cost effective manner?”
The CA IdentityMinder solution provides tools and utilities to enable customization without coding using PolicyXpress. Those same business policies can then easily be managed using ConfigXpress. ConfigXpress provides the administrator the needed capabilities to promote business logic easily, document the system for efficient knowledge transfer and easily display relationships between CA IdentityMinder objects. These capabilities all provide time savings for the administrator and in turn contribute to overall reduction in TCO and better facilitates system suitability.
During a promotion of objects, ConfigXpress will inform the administrator of additional and required objects related to the promoted object. This better enables the target environment to operate properly with all of the required objects.
Figure G.
CA Technologies is an IT management software and solutions company with
expertise across all IT environments—from mainframe and distributed, to
virtual and cloud. CA Technologies manages and secures IT environments
and enables customers to deliver more flexible IT services. CA Technologies
innovative products and services provide the insight and control essential
for IT organizations to power business agility. The majority of the Global
Fortune 500 rely on CA Technologies to manage their evolving IT ecosystems.
For additional information, visit CA Technologies at ca.com.
SECTION 4:
About the author
Bob Burgess is an Advisor and a member of CA Technologies Security Center of Excellence team. His industry experience spans more than 20 years as a developer, technical evangelist, manager of a development team and stints in product marketing and sales. Prior to this experience, Bob served 11 years (active and reserve duty) in the in US Air Force involved with future weapons systems at Strategic Air Command Headquarters and served among other positions as a Squadron Commander. Bob has a Bachelor of Science in Computer Science in addition to a Bachelor of Science in Engineering Technology, both from Texas A&M University.
