User provisioning for IBM Connections Cloud – You have the choice
Customers who use IBM Cloud for Connections, Sametime or other applications face the problem of managing their cloud accounts. For a few individual users you can use the web frontend to add or change user accounts or to assign subscriptions and licenses. But in real-world scenarios it is not possible to manage thousands of users manually or to keep them synchronized with an on-prem user repository or LDAP.
This can be handled smarter.
There is an API for this – of course. In fact there are at least two of them:
In one of our last projects we had to learn that both of them have advantages and disadvantages:
IBM Integration Server
Customers can ask IBM to enable this feature. They can then upload user information over FTP or HTTP. The IBM Integration Server processes these files in batch mode and provides result files, which can be downloaded to check whether everything was processed correctly.
The CSV file format is quite simple and straightforward. A file can look like this:
emailAddress,action, isManager, description, experience
email@example.com,update, N,"some description","user experiences"
firstname.lastname@example.org,update, N,"other description","other experiences"
This is really simple and works well, especially for one-time provisioning of users.
But it has some crucial limitations you should be aware of:
- The CSV files are limited to 200 lines, so you have to split them up if you have more users.
- The processing is delayed, depending on the server load.
- The batch processing approach is not suited to more complex scenarios, e.g. if you try to create a user that already exists or try to assign more than the allowed number of users to a license.
- Some operations are not supported, for example assigning users to applications without forcing each of them to accept a TOC.
There are solutions which utilize this approach.
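The 200-line limit can be handled by a small splitter such as the following, which is an added example and not code from the project described here. It assumes the limit includes the header row and that every file needs its own header; the function name and the sample records are constructed for illustration.

```python
import csv
import io

# Column order taken from the sample file shown above.
COLUMNS = ["emailAddress", "action", "isManager", "description", "experience"]
MAX_LINES = 200  # limit stated above; assumed here to include the header row


def _clean(value):
    # Collapse embedded newlines/tabs: a quoted multi-line field would add
    # physical lines and silently push a file over the limit.
    return " ".join(str(value).split())


def build_batches(users, max_lines=MAX_LINES):
    """Return a list of CSV documents, each with a header and <= max_lines lines."""
    per_file = max_lines - 1  # reserve one line for the header
    if per_file < 1:
        raise ValueError("max_lines must be at least 2")
    batches = []
    for start in range(0, len(users), per_file):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n",
                                quoting=csv.QUOTE_MINIMAL)
        writer.writeheader()
        for user in users[start:start + per_file]:
            missing = [c for c in COLUMNS if c not in user]
            if missing:
                raise ValueError(f"{user.get('emailAddress', '?')}: missing {missing}")
            writer.writerow({c: _clean(user[c]) for c in COLUMNS})
        batches.append(buf.getvalue())
    return batches


# Constructed sample data: 450 users, one with a multi-line description.
SAMPLE = [{"emailAddress": f"user{i}@example.org", "action": "update",
           "isManager": "N", "description": "some description",
           "experience": "user experiences"} for i in range(450)]
SAMPLE[0]["description"] = 'line one\nline "two", with comma'

if __name__ == "__main__":
    for n, doc in enumerate(build_batches(SAMPLE), start=1):
        with open(f"users_{n:03d}.csv", "w", newline="", encoding="utf-8") as fh:
            fh.write(doc)
        print(f"users_{n:03d}.csv: {doc.count(chr(10))} lines")
```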
In our case we had the additional challenge of syncing IBM Cloud users periodically from a local LDAP.
IBM Business Support System API (or BSS)
… matches these requirements. This REST-based API works with JSON objects. It is powerful, provides a wide range of actions for managing user accounts and licenses, and is easy to use. To read all users whose email address starts with “julius”, this one line is enough:
curl -k -u <user>:<pwd> "https://apps.na.collabserv.com/api/bss/resource/subscriber?_namedQuery=getSubscriberByEmailAddress&emailAddress=julius*"
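This API can easily be used with any programming language. In our case we used Python to implement a user sync process from the customer's LDAP and to provide additional maintenance functions as well. This script is triggered periodically to keep Cloud users in sync with the customer's LDAP. Note that the -k option in the command above turns off TLS certificate verification; leave it out of anything that runs unattended, since the request sends the account's credentials with HTTP basic authentication.
In this project the BSS API combined with a powerful scripting language was the key to meeting the requirements with minimal effort and cost.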
If you plan to use IBM Connections in the cloud, you should be aware of a limitation which is really hard to accept! The BSS API updates users in the internal BSS cloud database that handles access and licenses. But only basic information such as DisplayName and JobTitle is updated in the user's Connections profile, which is visible to normal users. All other profile fields are intended to be managed by the users themselves in their profile.
Also, the IBM Connections profiles-admin API, which would be an approach in an on-prem environment, is disabled by the IBM Cloud team. At the moment the only way to update Connections profiles is to use the Integration Server. Not really convenient!
Currently we ask ourselves whether a mixture of both APIs would be the best and somehow the only way to solve this problem. But we are not happy with this. We'll keep you updated once we have found a smarter way.