
Methods of linking target systems to identity manager

Hello, in my scenario all of the target systems will ideally be their own golden sources (please let me know if this is a poor decision after reading the below).


I will want IM (identity manager) to perform all provisioning requests on a mostly RBAC level with all approvals etc. These requests will then be pushed out to the target systems, where the access will be set as needed. Then I would like the IM to reconcile against them to ensure all data is set as expected.


Ideally I would like the target systems to be able to provision access outside of IM (although this should be on an exception basis and certainly not BAU, and should have its own incidents or tickets), although I would like IM to capture these changes for review and to complete an audit trail (so we can gather required evidence etc.), and after investigations have been completed either approve the change (replicate into IM) or reject it (send a deprovisioning request to the target system). Is there any reason that this would not be possible with IM currently?


Lastly, I would expect to have a large number of databases to connect to and at least 200 different system architectures to synchronize with. My question here is what to consider before building the links. Active Directory seems fairly easy to link into and manage, although I am struggling with non-AD. These systems will range from IBM-based RACF and ACF2 permissions down to bespoke applications with only a handful of users. I have heard about creating an application API for IM to tie into, or about granting IM direct access to underlying tables, although I would really appreciate it if someone could point me in the right direction to learn more about these options and if you have any advice from practice. Also, if there are any similar options, please let me know.
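The reconciliation loop described in the post (RBAC-derived expected access, a read of the target system, drift classified into "push provisioning", "out-of-band grant pending review" and "account unknown to IM", then approve-or-deprovision decisions) and the "direct access to underlying tables" connector option, as an added worked example. This is not code from the original post or from any identity manager product. The role map, role assignments, target table rows and the `app_user_roles` table name are constructed for illustration; the target is simulated with an in-memory SQLite database standing in for a bespoke application's own permissions table.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample RBAC model held in IM (hypothetical roles and entitlements).
ROLE_ENTITLEMENTS = {
    "payments_clerk": {"PAY_READ", "PAY_SUBMIT"},
    "payments_approver": {"PAY_READ", "PAY_APPROVE"},
}
IM_ROLE_ASSIGNMENTS = {
    "alice": {"payments_clerk"},
    "bob": {"payments_approver"},
    "carol": {"payments_clerk"},
}

# Constructed sample rows in the target application's own table (username, entitlement).
# bob is missing PAY_APPROVE (provisioning drift), carol holds PAY_APPROVE that IM never
# granted (out-of-band change), and dave is an account IM has no record of (orphan).
TARGET_ROWS = [
    ("alice", "PAY_READ"), ("alice", "PAY_SUBMIT"),
    ("bob", "PAY_READ"),
    ("carol", "PAY_READ"), ("carol", "PAY_SUBMIT"), ("carol", "PAY_APPROVE"),
    ("dave", "PAY_READ"),
]


def expected_entitlements(assignments, role_map):
    """Expand role assignments into the entitlements IM expects each user to hold."""
    return {user: set().union(*(role_map[r] for r in roles)) for user, roles in assignments.items()}


def build_target_db(rows):
    """Stand-in for the target system: its permissions table, populated with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user_roles (username TEXT NOT NULL, entitlement TEXT NOT NULL)")
    conn.executemany("INSERT INTO app_user_roles VALUES (?, ?)", rows)
    conn.commit()
    return conn


def read_target(conn):
    """Direct-table connector read: a single SELECT, nothing written to the target here."""
    actual = {}
    for user, ent in conn.execute("SELECT username, entitlement FROM app_user_roles"):
        actual.setdefault(user, set()).add(ent)
    return actual


@dataclass
class Drift:
    missing: dict = field(default_factory=dict)     # expected by IM but absent on the target
    unexpected: dict = field(default_factory=dict)  # present on the target, not granted via IM
    orphans: set = field(default_factory=set)       # target accounts IM has no identity for


def reconcile(expected, actual):
    """Compare IM's expected state with the target's actual state, per user."""
    drift = Drift()
    for user in expected.keys() | actual.keys():
        exp, act = expected.get(user, set()), actual.get(user, set())
        if user not in expected:
            drift.orphans.add(user)
            drift.unexpected[user] = set(act)  # everything an unknown account holds is unexpected
            continue
        if exp - act:
            drift.missing[user] = exp - act
        if act - exp:
            drift.unexpected[user] = act - exp
    return drift


def plan_actions(drift, review_decisions):
    """Turn drift into connector actions.

    review_decisions maps (user, entitlement) -> True (approved: replicate into IM as an
    exception grant) or False (rejected: send a deprovisioning request). Items without a
    decision stay pending so nothing is revoked before the investigation finishes.
    """
    actions = [("provision", u, e) for u, ents in sorted(drift.missing.items()) for e in sorted(ents)]
    for user, ents in sorted(drift.unexpected.items()):
        for ent in sorted(ents):
            decision = review_decisions.get((user, ent))
            if decision is True:
                actions.append(("replicate_to_im", user, ent))
            elif decision is False:
                actions.append(("deprovision", user, ent))
            else:
                actions.append(("pending_review", user, ent))
    return actions


def run_example():
    """One reconciliation pass over the constructed data; carol's grant was reviewed and rejected."""
    expected = expected_entitlements(IM_ROLE_ASSIGNMENTS, ROLE_ENTITLEMENTS)
    drift = reconcile(expected, read_target(build_target_db(TARGET_ROWS)))
    return drift, plan_actions(drift, {("carol", "PAY_APPROVE"): False})


if __name__ == "__main__":
    drift, actions = run_example()
    for action in actions:
        print(action)
```

The design point worth carrying into a real connector: the read path against the application's own table is a single read-only query under a dedicated least-privilege database account, while the provisioning and deprovisioning actions are emitted as a plan rather than executed in the same pass, so the IM can route each one through its approval and ticketing flow and write through the application's API where one exists. Unreviewed out-of-band grants are deliberately left as `pending_review` rather than auto-revoked, which is the behaviour the post asks for (capture, investigate, then approve or reject).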