On 26/01/2016 14:38, Martin van Es wrote:
Hi,
I was invited by Francesco to elaborate on my NetIQ IM vs. Syncope findings
to explore on what I think might help in Syncope so that it would become a
stronger competitor/alternative. Bear in mind that I'm a self taught NetIQ
developer, have not looked at many other products and lack the time to
profoundly dive into Syncope. I might have missed some things here and
there ;)
Hi Martin,
first of all thanks for this input: I personally don't have any
experience with NetIQ - while, at different degrees, I am familiar with
Sun IdM, OpenIDM, midPoint and few others.
The most important difference I guess is that customizing NetIQ IM does not
require me to program Java. Although I do have generic programming skills
and know Java, managing "big" Java projects is not my strong side. I
wouldn't know where to start if I wanted to create a custom functionality
or anything not implemented out of the box in Syncope e.g.
NetIQ does require programming, but that's allways in the Eclipse based IDE
they supply (or webinterface if you don't want the IDE) and is based on
rules/policies with ECMAscripting and/or XSLT stylesheets that only take a
reload to test. Deploying NetIQ IM feels more like "configuring", although
many would say it is a daunting programming task ;)
I think this poses a strong point: till now we have always considered
Java as the sole way to extend Syncope capabilities, and we designed
consequently.
The only exception to this is the Camel-based provisioning extension,
which allows to manipulate routes at runtime and control the whole
provisioning process.
While I believe it is crucial for Syncope to keep its pervasive
extendibility, I also recognize that this might be seen as a barrier for
adoption: if you want to enhance Syncope in any way, you need to be an
experienced Java developer, familiar with Maven and Spring (at least).
It could be an idea to offer the possibility, besides the current
Java-based options, to extend Syncope (PropagationActions, SyncActions,
PushActions, scheduled tasks, ...) by mean of Java 8's enhanced
ScriptEngine [1][2].
From the admin console, one can be given a nice web-based Javascript
editor to input the given extension, save and have it immediately available.
This will also enhance the effectiveness of standalone, installer and
deb distributions, which are currently very hard to extend beyond pre-sets.
If we see this as a good idea, we might design it
* as an extension for 2.0 (not necessarily to be released with 2.0.0,
it could also be for 2.0.4, say), especially because 2.0 only requires
Java 7
* as part of 2.1 - for which there are already few very good reasons
to move to Java 8 as requirement
NetIQ IM is built around a directory with LDAP interface, which makes it
widely usable as a reference Identity Store without even needing to
provision external applications. Together with reversible password policies
this is a very strong characteristic because:
PWM (https://github.com/pwm-project/pwm) is, in my opinion the best
Password Self-Service tool around, which relies on communicating with a
directory for (re)setting passwords, security questions and conforming to
password policies. PWM is now commercially adopted by NetIQ as the standard
password self-service interface for IM installations known as SSPR.
This is another good input: we have been discussing in the past [3] the
possibility to provide an LDAPv3 interface to Syncope, and the renewed
code architecture in 2.0 makes it possible.
It's quite a considerable endeavour though, and I am personally not 100%
convinced is worth the effort.
...by the way you're saing PWM is the best tool around only because you
haven't had the chance to take a look at the brand new Syncope Enduser ;-)
Although it takes getting used to, the "flow" of identities to and from the
central directory (called publisher and subscriber channels) are extremely
flexible to conditionally allow/place/rewrite indentities in target
applications or the local store. This concept of incoming and outgoing
channels, each completely programmable what to do with identities once they
"appear" is unmatched in my opinion.
With propagation, sync and push actions - alongside with matching and
unmatching rules, I believe Syncope is quite well equipped.
Clearly, you need to program such features in Java ATM, so it is
possible that you haven't got this power.
A special case is a "Loopback" driver
that fires as an identity gets created in the local directory, but loops
back to the directory, modifying/enchancing and emailing managers while
doing so on the fly. I know Syncope has virtual attributes, but it doesn't
even come close to what is possible in loopback drivers. This loopback
driver e.g. can take care of enabling accounts in connected systems on
first workday (based on startdate attribute) while being present in the
store long before, not because it's a feature of IM, but because the
loopback driver can inspect certain attributes and take actions under
certain circumstances in a not too difficult syntax embedded as a string of
policies.
Again, similar features can be achieved by empowering scheduled tasks;
once more, only in Java ATM.
Although a nightmare to develop, approval workflows are common ground in
NetIQ IM. There is no such thing as a single identity lifecycle (as I
understand Syncope) but many (approval) workflows depending on many
usecases. Differences like employee asking for new permission right (role),
which has to be approved by direct in line manager AND anyone from IT staff
pool (while sending mails to the web content manager to update workers
page). Which is different from Manager asking for an employee's role to be
removed or an IT Staff that has to push a break the glass emergancy button
(disable account anywhere, ignoring startdate). All these workflows have
(webbased) forms, which is why I'm investigating if Activiti could somehow
be used together with Syncope, but last time I checked making API/REST
calls from Activiti workflow was still in development.
The Activiti workflow engine in Syncope does not directly exposes
Activiti's REST interface and does empower Activiti forms for approval.
And such forms are built out of workflow definition you can edit from
admin console either in XML or via the embedded Activiti Modeler.
However, I must admit that I've been thinking to move from the current
single identity lifecycle managed by the given workflow engine (where
Activiti is the suggested option) to a standard lifecycle where you can
attach different approval workflows to every phase of such lifecycle.
Moreover, this latter seems to be the approach taken by most, if not
all, of our competitors.
This must be set (at least) for 2.1, requiring major rewrite of several
internal processes, but I believe it is also very important.
So, looking at the above rambling one could distill the ultimate Syncope
feature that would make it stand up against commercial products: make it as
easy as possbile to extend functionality by injecting (ECMA)script hooks in
as many identity/policy decision points as possible, preferably chaining
them together in a multitude of provisioning flows where applicable.
Agree - see what I've written above about ScriptEngine.
Please consider that Activiti already allows to write tasks in Groovy,
not necessarily in Java, so you can do that from the Activiti Modeler.
Hope this all makes some sense ;)
I think this reply of mine speaks by itself, yes, it definitely does:
IMO we need even more feedbacks like this, to extend and improve Syncope
beyond its (already quite wide) features.
Thank you very much.
Regards.
[1]
https://blogs.oracle.com/java/entry/nashorn_the_javascript_implementation_in
[2]
https://docs.oracle.com/javase/8/docs/technotes/guides/scripting/prog_guide/api.html
[3] http://markmail.org/message/5hi7lhnyfefibl6t
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
