I am new to OIM, so while installing and working through real-time scenarios I kept seeing the terms "configuration" and "integration". I want to know the exact difference; please clarify these terms as they relate to OIM as well as OAM.
In order to know the difference between Configuration and Integration, here are a few examples with reference to OAM and OIM.
The term "integration", as in "integration of OIM with OAM", would mean how the OIM software connects with OAM, or the plumbing between OIM and OAM. The primary function of OIM is to provide identity governance and life cycle management of users, and the primary function of OAM is to provide access management for users accessing applications in your environment. Now if OAM and OIM are integrated together (following the steps of integration between OAM and OIM as published/supported by Oracle), then in your environment you achieve user access management to applications along with their life cycle management capabilities, i.e. if a user is deprovisioned from OIM, this user is automatically unable to access any of the applications, because OAM and OIM are now integrated together.
Compare this to the scenario where these two products are not integrated together, i.e. used standalone, meaning there is no plumbing or connection between OAM and OIM: as you can see, both functions, user life cycle management and access management, are now handled in silos, independent of each other. With the Oracle Identity Management suite you get the power of integration with several supported products, e.g. with integration between OAM, OIM and OID, all three products are integrated together to provide a cohesive and powerful Identity Management solution in your environment.
Now about the second term, "configuration". Configuration means to configure settings; for example, when you are installing OIM you could be configuring various ini files, timeout settings, various parameters, etc. One would also be configuring various settings/parameters during integration steps, for example during the OAM and OIM integration.
Some examples of configuration:
"Configuring the Server-Side session lifecycle"
"Preparing to Install and Configure Oracle Identity and Access Management"
Related
Is there a way to share Jenkins service endpoint credentials across multiple TFS projects? We have close to 30 projects, and each build requires us to configure the same set of credentials.
I would like to set an environment variable or something that would allow us to manage those credentials in one place for all TFS projects.
For a specific project, you click the gear here:
And then enter the credentials here:
This is not possible yet; there is a Feature Request about it that you can upvote.
To automate the process you can create the Jenkins endpoints with the REST API: Endpoints - Create.
No. Service connections are scoped at the Team Project level. Team Projects are intended to be largely isolated from one another, so there is limited ability to share things between them. If you need to manage a service endpoint across many projects, you'll need to look at the REST APIs and write a programmatic solution.
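Since both answers point at the REST API and a programmatic solution, here is an added example (not from either answer, and not a Microsoft tool) that defines the Jenkins credentials once and creates the same service endpoint in every team project of a collection. The collection URL, the API versions (4.1 for projects, 4.1-preview.1 for service endpoints), the endpoint type "jenkins" and the "UsernamePassword" scheme are assumptions to verify against the TFS version in use; the personal access token is read from the environment so the secret is never written into the script.

```python
"""Create one Jenkins service endpoint in every TFS/Azure DevOps team project.

Added example; the REST paths, API versions and body shape are assumptions
that must be checked against the TFS version actually deployed.
"""
import base64
import json
import os
import urllib.parse
import urllib.request


def auth_header(pat):
    """TFS accepts a personal access token as HTTP Basic with an empty user."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def endpoint_body(name, jenkins_url, username, password):
    """Request body for 'Endpoints - Create' describing a Jenkins connection.
    Credentials are supplied by the caller, so they live in one place."""
    return {
        "name": name,
        "type": "jenkins",  # assumed endpoint type name
        "url": jenkins_url,
        "authorization": {
            "scheme": "UsernamePassword",  # assumed scheme name
            "parameters": {"username": username, "password": password},
        },
    }


def api(collection_url, path, pat, api_version, body=None):
    """Minimal JSON client; POST when a body is given, GET otherwise."""
    url = f"{collection_url}/{path}?api-version={api_version}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url,
        data=data,
        method="POST" if body is not None else "GET",
        headers={**auth_header(pat), "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_projects(collection_url, pat):
    """Names of all team projects in the collection (assumed '_apis/projects')."""
    page = api(collection_url, "_apis/projects", pat, "4.1")
    return [p["name"] for p in page["value"]]


def create_everywhere(collection_url, pat, body, projects=None):
    """Create the endpoint in each project; returns {project: endpoint id}."""
    projects = projects if projects is not None else list_projects(collection_url, pat)
    created = {}
    for project in projects:
        path = f"{urllib.parse.quote(project)}/_apis/serviceendpoint/endpoints"
        created[project] = api(collection_url, path, pat, "4.1-preview.1", body)["id"]
    return created


if __name__ == "__main__":
    # All secrets come from the environment; nothing is hard-coded.
    collection = os.environ["TFS_COLLECTION_URL"]   # e.g. https://tfs.example.internal/tfs/DefaultCollection
    pat = os.environ["TFS_PAT"]
    body = endpoint_body(
        name="jenkins-shared",
        jenkins_url=os.environ["JENKINS_URL"],
        username=os.environ["JENKINS_USER"],
        password=os.environ["JENKINS_TOKEN"],
    )
    for project, endpoint_id in create_everywhere(collection, pat, body).items():
        print(f"{project}: {endpoint_id}")
```

Run it once from a machine that holds the PAT; rotating the Jenkins token later is the same script with a PUT against each endpoint id it printed, which is the part the UI makes you repeat thirty times.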
I am trying to set up Spring Cloud Data Flow (SCDF) to run in Local mode and have a few questions which may help me decide if it's a suitable platform for my requirements.
Even though the recommendation is to use Cloud Foundry, Kubernetes, etc. as the task execution environment, my preference for production is local mode, mainly because I don't have a lot of workload and can't deal with all the additional complexity. Now, in local mode, will I be able to run all types of SCDF apps, namely Streams, Jobs and Tasks, with no limitations? Some parts of the documentation mention that only Jobs can be run in local mode.
Security: I am looking to put controls in place around deployment of apps and operational access to the tool (dashboard), and do see the support for LDAP with roles as an option, but the whole concept of using Cloud Foundry UAA, another product, to drive user management seems like overkill. Is there no way to configure the tool with an existing LDAP server? I found the following in one of the LDAP issues on GitHub, but it's not clear whether it uses UAA in its Docker image. Worst case, I won't mind if the dashboard can be run in a view/read-only mode.
https://github.com/spring-cloud/spring-cloud-dataflow/issues/2871
If Spring Cloud Data Flow were a purely monolithic application, integrating all aspects of security directly into the app is definitely easier to wrap one's mind around. This is how Spring Cloud Data Flow originally started out from a security perspective, and thus versions of Spring Cloud Dataflow <2.0.0 supported what we labelled traditional security.
However, even before 2.0.x Spring Cloud Data Flow:
Had to integrate with external platforms such as Cloud Foundry
Became more and more microservices oriented (e.g. by using Skipper)
As a result 2 parallel security architectures had emerged, one using traditional security and the other one driven by OAuth2/OpenID Connect.
This started to become increasingly harder to maintain, and for 2.0.x we decided to exclusively focus on OAuth2/OpenID Connect. However, we still had to support a rich set of enterprise features such as Roles, LDAP integration etc. As such, we find that the open-source, production-ready Cloud Foundry User Account and Authentication (UAA) Server is an excellent choice. Its LDAP support and features actually exceed the features offered by Spring Cloud Dataflow <2.0.0.
So yes, in order to setup security for Spring Cloud Data Flow locally, you need to run the UAA. And the UAA would also provide the LDAP support. Technically, Spring Cloud Data Flow has no awareness of the LDAP setup at all.
I hope this provides some background regarding how the Spring Cloud Data Flow security architecture emerged. Please have a look at the reference documentation and the aforementioned SCDF Security with UAA + LDAP example. Don't hesitate to reach out in case of further questions!
Disclaimer: I am a committer on the project.
Starting from v2.0, we delegate to UAA for authentication and authorization. There are a variety of write-ups on this matter; a more comprehensive one to look at is the end-to-end sample on how all this could be put together locally. You do not need CF or K8s; all this can run locally also. We rely on UAA as the gateway to standardize on end-to-end SSO across all the client tools, including shell, dashboard, RESTful APIs, CTR, etc.
Sample: SCDF Security with UAA + LDAP. For further reading, please refer to the security section in the ref. guide.
Lastly, we do not recommend Local for a production install, but I understand that resiliency and/or restartability of apps under failure conditions is not a requirement for some workloads.
I have several databases running in the RDS service.
I'd like to know the best practice to grant developers access to these DBs.
I thought of a solution using Jenkins but I don't think this is the best option.
I am trying to avoid giving passwords to developers.
Hope you can help me.
As #ceejayoz mentioned, you can create a few users with restricted privileges, for example a user who can only run selects on a few schemas, another user who can update records in a few tables.
I can share what we do and what I've seen. We do A and use B where it is easy.
A) Standard Users
For all databases, we have 3 standard users with the following suffixes (_dba, _rw, _ro). Those all have their own passwords using a strong password generator.
_dba is used to deploy the schema and has all rights
_rw is used by the application (CRUD on all tables, but can't modify the schema)
_ro only has read access on all tables and is generally given to developers
Note: Developers have access to a bastion used for port forwarding and proxycap. They can query the RDS endpoints from their own machines (DB Tools) going through socks proxy and bastion.
This is a lazy method, since creation of users is done programmatically and we feel comfortable giving some developers read-only access. They could write a bad query and slow down the system, but they could do that with a specific user too, so it is not much different, and the bastion logs tell me who really was in if I had to investigate.
B) UI
Simple web app with login (ideally MFA) that provides a way to run queries. If only for reporting, ideally against a R/O copy of the system. Stack Overflow offers one themselves (https://data.stackexchange.com/).
What would be nice is if RDS offered this themselves (linked to your IAM roles). They offer this on RDS Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/query-editor.html) and it may be a feature in other RDS versions. That allows fine control or even lazy control (IAM groups).
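The answer above says the three standard users are created programmatically with generated passwords. As an added example (not the answer author's own tooling), the script below produces that bootstrap for one database in PostgreSQL-flavoured SQL: a `_dba` role that owns the schema, a `_rw` role limited to data manipulation, and a `_ro` role limited to SELECT, with default privileges so tables `_dba` creates later inherit the same grants. The database name `orders` and the `public` schema are constructed sample values; the generated statements assume PostgreSQL on RDS, where the master user is not a superuser and so is made a member of `_dba` before setting default privileges on its behalf.

```python
"""Generate the _dba/_rw/_ro bootstrap SQL for one RDS PostgreSQL database.

Added example; database and schema names are constructed, the SQL is
PostgreSQL-flavoured and should be reviewed before running against RDS.
"""
import re
import secrets

# The three standard accounts described in the answer and what each is for.
ROLES = {
    "_dba": "deploys the schema, owns objects",
    "_rw": "application: CRUD on data, no DDL",
    "_ro": "developers: SELECT only",
}

_IDENT = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def check_ident(name):
    """Refuse anything but a plain lowercase identifier so a database or schema
    name can never smuggle SQL into the generated script."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def new_password(nbytes=24):
    """Strong random password; token_urlsafe only emits [A-Za-z0-9_-]."""
    return secrets.token_urlsafe(nbytes)


def quote_literal(value):
    """Single-quote a string for SQL, doubling any embedded quote."""
    return "'" + value.replace("'", "''") + "'"


def role_names(db):
    """Map each suffix to the concrete role name, e.g. orders_ro."""
    check_ident(db)
    return {suffix: f"{db}{suffix}" for suffix in ROLES}


def bootstrap_sql(db, schema="public", passwords=None):
    """Return (statements, passwords). `passwords` maps suffix -> password;
    any suffix not supplied gets a freshly generated one."""
    check_ident(schema)
    names = role_names(db)
    passwords = dict(passwords or {})
    stmts = []
    for suffix, role in names.items():
        pw = passwords.setdefault(suffix, new_password())
        stmts.append(f"CREATE ROLE {role} LOGIN PASSWORD {quote_literal(pw)}")
    dba, rw, ro = names["_dba"], names["_rw"], names["_ro"]
    stmts += [
        # Nobody creates tables in the schema by default; only _dba may.
        f"REVOKE CREATE ON SCHEMA {schema} FROM PUBLIC",
        f"GRANT ALL PRIVILEGES ON DATABASE {db} TO {dba}",
        f"GRANT ALL ON SCHEMA {schema} TO {dba}",
        # The RDS master user is not a superuser, so it must be a member of
        # _dba to alter default privileges on _dba's behalf.
        f"GRANT {dba} TO CURRENT_USER",
    ]
    for role, privs in ((rw, "SELECT, INSERT, UPDATE, DELETE"), (ro, "SELECT")):
        stmts += [
            f"GRANT CONNECT ON DATABASE {db} TO {role}",
            f"GRANT USAGE ON SCHEMA {schema} TO {role}",
            f"GRANT {privs} ON ALL TABLES IN SCHEMA {schema} TO {role}",
            # Tables that _dba creates later inherit the same grants.
            f"ALTER DEFAULT PRIVILEGES FOR ROLE {dba} IN SCHEMA {schema} "
            f"GRANT {privs} ON TABLES TO {role}",
        ]
    # The application needs sequences for serial/identity columns; _ro does not.
    stmts += [
        f"GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA {schema} TO {rw}",
        f"ALTER DEFAULT PRIVILEGES FOR ROLE {dba} IN SCHEMA {schema} "
        f"GRANT USAGE, SELECT ON SEQUENCES TO {rw}",
    ]
    return stmts, passwords


def grants_to(stmts, role):
    """GRANT statements whose target is `role`, for auditing the output."""
    return [s for s in stmts if s.startswith("GRANT") and s.endswith(f"TO {role}")]


if __name__ == "__main__":
    statements, generated = bootstrap_sql("orders")
    print(";\n".join(statements) + ";")
    # Hand the generated passwords to the secret manager, not to a chat window.
```

Piping the output into psql as the master user does the whole setup; the `grants_to` helper is there so a reviewer can confirm, before running it, that `orders_ro` receives nothing beyond CONNECT, USAGE and SELECT.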
From what I understand, Intuit is no longer allowing proprietary integrations with QuickBooks Desktop editions through the Sync Manager and only allowing apps that are put into the marketplace. Is this really the case? If so, is there a timeline for when they will start allowing this? Also, it seems that the supported objects for desktop editions are way behind those supported for the online edition. Will these be available any time soon (i.e. reports such as balance sheet, profit/loss, budget, etc.)?
I ask because we have been using the web connector for a couple of years now and it is not built for the type of use we need. To be specific, we are a franchising company that has a hosted QB solution for each of our franchises. We then pull data and pass jobs to and from our proprietary POS application through the web connector. We run into all sorts of problems with multiple web connectors being open on the same system trying to connect to different files and a host of other issues. Because of this, we are hoping that a more reliable integration can be developed through the Sync Manager.
From what I understand, Intuit is no longer allowing proprietary integrations with QuickBooks Desktop editions through the Sync Manager and only allowing apps that are put into the marketplace. Is this really the case?
Correct. QBD integration with SM and V3/V2 REST endpoints is not supported.
Apps.com is mainly the SaaS marketplace (mainly focused on QBO).
No new integration using QBD V3 can be created.
Also, it seems that the supported objects for desktop editions is way behind those supported for the online edition. Will these be available any time soon (i.e. reports such as balance sheet, profit/loss, budget, etc.)?
V3 QBD APIs are already marked as deprecated. There will not be any development on this.
Ref - https://developer.intuit.com/docs/0025_quickbooksapi/0058_faq#Does_QuickBooks_API_support_QuickBooks_Desktop_and_QuickBooks_Online.3F
Please refer to the following thread on a similar topic.
Integrating with QB Desktop products
Thanks
Like SO, I am going to depend on many OpenID providers to provide user authentication, and I will use my own authorization methods. But I'm still in the development phase and don't want to work with real OpenID providers currently. What approach can I use to test my users and their activities on the website (w/o TDD), to emulate real users but not really use OpenID providers?
No need to make an automatic transfer of users into real OpenID servers (when moving to production mode), since the current users are just for testing purposes and unit-test code.
I guess I need a User Service layer which provides a highly abstracted way to deal with users, so that the move to the real OpenID providers can be smooth in the future and doesn't affect the logic of my already written code.
Using C#.Net 4, ASP.Net MVC 3, Ninject
DotNetOpenAuth provides both server and client portions of OpenID and can be used to run your own OpenID provider for local testing.
Give your site members their own OpenIDs with the provider support included in this library.
Sample relying party and provider web sites show you just how to do it.
I simply register my test id as user with various organisations. I don't see anything wrong with that. I get to see the various responses and their differences.
I found it terribly easy to code for openid consumer. Just need to understand the sequence of responses. Draw the UML sequence diagram to aid your understanding before you start coding. No need to fake openId. Otherwise, whip up an openid server yourself.
Your services shouldn't depend on OpenID. Just have OpenID plug into an authentication module to provide a local user principal. In development, you can have the auth module return a fake user principal with the permissions you desire.
In a beta environment you could turn on OpenID and use test accounts from any OpenID provider. Having to log in during the development phase will just slow down all the developers. Any authentication bug or internet outage will kill everyone's productivity.
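The last answer describes an authentication module that hands the rest of the application a local principal, with a fake principal in development and OpenID-backed mapping later. As an added example (not the answer author's code, and written in Python rather than the asker's C#/Ninject stack so the pattern itself is visible), the sketch below shows the two interchangeable modules, the local user store that keeps authorization decisions on your side, and a factory that refuses to wire the fake module outside the Development environment, which is the failure mode to guard against. The `request` dictionary, the `openid.claimed_id` key and the `LOCAL_USERS` entries are constructed stand-ins; verifying the OpenID assertion itself is the relying-party library's job (DotNetOpenAuth in the asker's stack) and is not reproduced here.

```python
"""Pluggable authentication module returning a local principal.

Added example. The request dict and user store are constructed; real
OpenID assertion verification happens in the relying-party library.
"""
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """What the rest of the app sees; it never touches OpenID directly."""
    user_id: str
    display_name: str
    roles: frozenset = field(default_factory=frozenset)

    def is_in_role(self, role):
        return role in self.roles


class AuthModule:
    def authenticate(self, request):
        """Return a Principal for this request, or None if anonymous."""
        raise NotImplementedError


class FakeAuthModule(AuthModule):
    """Development only: every request is whoever the developer configured."""

    def __init__(self, principal):
        self.principal = principal

    def authenticate(self, request):
        return self.principal


# Local user store keyed by OpenID claimed identifier (constructed sample).
# Roles live here, not at the provider: authorization stays yours.
LOCAL_USERS = {
    "https://openid.example.test/alice": Principal("u1", "Alice", frozenset({"admin"})),
    "https://openid.example.test/bob": Principal("u2", "Bob", frozenset({"member"})),
}


class OpenIDAuthModule(AuthModule):
    """Production: maps an already-verified claimed identifier (placed on the
    request by the relying-party library) to a local principal."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, request):
        claimed_id = request.get("openid.claimed_id")  # assumed key name
        if claimed_id is None:
            return None
        # Unknown identifiers are anonymous until an account is linked locally.
        return self.users.get(claimed_id)


def build_auth_module(env, fake_principal=None, users=LOCAL_USERS):
    """Select the module for `env`; a fake principal is only honoured in
    Development, anywhere else it is a misconfiguration and fails loudly."""
    if fake_principal is not None:
        if env != "Development":
            raise RuntimeError("fake principal requested outside Development")
        return FakeAuthModule(fake_principal)
    return OpenIDAuthModule(users)


if __name__ == "__main__":
    env = os.environ.get("APP_ENV", "Development")
    dev_user = Principal("dev", "Local Developer", frozenset({"admin"}))
    module = build_auth_module(env, fake_principal=dev_user if env == "Development" else None)
    print(module.authenticate({}))
```

The controller code calls `authenticate` and `is_in_role` and nothing else, so switching to the beta environment is a one-line change in the factory call rather than a change in any handler.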