User provisioning

I wonder if anyone has had experience integrating your applications to provision corporate user accounts and roles using corporate IAM tools, for example CA, Oracle or Tivoli IAM? What would you suggest as a preferred method: developing a web service or provisioning directly to the DB?
Hi Ignas, thank you very much for your question. From your description I cannot clearly understand the scenario you are looking at. Which of the two below are you trying to achieve?
  1. Users are provisioned manually in a third-party IAM tool and you want those users automatically provisioned in the OutSystems platform users database;
  2. Users are provisioned manually in the OutSystems platform and you want those users automatically provisioned in a third-party IAM tool;
Let me share with you an experience I had with a large customer in the Healthcare space. We implemented both use cases above: we automatically provisioned OutSystems users and we automatically provisioned users in third party systems. The user provisioning workflow that was implemented was the following:
  • User Initial Manual Provisioning in Active Directory - Service Desk personnel would manually provision users in the IAM tool (Microsoft Active Directory) and configure them (e.g. a new Cardiologist user in the organization would be configured in the "Physicians" and "Cardiology" Active Directory groups);
  • Automatically provisioning users in the OutSystems platform - A batch process in the OutSystems platform would contact the IAM tool (Active Directory) and fetch all new/changed users and configurations and automatically create/update them in the OutSystems Security Model database. Integration with the IAM tool in this case was through LDAP;
  • Automatically provisioning users in third party systems - A batch process in the OutSystems platform would then be responsible for provisioning all new/updated users in several third party systems (using the specific APIs of each system).
You can see below a high-level diagram of how the synchronization worked.

From a technical perspective, the interaction with the OutSystems Security Model to create OutSystems Users and grant them OutSystems Roles can easily be done using an API provided by the OutSystems platform that lets you programmatically manage Users, Roles and Groups. You can read about this API here, and you can see below the visual representation you get in Service Studio when you reference the key OutSystems security entities.

As explained before, the provisioning of OutSystems Users in third-party systems was done using the specific APIs provided by those systems. In some systems users were created directly in the database, but when possible proper APIs should be used (e.g. Web Service APIs).

I hope this helps!

Kind Regards,

Daniel Lourenço
Hi Ignas,

You also might want to check out the Active Directory Import component.

Provisioning of Active Directory users can be done 100% transparently: just set it to use AD as the user source in the Users eSpace, and when someone logs in, it authenticates them against AD and automatically generates a user; you just need to grant them roles through code (use the LDAP component to query important information and use that to determine what roles to grant) or through Users. I did this about a year ago for a demo, so I am not 100% certain on the details, but it worked very smoothly and was easy to figure out.

Hi Daniel, thanks a lot for your response!

My scenario is the 1st one: users and their corporate roles are manually managed (created, modified, deleted, suspended) in a third-party IAM tool (corporate user store) and changes should be automatically provisioned to the OutSystems platform users database and corporate AD. The IAM tool is capable of pushing changes to a variety of systems using JCS connectors.
An OutSystems batch job fetching user data from the IAM is not a desired solution in our case, as it's against the compliance and security policies. The IAM tool, as the central user and access management tool, must be "aware" of every user's account status across the organisation (all the connected endpoints).
Currently users authenticate against corporate AD, but user accounts and role/group membership are managed manually on OutSystems. Our goal is to automate provisioning to OutSystems.
Is there any way to access those APIs from external application (like IAM) directly? According to documentation you referred these APIs are only exposed to Applications built and running on OutSystems. Or do I get it wrong?

Kind Regards,
Ignas Vaitkevicius

Hi Ignas,

You can implement an OutSystems application that exposes a web service to signal a change in a user and then pull those changes from the IAM. I don't think there's already something built like this, you'll have to get your hands on it ;)

Hi André,

Thanks for the quick reply. A web service pulling changes from the IAM is not exactly what I'm looking for. The requirement is to push from the IAM. Probably an OutSystems application that exposes a web service to the IAM to push changes would be something more appropriate.
On the other hand, it's common to configure a custom connector (on the IAM side) pushing changes directly to DB tables when user, role, group and membership data is stored in a relational DB and there is no web service available. Is there any reason why this should be avoided on OutSystems?

Hi Ignas,

I would avoid going directly to the database. I would create a logic interface for this. Remember that these are System tables and there's an API to write to those, assuring that if you upgrade your platform they'll continue to work as expected.

Hi Ignas, if you want the IAM to synchronously push users to the OutSystems platform, I agree with André - the best way is in fact to expose web services that the IAM tool can invoke when it needs to create, update or deactivate a user (see here a demo video of how to create a web service).

In this OutSystems Web Service, you can easily use the OutSystems Security API (an example of what this could look like is below).

As Justin said, using the OutSystems Integrated Authentication you can automatically get your users in just by having them "access" the application for the first time, but these users will have no configuration and no security roles. This means that the only way to get a fully configured "ready to log in" user is this strategy where the IAM creates a fully configured user. Of course, you can then have these users logging in with integrated authentication, if that is a requirement.

Kind Regards,

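The two provisioning directions discussed in this thread, as an added Python example that is not code from any of the posts above and not OutSystems' own API: the batch pull from Daniel's first reply, where directory group membership is mapped onto application roles, and the IAM-pushed create/update/deactivate request from his second reply, handled by the exposed web service and applied through a logic interface rather than by writing system tables. `UserStore`, `GROUP_TO_ROLES`, the sample directory entries and the event payloads are all assumptions standing in for the platform's Users/Roles API and for real IAM data.

```python
from dataclasses import dataclass, field

# Constructed group-to-role mapping; the group names mirror the thread's
# Cardiologist example, the role names are assumptions.
GROUP_TO_ROLES = {
    "Physicians": {"Clinician"},
    "Cardiology": {"CardiologyViewer"},
    "ServiceDesk": {"Administrator"},
}

# Constructed sample data: the shape an LDAP fetch of new/changed accounts
# would return, and two requests an IAM connector might push. Not real records.
SAMPLE_DIRECTORY_ENTRIES = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "mail": "jdoe@example.org", "memberOf": ["Physicians", "Cardiology"]},
    {"sAMAccountName": "rroe", "displayName": "Rick Roe", "disabled": True,
     "mail": "rroe@example.org", "memberOf": ["ServiceDesk"]},
]
SAMPLE_IAM_EVENTS = [
    {"action": "create", "username": "jdoe", "name": "Jane Doe",
     "email": "jdoe@example.org", "groups": ["Physicians"]},
    {"action": "deactivate", "username": "jdoe"},
]

@dataclass
class User:
    username: str
    name: str
    email: str
    is_active: bool = True
    roles: set = field(default_factory=set)

class UserStore:
    """Hypothetical stand-in for the platform's Users/Roles API (the logic interface)."""

    def __init__(self):
        self._users = {}

    def get(self, username):
        return self._users.get(username.lower())

    def upsert(self, username, name, email, is_active=True):
        user = self.get(username)
        if user is None:
            user = User(username.lower(), name, email, is_active)
            self._users[user.username] = user
        else:
            user.name, user.email, user.is_active = name, email, is_active
        return user

def roles_for_groups(groups):
    """Translate directory group membership into the roles to grant."""
    roles = set()
    for group in groups:
        roles |= GROUP_TO_ROLES.get(group, set())
    return roles

def sync_from_directory(store, entries):
    """Pull model: apply a batch of directory entries; count created/updated."""
    counts = {"created": 0, "updated": 0}
    for entry in entries:
        existed = store.get(entry["sAMAccountName"]) is not None
        user = store.upsert(entry["sAMAccountName"], entry["displayName"],
                            entry["mail"], is_active=not entry.get("disabled", False))
        # Roles are recomputed from groups on every run, so a disabled or
        # regrouped account loses grants it should no longer have.
        user.roles = roles_for_groups(entry.get("memberOf", [])) if user.is_active else set()
        counts["updated" if existed else "created"] += 1
    return counts

REQUIRED_FIELDS = {
    "create": ("username", "name", "email"),
    "update": ("username", "name", "email"),
    "deactivate": ("username",),
}

def handle_iam_push(store, event):
    """Push model: validate one IAM connector request, then apply it via the store API."""
    action = event.get("action")
    if action not in REQUIRED_FIELDS:
        raise ValueError(f"unsupported action: {action!r}")
    missing = [f for f in REQUIRED_FIELDS[action] if not event.get(f)]
    if missing:
        raise ValueError(f"{action}: missing fields {missing}")
    username = event["username"]
    if action == "deactivate":
        user = store.get(username)
        if user is None:
            return {"username": username, "result": "not_found"}
        user.is_active = False
        user.roles = set()  # design choice here: an inactive account keeps no grants
        return {"username": user.username, "result": "deactivated"}
    # A "create" for a username that already exists (e.g. auto-created with no
    # roles at first integrated-authentication login) is applied as an update,
    # so a replayed or out-of-order request does not fail on a duplicate.
    existed = store.get(username) is not None
    user = store.upsert(username, event["name"], event["email"], is_active=True)
    user.roles = roles_for_groups(event.get("groups", []))
    return {"username": user.username, "roles": sorted(user.roles),
            "result": "updated" if existed else "created"}
```

The payload validation above is only half of what the exposed endpoint needs: the web service must also authenticate that the caller really is the IAM connector and reject any other client, since whoever can reach it can create administrators. Deactivation is deliberately a state change rather than a delete, so audit history and foreign keys in the application stay intact while the account can no longer be used.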

Some of our government customers built a component that integrates a smartcard physical access token and checking it against an Active Directory source. I have been trying to get them to upload it to the forge, but no luck so far. Short story is you can do some pretty sophisticated things with our APIs.