Date: Tue, 26 Jan 2016 14:38:07 +0100
Subject: Syncope vs NetIQ IM
From: Martin van Es
To: dev@syncope.apache.org

Hi,

I was invited by Francesco to elaborate on my NetIQ IM vs. Syncope findings to explore on what I think might help in Syncope so that it would become a stronger competitor/alternative.

Bear in mind that I'm a self-taught NetIQ developer, have not looked at many other products and lack the time to profoundly dive into Syncope. I might have missed some things here and there ;)

The most important difference I guess is that customizing NetIQ IM does not require me to program Java. Although I do have generic programming skills and know Java, managing "big" Java projects is not my strong side. I wouldn't know where to start if I wanted to create a custom functionality or anything not implemented out of the box in Syncope, e.g.

NetIQ does require programming, but that's always in the Eclipse-based IDE they supply (or web interface if you don't want the IDE) and is based on rules/policies with ECMAscripting and/or XSLT stylesheets that only take a reload to test. Deploying NetIQ IM feels more like "configuring", although many would say it is a daunting programming task ;)

NetIQ IM is built around a directory with LDAP interface, which makes it widely usable as a reference Identity Store without even needing to provision external applications. Together with reversible password policies this is a very strong characteristic because:

PWM (https://github.com/pwm-project/pwm) is, in my opinion, the best Password Self-Service tool around, which relies on communicating with a directory for (re)setting passwords, security questions and conforming to password policies. PWM is now commercially adopted by NetIQ as the standard password self-service interface for IM installations known as SSPR.

Although it takes getting used to, the "flow" of identities to and from the central directory (called publisher and subscriber channels) is extremely flexible to conditionally allow/place/rewrite identities in target applications or the local store. This concept of incoming and outgoing channels, each completely programmable what to do with identities once they "appear", is unmatched in my opinion.

A special case is a "Loopback" driver that fires as an identity gets created in the local directory, but loops back to the directory, modifying/enhancing and emailing managers while doing so on the fly. I know Syncope has virtual attributes, but it doesn't even come close to what is possible in loopback drivers. This loopback driver e.g. can take care of enabling accounts in connected systems on first workday (based on startdate attribute) while being present in the store long before, not because it's a feature of IM, but because the loopback driver can inspect certain attributes and take actions under certain circumstances in a not too difficult syntax embedded as a string of policies.

Although a nightmare to develop, approval workflows are common ground in NetIQ IM. There is no such thing as a single identity lifecycle (as I understand Syncope) but many (approval) workflows depending on many use cases. Differences like employee asking for new permission right (role), which has to be approved by direct in line manager AND anyone from IT staff pool (while sending mails to the web content manager to update workers page). Which is different from Manager asking for an employee's role to be removed or an IT Staff that has to push a break-the-glass emergency button (disable account anywhere, ignoring startdate). All these workflows have (web-based) forms, which is why I'm investigating if Activiti could somehow be used together with Syncope, but last time I checked making API/REST calls from Activiti workflow was still in development.

So, looking at the above rambling one could distill the ultimate Syncope feature that would make it stand up against commercial products: make it as easy as possible to extend functionality by injecting (ECMA)script hooks in as many identity/policy decision points as possible, preferably chaining them together in a multitude of provisioning flows where applicable.

Hope this all makes some sense ;)

Best regards,
Martin

--
If 'but' was any useful, it would be a logic operator