Reference
More than 30 IDM realisations in the Czech Republic and abroad

IdM midPoint development in Czech Television in 2017
Česká televize
Following on from 2016, in 2017 we continued the development of the entire IdM solution for the customer Czech Television. The main objective of the sub-projects was to extend the IdM solution with additional end systems and minor developments extending the original concept.
Project goal
To take full advantage of the functionality offered by the midPoint software, it was upgraded from version 3.4.1 to version 3.6. During the year, work continued on connecting other end systems, the dynamic organizational structure based on the SAP system was implemented in the solution, and other minor developments were made to make users' work more efficient. An interesting feature was the use of midPoint's capabilities to implement contract management, including the development of interactive links for users' work with contracts. These defined links allow users to click through dynamically between objects across the midPoint system.
Project description
When deciding which system to use for IdM, the Evolveum product, midPoint Identity Manager, was chosen. MidPoint is offered as open source, so it can be downloaded from the company's website for free and without any registration. Judging by the high activity on the product forums, midPoint is widely used, and the development team keeps adding new functionality. According to feedback from its users, midPoint is a very popular identity management tool and is implemented in both commercial companies and universities. The product either offered all the required functionality or allowed it to be implemented in a documented and officially supported way. The winner of the tender was the implementer AMI Praha a.s.
Solution description
Connecting new applications
The main point of IdM development in Czech Television was the connection of other important applications used by Czech Television.
It was necessary to connect the following applications:
- ProVys,
- Infos,
- Organizational Tree,
- Alvao.
The following figure schematically shows the current connection of applications to IdM midPoint and the data flow.
Connecting ProVys, Infos
The above applications use database tables as a data store, so a database connector was used to connect them. The connectors for the database tables are based on ForgeRock's ICF connectors. Their implementation and connection to the necessary database tables did not bring any significant problems. In this case, the ScriptedSQL connector was used, which is highly flexible when complex SQL queries are needed to retrieve data from the above applications. The applications are connected in read-only mode: IdM extracts data from them, transforms it, and then propagates it to Active Directory.
Connecting outsourcers to responsible parties
The CEE registers external workers and also provides information about their responsible person (internal employee). This information is linked similarly to the previous applications in read-only mode using a ScriptedSQL connector.
In this case, the IT management of Czech Television requested a modification and extension of the user interface to include a form (user tab) that displays a list of external staff for whom the current person is responsible (if he/she is an employee). The creation of this link allowed the CEE administrator to be automatically notified of the termination of an employee’s employment when he/she was the responsible person for some external staff.
Alvao application linking
The Alvao application is used to record ICT assets (HW, SW) and was connected in a similar way to the previous applications using a ScriptedSQL connector. However, in this case, it was necessary to write users from IdM to Alvao. On the Alvao side, a set of prepared triggers react to changes in the table and perform the required operations in the application’s internal database.
Reading the Organizational Tree
In the first stage of the IdM project, the choice was made to build the organizational structure by computing it from user information. For the needs of the other information systems, a view was added in which the actual Organizational Tree is read from SAP HR.
Connection of Brno and Ostrava sites
Until 2017, IdM managed identities only at Czech Television (CT) in Prague. In spring 2017, it was decided that IdM midPoint would also manage identities from the TV studios in Brno and Ostrava. The configuration adjustments in IdM were mostly technical, as the processing logic for the Prague, Brno and Ostrava users did not differ significantly. The connection of the new users was seamless, and IdM currently manages the identities in all three CT studios.
Notification extension
During 2017, notification emails for HelpDesk staff were modified and extended. In connection with the addition of CT Brno and Ostrava branches, notifications of user changes were sorted to the Helpdesks according to their local jurisdiction. Roles were also created for access to the IdM environment for helpdesk staff from Brno and Ostrava.
Extension of reports
Based on the requests of the Czech Television IT department management and helpdesk staff, additional user reports were created in PDF or XLS formats. At the request of the helpdesk staff, a simple report was programmed to provide daily information about the processing of nightly tasks in IdM. This gives the helpdesk staff an immediate overview of the status of user processing from each connected application.
Further development work
In addition to the above development work, many minor adjustments, optimizations, and improvements were made throughout 2017.
Conclusion
After the pilot deployment of the midPoint software in the Czech Television environment, continuous and successful development of the entire IdM solution was carried out in 2017, as required by the IT management. The expansion took place in the form of incremental changes, which has the advantage of allowing each partial modification to be thoroughly tested before its deployment into production. This process minimized the need for downtime and the occurrence of IdM solution outages.