Building SailPoint Workflows With Temporal.io

Jordan Violet
SailPoint Engineering Blog
4 min readSep 22, 2022

Author: Alex Kaszczuk

Identities within an organization typically follow similar paths, starting with onboarding and changes including roles, titles, and departments, followed eventually by deprovisioning. Almost all of the processes involved require some collaboration among teams and departments for specific tasks, and many of these processes require repetitive tasks that can be costly and time-consuming.

Identity Governance and Administration (IGA) originated from Identity Management (IDM), which originally set out to solve the problem of automating access to the ever-growing number of business applications. IDM was extended to IGA, where the focus was on applying a governance-based approach to repeatable processes, ensuring identities have the right access to the right resources at the right time.

Businesses have taken a different approach to how their employees work since Covid-19: workforces are more dynamic and employment is no longer tied to onsite locations. The average career tenure is about 4.1 years according to the Bureau of Labor Statistics. This means additional strain on organizations to onboard identities with a focus on achieving productivity quicker. The rapid changes in organizational processes and access needs for the remote workforce also mean additional challenges to traditional automation. New software that enables the remote workforce, and the need to define access based on a least-privilege security model, put additional pressure on organizations to find ways to reduce costs and complexity through added automation.

Oftentimes, these tasks are simplified as a point-and-click UI solution, relying on human interaction to facilitate these activities. Many of the tasks above can be defined within a workflow, distilled down to an expected set of tasks and criteria. Those tasks require orchestration of services to produce a meaningful outcome. There are two problems to solve here:

1. The Organization Problem

How does an organization create a workflow that facilitates a business need? Due to the repetitive nature, organizations desire to codify their business processes in a way that machines can understand them, execute those instructions reliably, and react to variations when they occur.

2. The Service Problem

How does the provider orchestrate services to efficiently meet an organization’s need? That human-readable workflow must be interpreted. The interpreter then marshals the appropriate services to perform the requested instructions. This requires organizing our microservice architecture so that high-level abstractions translate to the appropriate low-level interactions across our services. Additionally, workflows must run reliably, over long periods of time, and with resiliency mechanisms built into the architecture.

Solving the Organizational Problem

There are several ways to approach this particular problem. Some of our readers may be familiar with other low-code and no-code solutions that are out there to solve this problem. The key idea is to provide a well-structured, domain-specific language (DSL) that is specialized for describing processes that fulfill business needs. SailPoint uses JSON-based DSL blueprints to define an execution flow.

These blueprints can be represented within a visual workflow builder that allows organizations to specify their business processes as a managed workflow.

Visual Editor

Using the visual editor, authors can quickly create and test a workflow that targets specific business processes without having to become experts in the underlying DSL.

Solving the Service Problem: Temporal.io

SailPoint explored different frameworks, including in-house implementations for creating a workflow engine, before ultimately deciding Temporal.io was the best fit for our needs. Utilizing Temporal.io, the workflow engine needed to address the following requirements:

  • Tracking and management of workflows.
  • Ability to pause, retry, and resume processes that could potentially be long-running.
  • Ability to synchronously or asynchronously process tasks when needed.
  • Ability to scale to millions of concurrently running process flows.
  • Backed by a queuing service abstracted from the clients.

A fair amount of the resiliency and orchestration is handled by Temporal.io. This service cluster provides the necessary components to help orchestrate our microservices, described by the workflows that are executed in our workflow service group. Each step in a workflow can be described as its own activity that can then be used to facilitate a business function that is provided by one or more microservices.
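To make the two ideas above concrete (a JSON blueprint that describes an execution flow, and each step bound to its own retryable activity), here is an added, self-contained Go example. It is not SailPoint's real blueprint schema and it does not use the Temporal SDK; the blueprint shape, the step and activity names, the `ParseBlueprint`/`Run` functions and the simulated "provisioning service timeout" failure are all constructed for illustration. It shows a small interpreter that validates a blueprint before anything executes (unknown activities and unusable retry policies are rejected up front), runs each step under its retry policy, and records an event history that an operator can audit, which is the kind of property a governance workflow needs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Blueprint is a hypothetical JSON DSL (not SailPoint's real schema): an ordered list
// of steps, each bound to a named activity with string inputs and a retry policy.
type Blueprint struct {
	Name  string `json:"name"`
	Steps []Step `json:"steps"`
}

type Step struct {
	ID       string            `json:"id"`
	Activity string            `json:"activity"`
	Inputs   map[string]string `json:"inputs"`
	Retry    RetryPolicy       `json:"retry"`
}

type RetryPolicy struct {
	MaxAttempts int `json:"maxAttempts"`
}

// Activity is one unit of work backed by a microservice (an assumed stand-in for a
// Temporal activity). A returned error signals a retryable failure to the engine.
type Activity func(inputs map[string]string) (string, error)

// Event is one entry of the workflow's execution history: which step, which attempt, outcome.
type Event struct {
	StepID  string
	Attempt int
	Outcome string
}

// ParseBlueprint decodes a blueprint and rejects steps that reference an unregistered
// activity or allow zero attempts, so a bad definition fails before any side effect runs.
func ParseBlueprint(raw []byte, registry map[string]Activity) (*Blueprint, error) {
	var bp Blueprint
	if err := json.Unmarshal(raw, &bp); err != nil {
		return nil, fmt.Errorf("invalid blueprint: %w", err)
	}
	for _, s := range bp.Steps {
		if _, ok := registry[s.Activity]; !ok {
			return nil, fmt.Errorf("step %q references unknown activity %q", s.ID, s.Activity)
		}
		if s.Retry.MaxAttempts < 1 {
			return nil, fmt.Errorf("step %q must allow at least one attempt", s.ID)
		}
	}
	return &bp, nil
}

// Run executes steps in order, retrying each up to its policy. If retries are exhausted the
// workflow stops and reports the failing step; the history returned covers every attempt.
func Run(bp *Blueprint, registry map[string]Activity) ([]Event, error) {
	var history []Event
	for _, s := range bp.Steps {
		var lastErr error
		completed := false
		for attempt := 1; attempt <= s.Retry.MaxAttempts; attempt++ {
			out, err := registry[s.Activity](s.Inputs)
			if err == nil {
				history = append(history, Event{StepID: s.ID, Attempt: attempt, Outcome: "completed: " + out})
				completed = true
				break
			}
			lastErr = err
			history = append(history, Event{StepID: s.ID, Attempt: attempt, Outcome: "failed: " + err.Error()})
		}
		if !completed {
			return history, fmt.Errorf("step %q exhausted %d attempts: %w", s.ID, s.Retry.MaxAttempts, lastErr)
		}
	}
	return history, nil
}

// ExampleBlueprint is a constructed onboarding flow: resolve the identity, then grant one
// entitlement. The grant step allows three attempts so the retry path is exercised.
const ExampleBlueprint = `{"name": "onboard-employee", "steps": [
  {"id": "lookup", "activity": "getIdentity", "inputs": {"email": "new.hire@example.com"}, "retry": {"maxAttempts": 1}},
  {"id": "grant", "activity": "grantEntitlement", "inputs": {"entitlement": "vpn-users"}, "retry": {"maxAttempts": 3}}
]}`

// NewRegistry wires activity names to simulated microservice calls. grantEntitlement fails
// on its first call with a constructed timeout error to show the engine retrying.
func NewRegistry() map[string]Activity {
	calls := 0
	return map[string]Activity{
		"getIdentity": func(in map[string]string) (string, error) {
			return "identity for " + in["email"], nil
		},
		"grantEntitlement": func(in map[string]string) (string, error) {
			calls++
			if calls == 1 {
				return "", errors.New("provisioning service timeout")
			}
			return "granted " + in["entitlement"], nil
		},
	}
}

func main() {
	reg := NewRegistry()
	bp, err := ParseBlueprint([]byte(ExampleBlueprint), reg)
	if err != nil {
		fmt.Println(err)
		return
	}
	history, err := Run(bp, reg)
	for _, e := range history {
		fmt.Printf("%-7s attempt %d: %s\n", e.StepID, e.Attempt, e.Outcome)
	}
	if err != nil {
		fmt.Println("workflow failed:", err)
	}
}
```

Running it prints three history events: the lookup completing on attempt 1, the grant failing on attempt 1, and the grant completing on attempt 2. In a real Temporal deployment the retry policy, the durable history and the activity dispatch are provided by the cluster rather than by this loop; the point of the example is the separation between the declarative blueprint an organization writes and the engine that validates it and drives activities under a retry policy.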

High-level Services Diagram

SailPoint’s current architecture takes advantage of a centralized workflow engine for work distribution. The intent is to closely observe and instrument how users solve their business problems with workflows. Using this feedback loop, the team can make informed decisions on how to add capabilities into the workflow service, where to iterate on the architecture, and scale infrastructure to meet user needs.

Conclusion

Data integrity is definitively the most important consideration when managing identities. Identities should be managed flawlessly whenever any defined business scenario is performed. By orchestrating SailPoint infrastructure, these guarantees can be provided with simple, human-defined parameters.
