Soll-ist engine

The most important thing to understand about NIM is that it is built on a soll-ist engine. The provisioning process runs according to a soll-ist loop:

  1. When your Sync tasks run, NIM first performs a Collection to update the ist (the "is"; the current state of your Systems as represented by the data in your Vault).

  2. NIM compares this ist against the Mappings and Roles defined in your Jobs (the soll, or "should" differentials).

  3. According to the result of this soll-ist comparison, NIM writes the necessary changes into the systems targeted by the mappings and roles. In other words, NIM equalizes the soll differentials.

The soll differentials, defined by mappings & roles and operating upon the ist data in the vault, drive the provisioning process. This is the soll-ist loop. This is the essence of NIM. This is dynamic provisioning.

The second most important thing to understand is that Filters are NIM's "workhorse" feature. A filter's output represents some subset of your vault data, which, when fed into a mapping or a role, defines the soll differentials that drive the provisioning process (the soll-ist loop). Filters always, and only, operate upon data in the vault. Almost everything you do in NIM depends on filters.

A simple example of a filter is one which selects all people in the engineering department of your HR (source) system who do not have accounts in a target Active Directory system. The output of this filter is thus a soll differential. You would then feed this filter's output into an account creation mapping function for the Active Directory system. Subsequently, you'd then put this mapping inside a job, and the job inside a sync task. The sync task would then run on a schedule. This is the soll-ist loop.

This is a dynamic (i.e., automatic) process, because a filter's output dynamically varies with its input. This means you simply "set and forget" your filters and mappings. NIM then runs your sync tasks (runs the soll-ist loop) on a scheduled basis, continually equalizing the soll and ist. Using the previous example, the filter will only ever return the current set of engineering employees without an AD account. Duplicates are thus avoided. The soll-ist loop responds only to dynamic changes in your data.

You are not limited to creating user accounts. You can perform a full range of CRUD operations on any resource type for which the necessary mapping functions and roles have been defined in the target systems' Connectors.