Partner Integration Seamless adoption
Published On May 14, 2026 - 7:52 AM


Seamless adoption is a high-level integration tier for mature Partner collaborations. It introduces advanced capabilities including Single Sign-On (SSO), bidirectional data exchange, role-based access control (RBAC), and SCIM-based user propagation.
This is the advanced level of integration, designed for partnerships requiring deep functionality, full adoption of Kyndryl Bridge services, and close collaboration. Seamless Adoption supports advanced capabilities such as Single Sign-On (SSO), user and role management, bidirectional data exchange, and deeper API integrations. Integration at this level fosters enhanced collaboration, real-time insights, and a unified user experience through adherence to the Kyndryl Bridge design system.
Included Features from Previous Levels
Level 1 – Initial Phase:
  • Catalog Content Creation
  • Consultation
  • Quotations
  • Hosting and Connectivity with Partner Application
Level 2 – Partial Integration:
  • Broker Registration
  • Demo Environment Setup and Enablement
Level 3 – Advanced Integration:
  • Widget Creation with Dynamic Live Data
  • SSO Enablement
  • API Gateway and Data Exchange
Additional Features for Seamless Adoption
  1. Bidirectional Data Exchange:
    • Partner applications and Kyndryl Bridge expose APIs that allow data to flow both ways, enabling deeper integration and functionality sharing.
    • Partners must implement secure API protocols and provide necessary documentation for both data consumption and contribution.
  2. User and Role-Based Access Control (RBAC):
    • Integration at this level includes managing users and roles within the Partner application via Kyndryl’s Identity and Access Management (IAM) system.
    • Partners must configure role mappings to ensure proper access levels and security.
  3. Enhanced Value-Add Layer:
    • A specialized value-add layer is developed to create real-time insights, analytics, recommendations, and remedial actions.
    • This layer enhances offerings with advanced manageability features and contextual data sharing, improving usability for end customers.
  4. Shidoka Design System Compliance:
    • All Partner application interfaces integrated at this level adhere to the Shidoka design system, ensuring a consistent and unified user experience.
  5. Integration with Kyndryl Bridge Common Services:
    • Prebuilt integration with relevant Kyndryl Bridge Common Services enables seamless access to tools and frameworks, enhancing Partner service functionality.
Benefits
  • Unified User Experience:
    Provides a consistent and cohesive interface for end users, adhering to Kyndryl’s Shidoka design standards.
  • Advanced Capabilities:
    Supports enterprise-grade features like bidirectional data exchange, dynamic widgets, and API-based collaboration.
  • Operational Excellence:
    Ensures scalability, performance, and security, meeting the needs of enterprise customers.
  • Deeper Collaboration:
    Partners gain tools for real-time analytics, role management, and enhanced service customization.
Kyndryl Bridge User propagation implementation (SCIM)
Who’s responsible: Kyndryl Bridge Partner Integration team
Introduction to SCIM
System for Cross-domain Identity Management (SCIM) is an open standard protocol designed to simplify the management of user identities across multiple systems. By leveraging SCIM, Kyndryl Bridge enables identity propagation, synchronizing user resources (identities and roles) between Kyndryl Bridge Identity and Access Management (IAM) and Partner Services’ IAM implementations.
Key Features of SCIM
  1. Standardized Operations:
    SCIM provides HTTP-based RESTful APIs for creating, reading, updating, and deleting (CRUD) user resources.
  2. Interoperability:
    SCIM streamlines data exchange between identity providers (e.g., Kyndryl Bridge IAM) and service providers (e.g., Partner applications).
  3. JSON Data Format:
    SCIM uses JSON to represent user data, supporting features like filtering, sorting, and pagination for efficient data handling.
  4. Ease of Management:
    SCIM simplifies user provisioning and deprovisioning, attribute management, and synchronization across hybrid environments.
Commonly Used SCIM APIs
  • Create User:
    Adds new users with a POST request containing user data in JSON format.
  • Retrieve User:
    Fetches a specific user's details with a GET request using the user’s unique identifier.
  • Update User:
    Modifies attributes of existing users via a PUT or PATCH request with updated user data.
  • Delete User:
    Removes a user from the system with a DELETE request using the user’s unique identifier.
  • Search Users:
    Searches for users based on criteria with a GET request and query parameters for attributes or conditions.
The endpoints and payload formats may vary depending on the SCIM implementation and version. The SCIM specification is available for reference at Simple Cloud.
SCIM in Kyndryl Bridge
SCIM is implemented in Kyndryl Bridge as part of the Enterprise Account provision process. It allows user management through Access Management and synchronizes users to Partner applications via SCIM propagation.
User Propagation Workflow
  1. Access Management in Kyndryl Bridge:
    • Kyndryl Account Managers sign in to the Kyndryl Bridge portal to manage users within the Enterprise Account via Access Management.
  2. Admin Access Validation:
    • Admin-level access to Kyndryl Bridge applications is validated through Global Switcher > Settings > Service IAM in the Enterprise account.
  3. User Invitation and Group Assignment:
    • New users are invited through Access Management, with assigned access groups determining their access levels.
  4. SCIM Synchronization:
    • Upon user activation:
      • The user is created in both Kyndryl Bridge and the Partner application instances.
      • Default access level: “Viewer” in the Partner application.
  5. Access Level Management:
    • Required access levels for users are assigned via Global Switcher > Settings > Service IAM in the Partner application instance.
    • Access levels align with policy-based access control (PBAC) standards and are determined by access groups or policies.
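The SCIM operations listed under Commonly Used SCIM APIs and the synchronization step in the workflow above can be sketched from the Partner side. The following Python is an added example, not Kyndryl Bridge or Partner code: the class PartnerScimUsers, its in-memory store and the choice to ignore caller-supplied roles are assumptions made for illustration, while the schema URNs and error fields follow RFC 7643/7644.

```python
import uuid

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
DEFAULT_ROLE = "Viewer"  # default access level named on this page

def scim_error(status, detail, scim_type=None):  # RFC 7644 error as (status, body)
    body = {"schemas": [ERROR], "status": str(status), "detail": detail}
    return status, {**body, "scimType": scim_type} if scim_type else body

class PartnerScimUsers:  # hypothetical in-memory partner-side /Users store
    def __init__(self):
        self.users = {}

    def create(self, payload):  # POST /Users
        name = payload.get("userName")
        if USER not in payload.get("schemas", []) or not isinstance(name, str) or not name:
            return scim_error(400, "core User schema and userName required", "invalidValue")
        if any(u["userName"].lower() == name.lower() for u in self.users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        # Assumption: caller-supplied roles are ignored; access starts at Viewer.
        user = {"schemas": [USER], "id": str(uuid.uuid4()), "userName": name,
                "active": True, "roles": [{"value": DEFAULT_ROLE}]}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, payload):  # PATCH /Users/{id}
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "user not found")
        ops = payload.get("Operations", [])
        valid = all(str(o.get("op")).lower() == "replace" and o.get("path") == "active"
                    and isinstance(o.get("value"), bool) for o in ops)
        if PATCH not in payload.get("schemas", []) or not valid:
            return scim_error(400, "only boolean replace on 'active' supported", "invalidValue")
        for o in ops:  # validated up front, so the request applies fully or not at all
            user["active"] = o["value"]
        if not user["active"]:
            user["roles"] = []  # a deprovisioned account keeps no access level
        return 200, user

def demo():
    """Constructed sample: the caller asks for Administrator and gets Viewer."""
    store = PartnerScimUsers()
    _, user = store.create({"schemas": [USER], "userName": "alice@example.com",
                            "roles": [{"value": "Administrator"}]})
    off = {"schemas": [PATCH], "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return user["roles"], store.patch(user["id"], off)[1]["roles"]
```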
Benefits of SCIM Implementation
  1. Simplified Identity Management:
    Automates user synchronization and reduces manual provisioning efforts.
  2. Consistency Across Systems:
    Ensures uniform user identity and role management across Kyndryl Bridge and Partner applications.
  3. Scalability:
    Supports cloud and hybrid environments with standardized user management practices.
Kyndryl Bridge Roles propagation
Who’s responsible: Kyndryl Bridge Partner Integration team
Introduction to Kyndryl Bridge IAM
Kyndryl Bridge Identity and Access Management (IAM) is a security framework that integrates technologies and processes to ensure that individuals and systems access only the assets they are authorized to use, at the right time and for legitimate purposes. IAM also protects against unauthorized access and fraud. Kyndryl Bridge incorporates multiple IAM layers:
  • GCP IAM (Global IAM):
    Grants global access and manages roles at the Kyndryl Bridge platform level.
  • DCP IAM (Regional IAM):
    Manages roles and policies at the regional service level.
This multi-layered approach ensures flexibility and scalability but introduces complexity in configuring and managing authorization policies for users operating in different regions.
Current Role Management
  1. Separate Policy Management:
    • Users must manage authorization policies independently for both GCP (global) and regional DCP IAM layers.
  2. Role Segmentation:
    • Kyndryl Bridge Roles:
      Assigned at the GCP IAM layer to manage global platform access.
    • Service Roles:
      Managed at the DCP IAM layer, tailored to regional service access.
    • Service roles include subcategories that define specific access levels, which will be elaborated further in this section.
  3. Regional Interaction:
    • While IAM functions globally within the distributed architecture, services within a region primarily interact with their local IAM layer. This ensures better performance and reduced latency for region-specific tasks.
Kyndryl Bridge Roles
Definition:
Kyndryl Bridge Roles are part of the GCP IAM layer and control access to the global features of the Kyndryl Bridge platform.
Management:
  • Roles are managed through Access Management within Kyndryl Bridge Settings.
  • Access is governed by predefined Access Groups, which determine the features and capabilities users can access globally.
Purpose:
Kyndryl Bridge Roles enable users to:
  • Access and utilize global features of Kyndryl Bridge.
  • Interact with services that span multiple regions through a unified global interface.
Challenges and Opportunities
  • Challenges:
    • The dual-layer IAM model requires users to manage roles and policies in both global and regional systems, increasing administrative complexity.
  • Opportunities:
    • Future enhancements could integrate GCP and DCP IAM layers, simplifying role propagation across regions while maintaining local autonomy for services.
Service IAM roles
  • Service IAM roles are managed at the DCP IAM layer through the ‘Service IAM’ Service Settings. These roles enable users to access and utilize the full capabilities of individual services or applications within Kyndryl Bridge.
Key Features
  1. Usage Across Kyndryl Services:
    • Kyndryl Bridge Common Services:
      All Common Services leverage Service IAM to grant users the required permissions to perform actions.
    • Other Kyndryl Bridge Services:
      Services like Kyndryl I-AIOps may use Service IAM as their preferred authorization method. However, using Service IAM is not mandatory for services to operate on Kyndryl Bridge; they may opt for their own authorization mechanisms.
  2. Platform Roles:
    • Definition:
      Out-of-the-box roles available within Service IAM for grouping users and assigning capabilities.
    • Clarification:
      Platform roles differ from ‘Access Management’ Kyndryl Bridge Roles (managed at the GCP IAM layer).
  3. Service-Specific Roles:
    • Service IAM roles are tailored to provide access to the full capabilities of individual services.
    • Examples include:
      • Specialized permissions for Common Services.
      • Unique roles for advanced functionalities in specific services like I-AIOps or other Partner-integrated applications.
Benefits
  • Granular Access Control:
    Provides fine-grained permissions tailored to individual services, enhancing security and usability.
  • Flexibility for Services:
    Services can choose between using Service IAM or their custom authorization methods, ensuring adaptability across the platform.
  • Alignment with Platform Roles:
    Simplifies user grouping and role assignment within Service IAM, improving operational efficiency.
Service name | Role name | Description | Administrator | Editor | Operator | Viewer
Connections | iam.connections.create | Can create | X
Connections | iam.connections.delete | Can delete | X | X
Connections | iam.connections.test | Can test | X | X | X | X
Connections | iam.connections.update | Can update | X | X
Connections | iam.connections.view | Can view | X | X | X | X
For more details, refer to the Roles and Permissions Guide.
Important: Kyndryl Bridge is actively working to simplify and unify the role and authorization policy setup. The goal is to integrate Bridge Roles and Service IAM Roles within a single authorization model, eliminating the need to assign access in multiple locations. This integration will reduce redundancy and improve the overall user experience. Full role propagation is planned as part of this enhancement.
API Gateway and Bi-Directional Data Exchange
Scope:
This integration level enables bi-directional data exchange, allowing Partner applications and Kyndryl Bridge services to send and receive data seamlessly.
Overview
At this level, the API Gateway and Data Gateway are configured to support both data retrieval (pull) and data submission (push) between Partner applications and Kyndryl Bridge services. This capability ensures enhanced collaboration, real-time synchronization, and deeper functional integration.
Key Features
  1. Bi-Directional Data Exchange:
    • Data Pull:
      Kyndryl Bridge retrieves data from Partner applications to render insights, populate dashboards, or support operations.
    • Data Push:
      Kyndryl Bridge services send data to Partner applications, enabling updates, workflows, or enriched Partner functionalities.
  2. Secure Communication:
    • All data exchanges are secured with encryption protocols (e.g., TLS/SSL).
    • API authentication and authorization are enforced using standards like OAuth 2.0 or API keys.
  3. Enhanced Collaboration:
    • Partner applications and Kyndryl Bridge services integrate seamlessly to provide unified capabilities for end-users.
Placeholder Definitions
API Gateway Configuration and Usage:
The API Gateway is responsible for managing and routing API requests between Kyndryl Bridge and Partner applications.
Key functions include:
  • Request and Response Management:
    Supports both incoming and outgoing API calls.
  • Rate Limiting and Throttling:
    Ensures fair usage and protects against abuse.
  • Monitoring and Analytics:
    Tracks API performance and logs activities for operational insights.
Configuration specifics will depend on the Partner application’s API documentation, including:
  • Endpoints for both pull and push operations.
  • Supported HTTP methods and payload structures.
  • Authentication and authorization methods.
Data Gateway Configuration and Usage:
The Data Gateway facilitates structured data exchange between Kyndryl Bridge and Partner applications. Key functions include:
  • Data Transformation:
    Converts data formats as required for interoperability.
  • Real-Time Syncing:
    Supports immediate data synchronization when needed.
  • Error Handling:
    Manages retries and exceptions for robust data flows.
Configuration requirements:
  • Schema definitions for data payloads.
  • API or database connectivity details for accessing Partner application data.
  • Synchronization intervals for batch or real-time updates.