Building a Business Case for Identity & Access Management

When I worked for a large corporation I was frequently tasked with building a business case without a budget, that is, I wasn’t able to hire any consultants to assist me.  In some cases deadlines were relatively short, so it was fairly difficult to get it completed.  Once the Internet came around, more than once I was saved by people willing to share business cases they had developed.  Therefore I have uploaded an economic impact model that comprises two documents, an Excel spreadsheet and a Word document, which should cover the basic needs of a user.  I have other, more sophisticated models besides this one (for example, a business process and knowledge management re-engineering model that compares the economics of the current state with the future state), but for most people this should suffice to get you started.  If you find it useful, just leave me a comment.

It can be downloaded here.

Update 20120801:  Fixed the link again

Preventing SUNburn?

So it’s finally beginning.  Identity Management vendors are perceiving the departure of Sun IDM from the landscape.   CA is now offering Sun users the ability to switch over to CA’s IDM product.

I’ve not heard much lately about what the eventual plans are for Sun IDM, but something’s going to have to be announced soon before the other IdM vendors pull the rug out from under Sun/Oracle.

How Many Problems with Persistent Data Does a Unique Identifier Solve?

The answer is zero.  A unique identifier adds nothing to any logical problem we have with our data.  Let’s see why this is true.  I have two sets of data from different systems, each representing information or attributes about a real-world user.  Those data elements are indistinguishable from each other; perhaps they are first name, last name, city and state.  They are identical as far as I can tell.  If I add a unique identifier, do I know anything more about them?  I know only that they are no longer identical, and yet in the real world they may still be the same person.  By adding a unique identifier I may have made a distinction that is false.  Its impact can only be deleterious, never beneficial.  The unique identifier becomes ornamental.  Metaphorically, it is like placing a medallion around the neck of each of the famous twins and still not knowing which is Tweedledee and which is Tweedledum.  In that case at least I could rename them to something like Dee and Notdee, which would be meaningful to an observer.  In the foregoing example, however, we are already dealing with a representation of an entity, and the identifier adds nothing.

Now let’s add several more attributes, for example title and department.  If I can now easily distinguish whether or not they are the same person, I have accomplished my goal, and I still have not added a unique identifier.  The smallest subset of elements that distinguishes one set from another is a suitable key if the data is in a database, and I still haven’t added a unique identifier.  So then how are unique identifiers useful?  They are useful within a context in which we are programmatically creating many closely similar but not identical objects whose existence is ephemeral.  When we are combining data from many different contexts, they solve nothing; they are just another attribute.
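
As an added illustration of the argument above (example code written for this page, not from the original post): two constructed record sets share the same natural attributes, a freshly minted unique identifier makes the rows distinct without saying whether they are the same person, and the smallest attribute subset that separates the rows is found by search.  The system names ("hr", "crm"), the records and the attribute names are all assumptions.

```python
"""Added example (not code from the original post): correlating records from two
systems on their natural attributes, and searching for the smallest attribute
subset that distinguishes them, with and without a synthetic unique identifier.
System names, records and attribute names below are constructed for illustration."""
from itertools import combinations
import uuid

NATURAL = ("first", "last", "city", "state")   # the four attributes from the post
EXTENDED = NATURAL + ("title", "dept")          # plus title and department

# Constructed sample data: two hypothetical source systems, "hr" and "crm".
HR = [
    {"first": "John", "last": "Smith", "city": "Boston", "state": "MA", "title": "Engineer", "dept": "R&D"},
    {"first": "John", "last": "Smith", "city": "Boston", "state": "MA", "title": "Analyst", "dept": "Finance"},
]
CRM = [
    {"first": "John", "last": "Smith", "city": "Boston", "state": "MA", "title": "Engineer", "dept": "R&D"},
]


def project(record, attrs):
    """Value tuple of a record restricted to the given attributes."""
    return tuple(record.get(a) for a in attrs)


def is_key(records, attrs):
    """True if every record has a distinct value tuple over attrs (attrs is a candidate key)."""
    seen = set()
    for r in records:
        v = project(r, attrs)
        if v in seen:
            return False
        seen.add(v)
    return True


def minimal_key(records, attrs):
    """Smallest subset of attrs that distinguishes every record, or None if no subset does.
    Exhaustive search over subsets; fine for the handful of attributes an identity carries."""
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            if is_key(records, subset):
                return subset
    return None


def correlate(left, right, attrs):
    """Pair records across two systems that agree on attrs; returns (left_index, right_index) pairs.
    More than one pair for the same left record means attrs do not identify the person."""
    index = {}
    for j, r in enumerate(right):
        index.setdefault(project(r, attrs), []).append(j)
    return [(i, j) for i, l in enumerate(left) for j in index.get(project(l, attrs), [])]


def with_uid(records):
    """Copy of the records with a freshly generated unique identifier on each."""
    return [dict(r, uid=str(uuid.uuid4())) for r in records]


if __name__ == "__main__":
    print(minimal_key(HR, NATURAL))            # None: the two HR rows are identical on these
    print(minimal_key(HR, EXTENDED))           # ('title',): one extra attribute separates them
    print(is_key(with_uid(HR), ("uid",)))      # True, but only because the ids were made up
    print(correlate(HR, CRM, NATURAL))         # [(0, 0), (1, 0)]: ambiguous match
    print(correlate(HR, CRM, EXTENDED))        # [(0, 0)]: resolved without any unique id
    print(correlate(with_uid(HR), with_uid(CRM), ("uid",)))  # []: ids minted in different contexts never match
```

Matching on the generated `uid` across the two systems returns nothing, which is the point of the post: an identifier minted in one context carries no information in another, whereas the two extra natural attributes resolve the ambiguity on their own.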

HCM and NetWeaver Identity Management Integration Tips

The landscape document from SAP that explains how to export from HCM to VDS to Identity Center has sections that are less than clear, so I thought I would list common issues that have caused problems in the past.  First, the architecture.  The export works as follows:

  1. A report is run in SAP HCM which extracts the necessary data, formatted as LDAP data.
  2. SAP connects to the VDS and pushes the data.
  3. VDS connects to the Identity Center information store and uploads the data.

A couple of common problems I have seen:

  • The field names inside SAP are misnamed, or the export names to LDAP are.
  • The LDAP libraries in SAP Basis are not installed.
  • VDS template:  use “HR Export to IdM Identity Center.xml”; “HCM LDAP EXTRACT for IDM.xml” will not work.
  • Bad credentials or passwords (of course).
  • The VDS tree for HCM is broken in some way.  If in doubt, recreate your settings from the template.

Troubleshooting tips:

  • First, determine where you are broken.
  • Turn on verbose logging at VDS and see if HCM is even connecting.
  • If you are connecting to VDS but no data is reaching the Identity Store, then check the LDAP extract for misspellings.   One error in your path and the whole thing breaks.
  • If VDS shows database errors, then check the error logs in the Identity Center for problems with the task configuration.

Finally, because HCM does not support event triggers (which can make change-driven exports tricky), I usually filter in the HCM LDAP report for the data I want.  In most cases a nightly run is sufficient.  SAP recommends a full upload every time, but this is not practical for large numbers of employees.
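
Because a single misspelled attribute or DN component in the extract breaks the whole run, it is worth checking the report output before VDS ever sees it.  The following is an added example (not SAP's code, not from the original post): a small LDIF sanity check that flags attribute names outside an expected set, entries whose parent DN is not the export path, RDN values that disagree with the entry's attributes, and missing required attributes.  The attribute names, the base DN `ou=people,o=hcm` and the three sample entries are constructed assumptions; substitute the names your VDS template actually maps.

```python
"""Added example (not from SAP or the original post): sanity-check an LDIF
extract produced by an HCM LDAP report before it is pushed to VDS.  The
attribute names, the base DN and the sample records are assumptions."""
import re

# Assumed target schema: attribute names the VDS template is expected to map (hypothetical).
EXPECTED_ATTRS = {"objectclass", "uid", "givenname", "sn", "mail", "departmentnumber", "title"}
REQUIRED_ATTRS = {"uid", "sn"}
BASE_DN = "ou=people,o=hcm"          # assumed export path under which every entry must sit

# Constructed sample extract: entry 2 has a misspelled attribute, entry 3 a misspelled DN path.
SAMPLE_LDIF = """dn: uid=100001,ou=people,o=hcm
objectClass: inetOrgPerson
uid: 100001
givenName: Ann
sn: Lee
departmentNumber: D100

dn: uid=100002,ou=people,o=hcm
objectClass: inetOrgPerson
uid: 100002
givenName: Bob
sn: Ray
departmentNumbr: D200

dn: uid=100003,ou=poeple,o=hcm
objectClass: inetOrgPerson
uid: 100003
sn: Cho
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of (dn, {attr_lowercase: [values]}).
    Folded continuation lines (leading space) are joined; comments are skipped."""
    entries, current, dn = [], None, None
    text = re.sub(r"\n ", "", text)
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, current))
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, current = value, {}
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def validate(entries):
    """Return human-readable problems; an empty list means the extract looks consistent."""
    problems = []
    for dn, attrs in entries:
        rdn, _, parent = dn.partition(",")
        if parent.lower() != BASE_DN:
            problems.append(f"{dn}: parent '{parent}' is not the expected path {BASE_DN}")
        rdn_attr, _, rdn_value = rdn.partition("=")
        if attrs.get(rdn_attr.lower(), [None])[0] != rdn_value:
            problems.append(f"{dn}: RDN value does not match attribute {rdn_attr}")
        for name in attrs:
            if name not in EXPECTED_ATTRS:
                problems.append(f"{dn}: unknown attribute '{name}' (misspelling?)")
        for name in sorted(REQUIRED_ATTRS - attrs.keys()):
            problems.append(f"{dn}: missing required attribute '{name}'")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

Run it against the real report output (redirect the file into `parse_ldif`) as the first troubleshooting step: if it reports nothing and VDS still receives no data, the fault is on the connection or template side rather than in the extract.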

Application Centric Identity?

I’ve been listening to and reading information lately on “Application Centric Identity” and how it’s supposed to be the new wave in Identity Management.  Frankly, I’m a bit confused.

Basically it sounds like what’s being discussed is the creation of an authoritative store, something I’ve been working with in Identity Management for about 5 years now.

The “newness” to this offering seems to be the implementation of SOA / Web-services architectures to make it more interesting and accessible to authentication / authorization services.

I’ve always felt that by gathering the authoritative attributes from each enterprise repository and linking them together in an authoritative store (metadirectory) you create the clearest picture of what each identity “looks” like.  Furthermore, these authoritative entries can then be used as the basis for provisioning new application entries and updating existing ones.

To me it seems the backers of this school of thought are finding a new way to talk about the integration of enterprise-level ERP systems with Identity Management.  This is not a bad thing.  The one thing we need to do is break out of the idea that Identity Management is solely provisioning or solely Access Management.  One without the other is worse than useless, given the potential for malicious behavior.
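
To make the authoritative-store idea concrete, here is an added example (written for this page, not code from the original post or from any vendor product): each attribute is taken only from the repository that owns it, values held elsewhere that disagree are surfaced as conflicts instead of being silently merged, and the resulting entry is diffed against a target application's record to produce the provisioning operations.  The repository names, attribute names, authority table and sample records are assumptions.

```python
"""Added example (not code from the original post or any vendor product): build an
authoritative identity entry by taking each attribute only from the repository that
owns it, then derive the provisioning operations for a target application.
Repository names, attribute names, the authority table and the records are assumptions."""

# Assumed authority table: which repository is authoritative for each attribute.
AUTHORITY = {
    "employee_id": "hr",
    "given_name": "hr",
    "surname": "hr",
    "department": "hr",
    "email": "mail",
    "login": "directory",
}


def build_authoritative(sources):
    """Merge one person's records from several repositories.
    Each attribute is taken from its owner; a different value held by another
    repository is reported as a conflict (stale data to correct) rather than kept."""
    entry, conflicts = {}, []
    for attr, owner in AUTHORITY.items():
        owner_value = sources.get(owner, {}).get(attr)
        if owner_value is not None:
            entry[attr] = owner_value
        for name, record in sources.items():
            if name != owner and attr in record and record[attr] != owner_value:
                conflicts.append((attr, name, record[attr]))
    return entry, conflicts


def provisioning_delta(authoritative, target, mapping):
    """Operations a connector must apply so the target record matches the
    authoritative entry.  mapping: authoritative attribute -> target attribute."""
    ops = []
    for src_attr, tgt_attr in mapping.items():
        want, have = authoritative.get(src_attr), target.get(tgt_attr)
        if want is None:
            continue                      # nothing authoritative to push
        if have is None:
            ops.append(("add", tgt_attr, want))
        elif have != want:
            ops.append(("replace", tgt_attr, want))
    return ops


# Constructed sample: HR already records the transfer to Finance, the directory still says R&D.
SOURCES = {
    "hr": {"employee_id": "E1001", "given_name": "Ann", "surname": "Lee", "department": "Finance"},
    "directory": {"login": "alee", "surname": "Lee", "department": "R&D"},
    "mail": {"email": "ann.lee@example.com"},
}
TARGET_APP = {"username": "alee", "dept": "R&D"}              # hypothetical application record
APP_MAPPING = {"login": "username", "department": "dept", "email": "mail"}

if __name__ == "__main__":
    entry, conflicts = build_authoritative(SOURCES)
    print(entry)
    print(conflicts)                                          # the directory's stale department
    print(provisioning_delta(entry, TARGET_APP, APP_MAPPING))  # replace dept, add mail
```

The conflict list is the part worth watching in practice: a repository that keeps overriding its owner's value for an attribute is either mis-mapped or being edited by hand, and either way it is exactly the kind of drift that lets a stale entitlement survive a transfer.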

Thoughts on Sun Identity Manager

I have made some comments about FIM and Oracle Identity Manager.  I want to talk briefly about Sun.   After reading through the architecture documents and looking at the development model, my initial thought was that performance should be quick and scalable but development and creation of workflows slow and cumbersome.  I contacted people I know who use the product in large enterprises to verify whether my prediction was accurate, and it was confirmed in every case.  This little sample should only be considered anecdotal; the sample was not significant, and I would welcome comments from others using Sun’s solution.

For me the most bizarre element of the product is the XPRESS language.  It is symbolic of the idiocy that saw XML as an answer regardless of the question.  “XPRESS is an XML based expression and scripting language,” the documentation reads.  We have symbolic expressions (S-expressions) with the ugliness of XML tags.  When Jon Bosak began to argue for XML in 1997(?), it was stated that the tags would tell the computer what the information was, unlike HTML, which said what it should look like.  It was to be a data interchange standard, with industry groups agreeing on standard ontologies.  Just five years later some people on XML-Dev argued that the semantic aspect of XML never existed, that its essence was syntactic, so by 2003 some had already forgotten why it was first proposed.  No need to worry, because it quickly morphed into a data model with its own query language.  In short order we were back to the seventies with the network database.  So it comes as no surprise that a language like XPRESS arrives (based on the XML fad) which takes us back to the 1950s and LISP.