Thoughts on Sun Identity Manager

I have made some comments about FIM and Oracle Identity Manager.  I want to talk briefly about Sun.  After reading through the architecture documents and looking at the development, my initial thought was that performance should be quick and scalable but that development and creation of workflows would be slow and cumbersome.  I contacted people I know who use the product in large enterprises to verify whether my prediction was accurate, and I was 100% successful.  This little sample should only be considered anecdotal; the sample was not significant and I would welcome comments from others using Sun’s solution.

For me the most bizarre element of the product is the XPRESS language.  It is symbolic of the idiocy that saw XML as an answer regardless of the question.  “XPRESS is an XML based expression and scripting language,” the documentation reads.  We have symbolic expressions (S-expressions) with the ugliness of XML tags.  When Jon Bosak began to argue for XML in 1997(?), it was stated that the tags would tell the computer what the information was, unlike HTML, which said what it should look like.  It was to be a data interchange standard with industry groups agreeing on standard ontologies.  Just five years later, some people on XML-Dev argued that the semantic aspect of XML never existed, that its essence was syntactical; so by 2003 some had already forgotten why it was first proposed.  No need to worry, because it quickly morphed into a data model with its own query language.  In short order we were back to the seventies with the network database.  So it comes as no surprise that a language like XPRESS arrives (based on the XML fad) which takes us back to the 1950’s and LISP.

Importing the SAP Provisioning Framework

One of the main reasons that one goes with SAP NetWeaver Identity Management is for the integration with other SAP modules.  The main way that this is done is through something called the SAP Provisioning Framework which comes bundled with the product.

There are a couple of challenges to accessing the framework.  The first is how to load it.  By default, the Framework exists as an import file which needs to be located.  By default the import file exists in “C:\Program Files\SAP\IdM\Identity Center\Templates\Identity Center\SAP Provisioning framework\SAP Provisioning Framework_Folder.mcc”

Now that we know where the Framework is located, we can load it with the import/export function of the NW IDM MMC console.  However, when loading the Framework you might get the following error message: “Could not import global script ’67/custom_generateHRID’ to identity center”.  I could not find any setting in import/export that allowed me to prevent the script from being processed.

After some research and poking around, I remembered that the SAP Provisioning Framework_Folder.mcc file is actually XML code.  So I went through and searched on the phrase “custom_generateHRID” and found exactly one reference (Highlight added):

         <SCRIPTLASTCHANGE>2007-10-04 12:52:52.7</SCRIPTLASTCHANGE>

So being the intrepid guy that I am, I deleted the highlighted line and tried the import again.  It worked like a charm!  Not sure what to take away from this, but I’m glad I solved the problem.  Has anyone else seen this problem and solved it a different way?
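The same hand-edit of the .mcc file, scripted so that a backup is kept and the result is re-parsed to confirm it is still well-formed XML before the next import attempt. This is an added example, not code from the original post or from SAP: only the SCRIPTLASTCHANGE tag is known from the post, so the GLOBALSCRIPT/SCRIPTNAME element names and the sample file layout are assumptions.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for SAP Provisioning Framework_Folder.mcc.
# Element names other than SCRIPTLASTCHANGE are hypothetical.
SAMPLE_MCC = """<MCC>
  <GLOBALSCRIPTS>
    <GLOBALSCRIPT>
      <SCRIPTNAME>sap_generateLogon</SCRIPTNAME>
      <SCRIPTLASTCHANGE>2007-10-04 12:52:52.7</SCRIPTLASTCHANGE>
    </GLOBALSCRIPT>
    <GLOBALSCRIPT>
      <SCRIPTNAME>custom_generateHRID</SCRIPTNAME>
      <SCRIPTLASTCHANGE>2007-10-04 12:52:52.7</SCRIPTLASTCHANGE>
    </GLOBALSCRIPT>
  </GLOBALSCRIPTS>
</MCC>
"""

def strip_script(root, script_name):
    """Remove every element whose SCRIPTNAME child equals script_name;
    return how many were removed (0 means nothing matched)."""
    removed = 0
    for parent in list(root.iter()):          # snapshot: tree is modified below
        for child in list(parent):
            if (child.findtext("SCRIPTNAME") or "").strip() == script_name:
                parent.remove(child)
                removed += 1
    return removed

def strip_script_from_file(path, script_name):
    """Keep a .bak copy, parse (fails loudly if the file is not XML), remove
    the script, write back and re-parse to prove the result is well-formed."""
    path = Path(path)
    shutil.copy2(str(path), str(path.with_name(path.name + ".bak")))
    tree = ET.parse(str(path))
    removed = strip_script(tree.getroot(), script_name)
    tree.write(str(path), encoding="utf-8", xml_declaration=True)
    remaining = [e.text for e in ET.parse(str(path)).iter("SCRIPTNAME")]
    return removed, remaining

def run_demo(path="sample.mcc", script_name="custom_generateHRID"):
    """Write the constructed sample to disk and run the edit against it."""
    Path(path).write_text(SAMPLE_MCC, encoding="utf-8")
    return strip_script_from_file(path, script_name)
```

Run `run_demo()` against the constructed sample and it reports one removed entry with only sap_generateLogon left; point `strip_script_from_file` at the real .mcc once you have confirmed the element names in your copy.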

Whitepaper – Creating a multi-step workflow for a Netweaver IDM 7.0 Workflow task

I’ve written a whitepaper that describes how to create a multi-step workflow for a Netweaver IdM 7.0 Workflow task, using a modal dialog window and JavaScript.  The hope is to improve the overall usability of IDM 7.0’s workflow tasks.

Link to whitepaper

Project Scope and Sustainability

(This post was written by Matt Pollicove)

One thing I’ve noticed when talking to people about Identity Management projects involves how to determine the project’s overall scope.  “How do I scope this?” they will say to me.  Now that’s kind of tough to answer right off the cuff, especially when considering Pollicove’s Law of Provisioning, which basically says there’s no guarantee that companies in the same vertical will work the same way.


However, I think there are some best practices that can be worked with when considering implementing an Identity Management solution:


1. Make sure you have executive sponsorship.  C-level support is going to be important in balancing the needs of your stakeholders and their budget dollars.

2. Make sure you have a good plan of what you want your Identity Management solution to cover.  An essential part of this is conducting a thorough assessment.  Document everything, diagram existing processes, then take them apart and put them back together the way they should be, then do it again.  This should be done with a combination of internal and external sources.  Internal resources know how current systems are configured and interact.  External resources will offer an impartial assessment of how these systems can interact more efficiently.  External resources will also be helpful in determining which Identity Management products will work best in your infrastructure.

3. When building your plan, know where you’re starting from.  What will be used as your authoritative store?  How will it be built?

4. Where are you going to?  What will you provision to?  What will you control access to?

5. How are you going from 2 to 3?  How will you engineer your changes?  What will the phases of your project consist of?


Item 4 is probably the most important part of the process.  Many a project has suffered due to overreaching phase objectives. Carefully define what you want to achieve in each phase. 


Data cleansing and analysis is almost always your first phase.  If you don’t have clean data, you won’t have a clean project.  Future phases can deal with:

· Creating an Authoritative Store

· Provisioning to essential systems

· Password management

· Role management

· Provisioning to secondary systems

· Etc.


So the big question is what order does this happen in?  How long will it take?  I always suggest going after the “low hanging fruit” first: the easiest objectives that will show the biggest net gain.  As a part of number 1 above, think about solving automation needs, compliance needs, and the cost of password management requests to the helpdesk.


How long will it take?  As long as it has to.  This is going to be a major project that will affect many systems and departments.  Take it slow and easy.  Test it thoroughly and make sure there’s a good knowledge management/training initiative to let your users know what is happening and how everyone will benefit.  It’s never good if your users equate an Identity Management initiative with a foul-tasting medicine.  This includes your stakeholders.