Wednesday, December 12, 2007

Dialogue on Enterprise Role Management Integration Challenge

Ian Glazer, in a recent post on his “TuesdayNight” blog, replies to an earlier comment of mine on The Enterprise Role Management Integration Challenge:

“I may not have been clear. What I meant by calling the integration of role management into user provisioning a no-brainer is that, from a product and market strategy position, it is a straightforward decision for product managers and marketers.

I don’t agree with your point that the majority of user provisioning technology is intended for synchronization. If that were the case, then user provisioning products would be worth nothing more than a meta-directory with a pretty face. The ability to add policy governing who gets what is a core part of user provisioning. Role Management can ease the provisioning policy construction and can certainly provide a great deal of value in the person-to-role mapping process, but in these capacities they are acting as augmentation to a user provisioning system’s policy and workflow capabilities.”

Ian, thanks for getting the dialogue going.
I am in general agreement with your assessment that, from the marketing standpoint, the integration is logical and plain. The two components must be integrated and must collaborate.

My comment (admittedly a little extreme) was meant to highlight that, when user provisioning and role management are integrated, most policy-related functions cannot be managed by the user provisioning component.

In fact, current user provisioning products can add policies, but they cannot handle the complete view of an identity management solution: aggregation, storage and management of business relationships, roles and related resources; multiple views of the business based on policy-driven roles; supplying the relevant privileged data of enterprise systems; meeting compliance and auditing requirements; and so on.

Current systems implement policies using rules at the central level and, unfortunately, also rules coded directly into the connectors themselves. Since this does not scale, an already difficult situation becomes impossible to manage: no high-level tool, no global vision, no comprehensive compliance management.

Why? Mainly because these products were designed for “historical” synchronization needs; when policy requirements arrived, functions were added on without first considering the overall picture.
Other aspects of this integration are covered in my post A Role Management Manifesto.
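To make the point about connector-coded rules concrete, here is an added example (mine, not code from the post, from Ian’s blog or from any vendor product). It contrasts a connector that carries its own hard-coded rule with a central role policy whose connectors only synchronise what the policy engine decided. The users, roles, target systems, entitlements and the separation-of-duties constraint are all constructed sample data; the names `ROLE_POLICY`, `SOD_RULES` and the connector functions are assumptions made for the illustration.

```python
# Added example (not from the post or any vendor): policy hidden in a
# connector vs. a central role policy with synchronise-only connectors.
# All users, roles, systems and entitlements below are constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    department: str
    roles: set = field(default_factory=set)


# Central policy: role -> {target system -> entitlements}  (constructed)
ROLE_POLICY = {
    "ap-clerk":    {"erp": {"create_vendor"},   "ad": {"finance-users"}},
    "ap-approver": {"erp": {"approve_payment"}, "ad": {"finance-users"}},
    "staff":       {"ad": {"all-staff"}},
}

# Separation-of-duties constraint: creating a vendor and approving a
# payment in the ERP must never be held by the same person (constructed).
SOD_RULES = [(("erp", "create_vendor"), ("erp", "approve_payment"))]


def derive_entitlements(user):
    """Central evaluation: union of the entitlements of all the user's roles."""
    result = {}
    for role in sorted(user.roles):
        for system, ents in ROLE_POLICY.get(role, {}).items():
            result.setdefault(system, set()).update(ents)
    return result


def sod_violations(entitlements):
    """Return every SoD pair that is fully present in an entitlement map."""
    held = {(sys, ent) for sys, ents in entitlements.items() for ent in ents}
    return [pair for pair in SOD_RULES if pair[0] in held and pair[1] in held]


def erp_connector_sync(user, entitlements):
    """Synchronise-only connector: pushes exactly what the central engine decided."""
    return set(entitlements.get("erp", set()))


def erp_connector_legacy(user, entitlements):
    """Connector with its own coded rule ("everyone in finance may approve
    payments"). The central engine never sees this grant."""
    pushed = set(entitlements.get("erp", set()))
    if user.department == "finance":
        pushed.add("approve_payment")
    return pushed


def audit(user, connector):
    """Compare the central engine's view with what the connector really
    provisioned in the ERP. Returns (reported, actual) SoD violation lists."""
    central = derive_entitlements(user)
    reported = sod_violations(central)            # what the compliance report says
    actual_state = dict(central)
    actual_state["erp"] = connector(user, central)  # what the target system holds
    actual = sod_violations(actual_state)
    return reported, actual


if __name__ == "__main__":
    alice = User("alice", "finance", {"ap-clerk", "staff"})
    print("legacy connector :", audit(alice, erp_connector_legacy))
    print("central policy   :", audit(alice, erp_connector_sync))
```

With the legacy connector, the central report for alice is clean while the ERP actually holds a toxic combination; with the synchronise-only connector, the report and the target system agree, and a genuine conflict (a user given both roles) is caught centrally before anything is pushed.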

Finally (again using an extreme metaphor), it is like implementing an HR system in Microsoft Excel. YES, nobody can tell you that is impossible, but what are the costs?

What are the perspectives of user provisioning vendors? I would welcome a dialogue on this topic going forward.