Wednesday, August 6, 2008

No man is a prophet in his own country

A crazy Italian approach to Identity Management projects

Preliminary remarks
  1. An Organization is launching an Identity Management project where almost 80% of the foreseen IM processes require an authorization workflow.
  2. The Organization has selected an IM technology platform.
  3. However, the requirements are so complex that they cannot be met just by customizing the web application of the vendor’s IM product.
  4. Furthermore, it is the Organization itself that suggests custom developments for the web application.
  5. … thus almost 80% of the IM project requires ex-novo (from-scratch) software development.
  6. What a crazy world!!

Actual Story
We just received an Identity Management (IM) RfP from a large Italian company.
It seems that they have already done an internal technical evaluation, as they are mainly asking for a system integration effort based on the Oracle Identity Manager product.

From the RfP, translated from Italian: “(the company) wants to equip itself with an Identity Management system for supporting: the digital identity management processes, the software applications and other platforms authorization processes. To this end (the company): has identified in the Oracle Identity Manager product the technology to be used for implementing the system, has carried out a feasibility analysis, and has defined constraints and requirements for the implementation”.

Thus, just a system integration effort. They have done a rigorous vendor selection, and verified the feasibility of the project using the selected product.

Ok, fine, … but uhmm… they also want to develop new custom clients for specific functionalities not available from the Oracle Identity Manager Web Application.

As a matter of fact, they have expressly asked the bidder not to customize the web application interface of the Oracle Identity Manager Administrative and End-User Console, but to implement the web interfaces using a “custom client” approach, i.e. software developed on top of the Oracle Identity Manager Software Developer Kit (API).

Again from the RfP:
  • “From the (Company) requirements analysis, we want to draw the bidder's attention to the following set of remarks pertaining to request management:
  • Roles (User Manager, Authorization Steward, Operator) of all users involved in a request approval process need to have different scopes (or views), based on the attributes of the resource object that represents the requested resource. For instance, the User Manager doesn’t need to access fields like the account identifier; this field, on the contrary, must be set by the AM function that creates the account on the target system. The first access password should be set by AM, displayed to the end user, and not available to anyone else, and so on…
  • A fill-in request process must be guided by specific wizards aimed at effectively supporting the end user. For instance, a User Manager who wants to grant access to an Application for one of his collaborators must first of all select the user from a predefined list of all his collaborators. Then he must be able to select the application and the related profile. The system must be able to guide him by offering the standard profile (or, in case, a list of standard profiles) associated both with the selected application and with the Organization Unit to which the end user belongs.
  • …
  • A user must be able to submit a request for modifying his assigned profile for application authorization, but the present release of Oracle Identity Manager doesn’t allow, out-of-the-box, implementing a workflow for the approval of modify requests on resource attributes already assigned to users.”
The question is:
  • Does a product exist out there that can manage the features listed above out-of-the-box, or at least provide rich, exhaustive support for them?
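To make the three RfP remarks concrete, here is a small model of such a request workflow, added as an illustration for this post; it is not code from the RfP, from Oracle Identity Manager, or from any vendor. The role names come from the RfP, while the attribute names, the read/write policy table, the sample directory, the standard-profile table and the approval chain (User Manager submits, Authorization Steward approves, AM provisions) are assumptions. It shows field-level scoping of a request per role, a wizard that restricts a manager to his own collaborators and to the standard profiles of the user's Organization Unit, and a "modify" request that runs through the same approval as a "grant".

```python
"""Toy approval workflow with role-scoped attribute views (constructed example)."""
from dataclasses import dataclass, field

# Assumed policy: which request attributes each role may read / write.
COMMON = {"user", "application", "profile", "status"}
READ = {
    "USER_MANAGER": COMMON,
    "AUTHORIZATION_STEWARD": COMMON,
    "OPERATOR": COMMON | {"account_identifier"},
    "AM": COMMON | {"account_identifier", "first_access_password"},
    # the end user sees his own first-access password but not the account identifier
    "END_USER": {"application", "profile", "status", "first_access_password"},
}
WRITE = {
    "USER_MANAGER": {"user", "application", "profile"},
    "AM": {"account_identifier", "first_access_password"},
}

# Constructed directory data (assumed): manager -> collaborators, user -> OU,
# (application, OU) -> standard profiles, and profiles already provisioned.
COLLABORATORS = {"mgr1": {"alice", "bob"}}
OU_OF = {"alice": "sales", "bob": "sales", "carol": "finance"}
STANDARD_PROFILES = {("crm", "sales"): ["crm_seller", "crm_reader"],
                     ("crm", "finance"): ["crm_reader"]}
ASSIGNED = {"alice": {"crm": "crm_reader"}}

class PolicyError(Exception):
    """Raised when a role acts outside its scope."""

@dataclass
class Request:
    kind: str                                   # "grant" or "modify"
    data: dict = field(default_factory=dict)
    status: str = "DRAFT"

def view(req, role):
    """Return only the attributes the given role is allowed to see."""
    allowed = READ[role]
    visible = {k: v for k, v in req.data.items() if k in allowed}
    if "status" in allowed:
        visible["status"] = req.status
    return visible

def set_field(req, role, name, value):
    """Write an attribute only if the role owns that field."""
    if name not in WRITE.get(role, set()):
        raise PolicyError(f"{role} may not set {name}")
    req.data[name] = value

def start_request(manager, user, application):
    """Wizard step 1: the manager may only pick one of his own collaborators.
    If the user already holds a profile on the application, it is a modify request."""
    if user not in COLLABORATORS.get(manager, set()):
        raise PolicyError(f"{user} is not a collaborator of {manager}")
    kind = "modify" if application in ASSIGNED.get(user, {}) else "grant"
    return Request(kind, {"user": user, "application": application})

def propose_profiles(req):
    """Wizard step 2: standard profiles for the application and the user's OU."""
    return STANDARD_PROFILES.get((req.data["application"], OU_OF[req.data["user"]]), [])

def submit(req, role, profile):
    """Wizard step 3: only a proposed (standard) profile may be requested."""
    if profile not in propose_profiles(req):
        raise PolicyError("profile is not standard for this application/OU")
    set_field(req, role, "profile", profile)
    req.status = "SUBMITTED"

def approve(req, role):
    """Grant and modify requests both pass through the Authorization Steward."""
    if role != "AUTHORIZATION_STEWARD" or req.status != "SUBMITTED":
        raise PolicyError("only the Authorization Steward approves submitted requests")
    req.status = "APPROVED"

def provision(req, role, account_id, password):
    """AM creates the account and records the assignment after approval."""
    if req.status != "APPROVED":
        raise PolicyError("request not approved")
    set_field(req, role, "account_identifier", account_id)
    set_field(req, role, "first_access_password", password)
    ASSIGNED.setdefault(req.data["user"], {})[req.data["application"]] = req.data["profile"]
    req.status = "PROVISIONED"

def denied(fn, *args):
    """True if the call is rejected by policy (used to check negative cases)."""
    try:
        fn(*args)
        return False
    except PolicyError:
        return True

def demo():
    """Run a modify request end to end: alice already has crm_reader on crm."""
    req = start_request("mgr1", "alice", "crm")
    submit(req, "USER_MANAGER", "crm_seller")
    approve(req, "AUTHORIZATION_STEWARD")
    provision(req, "AM", "ACC-0001", "first-login-secret")   # constructed values
    return req
```

The point of the policy tables is that the scope is enforced at the data layer, so the same request object can be rendered to a User Manager, an Operator and the end user without any of them seeing or setting fields outside their function; the wizard in turn never lets a manager request something for a user or profile outside his organizational scope.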
Disclaimer
Yes, Engiweb Security can help with most of the above described missing features. For instance, reading from Engiweb Security IDEAS brochure:
“Administrator scope dynamic association in workflow processes. It is often necessary that workflow figures (delegated or peripherals administrators) have a limited scope both for users (only certain OU users) and Applications (i.e. this administrator only approves profile requests that belong to a specific application).”
There is no reason for me not to talk about it! ...but in short: is there anyone who is interested? (certainly nobody in Italy).

Postscript
As soon as I finished this post, I discovered that some bloggers are discussing FACTs and FUDs here and here.
The example described above fits well into that discussion.
We are a vendor used to facing behemoths like ORACLE and SUN. In this post the Oracle products were mentioned, but I can give examples on SUN too. As the saying goes, “People who live in glass houses shouldn’t throw stones!”