Enterprise identity strategy: 3. Enhance

Loyal readers will recall my tour through enterprise identity management deployments (overview here). This approach includes doing an upfront identity strategy (and here) followed by three stages of deployment: establish the core infrastructure, provision key systems, and enhance the infrastructure.

Enhancement includes adding additional systems, including the remaining identity stores and applications, into the existing identity infrastructure. Even if these systems are disconnected from the network, you can still integrate them through some sort of semi-automated provisioning process. Provisioning is, now that I mention it, a major piece of this stage; simplifying employee new hire on-boarding processes, for example, or introducing role-based access controls (RBAC) to automatically provision systems to people based on their roles.

RBAC is a large subject in and of itself, so I’m not going to do it justice here; a few notes will have to suffice. One of the challenges of RBAC is to set up the right number of roles; too many or too few and you get no real advantage. At one extreme, you could say that everyone in the company is in the role of “employee” and gets the same basic provisioning package. But that doesn’t really help. At the other extreme, the map begins to resemble the territory and you can easily end up with as many roles as people. (In a really extreme situation, you could have more roles than people; I’ve heard stories about that happening, but they’re probably apocryphal.)

There are two approaches to defining roles: bottom-up and top-down. Bottom-up is more of a tool-driven, mechanical approach in which you mine identity stores to generate patterns. Top-down is a manual process in which you systematically go through BUs or departments to select groupings. I think the best outcomes involve a mix of the two, meeting in the middle somewhere. The tool-driven approach is comprehensive but also tends to generate garbage that needs to be manually culled, while the top-down approach captures organizational constructs that may not be obvious in the data.
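To make the bottom-up/top-down trade-off concrete, here is an added example (mine, not from the post or any vendor tool) that mines candidate roles from a constructed user-to-entitlement table. It shows both extremes the post describes: the baseline “everyone is an employee” role, and how dropping the support threshold lets role count balloon toward head count; the singleton leftovers are what gets handed to a business owner for top-down review.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the post): user -> granted entitlements.
ASSIGNMENTS = {
    "alice": {"email", "vpn", "payroll_view"},
    "bob":   {"email", "vpn", "payroll_view"},
    "carol": {"email", "vpn", "payroll_view", "payroll_approve"},
    "dave":  {"email", "vpn", "git", "ci"},
    "erin":  {"email", "vpn", "git", "ci"},
    "frank": {"email", "vpn", "git", "ci", "prod_db_admin"},
    "grace": {"email", "vpn"},
}


def baseline_role(assignments):
    """The 'everyone is an employee' extreme: entitlements every user holds."""
    return frozenset(set.intersection(*map(set, assignments.values())))


def mine_roles(assignments, min_members=2):
    """Bottom-up role mining over an entitlement table.

    Returns (baseline, roles, residual):
      roles    - frozenset(entitlements) -> set(users); one candidate per
                 distinct non-baseline pattern shared by >= min_members users.
                 min_members=1 keeps every pattern (roles approach head count).
      residual - user -> entitlements explained by neither baseline nor a kept
                 role; the 'garbage' a human culls or confirms top-down.
    """
    base = baseline_role(assignments)
    patterns = Counter(frozenset(ents - base) for ents in assignments.values())
    roles = {p for p, n in patterns.items() if p and n >= min_members}
    members, residual = defaultdict(set), {}
    for user, ents in assignments.items():
        extra = set(ents) - base
        covered = set()
        for role in roles:          # a user may match several kept roles
            if role <= extra:
                members[role].add(user)
                covered |= role
        if extra - covered:
            residual[user] = extra - covered
    return base, dict(members), residual


if __name__ == "__main__":
    base, roles, residual = mine_roles(ASSIGNMENTS)
    print("baseline:", sorted(base))
    for role, users in roles.items():
        print(sorted(role), "->", sorted(users))
    print("for manual review:", residual)
```

With the default threshold of two members the table collapses to a baseline plus two roles (payroll, developer) and two exceptions; with `min_members=1` the same data yields four roles for seven people, which is the “map resembles the territory” failure mode.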

Beyond RBAC, which is sort of the state-of-the-art today, you start to get into specialized identity management issues. These are the 400-level classes, independent studies and directed readings, if you’ll pardon the metaphor, for upper level undergraduates and grad students. Novell, for instance, does a lot of work with hospital chains and we’ve built a custom clinician workstation that uses identity management as its basis but extends it to optionally include CCOW context management, fast log-in/log-out, proximity cards, and so on.

After these deployment stages, though, you get into the actual management of the deployed systems, which is another challenge entirely. I think of this as ‘governance,’ but that’s a loaded fancy word that tends to raise hackles. So we’ll discuss that next.

(By the way, Ritual Coffee Roasters in the Mission rules. This was a macchiato-powered post.)