Tuesday, December 19, 2006
Architecture is a critical success factor for Identity Management Projects
How about sharing with the blogosphere in your next blog entry why enterprises take years just to roll out identity management toolsets? Why not talk about the lack of architecture within most enterprises as being more important than basic project management? After all, many identity management toolsets are incomplete: they only provide the tools necessary to provision/deprovision identities via workflow constructs, but don't effectively provision users, as this would require a centralized understanding of authorization.
Let me counter this statement. The only way that provisioning of identity in today's identity management tools is effective is if my enterprise applications have at best two roles: an Administrator who can do everything and a User who can do whatever users can do. Has anyone from Sun ever blogged on the fact that enterprise applications need finer-grained role models than just Administrator/User? What would it take for Sun to ping all those Portal, ECM, BPM, CRM, ERP and so on vendors to get them to a better place?
Oops, I forgot another scenario in which provisioning works. It is when your enterprise applications all want to have their own identity store and you simply use your tool to spray identity creation all over the place in a centralized way. What happens if enterprises decide to externalize identity to a single enterprise directory based on ADAM? Would this work?
Could you acknowledge at some level that provisioning via spraying says that you are entitled to access a particular application, but that if you consolidate identity stores, then something other than provisioning needs to account for entitlements?
Sorry for being so harsh; I am simply hoping that folks from Sun will provide more insight than just the need for project management. You know, if I wanted that message, all I have to do is call up my favorite large analyst firm to echo the same sentiment. They may even charge me a lot of money and also stress the importance of IT aligning with the business, the need to have a positive ROI and the need to find a stakeholder, preferably at the executive level. Cliché information is remotely interesting to some, but frustrating to others, especially those with a clue.
Maybe you could tell me, from a reference architecture perspective, whether I should, when using identity management tools, get my enterprise vendors to consider putting the SPML specification into their products? How about sharing with me better ways to integrate entitlements management with identity management, or even how I should think about identity management in a federated way where folks outside my enterprise can also use your tools?
Mike, the next time we meet, I'll buy you a beer if you share insights not found elsewhere...