Thursday May 14, 2009

The OpenSSO community has just released an iPhone app which is a portable administration console for OpenSSO.  Too cool!  Check it out.

POssO

Based on the Connector discussion earlier this week, Identigral twittered a question about exceptions:

"... How do devs respond to interface not allowing checked exceptions to be thrown?"

Our lead developer on Identity Connectors had the following response:

"All interfaces are expected to throw runtime exceptions.  While not explicitly declared for each operation (which would be syntactically redundant in Java), all applications must be prepared for exceptions.  The framework already knows to expect exceptions from SPI calls.

Connector developers are allowed to throw any RuntimeException, but are encouraged to throw those already defined in org.identityconnectors.framework.common.exceptions.  There are also some operations which declare in the javadoc when a specific RuntimeException is expected.

There is ongoing debate over the merits of checked vs unchecked exceptions.  While many developers are used to the assistance that declaring exceptions give the developer, it often results in the swallowing of exceptions, or unnecessary extra coding."
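As an added illustration of the convention described above (example code, not from the post or from the Identity Connectors project): a connector delete operation that swallows a checked exception, beside one that wraps it in the framework's runtime exceptions so the failure is visible to the framework. The two exception classes come from the package the post names; DirectoryClient and the method bodies are hypothetical.

```java
import java.io.IOException;
import org.identityconnectors.framework.common.exceptions.ConnectorException;
import org.identityconnectors.framework.common.exceptions.UnknownUidException;

public class DeleteOpExample {

    // Hypothetical transport client standing in for a real resource connection.
    // Constructed for this example only; it is not part of the framework.
    interface DirectoryClient {
        // Returns false when no such account exists; throws on transport failure.
        boolean removeAccount(String uid) throws IOException;
    }

    private final DirectoryClient client;

    DeleteOpExample(DirectoryClient client) {
        this.client = client;
    }

    // Anti-pattern from the post: the checked IOException is swallowed. The
    // framework sees a normal return and records the account as deprovisioned
    // even though the access still exists on the target resource.
    public void deleteSwallowing(String uid) {
        try {
            client.removeAccount(uid);
        } catch (IOException e) {
            // silently ignored: the caller never learns that deprovisioning failed
        }
    }

    // The SPI declares no checked exceptions, so the low-level failure is
    // wrapped in a framework RuntimeException (keeping the cause for diagnosis),
    // and the specific "no such object" case is signalled with the exception
    // the framework already defines for it.
    public void delete(String uid) {
        final boolean removed;
        try {
            removed = client.removeAccount(uid);
        } catch (IOException e) {
            throw new ConnectorException("delete failed for uid " + uid, e);
        }
        if (!removed) {
            throw new UnknownUidException("no account with uid " + uid);
        }
    }
}
```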

Monday May 11, 2009

The good folks over at Identigral are talking about the notion of generic connectors.  To summarize, generic connectors in the context of a provisioning solution have a reputation similar to that of the holy grail; it sounds wonderful, but practical implementation lends itself to myth and urban legend.  Read the post for yourselves; it's excellent.

At Sun, we have come a long way in the area of connectors.  See my last post on Identity Connectors.  It sounds like Identigral likes our approach as well.

Wednesday Apr 22, 2009

One of the great things about working for Sun is being surrounded by truly innovative people, people who are much smarter than me.  It's always amazing to hand off a set of seemingly mundane requirements to engineering, only to have them return to you something brilliant and wonderful.  Such is the case with Identity Connectors.

Rewind for some context... as we all know, any provisioning system must connect in some way with the target resources and applications to which it will provision accounts.  Until the release of 8.1, Sun Identity Manager did this almost exclusively through the use of what we call Resource Adapters.  Given our large install base and the very complex and heterogeneous environments represented by our customers, we naturally have a lot of Resource Adapters (over 60).  However, until 8.1, new Resource Adapters or updates to existing Adapters could only be released with new versions of Identity Manager.  Given the demand for new and updated Resource Adapters from our customers, we needed a better solution.

Fast forward to the release of Sun Identity Manager 8.1... Identity Connectors!  There are two key benefits to Identity Connectors: 1) they can be released and downloaded independently of the core Identity Manager server, and 2) they are open source.  Decoupling Connectors from the core server should give us much more flexibility in terms of releasing support for more resources more frequently.  Open sourcing them helps us tap into the large Identity Manager community for new connector development.  We're already seeing the fruits of this approach, the first of which is a community-contributed connector for Google Apps (thanks, Warren!).

There's one other nifty piece to Identity Connectors... they're not just for Sun Identity Manager!  That's right, any third party application that chooses to interoperate with the Connector Framework can use Identity Connectors as well.  That's another beautiful aspect of open source, and Daniel Raskin is also talking about it on The Smoking Monkey.

Learn more about Identity Connectors and the Connector Framework here.

Thursday Apr 09, 2009

Two weeks ago I hosted two sessions on roles and role management at a user group in London.  In my experience, folks tend to be split into two distinct groups on the topic of roles; they've either implemented or are in the process of implementing some type of RBAC solution, or they're still struggling to understand what roles really are in the context of managing access.  Between these two groups, most people tend to fall in the latter.  The benefits of using roles to manage access are huge, but getting started can be daunting.

As part of the Everyday Identity webinar series, Nick Crown, Product Line Manager for Sun's Identity Administration and Compliance products, will be hosting a webinar next week on this very topic.  The goal of the webinar (and also the title) is to "Humanize Access with Role Management."  Details below:

Date:     Wednesday, April 15, 2009
Time:     10:00 am PST / 1:00 pm EST / 19:00 GMT (check my time zone)

Register now - https://www2.sun.de/dct/forms/reg_us_2703_405_0.jsp

On a related note, Mr. Crown has started his own blog.  I don't want to give away too much, but I get the impression that he's a very bad date... read more here.  :-) 

Friday Mar 13, 2009

It's been a while since my last post, but for good reasons.  We've been very busy visiting customers, gathering and validating requirements for the next major release of Identity Manager.  HOWEVER, before I get ahead of myself, I wanted to share with you news about our most recent release of Identity Manager, 8.1.  Although this is a 'dot' release, it includes two very cool features aimed at helping our customers better manage provisioning to applications in the enterprise.

The first feature provides functionality for External Resource Management.  What's that, you ask?  External Resources are those applications and resources in the enterprise that aren't directly connected to Identity Manager through a resource adapter.  Most large organizations have hundreds, sometimes thousands, of internal, proprietary applications.  The simple fact of the matter is that Identity Manager will never have a resource adapter for each and every one of these applications, but there's still the need to centrally manage access to these applications from a provisioning and auditing perspective.  Identity Manager 8.1 provides out-of-the-box functionality for managing these disconnected resources as well as providing an audit trail when they're provisioned.

The second feature is the introduction of Identity Connectors, a new framework for connecting Identity Manager to target systems and resources.  The primary driver behind Identity Connectors was the desire to decouple resource adapters from the core Identity Manager server so that they could be released independently of Identity Manager.  Now, Connectors can be downloaded independently of Identity Manager builds.  This inaugural release of Identity Connectors includes the Connector Framework and two connectors (AD and SPMLv2), all of which are open source.  That's right, Identity Connectors are a new open source project on dev.java.net (website will be live very soon!).

Identity Manager 8.1 is available for download here.

Friday Nov 14, 2008

I returned from Gartner IAM Wednesday night, having survived the swamps of Orlando and another industry event with only minor scars to nurse.  The event was held at the Gaylord Palms, which was effectively a massive biodome; I only stepped outside of the compound twice during my stay.  Now that I'm back, it's time to reflect on a couple of things I learned at the Gartner event.

First, I learned that there are still a great many organizations out there just starting their identity journeys.  I'm still not sure what was different about Gartner versus some of the other industry events this year, but I spoke with a lot of people who are just now starting to look at provisioning, role management, single sign-on, and even directory implementations.  This is especially true in the financial services industry, where M&A activity has increased due to the current economic environment.

The other thing I learned is that people are still trying to understand how roles can be used in their organizations, and where roles may or may not fit into their current identity projects.  Earl Perkins had a session at the event on roles and entitlements management where he made the distinction between IT roles and business roles.  I think this is an important distinction, and it helps to explain where we're going with roles and how they can simplify both the provisioning and auditing processes.  The use case I find myself explaining most often is how roles can greatly simplify the process of onboarding a new employee.  Part of approving a new employee's access often involves a business unit manager who doesn't speak "IT."  In other words, this business unit manager isn't going to know or care what AD groups his employees belong to, or whether they need access to the mainframe; however, he is going to know the appropriate job title and function for his employees.  By using business roles to determine and assign access, it's no longer necessary for the business unit manager to understand access described in terms of raw IT entitlements, as is typically the case with what Earl and we call IT roles.

The distinction between business and IT roles again becomes important in the context of an auditing use case, specifically when doing an attestation or recertification.  Again, let's go back to the business unit manager that doesn't speak "IT."  Is it easier for this manager to understand access described in terms of raw IT entitlements (IT roles), or in terms of job title or job function (business roles)?  The obvious answer is the latter.

The reason I like Earl's distinction between IT and business roles is that Sun Identity Manager also makes this distinction in its approach to role based provisioning.  We've had IT roles for some time, and we added support for business roles in our last release (8.0, which was released in June).  You can download 8.0 here.

Our good friends on the OpenSSO team have released OpenSSO Enterprise 8.  You can download it here; check out the features here.

Wednesday Nov 05, 2008

Next week I will be attending Gartner's Identity and Access Management Summit in Orlando.  Ironically, this will be my second trip to Orlando in a month's time; I took the family to Disneyworld for the first time a few weeks ago.  Although Disneyworld was absolutely amazing, I was unpleasantly surprised to find out that Florida's hot weather rivals that of Texas, and the humidity is actually worse than in Houston.  I actually saw Mickey in the pharmacy buying prescription deodorant.  Apparently the mouse has some serious sweating issues, but I digress.  I'm crossing my fingers that things have cooled off a bit in the last few weeks.  At least I'll be inside for most of this trip.

At the event Sun will be hosting a booth promoting our Identity Hero game.  Given the typical content and climate of these types of events, hopefully a little gaming action will be a welcome change of scenery.  Strangely enough, we've been given instructions by Sun Marketing to adhere to a strict dress code.  We were actually measured for Catholic school uniforms earlier in the week, much to the chagrin of Mr. Raskin given his Jewish heritage.

In keeping with the theme of having a little fun while we're all there, Sun will be hosting an after hours party on Monday night (Nov. 10) in the Emerald Bay Presidential Suite.  We'll have beer, pizza, and Monday Night Football, as well as an additional opportunity to shame your peers with a high score on Identity Hero.  Come join us, bring your friends, and let's enjoy some gaming and MNF!


"Dial it Down" is my attempt at steering the dialogue around Identity Management back to what's really important, which, in my humble opinion, is solving real customer problems.  After all, customers are and should be the primary reason we're even having a discussion about Identity Management, yet it seems like the majority of the discussions happening in the blog community and industry at large tend to focus on largely academic conversations about utopian solutions, or on how certain components of an identity solution should be positioned or marketed.  As intellectually stimulating as these discussions may be, many of them provide little practical guidance for real customers that are embarking on the long road of implementing some type of identity management solution.

Take the GRC discussion, for example.  When I meet with our customers to discuss our roadmap and theirs, and listen to their requirements for their particular deployments, it's safe to say that they have never asked us when we are planning on solving their 'Governance, Risk and Compliance' problems.  The term simply doesn't resonate with them in any practical capacity.  I think most of the analysts are right when it comes to the topic of GRC; it's not a problem that can be solved by technology alone.  However, the overemphasis on what is and isn't a true GRC solution isn't helping solve the problems companies are facing when managing their risk and ensuring compliance with regulatory concerns and their own internal policies and procedures.  In other words, any prolonged conceptual discussion of GRC distracts us as an industry from solving some of the very real problems that our customers are facing today.

This begs the question: what should we be focusing our attention on?  The answer to this question is very simple: we should be listening to our customers.  This is not to say that every customer has a problem representative of the entire market; however, every customer is in a unique position to share their individual challenges around managing large numbers of users in extremely heterogeneous environments and ensuring compliance across their respective organizations.  Customers are worried about reducing costs, increasing productivity, ensuring compliance and avoiding fines; they really have no interest in a debate about whether or not attestation capabilities belong in a role management solution, or whether provisioning and role management are two separate problems.

That said, what's one of the major problems our customers are facing today?  Usability is a big one, especially in terms of a provisioning solution.  This is obviously a solution or product focused issue; however, at the end of the day, this is what customers are using to solve very real problems related to user access and compliance.  They're looking for a good answer to the question, "How can I delegate administration or policy definition down to the business users that should really own those processes?"  This is where usability considerations become paramount.  Whatever the solution may be, it must be easy to use and understand, even for the business user with little IT acumen.

This blog copyright 2009 by Craig McDonald