Tales From the Trenches on Identity Projects
Sean ONeill's Identity Crisis
Wednesday October 31, 2007
What's New In IdM 7.1 Cont'd. - Security - New End User Group
One of the new features that adds to the flexibility of setting up roles, organizations, and users is the addition of a new End User Group Object in Sun Java System Identity Manager 7.1.

This new group, which is automatically assigned as a member of the TOP organization node, gives the administrator more flexibility in ensuring that basic privileges are granted to all users, or at least that a set of rules is tested against every user IdM handles.

Consider an example: all employees get access to an email account and a building security card, and there are two locations they can be assigned to (Campus East or Campus West). Before 7.1, the administrator would create two organizations under TOP (Campus A and Campus B) and had to write policies to assign email accounts and security accounts, assigning the right one to the right organization. If any changes were made, they had to ensure that both organizations' rules and policies were corrected for the change. And what about a new "work from home" policy, where employees get a different security account at either one of the two campuses? It makes for some creative account writing.

Now the administrator can write just one set of rules and policies and assign them to this new End User Group. It is a catch-all group that every employee account is tested against after it has been run through all the other org-based tests and assignments. Once the employee is placed in the correct organization and that organization's rules and policies have been applied to the account, the account is then run through the End User Group for the final determination of end user privileges.

This is very similar to the "Default User" account in Windows. When a user logs in, they are given not only their own account privileges, but also additional access based on the "Default User" account. Now a policy (for determining campus security access) can be written once and applied to the End User Group. User accounts are processed according to the traditional organization assignments (Campus A, Campus B, and WorkFromHome) and then run through the End User Group to determine final account privileges.

Now when an end user logs into the end user interface, they are automatically evaluated against the built-in End User Controlled Organizations rule, which can return one or more organizations the user can control. This centralizes some of the work of determining end user capabilities and should be considered a best practice going forward for assigning Roles, Resources, and Tasks.

To manage this new capability around end user assignments, a new End User Administrator capability has been added to the system and is initially assigned to Configurator. Note that capabilities are evaluated at user login, so any change in the assignment of this capability will not affect users currently logged into the system; they would have to log out and back in to gain it.
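As an added illustration of the evaluation order described above (this is not IdM code; the User class, the policy tables and evaluate are invented for the model), here is a small Python model that applies the org-scoped policies first and a catch-all group last, beside the pre-7.1 arrangement where shared rules had to be copied into every organization:

```python
"""Org-scoped policies followed by a catch-all End User Group evaluation.
Added illustration of the ordering described in the post; the names below
(User, ORG_POLICIES, END_USER_GROUP_POLICIES, evaluate) are invented and
this is not IdM's policy engine."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    org: str                      # organization under TOP the user was placed in
    work_from_home: bool = False
    entitlements: set = field(default_factory=set)


# Constructed policies. Without the End User Group, "everyone gets email"
# and the work-from-home rule have to be copied into every organization:
ORG_POLICIES_BEFORE = {
    "Campus A": [lambda u: {"email", "card:A"},
                 lambda u: {"card:WFH"} if u.work_from_home else set()],
    "Campus B": [lambda u: {"email", "card:B"},
                 lambda u: {"card:WFH"} if u.work_from_home else set()],
}

# With the group, each org keeps only what is specific to it ...
ORG_POLICIES = {
    "Campus A": [lambda u: {"card:A"}],
    "Campus B": [lambda u: {"card:B"}],
}

# ... and rules meant for every employee are written once, here.
END_USER_GROUP_POLICIES = [
    lambda u: {"email"},
    lambda u: {"card:WFH"} if u.work_from_home else set(),
]


def evaluate(user, org_policies=ORG_POLICIES,
             group_policies=END_USER_GROUP_POLICIES):
    """Apply the user's org policies first, then the catch-all group last,
    and return the final entitlement set."""
    for policy in org_policies.get(user.org, []):
        user.entitlements |= policy(user)
    for policy in group_policies:          # every user passes through here
        user.entitlements |= policy(user)
    return user.entitlements


def evaluate_before(user):
    """The pre-group arrangement: same answer for users in a known org, but
    a shared rule lives in every org and a user outside them gets nothing."""
    return evaluate(user, ORG_POLICIES_BEFORE, [])
```

The third case is the point: a user who lands outside the campus organizations still passes through the group and still receives the baseline entitlement, and the work-from-home rule exists in exactly one place.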


Powered by ScribeFire.


posted by oneillds Oct 31 2007, 09:16:02 AM EDT

Tuesday October 30, 2007
Identity Manager 7.1 - What's new? - Delegation Work Items
When an approver needs to delegate a work item (provisioning approval, audit remediation, mitigation, attestation, etc.) because of vacation or some other reason, the approver enters IdM and assigns a delegate to handle the approvals for a set period of time. This was a powerful and needed capability, but real-life production deployments found some shortcomings that have been addressed in IdM 7.1.

First is the all-or-nothing approach to delegation. All work items were treated the same, and you could delegate all of them to one or more delegates (thus giving them temporary super powers they might not otherwise have). But real life is more complex than that. A manager going on vacation may want approvals to go to the department supervisor running things while they are gone, but audit-type attestations and remediations to go to the department finance person, just to keep everyone honest.

Now in 7.1, as a developer, you can treat the different work items differently when it comes to delegation. First off, work items come out of the box in the following flavors:
As an implementor, you can extend these work items as well within the IDE/BPE editor; just extend the WorkItemType. Also important: you can create a hierarchy of work item types.

Now when you go into IdM 7.1, instead of delegations there are work items (as there is more than just delegation possible), and the screens let the user filter the different work items and delegate them to others. This is a powerful feature that lets the implementor address a slew of needed capabilities that were not available before (and certainly not in our competitors' products). The ability to classify work items, extend them, and create a hierarchy adds a great deal of flexibility to the Sun IdM product.

One other fix worth mentioning: what if the person delegated to is deleted or disabled? In prior versions, someone would have to go in and either delete the work items or redirect them back to the delegator. In the new version, if the target person is deleted or disabled, the delegator will see that the work items they delegated have been returned, with the disabled delegatee's name in parentheses to indicate that person can no longer manage the delegation. The delegator can then reassign the work items to someone else.


posted by oneillds Oct 30 2007, 12:37:40 PM EDT

Wednesday September 12, 2007
Identity Manager 7.1 - What's New Part 1 - HOD Replaced with Attachmate Libraries
I promised to get some new features out, so here goes. In no particular order, I will review the new features in Sun Java System Identity Manager 7.1.

One of the most important new features is the updating of all host access resource adapters that previously used the IBM Host on Demand (HOD) libraries to access IBM style mainframe security systems.  This would be RACF, ACF2, Scripted Host Adapter, etc.

We had employed the HOD libraries to drive the Sun IdM resource adapters. You would install HOD on the same machine or include the "freely" available habeans.jar (which contains habase.jar, hacp.jar, ha3270.jar, hassl.jar, and hodbase.jar) so the resource adapter would be able to create a session and speak to the host with sufficient access to manage user accounts.

I put "freely" in quotes because IBM's documentation and licensing agreements encourage you to use these jars within your own application. But true to their heritage, once you use the HOD libraries for free, they try to nail you for licensing fees on the back end in production. This is not a competitor going ouch; I used to be an IBM WebSphere Platinum Partner. Why do you think I have worked for Sun for the last 5 years?

What has been happening, since we have been beating the bloated Tivoli Identity Manager, is that the IBM sales team has turned on its own customers and tries to rape and pillage them for using these jar files. Their warped sense of humor had their sales reps interpret the license agreement, which says any account that accesses the mainframe through the jar files needs a license. Since Sun's IdM provisions all accounts into the host, IBM tried to enforce that every account had to purchase a HOD license. This is just plain stupid; only the admin account connected to the mainframe needs a license (read your own software agreement), not every user in the company.

This led to the problem in several accounts where IBM, having lost out to Sun on the IdM software, tried to "impart a license fee" (there are better words for it, but would you really do this to your best customers?) of literally millions of dollars for HOD's use. Often the HOD jars cost more than the entire IdM project. How IBM customers can remain loyal in the face of such bad vendor behavior is a topic for another blog.

Anyway, we have a solution here at Sun. Instead of relying solely on HOD, we have come to an agreement with Attachmate to implement their WRQ libraries as an alternative to IBM's HOD. You will have to license the library through Sun even if you already have an Attachmate license, as we use a slightly modified version of the library for support purposes. Hey, that's the way the corporate suits and lawyers set it up.

Now all Sun IdM host adapters default to using the Attachmate libraries instead of IBM's HOD, though the HOD libraries are still supported (through v9; it seems IBM moved away from the OHIO interface in v10). See, we try not to lock in our customers. You will need to upgrade to Sun IdM 7.1 for full support, but there are no changes to your code, as the changes are done under the resource adapter covers.

If you are interested in more details, contact your local Sun software rep for more information.

IBM. Seems we like your loyal customers better than you do.


posted by oneillds Sep 12 2007, 11:37:16 AM EDT

Wednesday September 05, 2007
Sun Identity Management and Gartner Magic Quadrant
Yeah, yeah, I know. I have not been blogging recently. I have a new role in partner technical enablement and have been busy, busy getting everyone moving forward. Now that the kids are back in school and the Great Dane puppy is sleeping through the night (it's a rescue, but it has been like having another baby in the house), things should be settling down. I may even get the canoe down to the lake and finally put it in the water.

But that brings me to this good news: Gartner has Sun as the Leader in Identity Management again. We don't take this lightly. A copy of the report will be available shortly for public consumption. What is particularly pleasing is that the analysts point out one of Sun's strengths is the partner delivery eco-system we have been able to generate. That's right, one of the strengths of our products is you folks out there who have made the commitment to our Identity Management product line and are executing in the trenches every day.

Which explains why I have been so busy recently with partner technical enablement. We are committed to improving your ability to execute, making the product more powerful, yet easier to implement.

So to all Identity Crisis loyalists who spend the long hours working for clients implementing our products, we just wanted to say thank you; you do make a difference for us. We also want to let you know that, just because we are in the driver's seat, we are not going to relax and enjoy the success. Quite the opposite; we are going to redouble our efforts to move even further ahead in the industry.

Now pat yourself on the back and get back to work! We are!


posted by oneillds Sep 05 2007, 10:37:44 AM EDT

Monday June 25, 2007
New in IdM 7.1: Periodic Access Review Improvements
One of the key improvements in IdM 7.0 was the re-integration of Sun's Identity Auditor back into the core Sun Identity Manager product. The original idea was to fork the core code and offer an auditing product that could look down the same resource adapters to view user account information and check for security audit and separation of duty violations. That is the way it works in 6.X.

But fortunately, clearer heads prevailed and in 7.0 the code fork was removed and the two became one again (and so did the license, saving you money by not having to purchase two products). The reason was simple: provisioning and auditing go hand in hand, yin and yang, Abbott and Costello, etc. With the products split, you could only do postmortems on problems introduced into your identity infrastructure. Create a security violation and it may be a week before an audit catches it, if it does at all.

What if you could catch it before creating the problem? With 7.X, you can add a policy check to your provisioning workflows to do an on-the-spot audit check before you create a problem you would then have to find later. In your workflows you can basically say, "OK, I know how I want to provision this user, but before I do, let me check the current auditing and security policies and ensure the user's provisioning does not violate any of them." Don't forget, the auditing security policies can change at any time, so this step saves creating a problem you may not detect until the next audit scan.

The big improvement in IdM 7.1 is improved attestation, or periodic access review. One of the new burdens on systems managers due to Sarbanes-Oxley is the need to periodically (once a quarter, month, or week) review who has access to your systems and whether they should continue to have it. This PAR requirement has identity management teams scrambling to issue reports to managers to attest that the user accounts are valid, and to ensure the systems managers respond in a timely fashion.

But fret no more; Sun's IdM 7.1 has a new PAR subsystem built into it to make PARs almost OOTB. You can set a review task to start on a regular basis to scan all user accounts and send a report to the manager of a resource or organization unit (or to both) to validate the user accounts on their system. There are new reports to help managers review the user accounts and quickly attest or challenge (or pass on to a delegate) the users' access. There are summary reports that help auditors see the state of each PAR and determine which managers have not responded yet.

One other feature I will mention in passing, which I will go into in more detail in a future posting, is the ability of an attesting manager to request that a user's account information be refreshed from live data at the time of attestation. This ensures the audit is working on current-state data, not the data at the time of the original scan. More later.


posted by oneillds Jun 25 2007, 08:58:02 AM EDT

Monday June 18, 2007
New in 7.1: Delegation by type
One of the nice features in 7.0 is the ability to delegate your responsibility to someone else.  All delegation chains are recorded for a legitimate audit trail, are checked to avoid circular delegation (the buck passes all the way back to you), and set for a time limit (just for next week while I am on vacation!).

In 7.1, you can now do delegation by type. This is an extension of the work item types and can be extended by your development team to handle any delegation types you want. Out of the box, delegations can now be split along task types.

Examples are best. In 7.0, you could pick Jerome to handle all of your delegations next week while you are on vacation.  In a 7.1 deployment, you could have Jerome handle your approvals, Kathy your account attestations, and Chick, your role request approvals.

The out of the box tasks include:
  1. Approvals
  2. Organization Approvals
  3. Resource Approvals
  4. Role Approvals
  5. Attestation
  6. Review
  7. Access Review Remediation
Delegations can be canceled at any time and can be canceled by type.

There is now a new configuration type, "workItemTypes", which is an extension of either one of the above tasks (Attestation, Review, etc.) or of the base workItem. This gives your project the flexibility to add its own custom tasks and permit their delegation separately from the other types of delegation.

Delegations in 6.0 will be upgraded to the new configurations on an upgrade to 7.1.
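A Python model of delegation by work item type, covering both this post and the "Delegation Work Items" post above: a type hierarchy rooted at workItem, delegations scoped to a type where the most specific match wins, a time limit, the circular-delegation check, cancellation by type, and work items returning to the delegator with a disabled delegatee's name in parentheses. It is an added example, not IdM's own code: the class and function names are invented, and "Vendor Approvals" is a constructed custom type extending "Approvals".

```python
"""Delegation by work item type: a type hierarchy rooted at workItem,
delegations scoped to a type (most specific match wins) with a time limit,
a circular-delegation check, cancellation by type, and work items returning
to the delegator with a disabled delegatee's name in parentheses.
Added illustration with invented names; not IdM's implementation."""
from dataclasses import dataclass
from datetime import date

# Constructed hierarchy, child -> parent. OOTB names from the post;
# "Vendor Approvals" is an invented custom type extending "Approvals".
WORK_ITEM_TYPES = {
    "workItem": None, "Approvals": "workItem",
    "Organization Approvals": "Approvals", "Resource Approvals": "Approvals",
    "Role Approvals": "Approvals", "Attestation": "workItem",
    "Review": "workItem", "Access Review Remediation": "workItem",
    "Vendor Approvals": "Approvals",
}


def lineage(item_type):
    """item_type followed by its ancestors up to workItem."""
    while item_type is not None:
        yield item_type
        item_type = WORK_ITEM_TYPES[item_type]


def specificity(item_type):
    return len(list(lineage(item_type)))   # deeper in the tree = more specific


@dataclass
class Delegation:
    delegator: str
    delegatee: str
    item_type: str
    start: date
    end: date


class DelegationRegistry:
    def __init__(self):
        self.delegations, self.disabled = [], set()

    def _next_hop(self, person, item_type, on):
        """Active delegation covering item_type; the most specific type wins."""
        matches = [d for d in self.delegations
                   if d.delegator == person and d.start <= on <= d.end
                   and d.item_type in lineage(item_type)]
        return max(matches, key=lambda d: specificity(d.item_type)).delegatee if matches else None

    def add(self, d):
        """Reject a delegation whose chain (as of its start date) leads back."""
        seen, hop = {d.delegator}, d.delegatee
        while hop is not None:
            if hop in seen:
                raise ValueError(f"circular delegation via {hop}")
            seen.add(hop)
            hop = self._next_hop(hop, d.item_type, d.start)
        self.delegations.append(d)

    def cancel(self, delegator, item_type):
        """Cancel by type; broader or narrower delegations are left alone."""
        self.delegations = [d for d in self.delegations
                            if (d.delegator, d.item_type) != (delegator, item_type)]

    def disable(self, person):
        self.disabled.add(person)

    def route(self, owner, item_type, on):
        """Who handles owner's item of item_type on a date. A disabled
        delegatee sends the item back to the last delegator, labelled."""
        current, seen = owner, set()
        while current not in seen:
            seen.add(current)
            nxt = self._next_hop(current, item_type, on)
            if nxt is None:
                return current
            if nxt in self.disabled:
                return f"{current} ({nxt})"
            current = nxt
        return current


def demo():
    """Constructed scenario: Sean's vacation week, delegated by type."""
    reg = DelegationRegistry()
    week = (date(2007, 6, 18), date(2007, 6, 22))
    reg.add(Delegation("Sean", "Jerome", "Approvals", *week))
    reg.add(Delegation("Sean", "Kathy", "Attestation", *week))
    reg.add(Delegation("Sean", "Chick", "Role Approvals", *week))
    reg.add(Delegation("Kathy", "Chick", "Attestation", *week))   # a chain
    on, out = date(2007, 6, 20), {}
    out["resource"] = reg.route("Sean", "Resource Approvals", on)      # Jerome
    out["vendor"] = reg.route("Sean", "Vendor Approvals", on)          # Jerome
    out["role"] = reg.route("Sean", "Role Approvals", on)              # Chick
    out["attest"] = reg.route("Sean", "Attestation", on)               # Chick
    out["expired"] = reg.route("Sean", "Approvals", date(2007, 6, 25))  # Sean
    try:
        reg.add(Delegation("Jerome", "Sean", "Approvals", *week))
        out["circular_rejected"] = False
    except ValueError:
        out["circular_rejected"] = True
    reg.cancel("Sean", "Role Approvals")
    out["role_after_cancel"] = reg.route("Sean", "Role Approvals", on)   # Jerome
    reg.disable("Jerome")
    out["after_disable"] = reg.route("Sean", "Resource Approvals", on)   # Sean (Jerome)
    return out
```

Two details carry the security value: the circular check walks the existing chain before a delegation is recorded, so the buck cannot come back around to the delegator, and routing stops at a disabled delegatee rather than silently leaving approvals with an account nobody operates.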




posted by oneillds Jun 18 2007, 12:28:47 PM EDT

Sun Identity Manager (IdM) 7.1 New Features - Forgot Your User ID
Ok, time to start reviewing the new features in Sun Identity Manager version 7.1.  Should cover all the major points in the next few blogs.

The first change you can see: we have added the "Forgot Your Password" functionality to the login screens. Clicking on this takes you to the answer-security-questions screen.


The user will have to match a known IdM account. The user ID will be forwarded to the mail address on file with IdM, and the password will be reset and require a reset on login.

All OOTB.

posted by oneillds Jun 18 2007, 12:04:53 PM EDT

Tuesday June 05, 2007
Microsoft Identity Lifecycle Manager 2007
Doing some more research on where the competition is at, and I have been asked some questions about Microsoft's MIIS offering, for which our IdM has a resource adapter. Actually, it's our SQL Server adapter customized for managing the MIIS tables directly.

Decided to catch up on the announcements that Microsoft made at the RSA 2007 conference and got a chance to watch the Microsoft clip on the newly announced Microsoft Lifecycle Manager 2007. You will have to watch it through IE, as MS cannot seem to get a clip to stream through Firefox, even into its own Media Player 10.

All I can say is wow, are they far behind. The product lead discusses how the yet-to-be-released MLM will handle user life cycle identities (like "provisioning" and "deprovisioning" users from multiple directories).

And, hold on to your hats, in the middle of 2008, MLM v2 will be introduced that will allow "end user complete control of their lives, like password resets".  It will even "implement password policy enforcement". Wow, like how cool is that!

Waveset and the subsequent Sun Identity Manager versions (as well as many of our competitors) have had these features for years, some out of the box. Why would anyone consider waiting a year for features that we implemented (not just introduced) nearly 5 years ago?

Microsoft is known not to be on the forefront of technology, but this is way late to the game. And they seem proud of their announcement.

As many of you know I normally am not into the bashing of competition (we let our products speak for themselves), but this was just too entertaining not to share.

Maybe, by 2010 they can have version 3 out that will help with compliance auditing, attestations/periodic access reviews, and separation of duty review. Oops, we have had that for nearly two years and are on our third iteration.

You must really buy into the MS dogma if you find MLM 2007 exciting and bet your identity infrastructure on the future deliverables.




posted by oneillds Jun 05 2007, 11:08:46 AM EDT

Monday June 04, 2007
Sun Identity Manager Release 7.1
Friday was the official release of IdM 7.1. It will be the basis for the next couple of blogs.

Please download it from http://www.sun.com/download/products.xml?id=465c7d96

New in this release 7.1:
  1. Periodic Access Review Enhancements
  2. Policy violation prioritization
  3. Resource Adapters Additions and Updates
  4. Bug Fixes and Platform Support Updates

posted by oneillds Jun 04 2007, 11:29:39 AM EDT

Friday June 01, 2007
Like, how lame is that!
Hi all.

Been busy as anything for the last few months and have kind of dropped out of the blogging habit, but ran across something today that I thought might entertain a little.

Was doing some research on IBM's TIM versus Sun's Identity Manager (we have replaced TIM implementations on a regular basis).

Was utilizing the IBM public website to review information about the latest on TAM.

Middle of the page is a link for "Analyst Report: Gartner's Magic Quadrant for User Provisioning for 1H06". After you pass through one screen warning you that the next screen is out of IBM's control, you go to the Gartner site and see a Magic Quadrant report with IBM clearly in the upper right.

But here's the funny thing: it's not the report you think. It's the Magic Quadrant for Security Information and Event Management, 1H06, a category Sun does not have an entry in. If you weren't paying attention, you would think IBM is the leader in Identity Management.

If you look at the real Gartner report, you will see IBM up there. Well behind Sun.

Nice bait and switch. Made my day!

Anyway, hope to blog more now that Sun IdM 7.1 is on the way.


posted by oneillds Jun 01 2007, 12:17:20 PM EDT

Thursday January 18, 2007
Time to Embrace Meta View
Questions keep arising around Sun Identity Manager's MetaViews. I thought a brief attempt at an explanation might help.

As a workflow engine, IdM's raison d'etre is to collect and manipulate attributes about users and their accounts throughout the IT infrastructure. FirstName and LastName attributes may be retrieved from the HR system, passed through a rule that manipulates the string to create a userid (perhaps Lastname + the first two letters of the first name), and then pushed down a resource adapter as an attribute. Individual forms can then validate and further manipulate it during this process.

At the end of the project, you end up with an intricate tapestry of workflows and manipulations. Any change to the attribute logic means you have to figure out where it is being used and which forms, rules and resources work with it. It gets sticky fast.

MetaViews flip this problem inside out to greatly simplify the building and maintenance of provisioning workflow logic.  A "Meta View" of the user is logically created within the workflow as an object and each attribute is responsible for expressing itself.  The meta view attribute knows where to gather its "inbound" user information (from HR perhaps) and how to manipulate the information (perhaps running the above mentioned rule).  Then, every resource adapter that needs that information just maps to the meta view attribute.

This centralizes all of the information within the workflow into one location. Need to make a change?  Only modify the metaview and all references to that attribute receive the update. Need to change an authoritative resource? In the old method, you would have to find all references to the resource attributes and logic and update them to reflect the shift in source. But in the meta view approach, all you have to do is repoint the attribute to the new resource. All other references stay the same.
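The following Python model is an added illustration of the meta view idea, not IdM's MetaView implementation: the names MetaAttribute, MetaView, build_view, provision, INBOUND and ADAPTER_MAPPINGS are invented, and the two HR feeds are constructed. Each attribute knows its inbound source and how to derive itself, the resource adapters map to meta view attributes only, and repointing the authoritative source changes nothing downstream:

```python
"""Toy meta view: every attribute knows its inbound source and how to
derive itself, and resource adapters map to meta view attributes rather
than to each other. Added illustration with invented names; not IdM's
MetaView code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed inbound data: two HR systems exposing the same person under
# different attribute names (the candidate authoritative resources).
INBOUND = {
    "HR":    {"emp_fname": "Sean", "emp_lname": "ONeill"},
    "NewHR": {"givenName": "Sean", "sn": "ONeill"},
}

# Constructed outbound mappings: target attribute -> meta view attribute.
ADAPTER_MAPPINGS = {
    "ActiveDirectory": {"givenName": "firstName", "sn": "lastName",
                        "sAMAccountName": "userid"},
    "RACF": {"USERID": "userid"},
}


@dataclass
class MetaAttribute:
    name: str
    source: Optional[Tuple[str, str]] = None                # (resource, attribute) to pull from
    derive: Optional[Callable[[Dict[str, str]], str]] = None  # computed from other meta attrs


class MetaView:
    def __init__(self):
        self.attrs: Dict[str, MetaAttribute] = {}

    def define(self, attr):
        self.attrs[attr.name] = attr

    def repoint(self, name, resource, attribute):
        """Change an attribute's authoritative source; nothing downstream moves."""
        self.attrs[name].source = (resource, attribute)

    def resolve(self, inbound):
        """Gather inbound values, then run derived attributes over them."""
        values = {a.name: inbound[a.source[0]][a.source[1]]
                  for a in self.attrs.values() if a.source}
        for a in self.attrs.values():
            if a.derive:
                values[a.name] = a.derive(values)
        return values


def make_userid(v):
    # The post's rule: last name + first two letters of the first name.
    return (v["lastName"] + v["firstName"][:2]).lower()


def build_view():
    """Meta view initially fed by the HR resource."""
    view = MetaView()
    view.define(MetaAttribute("firstName", source=("HR", "emp_fname")))
    view.define(MetaAttribute("lastName", source=("HR", "emp_lname")))
    view.define(MetaAttribute("userid", derive=make_userid))
    return view


def provision(view, inbound=INBOUND, mappings=ADAPTER_MAPPINGS):
    """What each resource adapter would push, resolved through the meta view."""
    values = view.resolve(inbound)
    return {target: {tgt_attr: values[meta_attr] for tgt_attr, meta_attr in m.items()}
            for target, m in mappings.items()}
```

Switching the authoritative source from HR to NewHR is two repoint calls on the view; the userid rule and both adapter mappings are untouched and produce the same output.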

It's a new concept and we realize it will take some time for designers and developers to get used to. In Sun IdM 6.X, the concept was introduced as an option. In IdM 7.X, it is a clear choice and encouraged by the administration screens. Logic would indicate that in 8.X it will continue its move to center stage.

So review the documentation on Meta View and at least get the concepts down. Perhaps build some simple logic using the approach; it will take some getting used to. If you are just starting out on an IdM development project, give serious consideration to going the meta view route for the project.

posted by oneillds Jan 18 2007, 09:16:16 AM EST

Wednesday January 10, 2007
Time to Plan 2007 Identity Attacks
Happy New Year. Don't know about you, but it's been busy and blogging had to take a back seat for a while.

Start off the year with a reminder to be sure to balance your Identity Project between ROI-type goals and compliance. Again and again we see projects that are started for compliance reasons and are soon in the weeds due to lack of funding.

Remember, compliance projects are expense projects. There is no direct add to the bottom line; it's cost avoidance. Once the project spends its first wad of funding to get the system up and running, unless there is some ROI in the mix, funding will start to dry up as management tries to lower compliance costs using your system. It could even mean the project dies a slow, cruel death.

So, as a new year's resolution, work some password resets into the mix or user self service. This IdM utility cuts down on the administration support (more than you think; try our free ROI calculator).  Even if you put in a simple "demo" version of these functions, it will give management the idea that there is money hidden within all that compliance spend.



posted by oneillds Jan 10 2007, 10:20:31 AM EST

Thursday November 09, 2006
Identity Manager 7.0
Now, even though this blog appears here via the good graces of my humble employer and warlord, Sun Microsystems, I try to keep it vendor neutral (you are all smart people and realize anything from blogs.sun.com comes with its own set of spices). However, I did want to give some space to the newly announced Sun Identity Manager 7.0.

I loaded it in my development space and actually have it running with NetBeans 5.5 as the front end. This lets me view the script files, scan the underlying Waveset classes, quickly look at the repository tables in MySQL, and start and stop application servers. It also lets me run two IdMs on the same box, so I can play with one and have another environment for play. I also get CVS capabilities to track any changes I make to the code.

One other nice feature of running with the NetBeans interface is that I can hook the included Tomcat environment in debugging mode. It runs really slowly, but I can stop and look at specific points within the product from the IDE. I need to play some more with this, but a good debugger to me is more important than a good editor. More later on this.

As for IdM 7.0, it looks great so far. The Lockhart interface is continued from 6.0 and has been cleaned up to match other Java System products. The biggest change for IdM 6.0 users is the inclusion of Auditing and Service Provider, which used to be separate products. Now all aspects of IdM, IdA, and IdM SPE can be managed and viewed through the same admin station. I have not seen that in any other vendor's offering.

And it may be me, but the system runs a lot more snappy (don't you love technical terms?). I have not had time to do comparison trials against 6.0, but working with 7.0 just feels more solid. I have not run into any major problem areas.

Kudos to the product team on an excellent upgrade.  For those outside the wall, look for general release in a few weeks.

posted by oneillds Nov 09 2006, 11:48:11 AM EST Comments [1]

Monday November 06, 2006
How to do it.... size up an identity architecture...
Monty Python had a great skit years ago on both record and television - "How to do it..." where they promised to show you how to play the flute (blow in one end and move your fingers over the holes), etc.  So basic were the instructions, they are really useless.

Within such a context, today we discuss some "how to do it" rules of thumb for identity architecture. This came up recently when sizing a client architecture and the client wanted to know "how to do it". In the end, you won't be that much closer to being a real architect, but you could play one on TV.

First, we work with a series of "rules of thumb".  Don't ask where they come from; many are based on years of trial and error on many projects, but you cannot point to a definitive study that proves them right or wrong. Here are some we work with:
  1. When you start working with 1 million users that are frequently updated, consider using IdM Service Provider Edition (SPE).
  2. It's tough to justify IdM projects for user populations under 5,000. There are usually not enough users to justify the investment, and they are most likely an entrenched MS AD user who has not outgrown it yet.
  3. While LDAP directories can scale to millions of users, you have to really optimize your DIT as you get to 15 million entries and should seriously consider partitioning the data set when the entries get into the 25 million to 30 million range. Not that the directory cannot handle more, but backup and recovery times become so long as to be unacceptable.

There are others out there, but these are quite handy.

So how does one architect an IdM architecture? Everyone wants to do this before the project so they can buy the needed hardware. Which, of course, is a pretty backwards way to do it. Would you order all of the supplies to build a house if you had not architected it yet? Why does everyone want to buy before the project has had a chance to go through its "Design and Analysis" phase?

By waiting to order gear until then (okay, order some to start development), the actual payload the system must handle will be clearer and the transaction rate better understood. An IdM system may manage 1,000,000 entries, but the overall load might be light. One user record change per week in a field of 1M users is a light load. Each user record changing once a week is a different story.

So, try to determine the payloads you will need to support. It's not the number of users, but the number of updates per hour/day/week that's important. It's not the number of entries in the LDAP directory, but the number of updates the system must handle. It's not the number of password resets that is of critical importance, but how many concurrent users are doing password resets online.

So make some good estimates of the payloads the system will support. That will give you transactions per hour, concurrent user sessions needed, etc. Then size the hardware needed to support that payload. This can be done from published performance and stress testing.
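To make the payload-first argument concrete, here is an added Python example (not from the post or from any Sun sizing guide; the two workload profiles are constructed and the 40-hour window is an assumption) that takes change rates rather than head counts and turns them into a peak hourly transaction rate and, via Little's law, the number of concurrent sessions the system must hold open:

```python
"""Payload-first sizing: turn a workload profile (how often things change,
not how many users there are) into peak transactions per hour and
concurrent sessions. Added example, not from the post or a Sun sizing
guide; the profiles are constructed and the concurrency step is Little's
law (concurrency = arrival rate x time each transaction stays open)."""

BUSINESS_HOURS_PER_WEEK = 40.0   # assumption: updates arrive in a 5x8 window
USERS = 1_000_000                # the population from the post's example


def hourly_rate(events_per_week):
    """Average transactions per business hour."""
    return events_per_week / BUSINESS_HOURS_PER_WEEK


def concurrent_sessions(events_per_hour, seconds_per_event):
    """Little's law, L = lambda * W, with lambda converted to events/second."""
    return events_per_hour / 3600.0 * seconds_per_event


def estimate(profile):
    """profile: (name, events_per_week, seconds_per_event, peak_factor) tuples.
    peak_factor scales the average hour up to the busiest one (Monday 9am)."""
    totals = {"sources": {}, "peak_events_per_hour": 0.0, "peak_concurrent": 0.0}
    for name, per_week, seconds, peak_factor in profile:
        rate = hourly_rate(per_week) * peak_factor
        conc = concurrent_sessions(rate, seconds)
        totals["sources"][name] = {"peak_events_per_hour": rate, "peak_concurrent": conc}
        totals["peak_events_per_hour"] += rate
        totals["peak_concurrent"] += conc
    return totals


# Constructed profiles for the same 1M-user population.
LIGHT = [("hr_changes", 1, 5, 1.0)]              # one record changes per week, in total
HEAVY = [("hr_changes", USERS, 5, 1.0),          # every record changes once a week
         ("password_resets", 50_000, 180, 4.0),  # self-service, 4x average at peak
         ("approvals", 20_000, 60, 2.0)]
```

Both profiles describe the same 1,000,000 users; the light one works out to a fraction of a transaction per hour and the heavy one to tens of thousands, which is the post's point about counting updates rather than entries. The concurrency figure is what matters for the password-reset case: a few thousand resets an hour that each hold a session for three minutes means a few hundred sessions open at once.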

Granted, there is much more to properly architecting a system during design and analysis, but I did say this was "how to do it...".  Your systems integrator and software partners should be able to help you in this area.  However, you need to be able to tell them how much power you need.

posted by oneillds Nov 06 2006, 01:46:05 PM EST

Monday October 16, 2006
Realistic Sizing for IdM Projects
Once you've done your research (or it's been done for you) and the software license is purchased, we all know what the next question will be: how will this software get implemented and how much will it cost?

Beware of "boil the ocean" IdM projects (check out the "boil the ocean" analysis for Solaris 10's ZFS). As mentioned before, IdM can address several different areas within the organization, including:
  1. Provisioning/reduced system administration
  2. Compliance Implementation
  3. Compliance reporting
  4. Compliance auditing
  5. User Self Service
  6. Password Resets
  7. "Meta" directory functions
  8. Reduced support tracking
  9. Authentication and Authorization
  10. Centralized directory consolidation
So, what to tackle and what will it cost?

The last article warned of getting trapped in the compliance death spiral. It helps you get started, but your budget could end up on the cutting block.

I can't tell you how many large clients go after a big project with unrealistic expectations of what it costs to implement (see our ROI calculations earlier to help justify the costs). But we continually run into clients trying to do IdM for $100K or less.

Any of the analysts within the space will tell you this is an ongoing ERP-type project. There is no end, just evolution. So be realistic with your upper management. It will cost six figures, and possibly seven (oh, no, Mr. Bill!), and it may be a while before savings recover outlays.

At a recent client, we reviewed their attempt at implementation and counseled them that the amount targeted for the type of installation they were attempting was unrealistic. Well, a new CIO has come on board (gee, what happened to the last one; he was cutting costs!), who actually worked for a competitor of ours. He looked at the budget and concluded that it was way underfunded and needs a review to recalibrate expectations and costs.

Look, we are not in the business of driving up professional services as much as we can (to the disbelief of some). But be realistic: this is a complex topic that will affect your business and will save money in the end. As we tell many clients, this is brain surgery. You will be messing with the core directory and authentication mechanisms that run your company's systems. One slip of the knife and you can seriously maim or kill the patient. Permanently.

So, how many people have the expectation that brain surgeons should be shopped around for the lowest cost?

posted by oneillds Oct 16 2006, 09:19:33 AM EDT