Thursday June 19, 2008
New IdM 8.0 Data Exporter


The new Identity Manager 8.0 data exporter is a major new feature. As mentioned before, the architecture of Identity Manager is "data sparse", meaning we mostly store metadata about users and accounts, not the actual values. This greatly reduces the chance of passing "stale data" to systems under management. When you want to know what a user's email address is, Identity Manager retrieves it from the email system, not from a repository. You have the freshest data, not what you think it was the last time you synced up.
This model has proven to be the correct approach in provisioning design. But it comes up short when customers want to do more auditing and performance analysis. When all you have is current, fresh data, it's tough to ask the question "who had access to the financial system during the first two weeks of the month when a security breach occurred?" or "how long on average does it take for a user to be provisioned?". We can do it, but it gets messy in the audit logs.
So now 8.0 has a data exporter sub-system built in. It allows the deployment team to determine what objects in IdM they want to report on and capture that data from within IdM and post it to a series of staging tables. These staging tables can then be accessed by the warehouse ETL to bring the data into the warehouse.
The process is really quite elementary. A data exporting task is started that forms export records from the underlying IdM objects. You can run the task so that it exports only information that has changed since the last time the export task ran. The data is then loaded into the staging tables, and from there it is transferred into the customer's data warehouse of choice.
Two schemas are involved. The first is an ObjectClass schema that helps shape the object data within IdM into something that matches the staging table schema. IdM 8.0 comes with scripts to build these staging tables in all of the supported repositories. They represent most of the important objects within IdM. If you want to export extended attributes, you will have to modify these ObjectClass schemas and tables. IdM also provides export schemas that read the staging tables and help shape the data into something the warehouse beans can consume. As shown above, we also provide a way to connect to the external tables and run basic forensic reports from within IdM.
The beauty of this dual-schema staging table approach is that it abstracts the underlying structure of IdM from the data export interface, allowing changes to be made to IdM in future versions without "breaking" existing export configurations. IdM can change and the warehouse can change without requiring a complete reconfiguration.
The new data export feature uses Hibernate, a Java object-relational mapper, as the underlying transformation engine, which handles the mapping of IdM Java objects into relational database table structures. IdM 8.0 provides default Warehouse Interface Code (WIC): Java classes that define the underlying schema of common IdM objects. Not all IdM objects are defined, but the important ones are. They should work in the majority of IdM deployments, but if extended or custom attributes need to be exported, these WIC classes will need to be redefined and regenerated. We include both binary and source versions of this code to help with deployment configuration.
If you are considering using the data exporter feature, be sure to consider the impact it will have on the server it is deployed on. You may want a dedicated server for the exporting engine, as it is resource intensive. You definitely do not want to run it on a server that also serves the user GUI, as this will slow response times. You can schedule the exporter tasks to run in off hours to lower the impact. Good news: the new data exporter subsystem exposes JMX interfaces on both the pre- and post-staging-table beans, so you can monitor how fast the exporter is working.
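To make the staging-table idea concrete, here is an added example (my own illustration, not code from Identity Manager 8.0 or its WIC classes) of the three steps described above: an incremental export task that stages only users changed since the previous run's watermark, an ETL step that loads a staged snapshot into an effective-dated warehouse history, and the "who had access during that window?" query that the data-sparse live repository cannot answer on its own. Every table, column and user name is invented for illustration, the sample accounts are constructed inline, and SQLite stands in for the repository and warehouse.

```python
"""Added example (not code from Sun Identity Manager): incremental export of
user/resource assignments into staging tables, a warehouse load that keeps an
effective-dated history, and a point-in-time audit query over that history.

Every table, column and user name is invented for illustration; the sample
data is constructed inline. The real 8.0 staging schema differs.
"""
import sqlite3
from typing import Dict, List, Tuple

# Stand-in for the data-sparse live repository: only assignment metadata
# (which resources a user holds) plus a last-modified timestamp that the
# exporter uses as its change watermark. Constructed sample data.
LIVE: Dict[str, dict] = {
    "alice": {"modified": "2008-06-01T08:00:00", "resources": {"email", "financials"}},
    "bob":   {"modified": "2008-06-01T08:00:00", "resources": {"email"}},
}

DDL = """
CREATE TABLE stg_export_run (run_id INTEGER PRIMARY KEY,
    watermark TEXT NOT NULL, snapshot_ts TEXT NOT NULL);
CREATE TABLE stg_user (run_id INTEGER, user_id TEXT);
CREATE TABLE stg_user_resource (run_id INTEGER, user_id TEXT, resource TEXT);
-- warehouse history: one row per (user, resource) holding period;
-- valid_to IS NULL means the assignment is still current
CREATE TABLE dw_user_resource (user_id TEXT, resource TEXT,
    valid_from TEXT NOT NULL, valid_to TEXT);
"""


def export_changes(conn: sqlite3.Connection, live: Dict[str, dict],
                   snapshot_ts: str) -> int:
    """One run of the export task: stage only users modified after the
    previous run's watermark. Returns the number of users staged.

    Caveat: the test is strictly greater-than, so a change stamped with the
    exact watermark value after the previous run read it would be missed; a
    production exporter should key on a monotonic sequence number instead."""
    cur = conn.cursor()
    watermark = cur.execute(
        "SELECT COALESCE(MAX(watermark), '') FROM stg_export_run").fetchone()[0]
    changed = {u: d for u, d in live.items() if d["modified"] > watermark}
    if not changed:
        return 0
    cur.execute("INSERT INTO stg_export_run (watermark, snapshot_ts) VALUES (?, ?)",
                (max(d["modified"] for d in changed.values()), snapshot_ts))
    run_id = cur.lastrowid
    for uid, d in changed.items():
        # stage the user even when it holds no resources any more, so the
        # load step can close its open intervals
        cur.execute("INSERT INTO stg_user VALUES (?, ?)", (run_id, uid))
        cur.executemany("INSERT INTO stg_user_resource VALUES (?, ?, ?)",
                        [(run_id, uid, r) for r in sorted(d["resources"])])
    conn.commit()
    return len(changed)


def load_run(conn: sqlite3.Connection, run_id: int) -> None:
    """ETL step: apply one staged snapshot to the effective-dated history.
    Assignments that disappeared get their interval closed at the snapshot
    time, new ones get an open interval, unchanged ones are left alone."""
    cur = conn.cursor()
    ts = cur.execute("SELECT snapshot_ts FROM stg_export_run WHERE run_id = ?",
                     (run_id,)).fetchone()[0]
    users = [r[0] for r in cur.execute(
        "SELECT user_id FROM stg_user WHERE run_id = ?", (run_id,))]
    for uid in users:
        now = {r[0] for r in cur.execute(
            "SELECT resource FROM stg_user_resource WHERE run_id = ? AND user_id = ?",
            (run_id, uid))}
        held = {r[0] for r in cur.execute(
            "SELECT resource FROM dw_user_resource WHERE user_id = ? AND valid_to IS NULL",
            (uid,))}
        for res in held - now:
            cur.execute("UPDATE dw_user_resource SET valid_to = ? "
                        "WHERE user_id = ? AND resource = ? AND valid_to IS NULL",
                        (ts, uid, res))
        cur.executemany("INSERT INTO dw_user_resource VALUES (?, ?, ?, NULL)",
                        [(uid, res, ts) for res in sorted(now - held)])
    conn.commit()


def who_had_access(conn: sqlite3.Connection, resource: str,
                   start: str, end: str) -> List[str]:
    """Forensic question: who held `resource` at any point in [start, end]?
    An interval overlaps the window if it began no later than the window's
    end and was not closed before the window's start."""
    rows = conn.execute(
        "SELECT DISTINCT user_id FROM dw_user_resource WHERE resource = ? "
        "AND valid_from <= ? AND (valid_to IS NULL OR valid_to >= ?) ORDER BY user_id",
        (resource, end, start))
    return [r[0] for r in rows]


def demo() -> Tuple[int, int, int, List[str], List[str]]:
    """Two export runs, one no-op run, then two audit queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    live = {u: dict(d, resources=set(d["resources"])) for u, d in LIVE.items()}
    n1 = export_changes(conn, live, "2008-06-02T00:00:00")
    load_run(conn, 1)
    # constructed changes: alice loses financials, carol is created with it
    live["alice"]["resources"].discard("financials")
    live["alice"]["modified"] = "2008-06-10T09:00:00"
    live["carol"] = {"modified": "2008-06-12T09:00:00", "resources": {"financials"}}
    n2 = export_changes(conn, live, "2008-06-15T00:00:00")
    load_run(conn, 2)
    n3 = export_changes(conn, live, "2008-06-16T00:00:00")  # nothing changed
    first_half = who_had_access(conn, "financials", "2008-06-01", "2008-06-14")
    second_half = who_had_access(conn, "financials", "2008-06-16", "2008-06-30")
    return n1, n2, n3, first_half, second_half


if __name__ == "__main__":
    print(demo())
```

Note the resolution caveat: the history only knows what each snapshot saw, so alice's loss of "financials" on June 10 is recorded as of the June 15 export. If the audit question needs finer granularity than the export schedule, run the exporter more often or export the audit events themselves rather than periodic state.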
More in future posts. For now, good documentation is available from our public website.

Tuesday June 17, 2008
What's not new in Sun Identity Manager 8.0
Big week this week with the release of Sun Identity Manager 8.0. Many of our partners are already trained and working with the new version. Plans are already being discussed for upgrading client sites to IdM 8.0 to take advantage of roles and the data exporter.
Before we get into more of the details of the new features, I wanted to get off a quick entry on what features are no longer available or not supported yet. Knowing what is and is not in the product is important.
So, without further ado, here is what is not in Identity Manager 8.0:
1) Java-based Business Process Editor (BPE) - originally shipped with Waveset products and enhanced over the years. In 6.0, we started to migrate the configuration capabilities into a NetBeans plug-in. Each new release improved the integration with NetBeans (meaning, originally, the plug-in acted like the BPE, but now it is more aware of the features and capabilities of the NetBeans platform). So as of IdM 8.0, all BPE-type work is done through the NetBeans plug-in. Thus, the old BPE is deprecated and going the way of the dodo. Good news though: Sun has open sourced these plug-ins for all to participate in. Again, who else in this business does that?
2) Meta View - This was a good idea that never really took hold. Meta Views allowed abstracting attributes so they could be centrally managed: workflows and views could reference the Meta View attribute, and it could be managed in one location. Meta Views worked great when starting out, but they were order sensitive and got tricky to implement, and they never really caught on. IdM 8.0 will still support upgrades of existing Meta Views, but they are deprecated and should be replaced. So, to both of you who implemented them (sorry, gallows humor): be aware they are on the way out.

3) MySQL in Production - Still not there yet. This is filed under the category "real soon now". As many know, we permit MySQL in development, but do not support it in production environments. MySQL 5.1 has a known problem with nested selects, which unfortunately we use within IdM. The query will run, but the optimizer does not always take advantage of the available indexes, so performance will suffer as the system scales, as it does in production.
But don't we own MySQL? Isn't it fixable? Yes, it has been fixed in MySQL 5.2, which never reached general release, and in MySQL 6.0, which is in pre-release testing. No effort was made to fix it in 5.1. Since neither 5.2 nor 6.0 is officially released, we cannot support it in production environments. Yet. Unfortunately, the code freeze for IdM 8.0 occurred before our acquisition of MySQL, so we will have to wait for official support in a future release of IdM. Trust me, this is a priority. Real soon now.
We have also discontinued support for many older versions of software (really, who is seriously still working with Red Hat Server 2.1?). Check here for a complete list of deprecated software support.

Monday June 16, 2008
Released: Identity Manager 8.0


Was told to hang on until the press releases went out, but here it is on the public website: Sun's industry leading Identity Manager 8.0 has been released. You can read about it here, you can download it here (yes, download. Can you do that with Oracle or IBM?), and you can read all the documentation you want from here.
So, what's new.
Roles, thats what.
And Data Exporting.
And additional resources supported.
Will be blogging about these features and other information from the release notes in the coming weeks. Don't want this to become a marketing shout out blog, because the intended purpose of this is to discuss identity projects and problems, not product features. But sometimes these new features help with the delivery of identity projects.
So what's new in 8.0 and why is it important to me? First off is role management. Identity Manager had the concept of a role in it, but at a basic level. An administrator could group a series of entitlements together and give it a role name. Then the role could be assigned to an organization node and thus have some owner be responsible for it.
But it was never really a solid role management approach. Our engineers have worked long under the hood to create a more generic object type and give roles a life (think Dr. Frankenstein: "it's alive!"). Roles now behave like UserObjects - they are created, they are approved, they have an owner, they can be modified, they can be audited, they can be scheduled, and they can be deactivated.
Identity Manager 8.0 also defines two types of roles: the traditional IT role, where the role grants entitlements on specific resources (this is the traditional IdM role), and the business role, which is an aggregation of IT roles. Business roles carry no entitlements of their own, but they help business users understand what a group of entitlements does.
Quick example: the role of employee identifies me as an employee, but does not really tell the world what I can do as an employee. But the "employee" business role could contain the IT roles of email user, phone account holder, and medical insurance account holder. Each of these IT roles has specific entitlements that give the user capabilities. The IT roles included can even vary based on other criteria, such as location: an employee in England or Taiwan is still an employee, but will get different IT roles matching their local systems.
One way to think of it is an egg carton analogy. A business role is an egg, the IT roles are what is inside it, and the user account is the carton collecting eggs. An employee's account might hold "employee", "Sales Manager", "Equity owner", and "Project X Lead", each of which a non-technical business person can understand in plain language. To see the underlying IT capabilities, you crack open the business roles and look at the IT roles inside.
More on this going forward. But a quick side bar: why did we buy Vaau? Is this role management from that acquisition? The answer is no; the acquisition of Vaau was completed after IdM 8.0's code was frozen for release. The two are integrated via SPML and can work together as well as stand alone. The new Sun Role Manager (formerly RBACx from Vaau) will remain the tool of choice for full role architecture and management. But the new role management capabilities of IdM 8.0 may be sufficient for your project.
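To show how the business role / IT role split works out in practice, here is an added example (my own illustration, not Identity Manager code or its role object model) that expands a user's business roles through IT roles down to per-resource entitlements, with IT-role membership conditioned on user attributes such as location, and then diffs two expansions to show what an office transfer would provision and deprovision. Role names, resources and the condition format are invented; letting a business role contain another business role is a generalization beyond what the post describes.

```python
"""Added example (not Sun IdM code): expand a user's business roles through IT
roles into (resource, entitlement) pairs, with IT-role membership conditioned
on user attributes, plus a diff for provisioning/deprovisioning on change.

Role names, resources and the condition format are invented for illustration.
Business roles nesting other business roles is a generalization of the post.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]                            # (resource, entitlement)
Member = Tuple[str, Optional[Callable[[dict], bool]]]    # (role name, condition)

# IT roles are the only place entitlements live. Constructed catalog.
IT_ROLES: Dict[str, Set[Entitlement]] = {
    "email user":        {("exchange", "mailbox")},
    "phone account":     {("pbx", "extension")},
    "medical insurance": {("benefits-us", "member")},
    "nhs registration":  {("benefits-uk", "member")},
    "gl viewer":         {("financials", "read")},
    "gl approver":       {("financials", "approve")},
}

# Business roles carry no entitlements; they aggregate IT roles (or other
# business roles). A member's condition decides whether it applies to a given
# user, which is how one "employee" role yields different accounts in the US
# and the UK.
BUSINESS_ROLES: Dict[str, List[Member]] = {
    "employee": [
        ("email user", None),
        ("phone account", None),
        ("medical insurance", lambda u: u.get("location") == "US"),
        ("nhs registration", lambda u: u.get("location") == "UK"),
    ],
    "sales manager": [("employee", None), ("gl viewer", None)],
    "finance controller": [("gl viewer", None), ("gl approver", None)],
}


def resolve(user: dict, assigned: List[str],
            it_roles: Dict[str, Set[Entitlement]] = IT_ROLES,
            business_roles: Dict[str, List[Member]] = BUSINESS_ROLES
            ) -> Dict[Entitlement, Set[str]]:
    """Expand the assigned roles into entitlements. The result maps each
    entitlement to the IT roles that justify it, so an auditor can see why an
    account exists, not just that it does. Raises KeyError on an unknown role
    and ValueError on a cycle in the role hierarchy."""
    granted: Dict[Entitlement, Set[str]] = {}

    def walk(role: str, path: Tuple[str, ...]) -> None:
        if role in path:
            raise ValueError("role cycle: " + " -> ".join(path + (role,)))
        if role in it_roles:
            for ent in it_roles[role]:
                granted.setdefault(ent, set()).add(role)
        elif role in business_roles:
            for member, cond in business_roles[role]:
                if cond is None or cond(user):
                    walk(member, path + (role,))
        else:
            raise KeyError(f"unknown role {role!r}")

    for role in assigned:
        walk(role, ())
    return granted


def diff_entitlements(before: Dict[Entitlement, Set[str]],
                      after: Dict[Entitlement, Set[str]]
                      ) -> Tuple[Set[Entitlement], Set[Entitlement]]:
    """(to provision, to deprovision) when a user's roles or attributes
    change, e.g. a transfer from the US office to the UK office."""
    return set(after) - set(before), set(before) - set(after)


if __name__ == "__main__":
    us = resolve({"location": "US"}, ["sales manager"])
    uk = resolve({"location": "UK"}, ["sales manager"])
    for ent, via in sorted(us.items()):
        print(f"{ent[0]}:{ent[1]}  via {sorted(via)}")
    print("transfer US -> UK adds/removes:", diff_entitlements(us, uk))
```

Keeping the justification (which IT role granted each entitlement) is what makes the "who had access and why" questions answerable later, and the cycle check matters once business roles may nest: a role graph edited by several administrators will eventually acquire one.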
The other big new feature is the data exporter. One key feature of the Sun IdM architecture is the data-sparse "meta" nature of our user account repository. We don't carry all the data in the underlying database, which greatly simplifies account management because you don't have to worry about synchronization across accounts (which of three locations has the right email string for the user?).
However, this data sparse model limited the ability of the repository to help in historical auditing and data analysis. Without data, you can't really do any data analysis.
So, we have a new capability within IdM. You can now "snapshot" data while it is in flight to an exporting queue. Then an exporting task is executed to push the data into an external table or bean. From there, you can massage the data to your heart's content, and IdM's repository is not cluttered with vast quantities of data. We have even included a simple forensic reporter that can connect to this data and query it for answers. More on this later.
So, go download and start reviewing. We will bring more information in the coming weeks and go over the new features in detail.

Tuesday June 10, 2008
Ssssh. You will click if you know what's good for you.
Never can tell in a large organization who is driving the bus.
One group tells me we have to be patient and not blog about the new Identity Manager 8.0. We want to make an announcement soon about the new Identity Manager 8.0, in a couple of weeks (PR news releases and the like). Keep it all hush hush.
So, I don't know. I guess I will have to remain silent about the new Identity Manager 8.0 until it is available on a public web site.
Til then, stay busy.

Wednesday June 04, 2008
Live from The Identity Road Show - Identity becoming Core Security Focus
Getting towards the end of the morning presentations of the identity roadshow.
I see a recurring theme through many of the presentations, which usually means you should put this on the emerging concern radar to keep an eye on it. The presenters are analysts, partners, and Sun thought leaders in this area. These are not wild rants in the wilderness. But I am not sure they see the common thread.
What I divine from several presentations is that the future of identity is to be viewed as a core competency of Security and Risk Management. Identity management has always been positioned as an area of interest that helps with the general Security and Risk Management strategy of a company. Many of our large SI partners have their identity practice within their Security and Risk Management practice.
However, what I think I am hearing now is that instead of being a supporting pillar in the overall solution, identity management is becoming a core competency required for a successful program. This is significant. No longer is identity management a nice-to-have in an overall Security and Risk Management program (oh wait, doesn't the buzzword GRC (Governance, Risk, and Compliance) fit here? More on that in a future entry), but a required component of a successful program.
What does this mean? An enterprise must have a real and solid approach to identity management built into its overall Security and Risk Management model/program. In order to have a viable Security and Risk Management program, a solid identity management strategy is essential to success. Perhaps we should call it Security, Identity, and Risk Management?
Finally, after years of believing this and evangelizing the importance of a rock solid identity management program, we are finally getting a seat at the big table. We are no longer optional, but mandatory.
So as you slog away into the night trying to implement a new branch in a workflow or control a new set of attributes on a newly assigned resource, take heart. You toil not on the fringes, but on a project that is becoming a recognized must-have within your organization. What you work on will earn more and more respect going forward. The knowledge you gain today will become a key fundamental in the future direction of your organization.
Congratulations. But get that change done today. Your day will come. The blip is on the radar.
On another topic (teaser) - Mark down June 19th - Good things come to those who wait!
Identity Road Show Today in NYC
Usually not one who likes to read blogs and wade through "what I am doing now" entries (please, my life is fairly mundane, no need to bore the world with it), but just wanted to put in a quick note.
On the bus now (horrible hour of 6:30 AM) to join the
Sun Identity Roadshow in our New York City offices. Lots of customers, partners, and Sun Identity folks. Heading in early for a "NYC power breakfast (I'm still stuck in the 80's) with Mark Dixon. He is one of our troupers and is speaking at all of the roadshows. Catch him if you can.
So how far have we come with technology? Here is my nugget for the morning. Surprisingly, Mark's contact information was a little dated on my laptop here on the bus, so I VPN'd into Sun's directory and downloaded his contact info in a VCF file. Then I remembered Thunderbird does not have the ability to bring that into my contact database (shame on Thunderbird - for open source, open formats should be a given. Great product, but missed an easy feature).
However, a little Googling on the net turns up an extension that gives Thunderbird that capability. And I am downloading it from Germany. On a moving bus. Going through the Lincoln Tunnel. Under the Hudson River, and getting nearly 1 Mbps. How cool is that? Oh, and it works. Will blog later on the road show.