Steffo's Echolot
Only technical stuff here.
Saturday Feb 24, 2007
It's the processes, stupid
What makes identity management difficult? In short: complicated business processes.

Q: What's so complicated about business processes?
A: The fact that many companies are not willing to change their processes because they are carved in stone.

Q: Why should a company change a business process if all they want is an identity management tool? Can't the tool handle these processes?

Well, yes it can. Definitely. The only thing is, these processes need to be implemented and/or adapted. Identity management software comes with a whole bunch of preconfigured processes that could easily serve a customer's needs. The point is: many processes are the way they are because they use paper forms. Companies might want to change the processes if they change the media (i.e. moving from paper to electronic forms) or introduce a new tool.

What paper-implemented processes look like:
Suppose you request access to an IT resource by filling out a paper form. Since processes are handled by sending the form from A to B, the inefficiency of these processes is not visible to everybody: it takes two or more days (or even weeks) for the process to complete. Here, no one cares if the person who's responsible for approving a request is off for one day. If, however, you apply for access via a web form which will be sent to an approver via e-mail, you have higher demands on the approval time-frame. If you have more than one approver (which many companies with paper-based processes have), it makes the whole situation worse. You should rethink your process here: are all the approvals really necessary, or is it sufficient to notify the (former) approvers?

Another example is the data model. While most paper forms require a personnel number and a department by which an employee can be uniquely identified, many Active Directory implementations try to identify a user by the X.500 cn (common name) attribute. Moreover, an employee's AD entry often does not even contain his/her personnel number. Thus, there is no way to link the AD account to the employee automatically. You might be able to develop a rule by which an account can be linked to an employee, but very often this is more a rule of thumb than a mathematical function and requires adaptation of your Identity Manager product (no matter what product you have).

Does it make sense to change your AD data model? Yes, it does. And what about the number of approvers? I think you should reduce them, but I am a computer scientist. Definitely you should talk to the process people in your company.

Posted at 05:13AM Feb 24, 2007 by steffo in Identity Systems
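
The account-linking problem described above, as an added example that is not part of the original post: it links AD accounts to HR records by personnel number where one is present and falls back to a cn-based rule of thumb otherwise, showing where the rule stops being a function. It assumes the personnel number would be stored in AD's `employeeID` attribute; the sample records and the names `cn_key` and `link_accounts` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the original post).
HR = [
    {"personnel_no": "10023", "first": "Anna", "last": "Schmidt", "dept": "FIN"},
    {"personnel_no": "10087", "first": "Anna", "last": "Schmidt", "dept": "ENG"},
    {"personnel_no": "10101", "first": "Jörg", "last": "Müller", "dept": "ENG"},
    {"personnel_no": "10150", "first": "Li", "last": "Wang", "dept": "OPS"},
]
# Assumption: personnel number lives in the AD employeeID attribute when set.
AD = [
    {"cn": "Anna Schmidt", "employeeID": "10087"},
    {"cn": "Schmidt, Anna", "employeeID": None},
    {"cn": "Joerg Mueller", "employeeID": None},
    {"cn": "Li Wang", "employeeID": None},
    {"cn": "svc-backup", "employeeID": None},
]

def cn_key(name):
    """Rule of thumb: lowercase, fold umlauts, ignore commas and name order."""
    for a, b in (("ä", "ae"), ("ö", "oe"), ("ü", "ue"), ("ß", "ss")):
        name = name.lower().replace(a, b)
    return " ".join(sorted(name.replace(",", " ").split()))

def link_accounts(hr, ad):
    """Return {cn: (status, [candidate personnel numbers])} for every account."""
    by_id = {e["personnel_no"]: e for e in hr}
    by_name = defaultdict(list)
    for e in hr:
        by_name[cn_key(f'{e["first"]} {e["last"]}')].append(e["personnel_no"])
    result = {}
    for acct in ad:
        if acct["employeeID"] in by_id:      # unique key: a real function
            result[acct["cn"]] = ("linked", [acct["employeeID"]])
            continue
        candidates = by_name.get(cn_key(acct["cn"]), [])
        if len(candidates) == 1:
            status = "guessed"               # plausible, but needs review
        elif candidates:
            status = "ambiguous"             # same name, several employees
        else:
            status = "orphan"                # no owner found at all
        result[acct["cn"]] = (status, candidates)
    return result

if __name__ == "__main__":
    for cn, (status, ids) in link_accounts(HR, AD).items():
        print(f"{cn:15} {status:10} {ids}")
```

Only the `linked` rows can be provisioned or deprovisioned automatically; `guessed`, `ambiguous` and `orphan` accounts need a human decision, which is the adaptation effort the post refers to.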