Attack of the YAMS: Thoughts on the Role Management Panel at Digital ID World

I was thinking about the role management panel at Digital ID World in New York this weekend. My first reaction to the panel discussion, which consisted of BearingPoint, Prodigen, Bridgestream, and Thor, was that roles are finally growing up. The idea that roles require lifecycle management just as identities do is, at first, a little shocking but then makes a great deal of sense. Working in the enterprise provisioning market for years, I got used to hearing how hard it was to complete a role deployment. At the same time you had Burton Group and others professing the value of roles. Customers were fighting both the difficulties in deploying identity management solutions as well as the difficulties in understand and leveraging roles. As the industry provided better automation for the provisioning problem, we saw deployment times go down. But, roles were still tough to deal with. We are now seeing tools to help truly automated the role lifecycle management problem.

One of the points that was agreed upon by the panel members was that business roles are separate from IT roles. Who I am in a company is very different than my privilege sets in target systems. Some provisioning products attempt to make this distinction. By elevating roles to a discipline that truly needs its own tooling, we will be able to manage that distinction far better than we can today. I do wonder if potential customers will still look at roles as too difficult and not address them appropriately. “Roles are hard. See… they have to have tools to deal with them,” I can hear a potential buyer say. To this, I often respond with a wink, “IT would be simple if we didn’t have end-users.”

My concern with role lifecycle management is not with the concept itself. I think this is a space that was long in coming. My concern is role lifecycle management is yet another “Management” or YAM. Our industry is full of YAMs. We’ve got the access YAM, provisioning YAM, strong authentication YAM, network security YAM, federation YAM. As we look forward to 2006, I think we are going to see pushback against YAMs. Customers are growing weary of yet another policy tool, yet another reporting tool, and another YAM. I think that some of the false hope in the past market consolidation and the IdM suite vendors was that they would cut down on the YAMs. The dream of a single tool that translated business goals and regulations into their various IdM components: access, privacy, provisioning, etc, has yet to be realized. I worry that the number of YAMs keeps increasing without unfiying language and tooling. I worry that the industry is over-specializing without having generalist tools to link these specializations together.

It’s good to see these vendors working together to tackle the role lifecycle management problem from different sides. In their own way, they are fighting the YAMs. We need more impromptu collaborations between solution vendors, deployment specialists, and visionaries. We need less YAMs.

With Thanksgiving fast upon us, I leave you with a yam recipe that will leave your guests in a food coma. If we can’t help fight YAMs in our products, we can at least fight yams one fork at a time!

Technorati Tags: