I do my best reading in Oklahoma: Notes on the Synthesis of Form

My in-laws live in western Oklahoma. After the requisite tour of town, I find myself with a decent amount of time on my hands. I usually pack a few books along to fill the time.

I’m not sure how I came to buy Notes on the Synthesis of Form by Christopher Alexander. I thought I’d give it a try and see how it went. It was a real page turner. Seriously. It is a very dense read that is surprisingly approachable.

At its core, Notes presents a system for decomposing complex design problems. Alexander builds up to this system by examining two types of cultures: unselfconscious and selfconscious. Unselfconscious cultures approach problems with a rich set of traditional solutions in which the builder (problem solver) is reduced to an agent implementing a solution learned by imitation, an informal form of apprenticeship. These cultures’ designs evolved over a sufficiently long period with their environment as the primary constraint. To become a repeated solution, the solution had to fit well within all aspects of the culture’s environment. Selfconscious cultures, in contrast, exist outside of any environmental feedback loops or environmental constraints. These cultures approach design problems with a learned set of principles that impose rules of design.

The system Alexander lays out (and I am paraphrasing greatly here) relies on the decomposition of the problem into subsets of related features. These subsets, or subsystems, must be as independent as possible to accommodate misfits (problems). Misfits within the subsystems must not impact the design as a whole, but be contained within the subsystem.

Alexander writes:

The vital point that underlies the following discussion is that the form builders in unselfconscious cultures respond to small changes in a way that allows the subsystems of the misfit system to work independently – but that because the selfconscious response to change cannot take place subsystem by subsystem, its forms are arbitrary.

The arbitrary nature of form… When I hit this, I immediately drew parallels to software design. How many of you have seen software that exhibits arbitrary design choices? How many “simple enhancements” balloon into rebuilding core functions?

Notes is as applicable to the software industry as it is to object design. Product managers, software architects, CTOs – get a copy of this. Oh, one more thing, don’t let the set theory scare you off – you can get a lot out of Notes without working out all the math.

SAP buys MaXware: Column Fodder in the Fight against Oracle

On one hand I can’t say I am that surprised. SAP has been itching to get into the IdM market. There was speculation that they were going to build their own. It is interesting to see that they have chosen, as many others have, to buy instead. I am, however, a little surprised at who SAP purchased.

MaXware was known, primarily, as one of the three major meta/virtual directory companies out there. Maybe SAP saw wisdom in Oracle buying OctetString? (I’d be feeling pretty lonely right now if I was Radiant Logic.) Maybe SAP really just needed the connectivity that MaXware could provide?

I wonder what this means for corporate SAP partners who are already in the identity management space? If I am a provisioning vendor who has spent resources developing integration to SAP and the Virsa bits, I am going to be pretty annoyed that SAP just bought a provisioning technology. Integration partner one day, direct competitor another.

The real reason SAP made this move is the continuing SAP – Oracle War. SAP needs to be able to check the boxes off in an RFP that they have provisioning and identity management services. If SAP is looking to even the playing field, there’s at least one more acquisition they have to make. They need to buy a large services company, the likes of Accenture or Booz Allen Hamilton. Granted, doing that will agitate their service partners, but that being said, it would round off SAP and enable them to go toe-to-toe with Oracle.

In closing, I wanted to include a few insightful thoughts from Jackson Shaw. I just discovered his blog… good stuff. Jackson writes:

SAP AG is acquiring MaxWare because they believe that if they can control identities, security and roles from within SAP NetWeaver then they can “own” an organization. They can be the tail that wags the dog. The few systems that SAP GRC can connect today stand out like a sore thumb. Who could take them seriously? Now, with MaxWare they’ll be able to connect to many more systems but will they be taken seriously?

If IBM can’t do it with WebSphere and Tivoli, I don’t see how SAP can do it with NetWeaver.

If you don’t know where you are going, no road will take you there

Apologies to Lewis Carroll and the Cheshire Cat.

Mark MacAuley makes me laugh. He is a funny guy, but that’s not why he makes me laugh. He makes me laugh when he finds situations like this one:

I spoke to a non-US Government Agency yesterday about their Identity Management initiative. Turns out they are hung up on an architecture. Why? Because there is no identifiable (or identified) business process for them to build for. The business users are saying – ‘Just buy a tool and it’ll take care of it, that’s what their workflows are for’. Those of us who do this for a living are probably smirking or laughing out loud at the comment. Typical, but one of the leading causes of unsuccessful projects.

Why is this funny? Because I already know this project is doomed to fail and all you can do is shrug your shoulders and laugh.

Having “the business” abdicate its role as the driver of any project like this is criminally irresponsible. (For you hardcore cynics, I don’t care that this is a government example; that’s not an excuse.) Identity Management is waking up from its speeds-and-feeds adolescence. More importantly, the market is starting to snap out of its IT-induced hypnosis, and it is business that will benefit. The business cannot simply punt on an opportunity like this.

I literally just got out of Courion’s user conference, Converge. I would say that about half of the presentations from customers, analysts, and Courion staff alike related to the business drivers and the business view of identity management projects.

Simple example – from a business perspective, identity management often gets attestation wrong. Unless you have the absolutely most friendly Active Directory group names in the world, presenting a list of groups to a manager and asking, “Are these the groups that Ian should have?” is essentially useless. Now presenting a list of business functions as the content of an attestation event – that makes sense. Instead of sending AD group SHRPT1_ENG and CITRIX_PRESSRV_02_SAP863 to my manager, send “Access to the Engineering SharePoint server” and “Access to SAP Instance 863 via Citrix Presentation Server.” It is simple things like this that turn IdM projects into true business enablers.

I’ll be back soon with some other thoughts from Converge and an interesting conversation Phil Becker and I seem to always be in the midst of.

A Clear Business Case for Compliant Provisioning

I have spent a fair amount of time recently ruminating on compliant provisioning and what comes after it. It is a fascinating mental exercise and if it remained as such, it would be useless. Yesterday, I got to see it in action.

I was at a customer, watching our integration with their provisioning system get installed and configured. It was, as all good software installs should be, quite boring. But what did captivate me was the business case and drivers for compliant provisioning. Though our customer has a mature provisioning system in production, they have yet to achieve fully automated provisioning. Why? Certainly not for lack of trying. Because their SAP environment is large, complex, and ever-changing, they cannot implement a comprehensive set of automated provisioning rules for fear of SoD creeping in.

They already rely on Approva BizRights to do “What If” analysis. It verifies on an ongoing basis that role definitions do not generate separation of duty problems and that accounts don’t contain any SoD problems. Currently, their outsourced help desk fields access requests. They gather up the roles being requested and use BizRights to perform What If analysis on the proposed account changes and then route the request on for provisioning.

Instead of an access request flowing to the help desk then into BizRights for analysis, they plan on automating the access request via their provisioning system. By using our “What If” analysis within the provisioning system they can cut out the help desk altogether, eliminating that manual step. A handful of their SAP systems generate the vast majority of their ticket call volume. By implementing compliant provisioning, integrating BizRights with their provisioning tool, they are looking to cut that call volume down to 0 and save a bundle in the process.
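The what-if gate described above, sketched as an added example (it is not Approva BizRights code or the customer's workflow). The role names, permissions and SoD rules are constructed for illustration, and the sketch goes slightly beyond the text by rejecting requests for roles the rule set does not know.

```python
# Constructed sample data: role names, permissions and SoD rules are hypothetical.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_PAYMENTS": {"approve_payment", "run_payment"},
    "AP_SUPERUSER": {"create_vendor", "approve_payment"},  # conflicting by definition
    "GL_ACCOUNTANT": {"post_journal"},
}
# Each rule names two permissions one account must never hold together.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("post_journal", "approve_journal"),
]


def violations(roles):
    """Return the SoD rules broken by the combined permissions of `roles`."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return {rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms}


def conflicted_role_definitions():
    """Roles that break a rule on their own (the ongoing role-definition check)."""
    return sorted(role for role in ROLE_PERMISSIONS if violations([role]))


def what_if(current_roles, requested_roles):
    """Simulate the change; report only conflicts the request would introduce."""
    before = violations(current_roles)
    after = violations(set(current_roles) | set(requested_roles))
    return sorted(after - before)


def handle_request(user, current_roles, requested_roles):
    """Decide what the provisioning workflow does with an access request."""
    unknown = sorted(set(requested_roles) - set(ROLE_PERMISSIONS))
    if unknown:  # fail closed: never provision a role the rule set cannot assess
        return {"user": user, "action": "reject", "unknown_roles": unknown}
    conflicts = what_if(current_roles, requested_roles)
    if conflicts:
        return {"user": user, "action": "route_to_review", "conflicts": conflicts}
    return {"user": user, "action": "provision", "conflicts": []}


if __name__ == "__main__":
    print(handle_request("ian", {"AP_CLERK"}, {"GL_ACCOUNTANT"}))
    print(handle_request("ian", {"AP_CLERK"}, {"AP_PAYMENTS"}))
```

Only requests that introduce a new conflict leave the automated path, which is what lets the clean majority bypass the help desk.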

A couple more of these kinds of deployments and compliant provisioning will be the norm in the provisioning market… and then I’ll be talking to you about what comes next.