The Enterprise Role Management Integration Challenge

Nishant, in a light-hearted manner, took my post on Sun acquiring Vaau as a bit of a dare. This is how I responded to his comment:

Since I don’t believe that ERM is an end in and of itself, I am more curious where the market and technology will go now that two “suite” vendors have made acquisitions. If, by orchestrating some sort of challenge between Oracle and Sun to integrate and innovate, I can help move things along, then yes, by all means, consider it a challenge. Maybe the gang at Burton Group can referee this?

How vendors like Sun and Oracle integrate their ERM acquisitions will have a very tangible impact on the future direction of identity management. Both are in a position to unlock the true value of enterprise role management.

The step of integrating ERM into user provisioning is a no-brainer, though it will be interesting to see how fast each vendor can do it. What is more interesting is the step beyond that. I started to ruminate on that before… guess we’ll have to wait and see what comes.

In the meantime, it would be great if someone like Kevin Kampman would weigh in on this.

4 thoughts on “The Enterprise Role Management Integration Challenge”

  1. “The step of integrating ERM in user provisioning is a NO BRAINER” ??? Perhaps I’m missing something, but I don’t think that a Role Management solution can be just an add-on module for a user provisioning system, unless the role management system is intended as an “aggregation of permissions” as opposed to a complex implementation of business policies in order to achieve good governance, risk management and regulatory compliance (GRC).

    Actually, considering the present solutions available on the market, integrating User Provisioning and Role Management components is far too complex an effort. Clearly there are overlaps that can result in data duplication between the two components.

    We at Engiweb Security have a significant amount of experience in developing complex Role-Based Identity projects, integrating our Enterprise Role Manager product with several User Provisioning systems. In summary, the technological integration – considering just the resource provisioning (connectors) – is quite simple. Yet, making them work together is no trivial task. It requires several issues to be better investigated.
    To this aim we have started an open discussion here, where we consider various aspects of the Identity Management model and technology.

    As an example of this critical point, consider the fact that the majority of User Provisioning technology is intended for synchronization. However, Identity Management is not mere synchronization. Take, for instance, the typical example of inconsistency management. When a bi-directional connector carries out an operation directly on the target system (e.g. permission-user association) it is still the central system that must define the policies to be applied. Clearly, in a User Provisioning system (users-permissions management) everything boils down to synchronization or, at the most, a “go/no-go” policy. In a multilayer model, like that of Role Management, such an action can lead to the modification of many relations, and decisions depend on many factors that will be shaped into appropriate policies. Actually, many resource provisioning systems (connectors) are not even equipped with an “anti-loop” system for events they themselves generate, as it is not necessary for simple synchronization actions.

    I’d love to hear your feedback.

  2. I may not have been clear. What I meant by calling the integration of role management into user provisioning a no-brainer is that, from a product and market strategy position, it is a straightforward decision for product managers and marketers.

    I don’t agree with your point that the majority of user provisioning technology is intended for synchronization. If that were the case, then user provisioning products would be worth nothing more than a meta-directory with a pretty face. The ability to add policy governing who gets what is a core part of user provisioning. Role Management can ease the provisioning policy construction and can certainly provide a great deal of value in the person-to-role mapping process, but in these capacities it is acting as augmentation to a user provisioning system’s policy and workflow capabilities.

    Great comments… let’s keep the dialog going.

  3. Ian,
    I am in general agreement with your assessment that from the marketing standpoint the integration is logical and plain. The two components must be integrated and synergistically collaborate.

    The purpose of my comment (perhaps a little bit extreme) was to highlight that when integrating user provisioning and role management, most policy related functions can’t be managed by the user provisioning component.

    In fact, current user provisioning products have the ability to add policies, but cannot handle the complete view of an Identity Management solution (one that includes aggregation, storage, and management of business relationships, roles and related resources, multiple views of the business based on policy-driven roles, supplies relevant privileged data of enterprise systems, meets compliance and auditing requirements, ...).

    The current systems implement policies using rules both at the central level and, unfortunately, rules directly coded in the connectors themselves. Since this cannot be scaled, an already difficult situation becomes impossible to manage: no high-level tool, no global vision, no comprehensive compliance management.

    Why? Mainly because they were designed for “historical” synchronization needs; and when policy requirements arrived, functions were added on without first discussing the general picture.

    Finally, (again using an extreme metaphor) it’s like implementing an HR system using Microsoft Excel. YES, nobody can tell you that’s impossible, but what are the costs?

    What are the perspectives from user provisioning vendors? I would welcome a dialogue on this topic going forward.

  4. Identity and role management are an approach to the difficult task of determining authorization. I have long held the position that IdM is only one component of an effective approach to this problem. Classifying users with roles focuses on access, and there are two other dimensions that must be considered when making an authorization decision; they are the purpose of the request and the type of data being requested. A great example of regulation that requires this approach is HIPAA, by requiring the classification of transactions with a purpose and data as PHI or non-PHI. Just one scenario. My struggle with RBAC has always been the two-dimensional approach to authorization. If we approach RBAC as part of a three-dimensional model that includes classification of transactions and data classification, we can implement a robust authorization system and limit the number of roles needing management. It is interesting that IBM has stayed out of this acquisition space, but I speculate that Eurekify would be their target since it is used in their consulting practice. I am not sure that ERM has a lot of value to offer a robust IdM product suite except in the area of discovery, and the two-dimensional approach that has been used to date lacks the granularity necessary to support supply chain authorization needs, much less cross-divisional or organizational needs. I would love to hear your opinion and experience of role discovery and automating the development of and implementation of roles in large organizations that use dynamic teams to complete projects.
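A toy illustration of the three-dimensional decision the last comment describes (role, purpose of the request, data classification), added here as an example and not part of the original post or any vendor product; the roles, purposes and policy table are constructed, with PHI/non-PHI standing in for the HIPAA data split.

```python
from enum import Enum


class DataClass(Enum):
    PHI = "phi"          # protected health information
    NON_PHI = "non_phi"  # de-identified or administrative data


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    RESEARCH = "research"


# Constructed policy: each entry permits one (role, purpose, data class) triple.
# The same role gets different answers depending on why it asks and what it asks for.
POLICY = {
    ("nurse", Purpose.TREATMENT, DataClass.PHI),
    ("nurse", Purpose.TREATMENT, DataClass.NON_PHI),
    ("nurse", Purpose.RESEARCH, DataClass.NON_PHI),   # research only on de-identified data
    ("billing_clerk", Purpose.PAYMENT, DataClass.PHI),
    ("billing_clerk", Purpose.PAYMENT, DataClass.NON_PHI),
    ("researcher", Purpose.RESEARCH, DataClass.NON_PHI),
}


def authorize(roles, purpose, data_class, policy=POLICY):
    """Allow only if one of the subject's roles is permitted for this purpose on this data class.

    A missing triple is a deny: PHI requested for a purpose the role is not granted fails even
    though the role may see the same PHI for another purpose.
    """
    return any((role, purpose, data_class) in policy for role in roles)


def roles_managed(policy=POLICY):
    """Roles an administrator maintains in the three-dimensional model."""
    return len({role for role, _, _ in policy})


def roles_if_flattened(policy=POLICY):
    """Roles a two-dimensional (role -> permission) model would need to express the same policy.

    Purpose cannot be evaluated at request time there, so it has to be folded into the role name
    (e.g. nurse_treatment, nurse_research), one role per distinct (role, purpose) pair.
    """
    return len({(role, purpose) for role, purpose, _ in policy})
```

`roles_if_flattened` grows with every purpose a role is granted, which is the role explosion the comment attributes to two-dimensional RBAC.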
