Give me more to work with and I will

James recently picked up on my Identity leprosy or identity zombies post and writes:

Ian believes that identity needs brains but falls into the trap of thinking about identity solely from the perspective of provisioning and while avoiding runtime aspects. I wonder if he would blog on why enterprises should consider identity consolidation over identity management? 

Before I respond I’d like to get some clarity. James, give me more to work with and I’ll happily write more. Help me understand that which you are contrasting between “identity consolidation” and “identity management.” Help me understand how provisioning doesn’t have runtime implications.

Congratulations to IBM: Tivoli Identity Manager 5.0 is released!

A hearty congrats to my friends and old co-workers at Tivoli on a job well done.  ITIM 5.0 has been officially released!

Having been part of the beta program, I can say that this is an amazing release.  A great deal of thought and research has gone into ITIM 5.0 and in the bits I have seen, customers are really going to enjoy using it.  Yes, I said enjoy.  The new user interfaces are enjoyable to use.  Amazing and true.

Good work everyone.

DIDW: Sun’s deployment of Sun Identity Manager

I love customer deployment stories.  I especially love hearing about vendors deploying their own products.  In this case, Sun and Deloitte were talking about deploying Sun Identity Manager internally at Sun.

They covered the usual tips for a successful deployment:

  • Involve the business
  • Planning makes all the difference
  • Don’t bite off more than you can chew

Pretty standard stuff that always bears repeating.
There were some very interesting other observations:

  • For complex systems, like ERP, get the vendor involved in the provisioning project
  • Plan for testing early in the project
  • Plan for sustaining the deployment, turning it from a project to a program early in the project

The idea of getting the complex system vendor involved in the provisioning project strikes me as both novel and extremely effective. The nuances of complex systems like ERP and mainframe security can bedevil a provisioning project.  Might as well go to the experts early.

Their last point on planning for sustaining the project echoes a point that Phil Becker and I made last year on identity management as a lifestyle and not a project. You’re going to live with your decision for a lot longer than you probably expect. You have to plan on how to sustain the deployment and turn it into a key thread in the fabric of business services the organization relies upon.

Deloitte, speaking across all of their deployments, not just Sun’s, had some interesting observations as well:

  • Half of all identity management deployments end up as shelf-ware (I think I hear Bill Malik chuckling somewhere)
  • The true return on investment is not in the technology but in the re-engineering of process

A common misconception is that deploying a user provisioning product requires a massive process re-engineering effort. That is not strictly true. Mature provisioning products these days can accommodate most business processes, no matter how arcane. That being said, deploying provisioning certainly encourages process re-engineering. The deployment gives an organization an excuse to examine what it does and how it does it. “Do we really need five approvers just to give someone email and why do we have to fill these forms out to do so?”

So far, DIDW has not disappointed.