The Black Book of Identity Access Mgmt
    Friday, Apr 08 2011

    auto-pilot provisioning

    I've been hanging out at a couple of clients where they have pretty decent identity products installed. They can open up user accounts, they can look up the status of those accounts. They can run a handful of reports. They even use workflow. And what does the workflow do? It sends emails that tell system admins to manually create, modify and delete accounts.

    WAAAAAHHHHHH !!!!!  Holy crap, what good does that do? I see way too many of these. What is the point of having a workflow-driven, policy-based structure in place if all it does is NOTIFY? You could hire a monkey, stick his ass on roller skates, and save yourself the dough. It's the same as buying a pickup truck, loading it up with the furniture you need to move, then PUSHING it down the street. Ja forbid you turn the key and make the engine do the work.

    So one client has recognized this shortcoming and specifically wants to automate. There's the key word: AUTOMATE. If the requesters have to tell the system who the approvers are, and the order they must approve, then again, you're wasting the electricity it takes to run IdM. Wait, there's another key word: POLICIES. The policies you create in your system, THOSE are the deciders. The policies decide who can and can't have something. They also decide who the deciders are. Rather, the approvers.

    Oracle has this thing called Database Vault. It can create realms of security, like database firewalls. If you have this role, you can get at this section of data. Cool. Then Oracle went out and bought a thing called Secerno, which does the same thing, only at the perimeter. You can't send in this kind of query because I don't like you. Before the cycles even get wasted on the database engine, the outside db firewall stops the bad SQL statements. Okay, so your policies are like this. Before an approver even receives an obviously bad request, it's been stopped by the policies, so that the approvers only get the iffy ones. At the tail end of the policies that accept, route, and ultimately approve proper requests, the AUTOMATION also talks to the endpoints and says HERE, I've got a live one for you.
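The policy-first flow the two paragraphs above describe, as an added Python example that is not code from this post or from any product named in it: the policy table decides who may hold an entitlement and who must approve, obviously bad requests are thrown out before any approver sees them, and a fully approved request goes straight to a provisioning call instead of an email. Entitlements, departments and approver roles are hypothetical, and the endpoint connector is a stub that only records what it would create.

```python
from dataclasses import dataclass, field

# Constructed policy table (hypothetical entitlements): each entry says which
# departments may hold the entitlement and which approver roles must sign off,
# in order. The requester never supplies approvers; the policy does.
POLICIES = {
    "vpn":           {"depts": {"finance", "engineering", "sales"}, "approvers": []},
    "payroll-admin": {"depts": {"finance"}, "approvers": ["manager", "app-owner"]},
    "prod-db-write": {"depts": {"engineering"}, "approvers": ["manager", "dba-lead", "security"]},
}

# Stand-in for the connector that talks to the endpoint; records what it would create.
PROVISIONED_LOG = []

def provision_to_endpoint(user, entitlement):
    PROVISIONED_LOG.append((user, entitlement))

@dataclass
class Request:
    user: str
    dept: str
    entitlement: str
    decisions: dict = field(default_factory=dict)  # approver role -> True/False

def evaluate(req, provision=provision_to_endpoint):
    """Run one request through the policy layer.

    Returns (status, approvers_still_needed). Obviously bad requests are
    rejected before any approver is involved; the remaining ones wait on the
    policy-defined approver chain; fully approved ones are provisioned
    automatically instead of generating an email to a sysadmin.
    """
    policy = POLICIES.get(req.entitlement)
    if policy is None or req.dept not in policy["depts"]:
        return "rejected-by-policy", []          # no human ever sees this one
    chain = policy["approvers"]
    if any(req.decisions.get(role) is False for role in chain):
        return "denied", []                      # an approver said no
    pending = [role for role in chain if role not in req.decisions]
    if pending:
        return "awaiting", pending               # next approver is pending[0]
    provision(req.user, req.entitlement)         # automation does the work
    return "provisioned", []
```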

    Automation and policy work hand in hand to make your IdM system worth it. If you're using a help desk system and its inherent ticketing, or a non-automated IdM thingy, then you have WASTED YOUR MONEY. I replaced a halfway decent Novell identity system once where I asked, "While I am happy to do this thing for you, I would like to know what you didn't like about it." And the answer was, "We never used the workflow." To which I replied, "Well, why the hell NOT?"

    Automation. Policies. They are worth the time you put into defining and punching them in. That is to say, if your company's money and efficiency and user base are worth it. If they're not, well, then forget everything I just said.
