Identity and Access Management Framework Book

Recently I flew to Minneapolis, and had reserved a rental car. Because of some computer snafu on their end, the rental folks didn’t have my name on the board to allow me to simply walk to a car. I had to get in the line, where I waited more than ten minutes despite having only one guy ahead of me. I had put my preferences for a vehicle and insurance in my reservation, but the rental lady insisted on pushing more options at me. For some insane reason they put in my profile a couple of years ago that I need hand controls. Every single time, I have to tell them, no hand controls, and can you please fix my profile.

I got to my car, and sure enough, no keys in it. So I had to schlep back to the counter and wave somebody down. NO WAY I’m waiting in line again. Keys. Now. But they couldn’t get me the keys, so they gave me a different car.

The car itself was okay, although the onboard GPS was terrible. My iPhone did a far better job. In fact, the GPS had an option to get me back to the rental returns, but sent me to the wrong one. Finally found the right one, through purely human intervention, and when I got there, the return guy informed me his little hip machine couldn’t print my receipt. He directed me to the counter, where the line was nine people long. Forget it.

I went to their website, which has a link for “Find a receipt.” Only it didn’t have my most recent one. I called the reservation line to ask for the customer service line. I talked to them, and was told I’d need to speak to the actual location. “I’ll transfer you,” I was informed. But instead of Minneapolis, I ended up with Oklahoma.

FINALLY I reached Minneapolis. They put me in touch with a lady in the back office. She said she’d push my receipt to the website, and that I should go back there. Sure, it showed up, but with literally no detail. At least not enough to put on my expense account. I called her back, and she asked for my email address, said she’s send it to me directly within two minutes. Two hours later, nothing. I called her yet again, and left her voice mail. “Hey, receipt?” By end of day, still nothing.

This is a place that could do with a good ticketing system, to drive issues to resolution. What’s funny is, every person who answered a phone for me that day asked me, “How do I resolve your issue quickly?” And then not a one of them could.

 The idea behind workflow is that you have something you need to accomplish, an ordered set of steps designed to accomplish it, a timeline in which it is to be accomplished, and fallbacks in case any of the steps fails to complete. For example, I hire a guy for a sales job. He has to get all the usual stuff an employee gets access to, such as an email address, some space on the file server, a login for the 401K, and an LDAP account. Then he has to get enabled for salesguy stuff: forecasting system, CRM account, accounts receivable, and expenses. I put him in HR, and I want some magical gremlin thingy to grab that entry and send off a workflow request to get the new hire approved by a director, a business unit manager, and VP. Then I need the functional stuff, i.e. the resource owners of those individual applications or whoever else is appropriate. If at any point one of those approvers isn’t available, or waits too long to do his job, that part of the request gets rerouted to somebody else. If something gets rejected, the workflow engine decides if the rest of the request goes forward, or gets rolled back. Maybe the new hire gets all or nothing. Maybe he can collect only those pieces that get approved. I should be able to check on the status of the request, see how far it’s gotten, who’s approved what up to now, what’s gotten rejected, where the request might be stuck, and so on. Ultimately, workflow drives the entire package to some sort of completion.

This should be driven by logic, not by emails, voice mails, sneakernet.

This sort of workflow engine accomplishes three major things. First, stuff gets done. Things don’t fall through the cracks. Second, consistency. Things get done the same way every time, as opposed to the random nonsense that happens when you rely on email and voicemails. This means you can bake your policies into those workflows. I need these steps, these requirements fulfilled, these approvals, these escalation procedures.

Third, it’s self-documenting. The order is already documented by virtue of the workflow definition, and as each step completes (whether it’s approved, rejected, or rerouted/escalated), the engine generates (or at least it BETTER) an entry, a report, a notification, or some combination thereof. If something happened or didn’t, I can discern the reason.

By the way, this is even more urgent a need when you’re talking about DISABLEMENT. Enabling users coming on board is a matter of convenience and productivity. Disabling them when they are terminated, especially for cause, it a matter of security.

Workflow Is a thing of beauty. In other words, things work, and things flow. They happen, and they do so according to a plain. Anything else is chaos, or a message shoved in a bottle and tossed into the sea. Email and voicemail for user entitlements is nothing more than a hope and a prayer. And you can’t run a business, or pass an audit, based on those.