The Black Book of Identity Access Mgmt
    Monday, Sep 10, 2012

    Remake Your World

    One of my kids saw me struggling one day to pack all my spaghetti into my tech bag. Power cords, iPad, USB cables, you name it. She partially cured my ills by sewing for me, out of a set of old PJs, a little bag, complete with drawstring, for my wi-fi, the cord, and the battery pack. She made me a second for my iPhone peripherals.

    You could say I added something else to my bag, but it’s lightweight, and simplifies my life. I can open one zipper and quickly locate, by feel or vision, the soft, purple bags with my stuff.

    Well, Holy Analogies, Batman, you can do the same thing with IAM. No kidding. Sure, out of the box, the Oracle suite can do a whole bunch of good stuff, including 99% of your use cases. But when you need that extra percent, that little tweak, you can always extend.

    In Oracle Identity Manager, there are tons of canned libraries for approvals, reconciliations, escalations, and orchestrations. But if you need to incorporate some weird, out-of-band external resource or call into your workflow, it’s easily enough done. You just can’t part with that shell script for creating Unix accounts? Weave it into your workflow.

    One of my higher ed clients worked in a call to an external service for background checks. For non-students, the second stop after the initial business approval is a shout-out to a security company. Everything gets put on hold until that comes back (or times out, prompting a phone call). They had previously had two situations where a candidate was pretty much ready to step into a classroom, and then it was discovered they were naughty people. This led to last-second, expensive, and expedited substitutions.

    (By the way, it ain’t cheap to get such an online service, so most schools still do it manually.)

    On the access side, authentication and authorization policies can also be extended. A transportation client of mine goes out and calculates, in real time, a customer’s current balance. If a customer is delinquent, their access is either limited or blocked altogether.
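
A sketch of that kind of balance-driven access decision, added here as an illustration; it is generic Python, not Oracle's plug-in API and not the client's code. The thresholds, action names, customer IDs and the `sample_lookup` stand-in for the billing call are all assumptions. The part worth noticing is what happens when the real-time lookup fails: the decision drops to the limited tier and never fails open.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Callable


class Tier(Enum):
    FULL = "full"
    LIMITED = "limited"
    BLOCKED = "blocked"


@dataclass(frozen=True)
class BalancePolicy:
    # Thresholds and action names are assumptions made for this sketch.
    limit_above: Decimal = Decimal("0")     # past-due amount that limits access
    block_above: Decimal = Decimal("500")   # past-due amount that blocks access
    limited_actions: frozenset = frozenset({"view_statement", "make_payment"})
    on_lookup_failure: Tier = Tier.LIMITED  # never fail open to FULL


def authorize(customer_id: str, action: str, lookup_past_due: Callable[[str], Decimal],
              policy: BalancePolicy = BalancePolicy()) -> tuple:
    """Return (tier, permitted) for one request, using a live balance lookup."""
    try:
        owed = lookup_past_due(customer_id)
    except LookupError:                       # unknown customer: no access
        return Tier.BLOCKED, False
    except (TimeoutError, ConnectionError):   # billing system unreachable
        tier = policy.on_lookup_failure
    else:
        tier = (Tier.BLOCKED if owed > policy.block_above else
                Tier.LIMITED if owed > policy.limit_above else Tier.FULL)
    # A limited customer may still do the few things that let them settle up.
    permitted = tier is Tier.FULL or (
        tier is Tier.LIMITED and action in policy.limited_actions)
    return tier, permitted


# Constructed sample data standing in for the real-time billing call.
SAMPLE_PAST_DUE = {"c-100": Decimal("0"), "c-200": Decimal("42.50"),
                   "c-300": Decimal("900")}


def sample_lookup(customer_id: str) -> Decimal:
    if customer_id == "c-timeout":
        raise TimeoutError("billing system did not answer")
    return SAMPLE_PAST_DUE[customer_id]
```
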

    Let’s be honest about all this. NO package, at least in the enterprise space, will work exactly the way you want. You will always, always tweak. I don’t count customization, by the way. In Oracle Identity Manager 11gR2, you can customize the snot out of the interface with drag and drop. That’s window dressing (although extremely useful in terms of productivity). What I’m talking about today is process. And it’s process that models HOW YOU DO BUSINESS. I’ve always said, when you buy some big honker like SAP, you don’t own it. It owns YOU. And you will do business the way IT does business. For some people that may be a good thing. But if you want it your way, then it’s not.

    Oracle adds new endpoints, certifications, platforms, and standards all the time. I used to say that SPML wasn’t going anywhere because nobody was adopting it. Oracle kept pushing it, as did others, and now it’s gaining a lot of ground.

    ESSO now supports proximity cards for auth. These scare the hell out of me for other reasons, but if customers demand it, Oracle and others eventually get around to it.

    There’s usually no solution that will deal with every single one of your use cases every single time. But you want a solution that gets you as close as you can get, then lets you shoehorn in the rest.
