The Black Book of Identity Access Mgmt

    Monday, March 5, 2012

    “Workflow” presumes some “work” and some “flow”

    Recently I flew to Minneapolis, and had reserved a rental car. Because of some computer snafu on their end, the rental folks didn’t have my name on the board to allow me to simply walk to a car. I had to get in the line, where I waited more than ten minutes despite having only one guy ahead of me. I had put my preferences for a vehicle and insurance in my reservation, but the rental lady insisted on pushing more options at me. For some insane reason they put in my profile a couple of years ago that I need hand controls. Every single time, I have to tell them, no hand controls, and can you please fix my profile.

    I got to my car, and sure enough, no keys in it. So I had to schlep back to the counter and wave somebody down. NO WAY I’m waiting in line again. Keys. Now. But they couldn’t get me the keys, so they gave me a different car.

    The car itself was okay, although the onboard GPS was terrible. My iPhone did a far better job. In fact, the GPS had an option to get me back to the rental returns, but sent me to the wrong one. Finally found the right one, through purely human intervention, and when I got there, the return guy informed me his little hip machine couldn’t print my receipt. He directed me to the counter, where the line was nine people long. Forget it.

    I went to their website, which has a link for “Find a receipt.” Only it didn’t have my most recent one. I called the reservation line to ask for the customer service line. I talked to them, and was told I’d need to speak to the actual location. “I’ll transfer you,” I was informed. But instead of Minneapolis, I ended up with Oklahoma.

    FINALLY I reached Minneapolis. They put me in touch with a lady in the back office. She said she’d push my receipt to the website, and that I should go back there. Sure, it showed up, but with literally no detail. At least not enough to put on my expense account. I called her back, and she asked for my email address, said she’d send it to me directly within two minutes. Two hours later, nothing. I called her yet again, and left her voice mail. “Hey, receipt?” By end of day, still nothing.

    This is a place that could do with a good ticketing system, to drive issues to resolution. What’s funny is, every person who answered a phone for me that day asked me, “How do I resolve your issue quickly?” And then not a one of them could.

     The idea behind workflow is that you have something you need to accomplish, an ordered set of steps designed to accomplish it, a timeline in which it is to be accomplished, and fallbacks in case any of the steps fails to complete. For example, I hire a guy for a sales job. He has to get all the usual stuff an employee gets access to, such as an email address, some space on the file server, a login for the 401K, and an LDAP account. Then he has to get enabled for salesguy stuff: forecasting system, CRM account, accounts receivable, and expenses. I put him in HR, and I want some magical gremlin thingy to grab that entry and send off a workflow request to get the new hire approved by a director, a business unit manager, and VP. Then I need the functional stuff, i.e. the resource owners of those individual applications or whoever else is appropriate. If at any point one of those approvers isn’t available, or waits too long to do his job, that part of the request gets rerouted to somebody else. If something gets rejected, the workflow engine decides if the rest of the request goes forward, or gets rolled back. Maybe the new hire gets all or nothing. Maybe he can collect only those pieces that get approved. I should be able to check on the status of the request, see how far it’s gotten, who’s approved what up to now, what’s gotten rejected, where the request might be stuck, and so on. Ultimately, workflow drives the entire package to some sort of completion.

    This should be driven by logic, not by emails, voice mails, sneakernet.

    This sort of workflow engine accomplishes three major things. First, stuff gets done. Things don’t fall through the cracks. Second, consistency. Things get done the same way every time, as opposed to the random nonsense that happens when you rely on email and voicemails. This means you can bake your policies into those workflows. I need these steps, these requirements fulfilled, these approvals, these escalation procedures.

    Third, it’s self-documenting. The order is already documented by virtue of the workflow definition, and as each step completes (whether it’s approved, rejected, or rerouted/escalated), the engine generates (or at least it BETTER) an entry, a report, a notification, or some combination thereof. If something happened or didn’t, I can discern the reason.
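    To make the preceding two sections concrete, here is a toy approval-workflow engine. It is an added illustration, not code from this blog or from any Oracle or Sun product, and every approver, entitlement, deadline and response in it is constructed. It models the pieces described above: an ordered set of approval steps, a deadline per step with rerouting to a fallback approver when the primary sits on it, a rejection policy (all-or-nothing rollback versus collecting whatever was approved), a queryable status, and an audit entry written for every transition. A step with no entitlements of its own (the director in the sample) is a gatekeeper: if it rejects, the request stops regardless of policy.

```python
"""Toy approval-workflow engine: ordered steps, per-step deadlines with escalation
to a fallback approver, a rejection policy, queryable status, and an audit trail.
Added illustration; all names, entitlements, deadlines and responses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Step:
    name: str                 # e.g. "director" or "crm-owner"
    approver: str             # primary approver
    fallback: str             # who gets the step when the primary misses the deadline
    grants: tuple = ()        # entitlements this step controls; () means gatekeeper only
    deadline_hours: int = 48


@dataclass
class Request:
    subject: str
    steps: list
    all_or_nothing: bool
    log: list = field(default_factory=list)           # the audit trail
    decisions: dict = field(default_factory=dict)     # step name -> "approve" | "reject"
    routed_to: dict = field(default_factory=dict)     # step name -> approver currently holding it

    def audit(self, hour, step, event, who, detail=""):
        self.log.append({"t": hour, "step": step, "event": event, "who": who, "detail": detail})


def run(req, responses, start_hour=0):
    """Drive the request through its steps. `responses` maps (step, approver) to
    (hours_until_answer, decision); a missing entry means that approver never answers."""
    now = start_hour
    for step in req.steps:
        approver = step.approver
        req.routed_to[step.name] = approver
        req.audit(now, step.name, "routed", approver)
        answer = responses.get((step.name, approver))
        if answer is None or answer[0] > step.deadline_hours:
            # Primary missed the deadline: escalate to the fallback and note why.
            now += step.deadline_hours
            req.audit(now, step.name, "escalated", step.fallback,
                      f"{approver} missed {step.deadline_hours}h deadline")
            approver = step.fallback
            req.routed_to[step.name] = approver
            answer = responses.get((step.name, approver))
            if answer is None:
                req.audit(now, step.name, "stuck", approver, "fallback has not answered")
                break
        hours, decision = answer
        now += hours
        req.decisions[step.name] = decision
        req.audit(now, step.name, decision, approver)
        if decision == "reject" and (req.all_or_nothing or not step.grants):
            why = "policy: all-or-nothing" if req.all_or_nothing else "gatekeeper step rejected"
            req.audit(now, step.name, "rolled_back", "engine", why)
            break
    return status(req)


def status(req):
    """What a requester or auditor sees: how far it got, who holds it, what was granted."""
    last = req.log[-1]["event"] if req.log else "new"
    if last in ("rolled_back", "stuck"):
        state = last
    elif len(req.decisions) == len(req.steps):
        state = "completed"
    else:
        state = "in_progress"
    if state == "rolled_back" or (req.all_or_nothing and state != "completed"):
        granted = ()          # nothing is handed out until the whole package clears
    else:
        granted = tuple(e for s in req.steps
                        if req.decisions.get(s.name) == "approve" for e in s.grants)
    pending = [s.name for s in req.steps if s.name not in req.decisions]
    return {"state": state, "granted": granted, "pending": pending,
            "rejected": [n for n, d in req.decisions.items() if d == "reject"],
            "holder": {n: req.routed_to[n] for n in pending if n in req.routed_to}}


def new_sales_hire(all_or_nothing):
    """Constructed onboarding request for the sales hire in the text."""
    return Request("new-hire-42", [
        Step("director", "alice", "bob"),                                  # gatekeeper
        Step("email-owner", "carol", "dave", ("email", "fileshare")),
        Step("crm-owner", "erin", "frank", ("crm", "forecasting"), deadline_hours=24),
        Step("ar-owner", "grace", "heidi", ("accounts-receivable", "expenses")),
    ], all_or_nothing)


# Constructed responses: erin never answers (escalates to frank); grace rejects.
RESPONSES = {
    ("director", "alice"): (3, "approve"),
    ("email-owner", "carol"): (5, "approve"),
    ("crm-owner", "frank"): (2, "approve"),
    ("ar-owner", "grace"): (1, "reject"),
}


def demo(all_or_nothing):
    req = new_sales_hire(all_or_nothing)
    return run(req, RESPONSES), req.log


if __name__ == "__main__":
    for policy in (False, True):
        result, log = demo(policy)
        print("all_or_nothing =", policy, "->", result["state"], result["granted"])
        for entry in log:
            print("  ", entry)
```

    Run it with partial grants allowed and the hire gets email, file share, CRM and forecasting but not the A/R entitlements, with the escalation to frank and grace’s rejection both on the record. Run it all-or-nothing and the same rejection rolls the whole request back. Drop frank from the responses and the status shows exactly which step is stuck and who is holding it, which is the question every one of those phone calls should have been able to answer.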

    By the way, this is even more urgent a need when you’re talking about DISABLEMENT. Enabling users coming on board is a matter of convenience and productivity. Disabling them when they are terminated, especially for cause, is a matter of security.

    Workflow is a thing of beauty. In other words, things work, and things flow. They happen, and they do so according to a plan. Anything else is chaos, or a message shoved in a bottle and tossed into the sea. Email and voicemail for user entitlements is nothing more than a hope and a prayer. And you can’t run a business, or pass an audit, based on those.

    

    Monday, February 6, 2012

    You CAN get there from here

    A big competitor of my company likes to buy other companies and then suck their customers dry on maintenance. They really don’t care much about keeping those customers happy or keeping them in the family, they only want the maintenance base to fund future efforts.

    But Oracle, like the Borg, wants to assimilate. They want to keep customers in the family. Maintenance is great, to be sure, but happy customers are paying customers are upsell customers are references. Happy is good.

    One of the acquired customer groups is the Sun customers. There are all sorts of products that Sun sold, of course, but the ones I care about are the identity and access customers. When Oracle acquired Sun, they began the process of deciding which products from both companies would stick, and which ones wouldn’t. The products to be let go were deemed “non-strategic.” The ultimate aim was to create a truly best of breed selection. In other words, cherry pick the best possible components for the future offering. So Oracle Role Manager gave way to Sun Role Manager (formerly Vaau), the provisioning connectors became a mix and match exercise, the Fedlet and Secure Token Server stuck, and Sun Identity Manager was put into maintenance mode in favor of Oracle Identity Manager (same for the access management).

    Oracle’s standard for workflow is BPEL, the Business Process Execution Language, an open standard that grew out of the BPM world. It’s all about process, order, logical steps, open standards. This won out over SIM’s proprietary Express scripting. Now when old SIM customers ask about the level of effort to migrate from SIM to OIM, they tell me, “We have this many users. How long will it take?”

    My standard reply is, “I don’t give a darn how many users you have. How many workflow definitions do you have, and how ugly are they?”

    One or two step approvals are fairly easy to translate. But big, hairy workflows with lots of callouts and circular logic, exceptions, escalations, and so on, these get nasty.

    There are migration tools available. People hear this term and say, “Cool, I can feed my old workflows into the tools and get shiny, new workflows.” No, wrong, not gonna happen.

    The migration tools, which are free, do this one thing very well: they create an inventory of what there is to be migrated. They help point the way. They will NOT eat your SIM architecture and spit out OIM. But they definitely help. In the end, it’s a fairly manual process of redesign. Also remember, the way you did it the first time is probably in need of an overhaul anyway. I guarantee that if you COULD wave a magic wand and turn Express logic into BPEL, you’d inherit a bunch of badness. A migration, if you can charitably call it that, is an opportunity to re-examine your processes, and refine them, make them better, stronger, faster.
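    Here is what “how many workflow definitions do you have, and how ugly are they?” looks like as a script. This is an added illustration, not one of the migration tools mentioned above and not Express or BPEL syntax: the definitions are a constructed, neutral graph of steps (each step has a type and a list of next steps), and the scoring weights are a constructed heuristic. What it shows is the kind of inventory that points the way: per definition, how many steps, approvals, callouts and escalations there are, whether the flow loops back on itself (the circular logic that has to be rebuilt as structured loops), and whether any step jumps to a target that doesn’t exist.

```python
"""Inventory workflow definitions and rank them by migration difficulty.
Added illustration. The definition format is a constructed step graph, not
Sun/Waveset Express or BPEL; the weights in profile() are a constructed heuristic."""
from collections import Counter

# Constructed sample definitions: name -> {step_id: {"type": ..., "next": [...]}}
WORKFLOWS = {
    "simple-approval": {
        "start": {"type": "start", "next": ["mgr"]},
        "mgr": {"type": "approval", "next": ["provision"]},
        "provision": {"type": "provision", "next": ["end"]},
        "end": {"type": "end", "next": []},
    },
    "hairy-sales-onboarding": {
        "start": {"type": "start", "next": ["hr-lookup"]},
        "hr-lookup": {"type": "callout", "next": ["director"]},
        "director": {"type": "approval", "next": ["vp", "escalate-dir"]},
        "escalate-dir": {"type": "escalation", "next": ["director"]},   # loops back to director
        "vp": {"type": "approval", "next": ["branch"]},
        "branch": {"type": "branch", "next": ["crm-owner", "ar-owner"]},
        "crm-owner": {"type": "approval", "next": ["crm-callout"]},
        "crm-callout": {"type": "callout", "next": ["join"]},
        "ar-owner": {"type": "approval", "next": ["ar-exception"]},
        "ar-exception": {"type": "callout", "next": ["ar-owner", "join"]},  # retry loop
        "join": {"type": "join", "next": ["provision"]},
        "provision": {"type": "provision", "next": ["end"]},
        "end": {"type": "end", "next": []},
    },
}


def find_cycles(wf):
    """Return the back edges found by a DFS from 'start'. Each one is a loop in the
    old flow that has to be redesigned rather than copied."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {s: WHITE for s in wf}
    back_edges = []

    def visit(node):
        color[node] = GREY
        for nxt in wf[node]["next"]:
            if nxt not in wf:
                continue                      # dangling target, reported separately
            if color[nxt] == GREY:
                back_edges.append((node, nxt))
            elif color[nxt] == WHITE:
                visit(nxt)
        color[node] = BLACK

    visit("start")
    return back_edges


def dangling_targets(wf):
    """Steps that are referenced but never defined: a sign of rot in the old definition."""
    return sorted({n for s in wf.values() for n in s["next"] if n not in wf})


def profile(name, wf):
    kinds = Counter(step["type"] for step in wf.values())
    cycles = find_cycles(wf)
    dangling = dangling_targets(wf)
    # Constructed weights: callouts and loops cost the most to rework by hand.
    score = (len(wf) + 3 * kinds["callout"] + 2 * kinds["escalation"]
             + 2 * kinds["branch"] + 5 * len(cycles) + 5 * len(dangling))
    return {"name": name, "steps": len(wf), "approvals": kinds["approval"],
            "callouts": kinds["callout"], "escalations": kinds["escalation"],
            "cycles": cycles, "dangling": dangling, "score": score}


def inventory(workflows):
    """Every definition profiled, ugliest first."""
    return sorted((profile(n, wf) for n, wf in workflows.items()), key=lambda p: -p["score"])


if __name__ == "__main__":
    for p in inventory(WORKFLOWS):
        print(f"{p['name']:26} steps={p['steps']:2} approvals={p['approvals']} "
              f"callouts={p['callouts']} cycles={len(p['cycles'])} score={p['score']}")
```

    The two-step approval scores low and translates almost mechanically. The onboarding flow scores high on the strength of its three callouts and two loops, which is exactly where the manual redesign effort lands. Run something like this over a real inventory before anyone quotes a date.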

    You can get there. You might need some help. In fact, I’ll bet you will. But you will get there. I would never lie to you.

     

    Friday, January 27, 2012

    Yes, you can … but DON’T !!!

    It sucks getting old. I have aged fillings that occasionally turn into broken teeth. Last year I got contacted by a college girlfriend on Facebook, and it was a frightening thing. I hadn’t spoken to her since 1986 for a reason. I’m getting a bad disk in my lower back.

    But one of the advantages of getting old is keeping stuff that had become useless and then is suddenly useful again. I’ve seen my thin ties come in and out of style twice. On Ugly Day at school, the kids will always find something in my wardrobe that’s appropriate. The other day I actually found a purpose for some thirty year old shoelaces that have been in my drawer since my first apartment.

    But it doesn’t always work that way. Some stuff you should consider canning. If not immediately, then within a reasonable timeframe. Nostalgia is one thing; clutter is another.

    So I keep getting asked about end-of-lifed products in the IdM space. There’s been consolidation, mergers, re-alignment, that all point in a different direction for some old software. Typically there’s a very good reason a piece of code goes away. And sometimes the answer is the same one I give my kids when they want to know WHY they have to be home before midnight: BECAUSE. There’s the answer. A decision had to be made, and this is the decision.

    Take a look at the Oracle-Sun coupling. They truly created a best of breed selection when they merged the IdM product lines. The more stable and viable products survived, and the others got put into maintenance mode. The customers of these mothballed products aren’t suddenly on their own; they get support. But they’re being strongly encouraged to contemplate the future.

    The directory services area is a great example where Oracle has assembled a menu of options that include the best of what Oracle and Sun both had at the time of the acquisition. It’s coming to one dashboard, one management model, multiple directory models: virtual directory and meta-directory alike.

    Access management is still anchored by Oracle Access Manager and Adaptive Access Manager, but with Sun’s Fedlet and Secure Token Service thrown in.

    OpenSSO? It’s still available, but know exactly what you’re going to do with it.

    The elephant in the room has been Sun Identity Manager. Way back when, it was Waveset, and in fact it has been renamed Oracle Waveset, to prevent confusion over dueling identity managers. Its users have not been abandoned, but SIM has been deemed a “non-strategic” product. This means it doesn’t have a future. It is truly the vampire child of IdM: it won’t get any better, but it won’t get any older. It will simply exist as is, until support goes away altogether.

    That’s not for a while. But if you’re a SIM customer, you need to seriously consider your future. Start planning a path for migrating that proprietary scripting language in your workflows into BPEL. There are tools that help point down that path, but there’s definitely still work to be done. If you’ve customized it or, worse yet, had some integration partner do it FOR you, you absolutely need to begin the process of envisioning your future without SIM.

    Eventually, even those thin ties will hit the wall.

    

    Friday, December 30, 2011

    Find it, then secure it

    As part of my job, I often sit with customers in their meeting rooms, at long tables and at the whiteboard, figuring out where they’re at, and where they need to be. We discuss their business processes, as well as their security, corporate, and compliance requirements around those processes. We inventory their digital and human resources, and how these interact. Employees, contractors, partners, vendors, suppliers, the applications they touch, and the roles they touch them with. Databases and directories. What they need to secure, and to what degree. Which users should be able to access which resources. Which regulatory needs must be met. What reports are needed.

    Quite often when I’m doing this, there are personnel from the customer who barely know each other, or only speak regularly via email. Another fairly regular occurrence is the fact that various corners of the business are unaware of what other corners are doing. There’s all sorts of redundancy in user stores, processes, provisioning.  

    One of the mistakes made by even CIOs and others charged with maintaining an organization’s security posture is the failure to perform the most basic task: take inventory of the environment. They don’t know what they don’t know. It’s sad that it takes a visit from a vendor to prompt this exercise. Ideally, I should walk in and be handed a list of people (with their categories and roles), the directories they live in, the methods they authenticate with, the policies that authorize them, the applications they’re authorized for, the dashboards that govern the whole mess, and the reporting that comes out the tail end.

    That inventory of assets and plumbing is the foundation for everything. If you don’t know what you’re protecting and who from and based on what, then you’re up a creek. ANY application or database that comes into VIEW should come into SCOPE. Homegrown or vendor-supplied, it needs to be included in the inventory.

    Case in point: Years ago I visited a school where they regularly did data extracts. For purposes of chronic studies, analyses, departmental reports, and other odds and ends, they pulled data on students, finances, faculty and staff. These extracts were sitting in all manner of folders and hard drives all over the place. There were no controls on who could create them, who could access them, or where they ended up once they were created. The organization knew these extracts were a potential vulnerability, but never had the will to do anything about them. And despite knowing this, it wasn’t until I was on their premises and started drilling down that they began a larger inventory and discovered just how many of these extracts existed.

    In the American utilities space, the organization known as NERC enforces regulatory compliance on electric providers. The very first and very wise thing its CIP standards mandate is identifying those assets and drawing the perimeter around them.

    Once you have that inventory, you can also start correlating a couple of other things. Different apps run on different roles. Can you create enterprise roles that encompass those more provincial roles, for universal provisioning? And can you now create authentication policies for universal, or at least reduced, sign-on (SSO)?
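    As an added illustration of what you can do once the inventory exists (this is example code written for this page, not anything from a customer engagement or an Oracle product, and all the people, applications and roles in it are constructed), here is the pair of checks I’d run first. The first reconciles every application’s account list against the HR roster and surfaces accounts nobody in HR owns: service accounts, leftovers, and the first things an auditor and a deprovisioning project both want to see. The second groups the surviving users by their exact bundle of app-local roles and proposes an enterprise role for each bundle that enough people share, leaving the one-offs listed as exceptions to review.

```python
"""Reconcile per-application accounts against the HR roster, then mine the
remaining assignments for candidate enterprise roles. Added illustration;
every identity, application and role below is constructed."""
from collections import Counter, defaultdict

# Constructed HR roster: user id -> department
HR = {"u1": "sales", "u2": "sales", "u3": "sales", "u4": "finance", "u5": "finance", "u6": "it"}

# Constructed application inventory: app -> {account: set(app-local roles)}
APPS = {
    "crm": {"u1": {"rep"}, "u2": {"rep"}, "u3": {"rep"}, "svc_crm": {"admin"}},
    "erp": {"u4": {"ap_clerk", "gl_view"}, "u5": {"ap_clerk", "gl_view"},
            "u3": {"gl_view"}, "jsmith": {"ap_clerk"}},
    "ad": {"u1": {"Sales"}, "u2": {"Sales"}, "u3": {"Sales"},
           "u4": {"Finance"}, "u5": {"Finance"}, "u6": {"Domain Admins"}},
}


def orphans(hr, apps):
    """Accounts that exist in a target system but belong to nobody HR knows about."""
    return {app: sorted(a for a in accts if a not in hr)
            for app, accts in apps.items() if any(a not in hr for a in accts)}


def entitlements_by_user(hr, apps):
    """Flatten each known user's app-local roles into 'app:role' entitlements."""
    ent = defaultdict(set)
    for app, accts in apps.items():
        for acct, roles in accts.items():
            if acct in hr:
                ent[acct].update(f"{app}:{r}" for r in roles)
    return ent


def mine_roles(hr, apps, min_users=2):
    """Group users by identical entitlement bundle. Bundles held by at least
    min_users become candidate enterprise roles, named for the department most of
    their holders share; everyone else is an outlier to review by hand."""
    by_bundle = defaultdict(list)
    for user, e in entitlements_by_user(hr, apps).items():
        by_bundle[frozenset(e)].append(user)
    candidates, outliers = [], {}
    for bundle, users in by_bundle.items():
        if len(users) >= min_users:
            dept = Counter(hr[u] for u in users).most_common(1)[0][0]
            candidates.append({"role": f"ent-{dept}", "entitlements": sorted(bundle),
                               "members": sorted(users)})
        else:
            for u in users:
                outliers[u] = sorted(bundle)
    return sorted(candidates, key=lambda c: c["role"]), outliers


if __name__ == "__main__":
    print("orphan accounts:", orphans(HR, APPS))
    roles, exceptions = mine_roles(HR, APPS)
    for r in roles:
        print(r["role"], r["entitlements"], r["members"])
    print("review by hand:", exceptions)
```

    On the constructed data the CRM service account and a stray ERP account come back as orphans, sales and finance each collapse to one enterprise role, and the sales rep who somehow also has general-ledger view in ERP shows up as an exception rather than quietly becoming part of the sales role. That last case is the whole point: you only get to ask the question because the inventory exists.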

    You can’t fix it if you don’t know it’s broke. And you can’t secure it if you don’t know you have it. If you’re the person in charge of security, then you must be the authoritative source on what you own, and what you’re going to do about it.

    

    Saturday, December 17, 2011

    How NOT to provision

    I’m often teaching customers how to migrate from their old, clunky, non-integrated non-systems to integrated, fully operational, and completely audit-friendly systems. A common non-system is back-door provisioning. As I’ve said here, and in many meetings, and especially in the book, a help desk ticketing system is not a sound basis for provisioning. You want a proper request process, showing only those things that should be on the menu for the given user, and/or you want automation based on roles and attributes. Then you want full blown approval workflow, documentation for approvals and disapprovals, you want target system connectors. And then you want automated DE-provisioning. None of this is available through the help desk.

    Well, here’s another one I run into, not as often, but it’s just as bad, if not WORSE. It’s the use of synchronized directories for provisioning. In other words, I set up a schema in a virtual directory that synchronizes the necessary attributes to mimic rights in target system directories. So besides the usual attributes:

    • First name
    • Last name
    • Phone extension
    • Hair color
    • Boxers or briefs

     you also have:

    • SAP roles
    • Peoplesoft roles
    • AD group memberships
    • Blah blah

    The supposed goal here is to fill in the attributes, then allow the directory sync to populate those target directories. Sounds awfully easy. And there’s only a few things missing. A few big, fat, hairy things, such as:

    • Referential / transactional integrity
    • Rollback
    • Two-phase commit
    • Approvals / denials

    Do you gather all the approvals in advance, then send everything off? What if one of the approvers says nay? Do you go back in and wipe out the attributes you DON’T want to sync? What happens when one or more of the updates doesn’t work? Can you undo the ones that did? If not, will your target systems themselves be out of sync?

    How about dependencies? Are you going to write a whole bunch of LDAP or database triggers?

    There certainly won’t be any parallel processing.

    Many to one is easy. One to many is hard. And this architecture makes it even harder.
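    To show why one-to-many gets harder under this architecture, here is the same fan-out done two ways. This is an added illustration with constructed in-memory stand-ins for Active Directory, SAP and PeopleSoft; it is not Oracle Virtual Directory, OIM, or any real connector. In the sync style, each target copies its own attribute from the hub independently, so when the SAP role grant fails the AD and PeopleSoft grants have already happened and nothing is in a position to undo them. In the provisioning-engine style, the steps run in dependency order and a failure triggers compensating revokes of everything already done. Compensation is not true two-phase commit (most target systems can’t join one), but it is the piece that keeps the targets consistent, and it is exactly what attribute sync has no place to put.

```python
"""One-to-many fan-out of a new user's entitlements to several target systems,
two ways: attribute sync with no coordination, versus a provisioning transaction
with ordered steps and compensating rollback. Added illustration; the targets are
constructed in-memory stand-ins, and the SAP failure is deliberately scripted."""


class Target:
    """Stand-in for one target system's account store."""

    def __init__(self, name, fail_on=None):
        self.name, self.fail_on, self.accounts = name, fail_on, {}

    def grant(self, user, value):
        if value == self.fail_on:   # constructed failure, e.g. the role doesn't exist there
            raise RuntimeError(f"{self.name}: cannot grant {value!r} to {user}")
        self.accounts[user] = value

    def revoke(self, user):
        self.accounts.pop(user, None)


def make_targets():
    return {"ad": Target("ad"), "sap": Target("sap", fail_on="SAP_FI_CLERK"), "psft": Target("psft")}


def sync_provision(user, attrs, targets):
    """Attribute-sync style: each target's connector pulls its attribute on its own.
    A failure in one target is logged at best; the others stay done and nothing undoes them."""
    errors = []
    for tgt, value in attrs.items():
        try:
            targets[tgt].grant(user, value)
        except RuntimeError as e:
            errors.append(str(e))
    return errors


def transactional_provision(user, attrs, targets, order):
    """Provisioning-engine style: steps run in dependency order (the AD account before
    the roles that assume it exists). On any failure, completed steps are compensated in
    reverse, so the targets end up all granted or all clean."""
    done = []
    try:
        for tgt in order:
            if tgt in attrs:
                targets[tgt].grant(user, attrs[tgt])
                done.append(tgt)
        return {"status": "committed", "granted": list(done)}
    except RuntimeError as e:
        for tgt in reversed(done):
            targets[tgt].revoke(user)
        return {"status": "rolled_back", "error": str(e), "compensated": list(reversed(done))}


def state(targets):
    """Snapshot of every target's accounts, for comparing the two outcomes."""
    return {name: dict(t.accounts) for name, t in targets.items()}


def demo():
    attrs = {"ad": "CN=Sales,OU=Groups", "sap": "SAP_FI_CLERK", "psft": "AR_VIEW"}
    synced = make_targets()
    sync_errors = sync_provision("jdoe", attrs, synced)
    txn_targets = make_targets()
    txn = transactional_provision("jdoe", attrs, txn_targets, order=["ad", "sap", "psft"])
    return sync_errors, state(synced), txn, state(txn_targets)


if __name__ == "__main__":
    sync_errors, sync_state, txn, txn_state = demo()
    print("sync errors:", sync_errors)
    print("sync left targets at:", sync_state)        # AD and PeopleSoft done, SAP not
    print("transaction result:", txn)
    print("transaction left targets at:", txn_state)  # all clean
```

    The sync path ends with jdoe in AD and PeopleSoft but not SAP, and only an error string to show for it. The transactional path ends with jdoe nowhere and a record of what was compensated, which is the state you can actually retry from. Add approvals, dependencies and audit on top of that and you have described a provisioning engine, not a directory.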

    Oracle Virtual Directory is a wonderful tool for aggregating information from multiple sources, including other directories, databases, even web services, and presenting this data in a single LDAP interface. And bi-directional is also good. But using it for provisioning is NOT good.

    A true meta-directory, like Oracle Internet Directory, at least allows for rollbacks and other intelligence. It is actual persistent storage, and allows for more robust updates in the other direction. But there are still pieces missing which make it less than desirable for full blown provisioning, compared with a true provisioning product such as Oracle Identity Manager and its brethren.

    Do you want to reduce complexity? Of course. But do you simplify to the point of not having what you need? Of course NOT.
