The Black Book of Identity Access Mgmt
    Saturday, Dec 08, 2012

    My dog looks like me, so why not my IAM system?

    One of the reasons Oracle got into the security business is because it’s one of the largest business APPS companies. Siebel, Peoplesoft, E-Business Suite, and it just goes on from there. They probably figured, why let other people secure our stuff?

    One of Oracle’s biggest competitors in the biz apps arena can easily require YEARS for installation and configuration. It’s a beast. Deploying any single one of their modules can kill a normal human. I always say, you don’t own that product; it owns YOU.

    A big hassle with it is making it follow your business processes. You want any system that runs your organization to KNOW your organization. It’s one thing if you put in a system and then follow its flow because it makes your life better. It’s another if you follow the flow because that’s all you get. Reminds me of the old cartoon where a guy crawls in from the desert to an ice cream shop, where they have three flavors: wood, starch, and vanilla. The kid behind the counter tells the poor straggler, “Sorry, we’re out of vanilla.”

    A lot of times, corporate calls us to California to show us the latest and greatest, and we say, yeah that’s cool, and we fall asleep until catering brings in the sandwiches. Sure, the stuff might be excellent, but it’s just software, right? One of the last times we actually applauded something was an outstanding demo of BI Publisher. I know, white knuckle ride, right?

    This is what I love about Oracle Identity Manager 11gR2. OIM 9i was nice and stable, and the transition to 10g was even more powerful, but in that transition, the interface could have been just a tad easier to work with. 11gR2 solved some of those issues and THEN some.

    First off, tabs and menus make it a helluva lot easier to figure out where you’re going. And if you’re an approver or provisioner, and you don’t have enough info to perform a task, you can pull up more data at any time so that you can make a more educated decision. If you’re one of the stops in an approval workflow, you can even view who else is in that chain, which can be pretty handy. For example, if you aren’t completely knowledgeable about the requester, you can see who else has already given an okay, and ask that person.

    That’s the easy stuff. Here’s the better stuff. In the past, you had to know Java or ADF to modify the look and feel. There are advantages to doing that, but it also takes know-how and more time. And there may still be extreme customizations that require those skill sets. Naturally, whenever you make changes in code, you have to consider migrating those changes when you upgrade the foundation app.

    But now you can customize look and feel without necessarily coding a thing. 11gR2 comes with a feature known as a sandbox. This means the ability to create a view that might be specific for a user or, more likely, a group of users. You can perfect this view, with options and information tailored to that group, and then publish that view. Admins, non-admins, customer admins, external users, approvers, etc. can all have a look that suits them, exposes only those things the organization wants them to have, and makes the members of that group as productive as possible.

    So what are those options, those features? Well, in a basic view, you’ve got some boxes, called regions, in which certain tasks are grouped. You can move these regions around, putting the most commonly-used at the top, and shoving the more seldom-used options to the bottom. This can be done with simple drag and drop. If you’re not an approver, you don’t need to clutter your view with approval tasks, so you can make that region disappear completely. Same thing with provisioning tasks.

    You can also change which data elements show up. If you need additional items (columns, fields), then add those. Make extraneous ones go away. The idea here is, give me only what I need to know in order to do my job, and don’t confuse me with extras.

    If you need custom attributes, here’s your chance to add those as well.

    If you perform some redundant searches, you can create those searches, fill in the parameters, and save them, then just kick them off as needed. You’re the guy who provides desks or phones, so maybe you want a list of all new office employees each day, even before the workflow request reaches you, so you can prep in advance. Or you want to know everybody in accounting who’s been identified as a jerk, so you can go yell at them in advance before they have a chance to deny your expenses. I personally have that one set up.

    It’s easier to create custom forms as well. If you need to attach an existing form to an access request, for legacy reasons, you can always do that. Scan it, attach it, send it along. I will say this: the sooner you make that form electronic and attach that instead, the better off you’ll be. So use OIM to design that custom form, with any necessary custom attributes (“You cannot have that permission until you have passed the course, read the book, caught the greased pig, whatever”), and make that part of your process. 11gR2 even makes it easier to migrate those when you upgrade to 12cR9, 13zR23-skidoo, 14vR19, or whatever goony name they come up with next.

    It’s not often I rave about the next big widget, but in this case, it’s about coding-free customization, productivity, usability, and business-facing features. I don’t sell to engineers so much as business people, because the bulk of industry is not in the business of identity, they’re in the business of business. If the directory geek likes it, but it’s too confusing to the accounting guy who can’t spell LDAP, it’s pretty much a waste. If it makes MY job easier by making THEIR job easier, I can actually get excited about that.


    Saturday, Nov 10, 2012

    IAM has got you covered

    A few years ago I traveled to Texas to perform a penetration test on the web site for an oil company. I landed at the Houston (Bush) airport, ventured out under the overhang and got on the rental car bus, got off the bus under another overhang, went out under another overhang and got in the car, drove to a parking garage, took the elevator up to an above-ground tunnel to the building across the street, visited the customer, then did all the same thing in reverse.

    Sitting on the plane to go home late that day, something very strange occurred to me: not once during the entire day trip to Houston was I ever directly under the sky. The entire time there, I had something over my head.

    This is how a good IdM system is supposed to work. Cradle to grave, you are always covered. You don’t get in, you don’t get stuff, you don’t get out, without the policies going along. You don’t get into the directory unless the authoritative source (hopefully the HR system) says you belong there. You don’t get group memberships or attribute values, unless your role or job code or hat size (as specified in said directory) are in agreement. You don’t get access to target systems unless those group memberships or attributes or roles say you can.

    If you get access rights out of band, you don’t keep them if the policies don’t back them up. You can’t even request additional access unless you’re authorized. You can’t see possible access rights in the catalog unless you’re entitled to them.

    (Kind of unrelated, but you don’t get to complain about the government unless you VOTE.)

    You don’t get to make requests, perform approvals, perform provisioning tasks, perform other administrative tasks, access a resource, change your password, or do much of anything else, without your actions being captured for later reporting and auditing. Yeah, that’s kinda creepy, but that’s called security and compliance.
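The lifecycle rules in this post, as an added example in Python (not the author’s code and not OIM’s API): a toy reconciliation that keeps only the access the policy backs, refuses catalog requests the job code does not allow, and records every decision for audit. The HR records, job codes and group names are constructed for the example.

```python
# Constructed sample data (not from any real system).
# Authoritative source (HR): who exists and what job code they hold.
HR = {
    "alice": {"job_code": "ACCT", "active": True},
    "bob":   {"job_code": "ENG",  "active": False},  # leaver: terminated in HR
    "dave":  {"job_code": "ENG",  "active": True},   # joiner: not yet provisioned
}
# Policy: job code -> groups the holder is entitled to in the target system.
ROLE_POLICY = {"ACCT": {"ledger-readers"}, "ENG": {"repo-writers"}}
# Catalog policy: job code -> groups the holder may even request.
REQUESTABLE = {"ACCT": {"expense-approvers"}, "ENG": {"ci-admins"}}
# What the target system currently shows, including out-of-band grants.
OBSERVED = {
    "alice": {"ledger-readers", "repo-writers"},  # repo-writers granted out of band
    "bob":   {"repo-writers"},                    # leaver still holding access
    "carol": {"ledger-readers"},                  # no HR record at all
}


def entitled(user, hr, policy):
    """Access exists only if HR says you belong AND your job code backs it."""
    rec = hr.get(user)
    if rec is None or not rec["active"]:
        return set()
    return set(policy.get(rec["job_code"], set()))


def reconcile(hr, policy, observed):
    """Compare observed memberships with policy; return corrective actions and an audit trail."""
    actions, audit = [], []
    for user in sorted(set(hr) | set(observed)):
        want = entitled(user, hr, policy)
        have = observed.get(user, set())
        for grp in sorted(have - want):  # held but not backed by policy: revoke
            actions.append(("revoke", user, grp))
            audit.append(f"user={user} group={grp} action=revoke reason=not-backed-by-policy")
        for grp in sorted(want - have):  # entitled but missing: grant
            actions.append(("grant", user, grp))
            audit.append(f"user={user} group={grp} action=grant reason=policy")
    return actions, audit


def can_request(user, group, hr, catalog_policy):
    """The catalog shows (and accepts) only what the job code makes requestable."""
    rec = hr.get(user)
    if rec is None or not rec["active"]:
        return False
    return group in catalog_policy.get(rec["job_code"], set())
```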

    You are always covered. Until you leave.

    No, you don’t get to see the sky. Unless you own the company, and you’re not publicly traded.

    Wednesday, Oct 24, 2012

    Belated Dispatch from Oracle Openworld

    Man, I am eating too much on this trip. Not drinking any more than I need to, to schmooze with partners, reps, and customers. But eating way, way too much. My first full night in town, I had two dinners. The next day, I was not happy.

    Lots of activity. Meeting with many customers. Introducing those many customers to many product managers and many partners. Helped run an OAM workshop. Over 50 people showed up. Unfortunately, only about half the network bandwidth showed up. Some genius erased some VM images we needed. But it went well.

    Sat through a couple of very good sessions. Saw some third party trot out a couple of speakers who had great content but who could bore the pants off a sleeping dog. Say it like you mean it. Raise your voice a little. Pretend you care. Or else your audience sure won’t.

    If you’re going to hire security guards and put uniforms on them and station them at all the critical junctures, give them an index card or cheat sheet so they can give even the barest of directions.

    “Excuse me, they’ve closed off the shortcut for a special event, how do I get to Moscone North from here?”

    “No idea. Ask that guy there.”

    “Okay, excuse me, that guy there, how do I get to Moscone North?”

    “Dunno.”

    Now repeat this two dozen times.

    I love how the company put real product managers at the demo pods and booth to answer real questions from real customers. Not demo dollies, guys who can run the little movie, but people who can actually answer the questions. That’s commitment. I very much appreciated that when walking my own customers up to these dedicated folks to authoritatively say when one product is merging with another, when additional functionality is expected, and when certain standards will be supported.

    On Monday, got in a cab with some friends and it turned out to be Haydar’s Disco Cab. Every straight edge was lined with flashing lights, and he even had a couple of disco balls in there. Unbelievable.

    Took the BART in each morning, which was remarkably easy and clean. But if you’re a rep and you want me to hang around at night to have martinis with your prospects, you’re going to figure out how I’m going to get back to my hotel. I’m not taking the BART back after midnight. In fact, does it even run that late?

    And it’s a nice thought, but when the fire-breathing preacher with the bullhorn stands in front of Moscone West screaming how we’re all going to hell (and we’re in software, so we already know that), having the events guy stand in front of him doesn’t really help. We can still hear the guy. Just thought you’d like to know.

    Wednesday, Oct 24, 2012

    What's your (Id AM) hurry?

    Being the Type AAA personality that I am, I often wonder how perfectly healthy-looking young people can get on an escalator or an airport people-mover and just stand there while it takes them someplace. Don’t they want to move? Don’t they want to get where they’re going? They’ll probably enjoy sitting longer at their destination than standing longer watching people who are walking alongside the people mover pass them up. Don’t they have a purpose in life? Don’t they want to avoid getting elbowed by me and a whole lot of other people who push past them?

    But when it’s time to build your IAM framework, you can’t hurry. Case in point: I recently met with a customer who told me that, as the starting point for an IAM review, their Big Four partner began a role mining exercise. That’s what they started with. Sorry, but that’s just stupid. The customer recognized this, too. If you develop roles, but have no place to put them, what’s the point? How about a review of business requirements? Onboarding and (maybe more importantly) off-boarding? What about looking at the processes? Roles serve those processes, not the other way around.

    You need a plan. Don’t waste your time, money, and resources building something that doesn’t help the business. It really IS all about processes. How do I enable, secure, and audit the business? That’s how this works. Inventory those individual processes, inventory what you need to fulfill those requirements, then inventory the pieces you already have in place, and figure out the gaps. There’s more to it than that, of course, but that’s the 10,000-foot view.

    Once you have all that written down, of course, THAT is when you go nuts, and elbow those damn people off your people mover on the way to your new IAM framework.

    Wednesday, Oct 03, 2012

    Dispatch from Oracle Openworld 2012

    Man, I am eating too much on this trip. Not drinking any more than I need to, to schmooze with partners, reps, and customers. But eating way, way too much. My first full night in town, I had two dinners. The next day, I was not happy.

    Lots of activity. Meeting with many customers. Introducing those many customers to many product managers and many partners. Helped run an OAM workshop. Over 50 people showed up. Unfortunately, only about half the network bandwidth showed up. Some genius erased some VM images we needed. But it went well anyway, mostly due to the genius in charge, Chris.

    Sat through a couple of very good sessions. Saw some third party trot out a couple of speakers who had great content but who could bore the pants off a sleeping dog. Say it like you mean it. Raise your voice a little. Pretend you care. Or else your audience sure won’t.

    If you’re going to hire security guards and put uniforms on them and station them at all the critical junctures, give them an index card or cheat sheet so they can give even the barest of directions.

    “Excuse me, they’ve closed off the shortcut for a special event, how do I get to Moscone North from here?”

    “No idea. Ask that guy there.”

    “Okay, excuse me, that guy there, how do I get to Moscone North?”

    “Dunno.”

    Now repeat this two dozen times.

    I love how the company put real product managers at the demo pods and booth to answer real questions from real customers. Not demo dollies, guys who can run the little movie, but people who can actually answer the questions. That’s commitment. I very much appreciated that when walking my own customers up to these dedicated folks to authoritatively say when one product is merging with another, when additional functionality is expected, and when certain standards will be supported.

    On Monday, got in a cab with some friends and it turned out to be Haydar’s Disco Cab. Every straight edge was lined with flashing lights, and he even had a couple of disco balls in there. Unbelievable.

    Took the BART in each morning, which was remarkably easy and clean. But if you’re a rep and you want me to hang around at night to have martinis with your prospects, you’re going to figure out how I’m going to get back to my hotel. I’m not taking the BART back after midnight. In fact, does it even run that late?

    And it’s a nice thought, but when the fire-breathing preacher with the bullhorn stands in front of Moscone West screaming how we’re all going to hell (and we’re in software, so we already know that), having the events guy stand in front of him doesn’t really help. We can still hear the guy. Just thought you’d like to know.