The Black Book of Identity Access Mgmt

    Eeeyew, your LDAP is stepping on mine: mixing internal, external users

    At a bank in Chicago recently, an IT manager asked me if I was seeing customers using Oracle Identity Manager as the HR for external users. It's kind of a loaded question, since OIM doesn't really handle payroll, taxes, that sort of thing.

    I do actually have a couple of customers who use IdM as their HR, and I definitely do NOT recommend it. It's not built for that. HR is your authoritative source for who belongs in the company, who can have a badge, who gets paid, the usual. IdM is the authoritative source for who has (or had or WILL have) access to what. Every app plays its part.

    IdM should be the keeper of access rights for ALL users. Where those users live in terms of the org is a different story. IdM should be able to reconcile users and profiles from wherever they're at, and it's common to have multiple authoritative sources, although a best practice is to keep these to a minimum.

    And I have commonly seen external users kept physically separate from internal ones. For example, managers seem to hate putting contractors in their Active Directory. AD is some sort of sacred cow.

    I can see not putting customers in there, because it can get out of hand, and AD already has a tendency to do that. I've had plenty of clients get in audit trouble because of AD, usually because they have too many groups.

    But it's so easy to segment users in standard business apps, such as PeopleSoft. You've got groups, attributes, organizations, and other constructs to isolate one population from another, and OIM supports all of them: it uses this kind of data to provision, route notifications, request approvals, and satisfy any other requirement in which membership is a factor.

    You could still physically separate the users if somebody requires it, or if that's just the way you've been doing it, for legacy reasons. But you can aggregate them when necessary through a tool like Oracle Virtual Directory.
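    To make the "physically separate, virtually aggregated" idea concrete, here is an added example (not code from the original post, and not Oracle Virtual Directory itself): a small in-memory model of a virtual directory that mounts an AD-style internal store and a separate external-user store under one virtual suffix, rewrites DNs, maps AD's sAMAccountName onto uid, and stamps a synthetic userType attribute so consuming apps can still tell the two populations apart. The store names, DNs, attributes and the userType attribute are all constructed assumptions.

```python
"""Added example, not part of the original post and not Oracle code: a toy,
in-memory model of how a virtual directory (Oracle Virtual Directory is the
post's example) aggregates physically separate user stores into one LDAP view
while the segmentation between them stays visible. Backends, DNs, attributes
and the synthetic userType attribute are constructed assumptions."""

from dataclasses import dataclass, field


def _under(dn: str, base: str) -> bool:
    """True when dn equals base or sits somewhere beneath it (case-insensitive DN compare)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class Adapter:
    """One physical store mounted into the virtual tree (roughly what OVD calls an adapter)."""
    name: str
    user_type: str          # value written into a synthetic userType attribute
    real_base: str          # suffix of entries in the physical store
    virtual_base: str       # where those entries appear in the aggregated tree
    store: dict             # constructed stand-in for the LDAP backend: {dn: {attr: value}}
    attr_map: dict = field(default_factory=dict)  # backend attribute -> common attribute name

    def search(self, attr=None, value=None):
        """Return (virtual_dn, attrs) for entries where attr == value (every entry if attr is None)."""
        hits = []
        for dn, attrs in self.store.items():
            if not _under(dn, self.real_base):
                continue                                   # outside this adapter's suffix
            mapped = {self.attr_map.get(k, k): v for k, v in attrs.items()}
            mapped["userType"] = self.user_type            # lets apps filter by population
            if attr is not None and mapped.get(attr) != value:
                continue
            rdn_part = dn[: len(dn) - len(self.real_base)]  # keeps the trailing comma
            hits.append((rdn_part + self.virtual_base, mapped))
        return hits


class VirtualDirectory:
    """Routes a search to every adapter in scope of the search base and merges the results."""

    def __init__(self, adapters):
        self.adapters = list(adapters)

    def search(self, base, attr=None, value=None):
        hits = []
        for adapter in self.adapters:
            if _under(adapter.virtual_base, base):
                hits.extend(adapter.search(attr, value))   # whole adapter lies under the base
            elif _under(base, adapter.virtual_base):
                # base is inside this adapter: query it, keep only entries beneath the base
                hits.extend(h for h in adapter.search(attr, value) if _under(h[0], base))
        return hits


# Constructed sample data: an AD-style internal store and a separate external-user store.
INTERNAL_STORE = {
    "CN=jdoe,OU=Employees,DC=corp,DC=example": {
        "sAMAccountName": "jdoe", "mail": "jdoe@corp.example",
        "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"],
    },
    "CN=asmith,OU=Employees,DC=corp,DC=example": {
        "sAMAccountName": "asmith", "mail": "asmith@corp.example",
        "memberOf": ["CN=IT,OU=Groups,DC=corp,DC=example"],
    },
}
EXTERNAL_STORE = {
    "uid=bob.acme,ou=Contractors,dc=ext,dc=example": {
        "uid": "bob.acme", "mail": "bob@acme.example", "o": "ACME Consulting",
    },
}


def build_directory() -> VirtualDirectory:
    """Mount both stores under one virtual suffix, mapping AD's sAMAccountName onto uid."""
    internal = Adapter("internal-ad", "internal", "DC=corp,DC=example",
                       "ou=internal,dc=virtual,dc=example", INTERNAL_STORE,
                       attr_map={"sAMAccountName": "uid"})
    external = Adapter("external-ldap", "external", "dc=ext,dc=example",
                       "ou=external,dc=virtual,dc=example", EXTERNAL_STORE)
    return VirtualDirectory([internal, external])


if __name__ == "__main__":
    vd = build_directory()
    for dn, attrs in vd.search("dc=virtual,dc=example"):
        print(dn, "->", attrs["userType"], attrs.get("mail"))
    # Population-scoped search: only the internal adapter is consulted.
    print(len(vd.search("ou=internal,dc=virtual,dc=example")), "internal users")
```

    A search against the virtual root sees everyone with a common uid and a userType marker, while a search scoped to ou=internal never touches the external store, which is the point: the stores stay separate on disk, the aggregation is a routing and DN-rewriting layer, and the segmentation survives as data an app or OIM can filter on.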

    There are so many virtual ways, in fact, to separate groups of users, and not just internal and external, that it seems downright silly to say, “I don’t even want them in the same database. They have to be on separate machines, across the room from each other.”

    It’s called technology. Get used to it.