The Black Book of Identity Access Mgmt


    Saturday, Dec 08, 2012

    My dog looks like me, so why not my IAM system?

    One of the reasons Oracle got into the security business is because it’s one of the largest business APPS companies. Siebel, Peoplesoft, E-Business Suite, and it just goes on from there. They probably figured, why let other people secure our stuff?

    One of Oracle’s biggest competitors in the biz apps arena can easily require YEARS for installation and configuration. It’s a beast. Deploying any single one of their modules can kill a normal human. I always say, you don’t own that product; it owns YOU.

    A big hassle with it is making it follow your business processes. You want any system that runs your organization to KNOW your organization. It’s one thing if you put in a system and then follow its flow because it makes your life better. It’s another if you follow the flow because that’s all you get. Reminds me of the old cartoon where a guy crawls in from the desert to an ice cream shop, where they have three flavors: wood, starch, and vanilla. The kid behind the counter tells the poor straggler, “Sorry, we’re out of vanilla.”

    A lot of times, corporate calls us to California to show us the latest and greatest, and we say, yeah that’s cool, and we fall asleep until catering brings in the sandwiches. Sure, the stuff might be excellent, but it’s just software, right? One of the last times we actually applauded something was an outstanding demo of BI Publisher. I know, white knuckle ride, right?

    This is what I love about Oracle Identity Manager 11gR2. OIM 9i was nice and stable, and the transition to 10g was even more powerful, but in that transition, the interface could have been just a tad easier to work with. 11gR2 solved some of those issues and THEN some.

    First off, tabs and menus make it a helluva lot easier to figure out where you’re going. And if you’re an approver or provisioner, and you don’t have enough info to perform a task, you can pull up more data at any time so that you can make a more educated decision. If you’re one of the stops in an approval workflow, you can even view who else is in that chain, which can be pretty handy. For example, if you aren’t completely knowledgeable about the requester, you can see who else has already given an okay, and ask that person.

    That’s the easy stuff. Here’s the better stuff. In the past, you had to know Java or ADF to modify the look and feel. There are advantages to doing that, but it also takes know-how and more time. And there may still be extreme customizations that still require those skill sets. Naturally, whenever you code changes, you have to consider migration of those changes when you upgrade the foundation app.

    But now you can customize look and feel without necessarily coding a thing. 11gR2 comes with a feature known as a sandbox. This means the ability to create a view that might be specific for a user or, more likely, a group of users. You can perfect this view, with options and information tailored to that group, and then publish that view. Admins, non-admins, customer admins, external users, approvers, etc. can all have a look that suits them, exposes only those things the organization wants them to have, and makes the members of that group as productive as possible.

    So what are those options, those features? Well, in a basic view, you’ve got some boxes, called regions, in which certain tasks are grouped. You can move these regions around, putting the most commonly-used at the top, and shoving the more seldom-used options to the bottom. This can be done with simple drag and drop. If you’re not an approver, you don’t need to clutter your view with approval tasks, so you can make that region disappear completely. Same thing with provisioning tasks.

    You can also change which data elements show up. If you need additional items (columns, fields), then add those. Make extraneous ones go away. The idea here is, give me only what I need to know in order to do my job, and don’t confuse me with extras.

    If you need custom attributes, here’s your chance to add those as well.

    If you perform some redundant searches, you can create those searches, fill in the parameters, and save them, then just kick them off as needed. You’re the guy who provides desks or phones, so maybe you want a list of all new office employees each day, even before the workflow request reaches you, so you can prep in advance. Or you want to know everybody in accounting who’s been identified as a jerk, so you can go yell at them in advance before they have a chance to deny your expenses. I personally have that one set up.

    It’s easier to create custom forms as well. If you need to attach an existing form to an access request, for legacy reasons, you can always do that. Scan it, attach it, send it along. I will say this: the sooner you make that form electronic and attach that instead, the better off you’ll be. So use OIM to design that custom form, with any necessary custom attributes (“You cannot have that permission until you have passed the course, read the book, caught the greased pig, whatever”), and make that part of your process. 11gR2 even makes it easier to migrate those when you upgrade to 12cR9, 13zR23-skidoo, 14vR19, or whatever goony name they come up with next.

    It’s not often I rave about the next big widget, but in this case, it’s about coding-free customization, productivity, usability, and business-facing features. I don’t sell to engineers so much as business people, because the bulk of industry is not in the business of identity, they’re in the business of business. If the directory geek likes it, but it’s too confusing to the accounting guy who can’t spell LDAP, it’s pretty much a waste. If it makes MY job easier by making THEIR job easier, I can actually get excited about that.