Thursday, October 12, 2006

How easy is it to change the authoritative sources for Identities?

We had an interesting meeting today regarding our planning of the ITIM architecture. Since we are a service provider, the initial goals of our Identity Management project revolve around delivering services to our customers. So we want to provision our customers to the applications they have "signed up for". We call it participation. If a customer participates in a service, they are entitled to access a given application. Depending on what type of user is sponsored by that customer, some users may have access to do certain things while others have access to do other things. In most normal Identity Management implementations, the HR system is authoritative for staff identities. In our case we are building our ITIM with the identities of our customers as well as our own, so what is essentially becoming the authoritative source for identities is some system that is easily accessible, like an LDAP directory (Novell, Active Directory, or even Domino), where the bulk of the customer identities exist. But what if later on we want to change this?

Some parts of our conversation today were about trying to see into the future. Let's say that today we want to deliver our customers to applications. To do that we connect up to the customers' directory and pull out the identities and attributes we are interested in to feed ITIM. Since connecting up to a customer's HR system could be a political issue, going after the identities in the customer's email system or file/print system is easier. Also, since many of these systems are LDAP directories, the connectors to detect changes already exist in TDI. So we can count on the customers to maintain their users as normal, and as users get added to or removed from their directories we will detect those changes and take action accordingly in ITIM.
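The flow above, as an added illustration that is not code from the blog, ITIM or TDI: two snapshots of a customer's directory are diffed the way a change-detection connector would surface adds, removes and modifications, and the resulting provisioning actions are derived from the customer's participation and the sponsored user's type. The customers, services, user types and directory entries are all constructed sample data.

```python
# Added illustration, not the blog's or IBM's code: diff two snapshots of a customer's
# directory (what a TDI change-detection connector would surface) and derive the ITIM
# provisioning actions from the customer's service participation. All data is constructed.

# Constructed: services each customer has "signed up for" (participation).
PARTICIPATION = {"acme": {"email", "crm"}, "globex": {"email"}}
# Constructed: which sponsored user types may use which services.
ENTITLEMENTS = {"staff": {"email", "crm"}, "contractor": {"email"}}

def entitled_services(customer, user_type):
    """Entitlement for the user's type, limited to what the sponsoring customer participates in."""
    return ENTITLEMENTS.get(user_type, set()) & PARTICIPATION.get(customer, set())

def detect_changes(previous, current):
    """Return (added, removed, modified) DN sets between two {dn: attrs} snapshots."""
    added = set(current) - set(previous)
    removed = set(previous) - set(current)
    modified = {dn for dn in set(previous) & set(current) if previous[dn] != current[dn]}
    return added, removed, modified

def provisioning_actions(customer, previous, current):
    """Turn a snapshot diff into (action, uid, service) tuples for ITIM to carry out."""
    added, removed, modified = detect_changes(previous, current)
    actions = []
    for dn in sorted(added | modified):
        wanted = entitled_services(customer, current[dn]["type"])
        had = entitled_services(customer, previous[dn]["type"]) if dn in modified else set()
        actions += [("provision", current[dn]["uid"], s) for s in sorted(wanted - had)]
        actions += [("deprovision", current[dn]["uid"], s) for s in sorted(had - wanted)]
    for dn in sorted(removed):  # user left the customer directory: revoke everything
        actions += [("deprovision", previous[dn]["uid"], s)
                    for s in sorted(entitled_services(customer, previous[dn]["type"]))]
    return actions

# Constructed snapshots of the "acme" customer's directory.
BEFORE = {"cn=alice,o=acme": {"uid": "alice", "type": "staff"},
          "cn=bob,o=acme": {"uid": "bob", "type": "contractor"}}
AFTER = {"cn=alice,o=acme": {"uid": "alice", "type": "contractor"},  # alice's type changed
         "cn=carol,o=acme": {"uid": "carol", "type": "staff"}}       # carol added, bob removed

if __name__ == "__main__":
    for action in provisioning_actions("acme", BEFORE, AFTER):
        print(action)
```

Note that a user dropping out of the customer's directory drives deprovisioning on our side, which is exactly the dependency on the customer's directory as the authoritative source that the post goes on to question.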

But what if later on the customer asks us to provide a complete Identity Management solution for them using our existing ITIM? Our relationship with our customers today makes this a likely scenario, since we are already their primary technology service provider. Maybe we would rather handle each customer on an individual basis, doing a separate identity management project for each with separate ITIMs. Or maybe it would be better to architect our ITIM so that, if we do choose to provide Identity Management to the customer sites, we can do it with one big ITIM. This was one of the more complicated discussion items we are pondering. I think more answers will flesh out in the discovery phases of our Identity and Access Management project, but I thought it would be a good discussion item for the blog.
