I've been waist deep in this Identity Management project for the past couple weeks so I haven't posted in a while. So here's what's been happening on that front:
The hardest part about a project like this is the analysis of your applications and network so that you can do proper data modeling and architecture of the solution. We have many different applications scattered all over the WAN and somewhere around 300,000 potential users not including the people outside our network boundaries that might touch an application. While there are many factors leading to how the ITIM organization tree should be defined there are a couple of key questions:
Who will be administering the system? Will you delegate administration to lower levels in the tree? How deep might you do whith that?
Where will roles be defined? Some roles can apply to objects in the subtree where the role exists so depending on how you design the tree could make assigning roles either more or less flexible it seems.
Analyzing applications is enough to give anyone a headache by lunch time...
For the identity and access management system we need to understand a few things about each application:
Who are the users that access your application?
How do they request access to that application and who approves of that access?
Are there different levels of access to the application?
How does that application determine who is in what access level? Groups? Attributes about the user?
Are there any special attributes about a user that the application requires?
Once we start to flesh out and document this information we can beging to do the data modeling - list the attributes and objectclasses we may need to include in the enterprise directory.
For the access management component we will also need to understand what type of application it is. .Net? Java? Mainframe? Is it known to work with Tivoli Access Manager? Is there a Tivoli Identity Manager adapter for it already or will we likely have to develop one? Does the application expose an api so that an adapter can be created for it.
Next week I plan to setup TAM in our sandbox environment so I'm sure to have something to say about how that goes.