Developing IAM: best practices

Here I am going to provide a small set of identity and access management best practices that enterprises can use to better approach new or revised IAM initiatives, which by their nature are often complex and expensive.

Begin with a friendly department: start working with a department already interested in benefits that IAM projects can bring to its applications and look for demonstrable benefits sufficient to show management that the project is delivering value.

Fight for the fewest number of identity repositories: applications, operating systems, portals, and other platforms frequently require multiple directories. Even if converting from one directory product to another may be too expensive, and directory consolidation should not be pursued at the expense of organizational efficiency, it’s important to reduce the number of different identity repositories as much as possible.

Expect to use multiple authoritative sources of user information: as seen above, most enterprises rely on multiple sources of authoritative information, including multiple HR systems for employee profiles, e-mail systems for contact information and CRM applications for customer data. Don’t expect to be able to use a single source.

Deliver IAM solutions through a phased approach: start by selecting a small set of important resources as initial targets in order to accomplish achievable goals and limit complexity. Moreover, try to define a repeatable process that can be used to integrate new resources in the future.

Exploit reduced solutions: when the ideal solution cannot be achieved in the next two or three years, attempt to provide a reduced solution that offers the required functionality only to a politically acceptable level; in most cases such a solution still delivers most of the benefit of the complete one.

Separate enterprise and authoritative repositories: the authoritative repository for user provisioning, which stores profile and access control information about each user, plays a different role from the enterprise directory that authenticates users to different resources. Using a single repository for both will have a negative effect on the performance of both functions.

Carefully select the user-to-role assignment approach: developing a role for every user is not usually a good idea; even if some users will always require unique access, they should be managed as exceptions. Moreover, also be careful when matching business operations with roles: HR titles, roles or job codes are not reliable for most enterprises, because they’re not detailed enough to map to the authorization entitlements used for access control in business applications.

Assign many roles to each user: this approach provides flexibility in role management and aligns authorization entitlements with the different business functions the user performs. When assigning user roles, begin with a high-level set of roles to rapidly achieve automated provisioning, then develop more granular roles over time. Remember to work toward a manageable number of roles, but do not be constrained by a fixed ratio of roles to users.

Define stable interfaces among provisioning steps: one of the most important drivers for IAM deployment is the ability to be flexible and ready to adapt to business changes. Especially in complex environments, it’s important to define stable interfaces among the different steps in the provisioning flow, in order to be able to change the logic of a given step without needing to change the previous or the following one.

Consider external management activities: in an ideal world, the identity management suite would be the only entity able to manage users’ profiles. Unfortunately, we don’t work in an ideal world. When designing your IAM solution, consider the external entities that can change users’ profiles (manual administration, additional provisioning solutions, custom batch jobs, etc.) and evaluate how your system will interact with them.
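As an added example (not from the post or from Gartner), the following Python combines the two points above: each user holds several roles, the expected entitlements are the union of those roles, and a snapshot of one target system is compared against them so that out-of-band changes (a manual grant, an orphan account created by a batch job) surface as drift. Role names, entitlement strings and the sample data are constructed.

```python
# Added example (not from the post): reconcile one target system against the
# authoritative provisioning repository; anything not explained by a role is drift.
from dataclasses import dataclass

# Hypothetical role catalogue: coarse roles first, finer ones added over time.
ROLE_ENTITLEMENTS = {
    "employee": {"mail:mailbox", "intranet:read"},
    "finance-staff": {"erp:gl-read"},
    "finance-approver": {"erp:gl-read", "erp:payment-approve"},
}

@dataclass
class Drift:
    user: str
    unexpected: set  # in target, but not granted by any assigned role
    missing: set     # granted by a role, but absent from the target

    def is_clean(self):
        return not self.unexpected and not self.missing

def expected_entitlements(roles, catalogue=ROLE_ENTITLEMENTS):
    """Union of entitlements over all assigned roles; unknown roles are an error."""
    unknown = [r for r in roles if r not in catalogue]
    if unknown:
        raise KeyError(f"unknown roles: {unknown}")
    return set().union(*(catalogue[r] for r in roles))

def reconcile(authoritative, target, system, catalogue=ROLE_ENTITLEMENTS):
    """authoritative: {user: [roles]}; target: {account: {entitlements}} as read
    from one system. Only entitlements prefixed '<system>:' are compared."""
    prefix = system + ":"
    findings = []
    for user, roles in authoritative.items():
        want = {e for e in expected_entitlements(roles, catalogue) if e.startswith(prefix)}
        have = set(target.get(user, ()))
        drift = Drift(user, have - want, want - have)
        if not drift.is_clean():
            findings.append(drift)
    for orphan in target.keys() - authoritative.keys():  # accounts with no owner
        findings.append(Drift(orphan, set(target[orphan]), set()))
    return findings

# Constructed sample data: HR-fed role assignments and a snapshot pulled from the ERP.
AUTHORITATIVE = {"alice": ["employee", "finance-staff"],
                 "bob": ["employee", "finance-approver"]}
ERP_SNAPSHOT = {"alice": {"erp:gl-read", "erp:payment-approve"},  # approve granted by hand
                "bob": {"erp:gl-read", "erp:payment-approve"},
                "svc-legacy": {"erp:gl-read"}}  # created by a custom batch job
```

Running `reconcile(AUTHORITATIVE, ERP_SNAPSHOT, "erp")` reports alice's hand-granted approval right and the ownerless svc-legacy account, while bob, whose access is fully explained by his roles, produces no finding.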

Engage system integrators for major efforts: large-scale IAM projects inevitably involve business processes more than they do technology. Enterprises with limited IAM project experience, whether with processes or with technologies, should rely on experienced integrators.

Thanks to “Developing IAM Best Practices” by Gartner Research for some good hints.
