I would like to congratulate Ian Glazer on his new position at the Burton Group. Ian has been in the IdM business a long time (we both worked for Access360 albeit on different coasts) and knows this space well.
In his first post on the Burton Group IAM blog, he points out that enterprises should not wait until they are ready to tackle roles before they start a provisioning effort:
To close, keep in mind that both role management and user-provisioning efforts can be done in parallel and each will find benefit in the other as they mature. Provisioning requires an understanding of process and procedure, role management an understanding of relationships and responsibilities. To be successful with either, clear scoping and small iterative projects as part of an overall well governed program are advised to ensure current success and future growth.
I couldn’t agree more. Role management and provisioning are separate efforts that can benefit each other, but have sufficient business value on their own to be worth doing. Perhaps there is a variation on the Deming Cycle for the interaction between a provisioning and role management effort. Instead of Plan, Do, Check, Act it could (from the provisioning side) be:
- Refine provisioning policies (Plan)
- Reconcile accounts (Do)
- Send the deltas to the role management system (Check)
- Mitigate deltas (Act)
But if your enterprise isn’t ready to do role management at all, there is at least one role that every employee holds and that can be used to determine when their accounts (and other resources) should be deprovisioned: Employed. In other words, you should at a minimum have a provisioning system in place that deprovisions all accounts for a user when HR tells you they are no longer with the company. Note that deprovisioning doesn’t mean delete, although it could in some cases. Usually it means suspend until the account is either reactivated or deleted.
Almost all provisioning systems today have a means to discover existing accounts on target systems and reconcile them with known identities. So even if you can’t yet provision users with your provisioning system, you should at least use it to deprovision them.
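As an added illustration (not code from the post or from any product it mentions), here is a minimal reconciliation pass in Python: it matches discovered accounts against a constructed HR feed keyed by employee id, marks still-active accounts of people HR no longer lists as employed for suspension rather than deletion, and reports accounts with no matching identity as deltas for the role management side to review. The HR feed, the account list and the employee-id correlation key are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    NONE = "none"        # identity still employed, nothing to do
    SUSPEND = "suspend"  # owner left: suspend, do not delete
    ORPHAN = "orphan"    # no matching identity: delta for role mgmt review


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner_id: Optional[str]  # correlation key into the HR feed; may be missing
    status: str              # "active" or "suspended"


# Constructed sample HR feed: employee id -> currently employed?
HR_FEED: Dict[str, bool] = {"e100": True, "e101": False, "e102": True}

# Constructed sample of accounts discovered on target systems
DISCOVERED: List[Account] = [
    Account("ad", "jdoe", "e100", "active"),
    Account("ad", "asmith", "e101", "active"),
    Account("sap", "asmith", "e101", "suspended"),   # already handled earlier
    Account("unix", "svc_backup", None, "active"),   # no owner recorded
    Account("unix", "bjones", "e999", "active"),     # owner unknown to HR
]


def reconcile(accounts: List[Account], hr_feed: Dict[str, bool]) -> Dict[Tuple[str, str], Action]:
    """Decide, per (system, login), what the 'Employed' check requires."""
    decisions: Dict[Tuple[str, str], Action] = {}
    for acct in accounts:
        key = (acct.system, acct.login)
        if acct.owner_id is None or acct.owner_id not in hr_feed:
            decisions[key] = Action.ORPHAN
        elif not hr_feed[acct.owner_id] and acct.status == "active":
            decisions[key] = Action.SUSPEND
        else:
            decisions[key] = Action.NONE
    return decisions


def deltas(decisions: Dict[Tuple[str, str], Action]) -> List[Tuple[str, str]]:
    """Everything that is not a no-op is a delta to act on or hand to role management."""
    return sorted(k for k, a in decisions.items() if a is not Action.NONE)
```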
Dave Kearns adds his thoughts here.