
Metadirectory, provisioning vendors need shotgun wedding


Using a combination of metadirectory, provisioning and security administration products, you can implement identity management and role-based access control across various computing environments. But doing so may require orchestrating a shotgun wedding among the different vendors.

Recent products from vendors such as Access360 and Business Layers have raised questions about the appropriate roles of metadirectory services and provisioning systems, and whether these tools should form two product categories or one. Access360's enRole and BusinessLayers' eProvision are offshoots of security administration products such as Computer Associates' eTrust series and IBM's Tivoli. But whereas the older products were mainframe-based, providing centralized account administration and role-based access control by manipulating data in Unix, the newer products have a directory- and workflow-enabled architecture. And with directory enablement, Access360 and BusinessLayers come close to inventing a low-end metadirectory capable of managing identity data in a centralized manner through account administration.

However, only metadirectories such as Critical Path's InJoin, iPlanet's MetaDirectory, Microsoft's MSS, Novell's DirXML and Siemens' MetaHub support a "join" feature. With join, identities can be created, merged and maintained from such fragmentary evidence as a "Daniel J. Blum" record in human resources, a "dblum" account in the network operating system and a "Daniel.Blum" mailbox in the e-mail directory. But in communicating with other systems, most metadirectories deal with higher-level APIs that don't enable password synchronization.
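The join described above, as an added example that is not from the column or from any of the named products: a minimal join pass over constructed records, assuming hypothetical matching rules (first initial plus surname for the network account, first.last for the mailbox). Accounts with no owner or with more than one possible owner go to a review queue rather than being joined automatically.

```python
from collections import defaultdict

# Constructed sample data modeled on the column's example; not from any product.
HR = [
    {"emp_id": "E1001", "name": "Daniel J. Blum"},
    {"emp_id": "E1002", "name": "Maria Ortiz"},
    {"emp_id": "E1003", "name": "Mark Ortiz"},
]
NOS_ACCOUNTS = ["dblum", "mortiz", "svc_backup"]
MAILBOXES = ["Daniel.Blum", "Maria.Ortiz", "Mark.Ortiz"]


def candidate_keys(full_name):
    """Derive the join keys an HR name could map to in each system (assumed rules)."""
    parts = full_name.lower().replace(".", "").split()
    first, last = parts[0], parts[-1]
    return {"nos": first[0] + last, "mail": f"{first}.{last}"}


def join(hr, nos_accounts, mailboxes):
    """Return (identities, review): joined records and entries needing a human."""
    # Index every key each HR record could claim, per target system.
    owners = {"nos": defaultdict(list), "mail": defaultdict(list)}
    for rec in hr:
        for system, key in candidate_keys(rec["name"]).items():
            owners[system][key].append(rec["emp_id"])

    identities = {r["emp_id"]: {"name": r["name"], "nos": None, "mail": None}
                  for r in hr}
    review = []
    for system, entries in (("nos", nos_accounts), ("mail", mailboxes)):
        for entry in entries:
            claimants = owners[system].get(entry.lower(), [])
            if len(claimants) == 1:
                identities[claimants[0]][system] = entry
            else:
                # Orphan (no owner) or collision (several owners): never auto-join,
                # since a wrong join hands one person another person's account.
                review.append((system, entry, claimants))
    return identities, review
```
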

Directory-enabled provisioning products take a different approach. They include a built-in workflow engine for managing changes associated with adding or deleting users and revising roles, enabling role-based access control. Provisioning products can also use connector agents to dig into each computing environment's security APIs, enabling password synchronization.

So far vendors have made little effort to bridge the chasm between metadirectory and provisioning products. With its XML-based architecture and Novell Directory Services account management solutions, Novell has come closest to providing the best of both worlds. Critical Path and iPlanet have partnered with Access360. Access360 and BusinessLayers plan XML interfaces that can be used to create automated, interoperable communications between a metadirectory's join engine and the provisioning system. These efforts must continue and accelerate.

The bottom line is that while metadirectory and provisioning tools are powerful, they are poorly integrated with one another. To achieve the Holy Grail of identity management and role-based access control, you must become your own integrator. Be sure to request plenty of time from upper management for upfront planning and design, as well as a large budget. More importantly, be careful to manage expectations as you launch ambitious identity and access management projects incorporating multiple integration technologies.

Blum is a senior vice president and principal consultant with The Burton Group, an IT advisory service providing in-depth analysis for network planners. He can be reached at dblum@tbg.com.
