By far the most enjoyable session I viewed at the recent Identity and Access Management conference in Sydney, Australia was the one presented by Michael Glasson, manager of IT security for the Australian government's Department of Employment and Workplace Relations (DEWR).

Glasson designed the security architecture for DEWR's Job Network application (also called EA3000) and supervised the design of the agency's multiple Windows 2000 Active Directory installations.  He also created a federated identity system to support Centrelink (Australia's national welfare agency) users' interaction with DEWR systems and the replacement of DEWR's mainframe security system with one based on Active Directory. Yet, he remains even-tempered, mild-mannered and jovial. Or maybe he's just bemused.

Glasson's session was called "Decentralizing User Administration and Provisioning" and documented how his organization, which has to work with hundreds of third-party contractors throughout the country, has decentralized user management within a hierarchy of both government-employed administrators as well as outsourced ones. By "user administration" (what we've been calling User Management), Michael means:

* Creating an identity for a person.
* Giving the identity the right access roles.
* Replacing a forgotten password.
* Moving a user from one location to another.
* Retiring the identity when it is no longer required.

Here was the situation: a large government agency contracts with over 600 private employment agencies with over 2,000 office locations countrywide to assist in finding jobs for unemployed citizens. The citizens are the users who need to have their identities (and accounts) managed. Glasson said DEWR quickly decided on a decentralized model for the following reasons:

* Delegated user administration places the responsibility for specific tasks in the hands of the provider.
* Delegated administration contrasts with centralized administration in which the system user requests that a task be carried out, but the system owner retains the authority and the decision-making role.
* Delegation allows providers to perform all tasks using an online system, avoiding the delays and errors associated with a paper-based system.
* The provider may develop and exploit its internal administration systems to do identity management.
* Transfers costs (of a more efficient total system) to the system users.
* Allows users to choose between online and paper-based identity.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.