Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
The messiest part of any job is usually the cleanup. Think about what your kitchen looks like after a festive holiday meal. Or Main Street after the horse brigade marches in the annual parade. But in the field of identity management, often the messiest part of the job comes at the very beginning.
I say the beginning, because before embarking on a major identity management project you would be well-advised to first clean up your user records. In a paper sent to banking officers, Deloitte Canada said: "If you are like other financial institutions of your size, you have about 100,000 active login credentials that you cannot match to a person."
Eurekify Founder Ron Rymon shared with me the results of a survey at one enterprise, which found that there were more than 450,000 user accounts (including system accounts and "generic" accounts) of which almost 114,000 were no longer needed or required major changes in access rights. That's roughly 25% of all accounts! Most troubling to me was that 73% of remote access accounts fell into the "problem" category.
It was just over three years ago (see "E-provisioning's dirty little secret") that I first mentioned this problem and it saddens me to see that it still is a problem. And, unfortunately, it's still a messy job.
Eurekify's Sage is one tool that can help with the cleanup effort (which is probably why Rymon wanted to point out those numbers to me!). There are others, and your provisioning vendor (Sun, Courion, Oracle, Novell, M-tech and more) should be able to either provide a tool or connect you to a vendor with a tool that can aid in the account cleanup.
But cleaning up accounts - that is, matching the account name "jdoe" with "jane.doe" and "janed" - is only part of the solution.
You also need to clean up the authorizations and privileges, especially those that have "accreted": gradually built up over time, but never removed. Sage and other role-mining or privilege-mining tools can also help with this process. It goes beyond finding the related accounts and builds up a privilege profile of the accounts over all resources on the network.
Without this messy but essential cleanup operation, your identity management project is at best headed for a lengthy, oft-delayed rollout, and it could very well be doomed to ultimate failure as the system breaks down repeatedly to accommodate manual manipulation of accounts and privileges.
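As an added illustration of the account matching and privilege review described above (example code written for this column, not Sage or any provisioning vendor's tool), the script below correlates logins to a constructed HR directory using common login naming conventions, groups the "jdoe" / "jane.doe" / "janed" style accounts under one person, lists accounts that match nobody, and flags privileges sitting on long-idle accounts as accretion candidates. The employee records, accounts, privileges and the 180-day idle threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed HR directory: employee id -> (first name, last name).
PEOPLE = {"E100": ("Jane", "Doe"), "E101": ("John", "Smith")}

# Constructed account inventory: (system, login, privileges, days since last login).
ACCOUNTS = [
    ("AD",  "jdoe",      {"vpn", "fileshare"},      3),
    ("HR",  "jane.doe",  {"payroll_read"},          10),
    ("ERP", "janed",     {"gl_post", "gl_approve"}, 400),
    ("AD",  "jsmith",    {"vpn"},                   5),
    ("ERP", "svc_batch", {"gl_post"},               1),
    ("VPN", "bob",       {"vpn"},                   900),
]

def name_patterns(first, last):
    """Login forms an organisation commonly derives from a person's name."""
    f, l = first.lower(), last.lower()
    return {f[0] + l, f + "." + l, f + l[0], f + l, l + f[0]}

def correlate(people, accounts):
    """Map (system, login) to an employee id; None means no person matched.
    If two people produce the same pattern the later one wins, so a real
    cleanup would also check HR system, department or e-mail to break ties."""
    index = {pat: emp for emp, (fn, ln) in people.items()
             for pat in name_patterns(fn, ln)}
    return {(sys, login): index.get(login.lower()) for sys, login, _, _ in accounts}

def cleanup_report(people, accounts, stale_days=180):
    """Orphan accounts, idle accounts, and privileges that accreted on them."""
    owner = correlate(people, accounts)
    by_person = defaultdict(list)   # the jdoe / jane.doe / janed grouping
    accreted = defaultdict(set)     # rights nobody has exercised recently
    for sys, login, privs, idle in accounts:
        emp = owner[(sys, login)]
        if emp is not None:
            by_person[emp].append(login)
        if idle > stale_days:
            accreted[emp or "orphan:" + login] |= privs
    return {
        "orphans": [k for k, emp in owner.items() if emp is None],
        "stale": [(s, l) for s, l, _, idle in accounts if idle > stale_days],
        "accreted": dict(accreted),
        "by_person": dict(by_person),
    }

if __name__ == "__main__":
    for key, value in cleanup_report(PEOPLE, ACCOUNTS).items():
        print(key, value)
```

Service accounts such as "svc_batch" land in the orphan list by design: they need an explicit human owner recorded before they can be excluded from the "cannot match to a person" count.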
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (1)
The messiest part of identity management
By phume on January 15, 2007, 4:56 pm
I wholeheartedly agree with Dave's efforts to bring attention to the problem of identity data quality. He has been a leader in this regard. However, it is not true...