
A wee drop of DEWR’s

Apr 19, 2004
Access Control | Enterprise Applications

* Australian government agency gets decentralized

By far the most enjoyable session I viewed at the recent Identity and Access Management conference in Sydney, Australia was the one presented by Michael Glasson, manager of IT security for the Australian government’s Department of Employment and Workplace Relations (DEWR).

Glasson designed the security architecture for DEWR’s Job Network application (also called EA3000) and supervised the design of the agency’s multiple Windows 2000 Active Directory installations. He also created a federated identity system to support Centrelink (Australia’s national welfare agency) users’ interaction with DEWR systems, and oversaw the replacement of DEWR’s mainframe security system with one based on Active Directory. Yet he remains even-tempered, mild-mannered and jovial. Or maybe he’s just bemused.

Glasson’s session was called “Decentralizing User Administration and Provisioning” and documented how his organization, which has to work with hundreds of third-party contractors throughout the country, has decentralized user management within a hierarchy of both government-employed and outsourced administrators. By “user administration” (what we’ve been calling User Management), Michael means:

* Creating an identity for a person.

* Giving the identity the right access roles.

* Replacing a forgotten password.

* Moving a user from one location to another.

* Retiring the identity when it is no longer required.

Here was the situation: a large government agency contracts with over 600 private employment agencies with over 2,000 office locations countrywide to assist in finding jobs for unemployed citizens. The citizens are the users who need to have their identities (and accounts) managed. Glasson said DEWR quickly decided on a decentralized model for the following reasons:

* Delegated user administration places the responsibility for specific tasks in the hands of the provider.

* Delegated administration contrasts with centralized administration in which the system user requests that a task be carried out, but the system owner retains the authority and the decision-making role.

* Delegation allows providers to perform all tasks using an online system, avoiding the delays and errors associated with a paper-based system.

* The provider may develop and exploit its internal administration systems to do identity management.

* It transfers the costs (of a more efficient total system) to the system users.

* It allows users to choose between an online and a paper-based identity.

It’s more efficient, it costs less and those costs are more evenly distributed. No wonder Glasson retained his joviality.

DEWR’s technology partner throughout this implementation was Netegrity, which thought so highly of the project that it commissioned a case study. That report is now available for you to read and learn from. Download it from (unfortunately it’s a PDF file), and then see if some of the lessons learned could be applied to your own user management project.

Blatant Self Promotion: The first chapter of my new, free, electronic book “Administrator Shortcut Guide to User Management and Provisioning” (published by Realtime Publishing and sponsored by Abridean) is now available. Head over to and read all about it.