E-provisioning’s dirty little secret

Jun 09, 2003 (3 mins)
Access Control, Enterprise Applications

* First rule of e-provisioning is to 'cleanse' your data

It was just four years ago that I was strolling through “Start-up City” at NetWorld+Interop Atlanta in 1999 and stumbled across a new company, Business Layers, touting a brand new application called “eProvision Employee.” I was intrigued, and I had a few minutes to kill. I fell in love. Here was the application that could finally bring directory services and identity management into the mainstream.

In the intervening years I’ve often written about electronic provisioning. I’ve preached about it whenever someone will give me a little space and an audience. I’ve proclaimed the wonders and the benefits of e-provisioning, the seemingly impossible combination of reduced cost with increased productivity.

What I didn’t mention, because it would just discourage you from even trying an e-provisioning solution, was that running e-provisioning applications was the easy part. The hardest part was the slow slog of manual data gathering, analysis and normalization you needed to do even before you begin to deploy the provisioning application.

I can mention it now, because there’s hope on the horizon for a better way to handle this onerous task.

Consider that those who benefit most from e-provisioning are those who have the greatest variety of identity repositories. If you only have one directory system and all of your network, e-mail and Web accounts are tied to it, then you really don’t need to spend big bucks for e-provisioning. On the other hand, those with 100+ data repositories, authentication points and authorization methods need to have the e-provisioning software already in place. But first you have to “cleanse” your data.

Cleansing the data means gathering all the object IDs into one list and finding which refer to the same physical thing (user, printer, router, etc.). Do Jjones, Joe_Jones and JDJonesJr all refer to one person? Two people? Or even three people? How many of these data repositories have references to your company, client companies and suppliers? Are they all spelled correctly? Are the addresses and phone numbers identical? Is there a scheme for identifying printers and their locations? Do you differentiate between locations when a user logs in either locally or remotely? Are there “role” accounts (Administrator, Buyer, Helpdesk, etc.) as well as individual accounts?
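An added example, not from the original column or from any e-provisioning product: one way to run the first cleansing pass described above, pooling account IDs from several repositories, setting role accounts aside, and grouping IDs that may belong to the same person. The repository names, the suffix list and the "first initial plus surname" matching rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: (repository, account ID). Repository names are hypothetical.
ACCOUNTS = [
    ("ldap", "Jjones"), ("mail", "Joe_Jones"), ("hr_db", "JDJonesJr"),
    ("ldap", "msmith"), ("web", "Mary.Smith"),
    ("ldap", "Administrator"), ("web", "helpdesk"),
]
ROLE_NAMES = {"administrator", "buyer", "helpdesk"}  # role accounts named in the column
SUFFIXES = {"jr", "sr"}  # assumption: generational suffixes to ignore when matching

def match_key(account_id):
    """Return (first initial, surname guess), or None for a role account."""
    if account_id.lower() in ROLE_NAMES:
        return None
    # Split on separators and capital letters: "JDJonesJr" -> J, D, Jones, Jr
    tokens = [t.lower() for t in re.findall(r"[A-Z][a-z]+|[A-Z]|[a-z]+", account_id)]
    while len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    if not tokens:
        return ("?", account_id.lower())  # nothing alphabetic: keep it on its own
    if len(tokens) == 1:
        # "jjones" style: assume first letter is an initial, rest is the surname
        return (tokens[0][0], tokens[0][1:])
    return (tokens[0][0], tokens[-1])

def correlate(accounts):
    """Group accounts into review candidates; list role accounts separately."""
    groups, roles = defaultdict(list), []
    for repo, account_id in accounts:
        key = match_key(account_id)
        if key is None:
            roles.append((repo, account_id))
        else:
            groups[key].append((repo, account_id))
    # Only keys seen under more than one ID need a human decision.
    candidates = {k: v for k, v in groups.items() if len(v) > 1}
    return candidates, roles

if __name__ == "__main__":
    candidates, roles = correlate(ACCOUNTS)
    for key, members in candidates.items():
        print("review: same person?", key, members)
    print("role accounts:", roles)
```

A shared key only nominates IDs for review; whether they are one, two or three people still has to be settled against a second attribute or by someone who knows the accounts.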

So many questions, so much data, so many decisions to make. Anyone who has implemented an e-provisioning application will tell you that it seems to take forever to cleanse the data. But you still aren’t halfway home because you still have to construct policies to govern the distribution of authorizations and data dispersal.

It seems like a daunting task because it is a daunting task – but I wouldn’t be mentioning it unless I had a suggestion for a way to reduce the drudgery, and I do. Come back next issue and I’ll tell you all about it.