Novell has finally released its Identity Manager 3.6 with integrated role management. There are two points of view on this new feature:
In comparison to the integrated role management functionalities of other provisioning solutions.

• In comparison to the role management products out of the greater GRC market segment, including the business role specialists, GRC apps like SAP GRC Access Control or Identity Risk Management solutions.
• Both are valid approaches, like I’ve written in my other post from today. But it has to be kept in mind that you can’t solve every requirement with one solution – there are some which are best tackled with integrated role management and others which require a solution on top.

The implementation of Novell is pretty good in several areas, but there are also some missing elements. To start with the shortcomings: For example attestation isn’t really solved (by the way attestation is something which requires multiple levels), there are only a few standard reports and defining new approval workflows and making other more fundamental changes requires the not-that-easy-to-use Designer for Identity Manager. Designer for Identity Manager definitely is a great tool, but you really need to invest some time to understand the tool and its concepts.

The positive things are a flexible role model, integrated SoD rules (Segregation of Duties), a flexible concept with roles, policies and workflows which can be easily combined (given that you use the standard workflows or have managed to create new ones with the Designer), and an improved self-service interface, the user application which now is much more mature than for example in Identity Manager 3.0-days.

Thus, Novell has, with its first release, created a role management module which is good while there are better solutions in some (few) other provisioning products. But there is still a lot of work to do for Novell to become leading-edge in the provisioning quadrant. Compared to the GRC tools the dependency to a technical provisioning tool, even with the pretty easy user application, will always be a hurdle. Thus, Novell is competitive in the provisioning segment – but you still have to consider whether that is the right place for your role management (like with any other provisioning product).

Today, provisioning is the core element of Identity Management. Most of the products which are usually named “Identity Manager” are built around provisioning, with more or less additional features. But will that be still the case some three years from now? There are several trends which will influence provisioning significantly. The most important ones are

• Reuse of existing IT infrastructure components
• Business Role Management
• Enterprise Information Management

These trends will influence the market. One important area is the reuse of existing IT infrastructure components. There are clear advantages of using a standard workflow and business process management instead of proprietary implementations in provisioning products. For example processes can be better managed, integrated with existing supply chains and easily transferred to other systems.

Read the rest of this entry »

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality - and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

1. The increasing complexity: Thus it really make sense to create more and more complex products?
2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed - and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.