Attributes instead of Roles – or better Roles and Attributes?

04.02.2014 by Martin Kuppinger

A recent discussion in the “Identity Management Specialists Group” on LinkedIn had the title “On point. Agree. Gartner says attributes are the new role for identity?”

I wondered a little about a rather old discussion appearing again. In fact, there rarely has been pure role-based access control. On the other hand, roles are one of the most important, if not the single most important attribute in attribute-based access control. There is no conflict, but we are just looking at the natural evolution.

I commented on another of these discussions nearly two years ago in another post. If you want more detail, have a look at the podcast recording of the KuppingerCole Webinar “Enterprise Role Management Done Right: Build the Bridge between Business and IT”.

We clearly will need some kind of abstraction – we might call that roles or something else. But clearly, the discussion about “attributes instead of roles” is an artificial one, miles away from practical experience and use cases.


Why is IBM TIM 5.1 just a minor release?

24.06.2009 by Martin Kuppinger

IBM yesterday has announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question like me: Why is it only version 5.1, e.g. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). With other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.

So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM in fact has tied in that area.

Much more interesting is the addition of PIM capabilities to a provisioning solution. Even while not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market who delivers an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.

With these additions, IBM would have gould reasons to name the release of TIM as version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.

However, IBM shows that they are intensively acting to improve their positioning in the IAM and GRC market space. Being one of the first big companies which had entered that market, there hasn’t been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…) IBM might even further improve its positioning.


Lean Enterprise Role Management

28.01.2009 by Martin Kuppinger

Role Management projects sometimes are stated as too complex. Yes, there are projects which failed due to their complexity. On the other hand, a recent Kuppinger Cole report based on a survey proves that the average number of business roles is relatively small. On the other hand, the complexity of role models for specific system environments (even SAP) is manageable. Thus, defining and implementing role models with multiple layers can be done – and it can be lean.

The keys, from my perspective, are the use of multiple clearly defined, separate layers of roles, defined responsibilities for roles within a role lifecycle management approach, and a separation of the overall project into different projects for business roles, IT-functional roles and the role models of different systems. There are some other best practices. Anyhow, it is obvious that managing a few Hundred or, at the system level in some cases even some few Thousand roles is much easier than managing all the single entitlements at the system level we are dealing with today. Role Management can be lean. And you can learn more about this in a webinar we will do tomorrow together with some of the vendors in the role management market.

By the way: The emerging market of vendors with strong role management capabilities underlines that role management isn’t too complex. There are many vendors out there which have successfully deployed role management implementations, either as part of specific role management products or as part of their GRC or IAM products.


There is no role management market – there is a GRC market

10.04.2008 by Martin Kuppinger

For some time I planned to write a report on the segmentation of the role management market. There are many different offerings for role management which all use the same buzzwords but provide pretty different solutions. But I decided not to write this report – just because there is no role management market. It might appear that such a market segment exists. But in fact it is just a part of a larger market segment, the GRC (Governance, Risk Management, Compliance) market.

The GRC market, on the other hand, appears today as a very fragmented market, with a broad range of solutions and tools. Without telling on everything my upcoming report on the structuring of the GRC market will include, there are at least two levels of distinction between the offerings in the market. The first is around the general level, where you find methodologies, pre-defined solutions (for example rule sets for specific applications and compliance regulations which can’t be applied easily to other threats) and tools.

Within the tools, there appear, amongst others, the vendors of role management solutions. I personally define five core functionalities for GRC tools:

  • Analysis of entitlements and Reporting
  • Attestation – should, by the way, be multi-layered
  • Authorization Management, including SoDs (Segregation of Duties) and, in general a policy/rule definition and enforcement for entitlements 
  • Risk Management, including Risk Modeling and Analytics
  • Role Management

Within these functionalities, the management of roles is the centre, because the other features rely on this. Workflow features – best solved with the choice between internal and external workflows – are mandatory.

Currently there is no vendor who provides the entire big picture on a high level. But it is obvious that many vendors are working on this picture and are delivering more and more parts of the puzzle.

By the way – based on these tools there probably will be a solution market again which provides pre-defined implementations for specific industries or regulations.

This view gives as well an answer to the question whether GRC shall be limited to IAM. No, it is a broader market. IAM delivers to GRC solutions. But GRC is sort of a bracket across the entire IT infrastructure, building a bridge between IT and business. Thus GRC is going well beyond IAM, even while many of today’s IAM solutions can (help to) solve GRC threats and even while there won’t be a successful enterprise GRC implementation without a strong IAM foundation.


Novell releases Identity Manager 3.6 with role-based provisioning module

18.03.2008 by Martin Kuppinger

Novell has finally released its Identity Manager 3.6 with integrated role management. There are two points of view on this new feature:
In comparison to the integrated role management functionalities of other provisioning solutions.

  • In comparison to the role management products out of the greater GRC market segment, including the business role specialists, GRC apps like SAP GRC Access Control or Identity Risk Management solutions.
  • Both are valid approaches, like I’ve written in my other post from today. But it has to be kept in mind that you can’t solve every requirement with one solution – there are some which are best tackled with integrated role management and others which require a solution on top.

The implementation of Novell is pretty good in several areas, but there are also some missing elements. To start with the shortcomings: For example attestation isn’t really solved (by the way attestation is something which requires multiple levels), there are only a few standard reports and defining new approval workflows and making other more fundamental changes requires the not-that-easy-to-use Designer for Identity Manager. Designer for Identity Manager definitely is a great tool, but you really need to invest some time to understand the tool and its concepts.

The positive things are a flexible role model, integrated SoD rules (Segregation of Duties), a flexible concept with roles, policies and workflows which can be easily combined (given that you use the standard workflows or have managed to create new ones with the Designer), and an improved self-service interface, the user application which now is much more mature than for example in Identity Manager 3.0-days.

Thus, Novell has, with its first release, created a role management module which is good while there are better solutions in some (few) other provisioning products. But there is still a lot of work to do for Novell to become leading-edge in the provisioning quadrant. Compared to the GRC tools the dependency to a technical provisioning tool, even with the pretty easy user application, will always be a hurdle. Thus, Novell is competitive in the provisioning segment – but you still have to consider whether that is the right place for your role management (like with any other provisioning product).


One size fits all?

30.01.2008 by Martin Kuppinger

One trend observed is that the so called “Identity Managers”, e.g. the provisioning products, are constantly growing in functionality – and complexity. This isn’t surprising. There is strong competition between vendors and thus many vendors try to add all the functions which are offered by other vendors. The customers as well expect very complete products. But there are two things which should let us think about this strategy:

  1. The increasing complexity: Thus it really make sense to create more and more complex products?
  2. The still existing weaknesses: In many areas there are better solutions available as separate products than are implemented in most or all provisioning products. Have a look at business role management, GRC (Governance, Risk Management, Compliance) functionality, or workflows.

Besides this, there is not just one user group which has to deal with identity management. There are departmental managers which have to do some attestation and to invoke workflows. There are the persons which act as interface between IT and the rest of the organization which, for example, have to deal with the translation of business roles into system roles. There are technical administrators of the connected systems. With other words: There are several levels within the organization which have to be adressed – and there are several technical layers.

I personally don’t believe that more and more complex provisioning products are the best answer for the customer’s requirements. In contrast, a modular approach with defined interfaces and defined responsibilities would suit much better in most cases, especially in the larger companies. For smaller companies, a one-stop-solution might be appropriate. But in that case it has to be one which is pre-configured and easy to use, something which isn’t delivered today.

My expectation is that the market will change, with vendors who offer modular solutions (or just some modules) in a service-oriented architecture and others, who focus on the midsize market with integrated products. But todays approach to put more and more functionality (business role management, auditing,…) into a technical product will fail. Like yesterdays “Enterprise Systems Management Frameworks” have failed.


Sun is back…

15.11.2007 by Martin Kuppinger

It has been quiet around Sun Microsystems at least in the IAM space for some time. Being one of the companies pushing the market some four years ago, especially with their Waveset acquisition, there hasn’t been that much news for some time. For sure there were still a lot of improvements in the product. But other vendors like Oracle and SAP have had much more attention – especially due to their acquisitions. And some interesting things Sun has done like their early entry into the audit space or their virtual directory technology never obtained much attention, for different reasons.

The audit capabilities, for some time now part of the Sun Identity Manager, probably came a little bit to early. The virtual directory technology, on the other hand, is part of the Sun Directory Server and thus not a real competitive product to the standalone solutions in the market. From my perspective, Sun should decouple these products.

But back to the silence around Sun – it ended yesterday. Or, to be honest, it ended some days ago when the rumors around the planned acquisition of Vaau became more frequent. Yesterday the official information about that deal was released. Sun invests in the IAM space – and aquiring in the role management space for sure is a good thing today in these days because role management is one of the most important areas of the IAM space. Sun increases its competitive positioning with Vaau. That’s a good signal – for Sun as well as for the market, because more competition is always positive for the customers.

For sure we will have to observe the integration of Vaau technology into the Sun IAM portfolio. But with its audit capabilities, with Vaau and with being amongst the first vendors to support the new web service interfaces of SAP GRC Access control, Sun is definitely back and working on its positioning in the IAM space. So they are not only one of the early innovators, but they appear to be back in track for a leading position in the market also for the next years.


Enterprise Information Management

22.10.2007 by Martin Kuppinger

In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.

It starts with today’s IAM, which is sort of “Identity Management for Administrators”, e.g. solving mainly technical issues in synchronizing information, with support for single sign-on or with provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspect like Application Security Infrastructures. Many vendors are working on a service layer or the integration of business applications with their IAM products.

Read the rest of this entry »


Not invented here…

19.10.2007 by Martin Kuppinger

SAP tends to talk about its concept of business-driven Identity Management in these days and claims this to be a new approach. But honestly – neither the term nor the concept are really new (but valid). Business-driven Identity Management in SAP’s vision is role-based. Based on business roles, to clarify this, not on the technical system roles SAP supports today in its different business systems.

There is no doubt that business roles are becoming more and more important for IAM. SAP supports them today in its GRC Access Control product. SAP NetWeaver Identity Management in the current and near-term releases will use a separate role management approach. That might, from my opinion, change over time due to the fact that the integration between SAP GRC Access Control and SAP NetWeaver Identity Management is one of the major points on the SAP roadmap.

There are two things I’d like to add. First of all, what SAP delivers today in SAP NetWeaver Identity Management is a first step towards the right direction but definitely not the leading business role management approach in the IAM space. Second, business-driven IAM doesn’t end with business role management. In my vision for the evolution of IAM there is much more business control of information through the user, centered around “information objects” and the identities. I’ve talked about that in some of our webinars and will, probably by the end of November, write a report on this vision and the things I observe in the industry – and probably I will write a little about this in my blog even before publishing the report.


Services
© 2014 Martin Kuppinger, KuppingerCole