Saturday, August 10, 2013

Nothing is scarier than a business user with a credit card - collaboration

Over the last couple of months there have been some interesting discussions about the ability of the NSA to get access to all kinds of data that enterprises put in the hands of US based IT firms. The discussion itself is not new, as the same kinds of worries have been raised about data entrusted to entities in countries such as China. Most companies outside the sectors that work with technology or other information that is considered vital for national security are usually more concerned that the Chinese authorities will leak the information to Chinese competitors than about the fact that the Chinese authorities have the info.

Could the same thing happen in the US? I would say perhaps, so perhaps it is time to consider alternatives to sending all your docs to a US based company if you yourself are not US based.

Back in the old days, when IT actually was in control of IT systems, it was possible to stop the business from utilizing useful services such as Dropbox to share documents. Today this is largely no longer true, as any middle manager in the business who believes that the lack of a good document sharing solution is holding his team back can simply use his credit card to buy some space at Dropbox or Google Drive and then expense the cost just as he would expense a hotel room or a flight. This means that IT has to offer a collaboration platform that is as good, will be ready in days or at worst weeks rather than months, and shouldn't cost much more than the SaaS option. If the business perceives that you can't deliver fast enough, the credit card comes out and there is usually very little IT can do to stop them.

There are a number of pages, such as Prism Break, that list different open source alternatives, but sometimes you have a specific need and not the time and resources to find, customize and implement an open source solution.

When it comes to collaboration the classical choices are SharePoint or some enterprise file share portal such as Axway with web and SFTP interfaces. Either of these options can be used to build very competent solutions but neither is really fast or cheap. There are some quite interesting new products in the marketplace that fit between the pure SaaS offerings and the traditional enterprise collaboration platforms. One such product is called Anchor and is marketed by Cloud Distribution in the Nordic and UK regions.

I have been playing around with an installation for a week and overall it looks like a very useful product for the SMB segment. Anchor gives you Dropbox/Google Drive like web file management capability as well as an app that enables automated file system level sync on most platforms including smartphones (not on Chromebook, sigh). It also offers automated backups.

Anchor has a quite nice user interface that makes it easy to set up user accounts as well as guest accounts. There is also good out of the box reporting and a lot of advanced features. There is even an AD sync option and remote wipe functions for the smartphones. The product does not support things like UMA, OAuth or OpenID Connect, which may be useful for companies that like to live close to the edge of what is technologically possible, but for 98% of the SMB market that just isn't needed at this point.

If you don't have an agile collaboration solution in place and you feel that your business would benefit from one, or at least the business perceives that they need one, Anchor may be a good option.


Thursday, May 30, 2013

IT Service Catalog in OIM11G R2 - filtering objects

In the post "IT service catalog evolution" I discussed how the set of entitlements that IT offers to the business has been presented to the business in the request interfaces of the various provisioning products. A major and ongoing issue has been how to expose the entitlements that the business cares about. Traditionally there were a couple of different ways to solve that problem if you are using OIM, but if you wanted to solve the problem within the confines of the standard web interface you often ended up with a very large number of resource objects (ROs, aka application instances). Another reason for ending up with "too many ROs" could be that you have large numbers of independent target systems and each system has been modeled as an RO.

A large number of ROs comes with a number of issues but the biggest is usually that it can make it hard for the business to pick the right entitlement in the request interface.

In this post I will take a closer look at how you can resolve this problem in OIM11G R2 by utilizing the catalog concept.

The catalog offers the ability to present not only resource objects (application instances) but also enterprise roles and entitlements. This gives you a very rich tool chest when it comes to displaying options, but sometimes what you need to do is to selectively hide certain options based on the attributes of the user who is using the request interface.


Daniel Gralewski has written an excellent introduction to the Catalog concept that is a very good starting point if you are unfamiliar with the feature. A more in depth discussion can be found in the OIM manual.


The object filtering approach requires that it is possible, from a business standpoint, to divide the objects in the request interface into a number of different buckets and then map these buckets to different groups of users. A typical situation may be that the following "buckets" exist:

  • Birthright objects such as a base AD account
  • Enterprise applications
  • Applications that are used by a specific department such as HR or Finance apps
  • Applications used in a specific geographic region, e.g. EMEA

The discovery and categorizing exercise is very similar to role mining, and if you drive it too far you will run into the same issues that plagued role mining projects. That said, it is usually reasonably easy to perform some form of coarse grained sorting of the apps.

Once you have the apps sorted you can map the users through their cost centers or departments so that the users only see the objects that are interesting for them.

Daniel Gralewski has written a detailed howto that shows how to change the shopping cart icon based on whether the user is already associated with an object or not. The same approach can be used, with some modifications, to hide objects that the users really don't need to be able to request.

Alex Lopez has written a more advanced example that also uses multi step drop downs, where the content of the first drop down is determined by the requesting user's attributes and the content of the second is determined by the pick in the first drop down. It is a very nice example that shows the versatility of the interface.
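To make the bucket-to-user mapping concrete, here is an added Python illustration; it is not OIM code and not Gralewski's or Lopez's ADF customization, and in OIM the same decision would live in the customized catalog page. The catalog items, bucket rules and user attributes are constructed sample data; the block shows the visibility filter, the "already associated" flag behind the cart icon swap, and the dependent second drop-down.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class CatalogItem:
    name: str
    bucket: str                  # "birthright", "enterprise", "department" or "region"
    scope: Optional[str] = None  # department or region the item belongs to

@dataclass
class User:
    login: str
    department: str
    region: str
    existing: Set[str] = field(default_factory=set)  # objects already provisioned

# Constructed sample catalog (made-up application names).
CATALOG = [
    CatalogItem("AD base account", "birthright"),
    CatalogItem("Intranet portal", "enterprise"),
    CatalogItem("HR payroll app", "department", "HR"),
    CatalogItem("Finance ledger", "department", "Finance"),
    CatalogItem("EMEA expense system", "region", "EMEA"),
    CatalogItem("APAC expense system", "region", "APAC"),
]

def is_visible(item: CatalogItem, user: User) -> bool:
    """Bucket rule: birthright and enterprise objects are shown to everyone;
    department and region objects only to users in that department/region."""
    if item.bucket in ("birthright", "enterprise"):
        return True
    if item.bucket == "department":
        return item.scope == user.department
    if item.bucket == "region":
        return item.scope == user.region
    return False  # unknown bucket: hide rather than expose by accident

def build_request_view(user: User, catalog=CATALOG) -> List[Tuple[str, str]]:
    """Rows the request page should render for this user, each tagged with
    the cart state that drives the icon swap: 'already_assigned' when the
    user is associated with the object, otherwise 'requestable'."""
    rows = []
    for item in catalog:
        if is_visible(item, user):
            state = "already_assigned" if item.name in user.existing else "requestable"
            rows.append((item.name, state))
    return rows

def second_dropdown(user: User, bucket: str, catalog=CATALOG) -> List[str]:
    """Dependent pick list: the first drop-down picks a bucket, the second
    lists only the items in it that the user is allowed to see."""
    return [i.name for i in catalog if i.bucket == bucket and is_visible(i, user)]
```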

The catalog does offer a number of advanced capabilities and really gives the implementation team the ability to create a very customized user interface within the core product. This means that you don't have to make the very large base investment that a "ground up" user interface requires, and the implementation is also reasonably upgrade safe.

The downside of the catalog approach is that you do need to do some business analysis work up front to understand who should be able to request what. The implementation team also needs to have quite deep WebCenter/ADF skills to be able to perform the customization.

Overall the catalog is a very nice feature and clearly puts OIM ahead of some of its competition, e.g. IBM SIM/TIM 6.0.

Wednesday, May 29, 2013

IT Service Catalog evolution

One of the eternal problems in Enterprise IAM is to bridge the gap between how the business looks at an entitlement and how this entitlement is actually provisioned and managed by IT into the target systems.

If you look back to the 2001-2005 era when the first provisioning tools like Thor Xellerate (later OIM) and Access 360 (later TIM and now ISIM) entered the market, the tools basically offered a capability to automate the creation of core identities and the associated target system identities. The approach that these systems took closely followed how the enterprise access administrators within IT looked at the world. Most of these systems came with a request interface of variable usability (they were user friendly, they were just very picky about who they wanted to be friends with).

Move forward a bit to the 2005-2006 era and the request interfaces became more understandable, but as they were metadata driven they were hampered by the basic data structure, which basically dictated that a line item in the request interface should be a resource object, which out of the box usually mapped to a user account in a target system. This is not very useful if what the business wants is to manage business entitlements that map to one or more attributes, such as a group membership, on the target system.

One way to solve this problem was to get yourself one of the new role management tools such as Vaau Role Manager (later Sun Role Manager and now Oracle Role Manager) or Bridgestream (later Oracle Role Manager and now dead). This approach worked if you could get the business to consolidate their access profiles into a set of distinct business roles that could then be mapped to IT roles that contained the actual entitlements.

Sometimes you could even map the users to business roles through user attributes such as physical location, cost center or reporting chain. If this was possible you had reached the nirvana of totally automated provisioning.

In practice this approach turned out to be hard to implement, as it was very hard to capture the very complex nature of enterprise entitlement management in a set of discrete rules. By the time you had finished one role mining exercise the business had reorganized and you needed to start more or less from scratch. It was also very hard to get the business to spend time on defining and maintaining business roles.

If you couldn't get the money to buy a role mining and management tool what did you do then?

One option was to write your own, which I did for an IBM IAM stack implementation that ran 2010-2011. This worked decently well to generate a base set of entitlements that should be given to each user upon user creation, but the challenge was to keep the configuration files updated as the business evolved.

You could of course create a custom user interface that encapsulated all the complexities, but that was a very expensive approach from both a time and a cost perspective. I followed that approach in an Oracle eBusiness provisioning enablement project using IBM TIM in 2008 and it worked great, but the project cost was substantial and the scope was limited to a single target system. Sena Systems as well as other system integrators have done a number of very successful implementations using this approach, and if you have the time and funds and have a very complex IT landscape this is clearly the approach that gives you the best result.

Another approach was to encapsulate the atomic entitlements into requestable objects and then present the business with a very long list of objects that they had to choose from. This approach was favored by the major analyst houses back in the 2010-2011 time frame and certainly works.

If you want to follow this approach using OIM I wrote some articles on how to do it back in 2010 that may be of interest:




As always there are downsides to taking this approach. One major downside is that the list of entitlements tends to get rather large in a major enterprise, which makes it very hard for the business to pick the right entitlement, which in turn makes the business very unhappy.

In OIM11G R2 there is a new concept called the catalog that gives you a new tool to address this particular issue. I will take a deeper look at the catalog in a later post, but it is a really nice addition to OIM and gives you a low cost alternative to the custom interface.

Tuesday, April 16, 2013

Persona based access control

One of the design goals of an access control system, be it RBAC, ABAC or raw entitlement based, is that the user interface should only display options that are actually available to the user. The purpose of this is of course to create a smoother user experience, especially for occasional users who don't need complex functionality to perform their tasks. In an RBAC based system the classical example is to hide or grey out buttons based on what roles the user has.

This works well if there is a base UI that all users of a specific category need and a specific user does not belong to more than one category. These assumptions are unfortunately not always correct.

If you for example look at the health payer space, a single physical user can take on a number of different personas. The same person could be a consumer of health services ("member"), work as a health insurance broker ("broker") or work for a health service provider doing billing or similar work ("provider"). It is even common that the same person works for multiple providers but may need a completely different interface for each provider, as the line of business is sufficiently different. The same person may code dental claims on Monday and GP claims for her other employer on Tuesday through Friday.

You could of course implement this use case by building a different portal for each type of user with different URLs and then federating the identities between the portals, but that gets expensive and very complex from both a developer and a user standpoint. You could also implement the logic in custom code, but that also gets expensive.

Another option is to use some form of persona based access control. There are a couple of different approaches, one being to use ABAC and XACML and the other being to establish the persona as a concept in the authorization model.

SecurIT is hosting a webinar on using their Trustbuilder product to implement persona based access control and if you are interested in PBAC I strongly recommend registering.

Saturday, March 2, 2013

SecurIT Trustbuilder

One of the sessions I am looking forward to at Pulse is "IAM-1390 : A Cloud Security Platform Offering Simple, Secure and Fast Digital Access to Flemish Authorities Resources" which is presented by Marc Vanmaele from SecurIT.

This implementation was done leveraging a product from SecurIT called Trustbuilder which looks like a good way to implement a couple of quite thorny but very interesting use cases.

Healthcare payers and providers

In the US healthcare system there are a lot of billing transactions between the providers of services and the payers of services, as well as intermediaries in the chain. The actual entering of claims is usually done by specialized professionals called medical coders. It is very common that a specific medical coding professional works for multiple provider organizations, which requires that a single physical user can take on multiple roles (e.g. on Monday GP coding for hospital A, on Tuesday to Thursday oncology coding for practitioner group B, on Fridays dental coding for doctor Z). This requirement is hard to meet in OOTB TAM, but it seems like SecurIT has added an abstraction layer to better support context aware identification.
This capability is also very useful in medical health record systems such as drug manufacturers' patient registries. The conventional solution would be custom code or XACML, but it would be interesting to see how Trustbuilder stacks up. A little more detail on patient registries.
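The persona post above and the medical coder scenario here describe the same model: one physical user holding several personas, each tied to an organization and a line of business, with authorization decided by the persona that is currently active rather than by the union of everything the user could be. The following Python sketch is an added illustration of that model; it is not SecurIT Trustbuilder code and not XACML, and the persona kinds, actions and the sample coder are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass(frozen=True)
class Persona:
    kind: str                               # "member", "broker" or "provider"
    organization: Optional[str] = None      # employer this persona acts for
    line_of_business: Optional[str] = None  # e.g. "dental", "GP", "oncology"

# Constructed sample rules: which persona kinds may perform which actions,
# and which actions are further restricted to the persona's line of business.
ACTION_RULES = {
    "view_own_claims": {"member"},
    "quote_policy": {"broker"},
    "code_claim": {"provider"},
}
LOB_RESTRICTED = {"code_claim"}

class Session:
    """One login, many personas, exactly one active at a time."""

    def __init__(self, user: str, personas: Sequence[Persona]):
        self.user = user
        self.personas = tuple(personas)
        self.active: Optional[Persona] = None  # nothing is granted until chosen

    def activate(self, kind: str, organization: Optional[str] = None) -> Persona:
        """Select a persona the user actually owns; refuse ambiguous picks
        (e.g. 'provider' when the user codes for two organizations)."""
        matches = [p for p in self.personas
                   if p.kind == kind and (organization is None or p.organization == organization)]
        if len(matches) != 1:
            raise PermissionError(f"{self.user}: persona {kind}/{organization} is not unambiguous")
        self.active = matches[0]
        return self.active

    def is_permitted(self, action: str, lob: Optional[str] = None) -> bool:
        """Authorize against the active persona only, never the union of all."""
        p = self.active
        if p is None or p.kind not in ACTION_RULES.get(action, set()):
            return False
        if action in LOB_RESTRICTED:
            return lob is not None and p.line_of_business == lob
        return True

def ui_options(session: Session) -> List[str]:
    """Menu entries to render: only actions the active persona kind may use."""
    p = session.active
    return sorted(a for a, kinds in ACTION_RULES.items() if p is not None and p.kind in kinds)
```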

FDA regulated organizations and digital signatures

The step up authentication capability could be used to meet the regulations from the Food and Drug Administration on digital signatures (21 CFR part 11). Standard TAM lacks the ability to enforce an additional atomic authentication event triggered by access to a certain set of URLs. You could of course implement this with a callback from the application code to the TAM authorization server, but this requires modification of the application code, which may be impractical or impossible if you're using a commercial off-the-shelf application.
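An added Python sketch of what such a gateway side rule looks like when it is enforced in front of the application rather than by a callback from it; this is not TAM or Trustbuilder code, and the URL prefixes, authentication levels and the five minute freshness window are constructed assumptions. The signing URL set demands a second, recent authentication event regardless of which application sits behind it, and paths are canonicalized before matching so a dotted path or a query string cannot bypass the rule.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class SessionState:
    user: str
    level: int                 # 1 = password login, 2 = second authentication event
    last_step_up: float = 0.0  # epoch seconds of the most recent step-up

# Constructed policy: (path prefix, required level, max age in seconds of the
# step-up event, or None for no freshness requirement). Most specific first,
# because the first matching prefix wins.
STEP_UP_RULES = [
    ("/records/sign", 2, 300),  # electronic signature: re-authenticate within 5 minutes
    ("/records/", 1, None),     # ordinary record access: normal login is enough
]

def normalize_path(url: str) -> str:
    """Match on the canonical path only, so '/records/x/../sign?id=1'
    is evaluated as '/records/sign' and cannot slip past the signing rule."""
    return posixpath.normpath(urlsplit(url).path)

def decide(session: SessionState, url: str, now: float) -> str:
    """Gateway decision for one request: ALLOW, STEP_UP or DENY."""
    path = normalize_path(url)
    for prefix, level, max_age in STEP_UP_RULES:
        if path.startswith(prefix):
            if session.level < level:
                return "STEP_UP"
            if max_age is not None and now - session.last_step_up > max_age:
                return "STEP_UP"  # level reached earlier, but too stale for a signature
            return "ALLOW"
    return "DENY"  # no rule covers the path: deny rather than fall through

def record_step_up(session: SessionState, now: float) -> None:
    """Called by the gateway after the second authentication event succeeds."""
    session.level = 2
    session.last_step_up = now
```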

Pre pulse 2013

Pulse 2013 is coming up fast and furious and I am packing my bags.

If any of my readers are interested in meeting me in person and are attending Pulse, I will be part of the panel for "IAM-2297: Best Practices in Adopting Identity and Access Management" which will take place in MGM Grand Room 122 on Tuesday 5-6 pm.

The talk will be centered around two questions:
  • How do you run a successful IAM program?
  • How do you mature the IAM program to a business service?
If this sounds interesting then please come and listen to me and hopefully I won't bore you too much.

This year's program contains a long list of very interesting sessions, but as I have been unable to figure out how you make the Pulse homepage show when and where a specific session happens, I still haven't got a real plan for what sessions to attend.

One session I will make sure to attend is the "IAM-1390: A Cloud Security Platform Offering Simple, Secure and Fast Digital Access to Flemish Authorities Resources" that is presented by Marc Vanmaele from SecurIT. SecurIT won the IBM 2012 Beacon award for TrustBuilder, which is an extension of IAM/TAM that adds some very interesting capabilities in some areas that are quite far away from the state and federal government sectors.

Thursday, February 21, 2013

Access recertification in the cloud with CA and Nördic Döts

Being born and raised in Sweden I keep a little eye on the Nordic IDM Market and CGI (formerly Logica, formerly WM Data) just closed a deal on building a cloud based access recertification platform for ABB.

The funniest part of reading the Swedish press release was to see what Swedish words they were using for the English concepts. I actually think that the copywriter did a really good job.

For my readers who don't speak Swedish the CA English press release about the technical platform may be more interesting. It is good to see that CA continues to invest in their IAM platform. It is also very interesting to see that the IAM as a Service delivery model now clearly has become mainstream.

Tuesday, January 15, 2013

Pulse 2013 - Best practices in IAM

Pulse 2013 is coming up soon and I am planning my yearly trip to lovely Las Vegas.

This year I will be on a panel titled "Best Practices in adopting Identity and Access Management - a panel discussion". The Pulse panels are always a lot of fun so I am really looking forward to it.