IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg <roland.hedberg@adm.umu.se> Tuesday, May 19, 2009
WHAT IS IDM? “Identity management is the management of the identity life cycle of entities.” --- wikipedia
LIFE CYCLE
STATE DIAGRAM, SIMPLIFIED [figure: lifecycle states Pending, Not yet active, Active, Grace and End; the cycle is started by HR's "New employment" event]
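The lifecycle on this slide, worked through as an added Python example; this is not code from the presentation or from any IdM product the talk refers to. The slide only names the states. The events, the edges between states, the 30-day grace period, the entitlements tied to each state, the uid and all dates are assumptions constructed for the example. It shows what the diagram leaves implicit for a practitioner: access is derived from the lifecycle state rather than granted on its own, an event that the transition table does not allow is refused instead of silently accepted, and a periodic sweep closes expired grace periods so no identity stays in "grace" indefinitely.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class State(Enum):
    PENDING = "pending"                # HR has reported a new employment
    NOT_YET_ACTIVE = "not yet active"  # identity created, start date not reached
    ACTIVE = "active"
    GRACE = "grace"                    # employment over, limited access for a while
    END = "end"


# The slide names the states; the event names and edges below are assumptions.
TRANSITIONS: Dict[Tuple[State, str], State] = {
    (State.PENDING, "hr_confirmed"): State.NOT_YET_ACTIVE,
    (State.NOT_YET_ACTIVE, "start_date_reached"): State.ACTIVE,
    (State.ACTIVE, "employment_ended"): State.GRACE,
    (State.GRACE, "re_employed"): State.ACTIVE,
    (State.GRACE, "grace_expired"): State.END,
}

GRACE_DAYS = 30  # assumed length of the grace period

# Access follows from the lifecycle state; nothing grants it directly.
ENTITLEMENTS: Dict[State, FrozenSet[str]] = {
    State.PENDING: frozenset(),
    State.NOT_YET_ACTIVE: frozenset(),
    State.ACTIVE: frozenset({"login", "mail", "vpn"}),
    State.GRACE: frozenset({"mail"}),
    State.END: frozenset(),
}


@dataclass
class Identity:
    uid: str
    state: State = State.PENDING
    grace_until: Optional[date] = None
    history: List[Tuple[date, str, State]] = field(default_factory=list)

    def apply(self, event: str, today: date) -> State:
        """Apply an event, refusing anything the state machine does not allow."""
        try:
            new_state = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError(f"{event!r} not allowed in state {self.state.value!r}") from None
        self.grace_until = today + timedelta(days=GRACE_DAYS) if new_state is State.GRACE else None
        self.state = new_state
        self.history.append((today, event, new_state))
        return new_state

    def entitlements(self) -> FrozenSet[str]:
        return ENTITLEMENTS[self.state]


def sweep(identities: List[Identity], today: date) -> List[str]:
    """Daily job: end identities whose grace period has run out. Returns their uids."""
    ended = []
    for ident in identities:
        if ident.state is State.GRACE and ident.grace_until and today >= ident.grace_until:
            ident.apply("grace_expired", today)
            ended.append(ident.uid)
    return ended


def run_example() -> dict:
    """Walk one constructed identity through the cycle (uid and dates are made up)."""
    rohe = Identity("rohe0002")
    rohe.apply("hr_confirmed", date(2009, 5, 1))
    rohe.apply("start_date_reached", date(2009, 6, 1))
    active_access = rohe.entitlements()
    try:                                   # jumping straight to END is not a legal move
        rohe.apply("grace_expired", date(2009, 6, 2))
        rejected = False
    except ValueError:
        rejected = True
    rohe.apply("employment_ended", date(2009, 12, 31))
    grace_until = rohe.grace_until.isoformat()
    grace_access = rohe.entitlements()
    early = sweep([rohe], date(2010, 1, 29))   # one day too early: nothing happens
    late = sweep([rohe], date(2010, 1, 30))    # grace_until reached: deprovisioned
    return {
        "active_access": active_access,
        "illegal_event_rejected": rejected,
        "grace_until": grace_until,
        "grace_access": grace_access,
        "swept_early": early,
        "swept_late": late,
        "final_state": rohe.state,
        "steps": len(rohe.history),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The transition table is the single place that decides what is allowed; any provisioning connector that wants to change a state goes through apply(), so a stray "grace_expired" from a misconfigured job cannot skip the grace period, and the history list gives the audit trail the later CIA slide asks for.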
Identity — the very essence of who we are and how we interact with others
WHO WE ARE
HOW WE INTERACT
You are who I say you are / I am whatever I say I am.
VIEWS MAY DIFFER
OUR NORMAL VIEW?
FRANCIS BACON 1561-1626
Knowledge of the essence of things: the way things really are.
Idols of the mind (what stands in the way of that knowledge):
- idol of the tribe (human nature)
- idol of the cave (hobby horse, prejudice)
- idol of the market place (social interaction, language)
- idol of the theatre (learned)
THE INFORMATION
Who owns it? Responsibility, accountability, stability.
What does it mean? Special / universal; usage uncoupled from definition.
NEXT STEP Choose a central data representation that is rich and agile enough.
OBJECTS
  PERSON
    givenName: Roland
    surName: Hedberg
    title: MSc Chemistry & Biology
    title: MSc Mechanical Engineering
  UNIT
    name: IT-unit
    lin: 7512
  Telephone
    extension: 6844

OBJECTS AND RELATIONS WITH METADATA
  The same objects, now joined by relation objects (RelatedTo, with a "one" end and an "other" end) that carry their own attributes:
  PERSON --Employee-- UNIT
    status: active
    position: IT-architect
    extent: 100.00
  PERSON --Telephone
    extension: 6844
    email
CONSTRUCT VIEWS
Different applications, different needs. There are so many ways of doing things that we cannot mandate one.
LDAP/AD, WS, Provisioning: transformation between data models.
LDAP VIEWS, STRUCTURED RELATIONSHIPS (I)
  dc=se
    dc=umu
      cn=person
        uid=rohe0002
      cn=org
        ou=admin
        ou=umdac

LDAP VIEWS, STRUCTURED RELATIONSHIPS (II)
  dc=se
    dc=umu
      cn=person
        uid=rohe0002
      cn=org
        ou=admin
        ou=umdac
          ou=consult
          ou=production
          ou=support
      cn=group
        cn=members

LDAP VIEWS, STRUCTURED RELATIONSHIPS (III)
  dc=se
    dc=liu
      ou=students
      ou=personell
        ou=nilsa77d
      ou=org entries
        ou=Linköpings universitet
          ou=unit-123 (LiuOrgEntry)
            liuPositionIdentity=nilsa77d-ida-123-1 (roleOccupant links the position to the person entry)
      ou=system accounts
      ou=system groups
LDAP VIEW BY USE OF ATTRIBUTE OPTIONS
  cn: Roland Hedberg
  givenName: Roland
  uid: rohe0002
  telephoneNumber;x-emp-1: +46 90 786 68 44
  telephoneNumber;x-emp-2: +46 90 786 52 14
  mail;x-emp-1: roland.hedberg@adm.umu.se
  mail;x-emp-2: roland.hedberg@umdac.umu.se
  eduPersonPrincipalName: rohe0002@umu.se
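The "transformation between data models" from the CONSTRUCT VIEWS slide, carried through for the person view above, as an added Python example; it is not code from the presentation or from Umeå's own directory. The central objects (PERSON, UNIT, the Employee relation with status, position and extent) follow the OBJECTS slides and the x-emp-<n> attribute options follow this slide; the suffix dc=umu,dc=se, the ou names, the objectClasses, the seeAlso link into the org tree, the mapping of surName to sn and all sample values are assumptions or constructed data. It shows two things the slides leave implicit: the option index is taken from a stable employment number on the relation object rather than from list position, so options do not shift when one employment ends, and only employments in state "active" are projected, so the lifecycle decides what the view exposes.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List

BASE_DN = "dc=umu,dc=se"   # assumed directory suffix, after the slide's tree


@dataclass
class Unit:
    ou: str            # RDN in the org tree (ou=umdac)
    name: str
    lin: str


@dataclass
class Person:
    uid: str
    givenName: str
    surName: str
    titles: List[str] = field(default_factory=list)


@dataclass
class Employee:
    """The relation between a Person and a Unit, carrying its own attributes."""
    seq: int           # stable employment number, gives the x-emp-<seq> option
    person: Person
    unit: Unit
    status: str        # lifecycle state of this employment
    position: str
    extent: float
    telephone: str
    mail: str


def person_dn(p: Person) -> str:
    return f"uid={p.uid},cn=person,{BASE_DN}"


def unit_dn(u: Unit) -> str:
    return f"ou={u.ou},cn=org,{BASE_DN}"


def person_view(p: Person, employments: List[Employee], realm: str = "umu.se") -> Dict[str, List[str]]:
    """Project one Person plus its active Employee relations onto an LDAP entry.
    Per-employment attributes carry an attribute option so they stay distinguishable."""
    entry: Dict[str, List[str]] = {
        "dn": [person_dn(p)],
        "objectClass": ["inetOrgPerson", "eduPerson"],
        "cn": [f"{p.givenName} {p.surName}"],
        "givenName": [p.givenName],
        "sn": [p.surName],                        # central model calls this surName
        "uid": [p.uid],
        "title": list(p.titles),
        "eduPersonPrincipalName": [f"{p.uid}@{realm}"],
    }
    for e in sorted(employments, key=lambda x: x.seq):
        if e.person.uid != p.uid or e.status != "active":
            continue                              # ended employments leave no trace
        opt = f";x-emp-{e.seq}"
        entry.setdefault("telephoneNumber" + opt, []).append(e.telephone)
        entry.setdefault("mail" + opt, []).append(e.mail)
        entry.setdefault("seeAlso", []).append(unit_dn(e.unit))  # link into the org tree
    return entry


def unit_view(u: Unit) -> Dict[str, List[str]]:
    return {"dn": [unit_dn(u)], "objectClass": ["organizationalUnit"],
            "ou": [u.ou], "description": [f"{u.name} (lin {u.lin})"]}


def _ldif_line(attr: str, value: str) -> str:
    # RFC 2849: values that are not safe ASCII (non-ASCII, NUL/CR/LF, leading
    # space, ':' or '<', trailing space) are base64-encoded and marked with "::".
    unsafe = (not value.isascii() or any(c in "\x00\r\n" for c in value)
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def to_ldif(entry: Dict[str, List[str]]) -> str:
    return "\n".join(_ldif_line(a, v) for a, vals in entry.items() for v in vals) + "\n"


# Constructed sample data modelled on the slides; not real directory content.
UMDAC = Unit("umdac", "IT-unit", "7512")
ADMIN = Unit("admin", "Administration", "7500")
ROHE = Person("rohe0002", "Roland", "Hedberg",
              ["MSc Chemistry & Biology", "MSc Mechanical Engineering"])
EMPLOYMENTS = [
    Employee(1, ROHE, ADMIN, "active", "IT-architect", 100.0,
             "+46 90 786 68 44", "roland.hedberg@adm.umu.se"),
    Employee(2, ROHE, UMDAC, "active", "consultant", 20.0,
             "+46 90 786 52 14", "roland.hedberg@umdac.umu.se"),
    Employee(3, ROHE, UMDAC, "ended", "support", 50.0,
             "+46 90 786 00 00", "old.address@umdac.umu.se"),   # must not appear
]


def build_views():
    return person_view(ROHE, EMPLOYMENTS), [unit_view(u) for u in (ADMIN, UMDAC)]


if __name__ == "__main__":
    person, units = build_views()
    print(to_ldif(person))
    for unit in units:
        print(to_ldif(unit))
```

The projection is a pure function of the central model, so the LDAP view can be regenerated at any time and compared against the live directory; a difference is either a transformation bug or a change someone made directly in LDAP, which the REMAINING TASKS slide's integrity and coherence goals say should not happen.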
REMAINING TASKS!
Confidentiality: ensuring that information is accessible only to those authorised to have access.
Integrity: data cannot be modified without authorisation.
Availability: the information must be available when it is needed.
Correctness/Coherence.
YOU NEED SOMETHING THAT CAN START LOOKING LIKE THIS ..... [figure: a metadirectory (MD) between a source system and a consuming system]
.. AND END UP LOOKING LIKE THIS, WHILE YOU STILL FEEL YOU HAVE EVERYTHING UNDER CONTROL! [figure: the same metadirectory connected to many systems]
HOW?
1. Set Strategy - A cohesive Identity Management strategy will set overall objectives and give guidance to individual projects or project phases.
2. Secure Sponsorship - Project sponsors must have a vested interest in the business objectives of the project, have spending and decision-making authority, and retain a cross-functional view of the project.
3. Plan Quick Wins - By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits.
4. Select Project Leadership - Full-time, proactive project management is essential to the implementation of an identity management strategy.
5. Define Business Process - Organizations should define as many of the end-state business processes as possible prior to designing the technology solution.
6. Select Implementation Team - Identity projects should be staffed with qualified, experienced, motivated, and dedicated resources.
7. Gain Commitment from Supporting Resources - Owners and administrators of managed resources throughout the larger organization must also be committed to identity management success.
8. Provide Proper Infrastructure - Investing in the proper technical environment for an Identity Management project will ultimately pay off in reduced errors, more effective troubleshooting, and more efficient coordination of configuration components.
9. Assure Data Quality - Project managers should build time and resources into their project plans for an assessment of data quality and for remediation of any deficiencies.
10. Conduct Post Production Turnover - Following a formal process for post production turnover allows all parties to set proper expectations for ongoing support.
Source: http://blogs.sun.com/identity/entry/ten_best_practices_for_identity