Have you ever encountered procedural problems while re-engineering your hiring, retirement or resignation processes to adapt them to your brand new IAM solution? Did you feel that modifying your IAM system to cope with all the different requirements, access rights and approval chains might as well be tackled by writing your own IAM system? Fine! Then you are in the best company you can imagine, because almost everybody went through that deep sorrow you feel. Now imagine you have to do all this for each and every external identity your company deals with in every business unit - do I hear muffled sobbing, or is it somebody screaming loud and running away in pain?
The average IAM project already comes to its limits with managing all the internal identities, logins, usernames and access levels one can have. Adding external resources and having them provisioned with all necessary rights - and especially restrictions! - may well go beyond what your vendor claimed his software was capable of doing. That is seldom a matter of technology, or rather, seldom ONLY technology related, but has a great deal to do with managing the rather weird processes of hiring and getting rid of external labour resources. Want an example? Here we go: imagine a big broadcasting company, or even better one of the monolithic public broadcasting services here in Germany. Now imagine this behemoth has to deal with new media, such as IPTV, on-demand content and the like - could and would this be done with internal resources? I bet there would be dire need for some technophilic and hip member of the blogosphere to chip in his techno-magic skills! With deadlines approaching fast and youngsters being too reluctant to sign an official full-time employee (FTE) working contract (not that positions like these could not be generated out of thin air at a public broadcasting station!), one would aim for the "external editor" model. So far - so good! Now that our young hero is NOT going to be an FTE, the usual way of getting him access to networks, laptops, servers and apps - through the HR hiring process - will definitely not work for him. He will not get an HR ID as he will not get regular payments, and as such he will not be provisioned through the official channels. Maybe HR does not even get involved until some later point in time, if the chief editor has his own budget for external workers. In addition, the standard processes would not be of any assistance, as the new guy would need access to systems that are probably not part of the global provisioning procedures or - even worse - he would need administrative access to some production machines!
Therefore, designing special processes for hiring and changing externals, as well as managing access rights and privileges for them without having to get them into all the internal directories and databases, is definitely a MUST for big IAM projects. Roles and rights management should accommodate external as well as internal resources - thus making exceptions the norm. Really sounds like a nightmare, huh? Come to EIC 2008 and join my colleague Felix Gaethgens and me in our session "Managing External Identities"! Looking forward to meeting you in Munich and finding ways to wake up from that nightmare!
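To make the "one role model for internals and externals, with exceptions as the norm" idea concrete, here is an added example (my own sketch, not code from the original post or from any product discussed there). The point it illustrates is the security problem behind the story: an external editor never produces an HR leaver event, so nothing will ever trigger his deprovisioning unless the identity itself carries an end date and a named internal sponsor. The example resolves roles to entitlements the same way for both populations, but an external only receives a privileged role (the "admin access to production" case) after an explicit per-person approval, and a review pass flags identities that must be removed. All role names, entitlement strings, the 180-day term limit and the sample population are hypothetical values constructed for the example.

```python
"""Added example (not from the original post): one role model for internal and
external identities, where externals are time-boxed and sponsor-owned because
no HR leaver event will ever deprovision them. All names are hypothetical."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Source(Enum):
    HR = "hr"            # internal: joiner/mover/leaver events come from HR
    SPONSOR = "sponsor"  # external: an internal employee owns the lifecycle


@dataclass
class Identity:
    uid: str
    source: Source
    roles: set = field(default_factory=set)
    sponsor: Optional[str] = None   # uid of the internal owner (externals only)
    expires: Optional[date] = None  # hard end date (externals only)
    hr_active: bool = True          # meaningful for HR-sourced identities only
    approvals: set = field(default_factory=set)  # privileged roles approved for an external


# One role catalogue for everybody; the "privileged" flag is what forces an
# explicit per-person approval when the holder is external (hypothetical roles).
ROLE_CATALOG = {
    "editor":     {"entitlements": {"cms:write", "media:upload"}, "privileged": False},
    "prod-admin": {"entitlements": {"ssh:prod", "cms:admin"},     "privileged": True},
    "staff":      {"entitlements": {"mail", "intranet"},          "privileged": False},
}
MAX_EXTERNAL_TERM = timedelta(days=180)  # assumed policy maximum before re-sponsoring


def register_external(uid, sponsor, expires, roles, approvals, today):
    """Create an external identity; refuse it if the lifecycle controls are missing."""
    if expires is None or expires <= today:
        raise ValueError("external identity needs an end date in the future")
    if expires - today > MAX_EXTERNAL_TERM:
        raise ValueError("external term exceeds policy maximum; needs re-sponsoring")
    if sponsor is None:
        raise ValueError("external identity needs a named internal sponsor")
    return Identity(uid, Source.SPONSOR, set(roles), sponsor, expires, True, set(approvals))


def is_active(ident, directory, today):
    """Internal: active as long as HR says so. External: not expired, and the
    sponsor must still be an active internal (a departed sponsor ends the access)."""
    if ident.source is Source.HR:
        return ident.hr_active
    if ident.expires is None or today >= ident.expires:
        return False
    owner = directory.get(ident.sponsor)
    return owner is not None and owner.source is Source.HR and owner.hr_active


def effective_entitlements(ident, directory, today):
    """Same role-to-entitlement resolution for both populations, but an
    external only gets a privileged role's entitlements if it was approved."""
    if not is_active(ident, directory, today):
        return set()
    granted = set()
    for role in ident.roles:
        spec = ROLE_CATALOG[role]
        if ident.source is Source.SPONSOR and spec["privileged"] and role not in ident.approvals:
            continue
        granted |= spec["entitlements"]
    return granted


def lifecycle_review(directory, today):
    """Return (uid, reason) pairs for identities that must be deprovisioned now."""
    findings = []
    for ident in directory.values():
        if ident.source is Source.HR and not ident.hr_active:
            findings.append((ident.uid, "left per HR"))
        elif ident.source is Source.SPONSOR:
            if ident.expires is not None and today >= ident.expires:
                findings.append((ident.uid, "term expired"))
            elif not is_active(ident, directory, today):
                findings.append((ident.uid, "sponsor no longer active"))
    return findings


# Constructed sample population: a chief editor (HR), a departed employee (HR),
# and two sponsored externals with time-boxed contracts.
TODAY = date(2008, 4, 1)
DIRECTORY = {
    "chief": Identity("chief", Source.HR, {"staff", "editor"}),
    "gone":  Identity("gone", Source.HR, {"staff"}, hr_active=False),
}
DIRECTORY["ext1"] = register_external(
    "ext1", sponsor="chief", expires=date(2008, 6, 30),
    roles={"editor", "prod-admin"}, approvals={"prod-admin"}, today=TODAY)
DIRECTORY["ext2"] = register_external(
    "ext2", sponsor="gone", expires=date(2008, 6, 30),
    roles={"editor"}, approvals=set(), today=TODAY)

if __name__ == "__main__":
    for uid in DIRECTORY:
        print(uid, sorted(effective_entitlements(DIRECTORY[uid], DIRECTORY, TODAY)))
    print(lifecycle_review(DIRECTORY, TODAY))
```

The design choice worth noting is that the role catalogue is shared: the external editor is not a second-class record in a separate database, he simply carries two extra attributes (sponsor, end date) that replace the HR events he will never generate. Running `lifecycle_review` on a schedule is what turns "the chief editor forgot to tell anyone the contract ended" from an orphaned production admin account into a finding.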