Identity Management Tips, Thoughts and Opinions

Matthew Pollicove


IDM – too Complicated?

Based on what I’ve been hearing from the SAP NetWeaver Identity Management Community there have been some grumbles about the Complexity and Functionality in NW IDM. This is not going to be a slam on SAP, since almost everybody recognizes that IDM has improved immeasurably since the release of NetWeaver Identity Management 7.0.

I’d like to address some of the most common questions/comments I’ve heard. Hopefully we’ll be able to start a little bit of a conversation here…

Q1. Why doesn’t IDM just work out of the box?

A1. Why doesn’t any Enterprise System just work out of the box? Folks, Identity Management is not a project, it’s a program comprised of many little projects, with User Provisioning only being a small part of the whole pie. It also affects many other systems in your Enterprise. Based on this it cannot be simple. Adding in the context of SAP does not make it any easier. Consider your ERP roll out. Was it Simple? Was it Straightforward? Did you need consensus before making decisions? Well here you go. In some ways SAP IDM is easier than other systems since it is so tightly integrated with the rest of the SAP Ecosystem.

Let’s face it, SAP is tough and complicated since it touches so much of the organization. Throw in a couple more systems, maybe you’re using a different HCM system, or a couple of Directory Services. That increases complexity as well. Compared to some other products it’s a real breeze. The product does not require you to work purely in XML and only uses Java and JavaScript to extend, not build, the provisioning system. Also the connectors are flexible and robust. Compare that to some other Provisioning Systems, where we had to constantly contact the Development team to get connector source code so that we could make modifications.

Even for consultants setting up a new system, it’s not always so easy. While I’ve developed a nice little tool kit of jobs, passes and scripts, there’s always Pollicove’s Law of Provisioning to consider. Even in the same industry there are wide swings in the approach to IT Security and User Provisioning. This presents challenges for everybody.

Q2. Why is it so complicated? Why am I logging so many !@$# OSS notes?

A2. Well, first off, go to training. It seems I get blank stares when I bring this up. SAP has a great Training Class for 7.1 and 7.2. Personally, I’d like to see more training offered, but that’s for another post.

Also in the case of SAP IDM, have you looked at the documentation? There are some excellent guides for setting up some common workflows and tips on how to customize them.

Note to SAP: Adding a section to SDN where people can post workflow samples would be a nice idea that could foster the exchange of ideas. Maybe something that people can start getting involved with at TechEd DemoJam?

Also, refer to the previous question. It can be complicated and the product is still maturing. Give it time. Believe me, from my talks with SAP, there is even more that they want to do than you want from it. I think 7.2 is going to go a long way here in addressing functionality that people keep requesting via OSS.

Q3. Why don’t they support…

A3. See the previous question. If you want it, SAP probably wants it as well. I saw a recent thread on SDN about supported databases and why don’t we support…. Well, the answer is there are certain things needed from a database system for IDM to even potentially work with it (triggers and stored procedures) that, believe it or not, are supported by every database out there. (At least no one asked about Access.)

So what do these questions and answers have in common:

  •  A need for a greater understanding of what’s involved in your Identity Management Solution
  •  Good Administrator/Architect/Engineering preparation through training and research
  •  An appreciation of how the entire Enterprise (SAP and non-SAP) works together.

Kind of sounds like the first bullet is about defining requirements, the second point is about resources, and the third is about design. Something to think about. While I'm not saying that it's all customer prep (or lack thereof) that raises issues, it certainly is a factor.

NetWeaver IDM is a product that is still maturing, and doing so at a nice clip. 7.2 is a major evolutionary milestone. Of course, this gets me excited for what’s going to happen in the next version. But please, no more major database upgrades!


More Stories By Matthew Pollicove

Matt Pollicove is an Identity Management architect, engineer, trainer, project manager, author and blogger with experience in user account provisioning, data synchronization, virtual directory and password management solutions. As a MaXware Technical Consultant and later as a System Engineer, he worked extensively with MaXware (now SAP) software products in large customer environments. In the past Matt has worked with several leading national and international consulting firms and is currently a Sr. Principal Consultant for Commercium Technologies. He is currently the Practice Lead for SAP NetWeaver Identity Management and SailPoint IIQ.