Wednesday, November 30, 2011

IDM – too Complicated?

Based on what I’ve been hearing from the SAP NetWeaver Identity Management Community there have been some grumbles about the Complexity and Functionality in NW IDM. This is not going to be a slam on SAP, since almost everybody recognizes that IDM has improved immeasurably since the release of NetWeaver Identity Management 7.0.

I’d like to address some of the most common questions/comments I’ve heard. Hopefully we’ll be able to start a little bit of a conversation here…

Q1. Why doesn’t IDM just work out of the box?

A1. Why doesn’t any Enterprise System just work out of the box? Folks, Identity Management is not a project, it’s a program comprised of many little projects, with User Provisioning only being a small part of the whole pie. It also affects many other systems in your Enterprise. Based on this it cannot be simple. Adding in the context of SAP does not make it any easier. Consider your ERP roll out. Was it Simple? Was it Straightforward? Did you need consensus before making decisions? Well, here you go. In some ways SAP IDM is easier than other systems since it is so tightly integrated with the rest of the SAP Ecosystem.

Let’s face it, SAP is tough and complicated since it touches so much of the organization. Throw in a couple more systems (maybe you’re using a different HCM system, or a couple of Directory Services) and that increases complexity as well. Compared to some other products it’s a real breeze. The product does not require you to work purely in XML, and it only uses Java and JavaScript to extend, not build, the provisioning system. Also, the connectors are flexible and robust. Compare that to some other Provisioning Systems, where we had to constantly contact the Development team to get connector source code so that we could make modifications.

Even for consultants setting up a new system, it’s not always so easy. While I’ve developed a nice little tool kit of jobs, passes and scripts, there’s always Pollicove’s Law of Provisioning to consider. Even in the same industry there are wide swings in the approach to IT Security and User Provisioning. This presents challenges for everybody.

Q2. Why is it so complicated? Why am I logging so many !@$# OSS notes?

A2. Well, first off, go to training. It seems I get blank stares when I bring this up. SAP has a great Training Class for 7.1 and 7.2. Personally, I’d like to see more training offered, but that’s for another post.

Also in the case of SAP IDM, have you looked at the documentation? There are some excellent guides for setting up some common workflows and tips on how to customize them.

Note to SAP: Adding a section to SDN where people can post workflow samples would be a nice idea that could foster the exchange of ideas. Maybe something that people can start getting involved with at TechEd DemoJam?

Also, refer to the previous question. It can be complicated and the product is still maturing. Give it time. Believe me, from my talks with SAP, there is even more that they want to do than you want from it. I think 7.2 is going to go a long way here in addressing functionality that people keep requesting via OSS.

Q3. Why don’t they support…

A3. See the previous question. If you want it, SAP probably wants it as well. I saw a recent thread on SDN about supported databases and why don’t we support…. Well, the answer is there are certain things needed from a database system for IDM to even potentially work with it (triggers and stored procedures) that, believe it or not, are supported by every database out there. (At least no one asked about Access.)

So what do these questions and answers have in common:

  • A need for a greater understanding of what’s involved in your Identity Management Solution
  • Good Administrator/Architect/Engineering preparation through training and research
  • An appreciation of how the entire Enterprise (SAP and non-SAP) works together.

Kind of sounds like the first bullet is about defining requirements, the second point is about resources, and the third is about design. Something to think about. While I'm not saying that it's all customer prep (or lack thereof) that raises issues, it certainly is a factor.

NetWeaver IDM is a product that is still maturing, and doing so at a nice clip. 7.2 is a major evolutionary milestone. Of course, this gets me excited for what’s going to happen in the next version. But please, no more major database upgrades!

