<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-25881969</id><updated>2012-02-01T16:04:46.392-05:00</updated><category term='on boarding'/><category term='Personal'/><category term='provisioning'/><category term='Legal'/><category term='SECUDE Global Consulting'/><category term='User Interface'/><category term='SAP TechEd 2010'/><category term='Microsoft'/><category term='SQL'/><category term='MaXware'/><category term='risk management'/><category term='passwords'/><category term='Customization'/><category term='SP5'/><category term='Security'/><category term='Oracle'/><category term='risk'/><category term='David Kearns'/><category term='Metadirectory'/><category term='white paper'/><category term='Identity'/><category term='SAP'/><category term='managed services'/><category term='SaaS'/><category term='Compliance'/><category term='IC'/><category term='planning'/><category term='Conference'/><category term='Humor'/><category term='Gartner'/><category term='SP2'/><category term='post-provisioning'/><category term='de-provisioning'/><category term='blogs'/><category term='training'/><category term='Gregg Dippold'/><category term='SAP TechEd 2011'/><category term='ROI'/><category term='GRC'/><category term='Virtual Directory'/><category term='IdM'/><category term='php'/><category term='troubleshooting practices'/><category term='MMC'/><category term='economy'/><category term='best practices'/><category term='SP1'/><category term='implementation'/><category term='Tips'/><category term='Jackson Shaw'/><category term='commentary'/><category term='blog'/><category term='Burton'/><category term='Ian Daniel'/><category term='LDAP'/><category 
term='Matt Flynn'/><category term='CUA'/><category term='infrastructure'/><category term='Upgrade'/><category term='NW IDM'/><category term='consolidation'/><category term='administration'/><category term='BI'/><category term='Dispatcher'/><category term='governance'/><category term='javascripting'/><category term='summary'/><category term='caching'/><category term='Audit'/><title type='text'>IdM Thoughtplace</title><subtitle type='html'>My personal thoughts and observations on the Identity Management landscape.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default?start-index=101&amp;max-results=100'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>160</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-25881969.post-4883366671026819458</id><published>2012-01-30T11:20:00.003-05:00</published><updated>2012-01-31T09:27:28.413-05:00</updated><title type='text'>Calling all Dispatchers</title><content type='html'>&lt;br /&gt;&lt;div style="text-align: left;"&gt;There are two items of general NetWeaver Identity Management maintenance that I 
get asked about frequently.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="text-indent: -0.25in;"&gt;How do you prevent deadlocks?&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="text-indent: -0.25in;"&gt;What is the best way to configure my dispatchers in IDM?&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;All too often these issues are actually related, as inefficient dispatcher setup can cause database deadlocks. In this blog entry I’d like to recommend some possible architecture scenarios that will help out with this. For the purposes of this discussion, we’ll be talking about a NetWeaver IDM 7.1 installation on Microsoft SQL Server 2008 R2. According to &lt;a href="http://msdn.microsoft.com/en-us/library/ms178104.aspx"&gt;Microsoft&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoQuote" style="margin-bottom: 10.0pt; margin-left: .5in; margin-right: .5in; margin-top: 0in;"&gt;A deadlock occurs when two or more tasks permanently block each other by each task having a lock on a resource which the other tasks are trying to lock. 
The following graph presents a high level view of a deadlock state where:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoQuote" style="margin-bottom: 0.0001pt; margin-left: 0.75in; margin-right: 0.5in; margin-top: 0in; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Task T1 has a lock on resource R1 and has requested a lock on resource R2.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoQuote" style="margin-bottom: 0.0001pt; margin-left: 0.75in; margin-right: 0.5in; margin-top: 0in; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Task T2 has a lock on resource R2 and has requested a lock on resource R1.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoQuote" style="margin-bottom: 0.0001pt; margin-left: 0.75in; margin-right: 0.5in; margin-top: 0in; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Because neither task can continue until a resource is available and neither resource can be released until a task continues, a deadlock state exists.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Attaching multiple dispatchers to the same task would then seem to create the potential for deadlocks to occur in the database, particularly if they are all trying to access the same rows in the various IDM tables. 
But wait, we’re supposed to be able to do this to encourage High Availability, Load balancing and failover, so what gives?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Well, the secret lies in the architecture, of course. If the requests come from separate physical hosts, it is much easier for both IDM and the database to manage the threads and requests. Let’s look at a couple of examples. First, here is a basic dispatcher setup assuming one server with a couple of dispatchers on it.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Sj8PdlVO8W8/TybCn2ngooI/AAAAAAAAAOM/lBlOapPxlUQ/s1600/blog1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="173" src="http://3.bp.blogspot.com/-Sj8PdlVO8W8/TybCn2ngooI/AAAAAAAAAOM/lBlOapPxlUQ/s320/blog1.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This setup is OK since each dispatcher (D) is connected to a distinct Job (J) or set of jobs. Sometimes there is a need to have a configuration like this, which is usually something like one dispatcher for provisioning jobs, one for housekeeping (HK) and one that provides some sort of elevated access for Directory Services (DS) access.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Based on this there might be a temptation to set up the dispatcher/job relationship to look something like this to provide additional fail over and support for some specific jobs. 
Consider the following example where I outline a scenario with a crossover between multiple dispatchers pointing to jobs in a many-to-one relationship:&lt;/div&gt;&lt;div class="MsoNormal"&gt;This scenario is exactly what we do not want, as it is the most likely to create a deadlock: multiple dispatchers are accessing the same jobs, which are accessing the same database resources. What we have here is a potential for deadlocks as the system is trying to manage multiple database resources (rows) at the same time. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;What tends to compound this situation is the way that the database is being accessed. 
Using the To Identity Store Pass creates the least amount of deadlock strain on the system, since this is under the direct control of the workflow system and its dispatchers, while using techniques such as the &lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;uIS_SetValue&lt;/span&gt; function, which can be called from anywhere, at any time, creates the greatest possibility of deadlocks, as the system is managing standard job-based access alongside unforeseen access via &lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;uIS_SetValue&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This scenario should be replaced by something like this:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-PFp1OsFt-AA/TybCor8zolI/AAAAAAAAAOQ/0Mq7cLvVa48/s1600/blog2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-PFp1OsFt-AA/TybCor8zolI/AAAAAAAAAOQ/0Mq7cLvVa48/s1600/blog2.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In this case the potential for deadlocks is significantly reduced since there is separate management of the database connections. 
It also provides a degree of load-balancing and failover since if the D&lt;sub&gt;1&lt;/sub&gt; or D&lt;sub&gt;3&lt;/sub&gt; Dispatchers are busy or unable to process an assigned task then the D&lt;sub&gt;4&lt;/sub&gt; or D&lt;sub&gt;5&lt;/sub&gt; dispatchers respectively can take over. A good resource for this can be found in the SAP document &lt;i&gt;&lt;a href="http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1069b670-621a-2e10-9598-99d3b7d99a69"&gt;SAP NetWeaver Identity Management Identity Center Implementation Guide Optimizing Dispatcher Performance&lt;/a&gt;&lt;/i&gt;.&lt;b&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;What also needs to be recognized is that it’s not always as much “where” the requests come from, but when the requests come. Care should be taken to monitor the frequency and duration of the larger and more intensive tasks and workflows to make sure that the more involved tasks do not run at the same time (for example, the HCM load should probably not happen at the same time that the Directory Service reconciliation is occurring). These should be the first candidates for having their own dedicated dispatchers if there is a need to run them on similar schedules and this cannot be avoided.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Given all of this, the thing to remember when considering dispatcher allocation is to make sure that there are not multiple dispatchers that are competing for the same set of Identity Store resources at the same time. As long as this is kept in mind when setting up dispatchers, the possibility of deadlocks is minimized.&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;A related question is how many dispatchers need to be assigned for provisioning and de-provisioning operations. 
I have always used 25,000 objects per dispatcher as a general rule. Based on this the scenario shown above would be good for an enterprise where there are a maximum of 50,000 users, roles, privileges or groups that are being managed in any given task.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;As a final note, it is a good thing to remember that the dispatchers do not need to be installed on Microsoft Windows based systems only. Any UNIX/LINUX environment is just fine for setting up IDM Dispatchers. For more information, check out the SAP document: &lt;i&gt;&lt;a href="http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00e7da17-26a1-2c10-c5a7-b9886cbc2a14"&gt;How To: Setting Up An Identity Management Dispatcher On A Unix Host Flavor&lt;/a&gt;&lt;/i&gt;.&lt;i&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4883366671026819458?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4883366671026819458/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4883366671026819458' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4883366671026819458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4883366671026819458'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2012/01/calling-all-dispatchers.html' title='Calling all 
Dispatchers'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-Sj8PdlVO8W8/TybCn2ngooI/AAAAAAAAAOM/lBlOapPxlUQ/s72-c/blog1.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5413807888125200646</id><published>2012-01-15T23:03:00.001-05:00</published><updated>2012-01-15T23:03:32.182-05:00</updated><title type='text'>Tutorial Follow up</title><content type='html'>One thing that I forgot to mention in my last &lt;a href="http://idm-thoughtplace.blogspot.com/2012/01/cutting-gordian-provisioning-knot.html" target="_blank"&gt;post &lt;/a&gt;was about the content of the tutorials. When you take a look at them you're going to notice two things.&lt;br /&gt;&lt;br /&gt;First off they are incredibly detailed and easy to follow.&amp;nbsp; If you've just come off of training, there's plenty of screenshots showing you how IDM should be configured which is great if you're learning something new (or seeing how it's been updated since last version)&lt;br /&gt;&lt;br /&gt;If you're more familiar with IDM, the tutorials are great too.&amp;nbsp; They're all based on real life scenarios which you'll need to implement in your organization's&amp;nbsp; IDM setup. They're also very open ended, making it easy for IDM Pros to evolve the tutorial scenario into something that you can use.&lt;br /&gt;&lt;br /&gt;Good luck and enjoy those tutorials! 
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5413807888125200646?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5413807888125200646/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5413807888125200646' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5413807888125200646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5413807888125200646'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2012/01/tutorial-follow-up.html' title='Tutorial Follow up'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4411481827136728950</id><published>2012-01-13T15:24:00.001-05:00</published><updated>2012-01-13T15:24:39.820-05:00</updated><title type='text'>Cutting the Gordian Provisioning Knot</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-EKXAO-Xg-GY/TxCSz7K6-oI/AAAAAAAAAN4/0Fbdzl9HXGk/s1600/1280241131HSIJwk.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://3.bp.blogspot.com/-EKXAO-Xg-GY/TxCSz7K6-oI/AAAAAAAAAN4/0Fbdzl9HXGk/s200/1280241131HSIJwk.jpg" width="200" /&gt;&lt;/a&gt;I mentioned in a previous posting that SAP NetWeaver Identity Management has 
been called &lt;a href="http://idm-thoughtplace.blogspot.com/2011/11/idm-too-complicated.html" target="_blank"&gt;too complicated&lt;/a&gt;. I've even heard some people referring to it as the Gordian knot of IT Security. Well, anyone can "hack" through the knot, but smart people find a way to untangle it.&lt;br /&gt;&lt;br /&gt;New versions of the product don't make this any easier; however, there is a resource that is often overlooked. The SAP IDM team has created several fantastic tutorials that talk about many of the challenges that we face on a daily basis.&lt;br /&gt;&lt;br /&gt;I've found that with the release of 7.2, referring to the &lt;a href="http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/4000d09f-a9b9-2d10-8b90-ba3a0f9fe0c8" target="_blank"&gt;documentation &lt;/a&gt;in general and the tutorials in particular has been most helpful. I recently had an issue with Role and Privilege assignment that was driving me nuts until I looked at the new documentation. Along the way I learned some new things about Pending Values, the UI and of course, about how Privileges are assigned in IDM under the new release.&lt;br /&gt;&lt;br /&gt;So remember, when the going gets tough, the tough read documentation and tutorials!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4411481827136728950?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4411481827136728950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4411481827136728950' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4411481827136728950'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/25881969/posts/default/4411481827136728950'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2012/01/cutting-gordian-provisioning-knot.html' title='Cutting the Gordian Provisioning Knot'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-EKXAO-Xg-GY/TxCSz7K6-oI/AAAAAAAAAN4/0Fbdzl9HXGk/s72-c/1280241131HSIJwk.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7783923858664533573</id><published>2012-01-10T20:54:00.003-05:00</published><updated>2012-01-10T21:01:32.968-05:00</updated><title type='text'>SQL Server Fulltext search updates</title><content type='html'>&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;If you are using Fulltext search with a SQL Server implementation of IDM, be advised that there is a new installation guide that contains updated information about Fulltext search.&amp;nbsp; I was recently passed this information that you might find helpful...&lt;/span&gt;&lt;/div&gt;&lt;h2 style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.blogger.com/blogger.g?blogID=25881969" name="SQLServerFulltextsearch-Lessonslearnedre"&gt;&lt;/a&gt;&lt;/span&gt;&lt;/h2&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;There is a noiseword (2005)/stop-word (2008) list that contains words that are not indexed. Most of these make sense (a, the, or, and, etc.) and do not affect searches in IdM. 
Our naming of privileges with the word "only" was slightly more unfortunate as it's also considered a noiseword. This requires customization of the noiseword/stopword list for customers that want to search for the repository privilege.&lt;/span&gt;&lt;/div&gt;&lt;h3 style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.blogger.com/blogger.g?blogID=25881969" name="SQLServerFulltextsearch-Customizingstopw"&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="font-size: small; font-weight: normal;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/h3&gt;&lt;h3 style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small; font-weight: normal;"&gt;Customizing stopwords in SQL Server 2008:&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;SQL Server 2008 uses stopwords stored in the database. To customize the list you need to make a copy of the system stopwords list and assign it to be used with the IdM full-text index (ftfull). 
This can be done using these commands or from the user interface of SSMS.&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;CREATE FULLTEXT STOPLIST idmStopList FROM SYSTEM STOPLIST;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: x-small;"&gt;-- Remove the words you want to include in the index:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: x-small;"&gt;ALTER FULLTEXT STOPLIST idmStopList DROP 'only' LANGUAGE 1033;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: x-small;"&gt;ALTER FULLTEXT INDEX ON mxi_values SET STOPLIST idmStopList;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;It's also possible to view the stopwords using queries. An example listing languages blocking the word "only" follows:&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;-- To list all entries of 'only' stopwords in the stoplist (can be many languages):&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: x-small;"&gt;SELECT * FROM sys.fulltext_stopwords WHERE stoplist_id = (SELECT stoplist_id FROM sys.fulltext_stoplists WHERE name = 'idmStopList') AND stopword = 'only'&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-5TK6lG02zNc/TwzrDC6-DtI/AAAAAAAAANg/yySQNTbVT90/s1600/fullserver-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
src="http://4.bp.blogspot.com/-5TK6lG02zNc/TwzrDC6-DtI/AAAAAAAAANg/yySQNTbVT90/s1600/fullserver-1.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: x-small;"&gt;-- To test a stoplist&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: x-small;"&gt;SELECT special_term, display_term FROM sys.dm_fts_parser (' "a text like system priv ad only somethingsomething" ', 1033, (SELECT stoplist_id FROM sys.fulltext_stoplists WHERE name = 'idmStopList'), 0)&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-wl4EXQ-3Yt4/TwzrDqPIgJI/AAAAAAAAANo/rw-Jm1yK25s/s1600/fullserver-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-wl4EXQ-3Yt4/TwzrDqPIgJI/AAAAAAAAANo/rw-Jm1yK25s/s1600/fullserver-2.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Here we see that "a" and "like" are considered noise and not indexed, while "only" is indexed for exact matches.&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: Verdana,sans-serif; font-size: small;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;h3 style="font-family: Verdana,sans-serif; font-weight: normal;"&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.blogger.com/blogger.g?blogID=25881969" name="SQLServerFulltextsearch-Customizingnoise"&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="font-size: small;"&gt;Customizing noisewords in SQL Server 2005:&lt;/span&gt;&lt;/h3&gt;&lt;span style="font-family: Verdana,sans-serif; 
font-size: small;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Modify the noiseZZZ.txt files in the SQL Server folder, remove "only" and other things you want to include from ENG, ENU (and others) and then drop &amp;amp; recreate the fulltext index:&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;&lt;span style="font-size: 11pt;"&gt;&lt;span style="font-size: x-small;"&gt;DROP FULLTEXT INDEX ON mxi_values;&lt;br /&gt;DROP FULLTEXT CATALOG ftfull;&lt;br /&gt;CREATE FULLTEXT CATALOG ftfull WITH ACCENT_SENSITIVITY=OFF AS DEFAULT;&lt;br /&gt;CREATE FULLTEXT INDEX ON mxi_values(searchvalue) KEY INDEX IX_MXI_VALUES_Value_ID;&lt;/span&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-jdTgNSuno1U/TwzrD8wbjaI/AAAAAAAAANw/UG7ObQrtF6Y/s1600/fullserver-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="257" src="http://3.bp.blogspot.com/-jdTgNSuno1U/TwzrD8wbjaI/AAAAAAAAANw/UG7ObQrtF6Y/s320/fullserver-3.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Hope you found this helpful! 
Thanks again to the folks that passed this info along!&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7783923858664533573?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7783923858664533573/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7783923858664533573' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7783923858664533573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7783923858664533573'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2012/01/sql-server-fulltext-search-updates.html' title='SQL Server Fulltext search updates'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-5TK6lG02zNc/TwzrDC6-DtI/AAAAAAAAANg/yySQNTbVT90/s72-c/fullserver-1.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4162608282441067586</id><published>2012-01-02T20:43:00.002-05:00</published><updated>2012-01-02T20:43:58.448-05:00</updated><title type='text'>Welcome, Microsoft</title><content type='html'>I'm always happy to see that IdM is gaining acceptance from customers and the Industry in general. 
In a list &lt;span style="font-size: small;"&gt;&lt;span style="font-family: inherit;"&gt;of&lt;/span&gt;&lt;/span&gt; &lt;span style="font-size: small; font-weight: normal;"&gt;&lt;span style="font-family: inherit;"&gt;&lt;a href="http://www.zdnet.com/blog/microsoft/the-10-sexiest-microsoft-business-teases-for-2012/11492" target="_blank"&gt;The 10 sexiest Microsoft business teases for 2012 from ZDNet&lt;/a&gt; by Mary Jo Foley, &lt;/span&gt;&lt;/span&gt;Identity Management finally makes the list, coming in at number 5.&lt;br /&gt;&lt;br /&gt;Glad that IdM is finally being noticed as a core technology. Sad to see that it's taken this long and only in the context of a major player like Microsoft, nothing about firms such as Sun (and Oracle), SAP, SailPoint, Aveksa, Siemens, etc., who have been doing this for years, not to mention that Microsoft has been in the IdM business for a few years now.</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4162608282441067586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4162608282441067586' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4162608282441067586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4162608282441067586'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2012/01/welcome-microsoft.html' title='Welcome, Microsoft'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-707003551157846967</id><published>2011-12-13T19:59:00.001-05:00</published><updated>2011-12-13T20:00:06.120-05:00</updated><title type='text'>Provisioning Dynamically</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;I was having an extended email conversation with some peers about some issues they were experiencing with Pending Value Objects in SAP NetWeaver Identity Management. Now for sure, I’ve never been a fan, but I monitored the conversation because you never know when you might learn something. 
For a while, my most interesting comment was that “Pending values are something I’m still “pending” on.” And I figured that would be about it.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;After a bit, I decided to re-read the original question, thinking there’s got to be an easier way to handle the issue, which involved designing a mechanism to determine which repository a user should be provisioned to, based on the migration status of a specific system, and then of course, do the provisioning.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;I then remembered that I had created a “dynamic” provisioning mechanism some time ago for a client that might help. Since I like to share my knowledge far and wide, I will describe the solution.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;The way I originally prototyped the process was to create the new user in IDM and then have the next task in the workflow create the user in Active Directory using the appropriate repository, which would be based on Business Unit (Each BU had different starting points and Exchange servers so a single IDM Repository was not going to cut it) that the user belonged to. 
I used an Action Task with a “To Custom” pass that contained a script that looked something like this:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Main function: DYNAMIC_CREATE_USER&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;function DYNAMIC_CREATE_USER (Par){&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Description: Initiates a provisioning task for a given entry in the identity store.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Syntax: AuditRef=uProvision(Int MSKey, Int TaskID, Int RefAudit, Int Repository, String UserID, Int Delay[, Int Standalone]);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Parameters: MSKey - The entry's ID (MSKey).&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; 
font-size: 8pt;"&gt;//TaskID - The ID of the task to be initiated.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//RefAudit - Reference audit, if available. If the function is called from a provisioning job, the audit reference of this task can be submitted to the task initiated by uProvision and inserted in the audit log. Use 0 if no reference audit is available.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Repository - Repository ID. 0 means no repository.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//UserID - General user ID or message that will be inserted in the field USERID in the audit log. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Typically this can be a distinguished name or Active Directory login name.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Delay - Delay in seconds until the task should be initiated.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Standalone - Optional. Normally, when a task is started with uProvision and RefAudit is given, the task will be an event task of the original task. This parameter specifies whether the task should be an event task or not. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Possible values:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//0: The task is started as an event task. 
(Default)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//1: The task is started "standalone" (not as an event task).&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//AuditRef - Audit reference or error message prefixed with !ERROR:.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Example: MyAudit=uProvision(2,5,0,0,"",50);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;//Run task 5 on MSKey 2 and wait for 50 seconds before the task is initiated.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var RepName = "";&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var Repository = 0;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;RepName = Par.get('BUSINESSUNIT');&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;uErrMsg(1,"Repository Name - " + RepName);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;if (RepName == "Corporate")&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;{&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;Repository = 10;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;}&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span 
style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;else if (RepName == "Widgets")&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;{&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;Repository = 9;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;}&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;else if (RepName == "Gadgets")&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;{&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;Repository = 11;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;}&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: 
none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;else if (RepName == "Thingys")&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;{&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;Repository = 12;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;}&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;else&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;{&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;// Use the Default repository&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;Repository = 1;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; 
text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;&amp;nbsp;}&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;uErrMsg(1,"Repository Number - " + Repository);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var MSKey = uGetEntryID();&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var TaskID = 123;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var RefAudit = 0;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var UserID = Par.get('DISPLAYNAME');&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var Delay = 20;&lt;/span&gt;&lt;/div&gt;&lt;div 
class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;var AuditRef = uProvision(MSKey, TaskID, RefAudit, Repository, UserID, Delay);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;uErrMsg(1,"MSKey: " + MSKey + " TaskID: " + TaskID + " RefAudit: " + RefAudit + " Repository: " + Repository + " UserID: " + UserID + " Delay: " + Delay);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;uErrMsg(1,"AuditRef: " + AuditRef);&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in; mso-layout-grid-align: none; tab-stops: 6.0in; text-autospace: none;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 8pt;"&gt;}//FUNCTION&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;Of course the names of the Business Units and Repository values will depend on your project, and you might use a completely different attribute to base your Repository decision on.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 
&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;The trick to this solution lies with the &lt;/span&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; font-size: 11pt;"&gt;uProvision &lt;/span&gt;&lt;span style="font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 11pt;"&gt;function to execute the task using the correct repository. Now I know this could have been done using a standard “To-LDAP” pass with some lookups, but I wanted something more flexible. By using this technique, you are matching the provisioning action to a repository, which gives us much more flexibility in the workflow.&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/707003551157846967/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=707003551157846967' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/707003551157846967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/707003551157846967'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/12/provisioning-dynamically.html' title='Provisioning Dynamically'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8587986976872423079</id><published>2011-12-06T15:33:00.001-05:00</published><updated>2011-12-06T15:40:52.350-05:00</updated><title type='text'>Creating Secure Methods of Accessing Identity Store Data in NetWeaver IDM</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt; &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"  DefSemiHidden="true" DefQFormat="false" DefPriority="99"  LatentStyleCount="267"&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/&gt;  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 4"/&gt;  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/&gt;  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   
UnhideWhenUsed="false" Name="Colorful List Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/&gt;  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 6"/&gt;  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/&gt;  &lt;w:LsdException 
Locked="false" Priority="19" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/&gt;  &lt;w:LsdException Locked="false" Priority="21" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/&gt;  &lt;w:LsdException Locked="false" Priority="31" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/&gt;  &lt;w:LsdException Locked="false" Priority="32" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/&gt;  &lt;w:LsdException Locked="false" Priority="33" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/&gt;  &lt;w:LsdException Locked="false" Priority="37" Name="Bibliography"/&gt;  &lt;w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/&gt; &lt;/w:LatentStyles&gt;&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt;&lt;style&gt; /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}&lt;/style&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt; &lt;o:shapedefaults v:ext="edit" spidmax="1027"/&gt;&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt; &lt;o:shapelayout v:ext="edit"&gt;  &lt;o:idmap v:ext="edit" data="1"/&gt; &lt;/o:shapelayout&gt;&lt;/xml&gt;&lt;![endif]--&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;a 
href="http://1.bp.blogspot.com/-br8bRJ_WStY/Tt58KmTIleI/AAAAAAAAANU/NQh2Jg-w0GA/s1600/warning.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-br8bRJ_WStY/Tt58KmTIleI/AAAAAAAAANU/NQh2Jg-w0GA/s1600/warning.jpg" /&gt;&lt;/a&gt;At its core, NetWeaver Identity Management’s Identity Center is a metadirectory-based application. This means that information is taken from various sources (e.g., HCM, AD and other feeds) and then brought back into the IDM database to create a single authoritative store. By bringing all of the data, in the form of attributes, into a single place, data access is easier and more efficient.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"&gt;This being said, not all attributes are created equal, and not all of them should be easily accessible, which necessitates some level of “protection”. These attributes are defined as personal or significant to the owner of the Identity and do not need to be readily shared, but they might be needed by organizational personnel and thus should be accessible via a tool such as IDM.&lt;br /&gt;&lt;br /&gt;What kinds of data might this be? That’s kind of hard to pin down. Each organization has its own determining factors on what data should be protected, based on Compliance, Legal, Cultural and other factors. Should all this data be stored in the Identity Management solution? That’s tough to say; all I know is that if it’s required in the project, we discuss the pros and cons, come to a consensus and move forward.&lt;br /&gt;&lt;br /&gt;As we move forward, it is necessary to develop a methodology to properly protect the data and plan for its use in a secure way. 
In NetWeaver IDM, I have come up with the following methodology:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;All protected data is stored in an encrypted format. By default, IDM uses 3DES as its reversible encryption. (MD5 and SHA-1 are used for one-way or hashed encryption.)&lt;/li&gt;&lt;li&gt;Access to protected data via the IDM Web UI is done using role-based tasks in the Web UI.&lt;/li&gt;&lt;li&gt;To access the data, a separate task, the Access User Info task, must be used to log the user’s access of the protected data. This task will decode the relevant secure data to clear text attributes. An additional task in this workflow will clear the clear text attributes after a specific time period has expired.&lt;/li&gt;&lt;li&gt;Once this has been done, we can then access the Web UI task that contains the sensitive information. In this example, that is a task that allows Administrators to Edit user data. 
Presumably some protected data can be viewed from this task.&lt;/li&gt;&lt;li&gt;Once the task with the secure data has been submitted, the attributes holding the clear text data will be cleared. The task in step 3 above will still execute as a double check.&lt;/li&gt;&lt;/ol&gt;&lt;div class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"&gt;&lt;br /&gt;Now why do it this way, you might ask? There are two reasons:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;There is an additional audit entry showing that the user requested “elevated access”.&lt;/li&gt;&lt;li&gt;NW IDM does not allow for “on the fly” decryption of attributes, citing it as a security breach.&lt;/li&gt;&lt;/ul&gt;&lt;div class="MsoNormal"&gt;I’ll tell you, at first I really did not like SAP’s reasoning on this, but the more I thought about it, it made sense, given that now the person requiring access must log their request for elevated viewing rights, providing for more detail about what is happening. This way the Service Desk user can still just examine the user’s record and the secured attributes just appear blank. Is there a right or wrong way to do this?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Does this solution break “best practices” or define them? 
Again, I’m not 100% sure. What I do know is that this methodology offers the most pragmatic compromise and the smallest “data access window”, and as long as the decisions and details are documented, we should be good to go.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Thoughts?&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8587986976872423079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8587986976872423079' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8587986976872423079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8587986976872423079'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/12/creating-secure-methods-of-accessing.html' title='Creating Secure Methods of Accessing Identity Store Data in NetWeaver IDM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-br8bRJ_WStY/Tt58KmTIleI/AAAAAAAAANU/NQh2Jg-w0GA/s72-c/warning.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3478675342526547451</id><published>2011-12-01T17:24:00.001-05:00</published><updated>2011-12-01T17:26:51.849-05:00</updated><title type='text'>Why are feeds bad?</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;I was recently asked to take a look at an architecture in use by a client. As I started the analysis, I noticed that there was a high reliance on Web Services for communicating data between systems. Now Web Services are not necessarily a bad thing, but when I looked at the back end systems that were involved, it seemed rather unnecessary. There was no overwhelming requirement for security and there were simpler, but still effective, means to move the data. Adding in a Web Services component introduced extra hardware, software and network hops that in my analysis provided inefficient service and an unneeded, overly complicated architecture.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;When moving data between systems, there is nothing wrong with using temporary ASCII files or SQL Tables. SQL Tables are particularly useful since they can be optimized for read/write operations and can have some extra security placed on them. Also, most IdM systems allow for encrypting data to provide an extra layer of security. Sometimes, these systems are the easiest means of communicating between disparate systems. Let’s face it, how many mainframe or AS/400 systems have native SPML support?&lt;/div&gt;&lt;div class="MsoNormal"&gt;For instances where there is a native LDAP interface, don’t be afraid to use it; NetWeaver IDM is excellent at both reading and writing to any LDAP v3 compliant system. 
Heck, any User Provisioning system worth its salt needs this anyway.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So as a final word to those considering how to connect widely (or even not so widely) disparate systems, think back to the basics and decide if the use case, the customer, and the technology really require Web Services and could not be better served by the big three: ASCII, SQL and LDAP.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3478675342526547451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3478675342526547451' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3478675342526547451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3478675342526547451'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/12/why-are-feeds-bad.html' title='Why are feeds bad?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8354910356218527705</id><published>2011-11-30T11:03:00.001-05:00</published><updated>2011-11-30T11:10:56.122-05:00</updated><title type='text'>IDM – too Complicated?</title><content type='html'>&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Based on what I’ve been hearing from the SAP NetWeaver Identity Management Community, there have been some grumbles about the Complexity and Functionality in NW IDM. This is not going to be a slam on SAP, since almost everybody recognizes that IDM has improved immeasurably since the release of NetWeaver Identity Management 7.0.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;I’d like to address some of the most common questions/comments I’ve heard. 
Hopefully we’ll be able to start a little bit of a conversation here…&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;Q1.&lt;/b&gt; Why doesn’t IDM just work out of the box?&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;A1.&lt;/b&gt; Why doesn’t any Enterprise System just work out of the box? Folks, Identity Management is not a project, it’s a program comprised of many little projects, with User Provisioning only being a small part of the whole pie. It also affects many other systems in your Enterprise. Based on this &lt;i style="mso-bidi-font-style: normal;"&gt;it cannot be simple.&lt;/i&gt; Adding in the context of SAP does not make it any easier. Consider your ERP roll out. Was it Simple? Was it Straightforward? Did you need consensus before making decisions? Well, here you go. In some ways SAP IDM is easier than other systems since it is so tightly integrated with the rest of the SAP Ecosystem.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Let’s face it, SAP is tough and complicated since it touches so much of the organization. Throw in a couple more systems, maybe you’re using a different HCM system, or a couple of Directory Services. That increases complexity as well. Compared to some other products it’s a real breeze. 
The product does not require you to work purely in XML and only uses Java and JavaScript to extend, not build, the provisioning system. Also, the connectors are flexible and robust, compared to some other Provisioning Systems where we had to constantly contact the Development team to get connector source code so that we could make modifications.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Even for consultants setting up a new system, it’s not always so easy. While I’ve developed a nice little tool kit of jobs, passes and scripts, there’s always &lt;a href="http://idm-thoughtplace.blogspot.com/2008/05/pollicoves-law-identity-management.html"&gt;Pollicove’s Law of Provisioning&lt;/a&gt; to consider. Even in the same industry there are wide swings in the approach to IT Security and User Provisioning. This presents challenges for everybody.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;Q2.&lt;/b&gt; Why is it so complicated? 
Why am I logging so many !@$# OSS notes?&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;A2.&lt;/b&gt; Well, first off, go to training. It seems I get blank stares when I bring this up. SAP has a great Training Class for 7.1 and 7.2. Personally, I’d like to see more training offered, but that’s for another post.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Also, in the case of SAP IDM, have you looked at the documentation? There are some excellent guides for setting up some common workflows and tips on how to customize them.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;Note to SAP:&lt;/b&gt; Adding a section to SDN where people can post workflow samples would be a nice idea that could foster the exchange of ideas. Maybe something that people can start getting involved with at TechEd DemoJam?&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Also, refer to the previous question. It can be complicated and the product is still maturing. Give it time. Believe me, from my talks with SAP, there is even more that they want to do than you want from it. I think 7.2 is going to go a long way here in addressing functionality 
that people keep requesting via OSS.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;Q3.&lt;/b&gt; Why don’t they support…&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;b&gt;A3.&lt;/b&gt; See the previous question. If you want it, SAP probably wants it as well. I saw a recent thread on SDN about supported databases and why don’t we support…. Well, the answer is that there are certain things needed from a database system for IDM to even potentially work with it (triggers and stored procedures) that, believe it or not, are supported by every database out there. (At least no one asked about Access.)&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;So what do these questions and answers have in common?&lt;/div&gt;&lt;br /&gt;&lt;ul style="font-family: Verdana,sans-serif;"&gt;&lt;li&gt;A need for a greater understanding of what’s involved in your Identity Management Solution&lt;/li&gt;&lt;li&gt;Good Administrator/Architect/Engineering preparation through training and research&lt;/li&gt;&lt;li&gt;An appreciation of how the entire Enterprise (SAP and non-SAP) works together.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;Kind of sounds like the first bullet is about defining requirements, the second point is about resources, and the third is about design. Something to think about. While I'm not saying that it's all customer prep (or lack thereof) that raises issues, it certainly is a factor.&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="font-family: Verdana,sans-serif;"&gt;NetWeaver IDM is a product that is still maturing, and doing so at a nice clip. 7.2 is a major evolutionary milestone. Of course, this gets me excited for what’s going to happen in the next version. 
But please, no more major database upgrades!&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8354910356218527705/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8354910356218527705' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8354910356218527705'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8354910356218527705'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/11/idm-too-complicated.html' title='IDM – too Complicated?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-114431873057344515</id><published>2011-11-17T21:45:00.001-05:00</published><updated>2011-11-17T21:48:51.328-05:00</updated><title type='text'>Exchange 2010 Provisioning</title><content type='html'>&lt;div style="font-family: Verdana,sans-serif;"&gt;A long time ago when I first started working with 
MaXware Identity Center, I had to pass a hands on test to demonstrate my proficiency with Identity Center and Virtual Directory. The part of this whole exam that scared me the most was provisioning to Microsoft Exchange.&amp;nbsp; Long story short, I aced the exam and successfully provisioned to all of my target systems &lt;i&gt;including &lt;/i&gt;Exchange.&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;br /&gt;Recently I was asked to set up provisioning to Microsoft Exchange 2010 specifically via PowerShell. So I got to earn a little education along the way.&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;To start with there are a few pre-requisites that you need:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Ensure 64 bit PowerShell 2.0 is installed on the server&lt;/li&gt;&lt;li&gt;Ensure that the Exchange 2010 Console is installed on the server &lt;/li&gt;&lt;/ol&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;There are a few steps that I’m going to skip along the way mostly because they deal more with PowerShell scripting than Identity Management.&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;You’ll need to create a script which I refer to as exchprov.ps1. 
PowerShell will need to be configured to store the password for the Service Account as a PowerShell Credential object.&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;#Gather Parameters&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Param($MSKEYVALUE,$EXCH_URL,$EXCH_DB)&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;#user info&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;$user = "IDMSERVICEACCOUNT"&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;$password = (get-content d:\pshell\zservice.idm)&amp;nbsp; | ConvertTo-SecureString&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;$cred = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $user, $password&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;#session info&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;$session = New-PSSession -Configurationname microsoft.exchange –ConnectionUri $EXCH_URL -Credential 
$cred&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Import-PSSession $session &lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;#actual work!&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;enable-mailbox -Database $EXCH_DB $MSKEYVALUE&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;#close session&lt;/span&gt;&lt;br style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;" /&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Remove-PSSession $session&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The code receives three parameters to hold the MSKEYVALUE, Exchange Server and Exchange Database. Then reads the service account ID and password. It then opens a session and imports it to the local system. When this is done the Exchange Snap-in gets loaded and the mailbox is created based on the Exchange Server and Database that were passed. 
When this is all done the session gets closed out.&lt;br /&gt;&amp;nbsp;&lt;/div&gt;&lt;div style="font-family: Verdana,sans-serif;"&gt;In closing, as usual there were a number of people who helped out with the creation of this process, Exchange Admins, PowerShell experts and other smart people.&amp;nbsp; However, there are a couple of people that I’d like to thank because you stood behind me all those years ago when I provisioned Exchange for the first time.&amp;nbsp; Thanks, guys! &lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-114431873057344515?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/114431873057344515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=114431873057344515' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/114431873057344515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/114431873057344515'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/11/exchange-2010-provisioning.html' title='Exchange 2010 Provisioning'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2773652524755140188</id><published>2011-11-04T16:43:00.000-04:00</published><updated>2011-11-07T11:15:24.281-05:00</updated><title type='text'>There's a new 
version in town!</title><content type='html'>If you've checked the SDN Marketplace lately, you'll notice that &lt;a href="http://www.sdn.sap.com/irj/sdn/nw-identitymanagement" target="_blank"&gt;NetWeaver Identity Management 7.2&lt;/a&gt; has finally come out of Ramp-up and into General Availability! There's also a slew of new and updated &lt;a href="http://www.sdn.sap.com/irj/scn/articles-identity-management-all" target="_blank"&gt;documentation &lt;/a&gt;available for the new product.&lt;br /&gt;&lt;br /&gt;I'm anxious to try it out. &amp;nbsp;Looks like it is somewhat involved and you will need to read carefully to make sure that you do the correct steps in the correct order. &amp;nbsp;This will be unlike any other IdM/Identity Center upgrade I have ever done. &amp;nbsp;I have started to review the documentation and it looks fairly straightforward. Rest assured that I will be recording any "gotchas" I experience during the upload.&lt;br /&gt;&lt;br /&gt;What I can tell you from what I have seen so far is that it is important to make sure of the following:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;You have good backups&lt;/li&gt;&lt;li&gt;You make sure your dispatchers and event agents are stopped&lt;/li&gt;&lt;li&gt;The&amp;nbsp;provisioning&amp;nbsp;queue is empty&lt;/li&gt;&lt;li&gt;There are no approvals or pending values hanging&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;I'd also advise taking a good look at the &lt;a href="http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/9071156f-7da9-2a10-8092-e26834b07ef5?QuickLink=index&amp;amp;overridelayout=true" target="_blank"&gt;Staging Environment&lt;/a&gt; guide from SAP as the installation guide is framed in the context of this document.&lt;br /&gt;&lt;br /&gt;Looking forward to hearing what people are experiencing with the upgrade.&lt;br /&gt;&lt;br /&gt;Good Luck!&lt;br /&gt;&lt;br /&gt;PS -- Forgot to add a link to this great &lt;a 
href="http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/30b4e626-0ed6-2e10-1ea5-cba90d49d400" target="_blank"&gt;IDM 7.2 Overview&lt;/a&gt;. &amp;nbsp;Valuable&amp;nbsp;reading!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2773652524755140188?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2773652524755140188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2773652524755140188' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2773652524755140188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2773652524755140188'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/11/theres-new-version-in-town.html' title='There&apos;s a new version in town!'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-318146566786038761</id><published>2011-10-25T21:37:00.001-04:00</published><updated>2011-10-26T21:21:47.146-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Matt Flynn'/><category scheme='http://www.blogger.com/atom/ns#' term='David Kearns'/><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Jackson Shaw'/><category scheme='http://www.blogger.com/atom/ns#' 
term='blogs'/><title type='text'>Common Identity</title><content type='html'>I do a lot of research to keep up with the goings on in the Identity Management world. A lot of it is based on the goings on with SAP NetWeaver Identity&amp;nbsp;Management, monitoring &lt;a href="http://forums.sdn.sap.com/forum.jspa?forumID=274&amp;amp;start=0"&gt;SDN&lt;/a&gt;, and the new documents that can be found on the main NW IDM &lt;a href="http://www.sdn.sap.com/irj/sdn/nw-identitymanagement"&gt;page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;However there is a lot that goes on in the overall study of Identity Management. &amp;nbsp;I found Dave Kearns' article from Network World to be very interesting and informative, and was sad to see it end. &amp;nbsp;Unfortunately many of the best sources for overall IdM information come from the various consulting groups, which require subscriptions. &lt;br /&gt;&lt;br /&gt;There are, however, several good blogs that one can find out there. &amp;nbsp;In particular I like to follow &lt;a href="http://360tek.blogspot.com/"&gt;Matt Flynn&lt;/a&gt;, &lt;a href="http://jacksonshaw.blogspot.com/"&gt;Jackson Shaw&lt;/a&gt;,&amp;nbsp;&lt;a href="http://idmjournal.com/"&gt;Dave Kearns'&lt;/a&gt; new blog, and &lt;a href="http://nat.sakimura.org/"&gt;Nat Sakimura&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;There is also, of course, the &lt;a href="http://planetidentity.org/"&gt;Planet Identity&lt;/a&gt;&amp;nbsp;blog, which I think is one of the best overall sites that monitors IdM related information.&lt;br /&gt;&lt;br /&gt;However, one source that always seems to teach me something new all the time is the Identity Commons &lt;a href="http://idcommons.net/"&gt;website &lt;/a&gt;and &lt;a href="http://www.idcommons.org/working-groups/identity-gang/"&gt;mailing list&lt;/a&gt;. These folks don't just talk about user provisioning or access control or authentication or single sign-on or anything so simple. These &amp;nbsp;folks talk about how all of these things come together. 
Not just Identity Management, but the Management of Identity, on line, off line, between the lines and every other which way. I don't often participate in the discussions, but I always learn something from them and they have changed the way I approach the discipline of Identity Management.&lt;br /&gt;&lt;br /&gt;For instance, a recent discussion about the use of various types of encryption and security turned into a whole discussion about the nature of Identity and what is required to track how Identities prove themselves between Relying Parties and that before we can worry about security we need to consider the overall model that Identities use to relate to each other and transact with various organizations (Relying Parties)&lt;br /&gt;&lt;br /&gt;One of the posts pointed to a &lt;a href="http://www.rogerclarke.com/DV/IdTerm.html"&gt;paper&lt;/a&gt;&amp;nbsp;that starts to describe the terminology of how this all works. It's some fascinating reading that I think will again change the way I view identities as they relate to the various simple tasks of user provisioning, access control and authentication.&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-size: x-small;"&gt;&lt;i&gt;&lt;b&gt;BTW, you might have noticed that the blog has gone through some formatting changes to take advantage of some of Blogger's latest advances. &amp;nbsp;Due to this I lost some of the gadgets and the blogroll. 
&amp;nbsp;I'll be getting them back up again as soon as I can.&lt;/b&gt;&lt;/i&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-318146566786038761?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/318146566786038761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=318146566786038761' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/318146566786038761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/318146566786038761'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/10/common-identity.html' title='Common Identity'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3822693867060853782</id><published>2011-10-18T21:57:00.002-04:00</published><updated>2011-10-18T22:23:37.270-04:00</updated><title type='text'>Automating Database Installation in SP4</title><content type='html'>There's a known issue where the database does not install correctly from the mxmc-install batch file. 
There seems to be a problem with the VBScripts that transport the passwords from the script to the database server.&lt;br /&gt;&lt;br /&gt;I've taken the liberty here of editing a copy of mxmc-install that bypasses the VBScripts that move the passwords from the script to the database.&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;@echo off &lt;br /&gt;:* ------------------------------------------------------------------------&amp;nbsp;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;:* ------------------------------------------------------------------------&lt;br /&gt; :* -- SAP NetWeaver Identity Center&lt;br /&gt; :* --&lt;br /&gt; :* -- This script installs the Identity Center database&lt;br /&gt; :* -- FileName: mxmc-install.cmd&lt;br /&gt; :* -- Platform: MS-Windows&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;:* --&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt; :* -- Copyright 2007 SAP AG. 
All rights reserved.&lt;br /&gt; :* -- http://www.sap.com:*&lt;br /&gt; :* ------------------------------------------------------------------------ &lt;br /&gt;:* ------------------------------------------------------------------------ &lt;br /&gt;echo *****************************************************&lt;br /&gt; echo *** Install an Identity Center database mxmc_db for&lt;br /&gt; echo *** NetWever Identity Management 7.1, SP5&lt;br /&gt; echo *** Assumes MSSQL User: sa, database prefix "mxmc "&lt;br /&gt; echo ***&lt;br /&gt; echo *** This command will install a new Identity&lt;br /&gt; echo *** Center database.&lt;br /&gt; echo ***&lt;br /&gt; echo ***To continue press ENTER, otherwise CTRL-C&lt;br /&gt; echo *****************************************************&lt;br /&gt; pause&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;SET MC_PREFIX=mxmc&lt;br /&gt; SET MC_HOST=localhost&lt;br /&gt; SET MC_SAUSER=sa&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;set MC_SAPWD= @dmin123&lt;br /&gt; set PWDOPER= p@55word&lt;br /&gt; set PWDADMIN= p@55word&lt;br /&gt; set PWDUSER= p@55word&lt;br /&gt; set PWDRT= p@55word&lt;br /&gt; set PWDPROV= p@55word&lt;br /&gt; call mxmc-xinstall %MC_PREFIX% %MC_HOST% %MC_SAUSER% %MC_SAPWD% %PWDOPER% %PWDADMIN% %PWDUSER% %PWDRT% %PWDPROV%&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: xx-small;"&gt;pause&lt;/span&gt;&lt;div&gt;&lt;br /&gt;Nothing too complicated, just specifying the Prefix (by default MXMC) and then the passwords for SQL Server, MXMC_OPER, MXMC_ADMIN, MXMC_USER, MXMC_RT and MXMC_PROV.&lt;br /&gt;&lt;br /&gt;Hope this helps you when working with NetWeaver IDM 7.1 Service Pack 4.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3822693867060853782?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3822693867060853782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3822693867060853782' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3822693867060853782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3822693867060853782'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/10/automating-database-installation-in-sp4.html' title='Automating Database Installation in SP4'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8557526399459098909</id><published>2011-09-26T19:20:00.000-04:00</published><updated>2011-09-26T19:20:48.655-04:00</updated><title type='text'>LDAP Pass Job Log issues</title><content type='html'>Have you ever noticed when looking at the Job Log of a To/From LDAP task that the HTML and XML views of the log are empty, but the text view works fine? &amp;nbsp;I know I have and it bugged the $#@* out of me.&lt;br /&gt;&lt;br /&gt;I asked around at TechEd about this and got a good answer: This happens where there is binary data in the log file that has not been converted. 
Unfortunately this seems to happen when you most need a nicely formatted log during the troubleshooting process.&lt;br /&gt;&lt;br /&gt;Well at least we don't need to worry any more why we are only getting 1/3 of the log content we were expecting! &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8557526399459098909?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8557526399459098909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8557526399459098909' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8557526399459098909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8557526399459098909'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/ldap-pass-job-log-issues.html' title='LDAP Pass Job Log issues'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2651903140897803606</id><published>2011-09-24T16:36:00.000-04:00</published><updated>2011-09-24T18:00:39.000-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Dispatcher'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting practices'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='administration'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Dispatcher Errors</title><content type='html'>&lt;br /&gt;Recently, while working on a new QA system based on a copy of the PROD database, I encountered an error that I had never seen before when starting up the first dispatcher. I highlighted it below:&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;Running MxDispatcher_d1.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:19-539] - Initialized log for com.sap.idm.ic.services.api.MXMCApi. Log level is Debug&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;MxDispatcher version: 7.10.5.2 Built: 07.06.2011 16:20:24 (c) Copyright 2008 SAP AG. All rights reserved.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;Java VM: Sun Microsystems Inc. 
&amp;nbsp; Version: 1.5.0_22&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;Java home: C:\Program Files (x86)\Java\jdk1.5.0_22\jre&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;Java lib/ext: C:\Program Files (x86)\Java\jdk1.5.0_22\jre\lib\ext&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;CLASSPATH: d:\sap\idm\Java\mxdispatcher.jar;d:\sap\idm\Java\mxmcapi.jar;D:\jdbc2.0\sqljdbc_2.0\enu\sqljdbc.jar;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:19-557] - MxDispatcher:Reading prop files&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:19-557] - MxDispatcher:Loading driver: com.microsoft.sqlserver.jdbc.SQLServerDriver&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:19-639] - MxDispatcher:Creating connection to : jdbc:sqlserver://NWIDMSBX:1433;databasename=mxmc_db;user=mxmc_rt;password=********&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:21-369] - MxDispatcher:Reading main MxDispatcher configuration ...&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:21-593] - MxDispatcher:Dispatcher configuration d1 not found&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:21-594] - 
MxDispatcher:Error reading main MxDispatcher configuration ...&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"&gt;[21.09.2011 18:37:21-594] - The first config load failed:&lt;span class="Apple-style-span" style="background-color: yellow;"&gt;Dispatcher configuration d1 not found&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;div&gt;I went through all of the normal dispatcher configuration checks, Java configuration, drivers, and database configuration. Everything looked OK, my ODBC checks were OK, and I knew that I was contacting the database server and that the ports were open. One suspicious thing was the extremely long length of&amp;nbsp;the dispatcher name; however, that was not the cause.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What we actually found was that the server names were not correct after all. The ODBC connection was pointed to the correct server, but the Java runtime connection was to the wrong server. Nothing like the confusion in moving configurations from one environment to another! 
&amp;nbsp;After ensuring once again that I had the correct configuration, I regenerated the dispatcher scripts and all was fine.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So if you should see this error in the future, the cause is a connection string mismatch.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2651903140897803606?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2651903140897803606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2651903140897803606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2651903140897803606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2651903140897803606'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/dispatcher-errors.html' title='Dispatcher Errors'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-407478270276894471</id><published>2011-09-17T20:27:00.001-04:00</published><updated>2011-09-17T20:27:54.324-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2011'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Thursday and Friday @ TechEd 
2011</title><content type='html'>What can I say? The last two days of TechEd completely blew me away!&lt;br /&gt;&lt;div&gt;&lt;br /&gt;I started off by seeing a demo of the latest version of NetWeaver Identity management (7.2). Not even sure where to start! Role and Privilege Contexts, more on RESTful interfaces, increased dispatcher tuning, additional event tasks! Wow, I can't believe how much more powerful this application has become!&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The Context concept is fully integrated into NW IDM 7.2. &amp;nbsp;Adding a context layer when working with NW IDM Roles and Privileges is going to greatly simplify management of these objects. &amp;nbsp;I'm looking forward to reading and learning more about them as we begin to determine best practices. &amp;nbsp;I know this is going to become a large part of my toolkit when planning new deployments.&lt;br /&gt;&lt;br /&gt;Troubleshooting IDM has always been a challenge, however after learning about the new tracing functionality and the new script debugger, I think some of my headaches will start to go away. &amp;nbsp;I'll be blogging more about these features in the near future.&lt;br /&gt;&lt;br /&gt;The presentation on IDM workflows was very interesting. &amp;nbsp;I was pleased to see that the Development Team continues to simplify workflow approvals in general and Pending Value Objects in particular.&lt;br /&gt;&lt;br /&gt;Finally I attended a fantastic presentation on how SAP is using IDM and other Identity and Access Management technologies internally. This was an amazing insight into how a company manages several &lt;i&gt;million&lt;/i&gt; users and objects in a live setting.&lt;br /&gt;&lt;br /&gt;I can't wait to get my hands on the product. &amp;nbsp;Rumor has it that 7.2 is very close to release, hopefully early in the 4th quarter of this year. 
&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-407478270276894471?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/407478270276894471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=407478270276894471' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/407478270276894471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/407478270276894471'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/thursday-and-friday-teched-2011.html' title='Thursday and Friday @ TechEd 2011'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3782686296088452612</id><published>2011-09-15T16:57:00.001-04:00</published><updated>2011-09-17T20:27:46.545-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2011'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Wednesday @ Teched 2011</title><content type='html'>Some great sessions on the RESTful interface and integrating with SAP BW.&lt;br /&gt;&lt;br /&gt;It looks like NW IDM 7.2 is going to have some really killer features. 
&amp;nbsp;From the looks of the RESTful interface presentation, it will be possible to have quite a bit of NetWeaver Identity Management functionality in a number of different environments, including iOS and Android devices. &amp;nbsp;(The live iPad demo blew me away) I'm thinking the days of complaints about the NetWeaver IDM interface are coming to an end.&lt;br /&gt;&lt;br /&gt;There is a misconception in SAP-land that Identity Management is a stand-alone and peripheral part of SAP. &amp;nbsp;The presentation on BW integration sure put that to rest. With a few steps (including a VDS Configuration) IDM data can be pushed to BW and used in all kinds of interesting ways. Once the data is in IDM the standard reports show all kinds of historical and entry based information, lots of which one might think is not available from outside of IDM.&amp;nbsp;The additional ability to create custom reports means that the sky's the limit! &amp;nbsp;Can't wait to start taking advantage of this technology.&lt;br /&gt;&lt;br /&gt;This could also be a rare two post day if I can get the Thursday update in as well. 
Stay Tuned!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3782686296088452612?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3782686296088452612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3782686296088452612' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3782686296088452612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3782686296088452612'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/wednesday-teched-2011.html' title='Wednesday @ Teched 2011'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1763327849192728373</id><published>2011-09-13T20:09:00.000-04:00</published><updated>2011-09-13T20:09:31.122-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2011'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>TechEd 2011</title><content type='html'>Time for a new series of TechEd Reports. 
&amp;nbsp;Had a great time Sunday night meeting up with a bunch of folks from IDM, SSO, and SAP Security.&amp;nbsp;Interesting conversation about some new features coming out in the near future.&amp;nbsp; Hopefully we'll get some&amp;nbsp;official&amp;nbsp;announcements this week.&lt;br /&gt;&lt;br /&gt;Strangely enough Day 1 did not have a lot of specific IDM related content. &amp;nbsp;However, that's not to say that I did not attend any sessions. &amp;nbsp;Had an interesting overview of RESTful interfaces and how they are used in other parts of SAP-land and an interesting session on some BASIS basics, which unfortunately was more about tuning than administration, but it was still interesting!&lt;br /&gt;&lt;br /&gt;There was also a POD session about the 7.2 release which was a nice showcase of new functionality. &amp;nbsp;It also seems that we're getting close to a release date for 7.2. &amp;nbsp;Rumor has it that we are now looking at mid-to-late October.&lt;br /&gt;&lt;br /&gt;I wonder what's coming out first, IDM 7.2 or the iPhone 5? &amp;nbsp;Both products we're hearing lots about and we know are just about ready, but no one's giving any firm dates.&lt;br /&gt;&lt;br /&gt;Tomorrow promises to have a number of hands on sessions. 
&amp;nbsp;Can't wait!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1763327849192728373?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1763327849192728373/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1763327849192728373' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1763327849192728373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1763327849192728373'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/teched-2011.html' title='TechEd 2011'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3537966013759563947</id><published>2011-09-08T15:07:00.001-04:00</published><updated>2011-09-08T15:07:16.401-04:00</updated><title type='text'>Setting the Driver Straight</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;Been working on setting up a new environment for SAP IDM 7.1 SP5 (yes I know 6 is available). 
This installation is notable for me since I am configuring it around:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Windows Server 2008R2 64Bit&lt;/li&gt;&lt;li&gt;Microsoft SQL Server 2008R2 64Bit&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;So it's my first pure 64 Bit system. &amp;nbsp;I'm pretty excited. &amp;nbsp;So I got the OS installed no problem. &amp;nbsp;Got SQL installed. &amp;nbsp;(gotta say, 2008R2 is&amp;nbsp;probably&amp;nbsp;the smoothest SQL install I've done since SQL Server 7. &amp;nbsp;Very much a fan) Got the IDM DesignTime and Runtime installs completed with no problems. &amp;nbsp;Installed JAVA 1.6 and installed the 3.0 SQL Server drivers. &amp;nbsp;Then the skies began to darken...&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Kept getting driver not found errors when I went to test the dispatcher. &amp;nbsp;VERY Frustrating! Tried regenerating the dispatcher scripts, tweaking the Java configuration from MMC, even took a look at the dispatcher's .prop file and jdbcdefs.xml. &amp;nbsp;Tweaking some of these shed some light on the issue, but did not bring complete&amp;nbsp;success. That's when I started rethinking things and went back to basics.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;First I hit up Google and did some searching on SQL Server 2008, JDBC drivers and related topics. &amp;nbsp;Based on this I decided to roll back to the 2.0 SQL Server drivers and recreate the JDBC connection string. &amp;nbsp;This time I installed the SQL Server 2005 option instead and I got a little closer. 
&amp;nbsp;It seems that when one is using Java 1.6, the level 4 driver (sqljdbc4.jar) is required rather than the level 3 driver (sqljdbc.jar).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;What kept throwing me off in this is that when I was reading the options, I read them too literally. What the SQL Server 2005 option should read is SQL Server 2005 &lt;i&gt;and later&lt;/i&gt;… The connection string syntax and the driver name that is called seem different starting with 2005.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I was able to confirm the level 3/4 driver issue &amp;nbsp;when troubleshooting between the configuration on my various sandbox systems. My latest one is running 1.6 with sqljdbc4.jar and one of my older systems is using Java 1.5. 
&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So to wrap it up, what I've found is this:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Use the Microsoft &amp;nbsp;SQL Server 2.0 drivers&amp;nbsp;&amp;nbsp;&lt;b style="text-decoration: underline;"&gt;DO NOT&lt;/b&gt;&amp;nbsp;use the SQL Server 3.0 drivers&lt;/li&gt;&lt;li&gt;When building the JAVA connection string for an IDM Configuration &lt;u&gt;&lt;b&gt;DO NOT&lt;/b&gt;&lt;/u&gt; use Microsoft SQL Server option, rather, use Microsoft SQL Server 2005&lt;/li&gt;&lt;li&gt;If you are using Java 1.5, you’ll need to use the sqljdbc.jar&lt;/li&gt;&lt;li&gt;If you are using Java 1.6, you’ll need to use the sqljdbc4.jar&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;That's about it for the moment. &amp;nbsp;I still need to install a trial version of NetWeaver to get the sandbox up and running. &amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3537966013759563947?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3537966013759563947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3537966013759563947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3537966013759563947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3537966013759563947'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/09/setting-driver-straight.html' title='Setting the Driver Straight'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-321330050963722924</id><published>2011-08-12T11:08:00.000-04:00</published><updated>2011-08-12T11:08:27.050-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2011'/><title type='text'>Upcoming Events</title><content type='html'>I am very excited to announce that I will be at this year's TechEd in Las Vegas, NV. &amp;nbsp;Looks like I have a pretty filled week of learning all about the new 7.2 version (maybe we'll get a release date!), along with Best Practices, Troubleshooting tips and other good stuff.&lt;br /&gt;&lt;br /&gt;I also plan on taking part in a couple of other sessions on NetWeaver BASIS, REST Programming and GRC. I plan on reporting from the event as I did last year, and maybe even a Tweet or two.&lt;br /&gt;&lt;br /&gt;Should be a great week. 
&amp;nbsp;If you're going to be at TechEd this year, post a comment or contact directly, let's plan a meet-up!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-321330050963722924?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/321330050963722924/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=321330050963722924' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/321330050963722924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/321330050963722924'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/08/upcoming-events.html' title='Upcoming Events'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7379008357573212865</id><published>2011-08-02T22:55:00.000-04:00</published><updated>2011-08-02T22:55:42.641-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='commentary'/><title type='text'>Going Fishing for IdM</title><content type='html'>I think it's a given that Oracle's Identity Manager has been the 600 pound Gorilla in the provisioning space over the last few years. 
&amp;nbsp;From what I've been seeing, Microsoft's FIM and a&amp;nbsp;resurgence&amp;nbsp;of SAP Netweaver Identity Management will present a challenge with the new versions that are coming out, but first we need to get past the "Eye"&lt;br /&gt;&lt;br /&gt;What Eye is this? &amp;nbsp;Well, it's the &lt;a href="http://www.fish-eye.co/"&gt;FishEye&lt;/a&gt;&amp;nbsp;group. &amp;nbsp;Currently specializing in OIM, this practice features some pretty savvy architects, engineers and old friends. &amp;nbsp;I'm looking forward to seeing what they can do!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7379008357573212865?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7379008357573212865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7379008357573212865' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7379008357573212865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7379008357573212865'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/08/going-fishing-for-idm.html' title='Going Fishing for IdM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-9204885042281778572</id><published>2011-07-28T16:43:00.000-04:00</published><updated>2011-07-28T16:43:27.214-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascripting'/><category scheme='http://www.blogger.com/atom/ns#' term='Customization'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Fitting It Into the Schedule</title><content type='html'>This title applies to more than one aspect of my Identity Management life these days. I've been very&amp;nbsp;busy which accounts for the lack of blog entries lately. &amp;nbsp;It's not that I don't have what to write about. &amp;nbsp;It's more about finding the time to do it. &amp;nbsp;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I was given an interesting challenge lately. &amp;nbsp;We have a number of tasks on the current project that only need to run once a month, which is not a frequency that is supported by the IDM scheduler. There are actually a few ways to handle this, most of which revolve around finding the batch file that is created when the job is first run and tying this into the scheduling utility of your choice.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;However, I was really interested in finding a way that would work within the IDM framework. 
So I came up with this little script:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;// Main function: scheduler&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;function scheduler(Par){&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//Only run the task on a particular day of the month.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//Should only be called from the Initialization script of a maintenance job.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//Created by: Matt Pollicove 7/7/11&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//NW IDM Functions used in this script:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//uStop(&amp;lt;logmessage&amp;gt;);&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//uGetPassSubject();&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//uWarning(&amp;lt;msg&amp;gt;);&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//*****&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 
&amp;quot;Courier New&amp;quot;;"&gt;//NOTE: Requires an external Job Constant called Runday that is set to the &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//two digit day of the month that the task should be executed on or this value&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//must be hard coded&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//Parameters for the task.&amp;nbsp; Name of the pass/task and what the legal execution day is&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;var strJobName = uGetPassSubject();&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;var strRunOnThisDay = '%$runday%';&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//What's today's date and what is the actual date.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;var strDate = '%$ddm.date%';&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;var strToday = strDate.substring(3,5);&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;//Put it all 
together&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;if (strToday != strRunOnThisDay){&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; uWarning(strJobName + " is not scheduled to run on " + strDate);&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; uStop();&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;}&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;;"&gt;}&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;As you can see, it's not terribly complicated, but let's break it down:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The task first grabs the name of the running task for informational purposes. 
&amp;nbsp;Then it goes out to find a local constant (feel free to make an adjustment so that it works with a repository or global constant) which holds the day of the month the task should run on.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span class="Apple-style-span"&gt;Once we have this, we do basically the same thing with the current date, by getting it from the system parameter&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New';"&gt;%$ddm.date%&lt;/span&gt;&lt;span class="Apple-style-span"&gt;,&amp;nbsp;and retrieving the day of the month from it.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Then we can compare the two values. If they're equal, the job goes ahead; if not, we log a message (another thing that can be taken out if desired) and call&amp;nbsp;&lt;span class="Apple-style-span" style="font-family: 'Courier New';"&gt;uStop()&lt;/span&gt;.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now to use this functionality we need to do the following:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Copy/Paste the script listing above into a NW IDM script.&lt;/li&gt;&lt;li&gt;Create the RUNDAY constant. &amp;nbsp;Remember if you choose to create this as anything other than a job constant, you need to edit the script accordingly.&lt;/li&gt;&lt;li&gt;This script could be used in either a managed task (yellow folder section) or&amp;nbsp;a work flow task (although I'm not sure why). But the script should be placed in the "Initialization script" entry on the source tab of the first pass in the job. 
When running as a managed task, it should be scheduled to run once every 24 hours.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;div&gt;That's about it. &amp;nbsp;Hope this works for you. &amp;nbsp;Please remember to share any edits or improvements.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-9204885042281778572?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/9204885042281778572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=9204885042281778572' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9204885042281778572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9204885042281778572'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/07/fitting-it-into-schedule.html' title='Fitting It Into the Schedule'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3537106935705130617</id><published>2011-07-26T10:41:00.000-04:00</published><updated>2011-07-26T10:41:27.461-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>More from the JAR</title><content type='html'>An ugly issue came up not too long ago on my project. &amp;nbsp;We were seeing the error messages referencing an mxmc_admin based connection string as mentioned in &lt;a href="http://www.blogger.com/(http://idm-thoughtplace.blogspot.com/2011/02/too-much-in-jar.html"&gt;Too Much in the JAR&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So, I said to myself, I know how to deal with this, and proceeded to show off my knowledge by going to the MMC Console, selecting Tools/Option and selected the JAVA tab and found… nothing wrong. Only one extension present, JDBC driver JAR was right. &amp;nbsp;Felt the virtual pie in the face.&lt;br /&gt;&lt;br /&gt;So we started looking. &amp;nbsp;I did insist that the root of the issue was a JAVA conflict and no one on the team had any real reason to doubt me. &lt;br /&gt;&lt;br /&gt;Eventually we found the issue, and it was indeed related to JAVA. &amp;nbsp;It seemed that there were multiple JDBC drivers installed and like the JARs, this can be a bad thing.&lt;br /&gt;&lt;br /&gt;There were two SQL Server drivers specified. It turns out one was for SQL Server 2000 and one for SQL Server 2005. 
&amp;nbsp;For reference here are the drivers:&lt;br /&gt;&lt;br /&gt;2005: com.microsoft.sqlserver.jdbc.SQLServerDriver&lt;br /&gt;2000: com.microsoft.jdbc.sqlserver.SQLServerDriver&lt;br /&gt;&lt;br /&gt;Hope this helps you next time you get a conflict!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3537106935705130617?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3537106935705130617/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3537106935705130617' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3537106935705130617'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3537106935705130617'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/07/more-from-jar.html' title='More from the JAR'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5331497400364955652</id><published>2011-06-13T19:46:00.002-04:00</published><updated>2011-06-13T19:48:31.095-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Customization'/><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='administration'/><category scheme='http://www.blogger.com/atom/ns#' term='SP5'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>The Tao of IDM</title><content type='html'>&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;The best soldier does not attack. The superior fighter succeeds without violence. The greatest conqueror wins without struggle. The most successful manager leads without dictating. This is intelligent non aggressiveness. This is called the mastery of men.&amp;nbsp;&lt;/span&gt;&lt;/blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="color: #555555; line-height: 21px;"&gt;So why would I lead an Identity Management blog entry with a quote from the Tao Te Ching&lt;/span&gt;&lt;span class="Apple-style-span" style="color: #555555; line-height: 21px;"&gt;? Basically it sums up a recent issue I had in my current project.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="color: #555555; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;As a part of this project, I am helping to get a young engineer familiar with IDM. &amp;nbsp;Working together we needed to create a query that would return only specific types of users for an IDM export Job. &amp;nbsp;I explained the basic process for executing the export and watched him work on various queries to return the correct users, while advising him about database structures and useful techniques. As an elaborate query began to take shape it was starting to look way too complicated. 
&amp;nbsp;I started thinking that there had to be a better way to accomplish our task.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;Then I remembered that since we were doing a "To Database" task we could specify the Identity Store as the source and use the built-in editor to build the correct query. &amp;nbsp;It took seconds to build and we quickly checked the query by doing a copy/paste to Microsoft SQL Server. &amp;nbsp;It worked perfectly and we were up and running.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;Here's an example of the query that we created:&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-G5MhTWoCjTQ/TfacgEg8oMI/AAAAAAAAAGg/5ZpqX7rmnE4/s1600/generated+Query.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="27" src="http://2.bp.blogspot.com/-G5MhTWoCjTQ/TfacgEg8oMI/AAAAAAAAAGg/5ZpqX7rmnE4/s320/generated+Query.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;So what's the takeaway on this? &amp;nbsp;Look to see what the system can do rather than build something from the outside. 
At the very least, use the tools to build the query and then customize it (just remember that using an external query editor on the edited query makes the built-in tool not work).&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;And here's how easy it was to generate the query:&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-xV6wb7Ibyu4/TfacghkwKvI/AAAAAAAAAGk/ly1JDNil3ZI/s1600/sample+build+SQL+Query.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="139" src="http://2.bp.blogspot.com/-xV6wb7Ibyu4/TfacghkwKvI/AAAAAAAAAGk/ly1JDNil3ZI/s320/sample+build+SQL+Query.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;There's no need to reinvent the wheel&lt;/div&gt;&lt;span class="Apple-style-span" style="color: #555555; font-family: inherit; line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #555555;"&gt;&lt;span class="Apple-style-span" style="line-height: 21px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5331497400364955652?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5331497400364955652/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5331497400364955652' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5331497400364955652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5331497400364955652'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/06/tao-of-idm.html' title='The Tao of IDM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-G5MhTWoCjTQ/TfacgEg8oMI/AAAAAAAAAGg/5ZpqX7rmnE4/s72-c/generated+Query.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6342353601497177249</id><published>2011-06-10T11:40:00.000-04:00</published><updated>2011-06-10T11:40:30.266-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='administration'/><category scheme='http://www.blogger.com/atom/ns#' term='MMC'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='User Interface'/><title type='text'>IDM MMC Navigation Tip</title><content type='html'>Ok, I won't make this all about the problems with the MMC Console.&amp;nbsp; We all know what they are. 
However, one thing that's always ticked me off is navigating through a long list of attributes or scripts.&amp;nbsp; If that list gets to be too long, it turns into a scrolling list. Of course good naming conventions help, but we'll talk about that another time.&lt;br /&gt;&lt;br /&gt;Quite by accident, I discovered that you can click on the list of attributes then scroll through with the arrow keys, and more importantly, if you go to the very top, you are automatically brought to the other end of the list so you can keep on scrolling.&lt;br /&gt;&lt;br /&gt;Hopefully this will save you some time, effort and aggravation!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6342353601497177249?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6342353601497177249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6342353601497177249' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6342353601497177249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6342353601497177249'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/06/idm-mmc-navigation-tip.html' title='IDM MMC Navigation Tip'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4097030326728953577</id><published>2011-06-07T22:01:00.003-04:00</published><updated>2011-06-08T08:08:21.876-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><title type='text'>If you didn't write it down, it didn't happen!</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://sayingimages.com/if-you-didnt-write-it-down-it-didnt-happen/"&gt;&lt;img border="0" height="240" src="http://3.bp.blogspot.com/-IVG0VOAnNuc/Te7TPUriNyI/AAAAAAAAAGc/SZtHQwvyIzo/s320/tumblr_kyknndAsRv1qzpe8uo1_500.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;We've all been there. It's crunch time. Where did the time go? Weeks of requirement gathering, architecture, development, unit test, integration test, and now go-live with a whole bunch of dependencies and C-level attention is right on top of us. &amp;nbsp;There's only time to address the last minute issues. &lt;br /&gt;&lt;br /&gt;Throughout the project, the PM has been screaming for documentation. &amp;nbsp;Where's the completed&amp;nbsp;architecture? Where's the test plan that you said you worked against? How about a&amp;nbsp;run-book? And on, and on and on...&lt;br /&gt;&lt;br /&gt;Too many architects, leads and engineers regard documentation as a necessary evil at best. Until it comes time that &lt;b&gt;YOU &lt;/b&gt;are the one inheriting the project and &lt;b&gt;YOU&lt;/b&gt; have to try and understand what some guy did in the past. 
&amp;nbsp;If you're really lucky, you know the guy or he's still with the client, or maybe even your practice if you're a consultant.&lt;br /&gt;&lt;br /&gt;We all seem to forget that documentation is just as important as any piece of code, fancy database query or complex workflow. &amp;nbsp;It's the basis for the whole project. &amp;nbsp;It needs to be focused on just as much as any piece of development or testing.&lt;br /&gt;&lt;br /&gt;The fact is, if you have a good design, any engineer can build the solution. &amp;nbsp;If you have a good test plan, the QA meeting flies right by and the change control board meeting becomes a coffee break rather than a&amp;nbsp;Homeric&amp;nbsp;battle to prove that your solution is up to snuff.&lt;br /&gt;&lt;br /&gt;It also benefits you as an architect/engineer/consultant. &amp;nbsp;If it's written down, it's easy to reference for future work. &amp;nbsp;Remember, when you're sitting in the corner office as the CIO and someone comes up to ask you "back when you were the IDM lead, how did we do ... ?" &amp;nbsp;Well if it's written down, you'll know!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What ticks me off even more, is that it's &lt;strong&gt;SO&lt;/strong&gt; easy to create even basic documentation in NetWeaver IDM. Fill in the documentation tab for tasks and folders with a few notes, references and examples. Put some comments in your scripts and then run the system report. &amp;nbsp;The most you might have to do is install the MMC console on your desktop so that you have access to Office. Then just run a bare bones system report. &amp;nbsp;Voila!&lt;br /&gt;&lt;br /&gt;Just in case you haven't figured it out, I have inherited Phase II of&amp;nbsp;a project with sparse technical documentation and everyone involved in this Phase is paying for it. 
In reality this is seldom any one person's fault.&amp;nbsp; There's limited time and multiple pressures as I mentioned in the opening of this essay, however that needs to stop being the excuse.&lt;br /&gt;&lt;br /&gt;Based on the lack of documentation created in the past, there's increased attention on design and architecture documents, so at least the lesson has been learned in this situation. &lt;br /&gt;&lt;br /&gt;It sure would have been easier to write if there was even &lt;i&gt;some&lt;/i&gt; documentation. &amp;nbsp;Now I'm living in a world where nothing was written down, so I don't know what happened!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4097030326728953577?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='enclosure' type='' href='http://sayingimages.com/if-you-didnt-write-it-down-it-didnt-happen/' length='0'/><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4097030326728953577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4097030326728953577' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4097030326728953577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4097030326728953577'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/06/weve-all-been-there.html' title='If you didn&apos;t write it down, it didn&apos;t happen!'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-IVG0VOAnNuc/Te7TPUriNyI/AAAAAAAAAGc/SZtHQwvyIzo/s72-c/tumblr_kyknndAsRv1qzpe8uo1_500.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5465217604880819483</id><published>2011-05-08T21:48:00.001-04:00</published><updated>2011-05-08T21:49:03.399-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Setting up Remote Dispatchers</title><content type='html'>On the project I just wrapped up, we realized that we would need additional runtime dispatchers for load balancing. After taking a quick look at the environment, I realized that I did not have any current documentation on installing a remote dispatcher, so of course I needed to create some. &amp;nbsp;Based on the SAP documentation for creating a &lt;a href="http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00e7da17-26a1-2c10-c5a7-b9886cbc2a14?QuickLink=index&amp;amp;overridelayout=true"&gt;UNIX Dispatcher&lt;/a&gt;, I generated some documentation. &amp;nbsp;I've reproduced part of it here. 
&amp;nbsp;The documentation I did for the client included some extra content, but since they paid for this and you aren't, here's the bare-bones (but complete) process.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Copy the IC Runtime Folder from the IDM Server to the Target System.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Go to the \setup folder and run setupwin32.exe.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Go back to the IDM server and create a new dispatcher: right-click on the Dispatcher node of the SAP NW IDM MMC console, and select New and Dispatcher.&amp;nbsp;&lt;/li&gt;&lt;li&gt;The Dispatcher should be renamed to reflect the target system that it will be running on (e.g., IDM_SERVER2).&amp;nbsp;&lt;/li&gt;&lt;li&gt;After you have named the dispatcher it will be necessary to generate the dispatcher scripts by clicking on the “Create dispatcher scripts…” button.&lt;/li&gt;&lt;li&gt;Navigate to the service scripts folder or wherever you installed the files. Copy these files to the other server, which will have the same name as the dispatcher node named in the step above. There will be three files generated that end in .BAT, .PROP and .SH. 
The files can be placed in the Program Files\SAP\IDM\Identity Center folder or in the folder of your choice.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Make edits to the batch file that was just copied:&amp;nbsp;The JVMDLL and MXDISPATCHERPROP lines will most likely need to be changed to reflect updated locations on the target server.&amp;nbsp;&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;There you have it, this is the basic process for setting up a dispatcher on a remote system.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5465217604880819483?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5465217604880819483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5465217604880819483' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5465217604880819483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5465217604880819483'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/05/on-project-i-just-wrapped-up-we.html' title='Setting up Remote Dispatchers'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1182476914217664459</id><published>2011-05-02T20:58:00.003-04:00</published><updated>2011-05-04T10:53:43.385-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW 
IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL'/><title type='text'>A Penny for Your Query?</title><content type='html'>Over the years, I have begun to build up a small library of useful queries and query techniques, some of which I have shared in past posts.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Probably my most frequently used query is actually a two-parter; the first part is pretty straightforward:&lt;/div&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;select distinct mskey from mxiv_sentries where searchvalue = 'mapo'&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This is a pretty basic query that simply grabs the MSKEY of a given Identity Store object. This is really interesting when you combine these results with this query:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px; line-height: 15px;"&gt;select attrname, searchvalue, aValue from mxiv_sentries where mskey = 123456 order by attrname&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Basically, it grabs the relevant attributes that match up with the MSKEY that we just found. &amp;nbsp;Most of the time, I'm using this to find user information, but I've been known to use it on roles and privileges as well. For extra visibility, I'll also throw an "order by" clause on the end to get better access to custom attributes depending on which side of the alphabet they are in. 
&amp;nbsp;Possibly the only good thing about all of those "MX_" attributes is that they all sit in the middle of the list.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="color: blue; font-family: 'Courier New'; font-size: 10pt; line-height: 115%;"&gt;&lt;/span&gt;What queries do you use a lot?&lt;br /&gt;&lt;br /&gt;UPDATE:&lt;br /&gt;&lt;br /&gt;Just as an idea of what you can do to expand on this basic technique, here's a query I developed that gets the user's Manager name assuming that the user's PerNr and PerNr of the user's manager are in IDM (this usually happens from the HCM feed)&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;select searchvalue from mxiv_sentries where attrname='DISPLAYNAME' and mskey in&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;(select mskey from mxiv_sentries where attrname = 'MX_FS_PERSONNEL_NUMBER' and searchvalue in (select searchvalue from mxiv_sentries where attrname = 'MX_FS_PERSONNEL_NUMBER_OF_MANAGER' and mskey in&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;(select distinct mskey from mxiv_sentries where searchvalue = 'MAPO')));&lt;/span&gt;&lt;/blockquote&gt;In a script the searchvalue ("MAPO" in this case) would most likely be the user's MSKEYVALUE.&lt;br /&gt;&lt;br /&gt;I also took the opportunity to update the first query to read "select distinct..." 
per my comment to the original post.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1182476914217664459?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1182476914217664459/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1182476914217664459' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1182476914217664459'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1182476914217664459'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/05/penny-for-your-query.html' title='A Penny for Your Query?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7709019213690138895</id><published>2011-05-01T21:26:00.000-04:00</published><updated>2011-05-01T21:26:40.153-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='commentary'/><title type='text'>The Crew of the Enterprise</title><content type='html'>Enterprise projects require Enterprise tools. &amp;nbsp;We all know this. 
There's no way you're running an Identity Management system in an Enterprise Environment on Microsoft Access (No insult intended, Microsoft!)&lt;br /&gt;&lt;br /&gt;By the same token, Enterprise projects require Enterprise Staff. &amp;nbsp;Your Identity Management project requires top of the line staff. &amp;nbsp;A team of talented DBAs, Operating System Admins and local security experts are required to make your project run smoothly. &lt;br /&gt;&lt;br /&gt;Several times in this blog I've talked about what goes into a successful project. &amp;nbsp;We can plan all we want, outline the project and put in proper controls, but without the right team in place, the project won't go anywhere.&lt;br /&gt;&lt;br /&gt;Here's to the supporting staff of the IDM project, the DBAs, system admins, and IT security staff. &amp;nbsp;Thanks, folks!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7709019213690138895?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7709019213690138895/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7709019213690138895' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7709019213690138895'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7709019213690138895'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/05/crew-of-enterprise.html' title='The Crew of the Enterprise'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8690902912109512279</id><published>2011-04-27T19:30:00.002-04:00</published><updated>2011-04-28T07:58:44.050-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><title type='text'>It’s Iteration Time</title><content type='html'>Recently, I had an interesting problem presented to me today that I was able to solve using a seldom used piece of IDM functionality.&lt;br /&gt;&lt;br /&gt;The project I am working on had a requirement to read some information in from Active Directory and write it into IDM, but with a twist: &amp;nbsp;we only needed to get information from certain OUs, about 30 of them. &amp;nbsp;With this many, it did not make sense to write a separate pass for each and every OU. &amp;nbsp;That would be unwieldy and a complete pain to administer: you’d have to make a new copy of the pass for each OU to be added or delete the pass if it should be removed, which leaves too much room for making a mistake. Now if IDM could somehow iterate through the list, we'd be set!&lt;br /&gt;&lt;br /&gt;Instead, one of the talented people on the project built a PowerShell script that creates a list of OUs that need to be processed and dumps it to a text file. IDM can execute this script using a Shell execute pass. &amp;nbsp;When it’s done we take that output and dump it into the database using a From ASCII pass. 
&amp;nbsp;Now here’s where the fun comes in…&lt;br /&gt;&lt;br /&gt;The next pass is a From LDAP pass as one would expect in a reconciliation process. However we’re going to set it up a little differently by using the “Advanced” button to set up a process by which we can iterate through the OUs that we just moved into the database table from the PowerShell script.&lt;br /&gt;&lt;br /&gt;To start, configure the Pass as you usually would: set a repository; populate the login name, password and a starting point using one of the OUs that you will be reconciling from. &amp;nbsp;When it’s all configured correctly, go to the Destination tab and read in the Source Template, then come back to the Source Tab and hit the “Advanced” button.&lt;br /&gt;&lt;br /&gt;Set up your database source and SQL statement as you would in any other task. &amp;nbsp;When you’re done, it should look something like this:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-tNsmsBl1Byw/Tbima22qzAI/AAAAAAAAAGU/MEugNmW3ZIo/s1600/Advanced+button.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="158" src="http://3.bp.blogspot.com/-tNsmsBl1Byw/Tbima22qzAI/AAAAAAAAAGU/MEugNmW3ZIo/s320/Advanced+button.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Note that I use a Constant to hold the database connection string. &amp;nbsp;It saves some time since I don’t have to keep generating it and provides an easy way to update everything when I move from DEV/TEST to PROD.&lt;br /&gt;&lt;br /&gt;Now as you recall, up above we set a Starting Point based on one of the OUs from our list. &amp;nbsp;Now we’re going to change that. &amp;nbsp;Go back to the LDAP URL configuration and replace the OU with the value from our query. 
&amp;nbsp;It will look something like this:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-F5T1r3nERCw/Tbimnl3pZII/AAAAAAAAAGY/B6VQ3Jijmak/s1600/finished+config.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="144" src="http://1.bp.blogspot.com/-F5T1r3nERCw/Tbimnl3pZII/AAAAAAAAAGY/B6VQ3Jijmak/s320/finished+config.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Now you might be wondering, why we can’t determine the Datasource Template with the dynamic configuration, well the simple answer is that you just can’t and if you try you’ll be told that it is not possible to discover the schema from a dynamic starting point. However, if you’ve configured everything correctly, go ahead and run the task. &amp;nbsp;You’ll see that you have just gathered AD User information from a number of different OUs. &amp;nbsp;Good work!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8690902912109512279?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8690902912109512279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8690902912109512279' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8690902912109512279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8690902912109512279'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/04/its-iteration-time.html' title='It’s Iteration Time'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-tNsmsBl1Byw/Tbima22qzAI/AAAAAAAAAGU/MEugNmW3ZIo/s72-c/Advanced+button.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3570488950914360677</id><published>2011-04-21T09:01:00.000-04:00</published><updated>2011-04-21T09:01:44.276-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Customization'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><title type='text'>Time for a REST</title><content type='html'>Ok, now I really want to work with 7.2!&lt;br /&gt;&lt;br /&gt;The REST interface is now available.&amp;nbsp; Using REST and JSON it is now possible for users to create their own interfaces.&amp;nbsp; Hopefully I'll be able to start learning more about this soon.&lt;br /&gt;&lt;br /&gt;For more information look here: &lt;a href="http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24322"&gt;http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24322&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3570488950914360677?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3570488950914360677/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3570488950914360677' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/25881969/posts/default/3570488950914360677'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3570488950914360677'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/04/time-for-rest.html' title='Time for a REST'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-838805519199628144</id><published>2011-04-13T14:58:00.000-04:00</published><updated>2011-04-13T14:58:30.938-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><title type='text'>Account Logins and Anonymous Access</title><content type='html'>For a process that is supposed to be all about promoting access, NW IDM certainly has enough ways to prohibit access to the system.&lt;br /&gt;&lt;br /&gt;We recently enabled Anonymous Password reset and had a user that just could not authenticate. 
No&amp;nbsp;matter what they entered they&amp;nbsp;kept getting access denied when they answered their authentication questions.&lt;br /&gt;&lt;br /&gt;As a test we had them reset their authentication answers to a single character.&amp;nbsp; We even tried clearing all the answers by dropping their MX_AUTHQ_00x entries (Set MX_AUTHQ_001 --&amp;gt; {D}, and so on) which had been the previous extreme solution to these problems.&lt;br /&gt;&lt;br /&gt;Finally, one of the other engineers on the project noticed that MX_FAILEDRECOVER was&amp;nbsp;currently at 4 for the user, with&amp;nbsp;3 being the limit in the system.&amp;nbsp;We then executed&amp;nbsp;our unlock IC user task, which resets this value.&amp;nbsp; The user was then able to&amp;nbsp;authenticate.&lt;br /&gt;&lt;br /&gt;Kind of an interesting situation: even though&amp;nbsp;the&amp;nbsp;"user" was logging in anonymously,&amp;nbsp;the system was still checking this value before they could reset their password. Nice to see that SAP IDM is on duty and&amp;nbsp;guarding the points of entry to the system.&amp;nbsp;&amp;nbsp;Time for this user to call the help desk!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-838805519199628144?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/838805519199628144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=838805519199628144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/838805519199628144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/838805519199628144'/><link rel='alternate' type='text/html' 
href='http://idm-thoughtplace.blogspot.com/2011/04/account-logins-and-anonymous-access.html' title='Account Logins and Anonymous Access'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1382881729067954950</id><published>2011-04-01T09:45:00.002-04:00</published><updated>2011-04-01T09:49:11.361-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Customization'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='User Interface'/><title type='text'>Warping Labels to Blank lines</title><content type='html'>&lt;div class="MsoNormal"&gt;&lt;span class="Apple-style-span" style="font-size: 18px;"&gt;Ahhh, to experience the joys of designing and implementing an Identity Management solution. It doesn't matter how many bugs you quash, what desired impossible functionality that you pull out of the hat, there's always that something more that's needed to make the project "Perfect." 
For me, as an old timer with MaXware Identity Center and now with SAP NetWeaver Identity Management, perfection lies in the user interface.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="font-size: 13.5pt;"&gt;I love the fact that I don't have to know PHP to customize the UI with the migration to NetWeaver and that I can add in all kinds of neat things like tabs, lines and columns. However, I just wish that it would work a little better.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="font-size: 13.5pt;"&gt;The biggest frustration I've had recently is how to get a blank line to appear in the UI. Sometimes a blank line just works better than putting in a horizontal line.&amp;nbsp;Every now and then I would be able to get one to appear, but just not consistently. After a while, I began to determine some trends and after some testing I think I have the process down pat for including blank lines in the UI:&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-size: 18px;"&gt;Create the label and put some text in it.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-size: 18px;"&gt;Apply the change. IDM Service restart via NetWeaver Administrator might be needed&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-size: 18px;"&gt;Change the label text to some spaces.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-size: 18px;"&gt;Apply the change. 
IDM Service restart via&amp;nbsp;NetWeaver Administrator&amp;nbsp;might be needed&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;There you have it. I’ve found more often than not the first restart is not needed, but you just never know. As I’ve thought about what’s happening behind the scenes, my theory is that the system rejects a NULL value as a label, which is what you have when you create the label. After it’s been populated and then cleared, the value is no longer NULL. It is, however, empty and is represented that way in the UI. (Thanks also to my friends on the development team who commented on this as well)&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;To date, I’ve only been able to test this in NetWeaver Identity Management 7.1, SP5. I would be very interested to hear if this works in other 7.1 patch levels (it probably should) and in 7.2 (Can’t wait to get my hands on it!)&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: 'Times New Roman', serif; font-size: 13.5pt; line-height: 115%;"&gt;Personally, I think it would be better for all concerned if there was just a blank line object. 
Maybe next version…&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1382881729067954950?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1382881729067954950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1382881729067954950' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1382881729067954950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1382881729067954950'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/04/warping-labels-to-blank-lines.html' title='Warping Labels to Blank lines'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7041176752082726045</id><published>2011-02-24T10:55:00.001-05:00</published><updated>2011-02-28T07:43:40.070-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><title type='text'>Troubleshooting "To passes"</title><content type='html'>&lt;div class="separator" style="clear: 
both; margin: 0px; text-align: left;"&gt;Now on to a different troubleshooting tip.&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;Sometimes when executing a "To Pass" you'll have an error in writing to that destination, be it a database or a directory service. &amp;nbsp;When writing to a database, you might encounter an error saying something like "the table cannot be created" or the dreaded LDAP 49, "Unwilling to perform."&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;Basically, what's going on here is that there's a problem writing to the database or the directory service, so you should check a couple of basic things:&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;1. Is the data format in the destination actually supported? In regards to a database, just because the destination grid says tinyint, this does not mean your Oracle database back end supports it (or smallint on the Microsoft SQL side for that matter). &amp;nbsp;Always double check this first.&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;2. Try disabling all of the destination attributes except for the first one and run the task again. &amp;nbsp;If it works, enable the second&amp;nbsp;destination attribute&amp;nbsp;and keep on with it, leaving attributes that work enabled and ones that don't work disabled. 
Don't forget that the first line in the destination grid refers to a key, so if this isn't working, make sure that the value is unique and properly formatted for your destination in terms of type &lt;b&gt;and&lt;/b&gt;&amp;nbsp;format.&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;You can then look back at the disabled attributes and see what works and what does not. &amp;nbsp;More likely than not there's a formatting issue going on or something in an attached script. When working with Directory Services in a "To LDAP" pass, I've also found it helpful to change the output type to LDIF as shown below.&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-uolKXU5Pow8/TWVswnoNRRI/AAAAAAAAAGQ/p2472Vabrjc/s1600/toLDAP.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="89" src="http://1.bp.blogspot.com/-uolKXU5Pow8/TWVswnoNRRI/AAAAAAAAAGQ/p2472Vabrjc/s320/toLDAP.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;After this is done the results of the pass will be sent to a text file, which is sometimes easier to review. Just don't forget to change it back when you're done!&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; margin: 0px; text-align: left;"&gt;Good luck and &amp;nbsp;feel free to post your own favorite troubleshooting tips as comments!!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' 
height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7041176752082726045?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7041176752082726045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7041176752082726045' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7041176752082726045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7041176752082726045'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/02/troubleshooting-to-passes.html' title='Troubleshooting &quot;To passes&quot;'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-uolKXU5Pow8/TWVswnoNRRI/AAAAAAAAAGQ/p2472Vabrjc/s72-c/toLDAP.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2131657183031696765</id><published>2011-02-23T15:19:00.003-05:00</published><updated>2011-02-23T15:27:01.220-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' 
term='IC'/><title type='text'>Too much in the JAR</title><content type='html'>Recently had a problem where Import/Export was not working. &amp;nbsp;I kept getting an interesting Error Message:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-XudzLgw51vk/TWVfElpZr_I/AAAAAAAAAGE/AOhaqqJpdQM/s1600/import-Export-error.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="231" src="http://2.bp.blogspot.com/-XudzLgw51vk/TWVfElpZr_I/AAAAAAAAAGE/AOhaqqJpdQM/s320/import-Export-error.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;What was really interesting about this was the user that was referenced, &lt;b&gt;mxmc_admin&lt;/b&gt;. &amp;nbsp;Now this is interesting, because during the Identity Store creation process, you are prompted to use &lt;b&gt;mxmc_rt&lt;/b&gt; as the user and there is &lt;i&gt;no time&lt;/i&gt; during the install that you are asked to create a JAVA based connection string using &lt;b&gt;mxmc_admin&lt;/b&gt;.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;This started a great deal of troubleshooting and conversations with people who have a great deal of knowledge with IDM's moving parts. 
Ultimately we wound up looking at the options in IDM's MMC interface.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-ILtSCuQn4wc/TWVgbCHahLI/AAAAAAAAAGI/eS4Q151sV9w/s1600/options.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="229" src="http://2.bp.blogspot.com/-ILtSCuQn4wc/TWVgbCHahLI/AAAAAAAAAGI/eS4Q151sV9w/s320/options.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The problem was in the Classpath Extension. It seems in this installation we had the old Microsoft SQL 2000 JARs loading before the SQL 2005 JAR. Since the MS SQL 2000 drivers were no longer needed, I removed them, regenerated my dispatcher scripts and restarted the dispatcher services. I was now able to export without a problem. 
I'm saying it's the order the JARs are listed in, since I looked at my personal sandbox system and saw that I had the following Classpath:&amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-P-1Hi-0kda0/TWVkn4sgpgI/AAAAAAAAAGM/EAwHX4NQg9Y/s1600/options-sbx.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="230" src="http://3.bp.blogspot.com/-P-1Hi-0kda0/TWVkn4sgpgI/AAAAAAAAAGM/EAwHX4NQg9Y/s320/options-sbx.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;And my Import/Export works just fine, thank you very much.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Some more good troubleshooting to come...&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2131657183031696765?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2131657183031696765/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2131657183031696765' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2131657183031696765'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2131657183031696765'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/02/too-much-in-jar.html' 
title='Too much in the JAR'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-XudzLgw51vk/TWVfElpZr_I/AAAAAAAAAGE/AOhaqqJpdQM/s72-c/import-Export-error.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6095567115743665030</id><published>2011-02-22T17:17:00.000-05:00</published><updated>2011-02-22T17:17:05.974-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='CUA'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Strategic IDM</title><content type='html'>Interesting post on &lt;a href="http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/23577"&gt;SAP's IDM Blog&lt;/a&gt;. &amp;nbsp;Basically, the author is stating that if you want to plan your SAP implementation in a strategic manner, you must use IDM and not CUA (Central User Administration). This is a nice follow up to&lt;a href="http://www.sapteched.com/usa/edu_sessions/session.htm?id=443"&gt; SCI104 from TechEd&lt;/a&gt;, which I&lt;a href="http://idm-thoughtplace.blogspot.com/2010/10/final-report-from-las-vegas.html"&gt; reported about&lt;/a&gt; as well.&lt;br /&gt;&lt;br /&gt;Nice to see that SAP is starting to get a little more aggressive here. 
&amp;nbsp;If you are a SAP Shop and rely on CUA, it might be time to start thinking about how you plan to deploy. &amp;nbsp;Additionally, if you're a SAP Shop on SUN IDM, and not too keen on a switch to Oracle, SAP IDM might be something to look into!&lt;br /&gt;&lt;br /&gt;As always, leave a comment or email me if you have questions about what needs to happen in these implementations!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6095567115743665030?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6095567115743665030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6095567115743665030' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6095567115743665030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6095567115743665030'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/02/strategic-idm.html' title='Strategic IDM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2201940250826251808</id><published>2011-02-03T16:41:00.000-05:00</published><updated>2011-02-03T16:41:46.546-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category 
scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Learning from your mistakes</title><content type='html'>&lt;span class="body"&gt;&lt;/span&gt;&lt;br /&gt;I love making mistakes. &amp;nbsp;It's probably the best teacher in this world of Identity Management. In honor of that (and before the technical content), some thoughts on making mistakes:&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;Never say, "oops."&amp;nbsp; Always say, "Ah, interesting."&amp;nbsp; ~Author Unknown&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;It's always helpful to learn from your mistakes because then your mistakes  seem worthwhile. ~&lt;a href="http://www.quotationspage.com/quotes/Garry_Marshall/"&gt;Garry Marshall&lt;/a&gt;,  'Wake Me When It's Funny'&lt;/span&gt;&lt;/blockquote&gt;Lost some time on my current project while NetWeaver needed to be reinstalled, no big deal since I could prototype a few things on my local environment and try and prepare for some of the challenges we knew would be coming up. Nevertheless, as soon as the server was ready, I was eager to get going.&lt;br /&gt;&lt;span class="body"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="body"&gt;Reconfiguring NetWeaver went through without a snag. &amp;nbsp;We even were able to observe a few things that were done differently in the rebuild and documented some best practices. When things are going this well, I should know better and start&amp;nbsp;concentrating&amp;nbsp;on what I'm missing. 
There are just too many things going on for things to be going this smoothly.&lt;/span&gt;&lt;br /&gt;&lt;span class="body"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="body"&gt;We configured the JDBC Driver and then the JDBC Datasource (IDM_DataSource) which went through without a problem (and part of what caused us grief before). &amp;nbsp;My "Spidey Sense" should have been going off like crazy now.&lt;/span&gt;&lt;br /&gt;&lt;span class="body"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="body"&gt;We then went in and configured the Roles and a test user. &amp;nbsp;Then we set up that same user in the Identity Store via the MMC console. Now it was time for the big test, loading the Web UI, which came up with no errors (We were also getting&amp;nbsp;&lt;/span&gt;&lt;em&gt;Access denied&lt;/em&gt;, &lt;em&gt;service down&lt;/em&gt;&amp;nbsp;messages from the Web UI last time around). We logged in, which was further than we got before, but we still had a problem.&lt;br /&gt;&lt;br /&gt;We only saw the Monitoring tab. &amp;nbsp;I checked the assigned roles for the user and removed idm.monitoring.admin (my read/write role for monitoring), logged back in and still only saw monitoring. &amp;nbsp;How strange.&lt;br /&gt;&lt;br /&gt;Did some thinking, did some Googling, read some slightly related SDN posts with no clear relation or answers and did some more thinking.&lt;br /&gt;&lt;br /&gt;As I pondered the install process and the login process, it hit me! Turns out we were so excited that we skipped an essential step! &amp;nbsp;We never configured the JMX layer and set the Identity Store value or the Keys.ini location. 
(Good thing I only tried to log in and not change any passwords!)&lt;br /&gt;&lt;br /&gt;Loaded NetWeaver Visual Administrator, navigated to the Configuration Adapter node, found the tc~idm~jmx~app node, flipped on edit mode and made the two changes. I don't even think I needed to log in again; all my tasks came up on a Web refresh.&lt;br /&gt;&lt;br /&gt;I made a dumb mistake and got ahead of myself. &amp;nbsp;Fortunately we got it all working without too much time lost.&lt;br /&gt;&lt;br /&gt;So what did I get from this:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Always follow the documentation. &amp;nbsp;It's the best way to make sure you don't forget anything.&lt;/li&gt;&lt;li&gt;If you're having a problem, use tools like Google and SDN. &amp;nbsp;Even a "slightly related" posting can help you brainstorm.&lt;/li&gt;&lt;li&gt;Get another set of eyes to look things over. People from the BASIS team can be your best friends here. &amp;nbsp;Even if they've never heard of IDM, they probably know more NetWeaver than you.&lt;/li&gt;&lt;li&gt;When all else fails, go back to #1 and &lt;b&gt;RTFM&lt;/b&gt;, most likely you misread something!&lt;/li&gt;&lt;/ol&gt;&lt;span class="body"&gt;One of the interesting things about mistakes is that a lot of people (including famous ones) make them all the time. So in honor of that, here are some more quotes:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;span class="body"&gt;Do not fear mistakes. You will know failure. 
Continue to reach  out.&lt;/span&gt;&amp;nbsp;~&lt;span class="bodybold"&gt;&lt;a href="http://www.brainyquote.com/quotes/quotes/b/benjaminfr119119.html"&gt;Benjamin Franklin&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;"&gt;&lt;span class="body"&gt;I've learned that mistakes can often be as good a teacher as  success.&lt;/span&gt;&amp;nbsp;&amp;nbsp;~&lt;span class="bodybold"&gt;&lt;a href="http://www.brainyquote.com/quotes/quotes/j/jackwelch173306.html"&gt;Jack Welch&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2201940250826251808?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2201940250826251808/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2201940250826251808' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2201940250826251808'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2201940250826251808'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/02/learning-from-your-mistakes.html' title='Learning from your mistakes'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8922103459524069571</id><published>2011-02-01T21:12:00.000-05:00</published><updated>2011-02-01T21:12:31.948-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='Ian Daniel'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><title type='text'>Another Blogger comes up to Bat</title><content type='html'>I was quite happy to discover a new person blogging on SAP's NetWeaver&amp;nbsp;Identity&amp;nbsp;Management. Ian Daniel, of &lt;a href="http://sap-idm.blogspot.com/2011/01/useful-sql-for-sap-idm-for-provisioning.html"&gt;Adventures in SAP IdM&lt;/a&gt;. Of course in Ian's case it's a Cricket Bat as he works and lives in the United Kingdom.&lt;br /&gt;&lt;br /&gt;Ian seems to be the first of a new breed of IdM consultants making the change from traditional SAP consulting to Identity Management. &amp;nbsp;From reading the first few posts, it seems clear that he has both theoretical and field experience, which is always a welcome combination. 
I'm looking forward to seeing what he has to say in the coming months, and I think you will too.&lt;br /&gt;&lt;br /&gt;Look for posts on his blog and on SAP SDN.&lt;br /&gt;&lt;br /&gt;Welcome to the team, Ian!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8922103459524069571?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8922103459524069571/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8922103459524069571' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8922103459524069571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8922103459524069571'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/02/another-blogger-comes-up-to-bat.html' title='Another Blogger comes up to Bat'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2537266775353468373</id><published>2011-01-31T16:13:00.002-05:00</published><updated>2011-01-31T16:21:12.466-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><title type='text'>Setting Passwords in Microsoft 
Active Directory</title><content type='html'>The project that I am currently working on is starting in a different way than any other Identity Center (or Identity Management!) project that I have ever worked on. Rather than starting with AD/LDAP provisioning, role management or synchronization, they are starting with password management.&lt;br /&gt;Usually I’m not a fan of this, but there were a few reasons that this worked. First off, their authoritative source is SAP HCM, which is a relatively new implementation, so we know that the identity data is good and clean (they actually did a cleansing project when moving the data from their old legacy system). Also, password management is a key need for the organization that will go far in proving the value and effectiveness of SAP NetWeaver Identity Management.&lt;br /&gt;&lt;br /&gt;I have to admit that I went into this project with a lot of confidence. I’ve been successful in password management Proofs of Concept and done some work with the Password Hook that is a part of the SAP IDM offering. However, as I’ve seen many a time, there’s a world of difference between a PoC and a productive system.&lt;br /&gt;&lt;br /&gt;What could the difference possibly be, you wonder? Well, a lot of PoC systems have IdM and AD on the same host. Not so in production. This brought up a number of differences and changes that I needed to make to the basic change AD password task that comes with NW IDM.&lt;br /&gt;One of the things I’ve noticed in several Password Management projects with NW IDM is that even though the Java engine is preferred for most operations, it never works where Microsoft Active Directory is concerned. 
In this case, the Windows engine is still superior.&lt;br /&gt;Here is the code I developed:&lt;br /&gt;
&lt;code&gt;&lt;br /&gt;
' Main function: pwdnext&lt;br /&gt;
&lt;br /&gt;
Function pwdnext(Par)&lt;br /&gt;
' Connection settings come from the repository constants&lt;br /&gt;
HOST = ugetconstant("rep.LDAP_HOST")&lt;br /&gt;
LOGIN = ugetconstant("rep.LDAP_LOGIN")&lt;br /&gt;
PORT = ugetconstant("rep.LDAP_PORT")&lt;br /&gt;
strPassword = ugetconstant("rep.LDAP_PASSWORD")&lt;br /&gt;
&lt;br /&gt;
' RD and PWD are passed in by the pass&lt;br /&gt;
RD = Par("RD")&lt;br /&gt;
PWD = Par("PWD")&lt;br /&gt;
strPath = "LDAP://" &amp;amp; HOST &amp;amp; "/" &amp;amp; RD&lt;br /&gt;
&lt;br /&gt;
' Bind to Active Directory with the repository credentials&lt;br /&gt;
strUsername = LOGIN&lt;br /&gt;
Set adsNamespaceLDAP = GetObject("LDAP:")&lt;br /&gt;
Set adsMyObject = adsNamespaceLDAP.OpenDSObject(strPath, strUsername, strPassword, 200)&lt;br /&gt;
&lt;br /&gt;
strPath = "LDAP://" &amp;amp; HOST &amp;amp; "/" &amp;amp; RD&lt;br /&gt;
'Find user&lt;br /&gt;
Set adsUser = GetObject(strPath)&lt;br /&gt;
'Set initial password&lt;br /&gt;
adsUser.SetPassword PWD&lt;br /&gt;
adsUser.SetInfo&lt;br /&gt;
'Set flag to NOT force user to change the password on first login&lt;br /&gt;
adsUser.Put "pwdLastSet", -1&lt;br /&gt;
adsUser.SetInfo&lt;br /&gt;
&lt;br /&gt;
End Function&lt;br /&gt;
&lt;/code&gt;&lt;br /&gt;
Since I didn’t mention it before, this script works with a TO GENERIC pass type. That is always the best choice when you need to bring in lots of information from the target screen. This code is also pretty much the “bare essentials” and lacks support for handling encrypted passwords, validation logic, etc. The big change I needed to make to the script from the original was the inclusion of adsMyObject, which allowed for a bind to Active Directory. This code also exists in the pwdopen script, but it seems that the bind does not carry over.&lt;br /&gt;&lt;br /&gt;The other very important thing that needs to happen is that the dispatcher service setup must also be properly configured. It is essential that the service be running with credentials that can make Active Directory changes. 
The following screenshot provides an example.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_T-UxpjuPieQ/TUcmgeO4dfI/AAAAAAAAAF8/Nl8vm4Ju-us/s1600/service+coniguration.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/_T-UxpjuPieQ/TUcmgeO4dfI/AAAAAAAAAF8/Nl8vm4Ju-us/s320/service+coniguration.jpg" width="284" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Dispatcher Service Log On Configuration&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;One of the key benefits of this approach is that there is no need for SSL to be set up between the IDM server and the Domain Controller. A working SSL configuration is still required, however, when setting passwords in SAP's UME.&lt;br /&gt;&lt;br /&gt;I hope this post has helped you out with understanding how password management can be achieved in SAP NetWeaver Identity Management 7.1, SP5. 
This example should work for any NW IDM 7.x implementation.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2537266775353468373?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2537266775353468373/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2537266775353468373' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2537266775353468373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2537266775353468373'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/01/project-that-i-am-currently-working-on.html' title='Setting Passwords in Microsoft Active Directory'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_T-UxpjuPieQ/TUcmgeO4dfI/AAAAAAAAAF8/Nl8vm4Ju-us/s72-c/service+coniguration.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6364354532782027351</id><published>2011-01-21T09:40:00.000-05:00</published><updated>2011-01-21T09:40:13.056-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><title 
type='text'>Good to see SAP IDM movement!</title><content type='html'>Just saw &lt;a href="http://www.vadvert.co.uk/technology/8063-galderma-improves-the-security-complexion-of-its-landscape-with-sap-netweaver%C2%AE-identity-management.html"&gt;this &lt;/a&gt;courtesy of Google Alerts. Always nice to see a big win! &amp;nbsp;Just like to see more of them here in North America. &amp;nbsp;(For my international followers, I am open to consulting abroad :) )&lt;br /&gt;&lt;br /&gt;I have just started a new project down in South Carolina. &amp;nbsp;Should be some good things coming out of this one that I will be blogging about shortly. &amp;nbsp;Also &amp;nbsp;upcoming will be some thoughts on the management of identity based on some conversations I've been having with some folks over the past few weeks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6364354532782027351?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6364354532782027351/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6364354532782027351' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6364354532782027351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6364354532782027351'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/01/good-to-see-sap-idm-movement.html' title='Good to see SAP IDM movement!'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5029302419702021828</id><published>2011-01-13T11:38:00.000-05:00</published><updated>2011-01-13T11:38:15.178-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='MaXware'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='BI'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Some quick reads in SAP IDM and IdM in general.</title><content type='html'>Reporting, Metrics, Audit, whatever you want to call it, relies on being able to extract information from your identity management systems.&amp;nbsp; This &lt;a href="http://sapinsider.wispubs.com/Article/SAP-NetWeaver-BW-Reporting-Now-Available-for-Identity-Management--Run-Dynamic-Reports-on-Your-SAP-NetWeaver-ID-Management-Data-for-Quicker,-Easier-Identity-Management-Insight/5576"&gt;article &lt;/a&gt;is a brief discussion on the topic.&amp;nbsp; I was fortunate to meet one of the authors, Gerlinde, during TechEd last year.&lt;br /&gt;&lt;br /&gt;It's 
also nice to know &lt;a href="http://healthstip.com/fine/zo9101259675u21/m841437173"&gt;our market&lt;/a&gt; is growing!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5029302419702021828?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5029302419702021828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5029302419702021828' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5029302419702021828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5029302419702021828'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/01/some-quick-reads-in-sap-idm-and-idm-in.html' title='Some quick reads in SAP IDM and IdM in general.'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6080889937948686951</id><published>2011-01-03T14:53:00.001-05:00</published><updated>2011-01-04T10:22:03.359-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='David Kearns'/><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='SaaS'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Identity'/><title type='text'>Identity up in the Cloud</title><content type='html'>This was a topic that I thought I would really be getting into during 2010, but somehow the Cloud never really seemed to become the story. On the whole, I think there were more discussions regarding the definition of Identity and the Federation of those identities between systems. However, there's still been some discussion of what the "cloud" actually is and how it should function in various disciplines, including Identity Management.&lt;br /&gt;&lt;br /&gt;I thought that David Kearns' recent article on &lt;i&gt;&lt;a href="http://www.networkworld.com/newsletters/dir/2011/010311id1.html?source=NWWNLE_nlt_security_identity_2011-01-03"&gt;Avoiding "cloud anguish"&lt;/a&gt;&lt;/i&gt; had an interesting point that I would also like to comment on.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"...the “year of” any technology isn’t recognized until long after it has passed. 2010 may well be labeled as the Year of the Cloud, but that won’t be for some time to come and I’m beginning to doubt that it will."&lt;/blockquote&gt;&lt;br /&gt;So my interpretation is that moving to the Cloud is going to be something that we realize has happened, not something that is happening. Yeah, this is going to be a slow but fast process. So what does this mean? Well, to tell the truth, almost everything on the Internet and in the enterprise is essentially a cloud process, particularly when we consider the concept of the "private cloud". Connections to Email/SharePoint/Document Management/Identity Management/Access Management all happen this way. We interact with a client (usually web-based these days) and then authenticate using VPN or the corporate network.&lt;br /&gt;&lt;br /&gt;What's going to make this something that has happened? 
Well, I think it will be when we start making it easier to connect various private clouds through some sort of Identity Federation and the process starts moving towards something we touch each and every day. We see the beginnings of this now with social networks that allow us to communicate with different Internet sites and applications.&lt;br /&gt;&lt;br /&gt;Dave also talks about one of my biggest concerns with Cloud computing, and that's security. I've always had some concerns when things I am responsible for are parceled out to people that have no real stake in the project/organization/what have you to begin with. Don't get me wrong, these people have a professional responsibility to maintain security, but it's just another data silo to them, not the sales contacts, customer lists and identity data that are your organization's life-blood. To me there's always been a slight difference between data owners (the organization that owns the data) and data custodians (those who take care of the data in the cloud). All in all, I like to keep it all close to me where I can keep an eye on it.&lt;br /&gt;&lt;br /&gt;Of course this means that as the data owner, if I'm not putting my data in the hands of the "professionals" it's my responsibility to keep it all safe and secure, which means I need to make sure I have backups, redundant data centers, high availability, and secure communications to keep everything protected. Sounds like a cloud to me.&lt;br /&gt;&lt;br /&gt;The whole point of this is that we don't really know where the cloud begins and where it ends. 
&amp;nbsp;When we figure out what or where that is, then the cloud will be here to stay, until then it's anyone's guess.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6080889937948686951?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6080889937948686951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6080889937948686951' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6080889937948686951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6080889937948686951'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2011/01/identity-up-in-cloud.html' title='Identity up in the Cloud'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5464177278799800366</id><published>2010-12-29T11:26:00.000-05:00</published><updated>2010-12-29T11:26:13.286-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='managed services'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' 
term='consolidation'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='CUA'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='SaaS'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>2010 and the Year in Identity</title><content type='html'>As the year draws down, I've been thinking a bit about the year and what it's meant in Identity Management. There's certainly been a bit of discussion about the nature of Identity, authentication and authorization controls. As technology, process and legislation grow closer, there's a greater need for Governance and Compliance controls than ever before. We're also seeing the beginning of the Cloud truly being a part of the IdM solution.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We're also seeing consolidation on the business side in both the product and implementation branches with Oracle, SAP and Microsoft all making purchases.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Related to this, one thing I've been wondering is what will happen with SAP systems if you rely on either CUA or SUN Identity Manager. What are your plans, if any, for migrating off? 
&amp;nbsp;I've started a discussion on &lt;a href="http://www.linkedin.com/groupItem?view=&amp;amp;gid=54674&amp;amp;type=member&amp;amp;item=38697319&amp;amp;qid=8eeba018-591f-4ee0-8571-d55f178b03e8&amp;amp;goback=.gmp_54674"&gt;LinkedIn&lt;/a&gt;&amp;nbsp;about this. Please take a moment and &amp;nbsp;share your thoughts about what you are considering or planning.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;On a personal note, I wish all of my readers a happy and healthy New Year.&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5464177278799800366?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5464177278799800366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5464177278799800366' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5464177278799800366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5464177278799800366'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/12/2010-and-year-in-identity.html' title='2010 and the Year in Identity'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-721377552630445660</id><published>2010-12-23T11:12:00.000-05:00</published><updated>2010-12-23T11:12:50.411-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Jackson Shaw'/><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>The meaning of Identity?</title><content type='html'>I’ve been involved in a number of conversations lately with colleagues and the Identity Commons mailing list about the nature of identity. The fact of the matter is that as far as the Information Technology / Information Security arena is concerned, there truly is no such concept as an identity. Rather, what we truly have is a collection of descriptors or “attributes” that, when brought together and agreed upon by an organization or group of organizations, describe what we choose to call the identity. Why the vagueness here? Well, that’s because an identity can be more than just people, but that’s another story. Regardless, once we have determined what goes into an identity, we can begin to discuss how technology can process it.&lt;br /&gt;&lt;br /&gt;The thing that I’m hearing more and more is that just having an identity is not enough. 
As mentioned previously, the identity is just an agreed-on set of descriptors and does not really do anything. So how do we make this happen?&lt;br /&gt;&lt;br /&gt;Well, it is rather easy when everything is within the same domain. Agreements are easy (well, easier) to make when there is only one organization involved. Once we get outside of the domain, there is greater complexity due to meeting the diverse needs of each organization, including (but not limited to) audit requirements, privacy rules, establishing common protocols and, of course, determining a description of what the identity is in the first place.&lt;br /&gt;&lt;br /&gt;It’s great that we’re linking in tightly to ERP suites as Oracle and SAP tell us we should do. Leveraging repositories for use in authentication is great as Microsoft says we should do. Federation would be fantastic if we could get folks to come to quick agreements. What we really need is more actions that are associated with what we do with these identities. From what I’m seeing / hearing, there’s not enough being done with the actual identities once we’ve constructed them based on the authoritative sources in the organization’s IT infrastructure.&lt;br /&gt;&lt;br /&gt;I think a great example of what can be done is shown in an article in CIO magazine that I saw on Jackson Shaw’s &lt;a href="http://www.cio.com.au/article/366766/how_fedex_improved_security_eased_access/"&gt;blog&lt;/a&gt; the other day.&lt;br /&gt;&lt;br /&gt;We talk about these things all the time, but it seems many organizations barely get out of the Authentication / ERP stage since that’s perceived to have more direct impact.&lt;br /&gt;I disagree. Truly actionable items that result in a direct decrease in the time it takes to get employees functional should be the first effort in any Identity Management project after the data has been cleaned and a definition of what an identity is has been agreed.&lt;br /&gt;&lt;br /&gt;This is an ongoing discussion that’s not going away anytime soon. 
Not the definition of Identity, not what to do with the Identity, or how to protect the Identity.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-721377552630445660?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/721377552630445660/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=721377552630445660' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/721377552630445660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/721377552630445660'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/12/meaning-of-identity.html' title='The meaning of Identity?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1653877281619523983</id><published>2010-11-17T20:18:00.000-05:00</published><updated>2010-11-17T20:18:02.112-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><title type='text'>Data Cleanliness</title><content 
type='html'>Whether working on User provisioning, password management, compliance, directory virtualization or meta-directory projects, the first step has always been about checking the data and making sure that it is clean.&lt;br /&gt;&lt;br /&gt;What constitutes clean data, and how do we get it that way? This is almost certainly the most important question that should be addressed when considering an Identity Management project.&lt;br /&gt;When considering a User Provisioning project, there are a few basic things to consider:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Is the data authoritative? It’s important that the data going into the provisioning solution comes from authoritative sources. Such sources would include HCM, Active Directory, etc.&lt;/li&gt;&lt;li&gt;Does the data include a unique identifier (UID)? This can be a tricky value. Depending on legal and compliance rules, some attributes are not usable in a UID. Furthermore, UIDs that are based on name components frequently require additional elements to ensure uniqueness, which means the potential for additional transformations at some point in the provisioning process.&lt;/li&gt;&lt;li&gt;Additionally, is there a way to link data from disparate sources? 
Some parsing or similar ETL transformations might need to occur to the data to make sure there is a way to link the same data. Some organizations make the assumption that the same key must be used in all tables. While this is certainly the goal, it can’t always happen and that should be realized in the architecture and business analysis / requirements phases of the project.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Compliance projects also require cleansing and preparation. In some ways, this should actually be easier since these projects generally occur after basic user provisioning. However, this is only half the battle as compliance data usually relies on two basic types of data, user and application.&lt;/div&gt;&lt;div class="MsoNormal"&gt;So it makes sense to ask, when considering user data:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Do we have the necessary data about the person: name, email, physical location?&lt;/li&gt;&lt;li&gt;Do we know who the manager or certifier is? If this is to be determined programmatically, it does not need to be defined here, but you might want to specify a default value.&lt;/li&gt;&lt;li&gt;Do we have data to group the users by? It might be manager, title, or department.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Application data is somewhat different, but does not necessarily need to be that complex. 
&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l2 level1 lfo3; text-indent: -.25in;"&gt;&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Do we know the name of the item we’re certifying about?&lt;/li&gt;&lt;li&gt;Is the entitlement clearly spelled out?&lt;/li&gt;&lt;li&gt;Is the permission clearly spelled out?&lt;/li&gt;&lt;/ol&gt;&lt;!--[if !supportLists]--&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;The big challenge here is that all of the application information can be bound up in other pieces of data so unfortunately there will always be some need for additional transformation here. It’s important to work through the sample data so that the project can clearly define all of the elements that are needed to create the certification.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In any case, before beginning the project it makes sense to transform the data into a clean, clear and concise format.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Otherwise, the project is sure to extend with a combination of extended business analysis and development work before getting to work on the main goal of the project.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Even if you think the data is clean, allocate a week or so for your project team to look over the data and understand it.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;This type of “front loading” in the project will help make the build process work much more smoothly.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1653877281619523983?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1653877281619523983/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1653877281619523983' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1653877281619523983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1653877281619523983'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/11/data-cleanliness.html' title='Data Cleanliness'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4433995776200315801</id><published>2010-11-09T19:19:00.001-05:00</published><updated>2010-11-09T19:19:34.656-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><title type='text'>Dispatcher Tips</title><content type='html'>It’s one thing to build a system in a sandbox or lab environment and a completely different thing to run that system in a production environment. There are a number of things that system designers and architects need to consider. 
Some of these considerations are fairly obvious, such as RAM, processor, network configuration, whether or not to virtualize, etc. &lt;br /&gt;&lt;br /&gt;However one of the things that sometimes gets forgotten in a NetWeaver Identity Management solution is the use and configuration of dispatchers. These seemingly small pieces of the configuration are responsible for a great deal of the operation of NW IDM, as they actually process and execute the provisioning jobs in the workflow.&lt;br /&gt;&lt;div&gt;&lt;/div&gt;There are a couple of basic rules of thumb that should be considered when planning for deploying dispatchers in a productive environment. &lt;br /&gt;&lt;ul&gt;&lt;li&gt;There should only be one dispatcher per host. If anyone has any data on this, I’d love to see it. In an ideal world, it would be one dispatcher per physical host. I have not done any testing in virtualized environments, but I don’t see that as being a huge issue. &lt;/li&gt;&lt;li&gt;Plan on one dispatcher per about every 25,000 users.&lt;/li&gt;&lt;li&gt;If you have specific types of tasks and workflows that require special access, create a specialized dispatcher that supports them. Specific examples would include password management and deprovisioning. 
&lt;/li&gt;&lt;/ul&gt;It’s also important to consider that there are several options for tuning the dispatchers, which we will discuss in a future post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4433995776200315801?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4433995776200315801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4433995776200315801' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4433995776200315801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4433995776200315801'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/11/dispatcher-tips.html' title='Dispatcher Tips'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2421783170557573719</id><published>2010-10-25T14:47:00.000-04:00</published><updated>2010-10-25T14:47:11.806-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Upgrade'/><title type='text'>Required Reading in Identity Management</title><content type='html'>If you have not read it yet, the latest &lt;a 
href="http://www.gartner.com/technology/media-products/reprints/ca/vol3/article3/article3.html"&gt;Magic Quadrant&lt;/a&gt; from Gartner is out. I've taken a quick look at it and saw no real surprises. Look for a slew of marketing material to come out shortly based on this report.&lt;br /&gt;&lt;br /&gt;In the past, I've found the IdM Magic Quadrant to be basically accurate,&amp;nbsp;and pretty good at pointing out hidden truth and the seeds of potential excellence in the covered products.&amp;nbsp; This year appears no different.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2421783170557573719?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2421783170557573719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2421783170557573719' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2421783170557573719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2421783170557573719'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/required-reading-in-identity-management.html' title='Required Reading in Identity Management'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8082537610806714986</id><published>2010-10-22T12:24:00.000-04:00</published><updated>2010-10-22T12:24:21.160-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='CUA'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='Conference'/><category scheme='http://www.blogger.com/atom/ns#' term='MaXware'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><title type='text'>Final report from Las Vegas</title><content type='html'>Sorry to say I'm wrapping up my stay here in Las Vegas.&amp;nbsp; It's been a great time to catch up with some of my friends from Trondheim Labs and SAP Consulting.&amp;nbsp; Also a pleasure to meet some folks that I've communicated with only by email and SDN from the RIG and SAP Waldorf.&lt;br /&gt;&lt;br /&gt;I'm going to hit on two main items in this post. 
Best Practices and CUA.&lt;br /&gt;&lt;br /&gt;I attended a great best practices session which talked about a number of things, most of which are fairly obvious (but still bear repeating) and a couple of interesting items.&amp;nbsp; (Emphasis is mine)&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Approach the project from the &lt;strong&gt;business&lt;/strong&gt; standpoint, not from &lt;strong&gt;IT&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;Successful IDM efforts encapsulate both technology and process, so address the initiative as a &lt;strong&gt;Program&lt;/strong&gt;, not a &lt;strong&gt;project&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;Executive sponsorship is a &lt;strong&gt;must&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;Start with data cleansing&lt;/li&gt;&lt;li&gt;Don't think that all roles need to be identified right away.&amp;nbsp; Set up the roles that are most critical and will have the biggest impact. (To be honest, I had not really thought about that one before and it makes a whole lot of sense.)&lt;/li&gt;&lt;/ul&gt;The other significant presentation I attended was on CUA. &lt;br /&gt;&lt;br /&gt;The CUA picture has been murky ever since the acquisition of MaXware.&amp;nbsp; It's going away, it's staying, it's on maintenance... Well, you get the picture.&lt;br /&gt;&lt;br /&gt;Based on recent &lt;a href="http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/21565"&gt;reports&lt;/a&gt; from SAP, I think we can safely assume that it's on life support. 
CUA will not be further developed, and even experienced CUA hands are endorsing the use of NetWeaver Identity Management.&lt;br /&gt;&lt;br /&gt;That's not to say that IDM is the perfect replacement for CUA.&amp;nbsp; It would seem that a fair amount of development is needed to have IDM do everything that CUA does.&amp;nbsp; However, the good news is that based on the way Identity Management works, that development will not be huge.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Based on what I saw, organizations should begin planning on moving CUA operations to IDM, even if they are using another Identity Management system. One of the things that was established about NetWeaver Identity Management is the fact that it is the only system that can offer complete provisioning to both the ABAP and JAVA stacks for SAP.&amp;nbsp; I know that there are many partners to SAP&amp;nbsp; that offer connectivity, but I think only SAP will be able to offer a holistic approach to provisioning, particularly when provisioning to CRM and SRM. 
This is because the Provisioning framework that comes with NetWeaver Identity Management offers the only connectors that will work with both Technical and Business roles.&lt;br /&gt;&lt;br /&gt;So to wrap up the coverage of TechEd, I think we can safely assume that NetWeaver IDM is evolving quite nicely and that it is in a position to gain greater acceptance from the SAP community as a whole.&lt;br /&gt;&lt;br /&gt;As always, feel free to contact me with your NetWeaver Identity Management questions and thoughts.&amp;nbsp; I am, of course available for assessment and consulting projects.&amp;nbsp; Feel free to contact me at matt (-at-) cticorp (-dot-) com, for more information or check out the &lt;a href="http://www.cticorp.com/"&gt;CTI website&lt;/a&gt;!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8082537610806714986?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8082537610806714986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8082537610806714986' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8082537610806714986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8082537610806714986'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/final-report-from-las-vegas.html' title='Final report from Las Vegas'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-792750913417960913</id><published>2010-10-21T16:24:00.001-04:00</published><updated>2010-10-21T16:24:25.139-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Upgrade'/><category scheme='http://www.blogger.com/atom/ns#' term='SP5'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>Errors when deploying a Service Pack</title><content type='html'>One of the interesting things about the move from MaXware Identity Center to SAP NetWeaver Identity Management (Or even NetWeaver Identity Management 7.0 to 7.1) is that we've moved away from the PHP / SMARTY presentation engine to SAP NetWeaver and WebDynpro. I'm not going to go into the pros and cons of this change as I've pretty much found it to be a wash. However, &lt;em&gt;usually&lt;/em&gt; one of the better things about using NetWeaver is that it makes the update process quite a bit easier.&lt;br /&gt;&lt;br /&gt;Notice, I said usually....&lt;br /&gt;&lt;br /&gt;Every now and then when setting up a new environment I get all kinds of crazy dependency errors when deploying the new SCA file. This drove me absolutely crazy for a while until an experienced NetWeaver hand pointed out what the issue was.&lt;br /&gt;&lt;br /&gt;I do most of my development work using a VM on my Laptop that uses NW Developer Workplace &lt;strong&gt;7.0&lt;/strong&gt;. It seems the dependency issue was coming about when I was trying to deploy a SCA file for NetWeaver &lt;strong&gt;7.1&lt;/strong&gt;. 
Once I&amp;nbsp; tried deploying the correct SCA file it went &lt;em&gt;much&lt;/em&gt; better.&lt;br /&gt;&lt;br /&gt;For the record:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The correct file for 7.0 is: IDMIC05_0-10007482.SCA&lt;/li&gt;&lt;li&gt;The correct file for 7.1 is: IDMIC05_0-10007483.SCA&lt;/li&gt;&lt;/ul&gt;I'm sure that this is documented somewhere, but I figured I'd share it for general reference. &lt;br /&gt;&amp;nbsp; &lt;br /&gt;I'll be posting a wrap up of SAP TechEd 2010 later tonight or tomorrow. &lt;br /&gt;&amp;nbsp;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-792750913417960913?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/792750913417960913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=792750913417960913' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/792750913417960913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/792750913417960913'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/errors-when-deploying-service-pack.html' title='Errors when deploying a Service Pack'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6514395838408336163</id><published>2010-10-20T16:46:00.001-04:00</published><updated>2010-10-20T18:52:46.701-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='javascripting'/><category scheme='http://www.blogger.com/atom/ns#' term='Gregg Dippold'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><title type='text'>SAP TechEd on Wednesday, October 20th</title><content type='html'>As promised, I'm going to follow up on some of the challenges that &lt;a href="http://sgciam.wordpress.com/"&gt;Gregg Dippold&lt;/a&gt; had commented on. To the best of my knowledge, all of the information that I have reported here is public as of TechEd. I have chosen not to share some information as I felt that it was still too tentative to report. All of this&amp;nbsp;information is, of course, subject to change.&lt;br /&gt;&lt;br /&gt;The short answer is: SAP NetWeaver Identity Management 7.2 is a &lt;strong&gt;huge&lt;/strong&gt; leap forward.&amp;nbsp; It will be more customizable, have better tools for managing roles and connect to more systems than ever before. So here's Gregg's &lt;a href="http://sgciam.wordpress.com/2010/10/18/netweaver-identity-management-7-1-implementation-challenges/"&gt;list of challenges&lt;/a&gt; and what I've learned so far.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge 1: Self Service is Not Intuitive for Unsophisticated Users&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Version 7.2 will be adding additional functionality to create custom user interfaces using an Open API. 
It might not make it into the initial release, but look for it in one of the 7.2 Service packs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge 2: Fragmented Documentation&lt;/strong&gt; &lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&amp;nbsp; &lt;br /&gt;Don't know about this one, but I can say that the documentation has been getting steadily better, so I'm cautiously optimistic.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge 3: Limitations in the Staging Environment &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I think we're all aware of some of the limitations in the Import/Export.&amp;nbsp; Look for some changes that will make transferring configurations between environments much easier. Among these will be an interface from the Web UI to export the entire configuration including repositories to a single XML file. Also to be included in 7.2 is a configuration analyzer which will review the entire configuration and check for 7.1 objects that will not work in 7.2 and do some basic checking for inefficient practices (such as queries that use aValue rather than SearchValue).&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Note: I forgot to add that this utility will also export associated VDS configurations as well.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge 4: Job Customization Frequently Requires Custom JavaScript&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;I don't know that this can ever really go away, as there needs to be some mechanism for implementing transformations of attributes and back end processing.&amp;nbsp; To make things more interesting, we'll also see more use of the extension framework which will be JAVA based and open up some new and exciting possibilities.&amp;nbsp; We can also expect to see some changes to the standard provisioning framework that will make connectivity to SAP and non-SAP systems a bit easier.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge 5: Few Useful Reports Available in Default Installation&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;br 
/&gt;&lt;/strong&gt;&lt;br /&gt;This could also be a big item as 7.2 will now talk to the Business Warehouse. From what I saw during the presentation these reports will be much better than the previous Jasper and Crystal based reports.&lt;br /&gt;&lt;br /&gt;That's about it for the moment. &amp;nbsp;Heading to a session on VDS shortly. &amp;nbsp;Hopefully, I'll get some more information that I'm free to share.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6514395838408336163?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6514395838408336163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6514395838408336163' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6514395838408336163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6514395838408336163'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/sap-teched-on-wednesday-october-20th.html' title='SAP TechEd on Wednesday, October 20th'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8409854884842001775</id><published>2010-10-18T19:44:00.000-04:00</published><updated>2010-10-18T19:44:16.629-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Gregg Dippold'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><title type='text'>Reporting from TechEd</title><content type='html'>I'm here at SAP TechEd, in Las Vegas.&amp;nbsp; Looking forward to a great week of presentations, learning, catching up with some old friends&amp;nbsp;and hopefully making some new ones.&lt;br /&gt;&lt;br /&gt;Gregg Dippold, over at the &lt;a href="http://sgciam.wordpress.com/"&gt;NetWeaver Identity Management blog&lt;/a&gt;, has posted a number of &lt;a href="http://sgciam.wordpress.com/2010/10/18/netweaver-identity-management-7-1-implementation-challenges/"&gt;challenges&lt;/a&gt; that he feels exist in NetWeaver IDM 7.1.&amp;nbsp; For the most part I agree with him.&amp;nbsp; During the week, I'll be posting about how SAP plans to address Gregg's challenges.&lt;br /&gt;&lt;br /&gt;Otherwise, I'm going to be looking at what's in store for the future of NW IDM and how it can help people over versions 7.2 and 7.3.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8409854884842001775?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8409854884842001775/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8409854884842001775' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8409854884842001775'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8409854884842001775'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/reporting-from-teched.html' title='Reporting from TechEd'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7376087206825616618</id><published>2010-10-08T14:13:00.000-04:00</published><updated>2010-10-08T14:13:40.455-04:00</updated><title type='text'>Modifying Attributes in SAP NW IDM</title><content type='html'>Had an interesting challenge recently as a part of a project I have been working on. As a part of the deprovisioning process, the sAMAccountName in Active Directory needs to be renamed.&lt;br /&gt;&lt;br /&gt;However in doing a straight ToLDAP pass, the sAMAccountName attribute cannot be modified.&amp;nbsp; It seems in order to do this, we need to use the ~ (replace attribute) modifier.&lt;br /&gt;&lt;br /&gt;I don't know how often I'll be asked to rename this attribute (the more I think about it, the more I like it as far as the deprovisioning process goes), but it's certainly a good technique to have in my back pocket should it be necessary to change other attributes that resist a straightforward modification.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7376087206825616618?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7376087206825616618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7376087206825616618' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7376087206825616618'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/25881969/posts/default/7376087206825616618'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/modifying-attributes-in-sap-nw-idm.html' title='Modifying Attributes in SAP NW IDM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-33081397607229732</id><published>2010-10-05T22:24:00.000-04:00</published><updated>2010-10-05T22:24:34.335-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SAP TechEd 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='blogs'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='Conference'/><title type='text'>Couple of Random Things</title><content type='html'>I've not had the chance to write much lately, as I've been rather busy on a project in the Southeast US. I've got a couple of nice tips that I hope to share in the next couple of days.&lt;br /&gt;&lt;br /&gt;However, I do have a couple of quick things that I'd like to share.&lt;br /&gt;&lt;br /&gt;First off, I will be at SAP TechEd, which will be in a little under two weeks from now, in Las Vegas. &amp;nbsp;If you're going to be there, please leave me a comment or let me know via a comment, LinkedIn, XING, or any other way that works for you. &amp;nbsp;There's going to be a lot covered for NetWeaver IDM and I plan to report on it. Would not mind having a little after hours round table.&lt;br /&gt;&lt;br /&gt;Also I've been picked up on the &lt;a href="http://planetidentity.org/"&gt;Planet Identity blog&lt;/a&gt;. 
&amp;nbsp;Looking forward to being a part of that conversation as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-33081397607229732?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/33081397607229732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=33081397607229732' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/33081397607229732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/33081397607229732'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/10/couple-of-random-things.html' title='Couple of Random Things'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2786408573268881983</id><published>2010-09-08T11:10:00.000-04:00</published><updated>2010-09-08T11:10:47.086-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='ROI'/><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='BI'/><title type='text'>Intelligent IDM</title><content type='html'>Just read a great 
blog post (Thanks, Dave Kearns for posting in your newsletter) that I think anyone involved in Identity Management Architecture / Design / Management should be aware of.&lt;br /&gt;&lt;br /&gt;Earl Perkins from Gartner Group has written a short &lt;a href="http://blogs.gartner.com/earl-perkins/2010/08/24/time-for-intelligence-and-clarity-in-iam/"&gt;piece&lt;/a&gt; on Business Intelligence information that can be obtained from an IDM solution.&lt;br /&gt;&lt;br /&gt;We've spoken for years about making IDM a part of compliance and security, and certainly tools such as SailPoint Identity IQ help provide that data, but I think that all applications, particularly provisioning applications that are long on information and short on reporting and logging&amp;nbsp;could do more to share this information not only with central BI repositories. Certainly there is information that is of interest to a BI warehouse. It would be interesting to see what such a model would look like.&lt;br /&gt;&lt;br /&gt;I look forward to seeing what Earl and others develop in this concept.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2786408573268881983?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2786408573268881983/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2786408573268881983' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2786408573268881983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2786408573268881983'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/09/intelligent-idm.html' title='Intelligent IDM'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6945641327080840052</id><published>2010-09-01T21:21:00.000-04:00</published><updated>2010-09-01T21:21:42.696-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascripting'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>Scripting Tips</title><content type='html'>A quick entry, but a couple of tips when creating SAP IDM scripts:&lt;br /&gt;&lt;br /&gt;1. Do not put a space between a built in function and its argument.&lt;br /&gt;2. Do not put a space between Par.get and the argument in a "To Generic" pass.&lt;br /&gt;3. 
Be careful of infinite loops&lt;br /&gt;&lt;br /&gt;Violating any one of these rules can start a java.exe process that will take 99% of CPU.&lt;br /&gt;&lt;br /&gt;More about how I discovered all of this soon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6945641327080840052?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6945641327080840052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6945641327080840052' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6945641327080840052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6945641327080840052'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/09/scripting-tips.html' title='Scripting Tips'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3469475437623988772</id><published>2010-08-11T22:00:00.000-04:00</published><updated>2010-08-11T22:00:15.499-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><title type='text'>Team of Rivals</title><content type='html'>&lt;div class="MsoNormal"&gt;I really enjoyed reading Doris Kearns 
Goodwin’s book, Team of Rivals. In it, she describes how President Lincoln brought his rivals for the election of 1860 together into his cabinet.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;All of them turned out to be essential during his first years in office. Similarly, I have found that bringing together the enterprise and consulting staff is a key element in creating success in any organization’s Identity Management project.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Application Owners, Architects, Business Analysts, Database Administrators, Engineers, Executive Sponsors, Project Managers, System Administrators and Testers are among the many different types of people that we expect to see on an Identity Management project. &amp;nbsp;While these people are not necessarily rivals in Kearns' sense, they definitely represent many different aspects of a company’s business, technical and operational viewpoints. &amp;nbsp;However, that is only one dimension of the project team. The other dimension involves technical skill sets.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Having the proper balance of technical skills is just as important a component of the project. Coders, Database specialists, ERP system experts and other Subject Matter Experts (SME) are critical to project success. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;One of the nice things about SMEs is that they usually do not have to be allocated to the project on a full-time basis, but rather serve as “on call” resources to help out with specific parts of the project. While members of the technical staff are cross trained (and rather well in my client facing experience) it’s tough to have complete knowledge of multiple enterprise systems. 
The local system SMEs are a required part of any successful project implementation and substantially lower the risk inherent in any enterprise project.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Bringing this "Team of Rivals" together brings about a synergy which results in exceptional project effectiveness.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3469475437623988772?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3469475437623988772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3469475437623988772' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3469475437623988772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3469475437623988772'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/08/team-of-rivals.html' title='Team of Rivals'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2561876377856598291</id><published>2010-07-13T19:25:00.002-04:00</published><updated>2010-07-13T19:41:34.205-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category 
scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>"Registering" Identity</title><content type='html'>&lt;div&gt;Read an interesting &lt;a href="http://www.theregister.co.uk/2010/07/12/practicalities_of_provisioning/"&gt;article &lt;/a&gt;off of the UK’s Register site. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The article starts out by stating that Identity Management is both “Complex” and “a pain in the backside.”&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;While focusing on “classic IdM” issues like password control and provisioning, it also links in some interesting thoughts about linking Asset Management to Identity Management with the loss of a phone (or dare I say a laptop) and the fact that some assets are linked to the identity concept.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The article goes on to discuss some thoughts about preparing for identity related projects, offering some thoughts on an architecture that revolves around people, their roles and authorizations.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What really grabbed my interest about this article was a list of three assumptions, which I will paraphrase:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;ol&gt;&lt;li&gt;There will be Identity Assets and applications that the IdM team will be unaware of&lt;/li&gt;&lt;li&gt;Provisioning is event driven, and therefore your IdM procedures should reflect this&lt;/li&gt;&lt;li&gt;Provisioning is a process, not a onetime deal&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The author has a nice wrap-up and words of advice which leaves the article on a high note. 
The point here is that these folks seem to get what IdM is all about. &lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;The IdM Technology doesn’t matter&lt;/li&gt;&lt;li&gt;Directories don’t matter&lt;/li&gt;&lt;li&gt;Databases don’t matter&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What matters is that one understands the organization’s business and cultural needs.  That will dictate how the technology, directories, databases, etc. are employed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2561876377856598291?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2561876377856598291/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2561876377856598291' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2561876377856598291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2561876377856598291'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/07/read-interesting-article-off-of-uks.html' title='&quot;Registering&quot; Identity'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3401483723230901209</id><published>2010-07-10T21:51:00.005-04:00</published><updated>2010-07-10T22:01:34.332-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Talk Down, Build Up</title><content type='html'>&lt;div style="text-align: left;"&gt;No, it’s not a new self esteem program; rather what I think is the best methodology for developing SAP NetWeaver Identity Management Workflows.&lt;/div&gt;  &lt;p class="MsoNormal"&gt;First, let’s review the basic components of a NW IDM Workflow&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;Screens&lt;/b&gt; represent the top most level and what most people routinely deal with. Here’s where we present the attributes (populated and empty) Descriptions and other UI related features. Starting with NetWeaver IDM 7.1, this is handled by the Web Dynpro engine. Before that PHP was used. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;Tasks&lt;/b&gt; are what give the workflow their structure. 
Ordered Tasks, Un-Ordered tasks, Conditionals, Approvals, etc go here.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;Action Tasks&lt;/b&gt; are the real muscle of the workflow. Action tasks execute the actual operations of the workflow. Writing information to a Target System, a Report or the Identity Store itself all gets done from these tasks.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Of course there are many workflows of various complexities that come with the SAP Provisioning framework, but as we all know this will not cover all circumstances and sometimes custom workflows will need to be created. Fortunately, NW IDM makes it rather easy since Screen, Tasks and Action Tasks can all be linked and re-linked together over and over.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Over time I’ve found that the design and creation of workflows can be best summarized by what I refer to as the “Talk Down, Build Up” approach.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;When discussing the formulation of a workflow it is generally best to discuss the workflow top down. That is start with what the user sees and then what happens after they press “Submit.” People find it easy to follow the workflow and its branches (if any) when we start from this approach. Given the way that the workflows correspond to a flowchart, this seems to be somewhat of a no-brainer. 
The following screenshot gives one an idea about this:&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_T-UxpjuPieQ/TDkk2Of_qyI/AAAAAAAAAFc/o86Xsl6h4kg/s1600/workflow.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 221px;" src="http://3.bp.blogspot.com/_T-UxpjuPieQ/TDkk2Of_qyI/AAAAAAAAAFc/o86Xsl6h4kg/s320/workflow.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5492461734578858786" /&gt;&lt;/a&gt;Development, however, does not work the same way.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Trying to develop top down becomes fairly confusing since the developer is linking to objects that might not exist yet.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Development, it seems, works best from the bottom up. In general I recommend creating NW IDM workflow objects in the following order:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Action Tasks&lt;/li&gt;&lt;li&gt;Privileges&lt;/li&gt;&lt;li&gt;Roles&lt;/li&gt;&lt;li&gt;Conditional/Approval/Switch Tasks&lt;/li&gt;&lt;li&gt;Ordered tasks (I seldom make use of unordered ones)&lt;/li&gt;&lt;li&gt;Screens&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;            &lt;p class="MsoNormal"&gt;As a general best practice, I also recommend using folders as organizational containers to group related tasks together. 
Usually I like to do this by target system (AD, SAP, SunONE, NW IDM, Notifications, etc.)&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_T-UxpjuPieQ/TDklgDfkUlI/AAAAAAAAAFk/xJmTUQGWfZE/s1600/tasks.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 186px; height: 151px;" src="http://4.bp.blogspot.com/_T-UxpjuPieQ/TDklgDfkUlI/AAAAAAAAAFk/xJmTUQGWfZE/s320/tasks.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5492462453178782290" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;So there we have it.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;We talk down about the structure, but we build from the bottom up. I’m wondering how other SAP NW IDM architects approach this.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;What about other IdM products?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3401483723230901209?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3401483723230901209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3401483723230901209' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3401483723230901209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3401483723230901209'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/07/talk-down-build-up.html' title='Talk Down, Build Up'/><author><name>Matt 
Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_T-UxpjuPieQ/TDkk2Of_qyI/AAAAAAAAAFc/o86Xsl6h4kg/s72-c/workflow.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-6098608175320910581</id><published>2010-06-29T21:44:00.002-04:00</published><updated>2010-06-29T21:51:05.888-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Credit Where Credit is Due!</title><content type='html'>Just in case anyone was wondering, this blog does not write itself.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I don't mean my time.  I love thinking and sharing my thoughts on Identity Management in general and SAP NetWeaver Identity Center, specifically.  I also get a real kick out of the comments I receive publicly and privately.  It's truly my pleasure to share with you, and yes, I wish I could do it faster as well :)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'd just like to take a moment and thank all of the people that I talk to around the world that provide me fodder for comment and sharing.  I appreciate the time that people have taken to support both myself and this effort over the past few years.  
I don't usually mention people by name, (I take your privacy seriously) But I am most grateful for your advice and support.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Of course for those in the know, I'm always happy to buy a beer or three for my devoted advisors!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Thanks again, you all know who you are.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-6098608175320910581?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/6098608175320910581/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=6098608175320910581' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6098608175320910581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/6098608175320910581'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/06/credit-where-credit-is-due.html' title='Credit Where Credit is Due!'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8370940996252922285</id><published>2010-06-23T16:11:00.004-04:00</published><updated>2010-06-23T16:20:42.228-04:00</updated><title type='text'>Linking pulldown attributes in NW IDM 7.1</title><content type='html'>One of the coolest things about NetWeaver Identity Manager is that 
there are always new tricks to learn.  The development team keeps finding new and interesting ways to extend the functionality of the product. This, in turn, allows us to further extend what we can offer to our customers.  Sometimes what I learn for a particular customer is brand-new, sometimes it's functionality that's been around for years, but either way, it's usually of use to someone, so I like to share when I can.&lt;br /&gt;&lt;br /&gt;Recently I was asked by a client how we could link two fields together so that a given value chosen in the first field via a pull-down box would result in a specific subset of values being available in the second pull-down.&lt;br /&gt;&lt;br /&gt;After a bit of research and some emailing I found that the use of the &lt;b&gt;FIELD&lt;/b&gt; attribute prefix was the way to go.  Here's how it all works:&lt;br /&gt;&lt;br /&gt;In your database, create a table called &lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;LOCATIONS&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The table should be populated with two columns called &lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;COUNTRY&lt;/span&gt;&lt;/b&gt; and &lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;CITY&lt;/span&gt;&lt;/b&gt; as shown below:&lt;br /&gt;&lt;br /&gt;United States             New York&lt;br /&gt;United States             Atlanta&lt;br /&gt;United States             Los Angeles&lt;br /&gt;Norway                       Oslo&lt;br /&gt;Norway                       Trondheim&lt;br /&gt;United Kingdom        London&lt;br /&gt;United Kingdom        Liverpool&lt;br /&gt;Spain                           Madrid&lt;br /&gt;Spain                           Barcelona&lt;br /&gt;&lt;br /&gt;In NetWeaver Identity Management, create two attributes called &lt;b&gt;COUNTRY&lt;/b&gt; and &lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'courier 
new';"&gt;CITY&lt;/span&gt;&lt;/b&gt;. Set the Displayname and tool-tip in the Presentation tab as you would like but make sure presentation is set to SingleSelect.&lt;br /&gt;&lt;br /&gt;Next go to the Attribute values tab and set up the SQL Queries as follows:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;COUNTRY:&lt;/b&gt; &lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;select distinct COUNTRY from LOCATIONS&lt;/span&gt; (We want to use distinct so we don't see duplicate entries when we use the pull-down)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;CITY:&lt;/b&gt; &lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;select CITY from LOCATIONS where COUNTRY = %FIELD.COUNTRY% &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now add these attributes to a task and make sure they are added to the screen in the attributes tab so that we can see them from the Web UI.&lt;br /&gt;&lt;br /&gt;Basically what's going on here is that we now compare the first value we enter, that of the country, to the table itself and then present a list of cities that result from the match. Locations are an easy example, but I can also see a use in listing business units and departments or anything where you have a long list and want to be able to just look at sub-sets.&lt;br /&gt;&lt;br /&gt;There you go!  Have fun with this... Wondering what other customizations people have been making?  
How do you extend the interface?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8370940996252922285?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8370940996252922285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8370940996252922285' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8370940996252922285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8370940996252922285'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/06/linking-pulldown-attributes-in-nw-idm.html' title='Linking pulldown attributes in NW IDM 7.1'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-9215273092250462888</id><published>2010-05-21T16:53:00.004-04:00</published><updated>2010-05-21T17:52:36.757-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' 
term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Conflicting Views on IdM Acceptance</title><content type='html'>&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Within a span of a couple of days I saw an interesting contradiction regarding the adoption rate of Identity related technologies, particularly in Europe. This contradiction came through a couple of articles I found on Identity Management through my trusty Google Search agent.&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;The first &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.v3.co.uk/v3/news/2263167/identity-management-uptake"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;article&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;, basically states that adoption rates have not been as high as they should be since everyone is acknowledging their importance. Additionally the prevalence of cloud technology brings about a new wrinkle in managing Identity which has yet to be properly addressed and might be a way of pushing acceptance of IdM. 
It also states that the inherent complexity in IdM creates additional acceptance and execution barriers.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;The second &lt;a href="http://www.computing.co.uk/computing/news/2263145/identity-access-management-tops"&gt;article&lt;/a&gt;, takes a more positive approach to the acceptance of IdM technologies. Particularly when considering Privileged User Management.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Interestingly enough, both articles referenced the same Forrester report, &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;em&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Identity and access management adoption in Europe&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" 
style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;What should we take away from these articles?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ol&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;While both articles mentioned that the Cloud could be a great IdM enabler, there was not much mentioned in the way of Architecture models by which this could be addressed.  Guess you have to engage Forrester for that information.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Looking for IT and IS goals such as &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Privileged&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt; User Management can be a great way to gain additional acceptance for an IdM project.  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Another issue that the articles do not mention is that acceptance can be promoted by leveraging established ERP applications. 
Both Oracle and SAP now have Identity Management Systems that have specific functionality to provision in their respective internal landscapes as well as to the Enterprise in general.  IBM also features similar tools for their infrastructure.  Seems to me that along with Privileged User Management as discussed above, this could be another tool to gain IdM project acceptance (and more importantly, budget dollars). Quite a few project proposals I've come across lately are adopting this methodology. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="line-height: 18px; font-size:medium;"&gt;Finally, I'd like to comment on the complexity issue.  IdM is made complex when organizations do not execute from an agreed-upon game plan.  This plan does not need to be all that complex, and briefly consists of the following:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;span class="Apple-style-span"   style="  line-height: 18px; font-family:georgia;font-size:medium;"&gt;Understanding the Identity related needs of the organization&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"   style="  line-height: 18px; font-family:georgia;font-size:medium;"&gt;Prioritizing those needs based on potential return which could be based on, &lt;/span&gt;&lt;span class="Apple-style-span"   style="  line-height: 18px; font-family:georgia;font-size:medium;"&gt;time savings, &lt;/span&gt;&lt;span class="Apple-style-span"   style="  line-height: 18px; font-family:georgia;font-size:medium;"&gt;monetary return (ROI through reduced Help Desk calls) or consolidation of workflow, portals and other IT infrastructure, and ability / time needed to design and develop the parts of the solution&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"   style="  line-height: 18px; font-family:georgia;font-size:medium;"&gt;Executing a 
Project Plan based on these criteria&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="line-height: 18px; font-size:medium;"&gt;Like I said it does not need to be complex, but does require a certain amount of Project Management and, perhaps more importantly, buy in from the various project sponsors. Avoiding complexity in determining objectives, results in lower complexity of the finished product.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="line-height: 18px; font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="line-height: 18px; font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="line-height: 18px; font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-9215273092250462888?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/9215273092250462888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=9215273092250462888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9215273092250462888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9215273092250462888'/><link rel='alternate' 
type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/05/conflicting-views-on-idm-acceptance.html' title='Conflicting Views on IdM Acceptance'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4573232365220696227</id><published>2010-05-13T09:16:00.002-04:00</published><updated>2010-05-13T09:36:35.326-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='consolidation'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><title type='text'>SAP + Sybase = Oracle</title><content type='html'>I've been wondering when SAP would finally acquire a decent database. I was quite astounded when SAP passed on MySQL and let it go to &lt;a href="http://idm-thoughtplace.blogspot.com/2009/09/database-sun-oracle-acquisition.html"&gt;SUN&lt;/a&gt;. (A complete waste in my opinion since now it's a 3rd class citizen in &lt;a href="http://idm-thoughtplace.blogspot.com/2009/04/where-oh-where-will-mysql-go.html"&gt;Oracle&lt;/a&gt;-land)&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now we see that &lt;a href="http://www.foxbusiness.com/story/markets/industries/glance-sap-bids--billion-sybase/"&gt;SAP has purchased Sybase&lt;/a&gt;.  An interesting purchase to be sure and one that will have some far reaching implications. 
First off, I think SAP will have the ability to go toe-to-toe with Oracle on almost all fronts (Still think they lack a strong access control piece) &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It also allows them to include &lt;b&gt;the &lt;/b&gt;missing piece to the entire SAP ecosystem, the environment that everything will live in. Now one wonders if they will pick up a Linux of some sort (SUSE/Novell) to compete with Solaris and maybe a hardware vendor to compete with SUN servers.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;SAP in a box, anyone?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4573232365220696227?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4573232365220696227/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4573232365220696227' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4573232365220696227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4573232365220696227'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/05/sap-sybase-oracle.html' title='SAP + Sybase = Oracle'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5868152671949977307</id><published>2010-05-03T14:43:00.002-04:00</published><updated>2010-05-03T14:46:35.908-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Glad to see them getting into the act</title><content type='html'>&lt;div&gt;It was fantastic to see SAP actively stepping into the Identity Management discussion in the article &lt;a href="http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18983"&gt;Better services in higher education? Without Identity Management: no chance!&lt;/a&gt; &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I've long been a proponent of bringing IdM to Higher Education.  With constantly changing user populations, complex access management needs, and many disparate systems to connect to, usage of an IdM system seems to be a no-brainer. Add on the need for Compliance controls given HIPAA, Student Loans, etc., and there's an even greater need.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Here in the US, it seems that Oracle has been the 500 pound gorilla pushing IdM in the Higher Education space. Nice to see that there is another vendor stepping up!  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5868152671949977307?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5868152671949977307/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5868152671949977307' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5868152671949977307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5868152671949977307'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/05/glad-to-see-them-getting-into-act.html' title='Glad to see them getting into the act'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2208631835860349833</id><published>2010-04-20T11:07:00.002-04:00</published><updated>2010-04-20T11:17:27.203-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' 
term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><title type='text'>More on SailPoint</title><content type='html'>In reviewing yesterday's post, I realized I got a little off my intended track of talking about my SailPoint training, and spent more time talking about IdM Architecture.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In light of that, let me talk a little bit more about SailPoint and what they have to offer.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The SailPoint product seems pretty darn interesting. It does a fantastic job of linking in to various types of repositories (LDAP, Database, ERP, flat files, etc) that are found in the Enterprise and brings them into a common repository known as the Identity Cube (love this name, BTW)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Once the data is in the Identity Cube, all the fun begins, we can then do Role Mining, Segregation of Duties and other forms of Compliance analysis, and most importantly, Certification/ Attestation. It's easy to do all sorts of searches and analysis on the information held within the Cube and produce everything from application centric user role reports to IT Security oriented Risk scores  based on role, application and group membership.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm going to find it pretty darn hard to believe that Enterprise IT and auditing departments will be able to work without a tool such as this in the future. 
This application is a great add on to add to current Identity and Risk Management projects and I'm looking forward to working with it.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2208631835860349833?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2208631835860349833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2208631835860349833' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2208631835860349833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2208631835860349833'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/04/more-on-sailpoint.html' title='More on SailPoint'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8386652691879139084</id><published>2010-04-19T11:21:00.004-04:00</published><updated>2010-04-19T11:44:32.012-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Burton'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category 
scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>SailPoint Training</title><content type='html'>&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;Not too bad when you get to go to two training classes in a row.  Even better when they are on cool technologies like SAP &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;NetWeaver&lt;/span&gt; Identity Manager and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;SailPoint's&lt;/span&gt; Identity IQ. &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;Had a great time and learned lots of stuff down in Austin, TX with the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;SailPoint&lt;/span&gt; team.  Clearly, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;IdM&lt;/span&gt; field continues to expand and redefine itself as a combination of regulation and security concerns demand better audit and compliance rules. Corporate Governance policies are finding themselves enforced as IT tools embrace certification and audit along with "old school" concepts such as user provisioning, password management and access control. 
I think &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;SailPoint&lt;/span&gt; will be aggressively moving forward to complete this integration to produce a new "Compliance Driven" &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;IdM&lt;/span&gt; model.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;Given these developments, I find it hard to understand how Burton Group feels that "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;IdM&lt;/span&gt; is not aging gracefully" as pointed out in an abstract on Bob &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;Blakely's&lt;/span&gt; latest &lt;a href="http://www.burtongroup.com/Research/PublicDocument.aspx?cid=1895"&gt;paper&lt;/a&gt;, "&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;Identity and Privacy Strategies Assessment (Single Instance Use Case)"&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;While I have the greatest respect for the folks at Burton, I have to say I cannot disagree more with this assessment. 
(Disclosure: I am not currently a Burton Group customer and as such only have access to the abstract and have not read the whole article)&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;IdM&lt;/span&gt; is rising to meet several challenges, as I have indicated above, and if there are architectural flaws it is due more to the fact that current providers are channeling the products to reflect their application suites. Oracle, SAP and Microsoft all embrace some part of their technologies for application serving or the front end or require specialized programming in the form of JAVA, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;Xpress&lt;/span&gt; or &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;ABAP&lt;/span&gt; and are increasingly being engineered to work first with their own products and then addressing the rest of the enterprise (SAP is particularly guilty here)&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;I also foresee additional growth as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;IdM&lt;/span&gt; embraces new technologies in User Identification. A tighter integration between Biometrics, Smart Cards and other identifiers becomes more mainstream. 
However, before this can begin, IT and IS have to agree on standards and adoption of these identification methods.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: georgia; font-size: medium; line-height: 16px; "&gt;Also let's not forget about the Specter of Federated Identity Services.  While there have been several successful architectures developed, it's still one of the most complicated &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;IdM&lt;/span&gt; scenarios out there. Perfecting the Federation Use Case and its easy deployment will kick off another chapter in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;IdM's&lt;/span&gt; steady evolution.&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8386652691879139084?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8386652691879139084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8386652691879139084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8386652691879139084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8386652691879139084'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/04/sailpoint-training.html' title='SailPoint Training'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3198336955250775731</id><published>2010-04-10T12:49:00.002-04:00</published><updated>2010-04-10T12:58:10.741-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='MaXware'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>SAP IdM Training - Wrapup</title><content type='html'>The last day of the training was an excellent conclusion.  We spent a few hours connecting to SAP JAVA and ABAP systems.  In general the SAP connectors work quite well.  I'll be much happier, however  if the Trondheim development team creates real to/from SAP passes rather than relying on custom connectors, and of course, the end of the MMC management interface!&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I also had more exposure to the new UI and as one SAP insider commented to me, what it lacks in flexibility, it makes up for in security and language localization, which I cannot disagree with.  Even if a company in need of Identity Management is not a SAP shop, it should consider SAP NetWeaver IDM in environments where multiple languages need to be supported.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In general, I think the product is moving in the right direction.  
Looking forward to getting on some planned projects in the next few weeks, plus whatever else might come up!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3198336955250775731?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3198336955250775731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3198336955250775731' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3198336955250775731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3198336955250775731'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/04/sap-idm-training-wrapup.html' title='SAP IdM Training - Wrapup'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-917447580584466736</id><published>2010-04-08T22:49:00.003-04:00</published><updated>2010-04-08T22:57:31.120-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='MaXware'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>SAP IdM Training Continued</title><content type='html'>&lt;div&gt;Still impressed with the training class.  I’ve found it interesting how they’ve been able to give the class a good flavor of how NetWeaver IdM works.  I think the folks in the class are getting a solid foundation in what the product can do.  Everyone in the class is looking forward to working with the SAP Provisioning framework which is the emphasis of the last day of class.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I also received a nice tip today. Take a look at this new &lt;a href="http://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/library/uuid/80771942-8423-2d10-0f99-f64d072fcb45"&gt;document&lt;/a&gt; from SAP (I believe it is a general access document) &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;An interesting discussion of reconciliation from an ERP context.  Most people typically reconcile against an enterprise directory, but when working with an ERP system as the authoritative source, it makes sense to have a reconciliation process against this system as well.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It's also been interesting seeing the general improvements to the product.  While I miss the ease of installation, speed and flexibility of NW IDM 7.0 (Not to mention MaXware Identity Center) the new version shows better scalability than ever before.  Little tweaks like adjusting the attention dispatchers should give to different task types, to improved role / management handling and event handling.  The interface is not terrible and the WebDynPro UI lacks the flexibility of the old PHP, but it is a heckuva lot more functional, particularly where multi-valued attributes, roles and privileges are concerned. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;After SailPoint training and some customer facing work (gotta earn some money!) 
I'll be looking forward to setting up a lab environment for the rest of the IdM team at CTI.  Once that's done we'll be up to giving some demonstrations to clients and other interested parties.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Long time since I ran an IdM demo...&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll be sure to comment on the SAP Provisioning Framework sometime over the weekend.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-917447580584466736?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/917447580584466736/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=917447580584466736' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/917447580584466736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/917447580584466736'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/04/sap-idm-training-continued.html' title='SAP IdM Training Continued'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3828847480436540190</id><published>2010-04-05T19:45:00.001-04:00</published><updated>2010-04-05T19:48:16.166-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>SAP Training, day 1</title><content type='html'>&lt;p class="MsoNormal" style="mso-pagination:none;mso-layout-grid-align:none; text-autospace:none"&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;I'm attending a SAP Training Class on NetWeaver Identity Management 7.1 this week.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;So far I've been really impressed.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;SAP has done a great job updating the training materials and the trainer is knowledgeable and well prepared.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-pagination:none;mso-layout-grid-align:none; text-autospace:none"&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;Been getting some nice tidbits on what's happening with the future of Identity Management at SAP. First of all, contrary to popular rumor CUA is not being directly "killed" by SAP anytime soon.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;CUA is being condemned to a slow death as SAP will no longer be updating the product. It would seem, based on some quick conversations I've had with some SAP customers. I also had an interesting chat with a SAP evangelist, who was quite excited about IDM replacing CUA. 
As we both noted:&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-pagination:none; mso-list:l0 level1 lfo1;mso-layout-grid-align:none;text-autospace:none"&gt;&lt;span lang="EN" style="font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol;mso-ansi-language:EN"&gt;&lt;span style="mso-list:Ignore"&gt;·&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;CUA only works for ABAP systems (Sorry Java, but there's no provisioning for you)&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-pagination:none; mso-list:l0 level1 lfo1;mso-layout-grid-align:none;text-autospace:none"&gt;&lt;span lang="EN" style="font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol;mso-ansi-language:EN"&gt;&lt;span style="mso-list:Ignore"&gt;·&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;CUA offers no Workflow and little audit tracking (Audit, we don't need no stinking audit!)&lt;br /&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-pagination:none;mso-layout-grid-align:none; text-autospace:none"&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;Based on this, why would anyone not be interested in upgrading?&lt;span style="mso-spacerun:yes"&gt;  
&lt;/span&gt;Well, it all has to do with change. These are some considerations when making a change to your SAP infrastructure.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-pagination:none; mso-list:l0 level1 lfo1;mso-layout-grid-align:none;text-autospace:none"&gt;&lt;span lang="EN" style="font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol;mso-ansi-language:EN"&gt;&lt;span style="mso-list:Ignore"&gt;·&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;Old methodologies need to be updated. If you have been running CUA via scripts, they will have to be evaluated for transformations into workflows and reconciliation processes.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-pagination:none; mso-list:l0 level1 lfo1;mso-layout-grid-align:none;text-autospace:none"&gt;&lt;span lang="EN" style="font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol;mso-ansi-language:EN"&gt;&lt;span style="mso-list:Ignore"&gt;·&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;Help Desk and administrative users need to be trained to use the new technology.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;While the training will probably not be extensive, there's still a real cost in time and money to do this.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt; 
 &lt;p class="MsoNormal" style="margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-pagination:none; mso-list:l0 level1 lfo1;mso-layout-grid-align:none;text-autospace:none"&gt;&lt;span lang="EN" style="font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol;mso-ansi-language:EN"&gt;&lt;span style="mso-list:Ignore"&gt;·&lt;span style="font:7.0pt &amp;quot;Times New Roman&amp;quot;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;It's not broken, why fix it?&lt;br /&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-pagination:none;mso-layout-grid-align:none; text-autospace:none"&gt;&lt;span lang="EN" style="mso-ascii-font-family:Calibri; mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language: EN"&gt;At this point in time, I don't know that there is a compelling case to make &lt;i&gt;immediate &lt;/i&gt;changes to an existing CUA implementation. 
However, if you are planning on making changes to your SAP infrastructure, this would be a good time to review your use cases and see if there is a good business reason for adopting NetWeaver Identity Management for your SAP infrastructure instead of CUA.&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="mso-pagination:none;mso-layout-grid-align:none; text-autospace:none"&gt;More tidbits as I encounter them...&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3828847480436540190?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3828847480436540190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3828847480436540190' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3828847480436540190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3828847480436540190'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/04/sap-training-day-1.html' title='SAP Training, day 1'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-301549267914335548</id><published>2010-03-31T09:14:00.001-04:00</published><updated>2010-03-31T09:15:56.280-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='Humor'/><title type='text'>IdM Humor</title><content type='html'>Saw this &lt;a href="http://blogs.csoonline.com/1178/the_lighter_side_of_passwords"&gt;one &lt;/a&gt;and just had to share it...&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Happy Wednesday!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-301549267914335548?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/301549267914335548/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=301549267914335548' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/301549267914335548'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/301549267914335548'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/idm-humor.html' title='IdM Humor'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2915374405901827622</id><published>2010-03-29T09:30:00.002-04:00</published><updated>2010-03-29T09:36:14.909-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Virtual Directory'/><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>News Update</title><content type='html'>I'm happy to say that I've started what I hope will be a long and successful association with Commercium Technology Inc.  I am now working with them as a Senior Principal Consultant in the Identity and Access Management group.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm looking forward to working with SAP Identity Management, Virtual Directory and other exciting technologies like SailPoint.  I'm looking forward to learning (and writing) about all of this in the weeks and months to come.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Please feel free to reach out if we can help you or your organization with your Identity Management or Compliance needs!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2915374405901827622?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2915374405901827622/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2915374405901827622' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2915374405901827622'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2915374405901827622'/><link 
rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/news-update.html' title='News Update'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-9043355591100430512</id><published>2010-03-19T21:19:00.002-04:00</published><updated>2010-03-19T21:24:15.449-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='ROI'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>The Myth and Reality of ROI</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Ultimately IT departments (and their clients) are concerned with a reduction in complexity, whether we are considering Identity Management, GRC, Information Security or any other initiative. This can be measured in a number of ways:&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Lowered TCO&lt;/li&gt;&lt;li&gt;Reduced Help Desk call counts&lt;/li&gt;&lt;li&gt;Increased usage of existing tools&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;No matter what metric is used, this is ultimately measured as Return on Investment, yes the dreaded ROI. Investment in software tools is always weighed against what this potential ROI can offer. Most firms specializing in Enterprise Software are more than happy to offer an ROI calculator to prove the value of their offerings.&lt;/p&gt;&lt;p class="MsoNormal"&gt;Customers and their Business Analysts consistently find that the ROI claims do not hold water. 
There are a couple of reasons for this, in my estimation:&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;The ROI Calculator is defined too narrowly – Only a few parameters are highlighted in the calculator, and it is therefore incomplete. For example, there’s no consideration for hardware costs, data costs, High Availability considerations, etc.&lt;/li&gt;&lt;li&gt;The ROI Calculator is defined too broadly – The only way the numbers work is when they are applied too broadly.  For instance, when a tool is needed for a workgroup or single location, but total enterprise numbers are the only ones that make it work.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Does this mean that the companies sponsoring the ROI are crooks and liars?  Or those potential customers can’t do basic math?  No, not at all. Just that everyone involved needs to be aware of how we plan to measure ROI. Vendors need to consider what the customer needs, while customers need to make sure that the offered metrics in the ROI calculator actually affect their organization.&lt;/p&gt;&lt;p class="MsoNormal"&gt;When I first started outlining this entry it was more about technology and how the reduction in complexity would translate into required services whether they were based in the local data center or the cloud, however a discussion of the ROI benefits.  The takeaway here is that once again business analysis is what drives the discussion.&lt;/p&gt;&lt;p class="MsoNormal"&gt;From the technology side, the problem is fairly straightforward; do you use a simple monitoring solution that reacts to inform the client’s datacenter or a more modern intelligent system as advocated by Adrian Rodriguez and the team over at &lt;a href="http://blogs.likemindsconsulting.com/2010/03/11/managed-service-offerings--reactive-proactive-or-better-yet-preventative.aspx"&gt;Likeminds&lt;/a&gt;?  
Along with a discussion of what the Enterprise’s requirements are, it will also depend on how these intelligent systems are evolving.  It will be fun to watch, that’s for sure!&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-9043355591100430512?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/9043355591100430512/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=9043355591100430512' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9043355591100430512'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9043355591100430512'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/myth-and-reality-of-roi.html' title='The Myth and Reality of ROI'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2270911687359518102</id><published>2010-03-16T09:13:00.004-04:00</published><updated>2010-03-16T09:19:28.292-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='managed services'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>New Blogroll Entry</title><content type='html'>Just started following a blog run by some old friends of mine. 
A link to their blog now appears in my blogroll.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I had the good fortune to work with Adrian Rodriguez and Ramanth Krishnamurthi at various projects while at Mycroft. They have some interesting thoughts on Access Management, Identity Management and the Managed Services spaces. This is their corporate blog and I think we'll be seeing some interesting things from them in the weeks and months to come.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I foresee many interesting conversations on these topics in the future.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2270911687359518102?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2270911687359518102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2270911687359518102' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2270911687359518102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2270911687359518102'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/new-blogroll-entry.html' title='New Blogroll Entry'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-393923168280001923</id><published>2010-03-09T13:51:00.003-05:00</published><updated>2010-03-09T13:57:07.910-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='post-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='managed services'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>Managed Services Models for IdM: Slomin Shield or Roto-rooter?</title><content type='html'>&lt;div&gt;One of the issues in handling Enterprise level implementations, such as Identity Management is what to do when the project is completed? The answer to that is to make sure it’s monitored and that there is a methodology to manage the implementation.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;First of all we need to make sure that all connected sources and targets are up.  Normally this is not a problem for most enterprise systems since they are monitored from Enterprise Management systems such as HP Openview, CA Unicenter or Microsoft MOM.  It’s essential that in addition to making sure the systems are working, we also need to make sure that the systems are all talking to each other. This specific type of monitoring cannot always be done using these standard tools. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In addition to monitoring it is also important that we can manage the implementation for troubleshooting, maintenance and enhancement. When these concepts are combined, we have a recipe for the concept of Managed Services. 
When I consider the way that managed services work I see two basic models, which I like to call the Slomin Shield and Roto-rooter, two companies you may or may not have heard of.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Slomin’s is an Alarm Company that offers central service monitoring.  If they detect a problem, they call, assess the situation and take appropriate action. &lt;/li&gt;&lt;li&gt;Roto-rooter is a plumbing company known for their quick response to service calls.  &lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;Both organizations represent effective, but different models for providing essential services, but which one is correct for Identity Management? They both have their pluses and minuses depending on the organization’s business drivers, staffing needs and high availability requirements. Based on some of my thinking this is how these models would work for Identity Management.&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;The Roto-rooter model is a reactive model.  When an organization sees that something needs to be done, a call is made for support services.  More often than not, there is an arrangement for providing these support services. Engagement is made on an as needed basis for dealing with enhancement and upgrade processes.&lt;/li&gt;&lt;li&gt;I would characterize the Slomin’s model as a more proactive model. In this model, there would be ongoing monitoring to make sure essential servers are responsive. As soon as incidents are uncovered contact is made with corporate IT to provide information on system status  and likely causes of the problem. Resolved incident details would be entered into a knowledge base to provide historical data not only on what failed, but why it failed. 
Furthermore there is an ongoing review of needed enhancements and comprehensive review of patches to determine applicability.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;Like I said before, I don’t know that one model is inherently better than the other.  The decision to embrace a particular model depends more on the organizations’ business needs and requirements.  I hope to examine the pros and cons of each model in future entries.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-393923168280001923?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/393923168280001923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=393923168280001923' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/393923168280001923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/393923168280001923'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/managed-services-models-for-idm-slomin.html' title='Managed Services Models for IdM: Slomin Shield or Roto-rooter?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2089288341974617836</id><published>2010-03-04T15:34:00.002-05:00</published><updated>2010-03-04T16:00:42.187-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Legal'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><title type='text'>201 CMR 17</title><content type='html'>I've been hearing some buzz about this legislation lately.  For those that have not heard, 201 CMR 17 is a Massachusetts state law that specifies standards for the access, storage and management of personal information for state residents. (Full text of the law can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf"&gt;here&lt;/a&gt;.)  &lt;div&gt;While this blog has been more of a forum about Identity Management rather than Identity Theft, I still thought this was an interesting thing to discuss.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For the first time there is real comprehensive discussion of how data should be managed for the general public.  While HIPAA and SOX mandate similar practices, this is the first legislation that says all personal information is important, not just the information as it pertains to specific groups or industries. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I do think that this is good for the Identity Management industry for a few basic reasons:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;There's no such thing as too much security&lt;/li&gt;&lt;li&gt;Laws like this promote development of good access management infrastructure&lt;/li&gt;&lt;li&gt;It gives us a chance to reexamine existing role / access assignments &lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Of course this is always interesting to an old fashioned provisioning guy like me since it means we need to develop the existing User Life-cycle process to make sure that we are building in stronger access management as noted above. Laws like this will make us think again about concepts of:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Attestation / Recertification&lt;/li&gt;&lt;li&gt;Role Assignment / Segregation of Duties&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;Sometimes this will be an audit of what rights  / permissions users have over various File System / ERP / Database objects.  Sometimes it will be a complete reassignment of these rights.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Planning for complying with this law will require planning and forethought.  The state of Massachusetts has provided a &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf"&gt;FAQ &lt;/a&gt;and a &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf"&gt;checklist &lt;/a&gt;to help begin the planning process. 
However, I think at the very least a complete review of current processes combined with a thorough gap analysis from a knowledgeable project team is needed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As I think more on this, I will be posting my thoughts on what the 201 CMR 17 planning process will look like.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2089288341974617836?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2089288341974617836/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2089288341974617836' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2089288341974617836'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2089288341974617836'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/03/201-cmr-17.html' title='201 CMR 17'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-156164586069790486</id><published>2010-02-15T08:23:00.005-05:00</published><updated>2010-02-15T10:00:43.176-05:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>Identity Management and GRC: The Analogy</title><content type='html'>I find it interesting how IdM implementations are no longer considered to be "complete" without considering the inclusion of GRC applications. Recent architecture discussions I've been in always seem to include mention of how the two applications should interact. It was not all that long ago that GRC was considered to be unhelpful in promoting security. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In discussions with other IdM and IT Security folks, the general consensus seems to be that IdM solutions should provide the provisioning "muscle" to provide the action and provide feedback along the workflow based "nervous system" to the GRC "brain" that decides what action should be taken and to record it in memory.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I find this analogy to be quite helpful when describing the roles (sorry for the pun) each application should take in the overall IT Security Architecture.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;However, the questions do not end here. It will be interesting to watch over the next months and years to see if IdM becomes a subset of GRC or vice versa. What are the advantages? What are the disadvantages? How will SaaS affect these changes? 
Hopefully product announcements, briefings and real world experience will answer these questions soon.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;UPDATE -- Just saw this &lt;a href="http://www.networkworld.com/news/tech/2010/021110-identity-governance.html"&gt;link &lt;/a&gt;which had some similar, interesting thoughts as well.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-156164586069790486?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/156164586069790486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=156164586069790486' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/156164586069790486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/156164586069790486'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/02/identity-management-and-grc-analogy.html' title='Identity Management and GRC: The Analogy'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1425249549450947971</id><published>2010-01-25T21:33:00.002-05:00</published><updated>2010-01-25T21:41:13.483-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category 
scheme='http://www.blogger.com/atom/ns#' term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Ok, it's been a while</title><content type='html'>Sorry it's been a while since I've posted.  Been considering a lot of things lately and it's been just a little bit hectic over the last three months.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Working on some new things and I hope to share developments shortly.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;However I'd like to comment on two things that I've noticed lately.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;1. As always documentation is THE MOST IMPORTANT part of your IdM project.  If you are a consultant, it's what you are ultimately paid for.  Yes, you might design connectors, solutions, etc, but that is only part of it.  Without documentation to allow your customers to keep working, they are crippled.  As the wise person once said, "Give a person a fish, you feed them for a day, teach them to fish and you feed them for a lifetime."  As the customer, you must have some documentation in place to provide a starting point for your work. I am currently working with a company now to assist in  this and it will be the foundation for further work.  These folks are starting off on the right foot and using their heads.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;2. I was recently asked "What's the right product for our organization?"  My question back was what do you run and what do you want to do?  I don't know that I'd recommend ILM in an all *NIX environment, for example.  We need to listen, learn, think and THEN execute.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;That's it for the moment.  I might have some other thoughts in the days ahead.  
I'll be sure to share.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1425249549450947971?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1425249549450947971/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1425249549450947971' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1425249549450947971'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1425249549450947971'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2010/01/ok-its-been-while.html' title='Ok, it&apos;s been a while'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3661695270301810606</id><published>2009-09-21T12:00:00.005-04:00</published><updated>2009-09-21T16:05:50.752-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Matt Flynn'/><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='blog'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category 
scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Project Listening</title><content type='html'>&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;At the end of my last post I made a &lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;a href="http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html"&gt;reference &lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;to pay attention to the customer's needs when planning and executing an Identity Management project:&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;...Whether you are a consultant helping a client with their solution or an internal employee building your firm's Identity Management strategy, you still have a client, and their needs should always come first...&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;I recently took part in a &lt;a href="http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers&amp;amp;discussionID=6782798&amp;amp;gid=41311&amp;amp;commentID=6532361&amp;amp;trk=view_disc"&gt;Linkedin discussion&lt;/a&gt; where the person posting the question asked the question:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="line-height: normal; font-family:arial, sans-serif;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span" style="line-height: normal; "&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;...I would be interested in your take on the latest and greatest products to implement for Identity and Access Management needs across the enterprise. 
Thoughts / comments...&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;I gave a pretty straightforward answer which covered some informative (in my opinion) basics centering on looking at the basic systems in the enterprise and advised the questioner to move forward from there. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;There were a lot of people who went on another tangent, which was a more consultative answer... Find out what you need and then go to match technology.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Sounds like we have a chicken and the egg here. We cannot determine what technology fits until we determine how the technology is to be used.  
We also cannot determine how to use the technology unless we know what the technology can do.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Who is right?  Who is wrong?  I don't think either viewpoint is wrong.  The fact is the first questions should have been along the lines of:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Have you determined use cases?&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Have you begun to look at what technologies are out there?&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Who is using the system?&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, sans-serif;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Nothing about management, systems, or anything else.  The initial basic tasks must be this broad outline.  
Once these big questions are answered we can then fill in the holes and determine how to answer all the little questions.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style=" line-height: 18px; "&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style=" line-height: 18px;font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Incidentally, my answer came from the fact that the questioner specifically wanted to know about technology.  Since the initial posting he has not made any comments on which approach he needed, but I did see that my good friend and fellow blogger, &lt;/span&gt;&lt;a href="http://360tek.blogspot.com/"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;Matt Flynn&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt; posted as well!&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style=" line-height: 18px;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:georgia;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"    style="font-family:'Trebuchet MS', Verdana, Arial, sans-serif;font-size:100%;color:#333333;"&gt;&lt;span class="Apple-style-span"  style=" line-height: 18px;font-size:13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3661695270301810606?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3661695270301810606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3661695270301810606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3661695270301810606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3661695270301810606'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/09/project-listening.html' title='Project Listening'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-246633695677398733</id><published>2009-09-18T15:51:00.001-04:00</published><updated>2009-09-18T15:51:21.965-04:00</updated><title type='text'>IdM vs IAM</title><content type='html'>I've actually been thinking about this for a while after several conversations and then reading a blog entry by Earl Perkins of &lt;a href="http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/"&gt;Gartner&lt;/a&gt;, which made me realize that it is time to bring this discussion into the open.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;All too often IdM (Identity Management) and IAM are used interchangeably and this is not a good thing. Let's break it all down:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Identity Management has to do with the creation, maintenance and eventual retiring of enterprise accounts. 
Many people, myself included, have discussed this concept in blog entries, presentations, white papers and other forms of media. Sometimes, but not always, workflow mechanisms might be used to handle processes in a specific order or allow for approvals by a specific person or persons.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;IAM (Identity and Access Management) is about the extra use of controls for Web or Physical Access Management. From the Gartner article this seems to be more about configuring a user in a multi-factor authentication, a firewall device or SSO app rather than setting Active Directory's userAccountControl attribute. It may or may not deal with provisioning to enterprise systems as mentioned above in IdM, but it will provide for population of the Access Management system.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So what can we conclude from this? I've come up with three basic scenarios:&lt;/div&gt;&lt;div&gt;&lt;ol&gt;&lt;li&gt;IAM is just another system for IdM to manage. This makes sense when considering the relationship between NW IdM and GRC.&lt;/li&gt;&lt;li&gt;IAM is a super-set of IdM - I think this is how we should consider projects where the IdM system is tasked with heavy role and group management which then ties into the Access Management Tools.&lt;/li&gt;&lt;li&gt;IAM is a completely separate discipline with separate systems. This could be the case when there is extreme segregation of the provisioning and security infrastructures.&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;I don't think that there is any problem with any of these scenarios, after all, according to &lt;a href="http://idm-thoughtplace.blogspot.com/2008/05/pollicoves-law-identity-management.html"&gt;Pollicove's Law of Provisioning&lt;/a&gt;, every implementation will have its own unique architecture that needs to be satisfied. I don't even think that there's much of a difference between the first two scenarios from an operational context. 
Rather, the real difference is going to be architectural and based on working with your customers. Whether you are a consultant helping a client with their solution or an internal employee building your firm's Identity Management strategy, you still have a client, and their needs should always come first, but that is a thought for another day. (coming soon)&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-246633695677398733?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/246633695677398733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=246633695677398733' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/246633695677398733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/246633695677398733'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html' title='IdM vs IAM'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-9182313075682093137</id><published>2009-09-11T11:39:00.003-04:00</published><updated>2009-09-11T11:50:49.469-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>The Bigger Picture</title><content type='html'>In the Identity Management field, there's a lot of thought placed on how to provision users, and even more thought (rightly placed) on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;de&lt;/span&gt;-provisioning users.  After all, if users can't get into the systems, you get no return from them since they are not as productive.  Similarly, we also know that leaving user accounts active in the system leaves an organization open to data loss, financial and legal risk, and loss of productivity.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;However, what of the middle of the user life cycle? User profiles and access need to be maintained as they change titles, departments and locations. It is also important to record this information for compliance/audit reasons.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;IdM&lt;/span&gt; provisioning tools are probably the best tools for managing these changes in access for enterprise systems. While tools such as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;SAP's&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;GRC&lt;/span&gt; are excellent for work in SAP systems, they are useless outside of them. 
Same goes for Active Directory / &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;LDAP&lt;/span&gt; specific tools, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;PeopleSoft&lt;/span&gt; specific tools, etc. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;IdM&lt;/span&gt; systems have the ability to connect to all of these (and more) systems.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Leave the provisioning, role assignment and management to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;IdM&lt;/span&gt; system and rely on specialty tools for specialty needs.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-9182313075682093137?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/9182313075682093137/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=9182313075682093137' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9182313075682093137'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9182313075682093137'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/09/bigger-picture.html' title='The Bigger Picture'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3747007575203503469</id><published>2009-09-03T10:16:00.008-04:00</published><updated>2009-09-03T13:17:57.377-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='consolidation'/><category scheme='http://www.blogger.com/atom/ns#' term='SAP'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><title type='text'>(Database - Sun) + Oracle = Acquisition</title><content type='html'>It seems that the &lt;a href="http://www.nytimes.com/2009/09/04/technology/companies/04oracle.html?_r=1&amp;amp;partner=rss&amp;amp;emc=rss"&gt;Europeans are putting their two cents into&lt;/a&gt; the pending acquisition of Sun by Oracle.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Can't say I'm surprised as many businesses in Europe and around the &lt;a href="http://www.allbusiness.com/services/business-services/4308073-1.html"&gt;world&lt;/a&gt; use MySQL.  I've often thought that this more than anything else would get in the way of the acquisition.  Of all the areas of overlap, this seems to be the one that matters the most.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Oracle already owns one of the biggest databases around, now it stands to acquire another one with &lt;a href="http://www.sun.com/aboutsun/media/presskits/2008-0116/mysql_factsataglance.pdf"&gt;world wide&lt;/a&gt; appeal. 
As the article quoted above mentions:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style=" line-height: 22px; font-size:15px;"&gt;&lt;blockquote&gt;Regulators must “examine very carefully the effects on competition in Europe when the world’s leading proprietary database company proposes to take over the world’s leading open-source database company,” &lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;It's also a key part of the SAP system (in the form of MaxDB), which I am sure is part of the European investigation whether it is specifically mentioned or not, as the article also states:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style=" line-height: 22px; font-size:15px;"&gt;&lt;blockquote&gt;“the enquiry will focus on the extent to which open-source software developers would be able to continue to develop software based on the open-source MySQL database,” which Sun bought last year and which is widely used.&lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;I'm still thinking that the simplest solution is to sell MySQL to SAP.  It would create a level playing field between Microsoft, Oracle/Sun and SAP.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;All would have ERP and database tools.  Microsoft and Oracle/Sun would still have  operating systems, but I don't think this is a big issue for SAP since they run just fine on both. 
Additionally I think we all realize that SAP drives purchases of operating systems and tools from the other companies.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Can't wait to see what happens...&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3747007575203503469?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3747007575203503469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3747007575203503469' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3747007575203503469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3747007575203503469'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/09/database-sun-oracle-acquisition.html' title='(Database - Sun) + Oracle = Acquisition'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8382575471157962611</id><published>2009-06-29T14:31:00.004-04:00</published><updated>2009-06-29T14:51:36.786-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='governance'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>Where are the controls</title><content type='html'>I got this "joke" email from a family member, which I think proves some interesting points in the field of &lt;span id="SPELLING_ERROR_0" class="blsp-spelling-corrected"&gt;Identity&lt;/span&gt; Management, especially where governance controls are involved:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;Outside the Bristol Zoo, in England, there is a parking lot for 150 cars and 8 coaches, or buses.&lt;/p&gt;&lt;p&gt;It was manned by a very pleasant attendant with a ticket machine charging cars £1 (about $1.40) and coaches £5 (about $7).&lt;br /&gt;&lt;br /&gt;This parking attendant worked there solid for all of 25 years. Then, one day, he just didn't turn up for work.&lt;br /&gt;&lt;br /&gt;"Oh well", said Bristol Zoo Management - "we'd better phone up the City Council and get them to send a new parking attendant..."&lt;br /&gt;&lt;br /&gt;"Err ... no", said the Council, "that parking lot is your responsibility."&lt;br /&gt;&lt;br /&gt;"Err ... no", said Bristol Zoo Management, "the attendant was employed by the City Council, wasn't he?"&lt;br /&gt;&lt;br /&gt;"Err ... NO!" insisted the Council.&lt;/p&gt;&lt;p&gt;Sitting in his villa somewhere on the coast of Spain, is a bloke who had been taking the parking lot fees, estimated at £400 (about $560) per day at Bristol Zoo for the last 25 years. Assuming 7 days a week, this amounts to just over £3.6 million ($7 million)!&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;So what's the point here?  
Without governance controls anyone can come in and rule the roost.  &lt;span id="SPELLING_ERROR_1" class="blsp-spelling-corrected"&gt;There&lt;/span&gt; is no accountability, control or record.  I know I've been harping on this a lot lately, but it just seems to me that if controls are not in place and a means for reviewing the &lt;span id="SPELLING_ERROR_2" class="blsp-spelling-corrected"&gt;implementation&lt;/span&gt; and usage of the controls, anyone can walk away with the keys to the kingdom as it were.&lt;br /&gt;&lt;br /&gt;This is much like what happened with &lt;a href="http://idm-thoughtplace.blogspot.com/2009/06/central-management.html"&gt;&lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;Abdirahman&lt;/span&gt; Ismail &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-error"&gt;Abdi&lt;/span&gt;&lt;/a&gt; or even &lt;a href="http://idm-thoughtplace.blogspot.com/2008/07/insider-threat.html"&gt;Terry &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-error"&gt;Childs&lt;/span&gt;&lt;/a&gt;, both of whom I have commented on before.  
If either one of them had been subject to some sort of governance process it would have been much more difficult for them to execute their schemes.&lt;br /&gt;&lt;br /&gt;After all, you know what they say, "a million here, a million there and soon we're talking about real money."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8382575471157962611?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8382575471157962611/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8382575471157962611' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8382575471157962611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8382575471157962611'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/06/where-are-controls.html' title='Where are the controls'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-849154342975814017</id><published>2009-06-22T13:14:00.003-04:00</published><updated>2009-06-22T13:37:55.148-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' 
term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>Promising News</title><content type='html'>Had an interesting article cross my email today from &lt;a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1359836,00.html"&gt;techtarget.com&lt;/a&gt;.  It nicely dovetails with discussions I've had with many in the IdM and Security fields.&lt;br /&gt;&lt;br /&gt;The basic fact is that businesses save money when they implement Security and Identity Management projects. The cost of one security breach, password exploit, compliance violation, etc. dwarfs the investment in and maintenance of a sound enterprise security infrastructure.&lt;br /&gt;&lt;br /&gt;I found it interesting that the experts quoted in the article specifically referenced encryption, compliance and Identity and Access Management technologies. I would also recommend the use of SSO technologies, which make it easier to enforce password policy and promote compliance.&lt;br /&gt;&lt;br /&gt;In the war of data security, a good defense is the best offense.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-849154342975814017?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/849154342975814017/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=849154342975814017' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/849154342975814017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/849154342975814017'/><link rel='alternate' type='text/html' 
href='http://idm-thoughtplace.blogspot.com/2009/06/promising-news.html' title='Promising News'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5724889845585740488</id><published>2009-06-15T17:16:00.006-04:00</published><updated>2009-06-15T17:30:56.633-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>The Yo-yo theory</title><content type='html'>&lt;span&gt;I was talking to someone the other day about the economy and how IT and security are affected by it and I made the following observation and analogy:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Everyone knows IT spending is important and can result in real benefit to the company however, there's a tendency to use yo-yo budgeting.&lt;br /&gt;&lt;br /&gt;When things get tough, the yo-yo is dropped as spending slows and we expect IT to run on the bottom for as long as possible, but eventually we need to catch up and snap the yo-yo back up and we catch up on technology. &lt;/blockquote&gt;Maybe the reasoning is a bit simplistic (after all I'm an IdM architect, not an economist) but I think it holds up and I'm pretty sure that this model would extend beyond IT as well. I'm wondering how much the model holds, does a slower decline mean you can stay down longer or not? 
Does each department have its own yo-yo?&lt;br /&gt;&lt;br /&gt;Where's an economist when you need one?&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5724889845585740488?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5724889845585740488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5724889845585740488' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5724889845585740488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5724889845585740488'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/06/yo-yo-theory.html' title='The Yo-yo theory'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-9077522357669855866</id><published>2009-06-07T09:20:00.008-04:00</published><updated>2009-06-07T09:47:28.001-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='de-provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><title type='text'>Central 
Management</title><content type='html'>&lt;div&gt;&lt;p&gt;One of the objectives in my trip to Europe is to consider what additional systems an Identity Management system should be supporting.&lt;/p&gt;
&lt;p&gt;Perhaps the biggest area that is not being supported is security applications. One wonders why this is so. Being able to centrally manage Smart Cards, Certificates, and Tokens is critical in maintaining security and regulatory compliance.&lt;/p&gt;
&lt;p&gt;Take this example, where &lt;a href="http://www.itworld.com/security/68311/insider-cal-water-steals-9m-and-runs"&gt;Abdirahman Ismail Abdi&lt;/a&gt; managed to resign and commit 9.2 million dollars in fraudulent wire transfers with his still active electronic key card.&lt;/p&gt;
&lt;p&gt;From an IdM perspective, we need to realize that de-provisioning must cover all sensitive Enterprise systems in a prompt and thorough manner.&lt;/p&gt;
&lt;p&gt;It's also not enough to say that an email notification issued by the provisioning/de-provisioning system is sufficient for anything less than a first phase in an overall Identity Management project.&lt;/p&gt;
&lt;p&gt;By completely automating the process we make sure that everything gets done at termination time. Going with the classic provisioning arguments, we make sure it's done in a timely manner, without the chance of manual operator errors and recorded in the audit/compliance database for future reference.&lt;/p&gt;
&lt;p&gt;Realistically, we make sure that the barn door is closed &lt;i&gt;before&lt;/i&gt; the horse can get out.&lt;/p&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-9077522357669855866?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/9077522357669855866/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=9077522357669855866' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9077522357669855866'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/9077522357669855866'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/06/central-management.html' title='Central Management'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-1050598224070072127</id><published>2009-05-22T07:17:00.002-04:00</published><updated>2009-05-22T07:18:31.141-04:00</updated><title type='text'>How to use a Smart Card?</title><content type='html'>One thing that I am seeing here in Europe is that there is a difference in how "Smart Cards" are perceived.&lt;br /&gt;&lt;br /&gt;In the U.S., we're not too keen on them, and they are mostly used for "proximity" functions, meaning we apply them to readers for physical building access. 
To verify Identity within applications, most organizations prefer to use multi-factor authentication with hardware tokens (e.g., RSA SecurID). Of course, passwords are still used to access physical systems as well, and there is some activity in biometric authentication (fingerprint scanning), but this is still in an early adopter stage, though showing some promise with laptop manufacturers.&lt;br /&gt;&lt;br /&gt;In Europe there is a potentially greater use for Smart Cards. They do the physical access functionality, but are also used to authenticate to enterprise hardware systems, clock in and out, provide digital signatures, VPN access and even pay for lunch in the company cafeteria.&lt;br /&gt;&lt;br /&gt;So it would seem that there are some differences, unless you're in the Executive Branch of government or attached to the Military. In both of those organizations, Smart Cards are required for access and authentication.&lt;br /&gt;&lt;br /&gt;Which model is right? Why do we rely on separate "badging" and "access" mechanisms in the U.S.? Is it because RSA got there first? 
Is it better to have these things separate to provide multi-factor and multi method (card and token) authentication?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-1050598224070072127?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/1050598224070072127/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=1050598224070072127' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1050598224070072127'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/1050598224070072127'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/05/how-to-use-smart-card_22.html' title='How to use a Smart Card?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2929973472244206027</id><published>2009-05-17T09:57:00.003-04:00</published><updated>2009-05-17T10:01:19.139-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='SECUDE Global Consulting'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Identity Abroad</title><content type='html'>I'll be spending the next few weeks doing some work in Germany doing some custom connector work with NetWeaver Identity Manager at our offices in 
Darmstadt, Germany.  I'm hoping to have the chance to learn more about how Identity Management works in a different environment.  I'll be posting my observations from time to time, along with the usual reporting on news and NW IDM tips.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2929973472244206027?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2929973472244206027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2929973472244206027' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2929973472244206027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2929973472244206027'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/05/identity-abroad.html' title='Identity Abroad'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-5698362553238229704</id><published>2009-05-07T10:30:00.003-04:00</published><updated>2009-05-07T10:52:44.107-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtual Directory'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>New School Identity Management?</title><content type='html'>I'm all for a discussion of changes in the Identity Management world; in fact, I encourage them. I think it's a pretty dynamic world. As Mark Diodati mentions in his article "&lt;a title="Changing times for identity management" href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1354848,00.html" target="_blank"&gt;Changing times for identity management&lt;/a&gt;" (login required), there are elements of IdM that are established parts of IT infrastructure, and then there is "New School Identity Management," where he talks about Privileged Account Management, AD Bridges and Virtual Directories.&lt;br /&gt;&lt;br /&gt;All due respect to Mark, who I know has been around the IdM world for some time, but none of these elements should be considered New School; they have been around for quite some time.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Privileged Account Management - I don't know of an engagement I've worked on in the last 5 years that did not have some concern about the creation and management of both Privileged and 
Service accounts. If anything, because of their nature, these accounts have a greater need to be created according to mandated processes and recorded for audit and review.&lt;/li&gt;&lt;li&gt;AD Bridges - While not a technology I've gotten to work with a lot, I know that many a mixed UNIX/Microsoft shop considers the Vintela/Quest tools to be indispensable.&lt;/li&gt;&lt;li&gt;Virtual Directories - Again, a technology that's been around for a long time. I've been working with Virtual Directory technologies since 2004, where I would commonly show customers how to map information, provide access controls and even used the Virtual Directory as a write-back mechanism to supported repositories. &lt;/li&gt;&lt;/ul&gt;I can say that I'm glad these Identity Management technologies are finally getting their time in the sun. Some of these technologies have not been considered as interesting or sexy since they worked with a subset of users. I think we can all agree that there are more end users than UNIX accounts or system accounts so they should receive some more attention.&lt;br /&gt;&lt;br /&gt;However, in the end, the design and implementation of an Identity Management solution must be &lt;em&gt;holistic&lt;/em&gt; in nature. 
Regardless of one's opinion on the New School qualities of all the technologies Mark mentions in his article, they must all be considered and planned for in the final design.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-5698362553238229704?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/5698362553238229704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=5698362553238229704' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5698362553238229704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/5698362553238229704'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/05/new-school-identity-management.html' title='New School Identity Management?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4360246128109976539</id><published>2009-04-21T12:06:00.004-04:00</published><updated>2009-04-21T12:42:39.261-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='consolidation'/><category scheme='http://www.blogger.com/atom/ns#' term='infrastructure'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>Where oh Where will MySQL go?</title><content 
type='html'>Well it's been just over a day since the Oracle/Sun announcement. A lot has been said about the match, some good, some bad.  Most note (as did I) that the Java and Hardware additions to Oracle are a plus and that there's a bit of overlap.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;One of the most interesting elements of overlap is MySQL.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Sun and Oracle have been going tit-for-tat with acquisitions going back to Waveset/Thor a couple of years ago in the IdM space.  Oracle has been doing the same thing with SAP trying to build its own version of NetWeaver and an ERP suite. 
Now all three companies have the same basic arsenal of products with their own specialties:&lt;/div&gt;&lt;div&gt;&lt;ol&gt;&lt;li&gt;Sun offers both hardware/OS layers, Java, and is the elder statesman of the IAM space&lt;/li&gt;&lt;li&gt;Oracle offers the database and is showing great momentum in the IdM and ERP spaces&lt;/li&gt;&lt;li&gt;SAP offers an ERP suite with tight integration via NetWeaver&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div&gt;I can't see that regulators will allow Oracle to hold onto MySQL while they hold the lion's share of the database market (&lt;a href="http://arnoldit.com/wordpress/2008/06/28/idcs-database-market-share-analysis/"&gt;44.3%&lt;/a&gt;). Given this, I wonder what Oracle plans to do with MySQL.  They could move it back to open source and set up an independent organization to manage it, but this does not seem to mesh with the Oracle Corporate Culture, which has not historically been keen on open source.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;My thinking is that SAP should try to acquire it and I wonder why they did not make a try at this before.  MySQL is already the basis for MaxDB and would address a major missing piece of the SAP architecture. Being able to control both the front and back end of the SAP solution set would offer a new level of cohesion for NetWeaver and place it on a more equal footing with Oracle. 
However, I don't &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_13"&gt;foresee&lt;/span&gt; a direct transaction to occur between Oracle and SAP.  Look for the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_14"&gt;spin off&lt;/span&gt; to occur and SAP to make the acquisition as soon as they think they can get away with it.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I don't think SAP will pass on this opportunity a second time.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4360246128109976539?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4360246128109976539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4360246128109976539' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4360246128109976539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4360246128109976539'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/04/where-oh-where-will-mysql-go.html' title='Where oh Where will MySQL go?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8730554558373973623</id><published>2009-04-20T09:25:00.003-04:00</published><updated>2009-04-20T09:49:36.008-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='IdM'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>First thoughts on Sun/Oracle</title><content type='html'>Wow.  &lt;span id="SPELLING_ERROR_0" class="blsp-spelling-corrected"&gt;There's&lt;/span&gt; a lot to consider here.  On the macro level, I can't see this as a bad thing for Oracle.  A hardware stack, ownership of Java, Solaris...&lt;br /&gt;&lt;br /&gt;On the other hand, there would appear to be some significant overlap, databases, &lt;span id="SPELLING_ERROR_1" class="blsp-spelling-error"&gt;ERP&lt;/span&gt;, &lt;span id="SPELLING_ERROR_2" class="blsp-spelling-error"&gt;IdM&lt;/span&gt;...&lt;br /&gt;&lt;br /&gt;I think there's going to be a lot of &lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;CIOs&lt;/span&gt;, &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-error"&gt;CFOs&lt;/span&gt; and &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-error"&gt;CEOs&lt;/span&gt; who are going to be looking at where they should go now.  Taking a very high level look from the &lt;span id="SPELLING_ERROR_6" class="blsp-spelling-error"&gt;IAM&lt;/span&gt;/&lt;span id="SPELLING_ERROR_7" class="blsp-spelling-error"&gt;ERP&lt;/span&gt;  perspective, is this the right time to ditch the current infrastructure and:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Embrace their &lt;span id="SPELLING_ERROR_8" class="blsp-spelling-error"&gt;ERP&lt;/span&gt; vendor and solidify the environment &lt;/li&gt;&lt;li&gt;Embrace their OS vendor and get everything on one OS&lt;/li&gt;&lt;li&gt;Embrace their hardware vendor and get everything on one platform&lt;/li&gt;&lt;li&gt;Embrace Open Source and junk the whole corporate nightmare &lt;/li&gt;&lt;li&gt;Embrace individual point solutions and get best of breed solutions&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;There's lots of ways to look at this. The one thing I know for sure is that it's way too early to make any determinations. 
I agree with Jackson Shaw's &lt;a href="http://jacksonshaw.blogspot.com/2009/04/sun-sets-on-oracle.html"&gt;thoughts &lt;/a&gt;on this in that it is indeed a dog's breakfast and will take at least 18 months to figure out.  Also kudos to him for coming up with a quick and witty one liner to describe the &lt;span id="SPELLING_ERROR_9" class="blsp-spelling-corrected"&gt;situation&lt;/span&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8730554558373973623?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8730554558373973623/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8730554558373973623' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8730554558373973623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8730554558373973623'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/04/first-thoughts-on-sunoracle.html' title='First thoughts on Sun/Oracle'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3174311746447086299</id><published>2009-04-17T10:27:00.003-04:00</published><updated>2009-04-17T10:37:03.350-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' 
term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='php'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><title type='text'>Web UI Password Troubleshooting</title><content type='html'>I was setting up a NW IDM 7.0 SP2 Patch 5 test system yesterday and had the strangest problem. Workflow and Monitoring passwords were not being accepted.  I could not log into Workflow and although I could get into Monitoring, clicking on any link presented me with an error that I was not logged in and would be redirected to the login screen.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now, being an old hand at setting up 7.0 and previous versions, I went through and checked all the obvious: IIS, permissions, PHP version.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I had some trouble initially getting PHP running but since it was now running, I did not think it could be PHP.INI, particularly since I just went through and compared it to a working PHP.INI.  However, since nothing else was working, I decided to take another look.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Sure enough, the path for the session directory was incorrectly specified.  
Changed the path, double checked the privileges and cleared all cache folders and IE cache just in case (paranoia &lt;i&gt;can &lt;/i&gt;be a good thing sometimes) and all was fine.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Just thought I'd share...&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3174311746447086299?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3174311746447086299/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3174311746447086299' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3174311746447086299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3174311746447086299'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/04/web-ui-password-troubleshooting.html' title='Web UI Password Troubleshooting'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-2475026875853906882</id><published>2009-04-07T15:17:00.004-04:00</published><updated>2009-04-07T15:35:32.427-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>The Next Frontier?</title><content type='html'>Identity Management continues to find a space in the Enterprise landscape.  It would seem that it's been falling into the realm of Information Security.  Not sure that I completely agree with this but at least it's being discussed as part of Enterprise Architecture.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Certain business verticals in particular have been embracing this technology more than others. Most notably, &lt;a href="http://idm-thoughtplace.blogspot.com/2008/06/whos-at-burton.html#links"&gt;Higher Education&lt;/a&gt; has been a big proponent of Identity Management (Gotta give it to Oracle's OIM/Fusion Middleware, they're doing well here right now.) As I think about other verticals, it strikes me that it's about time that the Health Care industry embrace IdM.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Why so, you might ask?  Here are a few of my reasons: &lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;HIPAA -- How can you discuss the Health Care field and not talk about HIPAA?  Strict access controls, need for compliance, monitoring of changes to accounts?  All easily done by IdM. Advances in GRC apps will make even more of a splash.&lt;/li&gt;&lt;li&gt;Lots of changes -- Permanent staff, temps, students and visiting professionals mean there are lots of changes in the user community; topped with vendors, contractors, patients and visitors, it seems to me that this should be captured and recorded.  Virtual Directories will be key in maintaining these user communities.&lt;/li&gt;&lt;li&gt;Identity is more than people -- Role management will also be important for business and technical roles.  
The better we track how these roles are created and maintained, the easier it will be to administer them.&lt;/li&gt;&lt;li&gt;Physical Access management -- Hospitals by nature are intended to be secure, so including means of physical access management will be important, either through "smart cards", biometrics or a combination of both.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;I'll be thinking more about this in the coming weeks and months, what about you?  Anyone out there doing this in a medical/hospital facility?  What are you doing?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-2475026875853906882?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/2475026875853906882/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=2475026875853906882' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2475026875853906882'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/2475026875853906882'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/04/next-frontier.html' title='The Next Frontier?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3836249102111405469</id><published>2009-04-01T15:37:00.002-04:00</published><updated>2009-04-01T15:46:33.631-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Other thoughts on Implementation</title><content type='html'>I liked what Ash Motiwala had to say on his &lt;a href="http://identityman.blogspot.com/2009/04/pottery-making-iterations-and-identity.html"&gt;blog &lt;/a&gt;recently on the topic of Implementation.  Ash is a guy who's been around the IdM block a couple of times and what he has to say clearly proves it.&lt;br /&gt;&lt;br /&gt;The only thing I might add to this is that a good pilot can be a lead in to Phase I.  Additionally, good background work in the form of Business Analysis and Architecture design goes a long way as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3836249102111405469?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3836249102111405469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3836249102111405469' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3836249102111405469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3836249102111405469'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/04/other-thoughts-on-implementation.html' title='Other thoughts on Implementation'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-4984843004060226282</id><published>2009-03-31T09:05:00.003-04:00</published><updated>2009-03-31T09:12:37.456-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NW IDM'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='white paper'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>New White Paper!</title><content type='html'>Sorry I've not posted for a while, but carpal tunnel surgery and a new White Paper on NetWeaver Identity Management have been keeping me busy.&lt;br /&gt;&lt;br /&gt;The hand is healing nicely and the Paper has just been &lt;a href="http://www.secude-consulting.com/html/index.php?id=313&amp;amp;tx_ttnews[tt_news]=3744&amp;amp;tx_ttnews[backPid]=312&amp;amp;cHash=ef170d2d07"&gt;published&lt;/a&gt;.  
Please let me know what you think.&lt;br /&gt;&lt;br /&gt;On a related note, I also had a brief article posted on &lt;a style="CURSOR: pointer" id="m_278_url" class="mtlink" href="http://weblogs.sdn.sap.com/"&gt;SAP Developer Network SAP Weblogs: Identity Management&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-4984843004060226282?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/4984843004060226282/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=4984843004060226282' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4984843004060226282'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/4984843004060226282'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/03/new-white-paper.html' title='New White Paper!'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-136467563092930079</id><published>2009-02-28T17:22:00.000-05:00</published><updated>2009-02-28T17:23:16.837-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='caching'/><category scheme='http://www.blogger.com/atom/ns#' term='LDAP'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtual Directory'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title 
type='text'>When is a Virtual Directory not a Virtual Directory?</title><content type='html'>&lt;p class="MsoNormal"&gt;The answer is simple, when it is used as a Web Server Proxy rather than an LDAP Proxy.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Let's look at the classic definition of a virtual directory (in the interest of full disclosure, this is from the SAP VDS whitepaper)&lt;/p&gt;  &lt;p class="Default" style="margin-top:0in;margin-right:.5in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt"&gt;&lt;span style="font-size:9.0pt"&gt;"The Virtual Directory Server can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Various users and applications can get different views of the information, based on their access rights. "&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="Default"&gt;&lt;span style="font-size:9.0pt"&gt;&lt;o:p&gt;So what does this mean?&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;We're taking various sources and putting a LDAP front end on them.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Now what can these back ends be—databases, directories, other virtual directories, etc.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;The connections can take the form of ODBC, XML, or other web services.&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="Default"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; "&gt;But what happens when we do web services on both the front and back end of the VDS?&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Well, I do not think it is really a Virtual Directory any more.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;We're not representing information in a Directory form and we're not doing read/search operations.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;It certainly would seem to put the never ending cache debates to bed as well.&lt;span style="mso-spacerun:yes"&gt;  
&lt;/span&gt;I'm thinking that what we now have is a web services proxy; or in a more mature implementation, a Virtual Application Server.&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class="Default"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; "&gt;So how would the VAS be used?&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;The simplest case would be to have an application make a request to a VAS for information.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;This information is available from another VAS connected system via some mapping logic that would be able to tell VAS where to find it. With this information delivered to the targeted system the proper information is obtained and returned to the requesting application.&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class="Default"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; "&gt;You would have to wonder how often something like this is needed; after all, web services connectors can be written easily enough.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;However, what happens when we do not have all the code or if there’s a need to segregate the request over multiple domains or firewall zones?&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;That I think would be one use case for the VAS.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;Another would be when there is no direct connection, say, between a role management system and a provisioning system, two common IdM applications these days.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;This could open up completely new ways for systems to interconnect.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;I wonder if anyone has been thinking along these lines.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-136467563092930079?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/136467563092930079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=136467563092930079' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/136467563092930079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/136467563092930079'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/02/when-is-virtual-directory-not-virtual.html' title='When is a Virtual Directory not a Virtual Directory?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7168551852575146596</id><published>2009-02-23T22:36:00.003-05:00</published><updated>2009-02-23T22:40:37.357-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='Personal'/><title type='text'>Managing Project Communication</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I've written before on the topic of how to prevent project failures, but very little about what happens as projects are failing. 
I was recently chatting with some colleagues about what does happen when a project begins to head south.&lt;/p&gt;&lt;p class="MsoNormal"&gt;First of all, there always seems to be a tendency to blame the outsider. Basically this argument looks something like: "You never got the requirements right (from the customer) / you never delivered correct requirements (from the consultant)"&lt;/p&gt;&lt;p class="MsoNormal"&gt;What this boils down to is a failure in communication. Now the question from a risk management approach is how one keeps this communication in sync. Based on our discussion we came up with the following:&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Regular status meetings. If your executive sponsor is not at these meetings, schedule regular steering committee updates which should be just the project manager(s), architect(s) and the executive sponsor. They might not need to be weekly, but they must not be optional for any of these people. Do not rely on only one side to make these reports.  Everyone must be on the same page. Make sure the sponsor is aware of the key challenges so that there are no surprises.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Obtain consensus and settle the issues quickly and decisively. If there are dissenting opinions about major decisions, get the issue settled once. Don't keep circling on the issue. If there's an issue that just won't go away, get the parties in front of the executive sponsor as I've noted above. Get a final ruling and move on.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Establish change controls. For some reason, no one likes to use these. There's a feeling that these are things to hide behind, rationalize additional cost or bog down the project in extra paperwork. None of these are true. All that's being done here is making sure that all project principals are aware of the change. This establishes responsibility and sets up controls for making sure that things don't get out of control. 
And I'd imagine that the amount of paperwork involved in a change control is minor compared to having to write the report of why the project failed. Trust me, this is not fun.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Use and establish some sort of project strategy/methodology. I don't care what it is, but make sure a project plan exists and that there is structure in place. There should be a project manager who will make sure that there is a plan to complete the project, but the architect and senior engineers should make sure that there are development standards which must also include documentation!&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;These points are intended to increase communication and decrease mistrust and politics. If the project team meets regularly, tracks what they are doing and how the project changes and has a structure for managing progress and change there is less of a chance of having a post-mortem and more of a chance of documenting the best practices that were done right!&lt;/p&gt;&lt;p class="MsoNormal"&gt; &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7168551852575146596?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7168551852575146596/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7168551852575146596' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7168551852575146596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7168551852575146596'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/02/managing-project-communication.html' 
title='Managing Project Communication'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-8352089775394370016</id><published>2009-01-24T15:19:00.003-05:00</published><updated>2009-01-24T15:38:37.721-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='Audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Metadirectory'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>The Real Time Myth</title><content type='html'>I was talking to a colleague last week and the topic of real time provisioning came up.  This has always been a bit of an issue with me due to the use of the term "real time".  I've almost always found that by the time we discuss what is involved in the act of provisioning and what the requirements really are, it is impossible to have this happen in "real time".  The fact is provisioning takes time.  Always has, always will.  Writing the information to your authoritative store takes a certain amount of time.  As does provisioning to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;LDAP&lt;/span&gt;.  
We know it takes at least 15 minutes for AD to begin replication, and regardless of type of Directory Service used, it takes time to replicate in an international setting.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In my experience most organizations are more concerned with improving performance over the old methodology and getting &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;initial&lt;/span&gt; provisioning to happen in less than a day.  There's nothing that irritates a manager more than having to sit around and wait for the new person's accounts to be created.  If we can get that time period down to a reasonable wait, hopefully to about the time it takes to fill out the remaining new hire paperwork, tour the facility, get the briefing from HR and have that welcoming cup of coffee, we will have made progress.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the best of all possible worlds, provisioning should have already been started as soon as HR receives a signed offer letter.  Creating essential accounts in a disabled state gets a lot of the heavy lifting done and front loads the whole process. This way all that has to be done is wait for the start date to occur and then enable accounts via a regularly scheduled work flow. However, I recognize that even creating disabled, locked accounts poses something of a risk so it will not be for all organizations. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the end careful analysis of current state, target state environments is called for along with a &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;thorough&lt;/span&gt; &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;examination&lt;/span&gt; of compliance, legal and best practices as they relate to the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;organization's&lt;/span&gt; needs.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-8352089775394370016?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/8352089775394370016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=8352089775394370016' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8352089775394370016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/8352089775394370016'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/01/real-time-myth.html' title='The Real Time Myth'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3818509339784190821</id><published>2009-01-19T19:30:00.002-05:00</published><updated>2009-01-19T19:33:31.531-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='ROI'/><category scheme='http://www.blogger.com/atom/ns#' term='on boarding'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='provisioning'/><category scheme='http://www.blogger.com/atom/ns#' term='Metadirectory'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><category scheme='http://www.blogger.com/atom/ns#' term='IC'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>SELECTing from the Identity Store</title><content type='html'>Now I don't know about you, but I've always had some issues with looking up entries in the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;NetWeaver&lt;/span&gt; Identity Management Identity Store.  I know there are built in scripting functions like &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;uIS&lt;/span&gt;_Get, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;uIS&lt;/span&gt;_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;GetValue&lt;/span&gt;, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;uIS&lt;/span&gt;_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;sGet&lt;/span&gt;, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;uIS&lt;/span&gt;_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;sGetValue&lt;/span&gt;, etc, but they've just never worked well for me.  
So to compensate, I've developed my own methodology for searching and retrieving items from the Identity Store.&lt;br /&gt;&lt;br /&gt;The basic use case is this:  The Identity Management solution needs to do a &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_8"&gt;look up&lt;/span&gt; between an incoming data feed and the Identity store.  The basic idea is that if the value from the feed and the value from the Identity Store match then the entries match and updating/provisioning can proceed as directed by &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;workflow&lt;/span&gt;. I'm sure you can imagine other use cases, looking up managers, phone numbers, and other frequently used attributes.&lt;br /&gt;&lt;br /&gt;The feed processing job will use a script to evaluate the match.  Most likely it will pass &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;MSKEYVALUE&lt;/span&gt; but could also use some other unique attribute in the feed.&lt;br /&gt;&lt;br /&gt;The first thing that is needed is to determine the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;MSKEY&lt;/span&gt;, if any, for the entry to be worked with.  To this end, I created the following query which will be implemented by NW &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;IDM's&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;uSelect&lt;/span&gt; function, which can be used in a Provisioning Job or Reconciliation task.  
Following best practices for &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14"&gt;NetWeaver&lt;/span&gt; Identity Manager, I am using the JAVA engine and therefore JavaScript in this example.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;//Create an uppercase version of Par for checking against the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;SEARCHVALUE&lt;/span&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;uPar&lt;/span&gt; = Par.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;toUpperCase&lt;/span&gt;();&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;MSKEYQuery&lt;/span&gt; = "select &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;mskey&lt;/span&gt; from &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;mxiv&lt;/span&gt;_sentries where (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;searchvalue&lt;/span&gt; = '" + &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;uPar&lt;/span&gt; + "')";&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;MSKEYResult&lt;/span&gt; =  &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;UserFunc&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;uSelect&lt;/span&gt;(&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;MSKEYQuery&lt;/span&gt;);&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You'll notice one of the first things we need to do is make sure we access the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;searchvalue&lt;/span&gt; correctly.  Elements in this column always have their text elements stored in Uppercase, so we need to make sure that for the purposes of searching, we have an uppercase value handy.  The results of this query are stored in a variable called &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;MSKEYResult&lt;/span&gt;.  
Now that this information is available, we can search for needed values related to this entry.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;EmployeeNumQuery&lt;/span&gt; = "select &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_30"&gt;avalue&lt;/span&gt;  from &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_31"&gt;mxiv&lt;/span&gt;_sentries where (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_32"&gt;mskey&lt;/span&gt;=" + &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_33"&gt;MSKEYResult&lt;/span&gt; + ") and (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_34"&gt;AttrName&lt;/span&gt;='HR_&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_35"&gt;EMPNUM&lt;/span&gt;')";&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_36"&gt;EmployeeNumResult&lt;/span&gt; = &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_37"&gt;UserFunc&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_38"&gt;uSelect&lt;/span&gt;(&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_39"&gt;EmployeeNumQuery&lt;/span&gt; );&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With this query I can now look for a specific attribute value for a specific user and store it in a variable. At this point we should plan on returning a more nicely formatted version of the attribute so we will return &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_40"&gt;aValue&lt;/span&gt; rather than &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_41"&gt;SearchValue&lt;/span&gt; which is the value for the attribute as it is entered into and subsequently processed by NW &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_42"&gt;IDM&lt;/span&gt; for use in screen output, reports, emails, etc.  
In this example we are returning the user's Employee number.&lt;br /&gt;&lt;br /&gt;This process might also include another query to do a count of returned Employee Numbers to protect against potential "dirty data" entries (multiple identities for the user or too many users with the same name). If this scenario occurs, more detailed searching involving more attributes might be needed.&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Note:&lt;/strong&gt;  I don't necessarily claim that this is the best or most efficient methodology for accessing this information.  All I know is that it works for me and the way that I think / process information.  If anyone has ideas on making this better or properly using the embedded functions listed above, I'd love to hear about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3818509339784190821?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3818509339784190821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3818509339784190821' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3818509339784190821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3818509339784190821'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2009/01/selecting-from-identity-store.html' title='SELECTing from the Identity Store'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-7606111308985402619</id><published>2008-12-23T12:45:00.003-05:00</published><updated>2008-12-23T13:14:37.265-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>Recent Article</title><content type='html'>I did not think I'd have anything else to say before the end of the year.  However, this was not to be the case... Some months ago I was interviewed, along with several others, for an article that has appeared in &lt;em&gt;Information Security Magazine.&lt;/em&gt; The &lt;a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1340489,00.html"&gt;article&lt;/a&gt;, by Robert Westervelt, talks about Identity Management challenges in an economy full of Layoffs and Mergers. 
It's a very nice high-level treatment of some of the strategic reasons to have Identity Management Solutions in place.&lt;br /&gt;&lt;br /&gt;You might need to register in order to view the material; however, there is no charge to view the content.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-7606111308985402619?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/7606111308985402619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=7606111308985402619' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7606111308985402619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/7606111308985402619'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2008/12/recent-article.html' title='Recent Article'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3491679519107113696</id><published>2008-12-22T10:51:00.002-05:00</published><updated>2008-12-22T10:56:54.027-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='summary'/><category scheme='http://www.blogger.com/atom/ns#' term='Humor'/><title type='text'>Happy Holidays</title><content type='html'>It's been the end of a great year of working with Identity Management this year.  
Sun, Oracle, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Novell&lt;/span&gt;, IBM and of course, SAP are all in the mix and doing well.  Companies are &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;recognizing&lt;/span&gt; that not only is &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;IdM&lt;/span&gt; useful, but a strategic business goal as well.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Personally, I've gone from Project Management, to Independent work, to working with a fine organization, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;SECUDE&lt;/span&gt; Global Consulting.  I've had a great year with them, and am looking forward to more challenging work in the coming year.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'd like to wish everyone a happy, safe and sweet holiday and New Year.  Even if you don't celebrate a particular holiday, take a moment and reflect (which you should do often anyway)  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;On a lighter note, I saw this humorous post at &lt;a href="http://blogs.csoonline.com/the_twelve_days_of_audit"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;CSOOnline&lt;/span&gt;&lt;/a&gt;.  
Hope it brings a chuckle!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3491679519107113696?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3491679519107113696/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3491679519107113696' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3491679519107113696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3491679519107113696'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2008/12/happy-holidays.html' title='Happy Holidays'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-25881969.post-3120432344872184231</id><published>2008-12-12T14:52:00.003-05:00</published><updated>2008-12-15T09:34:56.083-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='planning'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation'/><title type='text'>Why do We Bother With Server Virtualization, Anyway?</title><content type='html'>This is something that has frankly astounded me over the years...  
For years vendors such as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;VMWare&lt;/span&gt; and Microsoft have been telling us about the flexibility, power and savings inherent in consolidating Servers into Virtual Machines.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For some reason, the rest of the software industry has not caught on to this and think that this is not a scalable architecture.  I'm amazed.  I don't think any of these software firms have ever looked at a manual or talked to the vendors or their customers running virtual data centers.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There's no reason production implementations cannot run on a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;VM&lt;/span&gt;.  Modern &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;VMs&lt;/span&gt; are just as configurable and scalable as physical servers.  Even more so in fact, since the files can be moved from one host server to another where more resources can be allocated.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Wake up, application vendors!  &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;VMWare&lt;/span&gt; is just as good as an IBM P server in terms of configuring hosted configurations.  
This is the 21st century, let's start thinking a little more "out of the (server) box"&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25881969-3120432344872184231?l=idm-thoughtplace.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idm-thoughtplace.blogspot.com/feeds/3120432344872184231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=25881969&amp;postID=3120432344872184231' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3120432344872184231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25881969/posts/default/3120432344872184231'/><link rel='alternate' type='text/html' href='http://idm-thoughtplace.blogspot.com/2008/12/why-do-we-bother-with-server.html' title='Why do We Bother With Server Virtualization, Anyway?'/><author><name>Matt Pollicove</name><uri>https://profiles.google.com/117668783690956870813</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-Oz0JoosV-Wo/AAAAAAAAAAI/AAAAAAAAAMI/L4xkwXXQeck/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry></feed>
