Hi folks, so it's been a while.
That's mostly since I was blogging over on the wonderful SAP Community. Unfortunately, I will not be as active there now as my career is moving away from the wide, wonderful world of SAP as I have taken on a new position as a Regional Solutions Architect at Ping Identity.
This affords me the ability to explore new areas of the Identity Management landscape, and play with some technologies that I've always been very interested in but have not had the time to delve into. I'm hoping as I learn and experience more that I will get to share it with you folks.
Which leads me to the third item in this entry's title, certification. I guess they knew I was coming and how interested I am in getting certified in technologies as Ping has just announced a certification program!
If you use Ping products in your business, or do Ping related services work, this is something you should definitely look into, and look for.
Here's to the next stage of the career and certification journey!
#pingidentity #training #security #cybersecurity #certification
Tuesday, October 08, 2019
Monday, February 01, 2016
You've read my ramblings, now listen to them!
You've been reading my ramblings for years here and on SCN. Now you have a chance to listen to some of my thoughts on SAP IDM and a bit on SAP IDM 8 I was recently interviewed by long time colleague and fellow IDM Expert,Scott Eastin for his IDM Masters Interview Series.
Please take a moment to listen to the interview and support Scott's efforts!
BTW, please let me know if this is interesting and if we should consider a regular podcast / YouTube discussion of SAP IDM, along with topics that you would like to see covered!
Thanks!
Saturday, September 12, 2015
SAP TechEd 2015
Just a quick not to let everyone know that I will be speaking at SAP TechEd 2015! I will be speaking on the new version of SAP IDM:
This session will be on Thursday, October 22 from 11:45 - 12:45. Without giving it all away, I'm planning on talking about how this new version of SAP IDM will affect the various members of your organization as you plan and implement this exciting new version of SAP IDM.
This should be a fun and interactive presentation where we will have a chance to discuss how your organization will prepare for IDM 8.
As this link will be shared on Social Media, let me take a moment and introduce myself for people who are unfamiliar with me and with IDM in general.
My name is Matt Pollicove and I have been working with SAP Identity Management for the past 11 years, from its beginnings as the MaXware Identity Center, which was purchased by SAP in 2007 to become IDM.
Over the years I have done engineering, training, project management, architecture, blogging, and yes, speaking on SAP IDM.
SAP IDM is the preferred system for managing user accounts (identities) in the SAP Landscape and the Enterprise as a whole. It offers a wide array of connectors and a dynamic framework for creating, maintaining, and deprovisioning accounts. The new generation of this product, IDM 8, embraces new technologies and offers new approaches to Identity Management.
How Will YOU Prepare for SAP Identity Management 8
This session will be on Thursday, October 22 from 11:45 - 12:45. Without giving it all away, I'm planning on talking about how this new version of SAP IDM will affect the various members of your organization as you plan and implement this exciting new version of SAP IDM.
This should be a fun and interactive presentation where we will have a chance to discuss how your organization will prepare for IDM 8.
As this link will be shared on Social Media, let me take a moment and introduce myself for people who are unfamiliar with me and with IDM in general.
My name is Matt Pollicove and I have been working with SAP Identity Management for the past 11 years, from its beginnings as the MaXware Identity Center, which was purchased by SAP in 2007 to become IDM.
Over the years I have done engineering, training, project management, architecture, blogging, and yes, speaking on SAP IDM.
SAP IDM is the preferred system for managing user accounts (identities) in the SAP Landscape and the Enterprise as a whole. It offers a wide array of connectors and a dynamic framework for creating, maintaining, and deprovisioning accounts. The new generation of this product, IDM 8, embraces new technologies and offers new approaches to Identity Management.
Sunday, March 23, 2014
Measuring Identity Management
When I first started in the IT/Services field, I worked on a
help desk providing technical support for a software company. Everything on the
job was about Metrics: How many calls did you take, how long you were on the
call. Later, I managed the support group
and the metrics got more interesting: Who called the most? What did people call
about the most? This information needed to be shared amongst my fellow team
leaders, my immediate management, sales management, product management, and
even the executive management of the company. As a primary interface between
the company and its clients, I had a lot of information.
I see Identity Management as holding a lot of that same type
of information that would be of interest to various parts of the organization.
Understanding who is provisioned to what endpoint, how identities change in the
organization over time, users with given access rights. How many people are set
up with the new password management scheme? Have processed their attestations?
The list is ever changing and of course would vary by organization, per Pollicove's Law.
Sure, we can generate reports that show this information, but
I think there could be a use for a dashboard views showing real/near real-time
views of essential data. Reports are all
well and good, particularly when trying to analyze data over a period of time.
What metrics do you think would be of the most value in an
Identity Management Solution?
Thursday, December 12, 2013
What comes after IDM?
People often ask me what comes after Identity Management? My answer is that it depends.
As I've discussed before, it's really up to what the organization requires and simply tacking on new workflows, approvals, and functionality is only really useful if it will actually be used. However, I think we can make a few generalizations about what might occur as part of a far reaching and comprehensive IdM program.
Assuming that the initial project succeeded in its goal of creating an authoritative data store and basic provisioning, there's always the goal of adding more applications and additional attributes in existing applications that can be provisioned as part of workflow.
Password management is always popular. If your application allows password provisioning or linking into a SSO or password management solution, this is a great place to add in further automation. Your organization's help desk will appreciate it, I'm sure.
Adding in a compliance solution (sometimes referred to a certification or attestation) is always something organizations look into as a part of that overall IdM program. Some applications such as SailPoint IIQ have this built in, while others such as SAP GRC or Oracle Identity Governance are separate, but complementary modules to the Identity Management offering.
However what I think is one of the key places that the IdM program manager should be looking at is automation of IT processes. Every day the Help Desk and the System/Network administrators are using untrackable and un-auditable tools for editing user accounts. IT Management and Audit staff have no idea exactly what these people are doing as they are on the job. At the very least, there is the possibility that users will be accidentally granted the wrong entitlements, and in the worst case, there could be the creation of undocumented SuperUsers. If we can direct these actions through the user provisioning application, then we can have an audit trail that tells us:
It also becomes a lot easier to do these tasks when they are placed in the IdM solution. This lets our Server Admin and Help Desk teams work on the more detailed analysis and troubleshooting that they were hired for rather than mundane user management, all while creating a more secure and audited environment.
As I've discussed before, it's really up to what the organization requires and simply tacking on new workflows, approvals, and functionality is only really useful if it will actually be used. However, I think we can make a few generalizations about what might occur as part of a far reaching and comprehensive IdM program.
Assuming that the initial project succeeded in its goal of creating an authoritative data store and basic provisioning, there's always the goal of adding more applications and additional attributes in existing applications that can be provisioned as part of workflow.
Password management is always popular. If your application allows password provisioning or linking into a SSO or password management solution, this is a great place to add in further automation. Your organization's help desk will appreciate it, I'm sure.
Adding in a compliance solution (sometimes referred to a certification or attestation) is always something organizations look into as a part of that overall IdM program. Some applications such as SailPoint IIQ have this built in, while others such as SAP GRC or Oracle Identity Governance are separate, but complementary modules to the Identity Management offering.
However what I think is one of the key places that the IdM program manager should be looking at is automation of IT processes. Every day the Help Desk and the System/Network administrators are using untrackable and un-auditable tools for editing user accounts. IT Management and Audit staff have no idea exactly what these people are doing as they are on the job. At the very least, there is the possibility that users will be accidentally granted the wrong entitlements, and in the worst case, there could be the creation of undocumented SuperUsers. If we can direct these actions through the user provisioning application, then we can have an audit trail that tells us:
- Who was worked with
- What was done to them
- Who did the work
- When the work happened
It also becomes a lot easier to do these tasks when they are placed in the IdM solution. This lets our Server Admin and Help Desk teams work on the more detailed analysis and troubleshooting that they were hired for rather than mundane user management, all while creating a more secure and audited environment.
Tuesday, June 11, 2013
Some thoughts on database locking in Oracle and Microsoft SQL Server
Deadlocks are the bane of those of us responsible for
designing and maintaining any type of database system. I’ve written about these
before on the dispatcher
level. However this time around, I’d like to discuss them a little further
“down” so to speak, at the database level. Also in talking to various people
about this topic I've found that it’s potentially the most divisive question
since “Tastes good vs. Less filling”
Database deadlocks are much like application ones, typically
come when two processes are trying to access the same database row at the same
time. Most often this is when the system is trying to read and write to the row
at the same time. A nice explanation can be found here.
What we essentially wind up with is the database equivalent of a traffic jam
where no one can move. It’s interesting to note that both Oracle and Microsoft SQL
server handle these locking scenarios differently. I’m not going to go into DB2
at the moment but will address it if there is sufficient demand.
When dealing with SQL Server, management of locks is handled
through the use of the “Hint” called No Lock. According to MSDN:
Hints are options or strategies specified for enforcement by
the SQL Server query processor on SELECT, INSERT, UPDATE, or DELETE statements.
The hints override any execution plan the query optimizer might select for a
query. (Source)
When NOLOCK is used this is the same as using
READUNCOMMITTED which some of you might have be familiar with if you did the
NetWeaver portion of the IDM install when setting up the data source. Using
this option keeps the SQL Server database engine from issuing locks. The big
issue here is that one runs the risk of having dirty (old) data in the database
operations. Be careful when using NOLOCK for this reason. Even though the SAP
Provisioning Framework makes extensive use of the NOLOCK functionality, they
regression test the heck out of the configuration. Make sure you do, too misuse
of NOLOCK can lead to bad things happening in the Identity Store database.
There is also a piece of SQL Server functionality referred
to as Snapshot Isolation which appears to work as a NOLOCK writ large where
database snapshots are held in the TEMPDB for processing (source)
This functionality was recommended by a DBA I worked with on a project some
time ago. The functionality was tested in DEV and then rolled to the customer’s
PRODUCTION instance.
Oracle is a little different in the way that it approaches
locking in that the system has more internal management of conflicts through
use of rollback logs forcing data to be committed before writes can occur and
thus deadlocks occur much less often (Source)
This means that there is no similar NOLOCK functionality in the Oracle Database
System.
One final thing to consider with database deadlocks is how
the database is being accessed, regardless of the database being used. It is considered a best practice in SAP IDM
to use To Identity Store passes as opposed to uIS_SetValue whenever possible (Source)
At the end of the day, I don’t know that I can really tell
you to employ these mechanisms or not. In general we do know that it’s better
not to have deadlocks than to have them and to do what you can to achieve this
goal. In general, if you are going to use these techniques, do make sure you are doing so in
concert with your DBA team and after careful testing. I have seen
Microsoft SQL Server’s Snapshot Isolation work well in a busy productive
environment, but I will not recommend its universal adoption as I can’t
tell you how well it will work in your
environment. I will however recommend that you look into it with your
DBA team if you are experiencing Deadlocks in SQL Server.Thursday, March 21, 2013
The future of SAP GRC
There has been quite a bit of discussion about the potential futures of SAP IDM and SAP GRC. SAP has just started a survey so that they can get customer input. I would encourage all customers using or considering these products to take the poll.I've worked with the integration between the two products several times now, and I can honestly say that I have never achieved the results that I wanted. As I've thought about the issues that have kept me from getting what I (and of course, my clients) want, it all seems to come down to the architecture.
The way SAP would have it, GRC is the brains, VDS the nervous system, and IDM is the muscle. IDM workflow does all the work using the various frameworks (Provisioning, Exchange, GRC, Lotus Notes, etc.) while it checks with GRC via VDS to tell it what to do.
The problem as I see it is that there are:
- Too many moving parts - IDM, VDS via WebServices to GRC, back to IDM
- Not enough information that passes back from GRC - We don't see why things are rejected and it's not clear what is happening.
- A lack of ways that conflicts can be addressed from IDM - This means that the "Security Desk" needs to get involved so they can fix the issue.
So how should this be addressed? I think through either a tighter integration that is more direct and thicker, that is one where more information is passed, so that IDM becomes the "face" of GRC allowing for mitigation and remediation activities. However I do not know that the current SAP architecture really supports this. therefore I think it makes more sense for IDM to "consume" GRC and make the GRC functionality part of IDM.
IDM already has a very basic concept of Segregation of Duties through Role Mutual Exclusion functionality. Having logic that determines what should be "Mutually Excluded" from GRC type functionality makes sense.However as SAP Roles map to IDM Privileges it would also be necessary for this concept to be extended to the IDM Privilege level.
Subscribe to:
Posts (Atom)
