For a few years I had the pleasure to work for Novell. I did several consulting projects with Identit Manager and even have some experience with the predecessor DirXML. After the Novell era, I worked for an independent service provider and got to know Sun Identity Manager and IBM Tivoli Identity Manager. This just to say that I have at least some experience in the world of Identity Management and directory synchronisations.
Matt Flynn is chiming in on the virtual directory versus meta directory “blog wars” that have been going on earlier this year. You can catch up here, here, ah, also here and then here as well.
In that post Matt Flynn starts with a simple scenario: there is an HR database, an Active Directory and a custom build SQL identity store. So far so good, that looks like something standard and simple. Then he continues by requiring that the HR database is the primary source for account creation and status.
This is where I have to disagree, strongly disagree. For years IDM product vendors have been telling us that the HR database should be the primary source for Identity information. This is just not true. The HR platform can not fulfil this role of primary source. The platform has been built and is driven by the need to manage the employee status of people and make sure they are paid properly and in time. This difference between what the HR platform actually is and what IDM product vendors want it to be, becomes more visible if you look at the following typical issues:
- New employees are not entered fast enough in the HR system. The IDM system can’t act on events if they don’t happen in time.
- Some of the attributes kept in the HR system are of lesser importance to HR and therefore typically are of lower (data) quality. The IDM system however depends on correct and up to date values for these attributes.
- When employees migrate internally (to a different department or business division) the HR system often lags behind in changing the employee records. It also rarely models the typical transition periods involved in migrating.
For me these are all signs that the HR system, at least as they are managed today, should not be used as a primary source for account creation and status. In fact, the HR system should probably be “just a slave” of the IDM system. Leave the HR system for what it is: a system for managing the legal and financial aspects of an employee.
If you use the HR system as your primary source, you will soon find yourself implementing numerous ugly hacks and workarounds to compensate for low quality data and events that are either triggered too late or without enough detail. Demanding that the HR department should get their act together and improve is not a good solution. Doing identity management is not their job, they manage the legal and financial relationships. That’s just a part of the Identity. It’s the IDM product that should manage the identity and inform the HR system of changes that are relevant to the legal and financial aspect of the relationship.
None of the current IDM product vendors however have a product that can serve this role. As far as I know, most of these products are expensive data synchronisation tools with some workflow and UI layers on top. As the years pass by, I am wondering if any of these vendors is ever going to radically change and improve how (enterprise) Identity Management is dealt with. Since the first of these IDM products, over 10 years ago, not much has changed. It’s just more of the same.