HR, your source of identies?

For a few years I had the pleasure to work for Novell. I did several consulting projects with Identit Manager and even have some experience with the predecessor DirXML. After the Novell era, I worked for an independent service provider and got to know Sun Identity Manager and IBM Tivoli Identity Manager. This just to say that I have at least some experience in the world of Identity Management and directory synchronisations.

Matt Flynn is chiming in on the virtual directory versus meta directory “blog wars” that have been going on earlier this year. You can catch up here, here, ah, also here and then here as well.

In that post Matt Flynn starts with a simple scenario: there is an HR database, an Active Directory and a custom build SQL identity store. So far so good, that looks like something standard and simple. Then he continues by requiring that the HR database is the primary source for account creation and status.

This is where I have to disagree, strongly disagree. For years IDM product vendors have been telling us that the HR database should be the primary source for Identity information. This is just not true. The HR platform can not fulfil this role of primary source. The platform has been built and is driven by the need to manage the employee status of people and make sure they are paid properly and in time. This difference between what the HR platform actually is and what IDM product vendors want it to be, becomes more visible if you look at the following typical issues:

  • New employees are not entered fast enough in the HR system. The IDM system can’t act on events if they don’t happen in time.
  • Some of the attributes kept in the HR system are of lesser importance to HR and therefore typically are of lower (data) quality. The IDM system however depends on correct and up to date values for these attributes.
  • When employees migrate internally (to a different department or business division) the HR system often lags behind in changing the employee records. It also rarely models the typical transition periods involved in migrating.

For me these are all signs that the HR system, at least as they are managed today, should not be used as a primary source for account creation and status. In fact, the HR system should probably be “just a slave” of the IDM system. Leave the HR system for what it is: a system for managing the legal and financial aspects of an employee.

If you use the HR system as your primary source, you will soon find yourself implementing numerous ugly hacks and workarounds to compensate for low quality data and events that are either triggered too late or without enough detail. Demanding that the HR department should get their act together and improve is not a good solution. Doing identity management is not their job, they manage the legal and financial relationships. That’s just a part of the Identity. It’s the IDM product that should manage the identity and inform the HR system of changes that are relevant to the legal and financial aspect of the relationship.

None of the current IDM product vendors however have a product that can serve this role. As far as I know, most of these products are expensive data synchronisation tools with some workflow and UI layers on top. As the years pass by, I am wondering if any of these vendors is ever going to radically change and improve how (enterprise) Identity Management is dealt with. Since the first of these IDM products, over 10 years ago, not much has changed. It’s just more of the same.

YouTube vs. Viacom … what about privacy?

Most of you have probably heard about the case where a judge ordered Google to turn over every record of every video watched by YouTube user. That includes the user’s name and IP addresses. This in response to complaint filed by Viacom against Google for allowing clips of its copyright videos to appear on YouTube. Read about it here. This is the actual ruling from the judge.

I am not going to comment on the copyright issues or the actual complaint filed. I am however worried about the consequences for online privacy. A lot of users will see their personal information being handed over to Viacom even though they probably never watched a single copyrighted clip or at least were not aware of infringing anyone’s copyright. Somehow this reminds me of the toystar.com case. A company selling toys, files for bankrupcy and tries to sell their customer database to the highest bidder. It was eventually stopped by the FTC.

People can hand out personal information to sites and even carefully review the privacy terms before doing so. It means nothing if this kind of rulings can mean your information is handed over to a third party. It would be a different case if that information helps law enforcement agencies to detect crimes and prosecute criminals. I trust law enforcement agencies more then Viacom to properly process that data. Does Viacom give any guarantees on safeguarding this data? Will the processing be transparant and with full disclosure to the users involved?