Crescent Rolls or Identity Roles?
It’s been an absolutely fascinating week reading the output of Burton’s Catalyst Conference. Thanks to Mark Dixon over at Sun for his great recap of the conference. And to add to the chorus of voices, congratulations to Ian Glazer on his new job at Burton Group!
It’s Ian’s first post on the Burton Group blog that’s generated some rapid-fire responses in the Identity Management blogosphere (which is a very good thing!).
Ian airs his concern over the statement from potential Identity Management customers, “I’m not ready to do roles, so I won’t attempt user provisioning.”
*sigh*
I read that statement and had to ask myself — “what year is this?” Seriously… Shame on us sales folks. Shame on us consultants. Shame on the vendors. Is this what customers truly believe? That there’s no value from user provisioning without roles?
Jeff Bohren gets it right when he says that at the very least there is one role — “Employed.” Seriously.
When I go into a customer environment and they seem overwhelmed by the (purported) complexity of user provisioning, screaming “where do we start?”, I simply ask them — “how does your organization know when to start mailing you a paycheck?” and “how does your org know when to stop mailing you a paycheck?” It’s my Prego sauce theory: “It’s in there!” (in the organization, that is). That discussion helps move the project forward.
Even if we need to build manual input-based workflow components, we can eliminate the often-lost paper process and empower users to request access for themselves instead of calling IT Security or the Help Desk.
Dave Kearns makes some solid points in his response that most organizations are doing some kind of task-flow provisioning (most likely related to organizational responsibilities) already, even if they don’t call it “provisioning” or even have it automated through technology. He’s right to point out that organizations can benefit from role development downstream of an earlier provisioning project. IBM/Tivoli has been pitching this as a maturity model for provisioning software (TIM) for years.
In talking to Role Management/Discovery vendors (versus provisioning), one in particular sees demand specifically for their product outside of provisioning tools, with customers who don’t already have SIM, TIM, OIM, NIM, etc.
That’s a fascinating statement. Roles without a user provisioning tool.
We all need to do a better job talking to our customers about where they will gain the most value and where to start in a truly white-space environment. But I think it’s safe to say that everyone could benefit from user provisioning tools. (or maybe that’s just the former TIM Evangelist in me talking…)
What have you seen? Do you know customers who are adopting RBAC without user provisioning? Comment below, I’m interested! Especially if they see user provisioning as a “later-stage” activity.
But after all this, I’m left with the feeling that while there are some excellent (and obvious) synergies to a combined role-management and user-provisioning strategy, they are not mutually exclusive, nor is either predicated on the other. If a customer wants (and needs) role discovery and management, without user provisioning, we can dive right in and get to work — instead of trying to convince them they need user provisioning first.
I think the whole community is in agreement that we should by no means allow them to delay starting a user provisioning project just because they think they need roles first…
With all this talk of roles, I’m getting hungry for the other kind of rolls! Thanks to Sharps for sending us this funny story about Crescent Rolls. Enjoy…
Thanks for the shout out and link. Glad to be of service.
Mark
I love the fact that this post has sent our Google Ads into an “appetizer,” “spinach dip,” and “weight loss” frenzy!!!