The Nature of the Beast: Kinds of IM/UP Systems
Because the needs of small, medium, and large enterprises are so different, IM/UP systems come in three main flavors (small, medium, and large). They vary not just in size, but in complexity, cost, and approach to the problem.
For small to medium-sized enterprises, the need is primarily to reduce administrative workload in the basic process of providing and modifying access permissions. One tool for these purposes is SetACL, available from SourceForge. This is a package of provisioning utilities that can be run from the command line, organized into scripts, or included in ActiveX controls to handle common permission-management tasks. Among other things, SetACL utilities can manage multiple permissions on multiple users simultaneously, control how permissions are inherited by sub-objects, and work on a single object or recursively.
John Aisien, Oracle’s vice president of product management and identity management, points out the problem with the packages aimed at the smaller enterprises: They’re not process-aware. They don’t have the built-in smarts to relate to the aspects of provisioning as part of a unified whole. Instead, the administrators have to provide not just the guiding intelligence, but a lot of the routine procedural knowledge as well.
Of course, there’s a very good reason for that limitation. Designing a user provisioning/identity management system that is both process-aware and flexible enough to be useful is a big undertaking, and it doesn’t end with the software vendor. For large enterprises, provisioning and identity management is a major project, with costs that can easily run into the millions. As is often the case, the software cost is only a fraction of the expense. In fact, some vendors give away $250,000 IM/UP packages because they make most of their money on the services needed to get the packages set up and running.
In the medium-to-large market, a number of companies (including Oracle, M-Tech Information Technology, BMC Software, IBM, and Sun) offer provisioning packages. It’s a measure of the interest in the field that many of the specialized provisioning companies are being snapped up by larger players such as Sun and IBM.
When you consider that a very large IM/UP system may have to support a million or more users logging into hundreds of different systems, the big systems from companies like M-Tech and IBM are complex indeed.
For medium-sized and small installations, the costs—and effort—are much more reasonable. However, if you want to get the most out of identity management software for any size of enterprise, you need to spend some time thinking about your requirements and planning your implementation.
The dividing line between medium-sized and large IM/UP systems isn’t so much the number of users, although that’s also a factor. Oracle’s Aisien says that the real quantifier is the number of "provisioning events" in the enterprise each year. Aisien defines a provisioning event as anything that alters provisioning in any way, such as adding an employee or changing employee permissions.
A useful proxy is the number of identity systems being managed. That means not only the number of servers but also the number of applications requiring separate permissions. As you add systems, the provisioning effort goes up exponentially, and problems such as identity coherence become increasingly important.
The other difference between the classes of software is the degree to which they integrate user provisioning and identity management. As the systems grow larger and more complex, identity management becomes an indispensable part of the package. The products for medium-sized and especially small installations tend to separate the issues of identity and provisioning.