Friday, 19 September 2008
What he said
So Federation (loose coupling) is always the best way to go, right?

No. It’s often the best way to go but there are many times that tight coupling simply must be done. Often that means using a provisioning system and a means of synchronizing accounts (IBM TIM, Sun SIM, MS ILM, etc). Sometimes that means configuring your systems to centralize the identity (Quest Vintella, Centrify, etc).

And here is where I will let you in on the dirty little secret of provisioning. It’s really all about deprovisioning. Typically enterprises don’t care if it takes weeks for you to get access to all of the resources you need to do your job. They care in the abstract (usually), but not enough to actually do anything about it. But the minute your employment is ended, your access to all your enterprise resources needs to be turned off.

And for that you need centralization of some sort.

Jeff, you're right. There is no 'one approach' that fits all. Both centralized and federated approaches have their pros and cons, depending on the situation. Most of life happens somewhere between black and white. I've just come to appreciate how to succeed in small increments, and this lesson isn't limited to IdM projects.

I couldn't agree more about getting small wins. I have been involved in both enterprise provisioning and federation projects, and in both cases looking for small, quick, wins works much better than the big bang approach.