Transitioning to the Target State
You need to plan the development of IAM functionality based on the
requirements of business projects, and take advantage of project budgets to
fund their development. Appendix E shows how you could align the IAM
roadmap to the requirements of business projects to achieve viability
through incremental funding.
There are some specific items you need to pay attention to during this
process.
Harmonising data
You will start with data held redundantly in multiple systems, with
inconsistencies and errors galore. You plan to end with a reasonably
consistent set of user data, with one or more directories holding
authentication credentials, and a user database holding other user
attributes. Upstream sources of truth will populate and refresh these
repositories. Downstream replicas of data will be refreshed through
IAM-generated user events.
Partway along this journey, you will have problems harmonising the data
you have painstakingly marshalled into the IAM repositories with data that is
outside its ambit. There will be people and systems furiously updating what
should rightly be read-only replicas. Upstream sources of truth will have no
way to communicate changes reliably and consistently to the IAM system.
You will need to create mitigating controls, manual processes and temporary
applications and scripts to maintain a semblance of sanity.
As you progress towards the IAM vision, remember that the User UUID is
your friend. If you can push the UUID vision and gain buy-in from owners of
systems, you can start seeding those independent repositories with the data
hooks that you can later use to “reel in” those disparate user records. The
good news is that lots of people can appreciate the value of the UUID when
it is explained to them, and many systems, databases and directories can
support a UUID field.
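The sketch below is an added example, not taken from the original text: it shows how a seeded User UUID lets you join a downstream replica to the IAM user database and report local edits, rows that cannot yet be linked, and users the replica never received. The field names (`user_uuid`, `local_id`), the managed attribute list and the sample records are assumptions constructed for illustration.

```python
import uuid

# Attributes owned by the IAM user database; replicas should never change them.
# (Attribute and field names here are assumptions for the example.)
MANAGED_ATTRS = ("email", "department", "status")

def reconcile(iam_users, replica_rows):
    """Join a downstream replica to the IAM user database on the User UUID.

    drifted:  (uuid, attr, iam_value, replica_value) edits made in the replica
    unseeded: local ids of rows with no usable UUID, so not yet linkable
    unknown:  well-formed UUIDs that IAM never issued
    missing:  IAM users with no linked row in the replica
    """
    report = {"drifted": [], "unseeded": [], "unknown": [], "missing": []}
    linked = set()
    for row in replica_rows:
        try:
            # uuid.UUID() normalises case, braces and the urn:uuid: prefix
            key = str(uuid.UUID((row.get("user_uuid") or "").strip()))
        except ValueError:
            report["unseeded"].append(row.get("local_id"))
            continue
        if key not in iam_users:
            report["unknown"].append(key)
            continue
        linked.add(key)
        for attr in MANAGED_ATTRS:
            want, got = iam_users[key].get(attr), row.get(attr)
            if want != got:
                report["drifted"].append((key, attr, want, got))
    report["missing"] = sorted(set(iam_users) - linked)
    return report

# Constructed sample data: IAM keys are canonical lowercase UUID strings.
U1, U2 = "3f2b8c1e-5d4a-4e9b-8a7c-1b2d3e4f5a6b", "9c1d7e2f-6a3b-4c8d-9e0f-2a3b4c5d6e7f"
U3, U4 = "0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d", "7e6d5c4b-3a29-4f18-b7a6-95847362514f"
IAM_USERS = {
    U1: {"email": "a.khan@example.com", "department": "Finance", "status": "active"},
    U2: {"email": "b.lee@example.com", "department": "IT", "status": "active"},
    U3: {"email": "c.diaz@example.com", "department": "HR", "status": "disabled"},
}
REPLICA_ROWS = [  # row 101 was edited locally, 102 has no UUID, 103 is not an IAM user
    {"local_id": 101, "user_uuid": U1.upper(), "email": "a.khan@example.com", "department": "Treasury", "status": "active"},
    {"local_id": 102, "user_uuid": "", "email": "b.lee@example.com", "department": "IT", "status": "active"},
    {"local_id": 103, "user_uuid": U4, "email": "x.roe@example.com", "department": "Sales", "status": "active"},
]

if __name__ == "__main__":
    for kind, items in reconcile(IAM_USERS, REPLICA_ROWS).items():
        print(kind, items)
```

A disabled IAM user appearing under `missing`, or a `status` value under `drifted`, is the case to review first, since it means a replica may still treat a deprovisioned account as active.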
Managing SSO realms
It may happen that you have rolled IAM out to an intranet application but
have not exploited SPNEGO or Active Directory integration, perhaps because
there were too many changes being introduced and you didn't want to
 
 
 
 