03.07.08

Identity Management Meets BPM

Posted in .NET, BPM, IT Infrastructure at 6:55 pm by Tony Baer

Traditionally, identity management was regarded as something akin to maintaining a lock in good order; it was the price you have to pay to keep your space – whether that be home, car, office, or more grandly, the information stewarded by an enterprise. But last week, Todd Biske made a case that identity is more than a bunch of locks and keys, and that there is competitive benefit to keeping ID management up to date.

“Organizations that are able to keep their identity stores accurate and up to date will find themselves with a significant advantage. An accurate identity store is critical to the successful adoption of BPM technology… One reorg of operations and the whole thing could fall apart with escalation paths no longer in existence, incorrect reporting paths, and more.” He then proffers the suggestion that identity management be the first place you look to leverage BPM technology itself.

It sounds like he could have been eavesdropping on a conversation that we just had with The .NET Factory, a Microsoft integrator that has developed an identity management offering that, in its newest incarnation, plugs into the Windows Workflow Foundation (WF) and transforms identity management into dynamic, updatable workflows.

To recap, WF is Microsoft’s new process integration run time framework, around which third party solution providers can develop their own domain-specific workflows. Think of it as the BPM add-on to the original .NET Framework, which began as a common deployment and run time engine for third party programming languages. (Whether to use WF was the topic of a white paper by twenty-six New York’s Kent Brown that we reviewed last week.)

WF gives The .NET Factory the foundation for making identity management dynamic. Traditionally, you enter rules for which people, organizations, sites, or roles gain access to which applications, databases, tools, and/or B2B systems. There might even be a formal workflow that is triggered when a new employee is added to or removed from the HR system. But these are at best one-time, static workflows. .NET Factory’s approach picks up from there, making provisioning of resources (which is what identity management is supposed to do) a dynamic process. So, once the initial provisioning workflow for adding a new employee is complete, it takes an event-based approach: when resources or employee status change, it triggers business processes that, depending on how they are configured, may or may not require new approvals. More importantly, the result is keeping the employee’s profile and privileges in sync, not only with his or her status, but also with any changes in enterprise business rules or organizational status.
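The event-driven reconciliation described above, as an added illustration that is not code from The .NET Factory product, from Windows Workflow Foundation, or from this post: each HR or business-rule event recomputes what the affected users should hold, diffs that against what they actually hold, revokes immediately, grants automatically where no approval is required, and parks the rest as pending approvals. It also checks for the reorg failure mode Biske describes, an escalation path that points at someone who is no longer active. The role-to-entitlement rules, the user records and the event shapes are all constructed sample data, not any product's real format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample rules: which entitlements each role carries.
# (An assumption for this illustration, not any product's rule format.)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"git", "ci", "vpn"},
    "manager": {"vpn", "hr-portal", "expense-approval"},
    "contractor": {"git"},
}
# Entitlements that are never granted without a human approval step.
APPROVAL_REQUIRED: Set[str] = {"hr-portal", "expense-approval"}


@dataclass
class Identity:
    user: str
    status: str                  # "active", "leave" or "terminated"
    roles: Set[str]
    manager: Optional[str]       # escalation path for approvals
    granted: Set[str] = field(default_factory=set)


def desired_entitlements(ident: Identity, rules: Dict[str, Set[str]]) -> Set[str]:
    """Derive what the user *should* hold from status and roles alone."""
    if ident.status != "active":
        return set()             # leave or termination strips everything
    desired: Set[str] = set()
    for role in ident.roles:
        desired |= rules.get(role, set())
    return desired


def reconcile(ident: Identity, rules: Dict[str, Set[str]],
              approval_required: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Diff held vs. desired; returns (auto_granted, pending_approval, revoked)."""
    desired = desired_entitlements(ident, rules)
    to_grant = desired - ident.granted
    revoked = ident.granted - desired
    pending = {e for e in to_grant if e in approval_required}
    auto = to_grant - pending
    # Revocations take effect at once; grants needing approval wait for it.
    ident.granted = (ident.granted | auto) - revoked
    return auto, pending, revoked


def handle_event(directory: Dict[str, Identity], rules: Dict[str, Set[str]],
                 approval_required: Set[str], event: dict):
    """Apply one HR/org event, then reconcile only the identities it touches."""
    kind = event["type"]
    if kind == "status_change":
        ident = directory[event["user"]]
        ident.status = event["status"]
        affected = [ident]
    elif kind == "role_change":
        ident = directory[event["user"]]
        ident.roles = set(event["roles"])
        affected = [ident]
    elif kind == "rule_change":  # a business-rule edit hits every holder of the role
        rules[event["role"]] = set(event["entitlements"])
        affected = [i for i in directory.values() if event["role"] in i.roles]
    else:
        raise ValueError(f"unknown event type {kind!r}")
    return {i.user: reconcile(i, rules, approval_required) for i in affected}


def stale_escalation_paths(directory: Dict[str, Identity]) -> List[str]:
    """Active users whose manager is unknown or no longer active."""
    return sorted(
        i.user for i in directory.values()
        if i.status == "active" and i.manager is not None
        and (i.manager not in directory or directory[i.manager].status != "active")
    )


def build_sample_directory():
    """Constructed sample identities with the initial provisioning applied."""
    directory = {
        "alice": Identity("alice", "active", {"engineer"}, "bob"),
        "bob": Identity("bob", "active", {"manager"}, None),
        "carol": Identity("carol", "active", {"contractor"}, "bob"),
    }
    rules = {r: set(e) for r, e in ROLE_ENTITLEMENTS.items()}  # private copy
    for ident in directory.values():
        reconcile(ident, rules, APPROVAL_REQUIRED)
    return directory, rules


if __name__ == "__main__":
    directory, rules = build_sample_directory()
    events = [  # constructed event stream
        {"type": "role_change", "user": "alice", "roles": ["engineer", "manager"]},
        {"type": "rule_change", "role": "contractor", "entitlements": ["git", "vpn"]},
        {"type": "status_change", "user": "bob", "status": "terminated"},
    ]
    for ev in events:
        print(ev["type"], handle_event(directory, rules, APPROVAL_REQUIRED, ev))
    print("stale escalation paths:", stale_escalation_paths(directory))
```

The point of the design is that revocation never waits: a termination event empties the desired set and the diff strips every privilege in the same pass, while new privileges that carry risk (here the approval-gated ones) are reported as pending rather than silently granted. The stale-path check is what catches the case where the approver for those pending grants has just been terminated.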

Hooking into a general framework like WF opens up many possibilities for interoperation with related systems such as business rules management, various enterprise applications, and so on. But what’s more interesting is how it recasts what has traditionally been regarded as a non-value-added process. So the question becomes: if we BPM-enable identity management, will there be any way to show tangible business value from it?
