Archive for the Uncategorized Category
ID Card Stuff
April 27, 2008 by mabatche.
I haven’t been following the whole ID Card landscape very much, to be honest. But lately I was looking over Project Bandit, and downloaded the Digital-Me card selector. It looks pretty promising, and I can potentially see a lot of very interesting uses for this stuff. But my question is, does anyone know of a site I can try this against that supports it? Or am I just flat out missing something? I know this is new stuff, but at the moment, I have the card selector and nothing to use it with… Anyone know of anything? And if not, if I were to attempt to set something up, would anyone be interested?
UPDATE: So I was looking around some more on ID-Cards, and ran across this great video here. It’s basically a little mini-tutorial on how to get CardSpace working with a website with very minimal effort. I may mess around with this some more just to see what I can do with it.
Posted in Uncategorized | No Comments »
Role Based Access in the Enterprise
October 9, 2007 by mabatche.
I have recently been thinking a lot about role based access in large enterprises. I have personally been involved in quite a few Role Based initiatives, and I got to thinking… Given the typical bureaucracy that goes along with a large corporation, and given the somewhat disjointed nature of roles in most organizations, can one actually achieve *true* role based access?
I think it depends on what your definition of roles is.
Roles - The Problem:
The trouble with IDM solutions and Role Based Access is that every vendor out there tells you: “Sure, we do role based access.” I have even had a few vendors tell me that they will come in and figure out what my roles are for me, and then work with that.
Where I think most fall short is that in every large company I have ever been to, they don’t know what their own roles are… let alone have some external entity figure it out for them.
The real problem is that a “role” can be anything a company defines it as. It can be something as simple as pay-grade = ROLE or something as complex as your practice+group+pay-grade+manager-reporting-relationship+tenure+location = ROLE. So, as you can see, I think a “role” is a relative thing.
This trouble around roles is where I think most IDM/Role projects fail.
Technology:
Most companies focus their time on the technology behind IDM/Roles and not enough time figuring out what roles mean to their organization. (I have found myself guilty of this at times).
Technology is great, but in the end when doing IDM projects, the technology is just a means of getting your data pushed around from one place to the other. The data is the truly important piece to the IDM puzzle. If you understand your data, the technology is simple. If you don’t, then you’re doomed to have a terrible IDM implementation.
The Data:
I would venture to say that most large enterprises have a good idea of what they are paying their employees, but, when asked what their employees’ roles are or what makes up that role, they might not have an answer.
When creating a Role Based Framework, you have to be able to define what makes up a role in its entirety. So, an example might be an Administrative Assistant: what is needed to fulfill this particular role? A File and Print account? An eMail account? Financial reporting account? PeopleSoft account? Special access to Admin databases? A home directory? Special access for their location?
As you can see, a simple role like Administrative Assistant can become very complex. Imagine having to do this for a company that potentially has thousands of roles.
This is why I think Roles (as they are talked about today) are not achievable on any kind of scale. While some may disagree with me here, I think if done on a large scale, roles are just too messy this way.
Self Service:
Many IDM vendors are pushing the concept of self-service as a way to help the problem of roles/access provisioning by taking out the middle man and allowing data owners to do their own approval and access granting. I think this is a great concept and can be a good fit in any organization of size. But self-service has a problem as well: knowing who the data owners actually are.
Most big organizations have a hard time pulling this off as well. Over the years data owners change, data changes, where data lives changes, so if there were owners of the data in the beginning, chances are they don’t know who they are now.
Recommendation:
So, if you find yourself working on one of these Role projects at a large shop, before you even start talking about technology you need to ask yourself and the organization the following questions:
1 - Do you already have a rock solid idea of what your roles will look like and what each role *means*?
- Not just what the role name is, you need to know exactly what it means data wise and access wise when someone gets that role applied to them.
2 - If the answer to #1 is no, then the conversation needs to turn away from technology and turn into a matter of exploration to determine if it’s even possible to figure out what roles are, given current data. Often you will find that given the data, roles are not definable. If this is the case, the conversation usually turns into “let’s make up some roles.”
I think the right place to be when thinking about roles is somewhere between knowing your roles completely, and providing self-service.
I think that if you can get to a point where you have say, 10-20 general roles out of 1000, and those general roles provide 80% of the people the access they need from day one, then you have succeeded at roles. After you figure out the general roles, then you can add self-service to catch the rest of the 20% that you couldn’t automate in the first place.
So, basically after all this rambling, I think what I’m trying to say is…
1 - Generalize your roles. Being too specific just makes things way too complicated.
2 - Knowing that you generalized, you need to provide a way to make up for the difference. This is where I think providing self-service and workflow comes into the picture.
So, once again, sorry for the rambling.. just had to get it off of my chest.
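The 80/20 recommendation above (a handful of general roles for most people, self-service for the rest) can be checked against real entitlement data before anyone buys a product. The following is an added example, not code from the post: a small role-mining pass over a constructed user population. Users carry two HR attributes (the pay-grade/group kind of data mentioned earlier) plus the entitlements they actually hold; candidate roles are formed by grouping on a chosen attribute tuple; a role grants only what a clear majority of its members hold; the report then says how many users the top-N roles cover completely, how many grants would be left to self-service, and how many grants a role would hand out that its members do not actually need. The user data, attribute names and entitlement names are all constructed for the demonstration.

```python
from collections import Counter, defaultdict


def user(name, dept, grade, *ents):
    """Constructed user record: HR attributes plus currently held entitlements."""
    return {"name": name, "dept": dept, "grade": grade, "entitlements": set(ents)}


BASE = ("file_print", "email", "home_dir")

# Constructed sample population (not real data).
USERS = [
    user("aa1", "admin", 3, *BASE), user("aa2", "admin", 3, *BASE),
    user("aa3", "admin", 3, *BASE),
    user("aa4", "admin", 3, *BASE, "finance_reporting"),   # one assistant needs more
    user("eng1", "eng", 5, *BASE, "vpn"), user("eng2", "eng", 5, *BASE, "vpn"),
    user("eng3", "eng", 5, *BASE, "vpn"),
    user("eng4", "eng", 5, *BASE, "vpn", "prod_db"),        # one engineer needs more
    user("fin1", "fin", 4, *BASE, "finance_reporting"),
    user("fin2", "fin", 4, *BASE, "finance_reporting"),
    user("ceo", "exec", 9, *BASE, "finance_reporting", "board_portal"),
    user("ctr1", "eng", 1, "email", "vpn"),                 # contractor: email + VPN only
]


def candidate_roles(users, key_attrs):
    """Group users on the attribute tuple that will define a role."""
    groups = defaultdict(list)
    for u in users:
        groups[tuple(u[a] for a in key_attrs)].append(u)
    return groups


def role_entitlements(members, threshold=0.5):
    """What the role grants: entitlements held by more than `threshold` of its members."""
    counts = Counter(e for m in members for e in m["entitlements"])
    return {e for e, n in counts.items() if n / len(members) > threshold}


def coverage_report(users, key_attrs, top_n, threshold=0.5):
    """Keep the `top_n` largest candidate roles and measure what they buy you."""
    groups = candidate_roles(users, key_attrs)
    ranked = sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True)[:top_n]
    roles = {key: role_entitlements(members, threshold) for key, members in ranked}
    fully_covered = total_grants = self_service = over_provisioned = 0
    for u in users:
        granted = roles.get(tuple(u[a] for a in key_attrs), set())
        missing = u["entitlements"] - granted      # must come via self-service/workflow
        excess = granted - u["entitlements"]       # role hands out access the person lacks today
        total_grants += len(u["entitlements"])
        self_service += len(missing)
        over_provisioned += len(excess)
        if not missing:
            fully_covered += 1
    return {
        "roles": roles,
        "candidate_roles": len(groups),
        "users_fully_covered": fully_covered,
        "user_coverage": fully_covered / len(users),
        "self_service_grants": self_service,
        "self_service_share": self_service / total_grants,
        "over_provisioned_grants": over_provisioned,
    }


if __name__ == "__main__":
    for key, n in ((("dept", "grade"), 2), (("dept", "grade"), 3), (("dept",), 2)):
        r = coverage_report(USERS, key, n)
        print(f"key={key} top_n={n}: {r['users_fully_covered']}/{len(USERS)} users fully "
              f"covered, {r['self_service_grants']} grants to self-service, "
              f"{r['over_provisioned_grants']} over-provisioned grants")
```

Two things fall out of running it on the sample. With roles keyed on (dept, grade), the two biggest roles cover half the population from day one and leave 17 of 45 grants to self-service; adding the third takes that to 8 of 12 users and 9 grants. Keying on department alone covers one more user but does so by granting the contractor file/print and a home directory it never held, which is the over-provisioning that coarser roles tend to cause and the reason the threshold and the key attributes deserve as much attention as the tooling.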
Posted in Uncategorized | 1 Comment »
OpenSuse 10.2 Network install in 6 easy steps.
August 16, 2007 by mabatche.
Step 1
Download and burn the mini CD iso from the opensuse.org website. I found it here. This is the 10.3 miniboot.
The 10.2 miniboot can now be found here.
Step 2
Boot off of your newly burnt mini CD.
Step 3
Once at the screen where you can choose “Installation”, press the F4 key and choose HTTP.
Step 4
Now, when prompted for the server, place the following in that field: suse.mirrors.tds.net
Now, when prompted for the directory, place the following in that field: /pub/opensuse/distribution/10.2/repo/oss/
Step 5
Now, choose installation and you’re off and running!
Step 6
Wait……… installing over the internet isn’t the fastest thing in the world, but it works pretty well.
Note that this doesn’t take into account anything like proxy servers, or NFS mounts, or anything like that. These 5 steps assume you have a direct connection to the internet.
Updated: I changed the link to point to the 10.3 miniboot CD. It should work for 10.2 as well. (But I have not confirmed this).
Posted in Uncategorized | 4 Comments »
So, I posted my Resume
May 29, 2007 by mabatche.
I posted my resume like everyone else does. Nothing special. I’ve been with the same company for 10 years and recently was wondering if there is anything else out there. Don’t get me wrong, I actually like my job. But you never know unless you look. So, here is the resume. It’s a work in progress, this is just the first draft, so if it isn’t all that pretty, I apologize.
Mark.
Posted in Uncategorized | No Comments »
This is actually pretty cool.
May 11, 2007 by mabatche.
A few days ago, I put up a little article asking where my open source IDM solution was. Looking across someone else’s blog, I was directed to this link here.
It’s a very cool mapping tool used to create a map of known open source IDM projects and their status. I found this very helpful. Maybe you will as well.
Posted in Identity Management, Uncategorized | No Comments »
Started PAM module list
May 11, 2007 by mabatche.
I just started putting together a list of all the PAM modules I can find that are open source. It can be found here.
I’ve been getting a bit frustrated at finding some of these. Many of these are very useful! And it would be nice to have one place to go to find out about some of these… So I’m starting this little list and updating it as I come across them.
Mark.
Posted in Directories, Identity Management, Uncategorized | No Comments »
The Trouble with Non-Native Authentication
May 7, 2007 by mabatche.
Recently, I’ve been working on a project which is intended to replace access/authorization mechanisms on Solaris/Linux servers with PAM_LDAP (see www.padl.org). Getting PAM-LDAP to work has actually proven to be a relatively easy thing to do. (We happen to be using Novell’s eDirectory as the LDAP environment for it.) But we have been running into multiple problems when it comes to non PAM aware applications running on our servers.
Here’s an example: IBM DB2. Technically, it looks up users/user access information from /etc/passwd and from /etc/groups. This is all well and good. But, on some older instances of it, it doesn’t necessarily seem to adhere to the standards that nss_ldap uses for lookups. Which leaves us in a scenario where we have to maintain a local copy of the account on the Solaris servers in order for DB2 to function correctly. Now, this completely defeats the idea behind using a central directory for access/authorization. What’s the point in having one, if you have to also maintain local accounts for non-system level users on the server as well?
An Idea -
For anyone who has ever worked in a Novell shop, you are most likely all too familiar with this same problem, only from a different angle. When the Novell client is installed on a Windows workstation, there had to be a mechanism for local users (or domain users for that matter) to be authenticated to a workstation as well as the eDirectory user. In Microsoft’s wisdom, they are assuming that everything is Windows, and no third party matters. Novell got around this with what they used to call (I have no idea if it’s still called this) “Dynamic Local User”. What it would do, is upon login, if you had never logged into that machine before, it would create a local account for you with whatever security specific policies you had assigned to that user. Then, you had the option (via policy) to make that a non-volatile user (meaning it would never be deleted unless someone deleted it) or make it a volatile user (meaning upon logout, the user would be cleaned up from the workstation and all was good). This worked surprisingly well. Now, of course, one thing Novell had on their side was that they knew the user’s password upon login, and could sync it up. It was also a fairly small use case (meaning it was really intended for workstations and the types of things they would be doing).
Now, I realize that a server (especially one of the Unix variety) is a very different beast from a workstation. But what I was wondering is if this is possible for a Unix box?
I’ve seen some stuff out there that has some of this functionality, but nothing that really got me going yet.
Has anyone ever run across software (maybe a PAM module) that supports this type of functionality? I have seen pam_mkhomedir before and even used it. That is sort of a dynamic provision for the home directory on Unix. But what about the user?
Anyone?
Posted in Uncategorized | No Comments »
Where’s my open source enterprise IDM solution?
April 30, 2007 by mabatche.
I’ve been doing IDM for about 6 years now. With everyone I speak with, IDM pretty much gets talked about in 2 ways.
1 - SSO/Federation solutions. Geared mostly around federation and SSO Access/Authorization. (there are actually a plethora of Opensource projects that can help tackle these problems).
2 - IDM in terms of user provisioning and profiling in the enterprise to enterprise type software. Such as Lotus Notes, Active Directory, eDirectory or even things like RACF on zOS.
For number 1, I’ve found all sorts of stuff in that space. Here’s a couple of links for it:
http://www.manageability.org/blog/stuff/single-sign-on-in-java/view
http://www.techworld.com/networking/features/index.cfm?featureid=1681
For number 2 though, I have yet to find anything interesting that gets my attention. Which got me wondering why?
I’m well versed in Novell’s Identity Manager product and have also done *some* work with Sun’s product. There are also a few other companies out there that claim to do some form of IDM in this space, including Microsoft, IBM/Tivoli, CA, and then there are some smaller players.
Most of these products base everything on some sort of a directory technology. Be it eDirectory for Novell, AD for Microsoft, or whatever the directory of the day is… they all have some form of directory back-end that serves as a meta-directory. In the open source world, we have OpenLDAP, which is certainly a reputable and well proven directory service. Seems to me that it would be a relatively interesting idea to attempt to build an enterprise class IDM solution that works in conjunction with OpenLDAP as the back end.
I realize, I’m sort of rambling on here, so if anyone knows of any efforts going on in this space, post a comment.
I’m actually considering attempting this myself. If there is any interest, let me know!
UPDATE: From one of the little handy “Who’s linking to you” links, someone pointed this out… http://www.diamelle.com/ . They appear to be working on this exact problem. I’ll check it out and let everyone know.
Posted in Identity Management, Uncategorized | No Comments »