In-Depth

Account Provisioning: Roles vs. Rules?

Managing user accounts in a myriad of systems

• By Mathew Schwartz
• 04/09/2003

Identity management software is hot, hot, hot. Jim Hurley, security analyst for the Aberdeen Group in Boston, estimates there are at least 40 big identity management players, plus perhaps another 100 on top of that. “That’s the good news. [Buyers] have a choice.” Of course, from an evaluation standpoint, “that’s the bad news too.” He says it’s a rare Fortune 3000 company that isn’t evaluating or already running automated identity management software. Still, companies are early in the process—only what Hurley characterizes as year two of a seven-year adoption cycle.

The drive to automate identity management (and reduce costs) is similar to the late-1990s enterprise push to automate human resources information. Why task an HR manager with updating user addresses and phone numbers when users could log on to the corporate intranet and just do it themselves in the same amount of time? So, too, for security: users can request a password reset and have a temporary password e-mailed to them immediately, and automatically, cutting down on IT's time and expense of such chores.

One product in this market is AccountCourier version 3 from Courion Corp. (Framingham, Mass.). The user provisioning software lets companies manage and keep secure the computer accounts and access rights of employees, business partners, and customers. It helps automate all aspects of account creation, maintenance, and termination, and lets security administrators enable “self-service” features for end users to perform much of the account management work themselves.

AccountCourier lets security administrators create and modify large numbers of accounts at once. Security administrators can get real-time information about any user’s access privileges and settings, and clone that user’s settings for other (similar) users. “For example, if I’m a bank [security manager] and I want to allow a teller manager to hire new tellers and give tellers access to PCs and the mainframe, I can build a very simple policy that only allows teller managers to create new accounts for tellers, and they can only give them to tellers,” says Tom Rose, vice president of marketing for Courion.

Rules, Not Roles

One of the crucial aspects to automating user accounts is spelling out who gets access to what. To do that, Rose says AccountCourier is “more centered on rules” rather than roles.

Rose says roles are predicated on some kind of centralized database—an Active Directory or a lightweight directory access protocol (LDAP) database, for example—containing users by groups, such as teller managers, tellers, and executives. By contrast, rules let a security administrator apply security policies by induction (closing settings, for example), “so it’s more centered around really restricting the groups of users and templates that can appear to them.”

Which approach is better—roles or rules?

“I think it’s a marketing distinction,” says Aberdeen’s Hurley. “I think there’s a bit of magic and shaking of the tablecloth” when it comes to the terms. “Let’s look at it from the reality of the way that most organizations that deal with it think about it. I never hear the word role or rule from most of these people. They talk about job function.” Regardless of how buyers and sellers categorize what needs to be done, it’s the same thing. Likewise, “at the end of the day, those roles, however they’re defined, have to be turned into electronic rules that can be defined by technology.”

Account management is usually just the tip of the iceberg when it comes to hiring a new employee. Many large companies have elaborate forms—say in Lotus Notes, Peregrine Service Center, or BMC Software’s Remedy—that a hiring manager fills out to create an account for a new user. The forms also trigger the relevant people to begin procuring a laptop, cell phone, pager, or reserve cubicle space, or any of the other myriad things that need be done when someone gets hired. Similar forms are used when employees leave.

AccountCourier can be tied in to existing, automated workflow processes. “Both our password management software as well as our user management software has the ability to create automatically tickets in pretty much any system,” says Rose. The front ends of other programs can call AccountCourier via XML.

Besides helping automate the hiring, maintaining, and erasing of user accounts, the software has another crucial feature: disable. “They’ll call it, 'Did one of your employees just give notice? Click here to turn them off,'” says Rose. A new feature in AccountCourier 3 is the ability to tailor what the disable feature actually does, since not everything, such as in Microsoft Exchange 2000, has a “disable account” feature. For Exchange, AccountCourier can set the mailbox quota to zero, and prevent the user from sending any more mail, effectively shutting the account down.

Disable is useful because while it allows a manager to deactivate an account, the power to eliminate the account altogether—a potentially disruptive action, especially if a manager doesn’t know what he’s doing—can be reserved for a security administrator.

Picking the Right Software

When evaluating the many different identity management software vendors today, Hurley says he typically sees organizations choose one to three vendors to handle identity management.

“One big myth and misconception about LDAP is that organizations are looking at using this as a monolithic directory,” he observes. “In fact, they’re not, and in fact we see all kinds of databases underneath the covers of the technology that are interconnected with lightweight directory access protocol.” Instead of consolidating multiple information sources—legacy, SAP, Peoplesoft HR, for example—companies keep the data where it is, then dump it into another database, massage it for identity purposes, keep it synchronized, and move on.

Often, different departments use different software. The good news is that implementing it has gotten easy enough so that this doesn’t have to be a gargantuan, centralized enterprise rollout. Different departments can get what they need. “That is, in fact, one of the benefits that has been told to us by an awful lot of the buyers—that the stuff isn’t big pie-in-the-sky enterprise architecture stuff, and that makes it easier for them to acquire, test, and deploy it.”

Courion’s AccountCourier allows companies to integrate with the multiple places in which identity information is stored, and it’s typically stored in a lot of places—including relational and non-relational databases, and hierarchical and tree systems.

That there are so many data repositories for user information still in use might surprise some, given the buzz over creating one centralized directory for user information. In reality, “what’s going on is there’s a lot of data of record that exists throughout the organization, and the organization does not want that data of record to change, because it’s good at whatever it does,” says Hurley.