% fortune -ae paul murphy

A unified point of control

It's called "identity management" but that's not what it is. What it is, at least in the Sun implementation, is a unified point of control for rights management.

For some applications I can see some of this stuff being extremely valuable - and I'll get to some examples of that in a minute, but first I want to continue being negative for a bit longer. Consider two questions:

  1. Why does Sun, which claims to have one of the best and most effective customer identity management systems available anywhere, keep sending me duplicated email headed "Dear You already have me registered"?

  2. What do the following have in common?

What I think is that the one-word answer to both questions is "immaturity" - but it's actually a little more complicated than that. Look at how any one of those Java Systems is described - for example:

Sun Java System Directory Server Enterprise Edition is much more than a directory server. It delivers the key capabilities of security, interoperability, availability, scalability, and manageability that define a true directory service. It therefore makes it possible to successfully address the challenges of increasing security, improving quality of service, and controlling costs that today's enterprise faces.

Vertical and Horizontal in nature, Directory Server Enterprise Edition can be applied in any industry where identities and users need to be managed securely and efficiently.

You know what that sounds like to me? Microsoft Power Speak - nice words strung together nicely, but entirely devoid of the actionable content someone might look for after the implementation fails to deliver the expected results.

So why?

Because this stuff is terribly immature. Pick almost any commercially important IT technology from outside the Unix world and this is what it sounded like when first sold - it would scale horizontally and vertically, grate your cheese for you, and save the world - well, except for the first ten years or so, when all it really did was sell products and services to ever-hopeful customers.

And that brings me to the good news - taken one at a time, this stuff pretty much works: telcos can, for example, manage customer DSL accounts using Java System tools and customer portals, or automatically extend Windows server access to a new hire. What doesn't work, at least not out of the boxes, is what these systems really promise: not identity management but a unified point of control for user rights management.

As a result, getting the customer what the customer wants isn't impossible - you just have to understand enough about what the customer wants, and about which component does what, to implement exactly and only the right components and then customize a front end to "dashboard" all of those installed components.

The competition is, if anything, worse - except for Novell, whose front end integration stuff is considerably slicker than Sun's, but whose backend strength unfortunately seems to start and end with the directory. IBM's, however, well - let me just say the whole thing is based on Tivoli and leave the rueful laughter to you.

Sun has some web-based tools for the integration job now, and more are clearly on the way, but a common front end doesn't address the conceptual conflicts in the way the various pieces approach their jobs.

On the other hand, I think the really good news here is that Sun's working, scalable backend components contain the information needed for someone to figure out a generic, extensible approach to all this and produce a single, unified rights management tool that becomes, like DTrace and ZFS, an industry standard.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.