I’ve been to many Catalysts but this was my first as a Burton Group analyst. Besides seeing how the sausage gets made, so to speak, this Catalyst was different in that I got to speak to a lot of enterprises on their struggles and successes with identity management. It was in these conversations that I heard a disturbing theme: “I’m not ready to do roles, so I won’t attempt user provisioning.” This is truly a disturbing theme for both enterprises and vendors alike.
Before delving into why this theme scares me, let’s look back at the history of the market. Role management products got their start five-plus years ago. At that time, user-provisioning tools had poor permission policy (entitlement) management capabilities. Although user-provisioning tools did provide some means of aggregating account permissions for given systems and a semi-automated way to dole those groups of permissions out, they were a bit cumbersome and difficult to report on. Because these permission policies were difficult to deal with, early adopters struggled to get automated provisioning projects off the ground. Role management tools (and here I am speaking of IT or technical roles) filled a vital gap, allowing enterprises to speed up their user-provisioning deployments by accelerating and strengthening the entitlement management process. At that time in history, there was something to the argument that role management tools were needed to deploy user provisioning. That argument is no longer valid. User-provisioning tools have greatly improved their permission policy management capabilities and provide the enterprise adequate tooling.
Implicit in the idea that an enterprise cannot attempt user provisioning because it is not ready for role management is the notion that user provisioning has no value to the enterprise without role management. This is an outdated argument that is simply not true. By delaying a user-provisioning program (and I say program here and not project), the enterprise cannot reap the benefits of more automated deprovisioning, password management, self-service account requests, and basic user provisioning itself. Most importantly, by putting off user provisioning and waiting for role maturity to spontaneously happen, the enterprise risks putting off the most important part of any identity management program (role management or user provisioning alike), and that is the establishment of governance. Establishment of governance is the most critical success factor for identity management programs, and if it is not established up front, future programs and projects have a nearly 100% chance of failure.
As I said earlier, the wrongheaded notion that user provisioning requires mature roles contains danger for vendors as well. Vendors who have role management tools will find their bigger deals delayed as the enterprise waits for a sign that it is mature enough to begin its user-provisioning program. Further, vendors will end up with more shelfware deals, as there are significantly more implementation teams familiar with user-provisioning tools than there are with role management tools. Lastly, this disturbing theme constrains identity management to being viewed as a series of projects and not as holistic programs, and thus to a lack of governance.
I have hopes that this theme is, in fact, observed retrograde motion of identity management. I hope that the market and its thinking are not reversing gains, but instead exhibiting a transformative behavior that we have yet to see. To close, keep in mind that both role management and user-provisioning efforts can be done in parallel, and each will find benefit in the other as they mature. Provisioning requires an understanding of process and procedure; role management requires an understanding of relationships and responsibilities. To be successful with either, clear scoping and small iterative projects as part of an overall well-governed program are advised to ensure current success and future growth.