One of the philosophies at Thor (that we have proudly carried over to Oracle) is our commitment to building products that deal with the dirty realities of our customer’s deployment needs, instead of living on some idealized plane. Getting there requires a lot of input from our customers. This week, our Product Management team is doing a customer roadshow regarding our audit and compliance features, in an effort to validate and get input on the next phase of our offerings. As they embark on this trip, I wanted to share the most significant takeaway we had from our last such effort.
The Problem Statement
After the initial design of our attestation feature offering, we did a similar roadshow with the IdM teams at some of our customers who have been supporting significant audit efforts within their organizations. While they liked the effort we had put into weaving attestation into the fabric of IdM, and the attention to manageability we had put into the UIs and flows, they pointed out one aspect we had not anticipated – the lack of predictable reviewer patterns. What they pointed out was that the automated processes around attestation would only be as good as the data that would drive the decision-making; and that, for better or for worse, that data is almost impossible to find/capture in any kind of authoritative source. While the concept of managers attesting to the access rights of their reports is good in theory, the reality is that the knowledge needed to actually make an informed decision is often distributed among different people, who may have dotted relationships to the subject at best, and no visible relationship at worse. The scale of a lot of these organizations also means that a single manager could end with an impossibly large number of entitlements to attest to, a lot of which he/she really has no context into. Roll ups in the attestation world are extremely common, and having the head of a division attest to the entitlements of everybody in their organization just cannot happen (especially when it is their head on the line).
The Solution Statement
The advice that we got was to build into our attestation offering a key feature – Selective Delegation. In the old world of paper-based attestation, this would be the equivalent of the reviewer putting in the notes column of a particular entitlement in the spreadsheet the phrase “Not sure, ask Jim to review this”. Imagine the headache this causes for the team generating and receiving these spreadsheets, having to sit and compile all these ad-hoc requests into new spreadsheets. There are only two ways this can end - both of them badly. Either the compliance teams spends man-years handling these ad-hoc requests, compiling new spreadsheets, sneding them out and tracking the results. Or they push back on the reviewer against such requests, resulting in the reviewer being forced to take a decision without any context (or having to do a lot of legwork to gain that context, which as was explained to us, never happens in real life). The result – bad attestation certifications.
Now imagine if all of this is automated to happen online, and instead of having to write a note back to the compliance team asking for Jim to review a particular entitlement out of a hundred or so, the reviewer can just tag that entitlement with Jim’s name. The system automatically picks this up and generates an attestation request for Jim, complete with the same entitlement data, and the reason why they are being asked to do the certification. The delegation is tracked and audited, and a chain of responsibility is created. Best of all, this simple act has eliminated potentially man-years of effort, and closed an extremely serious audit loophole.
This critical aspect of Human Integration (stealing a phrase from Kim Cameron’s elegant 7th law) was repeated at each customer we talked to. So we went back to the drawing board, and spent quite a while designing an elegant solution to this problem. The feature – selective delegation – is proving to be quite the hit with everyone we have shown it to since it came out. In fact, one prospect said that just this one feature is enough for them to green light a project, because it gives them the confidence that automated attestation can become a reality in their complex world. The key element that all of them pointed out was that, unlike everything they had tried up until this point, it gave them a way to handle completely ad-hoc occurrences in a systematic, audited manner that did not break the process. And to them, that was pure gold.