
Ask Dr. K: Directory Synchronization Vs. Provisioning

  • Posted on: October 16, 2006
  • Posted in: Ask Dr. K
  • Posted by: Nishant Kaushik

Inspired by the Daimler-Chrysler series of ads around the enigmatic Dr. Z, I am starting a new series in my blog called “Ask Dr. K” (you’ll find a link to that section on the right under Site Navigation). This is also a play on the fact that some of my colleagues mockingly refer to me as Dr. K around the office (presumably more to do with my constantly espousing IdM around the office, and less to do with any real claim to solve problems that I can make).

In this series, I will be posting answers to some of the more interesting questions that are coming my way, both from within Oracle and externally. If you would like to ask a question, send it my way by emailing me.

The first question in the series is an interesting one posed by one of our guys on an internal mailing list, trying to make sense of the myriad of IdM products we have here at Oracle.

It seems like there is a fine line between how one defines directory synch. and provisioning.  Provisioning seems more rules and mapping based while plain synch. (i.e. DIP or other metadirectory engines) appears to be more of a one to one activity with less intelligence and no workflow. I’d like to hear everyone’s thoughts on this.

Dr. K says:
On the surface, there seems to be quite a bit of overlap between the two. After all, the primary function of both systems is to move around data. The main difference that I see is that directory synchronization is an IT solution, while provisioning is a business solution.

Directory synchronization can be viewed as a loose way to link directories. It exchanges data between directories, providing various levels of integration and control. It can enable two directories to stay in sync by sharing information between them, or it can maintain data synchronization between a directory and some external data source (e.g. an HR System database). The focus is on the data, and it is usually practical only where the data and schemas of the two directories are similar, and data can be mastered in both. The rules and filters governing synchronization are usually technical in nature.

Provisioning approaches this same problem from a business solution perspective. It provides human interface tools for requesting access, workflow capabilities, role-based decisions, and business and security policy management. It deals with ad-hoc situations, and supports a myriad of business capabilities like reporting, attestation and SoD management – capabilities that directory synchronization tools are not geared towards.

So, when trying to solve the business problems of identity management, go for a provisioning tool. When trying to solve a technical problem around data management, go for a directory synchronization tool.
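
The contrast above, as an added sketch that is not part of the original post and does not represent DIP or any Oracle product: `sync` only filters and maps attributes, while `provision` wraps the same kind of change in an SoD check, an approval step and an audit trail. All names, the sample feed and the SoD rule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample feed and mapping (HR attribute -> directory attribute).
HR_FEED = [
    {"emp_id": "1001", "email": "a@example.com", "dept": "fin", "status": "active"},
    {"emp_id": "1002", "email": "b@example.com", "dept": "it", "status": "terminated"},
]
ATTR_MAP = {"emp_id": "uid", "email": "mail", "dept": "ou"}

def sync(source, target, include=lambda e: e["status"] == "active"):
    """Directory synchronization: technical filter + attribute mapping, no approvals."""
    changed = []
    for entry in source:
        if not include(entry):
            continue
        mapped = {dst: entry[src] for src, dst in ATTR_MAP.items()}
        if target.get(mapped["uid"]) != mapped:
            target[mapped["uid"]] = mapped
            changed.append(mapped["uid"])
    return changed

# Constructed SoD policy: entitlement sets one person must not hold together.
SOD_CONFLICTS = [{"create_vendor", "approve_payment"}]

@dataclass
class Request:
    user: str
    entitlement: str
    requester: str
    state: str = "pending"
    audit: list = field(default_factory=list)

def provision(req, held, approver=None):
    """Provisioning: SoD policy check, approval step and audit trail around the grant."""
    proposed = held.get(req.user, set()) | {req.entitlement}
    for conflict in SOD_CONFLICTS:
        if conflict <= proposed:
            req.state = "rejected"
            req.audit.append(f"SoD conflict: {sorted(conflict)}")
            return req
    if approver is None or approver == req.requester:
        # Assumption of this sketch: the requester cannot approve their own request.
        req.audit.append("waiting for an approver other than the requester")
        return req
    held.setdefault(req.user, set()).add(req.entitlement)
    req.state = "granted"
    req.audit.append(f"approved by {approver}")
    return req
```

Running `sync` twice over the same feed changes nothing the second time, whereas every `provision` call leaves an audit entry even when nothing is granted, which is the record reporting and attestation depend on.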

Tags: Directory Synchronization, Provisioning
  • http://identitystuff.blogspot.com Mark Mac Auley

    In some work I had done at Fortune 5 a couple of years back, managing directories was cumbersome. They ended up actually building their own directory synch application between each business unit and a Master directory. The aim of this was to centralize a user repository across 500K people that was very segmented and changed frequently. They then used their IdM solution to help herd the cats twice a day and capture the adds/changes/deletions across the enterprise and deprovision the deletes, and run the adds through the workflows.
    The issue in all of this, at least in my experience, is that the IdM solutions and a lot of other apps are dependent upon clean or clean enough directories. The cleaner they are, the better things will work as IdM is implemented.

  • mhafod

    This is a fine line that very few people, even those in charge of access-provisioning depts, understand.
    I hope that in your future posting, you can provide some more inputs on access provisioning and access mgmt from the business and technical perspectives.
    Dr B.

Disclaimer

Talking Identity is my exploration of the world of Identity Management. The views expressed on this blog are my own and do not necessarily reflect the views of Identropy (doesn't mean I'm not trying hard to mold them in my own image).

Copyright © 2005-2013 Nishant Kaushik. All Rights Reserved.