Ask Dr. K: Directory Synchronization Vs. Provisioning
Inspired by the Daimler-Chrysler series of ads around the enigmatic Dr. Z, I am starting a new series on my blog called “Ask Dr. K” (you’ll find a link to that section on the right under Site Navigation). This is also a play on the fact that some of my colleagues mockingly refer to me as Dr. K around the office (presumably more because I constantly espouse IdM, and less because of any real claim to solving problems that I can make).
In this series, I will be posting answers to some of the more interesting questions that are coming my way, both from within Oracle and externally. If you would like to ask a question, send it my way by emailing me.
The first question in the series is an interesting one posed by one of our guys on an internal mailing list, trying to make sense of the myriad of IdM products we have here at Oracle.
It seems like there is a fine line between how one defines directory synch. and provisioning. Provisioning seems more rules- and mapping-based, while plain synch. (i.e. DIP or other metadirectory engines) appears to be more of a one-to-one activity with less intelligence and no workflow. I’d like to hear everyone’s thoughts on this.
Dr. K says:
On the surface, there seems to be quite a bit of overlap between the two. After all, the primary function of both systems is to move data around. The main difference that I see is that directory synchronization is an IT solution, while provisioning is a business solution.
Directory synchronization can be viewed as a loose way to link directories. It exchanges data between directories, providing various levels of integration and control. It can keep two directories in sync by sharing information between them, or it can keep a directory in sync with an external data source (e.g. an HR system database). The focus is on the data, and it is usually practical only where the data and schemas of the two directories are similar and the data can be mastered on either side. The rules and filters governing synchronization are technical in nature (attribute mappings and scope filters rather than business decisions) and apply uniformly across the whole data management platform. Because there is no approval step, whatever lands in the source of record flows straight through to the target, so the integrity of the source matters as much as the mapping.
Provisioning approaches the same problem from a business solution perspective. It provides human-facing tools for requesting access, workflow (approval) capabilities, role-based decisions, and business and security policy management. It deals with ad-hoc situations, and supports many business capabilities like reporting, attestation and SoD (separation of duties) management, capabilities that directory synchronization tools are not geared towards.
So, when trying to solve the business problems of identity management (who should have what access, and who approves it), go for a provisioning tool. When trying to solve a technical problem around data management (keeping two repositories consistent), go for a directory synchronization tool.
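To make the distinction concrete, here is an added example in Python; it is not code from this post or from any Oracle product. It models the two side by side: a synchronization pass that does nothing but map attributes, apply a scope filter and compute adds/changes/deletes, and a provisioning engine that answers an access request with a role catalogue, a separation-of-duties check and a manager approval step. The attribute names, role names, manager relationship and sample records are all assumptions made for the illustration.

```python
"""Directory synchronization vs. provisioning as two toy engines.
Added illustration; attribute names, roles and sample records are constructed."""
from dataclasses import dataclass, field

# --- Directory synchronization: technical rules, one-to-one, no workflow ---

# Attribute map from an imagined HR export schema to directory schema (assumed names).
HR_TO_DIR = {"emp_id": "uid", "first": "givenName", "last": "sn", "mail": "mail"}

HR_EXPORT = [  # constructed sample rows from the HR source of record
    {"emp_id": "e100", "first": "Ada", "last": "Lovelace", "mail": "ada@example.com", "status": "active"},
    {"emp_id": "e101", "first": "Alan", "last": "Turing", "mail": "alan@example.com", "status": "active"},
    {"emp_id": "e102", "first": "Grace", "last": "Hopper", "mail": "grace@example.com", "status": "terminated"},
]
DIRECTORY = [  # constructed current contents of the target directory
    {"uid": "e100", "givenName": "Ada", "sn": "Lovelace", "mail": "ada@example.com"},
    {"uid": "e102", "givenName": "Grace", "sn": "Hopper", "mail": "grace@example.com"},
]


def plan_sync(source, target, attr_map, key="uid", keep=lambda rec: True):
    """Return (adds, changes, deletes) that make `target` mirror `source`.
    The only intelligence is an attribute map and a scope filter: nobody is asked,
    nothing is decided. Whatever passes the filter flows through."""
    wanted = {}
    for rec in source:
        if not keep(rec):
            continue  # a row filtered out at the source becomes a delete on the target
        mapped = {attr_map[a]: v for a, v in rec.items() if a in attr_map}
        wanted[mapped[key]] = mapped
    current = {rec[key]: rec for rec in target}
    adds = [wanted[k] for k in wanted if k not in current]
    changes = [wanted[k] for k in wanted if k in current and current[k] != wanted[k]]
    deletes = [current[k] for k in current if k not in wanted]
    return adds, changes, deletes


# --- Provisioning: business rules, roles, SoD policy and an approval step ---

ROLE_ENTITLEMENTS = {  # assumed role -> entitlement catalogue
    "ap-clerk": {"erp:create-invoice"},
    "ap-approver": {"erp:approve-invoice"},
    "engineer": {"git:push", "vpn"},
}
# Separation of duties: role pairs one person must never hold at the same time.
SOD_CONFLICTS = [frozenset({"ap-clerk", "ap-approver"})]


@dataclass
class AccessRequest:
    requester: str
    subject: str
    role: str
    status: str = "pending"
    trail: list = field(default_factory=list)  # audit trail for reporting/attestation


class Provisioner:
    def __init__(self, managers):
        self.managers = managers  # subject uid -> approving manager uid (assumed model)
        self.roles = {}           # subject uid -> set of granted roles

    def request(self, requester, subject, role):
        """Open a request; policy (SoD) is evaluated before anyone is asked to approve."""
        req = AccessRequest(requester, subject, role)
        if role not in ROLE_ENTITLEMENTS or subject not in self.managers:
            req.status = "rejected"
            req.trail.append("unknown role or no manager on file")
            return req
        held = self.roles.get(subject, set())
        for pair in SOD_CONFLICTS:
            if role in pair and (pair - {role}) & held:
                req.status = "rejected"
                req.trail.append(f"SoD conflict: {role} vs {sorted(pair - {role})}")
                return req
        req.trail.append(f"awaiting approval by {self.managers[subject]}")
        return req

    def approve(self, req, approver):
        """Only the subject's manager may approve; self-approval is refused."""
        if req.status != "pending":
            raise ValueError(f"request is {req.status}, not pending")
        if approver == req.subject or approver != self.managers.get(req.subject):
            req.trail.append(f"approval by {approver} refused: not the subject's manager")
            return req
        self.roles.setdefault(req.subject, set()).add(req.role)
        req.status = "granted"
        req.trail.append(f"approved by {approver}; granted {sorted(ROLE_ENTITLEMENTS[req.role])}")
        return req

    def entitlements(self, subject):
        """Effective entitlements are derived from roles, never assigned directly."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles.get(subject, ())))


if __name__ == "__main__":
    adds, changes, deletes = plan_sync(HR_EXPORT, DIRECTORY, HR_TO_DIR,
                                       keep=lambda r: r["status"] == "active")
    print("sync adds/changes/deletes:", [a["uid"] for a in adds],
          [c["uid"] for c in changes], [d["uid"] for d in deletes])
    p = Provisioner({"e100": "e200", "e101": "e200"})
    clerk = p.approve(p.request("e100", "e100", "ap-clerk"), "e200")
    conflict = p.request("e100", "e100", "ap-approver")
    print(clerk.status, clerk.trail)
    print(conflict.status, conflict.trail)
```

Note what each side cannot do. The sync plan will delete an account the moment its row leaves the HR export, with nobody asked, which is exactly why the source directory has to be trustworthy. The provisioner never touches an entitlement without a policy pass and an approval, and it keeps a trail for later reporting, but it has no notion of keeping two schemas aligned. In practice the two are chained: synchronization feeds a clean authoritative repository, and provisioning consumes the adds, changes and deletes it produces.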
In some work I had done at Fortune 5 a couple of years back, managing directories was cumbersome. They ended up actually building their own directory synch application between each business unit and a master directory. The aim of this was to centralize a user repository across 500K people that was very segmented and changed frequently. They then used their IdM solution to help herd the cats twice a day and capture the adds/changes/deletions across the enterprise, deprovision the deletes, and run the adds through the workflows.
The issue in all of this, at least in my experience, is that the IdM solutions and a lot of other apps are dependent upon clean or clean-enough directories. The cleaner they are, the better things will work as IdM is implemented.
This is a fine line that very few people, even those in charge of access-provisioning departments, understand.
I hope that in your future postings, you can provide some more input on access provisioning and access management from the business and technical perspectives.
Dr B.