Ask Dr. K: Directory Synchronization Vs. Provisioning

Inspired by the Daimler-Chrysler series of ads around the enigmatic Dr. Z, I am starting a new series in my blog called “Ask Dr. K” (you’ll find a link to that section on the right under Site Navigation). This is also a play on the fact that some of my colleagues mockingly refer to me as Dr. K around the office (presumably more to do with my constantly espousing IdM around the office, and less to do with any real claim to solve problems that I can make).

In this series, I will posting answers to some of the more interesting questions that are coming my way, both from within Oracle and externally. If you would like to ask a question, send it my way by emailing me.

The first question in the series is an interesting one posed by one of our guys on an internal mailing list, trying to make sense of the myriad of IdM products we have here at Oracle.

It seems like there is a fine line between how one defines directory synch. and provisioning. Provisioning seems more rules and mapping based while plain synch. (i.e. DIP or other metadirectory engines) appears to be more of a one to one activity with less intelligence and no workflow. I’d like to hear everyone’s thoughts on this.

Dr. K says:
On the surface, there seems to be quite a bit of overlap between the two. After all, the primary function of both systems is to move around data. The main difference that I see is that directory synchronization is an IT solution, while provisioning is a business solution.

Directory synchronization can be viewed as a loose way to link directories. It exchanges data between directories, providing various levels of integration and control. It can enable two directories to stay in sync by sharing information between them, or it can maintain data synchronization between a directory and some external data source (e.g. an HR System database). The focus is on the data, and it is usually practical only where the data and schemas of the two directories are similar, and data can be mastered in both. The rules and filters governing synchronization are usually technical in nature and can be applied to all of the data management platform.

Provisioning approaches this same problem from a business solution perspective. It provides human interface tools for requesting access, workflow capabilities, role-based decisions, and business and security policy management. It deals with ad-hoc situations, and supports a myriad of business capabilities like reporting, attestation and SoD management – capabilities that directory synchronization tools are not geared towards.

So, when trying to solve the business problems of identity management, go for a provisioning tool. When trying to solve a technical problem around data management, go for a directory synchronization tool.