About a month ago now I did a post about account reconciliation capabilities that I believed were necessary to make reconciliation practical. My post was triggered by a session I attended by IBM’s Stuart McIrvine, during which he answered a question about ways to correlate identities by saying it should be done based on common attributes.
At the time I pointed out that this seemed to be a big product gap, as a critical element is the ability to use pattern matching. Well, I received quite a bit of feedback on that, correcting Stuart’s (and by extension, mine) misconception. The fact is that ITIM does support pattern recognition.
Ian Yip wrote:
IBM Tivoli Identity Manager can handle the pattern recognition matching you
speak of. This is defined within the relevant adoption rules used for
Tim (no last name) sent me this comment:
ITIM does actually support the functionality you discuss in your article. As
well as the ‘shared attribute’ or alias type matching it also has a scripted
component which allows you to script any relationship you wish (regular
expression or otherwise).
In my view, this has revealed one of the dangers of trying to turn an industry conference session into a product pitch. The people who speak at conferences don’t have the time (and sometimes the hands-on knowledge) to provide a detailed and accurate representation of their products, causing this kind of confusion. Ian said it best:
I suppose this is what IBM gets for sending high level marketing types without
the deep product knowledge to speak at conferences. They sometimes get caught
out when answering questions 🙂
While these comments did correct my understanding, they also got me (and a few other folks) thinking. Is there another (better) way to do identity correlation, that is not based on common attributes or pattern matching? After all, administrators don’t always follow the correct patterns. Shekhar Jha also mused:
The way I would interpret this is that two separate set of people came up with
multiple ways (attribute matching, pattern matching)to solving the same problem
of hopefully being able to map 80% of the accounts (It would be interesting to
see a study published on how effective each of these techniques are). Well
exceptions are so common (is that an oxymoron?) that all the provisioning
product have to deal with them in some way or the other.
So, does anyone know of any better ways to deal with this problem? One of our customers, Toyota Financial Services, came up with an innovative self-service account claiming mechanism that has worked very well in their environment. I believe some of the other provisioning products out there actually support this mechanism out of the box (this capability will be productized in Oracle Identity Manager in an upcoming release; the TFS implementation was customized solution). Are there other ways that are some combination of technology and process? Let me know.