It's identity management that counts

Directories are just a piece of the identity management puzzle, say network managers, and can't be considered on their own. Andrea Malcolm pieces it all together.

Simply writing about directories, the best known of which are Novell’s eDirectory and Microsoft’s Active Directory, wouldn’t be that useful to anyone, maintains Auckland University enterprise architecture manager Tim Chaffe.

Directories are a way of simplifying network management, easing the tasks of adding users and changing access rights whilst conferring some nifty benefits like a single sign-on system. They must be seen in context with other technologies such as identity management, web services, XML and enterprise application integration, says Chaffe.

Ultimately, in conjunction with those other parts, directories go to the heart of letting employees, customers and partners use your systems to do business in the most convenient way possible.

This evolution in the thinking around directories is evident at Auckland University where Chaffe, who came on board four months ago, is completing phase one of a rollout of Microsoft’s Active Directory. When the project kicked off two years ago, the stated aims were to provide common authentication for multiple databases encompassing more than 200,000 names, and simplify management of the nearly 70 Windows NT 4.0 domains that had sprouted. It was also part of the university’s migration to Windows 2000.

It was important to ensure Active Directory could integrate with Peoplesoft’s technology, which runs the university’s HR, payroll and student administration systems. At the time interfaces between the two had very little documentation. About halfway through, the project was paused while the university reviewed what it was doing and realised more work was needed telling end users about why it was being done and what they’d get out of it. The university now has common authentication across systems but the project is no longer just a directory rollout.

The focus is on something that directories support: identity management, says Chaffe. As you’d expect, the focus is on people, primarily staff and students. The university has a clear view of the diverse range of relationships it has with individuals it calls “Campus Community”. Relationships exist between individuals and the core administrative IT systems as well as the faculty systems providing services such as labs and online learning. The key to an individual being able to use a service is defining who they are and what they can do, says Chaffe.

“The challenge is that we’ve got the individual with ID, password, contact details, relationships with the university — what kind of courses they do, what faculties, whether they’re student or staff — and everyone in the university would like access to that information.” Chaffe says many people see this as a directory problem and slap a directory in the middle, populate it and let all other systems run off it. “But the problem is how do you manage identity?”

He says identity management should provide:

  • Authentication, the ability to verify who an individual is. “This is not just single sign-on,” says Chaffe.
  • Authorisation, which ensures that once the environment knows who you are it can find out what you’re allowed to do.
  • Policy, whereby the environment must decide when and why you’re allowed to do it and control access to that.
  • Synchronisation or replication of information.
  • Password management, in which not all systems can access a common password repository. You have to propagate the passwords across systems. Single sign-on can be hard to achieve. Common passwords across systems is easier. The ability to support multiple security realms is useful.
  • Data mastering, whereby once you start to replicate information you need to be sure which systems are mastering that information. Those systems own the update of that data.
  • Data transformation, in which not all systems have the same view of information and to exchange information between these systems some form of interpretation/translation is necessary.

Chaffe says Active Directory has been activated at the university as an enterprise services directory as well as a quasi-network operating system. This directory provides domain name services to some faculties, authentication services to various systems such as CECIL (a management studies teaching system) and the virtual private network, and provides authentication and group information to other systems. It provides role information for the university’s portal and domain trust relationships for Windows NT 4.0 environments.

“Users aren’t created in Active Directory,” says Chaffe. “They come from an upstream database which holds all the information about each individual.” This is the university’s Peoplesoft environment. Information from Peoplesoft is synchronised into Active Directory so downstream applications such as CECIL, laboratory accounts, email and online learning can use it.

“This means the Peoplesoft system becomes very powerful and there is a reduction in workload because you don’t have people handling individuals’ identities twice.”
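The flow Chaffe describes, an upstream HR system that masters identity data and a directory that is only ever written by the sync and read by everything else, as an added example in Python. This is illustrative code written for this article, not the university’s, PeopleSoft’s or Microsoft’s; the field names, group names and the dict used to stand in for the directory are assumptions, and the sample HR feed and directory snapshot are constructed. It shows four of the pieces from the list above in one place: data mastering (HR wins for the attributes it owns, local attributes are never touched), data transformation (HR fields become directory attributes and role groups), synchronisation (an idempotent change plan), and deprovisioning by disabling rather than deleting.

```python
"""One-way provisioning sync from an HR system of record into a directory.
Added illustration for this article, not code from the university or any
vendor. Field/group names are assumptions; the sample data is constructed."""

import copy

# Attributes HR masters in the directory. Anything else on an entry (phone
# number, locally assigned groups) belongs to the directory admins.
MANAGED_ATTRS = ("givenName", "sn", "enabled")


def is_role_group(group):
    """Role groups are derived from HR; every other group is local."""
    return group in ("staff", "students") or group.startswith("faculty-")


def desired_state(hr):
    """Data transformation: map an HR record to the attributes HR owns."""
    active = hr["status"] == "active"
    roles = set()
    if active:  # leavers keep no role groups, so a mistaken re-enable grants nothing
        roles = {"staff" if hr["affiliation"] == "staff" else "students",
                 "faculty-" + hr["faculty"].lower()}
    return {"givenName": hr["given"], "sn": hr["surname"],
            "enabled": active, "roles": roles}


def login_name(hr, taken):
    """Derive a login on first provisioning only: re-deriving it on a name
    change would break every downstream system keyed on the login."""
    base = (hr["given"][0] + hr["surname"]).lower()
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def plan_sync(hr_feed, directory):
    """Return (op, login, attrs) changes that make the directory agree with
    HR on the managed attributes. Idempotent on an in-sync directory."""
    ops = []
    by_eid = {e["employeeID"]: login for login, e in directory.items()
              if e.get("employeeID")}
    taken, seen = set(directory), set()
    for hr in hr_feed:
        eid = hr["person_id"]
        seen.add(eid)
        want = desired_state(hr)
        login = by_eid.get(eid)
        if login is None:
            if not want["enabled"]:
                continue  # never create an account for someone who has already left
            login = login_name(hr, taken)
            taken.add(login)
            ops.append(("add", login, {
                "employeeID": eid, "givenName": want["givenName"],
                "sn": want["sn"], "enabled": True, "memberOf": want["roles"]}))
            continue
        cur = directory[login]
        changes = {k: want[k] for k in MANAGED_ATTRS if cur.get(k) != want[k]}
        cur_roles = {g for g in cur["memberOf"] if is_role_group(g)}
        if cur_roles != want["roles"]:
            # replace only the role groups; local groups survive untouched
            changes["memberOf"] = (cur["memberOf"] - cur_roles) | want["roles"]
        if changes:
            ops.append(("modify", login, changes))
    # A managed entry absent from the feed is flagged, not disabled: a broken
    # or partial HR extract must not lock out the whole campus.
    for eid, login in by_eid.items():
        if eid not in seen:
            ops.append(("review", login, {"reason": "employeeID missing from HR feed"}))
    return ops


def apply_plan(directory, ops):
    """Apply a plan to a copy of the directory snapshot and return the copy."""
    directory = copy.deepcopy(directory)
    for op, login, attrs in ops:
        if op == "add":
            directory[login] = dict(attrs)
        elif op == "modify":
            directory[login].update(attrs)
    return directory


# Constructed sample data: HR feed (system of record) and directory snapshot.
HR_FIELDS = ("person_id", "given", "surname", "status", "affiliation", "faculty")
HR_FEED = [dict(zip(HR_FIELDS, row)) for row in [
    ("1001", "Ana", "Reid", "active", "staff", "Science"),   # first name corrected in HR
    ("1002", "Ben", "Ng", "active", "student", "Business"),  # new starter
    ("1003", "Cy", "Ha", "left", "staff", "Arts"),           # leaver
    ("1004", "Di", "Lee", "left", "student", "Law"),         # left before getting an account
    ("1006", "Bob", "Ng", "active", "student", "Business"),  # login collides with Ben Ng
]]
DIRECTORY = {
    "areid": {"employeeID": "1001", "givenName": "Anna", "sn": "Reid", "enabled": True,
              "memberOf": {"staff", "vpn-users"}, "telephoneNumber": "x1234"},
    "cha": {"employeeID": "1003", "givenName": "Cy", "sn": "Ha", "enabled": True,
            "memberOf": {"staff", "faculty-arts", "cecil-admins"}},
    "ereed": {"employeeID": "1005", "givenName": "Ed", "sn": "Reed", "enabled": True,
              "memberOf": {"staff"}},  # managed entry missing from this HR extract
    "svc-backup": {"employeeID": None, "enabled": True, "memberOf": {"backup-operators"}},
}

if __name__ == "__main__":
    print(*plan_sync(HR_FEED, DIRECTORY), sep="\n")
```

Running the plan against the constructed snapshot produces one modify for Ana Reid (name corrected, faculty group added, her local `vpn-users` group and phone number left alone), an add for Ben Ng, a disable for Cy Ha that also strips his role groups, a second add for Bob Ng that lands on `bng2` because `bng` is now taken, and a review item for the entry HR no longer knows about. The service account with no `employeeID` is outside the sync’s scope entirely, which is the practical meaning of “users aren’t created in Active Directory”: the directory still holds things HR does not master, and the sync must know which attributes and entries are not its to change.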

Chaffe is adamant that you shouldn’t enter information directly into the directory. “I think guys pushing the directory as the main repository for information are wrong. An enterprise directory is an aggregation of information from different places that’s presented in a consumable format. Directories aren’t very good at replacing databases. A lot of people got confused and thought they could shove anything into a directory. Directories are very strong on reading but poor on updates.

“Directory vendors have tried to make directory services provide some of this stuff, but it’s a bit back to front. Vendors said we can use this technology to do x, y and z and then marketing took over. Now the industry is saying it’s not about directories. It’s all about identity management. Directory services are becoming more the repositories for security information.”

In fact, “directory” is fast becoming an overused term, says Chaffe. He relates how a CTO in the US was talking about putting all the company’s control information for network devices into a directory.

“The directory model is hierarchical whereas the application or object model is much more complex. I said to him, ‘Those are very complex relationships to be putting in a directory’ and he said, ‘No, actually we’re putting that information in a database and then we’ll publish to the directory’.

“What are called directories today are actually more than directories. They are becoming like fully-fledged systems for managing things. The whole concept behind directories has a varied background and directories have always been looking for a place to be used.”

Originally directories came out of the context of telephone directories. The first major computing directory standard was X.500, which was created and defined in the classic telecommunications mode; the LDAP (Lightweight Directory Access Protocol) standard evolved out of it. The likes of Microsoft’s Active Directory and Novell’s eDirectory are more like network operating systems (NOS), says Chaffe. “The NOS controls users and machines, and does desktop management. It’s all to do with management of various vendors’ software and equipment.

“The enterprise directory is to do with common user information and attributes across the organisation. It’s more about information and less about control. For example, Microsoft and Novell use the directory to create a PC and user management solution. The original directory specification was a repository for putting information in.”

So network managers have to look at other technologies such as web services and enterprise application integration to provide other parts of the identity management solution, Chaffe argues. “Web services and EAI [enterprise application integration] technologies are like a superset of directory technology. They’re about taking disparate systems and creating a hub or central workflow/management environment.

“Most businesses tend to think about customers and employees differently. At the university we’re lucky in that we tend to see them as the same. Businesses usually have employees in a directory and customers in databases. Usually you have to spend loads of money trying to integrate those systems and this is where EAI comes in. The problem it’s trying to solve is how do you manage a single view of the customer across all systems? EAI and identity management are coming together.”

Chaffe says customer self-service is driving all this and the crux is managing the customer’s identity.

“If you just put in a directory without thinking about what you’re trying to solve, you’ll fail. The business problem is the management of identity throughout the organisation.

“If you are able to identify your customers and control the way your customer accesses services, you’re in a very strong position in the market.”
