IdM

Identity Management Architecture

IdM
Enterprise Directory Architecture (Tom Barton)

eduPerson changed to AUX type objectClass

IdM
Educause has decided to make the eduPerson objectClass an AUX type. It was formerly STRUCT. This allows for flexibility in implementing eduPerson. Educause recommends using person, organizationalPerson, and inetOrgPerson as the structural objectClasses. This document discusses the relationship.

Privilege Management

Authorization | IdM

A new Internet2 Middleware group, MACE - Signet, has been formed to come up with solutions surrounding a privilege management service.

A privilege management service is a key component of campus middleware that provides for central management of user privileges across a range of applications. Benefits include a standard user interface for privilege administrators, consistent simplified policy definition, interfaces to other infrastructure services and to application systems to support integration. Deploying and taking full advantage of a privilege management service has a number of technical and organizational prerequisites, based on some campus experiences with such deployment.

They are working on a Privilege Management Recipe. Nice to see some more movement in this part of Identity Management.

Early Lessons of Identity Management Implementations

IdM
Lessons Learned: Planning for Identity Management. 8 Quick Lessons on Identity Management initiatives, originally from the Meta Group.

Approaching Identity Management

IdM | WorkBlog

The latest Information Week (March 15, 2004) has a significant article on The Need For Identity Management. The article inspired me to start documenting APU's need for further pursuing an Identity Management (IdM) strategy. However, the article in Information Week had some interesting points of discussion.

The promise of Identity Management is to improve security, boost worker productivity, cut costs, and reduce the "integration friction" usually connected with giving employees, business partners, customers, and suppliers access to internal systems. The process starts internally, but the long-term objective is clear: Build a series of interconnected systems so an employee logged on to his company's intranet can access a business partner's systems and have those systems automatically trust the employee's digital credentials. The way to do this is through standards. This perspective of cross-organizational authorization is called Federated Identity Management. Dan Blum of the Burton Group has a good definition for federation: "standards and agreements that make identity and entitlements portable across autonomous domains".

The Need For Identity Management

IdM

Identity Management (IdM) is a long-standing initiative in many organizations. APU's own Transparency Project was our first leap into this space, attempting to aggregate user management on several servers and services by deploying LDAP and giving our users a single set of credentials for most services. Married with the project were changes to the network and the deployment of our first portal to integrate access and interfaces to the most-used services. Some of the more advanced parts of IdM, such as provisioning (the automatic creation of accounts and services across multiple systems from a single interface or transaction), were moderately achieved with simple scripts.

Identity Management

IdM

Identity Management starts with the business valuation of viewing person information as a valuable resource. It therefore seeks to maintain person information in a secure, yet universally accessible person registry, so that permitted people and applications within and beyond the organization can make use of the data. Identity Management (IdM) includes the business processes, policies, and technologies necessary to leverage person information to enable the Virtual Enterprise.

IMT is greatly in need of a comprehensive Identity Management Initiative to address the complete Identity Life-cycle of our constituents. Knowing who our customers are, even as they change affiliations with the University over time, is essential to the success of our self-service initiatives. Furthermore, proper management of groups as they are reflected by the business processes of the university, as well as the grouping of customers by activity, is critical to enabling collaboration and knowledge management. This is the problem with IdM and other middleware efforts: they are the foundation on which so many other more visible initiatives depend, e-business, Enterprise Content Management (ECM), and distance education to name a few, but are hard to appreciate as adding business value independently of such projects. So perhaps APU should continue to make advances with IdM as attached to other projects which demand it, but perhaps a focused initiative will be required to address the business process change in how we manage our most critical data set, our people.
