Make a deployment plan

Last modified 10 Dec 2025 13:59 +01:00

Now that you have a rough idea of what an IGA project is about, it is time to make a plan.

Before you involve a broader spectrum of people in your organization, devise a rough idea of what you want to achieve and how it helps your organization.

  • Assess your resources, capabilities and goals.

  • Set your target.

  • Determine whether the project is feasible.

  • Make a rough plan.

  • Get long-term support from management.

  • Secure budget.

Prepare a pitch-talk to explain clearly why it is a good idea to implement an IGA solution and why midPoint is your solution of choice.

The sections below contain guidance on how to select your advisory team, what questions to ask, and what to take care of.

Pick the team members

Start with a brainstorming kick-off meeting. Bring together all the people in your organization who are interested in identity management. This does not have to be a formal team. The project is not yet formally established anyway.

Here are some tips on whom to invite:

  • A senior IT engineer or architect. Identity management is related to many different areas. You need someone who can see the big picture and understands IT.

  • An administrator of a critical IT system with which you want to integrate midPoint.

  • A member of HR familiar with HR practices. Usually, the HR information system will be your information source, so you need someone who can help you assess the impact of the HR practices on the IGA project.

  • A security professional. Identity management and governance is closely related to information security. There may be policies, limits, and goals given by the company security policy that you need to consider in your plans.

In smaller organizations, this can be a meeting of just a couple of people over coffee. It could be a series of meetings. Do whatever suits the culture of your organization the best.

Topics for discussion

Here is a list of topics you should discuss with your team. You probably will not have all the answers after the first session. That is OK. It is important to know that these questions are there to be answered eventually. The sooner you find the answers, the faster you will progress.

What are your data sources?

A data source is a system you can consider authoritative and from which you can pull data into midPoint.

You probably have many systems with identity data, but only some can be considered authoritative. The HR information system (HRIS) is likely your first choice because its data usually are mostly correct and authoritative.

In this guide, we use a simple resource that exports CSV files to act as an HR system.

Do you have other reliable source systems? If so, could their data be in conflict?

For example, one system might say that an employee’s name is "John," while another system says it is "Johannes."

In that case, which system do you trust?

Questions regarding data handling

  • How do you add records about new employees?

  • What happens with data of former employees?

    • Are the records deleted?

    • Do you keep them marked as inactive?

    • Do you only set a layoff date?

  • What is the unique identifier of each HR record?

    • Is it guaranteed to be unique?

    • Do all your systems share the identifier?

  • What happens if a former employee comes back to the organization? Do you start over with a new ID or can you reuse the old records?

Ask the HR department for some sample data to ensure the data formats work for you.

If you can, request a few sample data exports (such as daily or weekly ones) to see trends in the data, for example, whether the exports include former employees, what the approximate number of changes per period is, and so on.
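One way to answer these questions from two sample exports, shown as an added example that is not part of the midPoint guide. The column names (empnum, status) and the sample rows are constructed assumptions; adjust them to what your HR system actually exports.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real HR data); column names are assumptions.
EXPORT_WEEK1 = """empnum,firstname,surname,status
1001,John,Smith,active
1002,Alice,Novak,active
1003,Peter,Kral,active
1003,Petr,Kral,active
"""
EXPORT_WEEK2 = """empnum,firstname,surname,status
1001,Johannes,Smith,active
1002,Alice,Novak,inactive
1004,Eva,Horvat,active
"""

def load(text, key="empnum"):
    """Return (records keyed by identifier, identifiers that are empty or repeated)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    counts = Counter(r[key].strip() for r in rows)
    dupes = sorted(k for k, n in counts.items() if n > 1 or not k)
    records = {r[key].strip(): r for r in rows}  # on a duplicate, the last row wins
    return records, dupes

def compare(old_text, new_text, key="empnum"):
    """Summarise what changed between an older and a newer export."""
    old, old_dupes = load(old_text, key)
    new, new_dupes = load(new_text, key)
    changed = {}
    for k in old.keys() & new.keys():
        diff = sorted(f for f in new[k] if old[k].get(f) != new[k][f])
        if diff:
            changed[k] = diff
    return {
        "duplicate_ids": sorted(set(old_dupes) | set(new_dupes)),
        "added": sorted(new.keys() - old.keys()),
        # Records that vanished: the export deletes leavers instead of flagging them.
        "missing": sorted(old.keys() - new.keys()),
        "changed": changed,
        # Records kept but marked inactive: the export retains former employees.
        "inactive_kept": sorted(k for k, r in new.items() if r.get("status") == "inactive"),
    }

if __name__ == "__main__":
    for name, value in compare(EXPORT_WEEK1, EXPORT_WEEK2).items():
        print(f"{name}: {value}")
```

A non-empty duplicate_ids list means the identifier is not safe to use for linking accounts until HR resolves it; missing and inactive_kept together show how the export treats former employees.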

What are your data targets?

As opposed to data sources, data targets are systems that hold identity data but are not authoritative. Your goal is to push data from midPoint to the target systems to ensure identity data consistency.

The usual setup is that you mostly write to target systems and use the authoritative source systems to overwrite any conflicting data on targets. Of course, this depends on your situation. A system may be both a source and a target. You will see further down the line how to temporarily use a target system as a source for selected attributes.

In this guide, we simulate an Active Directory (AD) server using an LDAP server and use that as a target resource.

Whatever target systems you have, discuss their internal data structure with their administrators so that you know what you are going to work with in midPoint.

For example, in the case of an Active Directory or LDAP server:

  • How are users distributed among organizational units?

  • How are usernames created?

    • What is the convention for generating usernames?

    • Any exceptions to this convention?

  • Is there a reliable unique identifier of user accounts?

    • Maybe an employee number, the same as in the source system?

Look at the live target resource data, select a few samples (such as your own account), and assess the situation. Then, compare the sample with the same account in the HRIS. This will help you see the common attributes and figure out how to connect the accounts.

Discuss other data targets. What other systems would you like to connect to your identity management deployment in the future? Consider just the big picture for now. You don’t need to go into all the details. Just roughly set the scope, listing and prioritizing the systems. Although this step is completely optional, it helps a lot with planning and budgeting.

How much security do you require?

What security measures do you need to implement? Discuss the limitations, requirements, and wishes given by your information security authorities.

It is important to distinguish requirements and wishes.

Your security official will likely give you a long list of hard requirements that must be implemented right now. That is understandable and all right. However, in this phase, it is important that you do not get distracted by theoretical discussions of information security.

You are undergoing this IGA project to improve real security, clean up your data, and automate processes, not to implement a false sense of security on data that are wrong and insecure anyway. Discuss the practice, the current state, the day-to-day reality. Be honest with yourself.

Hear the long-term requirements, make a plan to address them, and focus on what’s non-negotiable and possible to implement right now. The rest comes later.

Plan your budget

Discuss resources, timing, and a rough plan.

Keep your plan realistic. Identity management requires:

  • Systematic approach

  • Time

  • Money

  • A lot of patience

Too many projects have failed due to unrealistic plans and expectations.

Set modest goals that you can achieve in a few weeks. Start by connecting your first source and target systems to get first results in days. Then proceed in iterations, delivering improvements every few weeks.

Discuss who will lead the project, who needs to be involved, and what other resources you need.

And most importantly, prepare for a long run. This project does not have specific start and end dates. It will be with you from now to eternity.

Last but certainly not least, discuss money.

You will need money, even if you plan to do most of the work internally. You will need training, assistance and support.

Plan for recurring budget

Having a modest budget every year can lead to a successful IGA program. Having a generous budget for the first year and no budget after that is a certain way to an expensive failure.

Get a buy-in from your management

Once you develop a rough plan and estimates regarding required money and time, go talk to your management. It is crucial to get their buy-in, get them to believe that your IGA mission is meaningful and that it makes sense to invest money in it.

Do not oversell and exaggerate. Provide an honest plan and estimates, and set realistic expectations. Identity management is a long run, and any kind of hype or exaggeration is very likely to backfire in the future. Get a green light for a long program, not just for a short project.

And with that, you are ready to go.
