
March 15, 2007 Archives

March 15, 2007

Follow up on RSA Conf. Notes: IBM TIM does support pattern recognition

About a month ago now I did a post about account reconciliation capabilities that I believed were necessary to make reconciliation practical. My post was triggered by a session I attended by IBM's Stuart McIrvine, during which he answered a question about ways to correlate identities by saying it should be done based on common attributes.

At the time I pointed out that this seemed to be a big product gap, as a critical element is the ability to use pattern matching. Well, I received quite a bit of feedback on that, correcting Stuart's (and, by extension, my) misconception. The fact is that ITIM does support pattern recognition.

Ian Yip wrote:

IBM Tivoli Identity Manager can handle the pattern recognition matching you
speak of. This is defined within the relevant adoption rules used for
reconciliation.


Tim (no last name) sent me this comment:
ITIM does actually support the functionality you discuss in your article. As
well as the 'shared attribute' or alias type matching it also has a scripted
component which allows you to script any relationship you wish (regular
expression or otherwise).

In my view, this has revealed one of the dangers of trying to turn an industry conference session into a product pitch. The people who speak at conferences don't have the time (and sometimes the hands-on knowledge) to provide a detailed and accurate representation of their products, causing this kind of confusion. Ian said it best:
I suppose this is what IBM gets for sending high level marketing types without
the deep product knowledge to speak at conferences. They sometimes get caught
out when answering questions :-)


While these comments did correct my understanding, they also got me (and a few other folks) thinking. Is there another (better) way to do identity correlation, that is not based on common attributes or pattern matching? After all, administrators don't always follow the correct patterns. Shekhar Jha also mused:
The way I would interpret this is that two separate sets of people came up with
multiple ways (attribute matching, pattern matching) to solve the same problem
of hopefully being able to map 80% of the accounts (It would be interesting to
see a study published on how effective each of these techniques is). Well,
exceptions are so common (is that an oxymoron?) that all the provisioning
products have to deal with them in some way or the other.

So, does anyone know of any better ways to deal with this problem? One of our customers, Toyota Financial Services, came up with an innovative self-service account claiming mechanism that has worked very well in their environment. I believe some of the other provisioning products out there actually support this mechanism out of the box (this capability will be productized in Oracle Identity Manager in an upcoming release; the TFS implementation was a customized solution). Are there other ways that are some combination of technology and process? Let me know.
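To make the approaches discussed in this post concrete, here is an added example (not ITIM adoption-rule syntax and not code from any product) that correlates accounts by a shared attribute first, then by a naming pattern, and leaves everything else unlinked for manual review or self-service claiming. The sample identities and accounts, the `employee_id` attribute and the "first initial + last name" login convention are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from any real system).
IDENTITIES = [
    {"id": "E1001", "first": "Alice", "last": "Nguyen"},
    {"id": "E1002", "first": "Bob", "last": "Smith"},
    {"id": "E1003", "first": "Barbara", "last": "Smith"},
    {"id": "E1004", "first": "Carol", "last": "Diaz"},
]
ACCOUNTS = [
    {"login": "alice.n", "employee_id": "E1001"},   # off-pattern login, shared attribute set
    {"login": "cdiaz", "employee_id": None},        # follows the naming pattern
    {"login": "bsmith2", "employee_id": None},      # pattern fits two people
    {"login": "svc_backup", "employee_id": None},   # follows no pattern
    {"login": "jdoe", "employee_id": "E9999"},      # attribute points at nobody
]

# Assumed convention: first initial + last name, optional numeric suffix.
LOGIN_RE = re.compile(r"^([a-z]+?)\d*$")

def correlate(identities, accounts):
    """Return accounts split into matched, ambiguous and orphan buckets."""
    known_ids = {i["id"] for i in identities}
    by_login = defaultdict(list)
    for i in identities:
        by_login[(i["first"][0] + i["last"]).lower()].append(i["id"])
    result = {"matched": {}, "ambiguous": {}, "orphans": []}
    for acct in accounts:
        login = acct["login"].lower()
        # Tier 1: common attribute, accepted only if it names a known identity.
        if acct["employee_id"] in known_ids:
            result["matched"][login] = (acct["employee_id"], "attribute")
            continue
        # Tier 2: naming pattern, accepted only if exactly one person fits.
        m = LOGIN_RE.match(login)
        candidates = by_login.get(m.group(1), []) if m else []
        if len(candidates) == 1:
            result["matched"][login] = (candidates[0], "pattern")
        elif candidates:
            result["ambiguous"][login] = sorted(candidates)  # never auto-link
        else:
            result["orphans"].append(login)  # review or claim queue
    return result

if __name__ == "__main__":
    for bucket, value in correlate(IDENTITIES, ACCOUNTS).items():
        print(bucket, value)
```

Only two of the five constructed accounts link automatically; the ambiguous and orphan buckets are the exceptions that need a process such as account claiming.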

Help debug my blog :)

By the way, it seems that there are some issues with features and controls on my blog. Thanks to a number of emails from readers, I realized a while ago that my post archive has not been working. Also, it seems that the comments people posted to my blog are not being handled correctly. I put in place a control that said only the comments I approve should show up. This is primarily because a number of comments I receive are intended by the poster as a private request for information or guidance, and I get quite a bit of spam as well. However, it seems that the approved comments are not showing up as links, but can be found if you search for them. Worse, comments that I haven't approved show up if you search for them. So I have some housecleaning to do.

If you know of any other issues with my blog, let me know. There may be some kinks in the system that need to be worked out. And unlike my personal blog which I control, this one is a corporate IT system, so fixing things takes time.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle.

About March 2007

This page contains all entries posted to Talking Identity in March 2007. They are listed from oldest to newest.
