Released: Identity Manager 8.0
By Sean ONeill on Jun 16, 2008
Was told to hang on until the press releases went out, but here it is on the public website: Sun's industry leading Identity Manager 8.0 has been released. You can read about it here, you can download it here (yes, download. Can you do that with Oracle or IBM?), and you can read all the documentation you want from here.
So, what's new.
Roles, that's what.
And Data Exporting.
And additional resources supported.
Will be blogging about these features and other information from the release notes in the coming weeks. Don't want this to become a marketing shout out blog, because the intended purpose of this is to discuss identity projects and problems, not product features. But sometimes these new features help with the delivery of identity projects.
So what's new in 8.0 and why is it important to me? First off is role management. Identity Manager had the concept of a role in it, but at a basic level. An administrator could group a series of entitlements together and give it a role name. Then the role could be assigned to an organization node and thus have some owner be responsible for it.
But it was never really a solid role management approach. Our engineers have worked long under the hood to create a more generic object type and give roles a life (think Dr. Frankenstein: "it's al-i-v-e"). Roles now behave like UserObjects - they are created, they are approved, they have an owner, they can be modified, they can be audited, they can be scheduled, and they can be deactivated.
Identity Manager 8.0 also defines two types of roles: the traditional IT role, where the role gives entitlements on specific resources (this is the traditional IdM role), and business roles, which are aggregations of IT roles. Business roles carry no entitlements of their own, but they help business users understand what a group of entitlements does.
Quick example: The role of employee identifies me as an employee, but does not really tell the world what I can do as an employee. But the "employee" role could have the IT roles of email user, phone account holder, and medical insurance account. Each of these "IT" roles has specific entitlements that give the user capabilities. They can even change based on other criteria, such as location. An employee in England or Taiwan is still an employee, but will have different IT roles compatible with their local systems.
One way to think of it is an egg carton analogy. IT roles are gathered together into a business role (an egg) and the user account is an egg carton, collecting eggs. An employee account might include "employee", "Sales Manager", "Equity owner", and "Project X Lead", each of which a non-technical business person can understand in plain language. You then peel back the business roles to get to the underlying IT capabilities.
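To make the two role types concrete, here is an added model of business roles aggregating IT roles (example code written for this post, not Sun's implementation). The role names, resources and locations are constructed; the point is that every entitlement a user ends up with can be traced back through a business role to the IT role that granted it, and that deactivated or location-mismatched IT roles grant nothing.

```python
# Added illustration (not Sun IdM code) of IdM 8.0's two role types: business
# roles aggregate IT roles; only IT roles carry entitlements on resources.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass
class ITRole:
    name: str
    entitlements: Dict[str, Set[str]]        # resource -> entitlements granted
    locations: FrozenSet[str] = frozenset()  # empty = applies everywhere
    active: bool = True                      # roles can be deactivated

@dataclass
class BusinessRole:
    name: str
    it_roles: List[ITRole]                   # no entitlements of its own
    active: bool = True

@dataclass
class UserAccount:                           # the "egg carton"
    name: str
    location: str
    business_roles: List[BusinessRole]

def resolve_entitlements(user: UserAccount) -> Dict[Tuple[str, str], Set[Tuple[str, str]]]:
    """(resource, entitlement) -> {(business role, IT role), ...} that grant it."""
    grants: Dict[Tuple[str, str], Set[Tuple[str, str]]] = {}
    for br in user.business_roles:
        if not br.active:
            continue                         # deactivated business role grants nothing
        for it in br.it_roles:
            if not it.active or (it.locations and user.location not in it.locations):
                continue                     # inactive, or not valid at this location
            for resource, ents in it.entitlements.items():
                for ent in ents:
                    grants.setdefault((resource, ent), set()).add((br.name, it.name))
    return grants

def explain(user: UserAccount, resource: str, entitlement: str) -> Set[Tuple[str, str]]:
    """Which role paths give this user the entitlement? Empty set means none."""
    return resolve_entitlements(user).get((resource, entitlement), set())

# Constructed sample data: one business role, location-specific IT roles
EMAIL = ITRole("email user", {"exchange": {"mailbox"}})
PHONE_UK = ITRole("phone account UK", {"pbx-uk": {"extension"}}, frozenset({"England"}))
PHONE_TW = ITRole("phone account TW", {"pbx-tw": {"extension"}}, frozenset({"Taiwan"}))
MEDICAL = ITRole("medical insurance", {"benefits": {"enrol"}}, active=False)
EMPLOYEE = BusinessRole("employee", [EMAIL, PHONE_UK, PHONE_TW, MEDICAL])
alice = UserAccount("alice", "England", [EMPLOYEE])
bob = UserAccount("bob", "Taiwan", [EMPLOYEE])
```

Running `explain(alice, "pbx-uk", "extension")` returns the path through "employee" and "phone account UK", while the same query for Bob in Taiwan returns nothing, which is the kind of answer an auditor wants when asking why an account holds a given entitlement.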
More on this going forward. But a quick sidebar: why did we buy Vaau? Is this role management from that acquisition? The answer is no; the acquisition of Vaau was completed after IdM 8.0's code was frozen for release. The two are still integrated via SPML and can work together as well as stand alone. The new Sun Role Manager (formerly RBACx from Vaau) will remain the tool of choice for full role architecture and management. But the new role management capabilities of IdM 8.0 may be sufficient for your project.
The other big new feature is the data exporter. One key feature of the Sun IdM architecture is the data-sparse "meta" nature of our user account repository. We don't carry all the data in the underlying database, which greatly simplifies account management because you don't have to worry about synchronicity across accounts (which of three locations has the right user email string?).
However, this data-sparse model limited the ability of the repository to help in historical auditing and data analysis. Without data, you can't really do any data analysis.
So, we have a new capability within IdM. You can now "snapshot" data while it is in flight to an exporting queue. Then an exporting task is executed to push the data into an external table or bean. From there, you can massage the data to your heart's content, and IdM's repository is not cluttered with vast quantities of data. We have even included a simple forensic reporter that can connect to this data and query it for answers. More on this later.
So, go download and start reviewing. We will bring more information in the coming weeks and go over the new features in detail.