Thursday Jan 14, 2010

2010 The Year of Entitlements

2010 opens with the Identity Management field steaming forward and starting to wrestle with entitlements management. This and the next few blogs will look at definitions, problem areas, and solutions emerging on the fine-grained entitlements front.


Wednesday Dec 16, 2009

Never Use Emails As A Unique Identifier

This blog could just be the title and that's it. Nuff said.

One recurring major mistake I see over and over again is the use of email as a way to track unique user accounts.

Seems like a good idea. When a new user is created, email is usually one of the first accounts they get provisioned. The email string is unique to the user, so why not use it as a way to identify user accounts across all systems? It's almost always a data element in the LDAP directory, so it's available across the network to any system looking to authenticate a user. Next thing you know, the ERP system uses it to track user accounts, the healthcare web site uses it, etc.

So what's the big deal?

The problem is twofold. First, by using a user's email account name, you are compromising the overall security of your domain. Give me your business card and I already have one half of your login sequence. Email account names are easy to guess, leaving one only to work out the password to gain access to many corporate systems.

And secondly, email account names may not be permanent. Names change when one gets married. Users may want mail aliases to use nicknames or variations. Or even bigger (and this one hits close to home at this current time), the name of the mail domain may change. If and when Sun gets acquired, every employee of Sun will most likely get a mail account in the domain. becomes All audit trails become much more complex because you have to track across multiple UserIDs to recreate a user's access.

So what is recommended? An employee number, preferably greater than six digits. Most HR systems assign each employee a unique number. The number is usually not easily known. And it stays the same when the employee gets married or changes their name. And it stays with the employee forever, even if they leave and then return later. Adding a few letters as well, say initials, would help ensure uniqueness across all identity domains.
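To make the audit-trail point concrete, here is an added example (not code from the original post) that logs the same events into a system keyed on a stable employee ID and into one keyed on email, then shows what an auditor can recover after a marriage and an acquisition change the address. The employee ID format, names, addresses and events are all constructed sample data.

```python
"""Added example, not code from the original post: audit records keyed on a
stable employee identifier survive the renames that break email-keyed
correlation. All names, addresses and events below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Employee:
    emp_id: str   # stable key: HR number plus initials (constructed format)
    email: str    # mutable attribute; never the key


@dataclass
class AuditLog:
    key_field: str                 # which Employee attribute this system keys on
    events: list = field(default_factory=list)

    def record(self, user: Employee, action: str) -> None:
        # Stamp the event with whichever identifier this system uses.
        self.events.append((getattr(user, self.key_field), action))

    def history(self, keys) -> list:
        # Rebuild a user's access trail from the set of identifiers known for them.
        return [action for key, action in self.events if key in keys]


def simulate_career(key_field: str) -> tuple:
    """Log three events into a system keyed on `key_field` while the user's
    email changes twice; return (log, current_user, every_email_ever_used)."""
    log = AuditLog(key_field)
    user = Employee(emp_id="0012345-JS", email="jane.smith@example.com")
    seen = {user.email}
    log.record(user, "login:erp")
    user.email = "jane.doe@example.com"        # name change after marriage
    seen.add(user.email)
    log.record(user, "login:healthcare-portal")
    user.email = "jane.doe@acquirer.example"   # mail domain changes after an acquisition
    seen.add(user.email)
    log.record(user, "login:erp")
    return log, user, seen


def trail_by_current_id(key_field: str) -> list:
    """What an auditor recovers knowing only the user's current identifier."""
    log, user, _ = simulate_career(key_field)
    return log.history({getattr(user, key_field)})


def trail_with_alias_history(key_field: str) -> list:
    """What it takes to recover the full trail: every identifier the user ever had."""
    log, user, past_emails = simulate_career(key_field)
    keys = past_emails if key_field == "email" else {user.emp_id}
    return log.history(keys)
```

With the employee ID as the key, the current identifier alone recovers all three events; with email as the key, it recovers only the last one, and the rest are reachable only if every historical address has been tracked.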

Monday Dec 07, 2009

Identity Crisis is Back Online

Identity Crisis is back online with some changes.

Monday May 12, 2008

You Can Be An Identity Hero

Hey, all.

Been busy getting up to speed on the upcoming Identity Manager 8.0 release and getting our ducks in a row with Sun Role Manager (the rebranded RBACx from the Vaau purchase). More on this later as we get closer to general release. Meanwhile, time for some fun. All work and no play makes Jack a dull boy.

As you know, this blog (IdentityCrisis) targets those of us out in the trenches working long hours, trying to make the clients happy and hit those deadlines. Time for a little fun.

Marketing sent out a plea for some viral blogging about a new online game they created to help make everyone more aware of Sun's Identity Software Products.

Say again?

A game about identity software packages? Must be lame. But let's check it out anyway.

Now I am not a big online gamer (Halo, all three on legendary, does make me a legend among my 16-year-old's friends) and the thought of an online game pushing software just made me roll my eyes skyward.

But I thought I would see how lame it would be.

Half an hour later I was still playing it. They actually did it. I am not on the leaderboard yet, but practice makes perfect. So if you want to take a break and give it a try, go to

The Sarbox dragons give me the most trouble.

Here's the blog from marketing showing more screenshots.

Take a break and go have some fun. Congratulations marketing, well done.


Sean ONeill
