Deploying Identity Manager in any organization is a bit complex and involves many things, and customers very often struggle to achieve a successful IdM (Identity Manager) deployment for various reasons. To me, an Identity Manager deployment is like eating a big elephant: do not try to eat the whole thing at once. Speaking as an experienced IdM senior architect, here are the top three things to remember for a successful IdM deployment.
1. Beat your own politics: We all know an identity management deployment is not as simple as most people think. It gets more complex because of legacy applications, business needs, complexity in the current process, and the number of applications that users need to be provisioned into and managed in. As you all know, it is more political than technical. As soon as the project starts, every application owner and team member starts thinking about how it is going to affect their own application, current process, ownership, job, etc. That's where the deployment team starts facing political difficulties. You can reduce these difficulties by having the project sponsor/owner explain the following to application owners.
- Necessity and importance of project.
- The need for an automated identity management system, shown by explaining the problems in the current process.
- More productivity from employees.
- Compliance with government audit policies, and the ability to find who has access to what.
- Fewer helpdesk calls for password resets/management and other user management issues.
- Why this is the right time to do it.
2. Phased deployment: Deploying IdM in a phased approach is most important for the success of the project. As soon as the project starts, every application owner wants their application's provisioning automated and integrated with IdM as soon as possible. It is not recommended to integrate all applications/resources with IdM in a single-phase deployment, but at the same time the scope of each phase should justify the IdM deployment by showing benefits to the business. Here are the key things to remember when defining the scope of each phase.
- Authoritative resources for both employees and contractors should be in Phase 1.
- Password management should be in Phase 1. It is a good business justification for the project because it saves a lot of money by reducing help-desk calls.
- Key application/resource (ex: Active Directory or Sun LDAP) should be in Phase.
- The scope of the next phase should be an extension of, or an addition to, the previous phase.
- Do not integrate more than 3 applications in each phase.
- Admin or end-user interface customization should be handled in a separate phase.
3. Deploy IdM the right way and the smart way: Follow all possible best practices to do it right. Application owners or administrators often want the IdM interface customized to resemble the current process, even though the IdM interface provides a better way of doing things. Do not try to implement a complex current process in the new IdM deployment. Also, try not to do a huge amount of customization to solve a very small problem in support of applications that are going to be deprecated or are going away soon. These are just samples; many more things like this will come up in an IdM deployment, so be careful when designing any end-user or admin interface customization.