Vaau, Roles and Identity
By steffo on Apr 10, 2008
The acquisition of Vaau enriches our identity portfolio by a role mining and management tool. Tried to figure out the main differences and areas of application between RBACx and Sun's Identity Manager. First of all, Vaau's RBACx (Sun Role Manager) is more a configurable tool rather than a programmable tool as for example Sun's Identity Manager. Programmable means that the configuration language includes things like IF THEN ELSE, WHILE loops. So Identity Manager can be applied to many areas and programmed as desired.
Role Manager is quite static compared to Identity Manager. It has its fixed area of application which is compliance and role management (including role mining). This makes it more a management tool rather than an administration tool. Role Manager can talk to Identity Manager via SPML. So you can drag out all user data from Identity Manager and import it via SPML into Role Manager.
Which tool to start with? Apart from that there is no 'one size fits all' when it comes to enterprise apps, I would recommend to start with a privisioning tool which (IDM). First, you need data cleansing
- find out stale data (accounts, attributes etc)
- check for compliance violations, segregation of duties
Both tasks can be done with Identity Manager or with Role Manager. However, my personal view is that Identity Manager is more flexible because it accesses data online whereas Role Manager needs a CSV file for data loading if you don't drag out the data via SPML. Compliance tasks and attestation can be implemented in either.
Second, role mining is a nice feature when you haven't defined your roles yet. Role mining is not a black art. It uses a covering algorithm to help the role designer in a way a CAD system helps technical designers. The important point here is that the outcome of the mining process is where technology meets business: whether or not a mined role is useful depends on the business.
The mined roles can be amended to meet business criteria and then be exported to an identity management system (e.g. Sun's Identity Manager) from where the entitlements can be provisioned to the target systems (RACF, AD, LDAP etc). Overall impression: good tool. But beware it's called Role Manager and not sox.exe or security.exe.