Life of the agilista

The Story of 'O' products

2010-10-12T23:37:00.001-07:00

Its come to my attention lately there's a LOT of confusion about what the litany of 'O' products ('O' being Oracle). Given Oracle's choice to name everything after itself you end up with a myriad of 'O' products in three and four letter acronyms. Coming from a background of Microsoft products where almost every year the product was renamed to something entirely different for no rhyme or reason (see MIIS to ILM to FIM), I am OK with Oracle renaming everything it buys to "Oracle" something. Still there's a lot of confusion about the products and what they do. Given the recent acquisition of Sun products and there subsequent renaming there's lots of speculation that the products overlap or worse, compete. Some examples, OAAM or Oracle Adaptive Access Manager, OAM or Oracle Access Manager, given the names one might think the products are competitors. Naturally in today's business environment where every penny counts as businesses guard their cash reserves you wouldn't want to put anything into production with an overlapping or competitive function. As such, I've been repeatedly asked about things like OIM, OID, OIA, and OAAM and whether they are serving the same function. This post is my attempt to provide some insight as to how those products interact, what purpose they serve, and our roadmap for implementing them.

A good visual is invaluable to show the relationship between the parts of the Oracle Identity Suite. Here's the interaction as presented by Oracle for their products and respective niches they fill:

We're currently implementing the foundation for good Access & Identity Management which is good role based access and role governance. This is served by Oracle Identity Analytics or OIA. OIA will allow us to move away from the very manual of process of managing roles today by spreadsheet and SQL Scripts. It will also allow us several key improvements; separating our AIM systems from any and all legacy databases, moving away from the tight coupling of roles (access) to job codes and cost codes, and finally associating access with job functions and responsibilities in the form of enterprise roles. Having a solid grasp on roles is fundamental to our efforts and will provide a multitude of benefits to us, our customers, and the business.

We're also implementing Oracle Internet Directory or OID which will allow us to govern access to Oracle databases. Oracle Internet Directory (OID) is an implementation of LDAP (lightweight directory access protocol) and allows end users to access Oracle databases with their network credentials. This allows us to tie back access to Active Directory as our single point of control for all access in the enterprise. OID will also allow us to manage authorizations in Oracle databases via membership in LDAP (OID) groups, groups governed and approved by the database owners. So Business Intelligence database access will have to be approved by the Business Intelligence team, CRM database access will be controlled by CRM team, etc. All of this access will be requested, approved, and authorized through a single site, the Computer Access Process or CAP.

The CAP itself will get a facelift this year and we're going to improve and extend our provisioning process (see Identity Administration) as we implement Oracle Identity Manager or OIM. OIM will allow us to move away from our Microsoft based workflow engine, which has served our purposes admirably but not without its challenges, and allow us to begin to use OIM's connectors for expanded provisioning to the eBusiness applications. OIM also promises tighter integration with the Oracle owned applications like PeopleSoft and the rest of our Oracle Identity Suite products like Oracle Adaptive Access Manager (OAAM) and Oracle Identity Federation (OIF), two technologies we're going to implement in the next 4-6 months as well. More on Oracle Adaptive Access Manager and Oracle Identity Federation in a future post.

So to RECAP:

OIA: Oracle Identity Analytics - role management, a foundational piece (database) for role based access and role governance.

OID: Oracle Internet Directory - a directory implementing LDAP which will allow us to authenticate Oracle database users via Active Directory and authorize them based on membership in groups (roles) governed in the near future by OIA (no dependency).

OIM: Oracle Identity Manager - a workflow and provisioning engine for extending and enhancing the administration of identities.

OIF: Oracle Identity Federation - a means for federation of our identities with partner organizations. Federation via standards, plain and simple.

OAAM: Oracle Adaptive Access Manager - strong authentication and knowledge based authorizations for websites. Coupled with its capabilities for real time fraud detection and prevention this tool will serve a variety of purposes.

My Review of Roku HD Player

2010-09-07T05:15:00.001-07:00

Originally submitted at Roku

The best-selling HD Player (as known as Netflix Player by Roku) plays High Definition video and connects to surround sound audio.

Best purchase I've made in the last year

By agilekalaf from Goodyear, AZ on 9/7/2010

Pros: Easy to use, Great value, Video selection, Compact, Reliability, Built in Wi-Fi, Easy to set up, High quality picture

Cons: Need fast internet service

Best Uses: Internet Radio, Primary TV

Describe Yourself: Technophile

Given I am very internet savvy so I knew full well how to take advantage of this device from the start, but this is the future of TV. They are building the features of the Roku into TV's (Vizio, others) and selling them for a huge markup now. I wouldnt buy one, I'd buy this instead. Why? Its configurable. You can get Pandora, FlickR, SmugMug, and TEDTalks with this device. All for around $100 makes this the smart move.

(legalese)

Trying out MarsEdit2

2009-11-22T21:49:00.001-08:00

So I'm now a VERY happy Mac user. Its like the most stable, non free, linux laptop I've ever used. But, I've yet to find anything that rivals Windows Live Writer for blogging to a variety of platforms. While it isn't free, MarsEdit2 holds great promise. So for the next 30 days my posts will be coming to you courtesy of MarsEdit 2.

My Review of Pragmatic Thinking and Learning

2009-10-28T20:40:00.001-07:00

Originally submitted at O'Reilly

All day long, you're thinking. There's always something new you need to learn. But do you know the best ways to think, or learn? We all know how to work with software and hardware, but what about wetware-our own brains?

In this new book by Pragmatic Programmer Andy Hunt, you'll se...

Head First Thinking and Learning!

By Agile Kalaf from Phoenix, AZ on 10/28/2009

Pros: Well-written, Easy to understand, Helpful examples, Concise

Best Uses: Expert, Student, Novice, Intermediate

Describe Yourself: Developer

Whats great about the Head First books? They truly understand how we humans think and learn. Read the intro to any HF book and they will tell you their approach is based on an understanding of how people learn best. THIS book shows you how they arrived at that conclusion and how you can train your mind to be a better learner. Are you interested in mastering the job you have or training for the job you want? This book will help you lay the foundation for that no matter what area you are looking to master. One of the best books I've read in years!

(legalese)

2009-06-02T15:47:00.000-07:00

Some lucky devil is going to Catalyst 2009. Should be the bomb for Identity Management! Next year I'll try and make it to Prague!

Gartner last presentation

2008-11-12T11:17:00.000-08:00

I love the MQ on conference schwag. Sorry I missed the laser pointer (I think) but I did end up with two pair of magnetic Ben-Wa balls from Deloitte. Dude, did you just say Ben Wa? ummm...yes...look it up. Seriously, a dubious gift to be sure. I feel like Captain Quig when I play with them. Then there's the every present risk of HIGHLY magnetic items in the laptop case...thats gotta be dangerous. Finally, I was sure seeing those things in my bag would prompt some sort of impromptu cavity search but gratefully it was not to be.

Notes from the conference: Shannon Wilson is the coolest boss on the planet. Really, so many ways to describe it but the best reference isnt my word, its how many people at work are now approaching him wanting to be a part of his team. A good boss is like gold.

When you attend a Gartner conference and you're in the last session....ask a friggin question. I failed to notice the 4 iPod Nano's upfront...one for each questioner. Well how could you know you ask? Ummm...cuz they did the exact same thing last time (2 yrs ago). Oh well. I didnt win a damn thing.

Overall the conference was one of the best I've been to...relevant info, GREAT Wifi (consistently and EVERYWHERE) and very very good food (from the vendors).

One more thing, IT conference are great because of the diversity. I see Indians, Asians, Europeans, Canadians, South Americans, Caribbeans. I love the voices and the perspectives.

Making the case for IAM

2008-11-12T07:05:00.000-08:00

Key issue 1 - Obtain and maintain support
1. Understand the context
a. What the business really want?
b. Listen, dont pontificate
2. Plan and execute
a. Establish the mechanics
3. Maintain
a. Close the loop

"The foundation of effective support is credibility"

Understand the business strategy
Faster, better, less expensive
Map IAM strategy back to the business strategy
Understand the business environment
Drivers, Economics, Comptetition
Understand the business risk and risk affinity

Establish effective governance
IAM Steering committee
Role of Security vs Information/process owners, people owners
Establish channels of communication
Identity key stakeholders
Meetings, presentations, documentation
Build relationships
Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging, and execution

Key issue 2 - Communicating the business value of the program

Articulate the business model
The 4i Model
Capture the business drivers
Security efficiency
Security effectiveness
Business agility and Performance
Map drivers to Values and Actions
Business value - Expected Benefits
Relevant Business Drivers - Why
Implications/Requirements - What

Executive Communication Plan
Vision, action plan, Project list, Resources requirements, Reasons (business drivers), Expected business values

Tailor to audience preference
Temper content to reflect cultural and personality realitiess

Key issue 3: IAM Projects - Cost Benefit Analysis or ROI?

Developing a balanced approach to investment justification
Reporting the results

Recommendations
Establish the foundations
Listen to the business, understand context
Implement governance structures and communications channels
Establish feedback loop
Communicate value of program
articulate benefits in business terms
Map business drivers to actions and expected values
Justify project investment in business terms
Use balanced CBA
Report back

Privileged Access Presentation by Ant Allan

2008-11-12T06:19:00.000-08:00

Ant is one of the best Gartner guys. Very thorough and very knowledgeable. So here's the news

50% growth in this space in the last 12 mos. This market is BOOMING right now. We've got lots of choices. That said, here's the choices we need to consider

SUPM: Super User Password Management - The SUDO model. This is the concept of a support person or power user who needs access to elevated privileges in a given network device, database, server, etc.

SAPM: Shared Account Password Management - SA, DBA, Administrator, these accounts are shared between systems administrators. The passwords to these ultra powerful, system installed accounts are often kept in Excel spreadsheet and much worse and shared among DBA's, Sys Admins, Network Admins. The passwords need to centrally managed and checked in and checked out.

SIEM: Security Information and Event Management - We need to log what people do with elevated and shared account privileges. Likewise, we can set up patterns and scan for suspicious activity.

SAPM: Software Account Password Management - Lots of applications have Service Level accounts with elevated privs. We need a way to manage passwords so that they can get their passwords, we can track applications using these passwords, and limit/change passwords to key systems and service accounts. This space is also called Application to Application (A2A) or Application to Database (A2B).

Discoverability: The ability to poll a network and inventory ALL network devices, databases, and servers. This ability is nascent in this space. Its a product differentiator. Its also assumed that AT A MINIMUM, you know what your inventory looks like in silo (Windows Admins know how many Windows servers there are, etc)

Pricing is all over the place. Per instance, per CPU, per entitlement, per user. CA has the best suite based product. IBM has a suite based product. The other 3 big vendors dont have this and partner with various vendors.

This space is exploding because auditors are forcing this as a compliance issue. Only 1200 companies world wide have anything in place. We're not alone in NOT doing this and pushing to get it done this year. However, we are unique in that we dont have a handle on what our resource (server, database, network device) inventory is...this is a major failing for us.

IAM Implementation, worst mistakes, best practices

2008-11-11T11:44:00.001-08:00

Big Mistakes
Not understanding the MQ. The leader quadrant is NOT for everyone.

No listening to vendor/integrator advice – you may think you know more or that your business model is truly unique BUT, they know their product and how it achieve your goals

Changing the scope on a whim – Dont allow yourself to get shortsighted , plan, design and build for the long term, remember IAM is infrastructure

Big Success

Establish effective governance
Steering committee
Role of the CISO/CSO vs process and people owners

Establish channels of communication
Identify key stakeholders
Meetings, presentations, documentation
Build relationships (dont use acronyms)

Marketing principles
Differentiate target audiences
SWOT it
Customize messages, packaging and execution

Decision Framework

Phase 1 – Identify
Phase 2 – Prioritize
Phase 3 – Organize

Prioritize – Drivers and Deliverables
Drivers – impact, cost, urgency
Deliverables – std deliverables

IAM Drivers
Security Efficiency
Security Effectiveness
Business enablement

the 4I model
Integrity, Investment, Indemnity, Insurance

What if your down, what to do to turn it around?
IAM Governance is key
PLAN AND COMMUNICATION

IAM as a Managed Service and IdMaaS

2008-11-11T08:47:00.001-08:00

its an embryonic “pre-chasm” market with licensing and config challenges ahead

IdMaaS will rise and fall with SaaS and SOA centric approachs

First gen IdMaaS will be hybrid service and app architecture

IdMaaS requires shared reuseable services, initial frameworks available but vendor products are nascent

Professional IAM “as a Service” Types 1 & 2 & 3

1.Professional IAM Services
1.They help you BUILD out your IAM offering
2.Managed IAM Services
1.They build it, you manage it and consume it at their site
3.On-demand “IAM as a Service”
1.Hosted Services you consume as a part of your IAM Solution
4.Service-Architected IAM
1.Fischer International
2.Early editions of current IAM products, ERP adminstrationn
3.SOA based design
4.simple pricing

Fischers International is a company who will provide you IAM as a Service

Recommendations

Near
Establish a common vocabulary for talking about this
Audit current IAM infrastructure so you know the cost to operate it

Intermediate
evaluate the options periodically
Consult with services procurement to see legal and policy issues

Long term
Implement IdMaaS type appropriate to your organization

Service oriented identity

2008-11-11T07:24:00.000-08:00

Early identity:

SSO, on boarding, provisioning to various applications

Today: Strong Authentication, Federation, encrypted laptops

What we need?
Externalized authorizations policies
Abstraction of deployment details from the application
integration of security with IDE's
Roles, context, trust
Hot pluggable functions....cross platform

All of these mean Service Oriented Security

Authentication Service
Oracle Access Manager (Web SSO) for Java and .NET
Oracle Adaptive Access Manager (Risk based access manager)
compares current behavior to behavioral baseline to assess risk

Authorizations Service
Oracle Role Manager
Oracle Entitlements Server

Oracle entitlements sit in the same namespace as the application, its not centralized, its localized so it doesnt go over the network (this sounds DAMN SEXY...i want details!!)

Identity, Profile Service
Oracle Identity Manager – manages identity lifecycle
Oracle Virtual Directory – replaces main directory in real time

the benefit of SOA Approach is that we can replace it as we see fit

lots of the standards for all of this are in flux and oracle is leading development of them

XACML is an XML representative of policy on disk

User centric identity keynote

2008-11-11T06:48:00.000-08:00

CEO Province of BC (British Columbia)
Frank Villavicencio Citigroup Global
Bandit Higgins Project Novell
Kim Cameron Microsoft Identity Architect

BC Citizen Centric identity
something we could use for transparency with Obama Open Government initiative
Privacy is a concern here....people will give everything to Amazon, but NOT to a government entity

Talk is about Joe the user Citizen Consumer

Live ID now supports OpenID

there's a new version of Cardspace? Kim Cameron's point is that the industry as a whole needs to do this NOT just Microsoft or Novell, etc

Open Source Identity System

within 2 years all major vendors will support this

enterprise identity will weaken as it moves on the to Internet

OpenID, what else
its OK for low level transactions where there's very little value to hacking it

Microsoft and Google offering OpenID but NOT accepting it

the idea is claims based security...OpenID is a threat to that in thats its not too secure
if it gets more secure its fine

standards based authorizations? Yes....eventually...authentication and authorizations have to be separate

Roles and Entitlements Management

2008-11-10T11:36:00.000-08:00

Policy (access and identity) management is the common element between role and authorization management

Access and Identity Management aka Entitlement & Role Management

Role engineering, identity analytics, authorization management are coming
Role life cycle management, identity auditing and authorization management

Questions:

Distributed vs Centralized Entitlement Management

Describe difference between row level security and entitlements

Do you see people 'de-provisioning' entitlements and/or roles

Entitlement auditing necessary vs role management and who is the audience (role governance group?)

Map entitlements to appropriate role leve – Do we, should we management the lowest level OR just the IT roles, not operation and resources

Assigning roles AND entitlements are seperate activities per Earl (Perkins)
identity analytics --> auditing (AND what where there entitlements 8 mos ago)

Policies --> Controls
Business Roles (Ent Roles) --> IT Roles (and rules) are comprised of Entitlements, operations, and resources

This is VERY similar to standard RBAC model

Users → Roles → Attributes (locations, etc) → Permissions → Operations → Resources

what is XACML and why is it important?

A common policy/service registry is a possibility (similar to directories)

The bottom line here is that there are a TON of solutions for each technology, CISCO for Networks, Oracle for Database, BEA for Web App Servers, IBM for WebSSO, etc

NO ONE VENDOR for ALL entitlements management

AND GOOD LUCK getting buy off from the software developers to implement entitlement in their SDLC

IAM Architectures

2008-11-10T10:31:00.000-08:00

Organization strategy for IAM

Make it a part of Enterprise Architecture (EA)
Establish Security Architecture Governance function
Oversight and Review
Subcommittee of EA team
Consider tactical security architecture team
Corporate and Business User staff
Drives development and implementation of information security architecture (ISA) into the business and IT
Focus on relationship building
Integrate with development lifecycle
AuthZ, AuthN protocols are adhered to
Unify CAS, Security, Identity, roles, and priv access

Also identify 'weak' spots in existing EA and call them out, bolster by modeling IAM specific artifacts. Trace back EA/IAM to business requirements

Consider Gartner's IAM Maturity Curve - self assessment or externally lead.

Gartner IAM 2008 Keynote

2008-11-10T06:01:00.000-08:00

Earl Perkins RVP IAM@Gartner

IAM is a subset of IT Governance (should we have an identity arm of IT Governance or should IAM run Governance meeting of its own)
Access in IAM is risk mitigation
IAM-GRCM - controlling activities and compliance in enterprise apps
GRCM is required to deliver "best practices"
GRCM is heterogeneous and complex, requiring heterogeneous IAM infrastructure
Addressing GRCM is IAM's showing "maturity" and increase success and quality
How does IAM cut costs? (this is straightforward)
trends in IAM GRCM
IT Austerity Programs - what are the assets in the organization (identity, entitlement, roles)
Why IAM Suite?
Cost savings, GRCM with risk based decisions, best in class GRCM (dont expect just one comprehensive IT Tool for it)
Deliver transparency of information while establishing "principles of privilege" to reduce litigation concerns and overall risk
the biggest challenge of IAM is figuring out what access to give people
IAM Maturity
Infrastructure procedures ---> business processes
Security basic -------> managing risk
Coarse grained access ------> fine grained access

Seven Ps of GRCM

Principles
Policies
Practices
Processes
People
Products
Production

IAM timeline
2008 IAM to IT Services
2012 Business Enablement
2016 Profitability
GRCM timeline
Today - compliance
2008 Risk Management
2012 - Profitability
Multi-regulatory, Cross enterprise - business stakeholders should get into compliance, reports, audits, defining access

2008-07-24T12:59:00.000-07:00

If I werent married and very much alive I would join...

The Future of Identity @myJob

2008-06-20T16:00:00.000-07:00

Identity is changing. Our initial focus was on controlling and provisioning access to key systems for purposes of satisfying Sarbanes-Oxley audit points. Identity was the afterthought, access was king. Our name for a long time reflected that, the Access and Identity Management (AIM).

More and more we’ve been moving towards becoming the Identity Information brokers. It hasn’t been easy. Our customers have continued with their demands to get their applications added to our Computer Access web site (CAP). The business has demanded easier access for new hires which gave birth to the ‘On-boarding’ project. The folks in Compliance and I&T still have an audit point to satisfy with regards to privileges granted roles in each application, and likewise privileged access to systems and databases. Throughout all of this we’ve been in the process of upgrading out metadirectory server for nearly a year now.

But as we’ve been completing these projects, my attention has been drawn to what we’ll need in the next 12-24 months. Here’s some of my conclusions of where we are headed in the Identity Management:

1. Being the identity information brokers doesn't mean we have to build a monolithic database (and schema) to house every little last bit of information about our users. For one, we should only build out relevant information as it relates to identity or is consumed by another application or end user. Likewise, we’ll never agree on a naming convention, etc with all of our end users. Instead we should look to support all of the elements they need and provide a proper mapping to the same for application developers. We should focus on building out a structure that will allow for more generic, more meaningful, roles for our end users. The application development teams who consume this information will provide the mapping to their application roles. We should partner with those development teams to better report on the privileges our roles grant to end users across the application eco-system.

2. We need to embrace the concept of Identity as a Service (IdAAS). We should provide an identity service layer to allow applications and other services to readily get their identity information from us. What are the aspects of this Identity as a Service that are key?

Highly available
Highly reliable
Highly standard
Easily recognized
Simple to use
Usable (see Simple to use)
Ubiquitous
Critical to daily activity
Taken for granted (see ubiquitous)

The best analogy I can give for this Identity Service Layer is one of the old phone system (prior to cells). Applications should be able to lookup key elements of identity for a user of their system with the ease of using a Yellow Pages or a phone book. The elements like name, address, and phone number should be VERY easy to get from it. Likewise, simply pick up the phone and you’ve got a very, very, stable, always on, service layer waiting for your input. Simply dial the number of the end users and your application could be talking to them in moments. This also speaks to the need for an elegant API.

3. The API we develop for accessing this identity service layer should be very simple. We should not force our application development partners to learn new standards, or complicated SOA schemes. My preference is for a simple REST-ful interface. Federation is where we will need standardize our communications with trusted partners.

4. Federation is a key to our success with vendor and student/faculty integrations. As as move to a service oriented world, integrations of our end users with various vendor applications and even access to our student and faculty portal will be critical. We’ll have to provision and de-provision users to and from their systems. Our initial approach is going to help to ease multiple logins to vendor systems internally. Our focus should be to allow staff to access vendor sites from home or other remote sites without having to remember their passwords. This will take some time to complete. The first step should be federating our identity repository information with existing vendors. From there we can begin to look at the student and faculty portals. I believe we should have an awareness of student and faculty identities in our internal identity repository. I don’t believe this requires that we provision and de-provision students and faculty (although I would certainly prefer we leverage a common identity framework) as that is the particular domain of the people vested with maintaining those applications.

5. Replication and copying data demands will grow to the point where it may become untenable. Metadirectory tools like MIIS and ILM are based on a Web 1.0 paradigm where it is relatively simple to determine who owned the data. There was HR data, Galaxy data, CT & OSIRIS data and so on. Today’s applications are sharing data, components, and identity information. Who owns the data is becoming less and less important and clear. As we grow our IdAAS and IDM Service Layer, we will be forced away from ILM as a hub for identity information and driven towards policy and user centric information sharing. This change is still roughly two years away but we need to consider the buy vs. build solutions now that will allow us to remain competitive and relevant.

6. Identity’s importance to the enterprise will continue to grow. Enterprise 2.0 and Web 2.0 will change our business models and our strategies will need to adapt. Identity is the FOUNDATION for all of this. Identity will grow to not only encompass systems and database access, but physical and user access to laptops and desktops. The Identity team will work more closely with the HR Team as it pertains to the identity lifecycle. But as our scope grows we will HAVE to staff up to meet the demand, simple decisions to purchase software in an attempt to minimize man hours spent developing custom applications will not suffice to meet the demand. The key will continue to be employing highly intelligent, highly effective people to extend, implement, and support our identity initiatives.

7. The computer access web site will continue to become less and less important. We should focus on breaking it up into viable, independent pieces to be consumed in other applications or modalities. The computer access web site will need to live on for the next 18-24 months or until we acquire an identity management suite. At the point where we implement any new identity management suite, we may be able to employ the gadgets or pieces of the old computer access web site that we develop. More focus should be given to building our Identity Service Layer (with consideration for an Identity BUS to be implemented as a part of a larger enterprise service bus) and the tools necessary to support it.

This is my vision for the next two years. I would love to hear from all of you and your thoughts on the future of Identity Management in the Enterprise for the next two years.

Agile Software Development contributes to flow experiences

2007-09-01T15:35:00.001-07:00

I've been practicing agile software development since the early XP days. When the agile manifesto came out it seemed to echo many of the things that I found good about agile software development. For our shop we needed agile software development so we could eliminate waste in the form of unneeded features which contributed to code bloat. To eliminate this waste required the participation of our customers. Customers would meet with us daily in a variety of ways, email, face to face, or in instant messenger. They would see the progress we made on a particular feature and say "good enough" or propose corrections. All in all it was a very efficient process. Likewise, as a manager I met with the business weekly to ensure that what we were working on was aligned with their objectives. In an ideal world, their objectives would line up with the company's strategic plans. This was a perfect synergy of strategy, tactical objectives to achieve the strategic goals, and software development addressing the objectives in two week releases of new features. I often thought about the unexpected by product of this whole process; happy customers and more importantly happy staff. It seemed that no matter how daunting a task I gave my team, they just smiled and got down to work on it. Truly, this was a software development manager's dream. Little did I realize that the happiness was a byproduct of 'flow' and that flow was a direct result of agile software developments' other tenets, namely self-directed and self-organizing teams.

Consider the following principles as described on the Agile Manifesto website:

The best architectures, requirements, and designs
emerge from self-organizing teams.
At regular intervals, the team reflects on how
to become more effective, then tunes and adjusts
its behavior accordingly.
Build projects around motivated individuals.
Give them the environment and support they need,
and trust them to get the job done

As a software development manager I was encouraged to turn over command decisions to my team so that they could come up with the architectures, requirements, and designs. My job was to accurately relay the problem and manage any impediments to progress. Our team would get together monthly and review what worked and didn't work and adjust accordingly. My job changed from getting hands on with the code, to supporting my staff, hiring the best and brightest to join our team, and understanding the needs of the business as deeply as possible.

Our team evolved into a very dynamic, highly cohesive, unit that would work together, eat together, and celebrate victories together. From the first design principle, people well versed in architecture started to shine and teach others about better ways to develop software in accordance with design principles and patterns. We moved from good ASP.NET developers to really good object oriented developers. This transition helped us bridge the religious divides of Java and .NET as we quickly started to attend tech talks and pattern workshops with the Java guys (they called us the 'sharpies' (for C Sharp (C#)) and we called them the 'dullies'). How was all this openness, honesty, and good work ethic achieved? Was it the agile software development methodologies we were following? No, it was the fact that in spite of all the hard work, we were all very happy. We took IMPOSSIBLE requests and turned them around in weeks, not months. We were by all measure one of the most productive groups in all of IT at the time. So where did all of this happiness come from? In a word, FLOW.

So, what is 'FLOW'? Flow is a concept described by Mihaly Csikzentmihalyi. I could spend this entire post describing it. But I would refer you to two really good articles on the subject, Frank Heckmans' article on 'Designing organizations for flow experiences' in the Journal for Quality and Participation, and an excellent post by blogger Steve Pavlina on the 7 Rules for getting into flow. The simple description of flow is the experience of happiness, energy, and creativity when someone is perched between impossible goals and insipid, easily achieved goals. In that fine line of tension, energy manifests itself, creativity is forced into play to achieve the 'nearly' impossible, and people just feel in the 'zone', invincible, and most importantly, HAPPY. There's a growing body of research that supports this psychologically, sociologically, and even anthropologically. It seems the state of flow is a very human experience from our antiquity. Flow was something that developed in the early nomadic tribal groups, wherein members were all called upon to participate, lead, follow, and play different roles.

My agile software development teams seem happier than other non-agile teams. I believe it's because agile software development in whichever methodology you choose, fosters flow. Its practices contribute to and create opportunity for flow experiences. Agile software development does this by way of its aforementioned principles, self directed and self organizing teams. These mirror the research done by Emery on the design principle of work organization that leads to flow; self-managing, adaptive group structures. Like the many links one sees to the Fibonacci sequences in nature and the universe, self-organization has roots in autopoiesis, complexity theory, physics, and biology. It would seem that self-organization is the natural order of things and when human beings at work in any area follow it, they are happy.

Emery's research suggested six requirements for human productivity. I will translate these to aspects of agile software development and how managers should structure the organization around that team for maximum productivity and employee satisfaction.

Autonomy – Self organizing teams are self-directed. You may suggest problems for them to solve, challenge them on the accuracy or completeness of their solution, but you can't employ traditional top-down management with them. You have to give them support and guidance so that they get needed direction enough not to feel lost or bored, but not so much that they feel like they have no ability to influence their success in the organization.
Foster a learning environment – This is something Google does exceptionally well in theory, they encourage staff to learn new things as long as they are loosely related to the company's overall aims. Agile teams constantly challenge one another to do more, work smarter, and learn new ways of being more productive. This makes people happier as a result.
Variety – Cross functional teams are advocated in agile software development. Cross training and mentoring are hallmarks are these teams. This leads to variety which helps people stave off boredom. Beyond that, as managers we should constantly be exploring new technologies and encouraging our staff to do the same. It's not technology for technology's sake, it's applied when applicable and at the very least the lessons learned can be applied to the employee's current assignment.
Mutual support and respect – Loyalty to the team, mentoring, and a healthy respect for each other's various proficiencies are keys to success in software development. Teams who have mastered this are able to cover for one another in absences, pick up and help one another without direction from management, and can self-organize along respective strengths better. Again, the end result is a feeling of belonging, a feeling not of us against them, but rather a nearly familial pride in each other. Agile software teams achieve this by virtue of cross-training each other, mentoring each other, and working as a team on their goals.
Meaningfulness – This one is harder to quantify for some managers. The suggestion here is that people like to think that their work makes a difference, contributes to society, and helps their employer's bottom line. How does agile software development help to achieve this? By releasing software in regular, incremental intervals. Agile teams release software every 2-4 weeks on average. Projects which take 60 days or a little more are rare. Project lasting 90 days are almost unheard of among agile teams. This means that software developers see their efforts, their code, and their creation, go into use. They get regular, almost daily feedback from their customers about how well the software works. Agile developers make a difference in their customers' lives and as such they derive meaning from their work.
Upward mobility – Some software developers feel stifled in their positions. They feel like they are spinning their wheels. Their software never sees the light of day and they will never get promoted or receive recognition. Agile software developers on the other hand know they make a difference. They can feel themselves growing as they get mentored, as they pair program, as they evolve newer and more efficient ways of writing software. Just the fact that they are on an agile team or can add experience with agile software development methodologies to their resumes is a huge plus. This in combination with the ever growing list of achievements added to their resume makes them more marketable. The really wise software development manager will promote from within, recognizing his or her employees' growth thus extending their tenure at the company. Likewise, be sure to backfill these promotional vacancies with junior level new hires that show an aptitude for learning and a 'go-getter' mentality. Lastly, as a good software development manager, recognize that at the apex of your senior staff's development, they will leave you for larger, more lucrative projects with national or global companies. Rather than trying to woo them back with unreasonably high counter offers or worse, veiled threats of sabotage or retaliation, celebrate their success within your team. This will build your personal network of former developers (who can buy you sushi someday) and will send a signal to your existing staff that their jobs are not dead ends, that they too can expect a celebratory farewell lunch someday.

So what will happen if you follow my advice? Will you get rich? No. You will not be personally famous. But, if you do decide to adopt agile software development (agile with a small a) then you will most likely have happier, more productive employees. It will help people that work for you get into the 'flow' and that experience by all accounts is meaningful, memorable, and makes a difference in people's lives. And if you're lucky, you may just end up on a list of some of the best places to work in IT, over and over again.

Ubuntu in the office

2007-05-12T22:45:00.000-07:00

So yes, I've been running Ubuntu (6.10 and now 7.04) in the office since October. I've definitely had my challenges but now I rarely need to cross over to Windows. The one thing that vexes me is a good substitute for Visio. I've got UML tools and Thinkature
but thats about it. So how do I get by with Ubuntu in a largely Windows corporate world? Here's how:

1. Buy in. My management is completely cool with my running Linux instead of Windows. I exist in open source goodness by the grace of their positional authorities. If you dont have buy in, you're asking for trouble, run Ubuntu as VMware or on a thumb drive.
2. Email. Well Outlook seemed to be an insurmountable challenge. I have Outlook Web Access which is pretty damn swell in Exchange 2003. But I've forced myself to know Evolution and I've been pleasantly surprised with how well it performs on Feisty Fawn. Its everything I need in an email client but it still has it quirks. It occasionally hangs, or crashes without saving my appts to my calendar, etc. But overall, no issues.
3. Development. Well this is afterall what I am supposed to do. I have been forced to use MonoDevelop in lieu of VS.NET 2005. I like MonoDevelop, but I am limited to doing just source code and very little complex stuff. I can check it in through KDESVN *I still say Tortoise is WAY better. And even though MonoDevelop is based on my all time favorite OSS IDE for .NET (SharpDevelop (I LOVE YOU BABY!)) its no where near as good as VS.NET 2005 or SharpDevelop yet. I also use Eclipe with a variety of plugins for Ruby, BPEL, UML, and many more. I really really like what they've done with Eclipse. Now if they could just get the refactoring thats built into NetBeans or a plug-in like ReSharper (the BEST Visual Studio plug in EVER) I would never leave. AND it runs SOOO much faster on my Ubuntu than Windows ever did for me.
4. Web. Oddly enough there are still times when I wish for IE back. I know its odd to say but for some Microsoft only solutions, its king. I was pleasantly surprise to see Sharepoint 2007 work well with FireFox 2.0. Nicely done Microsoft. And yes, I did install IE for Linux *v6 but sill dont like it as much as the real thing.

Conclusions? Ubuntu, OpenOffice, a SLEW of development tools....Ubuntu is great. Challenges? Enterprise buy in and integration challenges, no corp VPN, no corporate virus protection, no Outlook. If I have a problem with it, I own it. Other challenges, HARDWARE. Driver issues plague open source systems. Try to get full compatiblity with NVidia or worse yet ATI with Ubuntu. Got a Web CAM? Try to use it with GAIM or aMSN....its not that easy. Ubuntu is the best Linux yet for the desktop. For open source shops or non-Microsoft developers, this is a real consideration.

2007-05-12T22:21:00.000-07:00

ILM Core Concepts and Architecture

2007-04-25T22:49:00.000-07:00

Challenges: No formal relationship between the language of the enterprise and the system. We don't know what we dont know. People interpret policy. Policies are interpreted. Policies are often nebulous. Systems cant understand policy unless people who program them understand policy.

Wait, isnt this an “under the covers” look at ILM2? Don't give me marketing technobabble!!!

Communication = Contracts

Workflows = Process

Policy = ????

Assertions: Common Patterns

Provisioning
Group Management
Password Management
White Pages
Policy Management

“We react to events on sets of identity with processes.”

What are the issues presuming this axiom is true

collection of resources
request model on collection
sets which organize data
blah blah blah

ILM 2 Steps

1. Resources you want to manage

regulate your processes
synchronize with environment
CRUD on identity in ILM2
core object types and schema
you can modify types or create new ones

2. requests on resources has three phases

authorization
authentication
action

3. sets organize resources
4. events trigger processes

request events are defined as a quad
transition events are a double
processes formalize responses to events

5. Demo

Now Demo of the tool...again

What happened to architecture?

What if the language you create to mirror the business process isn't granular enough to reflect your needs?

how do you manage these processes? You dump them and they have to resubmit?!?! NFW!!

Clients Outlook, Sharepoint, Windows, Custom, Office 2007 (IE 6, Firefox, Windows XP SP2+)

ILM 2 will use web service standards (Windows Communication Framework, Windows Workflow Foundation)

ILM 2 will be server heavy up to 5 servers minimum – Sharepoint (WSS not MOSS), Resource Management Service, Resource Management DB, Metadirectory Service, MetaDirectory DB, **Exchange Server 2007**

Longhorn Server Standard with SQL 2005 SP2+ 64 bit ONLY

They MIGHT cluster MIIS **NO COMITTMENT and NO commitment on SQL Clustering with Support on MIIS

No event based model for MA's. No error handling for MIIS. Here's what we get maybe

“codeless” provisioning, improved performance, more adapters

The Impact of ILM

2007-04-25T22:18:00.000-07:00

Opinion – Identity Management is a set of business processes and a supporting infrastructure for the creation, maintenance and use of digital identities.
Inherent IdM is after service based IdM? Whats Inherent IdM? Its the entire IDM Business Suite.
Card Spaces (CardSpace, OpenID, etc) is coming soon. How soon? Gerry says 18 mos. Pam Dingle says 3-4 years. I believe Pam. No offense Gerry but I'm not talking about nascent efforts, I'm talking a mature, ready for the business technology.
User Provisioning:
“Integrated set of tools for managing life cycle of user entitlements”
Components: Workflows, administrative tool integration, password management, rule based processing, auditing and logging, connectivity to AD/LDAP/etc and Identity Repository.
Leaders of IdM: CA, IBM, Oracle are tops
Microsoft and Novell make quite a few claims but they cant back it up. Workflow is the gating factor to these two vendors being in the top end. Business drivers, process improvement will happen this year. Really? no proof of that....this is a bad version of what I saw at the Gartner Conference. Ah...he's suggesting that virtualization of the IdM tools will have this effect, he's not suggesting we're re-engineering business processes yet. Any implementation experience is a multi-year engagement .
Standards
SPML v2 limited adoption, more important to Federation
BPEL Oracle and Intalio are the only two vendors, only important as Oracle is pushing it. He views this as a workflow engine for business rules, Sun may support BPEL over time. What about BPM?
Trends – Vendors still in acquisition mode. Vendors will start to work on early adopters to smooth experience for mainstream users over time. (2-3 yrs) **WAY TOO MUCH TIME on IdM deep dive. Get to the ILM bashing MAN!**
Ahh....now to ILM (a potentially disruptive technology) Microsoft has been slow – no workflow, no user interface capabilities, etc. Good metadirectory and data synchronization technology. ILM2 will be Microsoft's FIRST move into real IdM. Workflow, Web Services API (but no SPML Support) Any impact? NONE. Role management Bridgestream, BHOLD, Eurekify, Omada, Vaau. Roll your own: Courion and Voelcker, Oracle will likely acquire some of these small vendors
Enterprise Access Control Management – Logical applicationss like Approva, SAP/Virsa. Provisioning lacks awareness within ERP Stack. It checks with EACM policy engine before provisioning. Auditing tools are also big as well.
Conclusions: ILM going different direction than the rest of the UP market. ILM will be heavily partner reliant, MSFT is in this long term, don't expect them to be chased out of the market. This is a rehash of things I already knew with Gartner

Care and Feeding of your MIIS SQL Server Database

2007-04-24T15:42:00.000-07:00

So far the best presentation of the conference *sorry Brad
Highlights:
Clear out the run history of all your jobs. This can really impact your jobs if you let it get cluttered

Spedometer - Use PerfMon
MIIS Objects
For Imports Objects Read/Sec
Objects Synchronized/Sec
For Exports Objects Exported/Sec

But wait, there's a script: http://www.ilmbestpractices.com/Articles/Speed_of_Past_Runs

as tables grow - Page splits, fragmentation, more scans than seeks, growth of log and data files.

monitor with Page Splits/Sec in perf mon how do we avoid it

scan v seek you get more scans as get more fragmented indices

read entire tables versus using an index

monitor with PerfMon

Full Scans/Sec
Auto Create/Update stats are enabled

File Growth
if auto growth is enabled
clear run history script on website

http://www.ilmbestpractices.com

DBCC SHRINKDB('MicrosoftIdentityIntegrationServer', NO TRUNCATE)
maybe preset size if you can predict
Log file should be 1/4 of total data file
Transaction Log is key to performance as well

Recovery Models
Full - LOG EVERYTHING
Simple - only as good as last full or diff
Bulk Logged hardly ever used with MIIS - only good for bulk logged operations

Red Gate SQL Backup to compress backup files (compression eats CPU time but far less Disk IO

When you clear run history it will host your transaction log. Do this during a maintenance window and
a. Truncate log
b. Change to SImple Recovery Mode
c. Clear run history in small chunks
d. Then go to Full Recovery mode and Perform a Full Backup

you can also add some indices to better performance

indexdefrag on DB every month, index rebuild quarterly till SQL 2005 EE. With SQL2005EE we get to rebuild index with DB online as well as rebuild index in TempDB
http://www.sqlbestpractices.com

Where's the WIFI?

2007-04-24T08:50:00.000-07:00

So the sponsor of this conference is NETPRO. NETPRO as in Network Professionals. Their logo is KNOW YOUR NETWORK. Thus it is that I am at a loss to explain WHY?! WHY cant I get wifi in the conference rooms. NO ONE CAN! Turns out they've outsourced that to Cox. Nice.

Think Gloves

2007-04-23T17:54:00.000-07:00

So the last two presentations I've seen have been technically brilliant. Things like Fuzzy Logic algorithms and using bit vectors and GUIDs to derive group memberships in AD, etc. Here's the thing, both solutions are geared to companies wanting to take shortcuts with their problems. I'm baffled why those companies don't spend more time crafting proper simple solutions to their problems as opposed to coming up with an overly complex solution.

The first was a means of provisioning access to non-AD based applications (applications that cant leverage AD for authentication) based on AD Group Memberships. The problem was notoriously difficult to solve and as it ended up, they crafted an XMA based on AD Groups using MVGuids and the bit vectors from AD which are used to denote group memberships. They then provisioned this in the applications in question. Brilliant right? Lots of code and very fancy terms. Then I thought, what was the real problem? Why manage access via AD Groups to an application that can't natively talk to AD? Well most companies don't have a website to allow them to request access to roles so the Tech Support teams manage Roles (see Groups) via Active Directory. The far simpler solution would have been to modify the applications in question to query AD directly rather than create new XMA's for every group in AD.

The fuzzy logic presentation was equally bright. There was lots of code and pattern matching with confidence scores, etc. All to allow non unique field to match up and create solid joins. There's obvious appeal to the idea, we could have used it for increasing the reliability of the name matched between HR and IDMGMT. But here's the kicker, why not create a GUID to match all the entries on both sides? Again, I think of the next version of something really complicated and then I stop and I think to myself...GLOVES.

The only positive outcome of all of this is that Apollo seems to have been very fortuitous in its software development leadership and wise in its choice of solutions to thorny problems. We remain light years ahead of the competition. We should seriously consider selling our solution or at least consulting with companies headquartered in sunny, tropical seaside locales.

Finally the meat

2007-04-23T13:11:00.002-07:00

After being nauseated by yet another vaporware Microsoft presentation, BMC gave an excellent overview of how to use XMA's to do things like provision OpenLDAP, MySQL, and ORACLE.

Privileged access project? Done. Now the only challenges are really getting the access to do the actual provisioning and getting the list of servers to maintain. One small wrinkle, XMAs seem to be based on one off connections so we'd have to run quite a few XMAs to cover all of our Oracle databases. Still, good problems to have compared to I cant do it with MIIS.

Kim Cameron's Keynote

2007-04-23T10:31:00.000-07:00

Seems like he is making a case for the OpenID movement. So, point one, we're becoming more and more interconnected. Businesses will do more and more business digitally, hence the need for agreed upon standards for communication, interconnectedness, etc. This will result in “de-perimeterization”, the dissolving of corporate boundaries, firewalls, routers, etc. He's advocating “legonic” (Lego like) technologies and businesses where they can easily be connected. Tomorrow's systems will be “agile and self organizing” and good at handling multiple sources of information with variable credibility. Cameron's point is that just like Remote API fell to the wayside in favor of loosely coupled Web Services and SOA, so to will identity management.

Enter in CardSpace and OpenID. This allows people to make “claims” about themselves or others and then to set up infrastructure to allow independent third party providers to validate the claim. This is EXACTLY the same point that SXIP's founder Dick Hardt made two years ago in his presentation to Open World (although his use of the Lessig style was far more compelling). Cameron also postulates, as a side note, that there will be increasing regulation around the concept of identity and anonymity on the Internet and the interconnected world.

So Microsoft's work is geared towards building out Cardspace to interact with things like ADFS, Security Token Services (STS), and Web Service Security protocols. Questionable? I wouldnt know, there was NO question and answer period provided for Mr. Cameron's keynote. Is he asking us to blindly validate his “claims”?

Microsoft to the...oops BSOD

2007-04-22T16:22:00.000-07:00

Well well...no shock that the show came to a close when the Microsoft rep got up to speak. Showing off ILM2 (with some admittedly cool features) caused the Virtual Server (Microsoft's competition to VMWare's ESX server) to crash. Of course he was using Vista and getting messages ALL THE TIME.

The real kicker was knowing that all of this was
a. Not available until Mid 2008 (when did Microsoft ever miss a ship date)
b. Gonna cost us an arm and a leg given its coolness.

To boot, the guy doing the presentation was an unkempt retro hip version of Bill Gates with a bad accent. While I love Bill he's not selling me anything.

So far so good

2007-04-22T15:05:00.000-07:00

Advanced MIIS training is good but its not the 504 course (Advanced MIIS). Its new technologies and it is COOL. Some items to get excited over?

XMA's: Imagine you want to connect to a MySQL database with MIIS. Normally I'd say you're SOL (look it up yourself). NOW, with Extensible MA's (XMA) you can write your own MA connection to it and then leverage it in MIIS. Web Services not a database? No problem. Centre Vu id's? Have an API we'll plug it in...

PowerShell: Almost had the big O on this one. Imagine a Cygwin/Ruby/Shell for Windows Servers....Now imagine scripted .NET where EVERYTHING is an object. Now imagine Kevin Feingold or Eric Treeman turned loose on this bad boy. IT IS SWEEEEET! We're going to retire the CMD files and Launcher.exe and go with the Power Shell scripts.

Advice: We're always really scared of putting bad data out there...Oxford's advice? NO BAD DATA in the MV. No garbage in....no garbage out. Lots of work on validation of data in and validation of Brad Turner's advice.

Gotta run...self service password reset is on....

Lessig's Presentation

2006-12-02T22:56:00.001-08:00

Aside from the brilliance of his presentation style, Lessig has an important message. His message was that an internet 9/11 is coming, which will result in an internet version of the Patriot act. This work is already under way with the Identity gang and Kim Cameron at Microsoft. The identity layer, an identity metasystem will enable traceability and regulability. Lessig's call for action was to have we as technologists involved in framing and shaping the discussion in order to preserve the generative, free, Internet we enjoy currently. He offered no clear way for us to get involved short of getting off the PC and getting into the political arena to help counter the perception of the Internet as a series of 'tubes'.

I also got to ask him about the CC license and the Microsoft Zune. His reply was that DRM much like the Patriot Act was a poorly crafted, poorly implemented technology. He suggested that the conversation with Microsoft and Apple (even Apple is guilty of catering to the DRM Nazi's) has been started and that its an important one for the digital rights world.

Gartner Identity Conference

2006-12-02T22:56:00.000-08:00

Very very good information coming out of this conference to date. Gartner is great for making solid recommendations on a range of things. Here's the overview so far:

Identity & Access Management is just a small piece of the pie

No one vendor does it all well yet

Radically different approachs exist.

The space is changing, look for model driven identity or policy based IAM to replace what exists today.

No one directory for all needs BUT...

One respository for all identity information should exist

Network access will tie in with IAM in the very near future.

Neil McDonald's presentation this morning was very very insightful.

And of course Lawrence Lessig spoke this morning!!

Lessig's Presentation

2006-12-02T22:55:00.000-08:00

Gartner Identity Management Conference Summary

2006-12-02T22:40:00.000-08:00

WOW. I am really proud. Apollo is ahead of the curve in SOOO many ways. Now mind you we're not at the apex of Gartner's Maturity Model which is Policy Based (and yes that is our new target) BUT...

We're at the Virtualized stage, our objectives now are increasing business efficiency to reduce costs in labor intensive or time intensive business activities.

A whopping 73% of Gartner customers DON'T do automated user provisioning. Likewise, all the products we looked at have CRUDE interfaces, ill defined interactions, and are still half baked. Even Oracle, the best identity and access management suite on the market today is only a rebranded amalgam of their most recent acquisitions. It introduces yet another workflow technology, it has gaps in what it can and can't do, namely business roles and role governance. For that it recommends we leverage someone like Bridgestream, which has yet another web interface for business users to use in requesting business roles (apparently only IT users use Oracle Identity Manager to request IT only roles) and yet another workflow engine for our support teams to learn. Add to that the spartan and un-intuitive interfaces on both products, and we look like rock stars.

We are in fact rock stars, what we've done and in the time that we've done it is nothing short of miraculous. We're in the top 27% of Gartner customers for user provisioning and I'm quite sure we're even higher considering the periodic audits we've been doing for a full year this month. At the user round table I attended Thursday, I was ahead of all but one customer and even then we had features and maturity that they were only now starting to consider.

So, considering all of this, where do we go next? Well there are still significant gaps in our offerings, and most certainly, opportunities for growth. Here's the short list of things we're missing or needing to improve upon:

UI: what we've got in the CAP UI is extensible, robust in comparison, far easier to user and more elegant than anything we saw at the conference. But being the rock stars we are we cant settle for success. Let's take it to the next level, let's simplify the UI and make it clean. We'll engage the HCI team in order to get this done. Think of the good Web 2.0 designs we've seen like Google, Skype, Delicious, and you'll have an idea of what it is that we want to do.

On-boarding: We need to simplify the on-boarding process for all new users. CAP can still be the place we go for on-boarding contractors. But when we hire staff or convert contractors to staff we HAVE to vastly simplify and streamline that process. Users shouldnt have to go from HR to CAP to put in access requests. Likewise, we should be able to identify people as existing identities when we provision them so we dont end up with duplicates. Every vendor has this, so should we.

Default access levels: When we on-board people we should automatically grant them a default level of access based on a role. This access would include network access, email, and some combination of roles based on their job code and cost code.

Email access: Its not fully automated provisioning until we include email. This is #1. Enough said.

Role Management: We need a means of adding or removing roles within CAP, the identity management environment, and downstream in the applications. This is a larger, multi-year goal but one we should pursue nonetheless. We should include some manor of reporting all the roles and role mappings in the system as well as who has these roles and who is in violation of the conflicting role policy. Role policy shouldnt be an Excel spreadsheet. That's just plain embarassing for a rock star.

Role simplification: We need to work on reducing role proliferation and streamline what we have to be more reflective of the true business roles. We should include some definition of what exists withing EMS.

LONG TERM GOALS:

RFP for IAM Suite: We should look at what we have versus what's available in the industry. We'll need to get some scope definition in place, then we'll engage Gartner to craft a proper RFP. Once we've got that we'll send it to the major players to see who responds. I'm anticipating we'll evaluate IAM Suites from Oracle, Sun, Microsoft, and IBM, with the outside possibility of BMC. We should narrow that down to 2 vendors within 3-4 months and then do POC's with both. Based on the results of the POC, we'll select a vendor and engage Purchasing for the contract. Here's the timeline for the RFP:

December - January: Scope Definition. We'll need to work on getting the list of applications we have as an enterprise, then list what it is we have in terms of IAM support for all of them. Once we've got that we'll draft the RFP with Gartner.

February - March: Draft the RFP with Gartner. Vet it with the business. I'm anticipating 2-3 days with Gartner on site potentially.

April - May: Send out RFP and await responses.

June - August: Vendor on site meetings, demo's, and selection. I'm anticipating we'll make #1 and #2 offers by the end of August.

September - October: POC one and two.

November - December: Work with Purchasing to sign contracts. Begin to plan phased roll out.

IMPORTANT NOTE: An important option we have open to us throughout the RFP process is to pass on all vendors before or after the POC(s). The relative immaturity of the market, the relatively high prices, and the relative maturity of Apollo's IAM infrastructure by June of 2007 could suggest we pass on all vendors for 2007-2008.

The rationale behind the drive to select a single vendor or at minimum 2 partial vendors is to reduce the manpower needed to build and deliver identity and access management as well as to move away from something thats completely customized and labor intensive to own and operate. Our development resources should be able to get to a point where they are focusing on integration and delivering services to our fellow application developers in accordance with the service based model. This is very high level, very rewarding work. And then finally, when we're ready to tackle transitioning to a policy based model, our developers will very likely use a single vendors tool(s) to assist our business end users in defining and implementing their business policies in terms of identity and access management policies.

Presenting at IAM2: Next year, I want to be on stage at Gartner in Los Angeles talking about the best company with the best IAM team on the planet. I want to wow our fellow Gartner clients. I want them to base a case study on us. I want us to have to wear shades on stage that day, not because the lights are too bright, but because our FUTURE is SO bright we've got to wear shades.

2006-10-11T11:48:00.000-07:00

Road map meeting

Ultimus web service step to BPEL doesn't work
consider re-visiting the BPEL WS to see whats different about the SOAP Headers or use .NET FB to call WS

Conclusions:
Web and Ultimus layer separation need to wait till Dec/Jan time frame. Even then we should deploy a beta to power users. Implement new CAP by March 1
November time frame, stabilize and analyze code in CAP for Dec Periodic Audit. Limited functionality changes. Steve to spearhead CAP Code Cleanup. Greg to spearhead memory increase on BPM. Mary to spearhead possible staggered audit
3.2.5 is new apps and roles - task and sub task breakouts to be added along with estimates
3.3 is BPEL batch and single Mgr approval, along with new HTML and Usability changes
3.4 is TBD but is targeted for late November.

Steve and Mary to work on budget for development to give to Mark
Greg to work on getting pulse of business requests and re-initiating stalled projects, Contractors and Role Governance

regular release and iteration planning meetings will occur until we stabilize the process

Trying out the new Windows Live Writer

2006-08-14T15:50:00.000-07:00

Think. Think about the current world's situation. The world is embroiled in two great cultural seismic changes. One is the battle between fundamentalists. Hindu's versus Muslims, Jews versus Muslims, Christians versus Muslims, and it extends into the various sects therein. Sunni's versus Shiites, Catholics versus Protestants, orthodox versus non-orthodox.

The second great battle is more subtle but engenders more animus from the aforementioned, seemingly intractable, enemies. Its the battle between progressivism and fundamentalism. This battle is cast in terms of heresy, godlessness, abomination, and apocalypse.

Some would cast the headlines of the day in the context of the battle against progressivism. Certainly, wahabis and jihadis both claim to be saving Islam from the progressivist Americans, Jews, Christians, etc. To their way of thinking democracy, equality, human rights (which extend to atheists, homosexuals, pacifists, anyone undesirable) are an American or Western abomination. They would have us return to the califate wherein the Koran dictated how to govern, a Shariahic state. Many Americans currently choose to see the conflicts in the Middle East in the same fashion, American progressive ideals like democracy being resisted in favor of brutal theocratic or autocratic rule.

I choose to see these conflicts as fundamentalist doctrines with opposing viewpoints. There are those who believe that not only should America 'free' a Muslim society, but we should also help them to choose a proper path, like Christianity, like capitalism, with a Western style culture. Witness the American displeasure and subversion towards freely elected governments like Hugo Chavez in Venezuela, Hamas in Palestine, or Evo Morales in Bolivia. We like progressive ideals when they suit our needs. When they seem to threaten us, we attempt to controvert them or change them by way of executive order. Look at the current administration's disdain for Congress and the rule of law (due process). We openly disdain stem cell research, alternative lifestyles, genetic modification, and any integration of biology and technology.

Moreover, the conservative (read fundamentalist) cultural zeitgeist is one that looks upon antiquity with a sophmoric nostalgia. "Remember the good old days?...." is their modern mantra. Gone are the days of simplicity and bucolic lifestyles that were inherently 'good'. Everything today is modern, complex, and very soon, to be apocalyptic, in its nature. The future is viewed not with optimism but rather a sense of loathing and foreboding.

If the human race to to evolve into a global culture, one progressing on a path to the cosmos and first contact with extraterrestrial civilizations, we must put aside our small minded beliefs. We must grow past national and cultural boundaries and embrace our humanity and our uniqueness in the universe. Only in accepting ecumenical movements, reconciliation, education, and diplomacy in place of war, will we ever be ready for what is truly wonderful, our future. We owe it to our children!

COOL New TECH

2005-09-22T00:06:00.000-07:00

http://del.icio.us is SOOO COOL....likewise, FlickR....i'll be using FlickR to post photos here!!!

Start of a new blog life

2005-08-29T13:49:00.000-07:00

Here's my blog which is tied into Gmail and GTalk. Only fitting as I explore the netherworld of Open Source technology and programming languages