IAM Lifecycle Management for (Take Your Pick)
We in the IAM world do a fairly good job of addressing “User Lifecycle Management” and “Role Lifecycle Management” issues, but are generally abysmal in other areas that beg to be governed by full-functioned, easy-to-use lifecycle management principles.
What are lifecycle management principles? I propose that the following apply:
- Application of standard, repeatable, and easy-to-use methods for creating, configuring, changing, approving, invoking and terminating objects.
- Ability to execute these methods directly or through delegated administration functionality.
- Ability to verify correct operation through process transparency and consistent audits.
- Ability to easily manage objects individually or in large sets.
In order to benefit from lifecycle management principles, objects need to have characteristics such as these:
- a beginning
- an end
- dynamic configuration over time
- need of approvals for creation, changes and termination
- operative dates/times for each step in the lifecycle
- object versioning
Given these two lists, what types of objects in an Identity and Access Management system beg for Lifecycle Management? At least these:
- Users
- Roles
- Entitlements
- Policies (for provisioning, access control, authorization and audits)
- Managed Systems (applications, systems, devices, etc.)
- Workflows/Processes
- Forms
- Configurations
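As an added example (not from the original post), here is one way to model the characteristics listed above uniformly in Python: every creation, change or termination is a versioned step with an operative date, each step must be approved by someone other than its proposer, the audit trail records every step, and objects of any kind (user, role, policy, form) share the same code. The object names, dates and entitlements are constructed for the scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)                  # constructed reference date
def day(n): return T0 + timedelta(days=n)  # time helper for the scenario

@dataclass
class Version:
    """One configuration step of an object; pending until approved."""
    number: int
    config: "dict | None"         # None marks the terminating step
    effective: datetime           # operative date/time for this step
    proposed_by: str
    approved_by: "str | None" = None

@dataclass
class LifecycleObject:
    """Uniform lifecycle record for any IAM object: user, role, policy, form, ..."""
    kind: str
    name: str
    versions: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # process transparency for audits

    def _log(self, when, action, actor):
        self.audit.append((when, self.kind, self.name, action, actor))

    def propose(self, config, effective, actor):
        """Create (v1), change (later version) or end (config=None); all need approval."""
        v = Version(len(self.versions) + 1, config, effective, actor)
        self.versions.append(v)
        self._log(effective, f"propose v{v.number}", actor)
        return v.number

    def approve(self, number, approver):
        v = self.versions[number - 1]
        if approver == v.proposed_by:             # separation of duties
            raise PermissionError("proposer may not approve own change")
        v.approved_by = approver
        self._log(v.effective, f"approve v{number}", approver)

    def terminate(self, when, actor):
        return self.propose(None, when, actor)    # the end is just the last version

    def active_config(self, at):
        """Approved configuration in force at time `at`; None if not yet live or ended."""
        live = [v for v in self.versions if v.approved_by and v.effective <= at]
        return max(live, key=lambda v: (v.effective, v.number)).config if live else None

def bulk_approve(objects, number, approver):  # manage objects in large sets, same rules
    for obj in objects: obj.approve(number, approver)
```

A pending change never affects what is in force, and the audit list is the same shape for every object type, which is what a single coordinated lifecycle interface would need to build on.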
Wouldn’t it be great if there were a single coordinated, cohesive user interface for providing lifecycle management of all these objects? Certainly, there are significant differences between object types, but the processes of keeping them all under control over time have more similarities than differences.
We still think too much in silos, rather than in integrated architectures. If we are to ever reach the worthy objectives of ease of use, rapid implementation and effective administration, we must successfully conquer this lifecycle management problem.