Planning the Project Management Aspects of Identity Manager Implementation

This section outlines high-level political and project management aspects of implementing Identity Manager. (For the technical aspects, see Planning the Technical Aspects of Identity Manager Implementation.)

This planning material provides an overview of the type of activities that would normally be taken from the inception of an Identity Manager project to its full production deployment. Implementing an identity management strategy requires you to discover what the needs are and who the stakeholders are in your environment, design a solution, get buy-in from stakeholders, and test and roll out the solution. This section is intended to provide you with sufficient understanding of the process so that you can maximize the benefit from working with Identity Manager.

We strongly recommend that an Identity Manager expert be engaged to assist in each phase of the solution deployment. For more information about partnership options, see the Novell® NsureTM Solution Partner Web site. Novell Education also offers courses that address Identity Manager implementation.

This section is not exhaustive; it is not intended to address all possible configurations, nor is it intended to be rigid in its execution. Each environment is different and requires flexibility in the type of activities to be used.


Novell Identity Manager Deployment

There are several activities suggested as best practices when deploying Identity Manager:


Discovery

You might want to begin your Identity Manager implementation with a discovery process that can do the following:

  • Identify the primary objectives in managing identity information
  • Define or clarify the business issues being addressed
  • Determine what initiatives are required to address outstanding issues
  • Determine what it would take to carry out one or more of these initiatives
  • Develop a high-level strategy or "solution roadmap" and an agreed execution path

Discovery provides a common understanding of the issues and solutions for all stakeholders. It provides an excellent primer for the analysis phase that requires stakeholders to have a basic knowledge of directories, Novell eDirectoryTM, Novell Nsure Identity Manager, and XML integration in general.

  • It can establish a base level understanding among all stakeholders
  • It can capture key business and systems information from stakeholders
  • It can enable a solution roadmap to be developed

The discovery also identifies immediate next steps, which might include the following:

  • Identifying planning activities in preparation of a requirements and design phase
  • Defining additional education for stakeholders

Key Deliverables
  • Structured interviews with key business and technical stakeholders
  • High-level summary report of the business and technical issues
  • Recommendations for the next steps
  • An executive presentation outlining the outcome of the discovery


Requirements and Design Analysis

This analysis phase captures both technical and business aspects of the project in detail and produces the data model and high-level Identity Manager architecture design. This activity is a crucial first step from which the solution is implemented.

The focus of the design will be specifically on identity management; however, many of the elements traditionally associated with a resource management directory, such as file and print, can also be addressed. Here is a sample of items that you may want to assess:

  • What versions of system software are being used?
  • Is the directory design appropriate?
  • Is the quality of the data in all systems appropriate? (If the data are not of usable quality, business policy may not be implemented as desired.)

After the requirements analysis, you can establish the scope and project plan for the implementation, and can determine if any prerequisite activities need to occur. To avoid costly mistakes, be as complete as possible in gathering information and documenting requirements.

The following tasks might be completed during the requirements assessment:


Define the Business Requirements

Gather your organization's business processes and the business requirements that define these business processes.

For example, a business requirement for terminating an employee might be that the employee's network and e-mail account access must be removed the same day the employee is terminated.

The following tasks can guide you in defining the business requirements:

  • Establish the process flows, process triggers, and data mapping relationships.

    For example, if something is going to happen in a certain process, what will happen because of that process? What other processes are triggered?

  • Map data flows between applications.
  • Identify data transformations that need to take place from one format to another, such as 2/25/2002 to 25 Feb 2002.
  • Document the data dependencies that exist.

    If a certain value is changed, it is important to know if there is a dependency on that value. If a particular process is changed, it is important to know if there is a dependency on that process.

    For example, selecting a "temporary" employee status value in a human resources system might mean that the IT department needs to create a user object in eDirectory with restricted rights and access to the network during certain hours.

  • List the priorities.

    Not every requirement, wish, or desire of every party can be immediately fulfilled. Priorities for designing and deploying the provisioning system will help plan a roadmap.

    It might be advantageous to divide the deployment into phases that will enable implementation of a portion of the deployment earlier and other portions of the deployment later.

  • Define the prerequisites.

    The prerequisites required for implementing a particular phase of the deployment should be documented.

  • Identify authoritative data sources.

    Learning early on which items of information system administrators and managers feel belong to them can help in obtaining and keeping buy-in from all parties.

    For example, the account administrator might want ownership over granting rights to specific files and directories for an employee. This can be accommodated by implementing local trustee assignments in the account system.


Analyze Your Business Processes

The analysis of business processes often commences by interviewing essential individuals such as managers, administrators, and employees who actually use the application or system. Issues to be addressed include:

  • Where does the data originate?
  • Where does the data go?
  • Who is responsible for the data?
  • Who has ownership for the business function to which the data belongs?
  • Who needs to be contacted to change the data?
  • What are all the implications of the data being changed?
  • What work practices exist for data handling (gathering and/or editing)?
  • What types of operations take place?
  • What methods are used to ensure data quality and integrity?
  • Where do the systems live (on what servers, in which departments)?
  • What processes are not suitable for automated handling?

For example, questions that might be posed to an administrator for a PeopleSoft system in Human Resources may include

  • What data are stored in the PeopleSoft database?
  • What appears in the various panels for an employee account?
  • What actions are required to be reflected across the provisioning system (such as add, modify, or delete)?
  • Which of these are required? Which are optional?
  • What actions need to be triggered based on actions taken in PeopleSoft?
  • What operations/events/actions are to be ignored?

Interviewing key people can lead to other areas of the organization that can provide a more clear picture of the entire process.


Design an Enterprise Data Model

After your business processes have been defined, you can begin to design a data model that reflects your current business process.

The model should illustrate where data originates, where they move to, and where they can't move. It should also account for how critical events affect the data flow.

You might also wish to develop a diagram that illustrates the proposed business process and the advantages of implementing automated provisioning in that process.

The development of this model begins by answering questions such as the following:

  • What types of objects (users, groups, etc) are being moved?
  • Which events are of interest?
  • Which attributes need to be synchronized?
  • What data is stored throughout your business for the various types of objects being managed?
  • Is the synchronization one-way or two-way?
  • Which system is the authoritative source for which attributes?

It is also important to consider the interrelationships of different values between systems.

For example, an employee status field in PeopleSoft might have three set values: employee, contractor, and intern. However, the Active Directory system might have only two values: permanent and temporary. In this situation, the relationship between the "contractor" status in PeopleSoft and the "permanent" and "temporary" values in Active Directory needs to be determined.

The focus of this work should be to understand each directory system, how they relate to each other, and what objects and attributes need to be synchronized across the systems.


Key Deliverables

  • Data model showing all systems, authoritative data sources, events, information flow and data format standards
  • Appropriate Identity Manager architecture for the solution
  • Detail for additional system connection requirements
  • Strategies for data validation and record matching
  • Directory design to support the Identity Manager infrastructure


Dependencies

  • Staff familiar with all external systems (such as HR database administrator, network and messaging system administrator)
  • Availability of system schemas and sample data
  • Data model from the analysis and design phase
  • Availability of basic information such as organizational chart, WAN and server infrastructure


Proof of Concept

The outcome of this activity is to have a sample implementation in a lab environment that reflects your company's business policy and data flow. It is based on the design of the data model developed during the requirement analysis and design and is a final step before the production pilot.

NOTE:  This step is often beneficial in gaining management support and funding for a final implementation effort.


Key Deliverables

  • A functioning Identity Manager proof of concept with all system connections operational


Dependencies

  • Hardware platform
  • Necessary software
  • Analysis and design phase that identifies the required connections
  • Availability and access to other systems for testing purposes
  • Data model from the analysis and design phase


Data Validation and Preparation

The data in production systems can be of varying quality and consistency and therefore may introduce inconsistencies when synchronizing systems. This phase presents an obvious point of separation between the Nsure Resources implementation team and the business units or groups who "own" or manage the data in the systems to be integrated. At times, the associated risk and cost factors might not belong in a provisioning project.


Key Deliverables

  • Production data sets appropriate for loading into eDirectory (as identified in the analysis and design activities). This includes the likely method of loading (either bulk load or via connectors). The requirement for data that are validated, or otherwise formatted is also identified.


Dependencies

  • Data model from analysis and design phase (proposed record matching and data format strategy)
  • Access to production data sets


Production Pilot

The purpose of this activity is to begin the migration into a production environment. During this phase, there may be additional customization that occurs. In this limited introduction, desired outcomes of the preceding activities can be confirmed and agreement obtained for production rollout.

NOTE:  This phase might provide the acceptance criteria for the solution and/or the necessary milestone en route to full production.


Key Deliverables

  • Pilot solution providing live proof of concept and validation for data model and desired process outcomes


Dependencies

  • All previous activities (analysis and design, Identity Manager technology platform).


Production Rollout Planning

This phase is where the production deployment is planned. The plan should:

  • Confirm server platforms, software revisions, and service packs
  • Confirm the general environment
  • Confirm introduction of eDirectory and mixed tree coexistence
  • Confirm partitioning and replication strategies
  • Confirm Identity Manager implementation
  • Plan the legacy process cutover
  • Plan a rollback contingency strategy


Key Deliverables

  • Production rollout plan
  • Legacy process cutover plan
  • Rollback contingency plan


Dependencies

  • All previous activities


Production Deployment

This phase is where the pilot solution is expanded to affect all live data in the production environment. It typically follows agreement that the production pilot meets all the technical and business requirements.


Key Deliverables

  • Production solution ready for transition


Dependencies

  • All previous activities