In Part 1 we introduced identity management and the motivations behind it. Now, more about the challenges facing the would-be IM implementer.

It was the connectors issue that derailed Nancy Birschbach's plans to deploy CA's eTrust Admin for user provisioning. Two years ago, Birschbach, information security officer at health care provider Agnesian HealthCare in Wisconsin, hired a consultant to plan the transition. Her staff spent more than a year mapping data between repositories and changing all user IDs to a common naming convention.

But then they found that the versions of the Lawson CRM and Cerner Millennium clinical software she had deployed — both key repositories of user identity data — wouldn't connect with eTrust Admin without substantial integration work. Newer versions of both products will work with eTrust Admin, but upgrading will have to wait.

Agnesian had recently deployed both applications, and upgrading again would have required changing out both hardware and software.

"Those applications are our bread and butter, and we're not going to ditch that and put in something new," Birschbach says. Another alternative was to write a custom interface, she says, but "it wasn't worth our while to do custom programming." So she abandoned the project. "I had to back out all of the policies and procedures and write new ones for manual provisioning," Birschbach says.

Still, the organisation is benefiting from the work done so far. All of the data repositories have been cleaned, and Agnesian created roles and mapped each to the appropriate applications so administrators could provision at a group level. "I met with every director and department leader to define a role for every job code," says Birschbach, who found that her version of Lawson software doesn't support group-based provisioning. "We're using that information. It's just, unfortunately, not in an automated process," she says.

Tesenair says such problems shouldn't be a show-stopper. "I don't see technology being a barrier. If you need data, you can get it in some way or another," he says. But although Health First has built connectors for its identity repository, it has yet to take full advantage of that for user provisioning. Applications that work with a directory service are supported, he says, "but if it has its own repository, it's manual."

Manual vs automatic workflow

Tesenair has created workflows that automatically notify administrators when a user is terminated or his credentials change, but the actual provisioning is manual. "We've held off until we get a better handle on our roles first," he says.

Defining those roles has been a challenge. "We don't have this figured out from a business process perspective," Tesenair says. For example, it's unclear whether a nurse manager should get access to medical records or if only nurses should have that access. "I don't find technology to be as much of a barrier as the business processes are," he says.

While role modelling is a challenge, it hasn't stopped Health First from leveraging its identity infrastructure. Tesenair rolled out a password self-service application that cut help desk calls from more than 6,683 to 534 a year. The organisation is also piloting a mobile clinical workstation, deployed on a tablet PC, that supports single sign-on to a suite of clinical applications and e-mail. The identity management system synchronises username and password data among the applications, a biometric authentication system and Novell's eDirectory service.

Role definition also can be tricky when several business units are involved. Ingersoll Rand supports different Web portals for dealers of each of the company's three construction equipment lines: Bobcat, Club Car and Ingersoll Rand.

A dealer that carries all three brands had seven different log-ins to access all required applications. Jim McDonald, manager of IT, says he used Oracle's Identity Manager and other Oracle tools to create a single identity and single sign-on for each user. Now he's working on assigning users roles so each user inherits role-based rights and attributes automatically.

The problem is that different groups define the same role names differently. For example, a parts manager at one dealership may be able to see prices and costs, while at another, management may not want the parts manager to see what the company pays for a part. Different constituencies will never agree on a single set of role definitions, says McDonald, and you have to work around that. "We let each brand define their own roles. We're not trying to dictate the business requirements," he says.

Identifying roles

"After mapping all of your accounts, the second most challenging task is defining roles," says Jim Shattuck, lead systems analyst at Children's Hospital Boston. The teaching hospital has been consolidating identity repositories and uses Microsoft Identity Integration Server to link 14 applications to perform automated user provisioning. As part of that effort, the hospital defined about 90 minor roles.

"The roles help us provision about 80 percent of the users, but there are 20 percent that are too disparate," Shattuck says. Those "do not justify the effort involved in defining and maintaining them," he says, so they are handled as one-off requests.
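Two of the patterns described above, a role catalogue scoped per business unit (so one brand's "parts manager" may legitimately differ from another's) and a residual set of accounts whose access no role explains and which is handled by hand, sketched as an added Python example; this is not code from any of the organisations mentioned, and the unit names, role names and entitlement strings are constructed.

```python
from dataclasses import dataclass, field

# Each business unit owns its own role catalogue, keyed by (unit, role_name),
# so the same role name can carry different entitlements in different units.
# Units, role names and entitlement strings are constructed for illustration.
ROLE_CATALOGUE = {
    ("bobcat", "parts_manager"): {"parts:view_price", "parts:view_cost"},
    ("clubcar", "parts_manager"): {"parts:view_price"},  # this unit hides cost
    ("ingersoll", "service_tech"): {"service:read"},
}

@dataclass
class User:
    uid: str
    roles: set                                     # (unit, role_name) tuples
    exceptions: set = field(default_factory=set)   # approved one-off grants

def role_entitlements(user):
    """Union of the entitlements granted by the user's unit-scoped roles."""
    ents = set()
    for unit_role in user.roles:
        if unit_role not in ROLE_CATALOGUE:
            raise KeyError(f"undefined role {unit_role!r}")  # fail closed
        ents |= ROLE_CATALOGUE[unit_role]
    return ents

def effective_entitlements(user):
    """What the user can actually reach: role-derived grants plus exceptions."""
    return role_entitlements(user) | user.exceptions

def role_name_collisions(catalogue=ROLE_CATALOGUE):
    """Role names that two or more units define with different entitlements."""
    by_name = {}
    for (unit, name), ents in catalogue.items():
        by_name.setdefault(name, {})[unit] = frozenset(ents)
    return {n: units for n, units in by_name.items() if len(set(units.values())) > 1}

def unexplained_access(users):
    """uids holding grants that no assigned role accounts for (the manual tail)."""
    return sorted(u.uid for u in users if u.exceptions - role_entitlements(u))

# Constructed sample: a two-brand dealer and a tech with one grant outside any role.
USERS = [
    User("dealer42", {("bobcat", "parts_manager"), ("clubcar", "parts_manager")}),
    User("tech7", {("ingersoll", "service_tech")}, exceptions={"service:write"}),
]
```

Running `role_name_collisions()` periodically surfaces the cross-unit naming clashes McDonald describes, and `unexplained_access()` sizes the one-off tail Shattuck handles outside the role model.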

The number of applications included in the project is also limited. "For the most part, the roles affect applications and permissions that are integrated tightly with Active Directory and not beyond," Shattuck says. The rest of the more than 100 applications, including the hospital's primary clinical application, aren't yet integrated. "As far as roles go, we're maybe 20 percent of the way there," he says.

Shattuck cites both technical and management challenges. For example, to provision the clinical application, the hospital needed to define key roles and add new "departmental" and "manager" fields in PeopleSoft, the authoritative repository of identity data for provisioning users in the clinical application.

While identity projects may be complicated and costly, organisations can be successful by taking small steps and limiting the scope to key applications — at least initially. "We don't believe that all of those legacy applications will ever be fully integrated," Wagner says. Despite the challenges and limitations, he sees clear benefits to moving ahead: "You can, through the application of some of these tools, make your business run more efficiently."