Tuesday, July 8

Metadirectories: What's left to say?

If you haven't been following the flurry of conversation since my post last week stating that metadirectories aren't dead, well you're in luck. We couldn't have asked for a better recap of the conversation than the one provided by Ian Yip (although I think he gave Nishant a bum rap on this one).

There were so many different angles explored that I'm not really sure where to start or what's left for me to say.

  • I'll restate that I see perfect use-cases for both metadirectory and virtual directory. Now and in the near future. In the far future, there will probably be better ways to achieve the same goals.

  • Also, it sounded like Clayton took my comments to mean that "everyone needs to be using Active Directory for everything", which was (I think obviously) not the intent. My point is that although the top 500 or 1000 companies may have a number of directories for various strategic uses, there are probably 20x that number of companies that use only Active Directory as the central and primary user store because of its network and email integration. And those companies might like for their application vendors to offer a direct plug-in to AD as an option.

    A plug-in to LDAP might be another good option, and virtual directory technology would be a great enabler to incorporate various vendors, schemas and even relational databases through that single mechanism. But those mid-market companies probably would prefer not to take on the complexity of a virtual directory (even if relatively simpler than writing numerous connections) if they could just use AD natively. And I think some percentage of the Fortune 1000 would see AD as strategic enough to ask the same as well.

    That's my guess based on a customer perspective as opposed to a software vendor's ideal state of architecture. And I don't think this is limited to companies who are 100% Microsoft shops. AD just has a very far reach, and because it holds email in most of those companies it will already have an account for every employee, be available, etc.

    I don't think any of this should be seen as threatening to the role that stand-alone directories or meta- or virtual directories play. The difference in viewpoint between me and Nishant & Clayton (if I can group them together) might be in the types of customers we've been talking to. There are still a ton of companies out there that aren't super-strategic about their Identity Management architecture. Or that just want a point solution because it fits the current business needs.

I think that's it. For now.

[UPDATE] - forgot one:

  • Bavo, I wasn't requiring that the HR database be the primary source for account creation and status. I also wasn't telling you that the HR database should be the primary source for Identity information. (However, I think it's more true than you think.) I was stating a requirement (one that I've seen many times). HR has been deemed THE authoritative source for employee existence in a majority of the companies I've worked with. My experience seems to differ from yours. [That's at least interesting! ...and one of the reasons I blog – to engage with people that have different experiences.]

    Yes, companies struggle with getting HR updated by the employee's start date. But I've actually seen more than one customer implement a complicated AD-to-HR-back-to-AD process to accommodate the issue. One customer integrated the candidate review system into the provisioning system. I think the reason for HR being authoritative is usually deprovisioning. They want a disabled HR record to ripple downward.

    I think what you call the IDM system assumes a provisioning solution with workflow and its own internal store. These are luxuries that are not always available. In my scenario, the cost and complexity of a provisioning solution is probably overkill based on the requirements. And that's my point. There are scenarios where the simplicity of a metadirectory is not only sufficient to meet the requirement but actually a bit more elegant a way to meet it.

OK, now I'm really done for the night.
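To make the "HR is authoritative for existence, and a disabled HR record ripples downward" requirement from the update concrete, here is a small metadirectory-style join and sync planner. This is an added illustration, not code from the post or from any vendor's product; the HR feed, the directory accounts and the `employee_id` join key are all constructed. It deliberately handles the start-date lag the post mentions: a directory account with no matching HR record is flagged for review rather than disabled or deleted, so a naive "absent from HR means leaver" rule cannot lock out a new hire whose HR record hasn't landed yet.

```python
"""Minimal metadirectory-style sync between an authoritative HR feed and a
directory (AD-like) account store.  Added example, not the post's code.
All records below are constructed sample data."""
from dataclasses import dataclass, replace
from enum import Enum


class Action(Enum):
    CREATE = "create"    # active in HR, no directory account yet
    DISABLE = "disable"  # terminated in HR: ripple down, but keep the object
    ENABLE = "enable"    # reactivated in HR after an earlier disable
    REVIEW = "review"    # directory account with no HR record: flag, don't touch


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class DirAccount:
    employee_id: str
    sam: str       # logon name in the directory
    enabled: bool = True


def plan_sync(hr, directory):
    """Join HR and directory on employee_id and return a list of
    (Action, employee_id) tuples describing what the sync should do.
    HR wins on existence and status; the directory is never the source."""
    hr_by_id = {r.employee_id: r for r in hr}
    dir_by_id = {a.employee_id: a for a in directory}
    plan = []
    for eid, rec in hr_by_id.items():
        acct = dir_by_id.get(eid)
        if acct is None:
            if rec.status == "active":
                plan.append((Action.CREATE, eid))
            continue  # terminated and no account: nothing to ripple
        if rec.status == "terminated" and acct.enabled:
            plan.append((Action.DISABLE, eid))
        elif rec.status == "active" and not acct.enabled:
            plan.append((Action.ENABLE, eid))
    # Accounts that HR does not know about (contractor, HR lag, orphan):
    # surface them for a human instead of deprovisioning automatically.
    for eid in dir_by_id:
        if eid not in hr_by_id:
            plan.append((Action.REVIEW, eid))
    return plan


def apply_plan(plan, hr, directory):
    """Apply the plan to a copy of the directory and return {sam: enabled}."""
    hr_by_id = {r.employee_id: r for r in hr}
    accounts = {a.employee_id: a for a in directory}
    for action, eid in plan:
        if action is Action.CREATE:
            # Constructed naming rule: first name, lower-cased.
            sam = hr_by_id[eid].name.split()[0].lower()
            accounts[eid] = DirAccount(eid, sam, enabled=True)
        elif action is Action.DISABLE:
            accounts[eid] = replace(accounts[eid], enabled=False)
        elif action is Action.ENABLE:
            accounts[eid] = replace(accounts[eid], enabled=True)
        # Action.REVIEW intentionally changes nothing.
    return {a.sam: a.enabled for a in accounts.values()}


# Constructed sample feed: Bob was terminated in HR, Carol is a new hire,
# Dave exists only in the directory (no HR record yet).
SAMPLE_HR = [
    HrRecord("e100", "Alice Example", "active"),
    HrRecord("e101", "Bob Example", "terminated"),
    HrRecord("e102", "Carol Example", "active"),
]
SAMPLE_DIR = [
    DirAccount("e100", "alice"),
    DirAccount("e101", "bob"),
    DirAccount("e103", "dave"),
]

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_HR, SAMPLE_DIR)
    for action, eid in plan:
        print(f"{action.value:8s} {eid}")
    print(apply_plan(plan, SAMPLE_HR, SAMPLE_DIR))
```

The planner is split from the apply step so the computed actions can be logged or reviewed before anything is written to the directory, which is the cheap place to catch an HR feed that arrived empty or truncated (a plan consisting entirely of DISABLE and REVIEW actions is a signal to stop, not to proceed).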


Anonymous said...

Rather than do a whole new post... (I think I've only done 6 today. Ouch!)

Actually I didn't mean to imply that you were actually saying that everyone should use AD for everything. My main point was actually that many of the same applications will be used for both small and large companies and we run into a lot of mid-size companies and agencies (well smaller than Global 2000) that have the same kind of integration issues.

It all comes down to a mismatch between application expectations and what really exists. This can happen in an all-Active Directory shop as much as anywhere. That said, there's certainly nothing wrong with applications having direct support for Active Directory if a company doesn't want to leverage this technology (which is actually easily embeddable by ISVs as well, I should point out).

Our strategy here at Oracle is certainly to do much of this integration under the covers with our virtual directory technology. The application administrator may not even notice they're using this technology in the simplest cases, but it's there to ensure that our customers aren't boxed in and left to do a bunch of custom coding when the default integration doesn't fit.

Ian said...

Nishant was the only one I gave a bum rap to? What about everyone else? I obviously wasn't trying hard enough! :-)

Seriously though, I didn't mean to, so apologies to Nishant if I came across that way.

By the way Matt, thanks for the comment. I'll take court jester over fool any day.

Matt Flynn said...

Clayton, that makes a lot of sense. If you can "black box" the virtual directory and make the experience seamless for customers while providing flexibility to choose from existing data stores, then that sounds like a great value-add for your customers.