18.03.2015 - 'do good and talk about it'-series, volume 5
Since 2001, WedaCon Informationstechnologien GmbH is helping its customers to reach their goals regarding everything related to identity and access management (and access governance, to be complete). In this series, we would like to give you as the valued reader a quick overview on what we have achieved. Other just call it 'Success Stories'. Today we will talk about...
Relational LDAP Services
Lightweight Directory Services are somewhat strict. They have a schema, which you have to follow. And they are read optimized, so perfect for access control and identity management.
But they lack a function that is available on databases: they are not relational, which means you have to have all required attributes and information on one object you will query. Sure, you can do more than one query, but nearly all systems using ldap require you to deliver all informations they request in ONE call.
In the real world, an employee (user) belongs to a department, which belongs to an organization (you can add more relations like countries, locations, costcenters, etc here). In our approach, we exactly link these elements together: a user is linked to a department, which is linked to an organization. Lets call them all 'Entities'.
Based on these relations, the entities can 'inherit' settings from each other. Why? Well imagine you can simply assign a new service (eg a group) to a department, and everyone in that department will get the service automatically. The department is renamed? Well - rename the department. And every user belonging to it is automatically updated.
Using an Identity Management system, we 'flatten' the relational data (directly on the event itself) from the related entities. That means an event like 'change organization name' is triggering the event 'Update the Organization-Information' on all users belonging to that organization. Within seconds.
The first relational LDAP implementation was done by us in 2008. Since then, this system is operating as expected. Additionally to that, we quickly found out that this implementation ca be served as a kind of 'virtualization layer', which de- couples the 'real' organization structure (often driven by financial aspects) from the requirements of IT-Systems and administration.
Today, we do not fear any organizational rebuild any more. We just adjust the relational rules and policies. A recent re-organization taking place at customer side affecting more than 1000 users took us just two days to adopt the system. New Organizations and departments are integrated within 1 working day.
And a complete provisioning of a new user with all rights and services assigned is happening with 2 minutes, targeting into more than 20 applications, services and databases.
Feel free to contact us via firstname.lastname@example.org