by Mark McCullough, Senior Technical Consultant at Taos
User Account Management (UAM) is a hard problem. Many people have tried to simplify this problem down to “Just use AD”, but that isn’t a one-size solution, nor does it address most of the issues of UAM.
To have an effective UAM framework requires cooperation from multiple departments. HR for example needs to provide the list of who is in the organization, when people leave. You need a clear system inventory.
Even the way to structure requests needs consideration, especially as many sites and tools have moved toward role based account management.
Once the structure is in place, the actual request framework can begin. A number of details should be identified in each request, enough to reconstruct four years later when your new sysadmin is preparing to transition an application to a new server, “Why are there active accounts named jsmith and dsix on this server with full access to oracle?” Avoiding such situations because jsmith left the company three years ago and dsix was a user who transferred to another department last year and never was supposed to have access to oracle is also critical.
Account provisioning, which many people suggest using Active Directory for, has many caveats; even though, for many, AD may be the right choice, it isn’t always the right choice. Authentication also needs to be considered. Passwords are a constant bane of users and support staff alike, despite their long tradition. The FTE hour cost of supporting passwords with the inevitable forgotten passwords every week may cause those alternative solutions, even pricier options like hardware tokens, to look quite attractive.
Above all, when building a UAM framework, sit down, think about each step in the process, and get management support. This isn’t an easy problem.