BPuhl’s Blog

A little bit of everything without actually being much of anything

Enterprise Identity

Posted by BPuhl on March 16, 2008

Active Directory can provide unique identity information within its scope. But sometimes, usually when applications are being developed, the identity requirements are a little bit more than what AD can provide.

For example, in your environment, do you have any identifier for a user, which you can guarantee is unique, and never reused throughout the lifetime of the enterprise?

This can be a hard question, because AD doesn’t (and arguably, shouldn’t) provide this kind of uniqueness in a way which is easily consumable by applications. Internally at Microsoft, quite a while ago, it was determined that a person’s employeeID number was going to be the piece of identity information which is guaranteed to be unique at any given point in time, and never reused over any span of time.

Interestingly, I recently had to write an Identity FAQ type of document for our application team explaining this little bit of trivia. It seems that in the absence of this knowledge, they had simply assumed that a person’s user name (samAccountName) was guaranteed to be unique, and hadn’t considered the impact of whether it could be reused. This has led to some interesting help desk calls, for example:

User Robert (call me Bob) Puhl works for Microsoft from 1995-1999 – user name, BPuhl

User Brian Puhl (me), gets hired into Microsoft in 2001 – user name BPuhl

When Brian goes to access several web applications, guess whose information and history in that application context are already there? Yup, Brian meet Bob.

Much of the time, we’ll think about the need for uniqueness within the environment “now”. If you’ve only got a single domain, then you might get away with samAccountName. But if you fail to consider the time factor, then reusing common attributes like user name can become nearly equivalent to reusing SIDs.
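To make the Bob/Brian problem concrete, here is an added example (not code from the original post) that models a tiny directory over time and an application profile store keyed on either samAccountName or employeeID. The directory records, years and event strings are constructed for the illustration; only employeeID is never reused, so only the store keyed on it keeps Bob’s history away from Brian. It also includes a small audit check that flags any attribute value shared by more than one employeeID.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DirectoryUser:
    employee_id: str          # never reused across the enterprise lifetime
    sam_account_name: str     # unique only "now"; may be reused after offboarding
    display_name: str
    hired: int
    left: Optional[int] = None

# Constructed sample directory (not real data): the login name BPuhl is
# released when Bob leaves in 1999 and reissued to Brian in 2001.
DIRECTORY = [
    DirectoryUser("100001", "BPuhl", "Robert (Bob) Puhl", 1995, 1999),
    DirectoryUser("100777", "BPuhl", "Brian Puhl", 2001),
]

def lookup(sam: str, year: int) -> DirectoryUser:
    """Return whoever holds the samAccountName in the given year."""
    for u in DIRECTORY:
        if u.sam_account_name == sam and u.hired <= year and (u.left is None or year <= u.left):
            return u
    raise KeyError(f"no active account {sam!r} in {year}")

class AppProfileStore:
    """Application-side history keyed on one directory attribute."""
    def __init__(self, key_attr: str):
        self.key_attr = key_attr
        self.history: dict = {}

    def record(self, sam: str, year: int, event: str) -> None:
        user = lookup(sam, year)
        self.history.setdefault(getattr(user, self.key_attr), []).append((user.display_name, year, event))

    def history_for(self, sam: str, year: int) -> list:
        return self.history.get(getattr(lookup(sam, year), self.key_attr), [])

def demo(key_attr: str) -> list:
    """Bob acts in 1997; Brian logs in in 2002 under the same login name."""
    store = AppProfileStore(key_attr)
    store.record("BPuhl", 1997, "approved expense report")
    store.record("BPuhl", 2002, "logged in")
    return store.history_for("BPuhl", 2002)   # Brian's view of "his" history

def reused_values(attr: str) -> set:
    """Audit check: attribute values that map to more than one employeeID."""
    seen: dict = {}
    for u in DIRECTORY:
        seen.setdefault(getattr(u, attr), set()).add(u.employee_id)
    return {v for v, ids in seen.items() if len(ids) > 1}
```

Keyed on samAccountName, Brian's history already contains Bob's 1997 entry; keyed on employeeID it contains only his own, and `reused_values("sam_account_name")` reports the reissued login name.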

One Response to “Enterprise Identity”

  1. Pam said

    Ohhh it can get waay more complicated than that. Imagine you have 3 critical enterprise identity stores. Let’s say one of them is an old and stupid financial system that can’t handle a login identifier of more than 7 characters, and within which identifiers have to be kept for 8+ years. Then you take your AD infrastructure which has an identifier retention period of 30 days. Then you add your help desk infrastructure, which is technically the system of record for both types of login identifier, but is only maintained via process, not actual integration… then you link a whole bunch of apps into AD, and have no business process to deprovision application access at the same time you offboard — then you hire and fire a whole bunch of people and don’t try to balance the identity books for a long time.

    And then you take into account that customers and employees have different retention periods, and that some but not all contractors are even in your financial system, and therefore may or may not have an 8-year retention policy attached… and GOD FORBID you’ve ever done a merger or acquisition where you actually had two historical sets of business process around onboarding, offboarding, and retention…

    And all of that in a single namespace, suddenly has to, for compliance reasons, be managed in an auditable way? Ha!

    That is why provisioning projects are expensive and complicated and take forever. This is not a problem that can EVER be solved in a cookie cutter way, because every single company evolves in a different way. If, however, we could create a methodology for new companies that would give them the practices to be organized from the START, well that would make a massive difference.

    Hmm… should blog about this…
