Friday 14 February 2014

A Journey from Customization to Standardization


It was a cold evening back in fall 2010 when a succinct but impressive cake-cutting ceremony was held at Oslo’s massive indoor stadium, Telenor Arena. The ceremony progressed with some speeches and presentations, leading to a delicious cake and refreshments. The gathering included brilliant IT Security and Identity & Access Management professionals, who were accompanied by personnel from other IT disciplines. Most of the audience showed great enthusiasm and asked very interesting questions, which those energetic professionals answered with great passion and confidence.

It was the launch ceremony of an application that received the Oracle Fusion Middleware Innovation award at Oracle Open World in the same year. The application was built on the concept of ‘Identity as a service’ for group companies and proved to be a great addition to the application portfolio of our Shared Services organization.

Customized GUI on top of Oracle Identity Manager

The application was built as a customized layer upon Oracle Identity Manager 10g and offered user-friendly Certification audits and Access Request Management, powered by a multi-tenant architecture. The features were a bit ahead of their time in the IdM world and were the key reasons for building a customized layer on top of Oracle's standard solution. It was not the first time that we had built a customized application using the APIs of the standard identity manager; we had already done so in the form of a “user creation management GUI” on top of Oracle Identity Manager 9i.

Shortcomings of the Customized Solution

Customization results in a product built to the customer’s wishes and fulfills requirements more precisely, but we have to accept that the technology has matured somewhat recently and that companies are now offering off-the-shelf solutions that are better than the traditional tailored products.

The following are the major shortcomings of the customized solution that we faced.

  • A tailored solution is always more expensive than an off-the-shelf product. The logic is simple: a customized product is made for a single customer, and consequently all development expenses are borne by one entity.
  • Upgrading to a newer version is always a big challenge when using a customized solution, but it becomes even bigger when the customization is heavily dependent upon the application interfaces (APIs and Web Services). I still remember the mayhem while upgrading from OIM 10g to OIM 11gR1 :)
  • Maintenance and development of a customized solution (application) requires considerable time and resources compared to the standard solution. A dedicated team of programming geeks is a must for successfully running a tailored solution. Another relevant challenge is the training and coaching of newly hired resources. Every time a new resource is hired to fill a vacant position, hands-on training is required for them to understand the architecture and approach used for the customization.
  • The product support community does not offer any support for a customized product, so if you hit a bug or challenge in your customized solution, you will be the only one to resolve it.
  • Many solution providers admit that customization has resulted in slow performance of their application instances. The allowed customization approaches use standard APIs or related interfaces to interact with the core application, and these have always been considered performance degraders because of the overhead applications impose on external interfaces. This challenge is not unique to Identity Management; similar feedback has been reported by experts on other products, i.e. Oracle E-Business Suite and Oracle SOA Suite.


Oracle’s Beta Testing Program

The Beta Testing Program is a joint venture featuring Oracle and its customers. This initiative provides a structured approach to including users of Oracle applications from selected organizations in the Beta Testing Programs. The overall goal is to allow selected users to perform in-depth testing and analysis of Oracle's new products and releases in order to help Oracle deliver better products to market. As beta testing participants, testers perform in-depth testing of the next generation of Oracle products. This also helps them build a personal knowledge base, become industry-recognized technology leaders, and help influence Oracle's future product direction.

Our organization, as a Shared Services Solution Provider of Identity and Access Management, was also involved in the beta testing of patch set 2 (PS2) of the Identity and Access Management suite 11gR2. The focus area on our side was limited to Identity Governance, more specifically the features of Multi-Tenancy and Access Request Management. (See my article on PS2 features for more detail.)

Decommissioning of the Tailored Layer and Rollout of the Off-The-Shelf Solution

It's a common misunderstanding that boundaries limit creativity. It may sound unreasonable, but boundaries can actually boost creativity. Instead, we need to impose boundaries by tightening our processes, and one way to achieve this effectively is with Off-The-Shelf solutions.

As our involvement in the beta testing program gave us confidence in the much-awaited functionalities, last week we decided to decommission the customized layer by moving its functionalities into OIM 11gR2 PS2. The work has actually started, and the intention is to complete it before the summer vacation of 2014. We're crossing our fingers and hoping that the rollout of the Off-The-Shelf solution goes fine.

Tuesday 4 February 2014

Oracle Identity Manager – Gleaming with New Dimensions

The year 2014 began with the release of patch set 2 (PS2) for the Oracle Identity and Access Management suite 11gR2, and it was a pleasure and a moment of fulfillment to have been involved in its beta testing for over 2 months.

I believe that open and transparent two-way communication should be an integral part of our daily lives; I thus continually strive for customer satisfaction, and I felt fully responsible for conveying the customer’s voice, as experienced by a Shared Services Solution Provider of Identity and Access Management to group companies operating around the globe.

It was a very worthwhile experience to be actively involved in the beta testing, which also included enhanced and interesting features for Access Manager and Entitlements Server, though our focus area was limited to Identity Governance.

The only purpose of prioritizing the Identity Governance module was to explore the most desired features, which the application had lacked since its inception and whose absence had led our organization to introduce a complex customized layer on top of the standard OIM architecture. Let’s skip the details of the customized layer, which I intend to cover in another article. Here I shall try to focus on the features of Identity Manager 11gR2 PS2 and elucidate the business drivers of the new release.

Shared Services for Governance

Multi-tenancy is the most important driver of the new release. It lets users belonging to different organizations have their own policies for self-registration, notifications, password management, user creation rules and relevant shared service features. The functionality, often called Dynamic membership, also allows users to become members of multiple organizations.

The much-awaited part of the functionality is the ability to publish application instances at an organization level and/or a sub-organization level to secure the scope of access request management.

Multiple views of the Catalog

The second important driver of the release is the customer requirement to present criteria-driven Catalogs, e.g. Catalogs by country, by employment type, or Catalogs showing only the entitlements for an application.

Complex Entitlements support

Some applications, e.g. eBusiness Suite, Database and Citrix, require additional information to be provided along with the request for provisioning of accounts and entitlements. PS2 addresses this by offering the ability to add additional attributes in the cart.

Another interesting feature allows users to upload complex hierarchical metadata about an entitlement. An example would be showing users the SharePoint folders or Windows file shares that they can access when granted a group.

UI Simplification

UI Simplification has been a continuing agenda item for Oracle’s Identity Management product and is further improved in PS2. Support for additional attributes on cart items, cloning requests, draft requests, removal of the dependency of Entitlements on Accounts, Catalogs with pre-defined beneficiaries, hierarchical Catalogs and multiple views of the Catalog all contribute to UI Simplification.

It should be admitted that for many Identity Management customers, slow performance had been a major challenge for end-user self-service. The good news is that the PS2 release introduces a new ADF skin, Skyros, which contains lightweight components. Performance is improved by showing only relevant information instead of everything, with additional information available only through inline dialogs.

Other salient features of PS2 Identity Manager are listed below:

  • Improved Diagnostics: Fusion Middleware control as the Operational console
    • Administrators can see the defined operations (Orchestrations)
    • Can see the OOB and customer-defined Event Handlers, their state as well as errors, if any
    • Can drill across into the BPEL workflow or OIM request
    • Can drill into child orchestrations
  • Oracle Identity Analytics (OIA) 11g customers can migrate completed Certifications into Oracle Identity Governance Platform
  • Configurable workflows allowing customers to extend Access Certification and introduce additional levels of approval
  • Improved SSO support towards OpenSSO, Tivoli Access Manager, CA SiteMinder and XIMDD
  • Improved sandbox functionality
  • Enriched self-service personalization features