The directory and database infrastructure in most organizations is a tangled web of identity information. According to Microsoft, the average user needs to be provisioned into 16 directories or databases upon hire. A disturbing side-note is that the same user is de-provisioned from only 10 directories or databases upon termination.
But what I’m more interested in for this post is how you make sure that every single data repository in that tangled mess is accurate. For example, there is absolutely no reason for home address information to be entered into more than one database when you can be reasonably assured that your HRIS holds the authoritative copy. The same goes for department and title: they should always be accurate in your HR system.
And there is the key: on the back end of that HR system is a database, whether it is SQL, Oracle, or an Excel spreadsheet. Once you have identified the authoritative source for certain user attributes (identity information), you can easily synchronize that data between the database and Active Directory or any other database that needs the information.
And you might need to synchronize bi-directionally as well. For certain pieces of information the authoritative source is none other than your end user (some would call them employees). If you offer a web-based Active Directory front end for self-service, you can have your users update information like mobile phone number or emergency contact and have that synchronized from AD to any other SQL, Oracle, SAP or other database that needs the information.
The meta-directory is supposed to solve this issue, creating a huge mass repository of all identity information, enabling IT to be the all-seeing eye into every last bit of a user’s identity. But, in my experience, this type of solution only works with large companies with a lot of resources to throw at a problem. And that is because you NEED a lot of resources for it to work. With a carefully constructed plan of where your authoritative data for certain attributes is and an easily managed codeless synchronization tool, you can ensure that data in all of these sources is correct.
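The planning step described above, choosing one authoritative source per attribute and then synchronizing in the right direction, is small enough to show in code. The following is an added example and is not code from the original post, from Imanami or from GroupID: it models an HR export and a set of AD accounts as plain dictionaries (sample records are constructed), assumes `employeeID` is the join key, and computes which values flow HR to AD and which flow AD back to HR. The one deliberate design choice is that a self-service change to an HR-owned attribute such as `title` is never written back; it is overwritten from HR and logged as drift, because a self-service front end should not be able to promote someone.

```python
from dataclasses import dataclass, field

# Per-attribute ownership: exactly one system is allowed to be the source of truth.
# HR owns identity facts it vouches for; the end user (through the AD self-service
# front end) owns contact details only they can know. Assumed mapping for this example.
AUTHORITATIVE_SOURCE = {
    "streetAddress": "hr",
    "department": "hr",
    "title": "hr",
    "mobile": "ad",
    "emergencyContact": "ad",
}

# Constructed sample data. In practice HR_RECORDS comes from the HRIS database export
# and AD_RECORDS from an LDAP query; both are keyed by employeeID, never by display name.
HR_RECORDS = {
    "1001": {"streetAddress": "1 Main St", "department": "Finance", "title": "Analyst",
             "mobile": None, "emergencyContact": None},
    "1002": {"streetAddress": "2 Oak Ave", "department": "IT", "title": "Engineer",
             "mobile": "555-0100", "emergencyContact": "Pat"},
    "1003": {"streetAddress": "3 Elm Rd", "department": "Sales", "title": "Rep",
             "mobile": None, "emergencyContact": None},  # hired, no AD account yet
}
AD_RECORDS = {
    "1001": {"streetAddress": "1 Main St", "department": "Finance", "title": "Director",
             "mobile": "555-0199", "emergencyContact": None},  # title edited in AD
    "1002": {"streetAddress": "2 Oak Ave", "department": "IT", "title": "Engineer",
             "mobile": "555-0100", "emergencyContact": "Sam"},  # user updated contact
}


@dataclass
class SyncPlan:
    to_ad: dict = field(default_factory=dict)   # employeeID -> {attr: value} to write into AD
    to_hr: dict = field(default_factory=dict)   # employeeID -> {attr: value} to write back to HR
    drift: list = field(default_factory=list)   # (employeeID, attr, ad_value, hr_value) for
                                                # HR-owned attributes that were changed in AD


def plan_sync(hr_records, ad_records, ownership=AUTHORITATIVE_SOURCE):
    """Compare both sides attribute by attribute and decide the direction of each fix."""
    plan = SyncPlan()
    for emp_id, hr in hr_records.items():
        ad = ad_records.get(emp_id)
        if ad is None:
            # Provisioning new accounts is a separate workflow; only existing accounts sync.
            continue
        for attr, owner in ownership.items():
            hr_val = hr.get(attr)
            ad_val = ad.get(attr)
            if hr_val == ad_val:
                continue
            if owner == "hr":
                # HR wins unconditionally. A differing AD value means someone edited an
                # HR-owned attribute in the directory, so record it for review.
                plan.to_ad.setdefault(emp_id, {})[attr] = hr_val
                if ad_val is not None:
                    plan.drift.append((emp_id, attr, ad_val, hr_val))
            elif ad_val is not None:
                # User-owned attribute flows back to HR. An empty AD value is treated as
                # "not yet entered" rather than as an instruction to blank the HR field.
                plan.to_hr.setdefault(emp_id, {})[attr] = ad_val
    return plan


def apply_plan(plan, hr_records, ad_records):
    """Apply the computed updates in place; returns the number of attribute writes."""
    writes = 0
    for emp_id, changes in plan.to_ad.items():
        ad_records[emp_id].update(changes)
        writes += len(changes)
    for emp_id, changes in plan.to_hr.items():
        hr_records[emp_id].update(changes)
        writes += len(changes)
    return writes


if __name__ == "__main__":
    plan = plan_sync(HR_RECORDS, AD_RECORDS)
    print("HR -> AD:", plan.to_ad)
    print("AD -> HR:", plan.to_hr)
    for emp_id, attr, ad_val, hr_val in plan.drift:
        print(f"drift: {emp_id}.{attr} was changed in AD to {ad_val!r}; HR says {hr_val!r}")
    print("writes applied:", apply_plan(plan, HR_RECORDS, AD_RECORDS))
```

Running the example reports one HR-to-AD correction (the `title` that had been changed in AD is reset to what HR says, and the change is logged as drift), two AD-to-HR write-backs (a mobile number and an emergency contact the users entered themselves), and nothing for the employee who has no AD account yet. The drift list is the part worth reviewing: an HR-owned attribute that keeps changing in AD points at a process gap, or at someone with more write access to the directory than they should have.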
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
I would agree 100%. Does a tool like this exist, or some insight as to how to make it happen?
Scott,
Actually, Imanami has a product, GroupID, that does exactly what we describe in the blog post. If you would like, I can have someone from our sales team give you a demo of the product or you can take a look at our YouTube channel for some short product demos.
You can also view our product descriptions on our web site.