Just-in-Time Access Provisioning

While I was in college I worked summers for a glass company. My job was in the engineering drafting department, where I drafted furnace parts, conveyor belts and paint bands that hide the goo used to stick your windshield to your car. During this time American automakers were struggling to cope with the explosion of Japanese imported cars. Japanese cars had a reputation for low cost and good quality, but the Japanese automakers also had a secret weapon that made them more efficient – Just-in-Time manufacturing.

Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car. This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept to steal market share away from IBM and Gateway, who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so is applying the Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access, the access attempt kicks off a self-service request process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request-access feature. The challenge I see with SharePoint is that it only allows generic requests: the user cannot select the level of access they want, and it does not tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also cover more than just SharePoint; file, folder and application access are also desperately needed.

Today we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider. The provider not only integrates authentication using SAML between AD users and Google Apps, it can also trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved, a Google account is created. The next time the user points his/her browser to the Google Apps URL, the Provider seamlessly authenticates the user by mapping the AD user to the Google account and creating a SAML token that automatically signs the user into their Google Apps account. We created a video showing the process so you can see how this works. The original was a little long and choppy at some points, so I cut it down to about 2 minutes.
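The request-and-grant flow described above (an access attempt with no existing account opens a self-service request, an approver decides it, and the next attempt succeeds) as an added example; this is not ActiveRoles or Quest code. It models the two things the post says SharePoint's request feature lacks, letting the user pick an access level and see the state of their request, and adds a time limit on each grant plus a rule that a requester cannot approve their own request. The user names, the resource name and the access levels are constructed for the example.

```python
"""Added example (not ActiveRoles code): a minimal just-in-time access
provisioning flow. An access attempt by a user with no mapping opens a
self-service request; once an approver grants it, a time-limited mapping
is created and the next attempt succeeds. Names and levels are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Ordered from least to most privilege (constructed; the post names no levels).
ACCESS_LEVELS = ("read", "contribute", "admin")


@dataclass
class AccessRequest:
    user: str
    resource: str
    level: str
    state: str = "pending"            # pending -> approved | denied
    approver: Optional[str] = None


@dataclass
class JitProvisioner:
    # (user, resource) -> (granted level, expiry); stands in for the AD-to-app account mapping
    grants: Dict[Tuple[str, str], Tuple[str, datetime]] = field(default_factory=dict)
    # (user, resource) -> most recent request, so the user can always see its state
    requests: Dict[Tuple[str, str], AccessRequest] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)

    def attempt_access(self, user: str, resource: str, level: str = "read",
                       now: Optional[datetime] = None) -> str:
        """Called on every access attempt. Returns 'granted', 'pending' or 'requested'."""
        now = now or datetime.now(timezone.utc)
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        key = (user, resource)
        grant = self.grants.get(key)
        if grant is not None:
            granted_level, expiry = grant
            # An unexpired grant at this level or higher lets the user straight in.
            if expiry > now and ACCESS_LEVELS.index(granted_level) >= ACCESS_LEVELS.index(level):
                self.audit.append(("access", user, resource, level, now))
                return "granted"
        pending = self.requests.get(key)
        if pending is not None and pending.state == "pending":
            return "pending"          # do not open a duplicate request
        # No usable grant: kick off the self-service request at the level the user chose.
        self.requests[key] = AccessRequest(user, resource, level)
        self.audit.append(("requested", user, resource, level, now))
        return "requested"

    def status(self, user: str, resource: str) -> str:
        """What the user sees when asking about their request."""
        req = self.requests.get((user, resource))
        return req.state if req else "none"

    def decide(self, approver: str, user: str, resource: str, approve: bool,
               ttl_hours: int = 8, now: Optional[datetime] = None) -> str:
        """Approver decides a pending request; approval creates a grant that expires."""
        now = now or datetime.now(timezone.utc)
        req = self.requests[(user, resource)]
        if approver == user:
            raise PermissionError("requester may not approve their own request")
        if req.state != "pending":
            raise ValueError("request already decided")
        req.approver = approver
        req.state = "approved" if approve else "denied"
        if approve:
            self.grants[(user, resource)] = (req.level, now + timedelta(hours=ttl_hours))
        self.audit.append((req.state, user, resource, req.level, approver, now))
        return req.state


def demo() -> List[str]:
    """Walk the flow with constructed users and a constructed resource name; returns each outcome."""
    p = JitProvisioner()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    out = []
    out.append(p.attempt_access("alice", "google-apps", now=t0))                 # no mapping -> requested
    out.append(p.attempt_access("alice", "google-apps", now=t0))                 # retry -> pending
    out.append(p.status("alice", "google-apps"))                                 # user sees -> pending
    out.append(p.decide("bob", "alice", "google-apps", True, now=t0))            # approver -> approved
    out.append(p.attempt_access("alice", "google-apps", now=t0 + h))             # mapping exists -> granted
    out.append(p.attempt_access("alice", "google-apps", now=t0 + 9 * h))         # grant expired -> requested
    out.append(p.decide("bob", "alice", "google-apps", True, now=t0 + 9 * h))    # approved again
    out.append(p.attempt_access("alice", "google-apps", "admin", now=t0 + 10 * h))  # higher level -> requested
    out.append(p.attempt_access("alice", "google-apps", "read", now=t0 + 10 * h))   # read still valid -> granted
    try:
        p.decide("alice", "alice", "google-apps", True, now=t0 + 10 * h)
    except PermissionError:
        out.append("self-approval-rejected")
    return out


if __name__ == "__main__":
    print(demo())
```

In the product described above the grant would be a newly created Google account plus the AD-to-Google mapping the SAML token is built from; here it is just a dictionary entry with an expiry, which is the part a reviewer should insist on so that just-in-time access does not quietly become permanent access.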

Video: ActiveRoles Access Provider

6 thoughts on “Just-in-Time Access Provisioning”

  1. Pingback: Just-in-time Google Apps Provisioning « CloudEnterprise.info

  2. Pingback: Federation Service 2.0 is now Shipping – Bobel's Active Directory, Identity, Entitlement & Access Blog

  3. Very cool. I would love to see this integrated into Quest PuTTy/Authentication Services so when a user tries to SSH (or any protocol–Apache, SAP) into a Unix box to which he does not have access it would bring up the ARS access form.

  4. Time. The final frontier ….

    the fourth dimension of Access Controls …
    This is the four year mission of starship ‘Enterprise (Identity & Access Management)’

    We began this mission managing access to Windows with EDM (remember that?!?) – and here we are provisioning access using ActiveRoles Server for Unix Systems. Man oh man.

    Our goal for ‘Justin’ – is focused on elevated privilege. Self-Service fulfillment of access to shared data over the self service portal will be sufficient … but as Matt indicates – provisioning ‘Justin’ for elevated access to Unix, Windows, Mainframe … and any other ships on the event horizon … would be awesome. ( barring spatial anomalies )

  5. Pingback: Federation, SAML and a client conversation | www.idmwizard.com
