Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car.  This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept steal market share away from IBM and Gateway who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access – the access attempt kicks of a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider The provider not only integrates authentication using SAML between AD users and Google Apps, it also can trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved a Google account is created. The next time the user points his/her browser to Google Apps URL the Provider seamlessly authenticates the user by doing an account mapping of AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points so I cut it down to about 2 minutes.

 Video:ActiveRoles Access Provider

To register visit: http://www.quest.com/events/listdetails.aspx?contentid=10866&searchoff=true&technology=&prod=183&prodfamily=&loc

You would think this would have been obvious from the start, but after reading the actual compliance equipments themselves it is easy to see why this causes so many people trouble. For example, the Sarbanes-Oxley Act of 2002 (SOX) was created to protect shareholders of public companies from financial miss-doings that could impact their investment. I will spare you the joy of reading section 404 of the SOX requirements which deals with the IT aspect of compliance and simply tell you, you would be underwhelmed by the lack of detail and direction it contains.

 What is clearly spelled out in SOX is that the owner of an application or data should be responsible for controlling access to that owner’s resource and further there needs to be a set of controls to make sure this happens. The reasoning is simple, the application or data owner is in the best position to know and understand the business justifications for granting access to their resource. SOX doesn’t recommend what type of controls are needed only that they must exist.  

The lack of detail around IT controls – leaves everything open to interpretation as to what is required on the part of IT to comply with the regulation. Because experience and competence varies by auditor and IT team, recommendations can be anything from a paper-based procedures to implementing a new compliance layer of audit software or worse. The directory owners I see who are able to achieve sustained compliance implement software based process controls. These software based controls should always automate and enforce governance be self-document and should support real-world demonstration that the controls are in place and effective. Once these controls are in place audit preparation time drops to hours rather than the weeks or months a first audit typically would require.