Identity and Access Management Myths

Last modified 15 Jan 2025 17:03 +01:00
Logo

There are often practices and ideas that are very common - and very wrong. They are used often, but they usually fail miserably. These are the IAM myths, misconceptions, antipatterns and pitfalls. Identity and access management is not a simple field, that are many obstacles and complexities to handle. Quite understandably, there are many ways to do thing incorrectly, many dead ends. Due to the complexity, the dead ends are often not very obvious. Implementation teams may spend years, only to find out that the huge invested effort was utterly pointless.

This section of the documentation documents IAM myths - for you to be able to avoid them. Each myth starts with an idea that may look good at first sight. However, it ends up in tears.

Myth Description

AI Will Fix It

Artificial intelligence (AI) will do it for us. It will make better decisions than we do. It is going to save us!

DIY IDM

Building homebrew identity management solution may look like a great idea, but it is not. It is complex, expensive and frustrating experience.

Everything in LDAP

Storing all identity data in a single directory server may look attractive. It may even work for some simple cases. However, it usually leads to a complete mess in a long run.

Identity Management Big Bang

Deploying identity management solution in one big project was a very common approach back in 2000s. Despite numerous expensive failures, this approach is still tried even today.

Identity Solution Deployment Project

Identity cannot fit into a project. It is a never-ending program that constantly evolves.

IGA Means Accounts

Identity governance and administration (IGA) is not about account synchronization. It is about policies, policies for access control and business-oriented governance policies.

Indirect Access

Creating a specialized table, database view or special-purpose API in from of your identity resource as a facade may look like a great idea, aligned with software architecture best practice. However, it usually complicates things quite a bit.

Login Roles

Creating special-purpose roles that provide basic account properties was a common practice in old IDM systems from 2000s. This complication is not necessary any more.

My Data Are Perfect

No dataset is pefect. There are gaps and inaccuracies, which may have quite disastrous effects for IAM automation.

Policies Are Easy

Policy definitions may look easy. There is a simple policy language that can easily describe anything. That sounds great, but it is not true. Policy definition is hard, complex and messy endeavor.

Provisioning Interface Abuse

Modern identity management systems have cool APIs, just waiting to be used for variety of purposes. However, such APIs are both easy to use and easy to abuse, leading to serious headaches down the road.

RBAC Is Static

Role-based access control (RBAC) is a well-known static access control model - or at least it was, back in 2000s. Modern RBAC models significantly evolved the concept, bringing dynamic and policy-driven approach.

SSO First

Single sign-on (SSO) is the first IAM component to deploy, as it brings the most value for the users. Unfortunatelly, it also brings nightmares for deployment engineers.

Universal Provisioning Interface

It is very tempting to design an universal provisioning interface, a standard way to provision accounts to any kind of system. However, it is much harder than it looks. Quite surprisingly, it is usually a very bad idea to even try.

Was this page helpful?
YES NO
Thanks for your feedback