Methodology: First Steps With MidPoint: Kick-Off

Last modified 09 Jun 2022 16:43 +02:00
Table of Contents
Assess your resources, capabilities and goals. Set your target. Decide whether the project is feasible. Make a rough plan. Get long-term support from management. Secure budget.

You have to start somewhere. At this point, you probably have a very rough idea what you want to achieve. However, all the details are missing. The goal of this step is to fill some details in, make a plan, set up project structure and secure necessary resources.

Start with a brainstorming or "kick-off" meeting. Gather all the people in your organization interested in identity management. This does not have to be a formal team. The project is not formally established anyway. Gather all the people that have something to say.

You will probably need to engage following persons:

  • Senior IT engineer or an architect. Identity management is touching many things, you want someone with broad perspective and IT experience.

  • Active Directory administrator, or an administrator of a critical IT systems that you want to manage.

  • Someone from HR, or any person that is somehow familiar with HR practices. HR is going to be your information source, you need someone that can help you assess impact of HR practices on your project.

  • Security professional. Identity management is intimately related to information security. There may be policies, constraints and goals given by company security policy, which you should definitely consider in your plans.

In fact, especially in smaller organizations, this can a "meeting" of just a couple of people over the cup of coffee. This can be a series of meetings. Do whatever suits your organizational culture the best.

The paragraphs below contain a lot of questions. It is not an exhaustive list; there may be others. You do not need to know all the answers before starting the project. The questions are provided as starting points for discussion. Yet, you need to know there will be questions that need to be answered eventually, in one of the iterations. The answers to the questions (or lack of them) may influence the speed and quality of the project.

The results of the initial meeting/kickoff/brainstorming should be:

  • Identify data source, which will probably be HR system. Discuss the data the HR has, their scope and quality. Do they have data on all employees? Do they have also a data on contractors? How and how often are the data updated and maintained. E.g. how are records of new employees enrolled? How are data of former employees handled? Are the records deleted, marked as inactive, set a lay-off date or something else? What is the unique identifier of HR record? Is its uniqueness guaranteed? What happens if former employees return to the organization again? Are they considered new record with new identifiers or are their original HR records reused?

    You will probably get CSV export of HR data, or perhaps a database table/view. Both are perfectly fine, at least for now. Request a sample data from the HR people, to make sure data formats will work for you. If possible, request several sample data exports from HR (e.g. daily, weekly) to see the trends in data (e.g. if it contains also former employees, approximate number of changes etc.)

  • Identify data target, which will probably be Active Directory (AD). Discuss the structure of AD users with the administrator. Are all the users in a single organizational unit in the AD? Are there several organizational units? How is the AD username created? Are there any conventions to generate username? Are there exceptions to these conventions? Is there a reliable identifier stored somewhere in the user account? Maybe an employee number is conveniently stored in employeeNumber attribute? Have a look at live AD data, selecting few examples (such as your own account), roughly assessing the situation. Compare that with the HR data sample. This may help you to see how much HR data is actually part of AD attributes, and you should have at least some data transformation ideas.

    Discuss the practices of creating an AD account. Are there any special procedures or manual steps that take place? How is the initial password set, how is it delivered to the user? Is there a need to create a home directory, file share, mailbox? What is the procedure to delete/archive account? Discuss which steps would be nice to automate, and which are best left for manual action.

  • Discuss security. Discuss the limitations, requirements and wishes given by the information security policies.

    Do not overdo it. This is very important. Security professionals tend to provide long lists of non-negotiable security requirements that need to be satisfied right now. Do not get distracted to theoretical discussions of information security. Discuss the practice, the current state, the day-to-day reality. Be honest to yourself. Do not pretend that you have perfect security while the reality is vastly different.

    Goal of identity management is to improve real security, not to pretend that the security is perfect while it is not. Do not try to satisfy all the security requirements and requests immediately. Make a plan to address the requirements in iterations. It is too early to focus solely on security at this point. Basing security on wrong data is no security anyway, it is just false sense of security. You need to put your data back in line first, then built up from there.

  • Discuss other data targets (optional). What other systems would you like to connect to your identity management deployment in the future? Consider just the big picture for now. You do not need to go to all the details. Just roughly set the scope, listing and prioritizing the systems. Although this kind of perspective is completely optional, it is a huge benefit for planning and budgeting.

  • Discuss resources, timing and rough plan. Keep you plan realistic. Identity management requires systematic approach, time and a lot of patience. Too many projects have failed due to unrealistic plans and expectations. Plan modest results, delivered in few months. Then proceed in iterations, delivering improvements every few months. Prepare for a long run. This is not a project, with a specific start and end. This is a program. It starts now, yet it has no end. Discuss who will lead the program, what people will need to be involved, other resource that you will need.

  • Discuss money. You will need money, even if you plan to do most of the work internally. You will need training, assistance and support. Plan a recurring budget, sustainable funding for many years to come. Having a modest budget every year can lead to a successful identity management program. Having a generous budget for year one and no budget after that is a certain way to an expensive failure.

As we mentioned, you do not need to have all the answers to all the questions at this point. We will get to that later. What you need is an overview of your situation. It is perfectly OK to leave a lot of blank spaces in your plan now. The important thing is to know that you have a lot of black spaces that need to be filled in later.

Maybe you will need some time to get your plan straight. Take your time. Learn and explore in the meantime. Do some read-up on identity management. Watch videos. Download midPoint and have some fun. If you are a hands-on type, create a small prototype. All of that will help you better understand your problems, and also the tools that you have at hand. Gather your collaborators again, update your plan as necessary.

Now comes the most important step. Talk to your management. Make sure that the management understands importance of identity management for your organization. As identity management touches many parts of the IT infrastructure as well as business processes and organizational procedures, support from your management is critical for success. You will also need time and money. Make sure there are human resources and appropriate budget allocated for your project. Do not exaggerate, do not oversell. Provide honest plan and estimates, set realistic expectations. Identity management is a long run, any kind of hype or exaggeration is very likely to backfire in the future. Get a green light - for a long program, not just for a short project.

Now, you are ready to go.