This section provides specific business requirements to consider for Access Manager (that is, which business requirements imply a need for an Access Manager solution).
Sun JavaTM System Access Manager is a complex, distributed identity management system that, when properly deployed, secures access to a wide variety of data and services spanning an enterprise’s organizations. To ensure proper control over corporate resources, appropriate planning of the deployment process is required. This chapter offers information about how to plan the deployment, including:
Because an identity management solution involves a broad variety of systems throughout an organization, proper Access Manager deployment requires a variety of resources. The following corporate resources will be involved or required in the deployment process.
You should consider the various business and political relationships within an organization. A team of individuals should be assembled with a direct or matrixed reporting structure. Typically, Access Manager deployments have small teams that might consist of a project manager and several dedicated System Administrators. These people report to the Team Lead and further up to an owner who has responsibility across a number of related projects and often reports directly to an executive sponsor. This group is often augmented by virtual team members consisting of Sun technical resources, and LOB Application Administrators, which are used as required.
While this structure might not meet your exact needs, it does represent a fairly typical deployment team model. Although not necessarily distinct individuals, the following abstract technical roles representing various skill sets further define a typical Access Manager deployment team.
Successful identity management deployments traditionally cross organizational and political boundaries, which requires buy-in and support from those setting direction for the company. It is critical that executive sponsorship be in place. Planning meetings are an important process for gaining insight from those with a vested interest in the deployment. As the project plan is developed, ensure that its deliverables are inline with the goals of the company as a whole. For example, if cost reduction is a core business driver, collect statistics on current identity management costs and then determine costs such as using the help desk for password resets? Having tangible statistics available can help define a specific return on investment (ROI) as the deployment team attempts to gain executive support. Other company issues that might be relevant include:
Who benefits from the identity management deployment?
What organizational problems does an identity management solution solve?
How does the company address internal issues that might slow the deployment?
Often the identity management concepts and the value of an Access Manager deployment must be related to other executives. A business and technology evangelist can sell the new infrastructure to executives, helping to drive the demand for integration and aid in the acceptance and ultimate success of the infrastructure changes.
A team lead should be chosen as the party responsible for the project’s success. The team lead must be in charge and have the authority to make the project’s goals happen. The team lead might be a logically distributed role, perhaps between a technical lead, a project manager, and an executive. However you define this role, the goal is to show continued progress and demonstrated success throughout the deployment process to maintain executive sponsorship.
A project manager is responsible for the coordination of schedules. The project manager maintains a schedule that correlates the availability of services, support provided by the core IT group and the integration of the various line-of-business (LOB) applications. This person must have strong communication skills and understand the political aspects of the company. The project manager must also balance the needs of the internal customers with the availability of resources in order to support new applications joining the environment.
LOB applications are vital to running an organization. They are generally large programs with capabilities that tie into databases and database management systems. They can include accounting, supply chain management, and resource planning applications. Increasingly, LOB applications are being connected with network applications that have user interfaces and with personal applications such as e-mail and address books.
A systems analyst is responsible for assessment and categorization of the various data and services to be integrated into the Access Manager deployment. The systems analyst interviews the LOB application owners and gathers details on technical requirements including platform, architecture, and the deployment schedule. With this information, the systems analyst formulates a plan about how the application will be integrated into the deployment in order to meet their customer’s requirements. The systems analyst must be an IT generalist, with broad knowledge of various application architectures and platforms. Detailed knowledge of Access Manager architecture, services, agents, and APIs is also required.
LOB application administrators are technical specialist with intimate knowledge of, and control over, the LOB application and are responsible for integration of the Access Manager policy agents, or policy enforcement point, into their application. They must clearly communicate the LOB application’s architecture, its integration points, and appropriate schedules. They are typically responsible for defining the access control model represented in Access Manager policies. They might perform custom programming to enhance the integration between Access Manager and their application (for example, session coordination). Finally, they are generally responsible for quality assurance (QA) and the regression testing of their application within the newly-deployed environment.
It is critical that appropriate resources are in place to deploy and maintain the availability of Access Manager. System administrators are required at the following levels. Additional administrators might also include a web container administrator who is responsible for the deployment and performance of the software container in which Access Manager is deployed.
The Access Manager administrator is responsible for the deployment and maintenance of Access Manager. This administrator assures the availability of the common services, provides necessary enhancements to the infrastructure in general, and configures policies and roles in particular. This administrator also helps support integration efforts by developing guidelines, and offers technical support to the LOB application administrators. An understanding of Java, XML, LDAP, HTTP, and web application architectures is critical.
Corporate directory services used for authentication and authorization are often already managed by a group within the organization before the Access Manager deployment is even considered. The Directory Server administrator is responsible for the availability of the directory services, as well as for accepting and integrating additions or modifications to the currently defined LDAP schema and identity data, including changes that are required to support the identity management infrastructure.
Large organizations typically find economies of scale by separating hardware, operating system, data center, and network administration from middleware administration. If this is the case in your company, it is essential that there is clear communication between these various administrators. It may be critical to the deployment’s success to have access to certain machines or to establish certain network configurations; keeping these administrators aware of project milestones and requirements can facilitate a smooth rollout.
Sun Microsystems and other independent software vendors (ISV) are critical partners in the successful deployment of Access Manager. Purchasing packaged software allows an enterprise to diminish and distribute the cost and risk of software development across multiple organizations.
An ISV makes and sells software products that can run on one or more types of computer hardware or operating system platforms. The companies that make the platforms (for example, Sun, IBM, Hewlett-Packard, Apple, or Microsoft) encourage and lend support to the ISV.
It is in the best interest of all parties involved for ISV to develop cooperative relationships and drive successful deployments. Engage Sun technical services and other ISVs to help bootstrap the project and to convey knowledge they have gained from previous Access Manager deployments. Using technical services, as well as an open discussion with your account team (who can act as an intermediary between Access Manager engineers and your deployment team) can help insure your investment and a successful deployment.
If you are planning on leveraging the Federation Management capabilities of Access Manager, you will be collaborating with external partners and third party affiliates. Consider an initial deployment of this functionality in conjunction with your own internal deployment. In this case, it is important to involve the LOB application that owns the business functionality that will be delivered and to maintain communication with the technical resources of all parties. Your legal counsel can also help to establish a good relationship between involved parties.
The core IT group is often responsible for the cost of the deployment project. In fact, it is common to have internal funds transferred from an LOB application to the core group in order to fund portions of the identity management project. But, even when a single LOB application group is providing initial funding, the needs of the larger organization should be balanced with the needs of the funding group.