Back to first principles – What is ILM for?

I started this blog as a way to help other people like myself (i.e. system administrators) who were just starting out with ILM (then MIIS) and finding it heavy going. Even so, I made assumptions about the reader's level of knowledge, and now I plan to address that by starting from the very beginning with a series of posts aimed at complete ILM newbies.

So, what is ILM?

You probably know the letters stand for Identity Lifecycle Manager, but to explain how it fits into a typical business network, here are a couple of pictures I created for my TechDays presentation.

The first shows how synchronisation of users, contacts and groups might be happening in a typical organisation today. It is a combination of pairwise, often bidirectional, solutions which include manual tasks (sending an email, creating an account, adding group memberships), some special-purpose sync tools (GALsync, ADAMsync), and some scripted scheduled tasks (LDIF export/import, database syncs).

Figure 1: Ad-hoc, non-joined Identity Management

Now what exactly is wrong with all of this? It probably works OK, right up until you want to change it or extend it to new applications or directories, and then you run into trouble. All of the sync relationships are between pairs of directories, and there is no easy way to tell how one user is affected by the sum total of them. You may also be at the mercy of an old-fashioned empire builder: the individual who hoards all the knowledge about one part of the puzzle, so you just have to hope it doesn't go wrong while they're on vacation.

ILM sits in the middle of these relationships, centralising all the interesting data about objects and synchronising changes wherever they should go. While the specific rules for the various directories will differ, there is at least a unified framework under which they all coexist. Finding out which directories a user has an account in is easy, because every connected account is joined to one object in a single, central location (the metaverse), and as it is all built on SQL Server you can extract the data to produce reports, perhaps for a security audit.
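As an added example of the kind of audit report just described (this is not code from the original post), the following read-only T-SQL lists every connector-space account joined to each metaverse person, i.e. "which directories does this user have an account in?". It assumes the ILM sync database is named MicrosoftIdentityIntegrationServer and that the tables and columns shown (mms_metaverse, mms_csmv_link, mms_connectorspace, mms_management_agent, and the attribute column displayName) exist with those names; the sync schema is neither documented nor supported for direct querying, so verify the names against your own instance first. The management agent name 'AD' in the second query is also an assumption.

```sql
-- Added example, not from the original post. Read-only report against the
-- ILM/MIIS sync database. Assumed names (verify on your own server):
--   database : MicrosoftIdentityIntegrationServer
--   tables   : mms_metaverse (object_id, object_type, displayName)
--              mms_csmv_link (mv_object_id, cs_object_id)
--              mms_connectorspace (object_id, ma_id, rdn)
--              mms_management_agent (ma_id, ma_name)
USE MicrosoftIdentityIntegrationServer;

-- One row per (person, joined account): which directories hold an account
-- for each metaverse person, and under what name.
SELECT
    mv.displayName AS Person,
    ma.ma_name     AS Directory,         -- the management agent, i.e. the directory
    cs.rdn         AS ConnectorSpaceRDN  -- the account's name in that directory
FROM mms_metaverse mv
JOIN mms_csmv_link lnk        ON lnk.mv_object_id = mv.object_id
JOIN mms_connectorspace cs    ON cs.object_id     = lnk.cs_object_id
JOIN mms_management_agent ma  ON ma.ma_id         = cs.ma_id
WHERE mv.object_type = 'person'
ORDER BY mv.displayName, ma.ma_name;

-- Audit variant: people the central framework knows about who have NO joined
-- account in one particular directory ('AD' is an assumed MA name). Useful for
-- spotting provisioning gaps, or accounts that were deleted outside ILM.
SELECT mv.displayName AS PersonWithoutADAccount
FROM mms_metaverse mv
WHERE mv.object_type = 'person'
  AND NOT EXISTS (
      SELECT 1
      FROM mms_csmv_link lnk
      JOIN mms_connectorspace cs   ON cs.object_id = lnk.cs_object_id
      JOIN mms_management_agent ma ON ma.ma_id     = cs.ma_id
      WHERE lnk.mv_object_id = mv.object_id
        AND ma.ma_name = 'AD'
  )
ORDER BY mv.displayName;
```

Run this under a SQL login with read-only (db_datareader) rights, preferably against a restored copy of the database rather than the live sync server; never update these tables directly, as the sync engine owns them.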

Figure 2: Centralised Identity Management using ILM

The final point of comparison between ILM and the ad-hoc sync methods you may have today is how extensible ILM is to new and interesting purposes. It doesn't just have to be about user accounts. I have used ILM in the past to fully manage the lifecycle of home folders, mailboxes and personal websites (including automatic archiving and tidy-up). I know of a multinational that has bought so many other companies that it uses ILM just to keep email aliases in sync across all the disparate systems in the conglomerate. The possibilities really are endless, restricted only by your imagination, your technical abilities and (it must be said) the spec of your ILM server.