The first was a means of provisioning access to non-AD based applications (applications that cant leverage AD for authentication) based on AD Group Memberships. The problem was notoriously difficult to solve and as it ended up, they crafted an XMA based on AD Groups using MVGuids and the bit vectors from AD which are used to denote group memberships. They then provisioned this in the applications in question. Brilliant right? Lots of code and very fancy terms. Then I thought, what was the real problem? Why manage access via AD Groups to an application that can't natively talk to AD? Well most companies don't have a website to allow them to request access to roles so the Tech Support teams manage Roles (see Groups) via Active Directory. The far simpler solution would have been to modify the applications in question to query AD directly rather than create new XMA's for every group in AD.
The fuzzy logic presentation was equally bright. There was lots of code and pattern matching with confidence scores, etc. All to allow non unique field to match up and create solid joins. There's obvious appeal to the idea, we could have used it for increasing the reliability of the name matched between HR and IDMGMT. But here's the kicker, why not create a GUID to match all the entries on both sides? Again, I think of the next version of something really complicated and then I stop and I think to myself...GLOVES.
The only positive outcome of all of this is that Apollo seems to have been very fortuitous in its software development leadership and wise in its choice of solutions to thorny problems. We remain light years ahead of the competition. We should seriously consider selling our solution or at least consulting with companies headquartered in sunny, tropical seaside locales.
1 comment:
I just had to do a Google search on "Apollo identity management" to get a clue as to who you are :) ... working in this space myself, I have to say I feel some genuine empathy for your thoughts.
Post a Comment