Controlled Access

Computerworld - If you're pondering electronic provisioning, think single sign-on all over again. Like its predecessor, e-provisioning is saddled with all the same integration and complexity problems that kept single sign-on from becoming the killer application many industry observers thought it would be.

The definition of e-provisioning varies depending on which vendor you talk to, but basically, e-provisioning tools mediate among human resources systems, directory services and network resources to automatically set up new user accounts into the applications that employees need to do their jobs. Inversely, these tools also automate de-provisioning by removing user accounts from the system when employees leave or no longer need those resources.

Vendors claim that their products provision users to all the resources they need across the enterprise, which is possible in simple cases such as that of Burlington Northern Santa Fe Corp. (BNSF) in Fort Worth, Texas. BNSF automated add/delete/change functions to three commercial platforms using Lighthouse from Austin, Texas-based Waveset Technologies Inc.

But automating provisioning across all applications, particularly in complex enterprises, isn't possible, say analysts and users. About the best that companies can hope for is 20% to 55% coverage, they say.

"No vendors cover 100% of the applications or systems that exist in an enterprise. So the question becomes, How much coverage can you get?" says Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York.

Hager did what many early adopters are doing: He scaled his provisioning requirements down and started with his top two platforms, Windows NT and Novell Inc.'s GroupWise. Even then, his team ran into integration problems between the applications and his provisioning tool, enRole from Access360 in Irvine, Calif. Furthermore, Hager says, it will probably take another two years to develop the connectors to provision to the rest of his target applications.

"Even if you can address 80% of your needs, you still have to do the rest of the provisioning by hand, which was the same weakness in single sign-on," explains John Pescatore, an analyst at Gartner Inc. in Stamford, Conn.

But early adopters say they're willing to pay this price for what they see as an inevitable return on investment. Hager, for example, has already reduced his maintenance staff from seven employees to three. And users say that by starting now, they're also laying the foundation for future applications that will safely allow business partners and customers into their networks.

Dangerous Orphans

One primary driver for undertaking unwieldy provisioning projects is the security risk posed by orphaned accounts left behind when employees leave or change job functions. With manual add/delete/change processes, inactive user accounts could get lost in hundreds of applications across the enterprise.