Today I find myself on a short consultancy visit at the King Abdullah University of Science and Technology (KAUST) in Saudi Arabia for leading local SAP partner RFID Saudi est. The University is busy integrating different business systems like SAP HR (HCM) and the Student administration system (SLCM) with its portal, email system and Active Directory.
Many people in the Identity and Access Management industry know me best as Managing Director of MaXware UK until the 2007 SAP acquisition. In fact I was part of the five-person core management buy-out team that acquired the company from EDB Business Partner in Norway five years earlier. Wind forward another five years to today, and I was pleased to get the opportunity to get my hands dirty again in a slightly more technical role than usual. This enabled me to see for myself how much has changed in the look and feel of the old IdentityCenter and Virtual Directory products, now relabelled SAP NetWeaver IDM.
A bit of IDM history
First of all I should explain that when we started MaXware, I believe the term Identity Management hadn’t been invented yet. We called our product a ‘Meta Directory’, a term first introduced by the Canadian company Zoomit Corporation. At least I assume this, as their managing director Kim Cameron was known in those days as the ‘daddy’ of all Meta Directories. When Microsoft acquired Zoomit in 1999, Kim became Microsoft’s chief architect for identity and privacy. How much remains of the original Zoomit product in Microsoft’s Forefront Identity Manager (FIM) I am not sure.
The second major acquisition that shaped the Identity Management market took place on June 25th, 2002 and concerned IBM’s acquisition of one of MaXware’s main competitors, also hailing from Norway, called Meta Merge. The product is now known as Tivoli Identity Management (TIM). Then on 03 September 2002, IBM acquired all assets of Access360 and thus Tivoli Access Management (TAM) was added to complete the IAM portfolio.
Finally when Oracle created its OIM offering, they gobbled up a succession of companies in this space including OctetString (OVD), Thor (OIM) and Oblix (OAM).
Dave Kearns observed in Network World:
“The major driver for SAP, of course, is the competition from Oracle. When Larry Ellison annexed PeopleSoft, after PeopleSoft acquired J. D. Edwards, the battle line was drawn. Oracle’s successful integration of its identity management acquisitions – Phaos Technology, Thor Technology, OctetString and others – meant that SAP would have to acquire or develop similar technology or forever be on the defensive, or subject to the mercies of technology partners, when competing with Oracle for customers.”
So here we have set the scene. David Kearns mentions BMC Software, Computer Associates, HP and Sun as other big-name companies that have at least in part bought their way into this field.
Before that time, large organisations that needed this technology had to buy it from small, innovative independent software vendors like MaXware. Novell was the only one among them that thought they were big enough to make it on their own. Now I rarely read about them. I read on Wikipedia that thousands of layoffs were announced by current owner Attachmate for the Novell workforce, including hundreds of employees from their Provo, Utah Valley center. Maybe they should have been a bit less conceited and a bit more co-operative when it mattered in those early years?
SAP IDM the first 5 years
I know it’s getting on to six years since the MaXware acquisition, but most of the first year tends to be spent changing PowerPoint presentation templates and letterheads, organisational reshuffling and usually not much more. It was funny to see all the SAP identity store fields still begin with the trusted MX- prefix. Some of the original developers are still there from the original 1995 team. Plus ça change…
In the IDM market place, SOX-compliant provisioning became more of a business driver than data synchronisation between directories and databases. The extension of the identity store with a provisioning framework and a role model complete with privileges is undoubtedly the major enhancement in this period. Also, the PHP web-based user interface was replaced by SAP’s own Web Dynpro programming tool, giving the clear separation of business logic and display logic that big MaXware customers like T-OnLine had been demanding for years. Existing SAP users will probably stick with access through the SAP portal for user self-service and role approvals. Some screen shots can be seen in the gallery below.
Provisioning now and provisioning then
When the term provisioning became ‘en vogue’ and customers started asking me if we did provisioning, I said: “Sure we provision, we do ldapAdd and ldapDelete as well as ldapModify to keep corporate data in sync.” What we didn’t tell them was that our method always tried an ldapModify first and, if the object wasn’t found, simply created it in a second pass. The effect was the same.
If customers asked us if we had SAP connectors out of the box, we were economical with the truth. We simply used IDoc reports and parsed them as simple delimited text files, applying our MD5-based delta mechanism to detect any changes.
Today’s provisioning connectors are much more sophisticated. No longer do we overwrite the entire record if our delta hash suggests something has changed. Our changes in target systems are much more atomic and at attribute level.
MaXware’s Virtual Directory provided SAP with the ideal common provisioning middleware for passing identity data to and from target systems like Microsoft’s Active Directory. A lightweight event agent simply monitors the directory’s update sequence numbers (USN) to see if anything of identity interest has changed there.
The integration with HR (SAP HCM) and SAP GRC works on the same principles.
However, on some other more obscure ABAP systems like SLCM, SAP clearly has more work to do! For instance, they haven’t implemented methods whereby an ABAP system can send alerts to an external system like IDM when attribute changes occur or records are added or deleted.
They also don’t have a unique change number like AD, which IDM can monitor using event agents. Therefore, currently the only way we seem able to build a connector of sorts is to use the generic ‘Business-Suite-Connector’, generate reports of changes from such systems, and enable the aforementioned trusted MaXware delta mechanism, either on the from-pass or the to-pass. You can imagine this may cause some performance issues when large data sets need to be handled.
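The delta mechanism described here and in the earlier section on parsing IDoc reports, worked through as an added example (not MaXware or SAP code): a record-level MD5 fingerprint over two constructed delimited report exports decides what was added, deleted or modified, and the attribute-level diff then isolates only the fields that changed, which is what today’s connectors push instead of overwriting the whole record. The column names, key field and sample values are constructed.

```python
import csv
import hashlib
import io

# Constructed sample: two snapshots of a delimited report export (not real SAP data).
OLD_REPORT = """\
PERNR|FIRSTNAME|LASTNAME|DEPT|EMAIL
1001|Anna|Berg|HR|anna.berg@example.org
1002|Lars|Dahl|IT|lars.dahl@example.org
1003|Mona|Eide|FIN|mona.eide@example.org
"""
NEW_REPORT = """\
PERNR|FIRSTNAME|LASTNAME|DEPT|EMAIL
1001|Anna|Berg|HR|anna.berg@example.org
1002|Lars|Dahl|SEC|lars.dahl@example.org
1004|Ola|Foss|IT|ola.foss@example.org
"""

def parse_report(text, key="PERNR", delim="|"):
    """Parse a delimited report into {key: {attribute: value}}."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delim)
    return {row[key]: row for row in reader}

def record_hash(row):
    # One fingerprint per record, so a single comparison tells us whether anything changed.
    # Attributes are sorted so column order in the export does not cause false positives.
    # MD5 is adequate as a change fingerprint here; it is not an integrity control.
    canonical = "|".join(f"{k}={row[k]}" for k in sorted(row))
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()

def delta(old, new):
    """Record-level delta: keys added, deleted, or whose fingerprint changed."""
    old_hashes = {k: record_hash(v) for k, v in old.items()}
    new_hashes = {k: record_hash(v) for k, v in new.items()}
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old_hashes[k] != new_hashes[k])
    return added, deleted, modified

def attribute_changes(old, new, key):
    """Attribute-level diff for one modified record: only the attributes that differ."""
    return {a: (old[key].get(a), new[key][a]) for a in new[key] if old[key].get(a) != new[key][a]}

def run():
    """Compare the two snapshots; returns (added, deleted, {key: attribute changes})."""
    old, new = parse_report(OLD_REPORT), parse_report(NEW_REPORT)
    added, deleted, modified = delta(old, new)
    return added, deleted, {k: attribute_changes(old, new, k) for k in modified}
```

In practice the old snapshot is the stored set of fingerprints from the previous run, so only the hashes, not the full previous export, need to be kept between passes.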
In conclusion, much has been achieved during the last five years since SAP took over the reins at MaXware, but the school report also says: “Could do better in some areas!”
Furthermore, being part of a huge organisation like SAP, the level of documentation, training and support is second to none, which is why I find it strange that this solution hasn’t moved an inch up in the Gartner ‘Magic Quadrant’ for provisioning. This is the subject of a previous blog post, which WordPress statistics tell me is my most widely read to date!
Below are some screen captures of the user interface of SAP NetWeaver IDM.