
IAM Use Cases, why is “retainer” always missing?

I keep getting surprised by the three standard use cases everyone talks about: joiner, mover, leaver (JML). Everyone in the IAM sphere seems to have the same idea. Try a quick Google search and you will find many, many descriptions of the three areas. Just take the below.

It seems that joiner, mover, leaver is the foundation… or is it?

In my world it is a bit more diverse than that, especially if you also look at the time spent within each use case. What I am trying to tell you is that an important and time-consuming use case is usually missing: the retain use case.

From my point of view the following use cases are needed by everyone looking into an identity & access management solution.

  1. Joiner – How new people joining your organization are granted accesses
  2. Retainer – The illegitimate child, covering especially governance activities
  3. Mover – When people move around inside your organization
  4. Leaver – How to handle people leaving the organization

The retain use case

In my world retainment of employees needs to be a separate use case area in any IAM solution. All other areas cover moments when something changes for the people in the organization: when they are hired, change position inside the organization or leave. But what happens when nothing changes for the employee?

Nothing, right?

But what if the same person has the same job over a 10-year period? Does nothing actually change for that employee? Just think about what you were working on 10 years ago; not the same as today, right? But if no attributes change for a person, it is not a given that the IAM solution will capture the employee's development. Hence the retainment use case becomes relevant.

What should be included in the retainment use case?

When talking about the retainment use case, I suggest that you at least evaluate the following use cases.

  • Periodic certification of accesses and SoD violations
  • Periodic certification of job role content
  • Employee development without attribute changes
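To make the first bullet concrete, here is an added example (not code from the original post) that models the periodic part of the retain use case: identities whose HR attributes never change are still put on a review queue when an entitlement has not been attested within the certification period or when they hold both sides of a segregation-of-duties rule. The identities, entitlement names, SoD rules and dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Identity:
    uid: str
    entitlements: set          # entitlements currently held
    last_certified: dict       # entitlement -> date of last attestation


# Constructed SoD policy: holding both entitlements of a pair is a violation.
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment"),
    ("gl_post_journal", "gl_approve_journal"),
]

CERT_PERIOD = timedelta(days=365)   # assumed recertification cycle
REVIEW_DATE = date(2024, 6, 1)      # constructed "today" for the review run


def sod_violations(identity):
    """Return the SoD rule pairs of which this identity holds both sides."""
    return [pair for pair in SOD_RULES if set(pair) <= identity.entitlements]


def stale_certifications(identity, today):
    """Entitlements never attested, or attested more than CERT_PERIOD ago."""
    stale = []
    for ent in sorted(identity.entitlements):
        last = identity.last_certified.get(ent)
        if last is None or today - last > CERT_PERIOD:
            stale.append(ent)
    return stale


def retain_review(identities, today):
    """Build the review queue: only identities with findings appear."""
    queue = {}
    for ident in identities:
        findings = {"sod": sod_violations(ident),
                    "stale": stale_certifications(ident, today)}
        if findings["sod"] or findings["stale"]:
            queue[ident.uid] = findings
    return queue


# Constructed sample population; none of them had an HR attribute change.
SAMPLE = [
    Identity("u1001", {"ap_create_vendor", "ap_approve_payment", "mail"},
             {"ap_create_vendor": date(2023, 1, 10),
              "ap_approve_payment": date(2024, 2, 1), "mail": date(2024, 2, 1)}),
    Identity("u1002", {"gl_post_journal", "mail"},
             {"gl_post_journal": date(2024, 3, 1), "mail": date(2024, 3, 1)}),
    Identity("u1003", {"hr_read"}, {}),   # never certified at all
]

if __name__ == "__main__":
    for uid, findings in retain_review(SAMPLE, REVIEW_DATE).items():
        print(uid, findings)
```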