Identity Management Then and Now: The SAP MaXware story
Today I find myself on a short consultancy visit at the King Abdullah University of Science and Technology (KAUST) in Saudi Arabia for local SAP partner RFID Saudi est. The University is busy integrating different business systems like SAP HR (HCM) and the Student administration system (SLCM) with its portal, email system and Active Directory.
Many people in the Identity and Access Management Industry know me as Managing Director of MaXware UK until the 2007 SAP acquisition. In fact I was part of the five-person core management buy-out team that acquired the company from EDB Business partners in Norway five years earlier. Today, wind forward another five years, and I was pleased to get the opportunity to get my hands dirty again in a slightly more technical role than usual. This enabled me to see for myself how much has changed in the look and feel of the old Identity Center and Virtual Directory products, relabeled SAP NetWeaver IDM 7.2.
A bit of IDM history
First of all I should explain that when we started MaXware, I believe the term Identity Management hadn’t been invented yet. We called our product a ‘Meta Directory’, a term first introduced by Canadian company Zoomit Corporation. At least I assume this, as their managing director at the time, Kim Cameron, was known in those days as the ‘daddy’ of all Meta Directories. When Microsoft acquired Zoomit in 1999, Kim became Microsoft’s chief architect for identity and privacy.
The second major acquisition that shaped the Identity Management market took place on June 25th, 2002 and concerned IBM’s acquisition of one of MaXware’s main competitors, also hailing from Norway, called Meta Merge.
Finally, when Oracle gobbled up a succession of companies in this space, including Thor, OctetString and Oblix, Dave Kearns observed in Network World:
“The major driver for SAP, of course, is the competition from Oracle. When Larry Ellison annexed PeopleSoft, after PeopleSoft acquired J. D. Edwards, the battle line was drawn. Oracle’s successful integration of its identity management acquisitions – Phaos Technology, Thor Technology, OctetString and others – meant that SAP would have to acquire or develop similar technology or forever be on the defensive, or subject to the mercies of technology partners, when competing with Oracle for customers.”
So here we have set the scene. I could mention BMC Software, Computer Associates, HP and Sun as other big-name companies that have at least in part bought their way into this field.
Before that, large organisations that needed this technology had to buy it from small innovative independent software vendors like MaXware. Novell was the only one among them that thought they were big enough to make it on their own. Now I rarely read about them. I read in Wikipedia that thousands of layoffs were announced for the Novell workforce by current owner Attachmate, including hundreds of employees from their Provo Utah Valley center. Maybe they should have been a bit less conceited and a bit more cooperative when it mattered in those early years?
There have also been notable exits like HP, proving to corporate IT purchase managers that size isn’t always what it is cracked up to be.
SAP IDM the first 5 years
I know it’s getting on to six years since the MaXware acquisition, but most of the first year tends to be spent changing PowerPoint presentation templates and letter heads, organisational reshuffling and usually not much more. It was funny to see all the SAP identity store fields still begin with the trusted MX- prefix. Plus ça change…
In the IDM marketplace, SOX-compliant provisioning became more of a business driver than data synchronisation between directories and databases. The extension of the Identity Store with a provisioning framework and a role model with privileges is undoubtedly the major enhancement in this period. Also, the .php web-based user interface was replaced by SAP’s own Web Dynpro programming tool, giving the clear separation of business logic and display logic that big MaXware customers like T-Online had been demanding for years.
Provisioning now and provisioning then
When the term provisioning became ‘en vogue’ and customers started asking me if we did provisioning, I said: “Sure we provision, we do ldapAdd and ldapDelete as well as ldapModify to keep corporate data in sync.” What we didn’t tell them was that our method always tried to do an ldapModify first, and if the object wasn’t found we just created it in a second pass. The effect was the same.
If customers asked us if we had SAP connectors out of the box, we were economical with the truth. We simply used IDoc reports and parsed them as simple delimited text files, applying our MD5-based delta mechanism to detect any changes.
Today’s provisioning connectors are much more sophisticated. No longer do we overwrite the entire record if our delta hash suggests something has changed. Our changes in target systems are much more atomic and at attribute level.
MaXware’s Virtual Directory provided SAP with the ideal common provisioning middleware for passing identity data to and from target systems like Microsoft’s Active Directory. A lightweight event agent simply monitors the directory’s unique sequence numbers (USN) to see if anything of identity interest has changed there.
The integration with HR (SAP HCM) and SAP GRC works on the same principles.
However, on some other more obscure ABAP systems like SLCM, SAP clearly still has more work to do! For instance, they haven’t implemented methods whereby an ABAP system can send alerts to external systems like IDM when attribute changes occur or records are added or deleted.
They also don’t have a unique change number like AD, which IDM can monitor using event agents. Therefore, currently the only way we seem to be able to build a connector of sorts is to use the generic ‘Business-Suite-Connector’, generate reports of changes from such systems and enable the aforementioned trusted MaXware delta mechanism, either on the from-pass or the to-pass. You can imagine this may cause some performance issues when large data sets need to be handled.
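The record-level hash delta over delimited report files, and the attribute-level changes that replaced whole-record overwrites, can be sketched as follows. This is an added example in Python, not MaXware or SAP code; the report layout, field names and sample records are constructed for illustration.

```python
import csv
import hashlib
import io

# Constructed sample reports (not real SAP output): id;name;mail;dept
PREVIOUS = """E1001;Ada Berg;ada@example.org;Finance
E1002;Jon Dahl;jon@example.org;IT
E1003;Eva Moe;eva@example.org;HR
"""
CURRENT = """E1001;Ada Berg;ada@example.org;Finance
E1002;Jon Dahl;jon.dahl@example.org;Security
E1004;Per Lie;per@example.org;IT
"""
FIELDS = ["id", "name", "mail", "dept"]  # assumed column order

def parse(report):
    """Parse a ';'-delimited report into {key: {attribute: value}}."""
    rows = csv.DictReader(io.StringIO(report), fieldnames=FIELDS, delimiter=";")
    return {r["id"]: {k: v for k, v in r.items() if k != "id"} for r in rows}

def fingerprint(attrs):
    """MD5 over a canonical encoding: a change detector, not an integrity control."""
    canon = "\x1f".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.md5(canon.encode("utf-8")).hexdigest()

def record_delta(old_hashes, new_records):
    """Record-level delta: needs only the hashes stored from the previous run."""
    new_hashes = {k: fingerprint(v) for k, v in new_records.items()}
    added = sorted(new_hashes.keys() - old_hashes.keys())
    deleted = sorted(old_hashes.keys() - new_hashes.keys())
    modified = sorted(k for k in new_hashes.keys() & old_hashes.keys()
                      if new_hashes[k] != old_hashes[k])
    return added, modified, deleted, new_hashes

def attribute_delta(old_attrs, new_attrs):
    """Attribute-level delta: needs the previous values, returns only what changed."""
    return {k: (old_attrs.get(k), new_attrs.get(k))
            for k in sorted(old_attrs.keys() | new_attrs.keys())
            if old_attrs.get(k) != new_attrs.get(k)}

if __name__ == "__main__":
    old, new = parse(PREVIOUS), parse(CURRENT)
    stored = {k: fingerprint(v) for k, v in old.items()}
    added, modified, deleted, _ = record_delta(stored, new)
    print("add:", added, "modify:", modified, "delete:", deleted)
    for key in modified:
        print(key, attribute_delta(old[key], new[key]))
```

The hash comparison only says that a record changed, which is why it leads to overwriting the whole record; writing just the changed attributes requires the previous attribute values, which the identity store holds.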
In conclusion, much has been achieved during the last five years since SAP took over the reins at MaXware, but the school report says: “Could do better in some areas!”
Furthermore, being part of a huge organisation like SAP, the level of documentation, training and support is today second to none, which is why it seems all the more ridiculous that this solution hasn’t moved an inch in the Gartner Magic Quadrant for provisioning. This is the subject of a previous blog post on IdentitySpace which WordPress statistics tell me is my most widely read to date!
This is a copy of a post on my WordPress blog IdentitySpace.