James McGovern asked in a recent post: "In the same way that Kim Cameron is running around Microsoft rallying for the need to rationalize identity, I wonder who his peer is for doing something similar with authorization?" I actually wonder, too. Is it (should it?) be my buddy Don Schmidt over at Microsoft? I don't know but it is about time for an authorization czar over there.
While I was thinking about this I stumbled across a post and a video that shows how to create and add roles to Microsoft's Systems Center Operations Manager 2007. As I watched the video I was pleasantly surprised to see that they really did use Active Directory users to "fill" the roles that they demoed. A nice step forward but are they open to enhancing that capability?
What you have enabled in SCOM 2007 is the ability to define a static role and a static set of users who fit that role. Who is maintaining the role and the users? Well, the SCOM 2007 administrator is. Every time a new user needs to be added to a role or a new role is required that admin has to do the work. You've basically shuffled the work from the help desk or Active Directory administrator to the SCOM 2007 administrator - that's just a shell game with no real productivity gain.
I'd recommend that you virtualize the user side of this equation. Specifically, most users in Active Directory have a series of attributes attached to their object such as title, manager, office location, phone number, etc. A role should have the ability to have attributes and specific values assigned to them so that role can be checked dynamically at use to see if a user is authorized for that function. An example might be that you'd like everyone who has title "SQL Administrator" to be able to manage and operate the monitoring of the SQL servers. This is easier than every new SQL Administrator having to email you to be added to the role manually. And, when they get promoted to "Product Manager" they automagically get dropped from that role - again, without the need for an email to you, Mr. SCOM2007 Administrator.
This way you enable the directory to do the work for you. I call that improving efficiency - yours.
It bothers me that at Microsoft this stuff isn't leaking through faster into everyday design and architecture...
Microsoft, Systems Center Operations Manager 2007, Active Directory, identity management, authorization