Designing an IAM Framework with Oracle Identity and Access Management Suite [Excerpt]
2012-12-18 11:25
The following passage is again excerpted from the book named in the title.
What do I mean by that? Well, the thing so many companies have gotten wrong is: they have 10,000 users and 30,000 roles. If I can do five different things as part of my job, then I have five roles. If the guy sitting next to me also has five different roles, then between us we have ten different roles. Ouch! I’ve actually heard of even worse examples, where organizations had literally millions of roles, with the excuse being, “Everybody is unique.” As a product manager at Oracle puts it, “When everybody is unique, nobody is unique.”
Let’s say I’m appearing in a Shakespeare play. Let’s go with Titus Andronicus, because it’s extremely violent and bloody, much like the software market. If I’m appearing as Titus in one theater, and there’s another production of the same play down the street, I’m not Titus-1 while the other guy is Titus-2. We’re both reading from the same script. We’re both Titus. We’ve both been assigned that same role. What’s different is our context, since we’re in different theaters, and besides that, I’m tall, swarthy, handsome, and articulate, and the other guy’s kind of ugly. But we both have the same essential role, speak the same lines, and end up in the same horrid way. So instead of 30,000 roles for 10,000 people, it should be 10,000 roles for 30,000 people.
But wait, there’s more! It should probably be more like 100 roles for 10,000 people, a vast order of magnitude less. Don’t turn a slight variation into an excuse for a whole new role. If the plastics division has a Quality Control Officer, and so does the metals division, then you have one role, with the context being the division. The grant of that role may still require different approvers; remember not to confuse the role with the granting of that role. But the baseline definition of the role will be consistent, yet flexible. Using context as a qualifier on a role keeps the number of roles from exploding.
In summary, best practice when defining roles is to keep the number of roles as small as possible. Distinguish a role from its context: for example, being the manager of some department can be treated as a role, while the person's location should be treated as a context. So when implementing an IAM project, take care not to design too many roles.
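As an added illustration (my own example, not code from the book or from Oracle's products), the model below defines the Quality Control Officer role once, attaches the division as a context on each grant, routes approval per context rather than per role, and checks access against the context of the resource. The role names, division names and approver names are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    """A role is defined once; its permissions do not vary by division."""
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class Grant:
    """A grant binds a user to a role within a context (here: the division)."""
    user: str
    role: Role
    context: str

# Approvers belong to the grant (per context), not to the role definition.
# Constructed sample values, not real organisational data.
APPROVERS = {"plastics": "plastics-director", "metals": "metals-director"}

QC_OFFICER = Role("Quality Control Officer", frozenset({"inspect", "reject_batch"}))

def request_grant(user: str, role: Role, context: str) -> tuple:
    """Return the pending grant and the approver responsible for that context."""
    if context not in APPROVERS:
        raise ValueError(f"unknown context {context!r}")
    return Grant(user, role, context), APPROVERS[context]

def is_allowed(grants: list, user: str, action: str, resource_context: str) -> bool:
    """Allow only if the user holds a role carrying the action in the resource's context."""
    return any(
        g.user == user and g.context == resource_context and action in g.role.permissions
        for g in grants
    )

def distinct_roles(grants: list) -> set:
    """Number of role definitions in use, which should stay flat as contexts grow."""
    return {g.role.name for g in grants}

# Constructed sample: two officers in two divisions share one role definition.
GRANTS = [
    request_grant("alice", QC_OFFICER, "plastics")[0],
    request_grant("bob", QC_OFFICER, "metals")[0],
]
```

Adding a third division adds one approver and new grants, but still no new role.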