Distributed Access

February 6, 2008

One of my key criticisms of our current Account Management system, and of many of the other account/identity management products on the market, is the high degree of centralisation that they require. When you distribute service management, you need an account management system that can provide a similar level of distribution of provisioning. It shouldn’t be necessary for every provisioning script to be built into the runtime of the central system (as with our current system). It shouldn’t even be necessary for every provisioning script to run on the same central server. It really shouldn’t be necessary for provisioning scripts to be developed and maintained by the people who run the account management system.

Some of these concerns come from scalability. Experience has shown that requiring changes to the central account management system every time a new service is deployed doesn’t scale in terms of developer time. The priorities of a team deploying a new service often don’t mesh with those of the people managing the central system, and requiring that a developer have in-depth knowledge of both the central management system and the account database of the new service can cause difficulties. Eventually, you end up with a central system that, no matter how well designed the plugin architecture is, is creaking under the load of all the services hanging off it.

This model also causes problems with delegation. I’ll talk more about delegation in a later post, but part of the delegation issue is also pertinent here. In a model where more and more ‘services’ are being managed by research groups, it’s just not realistic for the deployment of one of these new services to require changes to the central provisioning system.

Instead, a truly distributed account management system should move the provisioning details away from the centre and locate them locally to the service. This doesn’t necessarily mean that the provisioning is performed on the machine(s) the service runs on, but that conceptually the provisioning act is the responsibility of those managing that service, and not of those running the central system.
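To make the contrast concrete, here is an added sketch (my own illustration, not code from the original post or from any product it mentions) of the model described above: the central system only emits signed account events and carries no service-specific logic, while each service team owns the provisioning rule that consumes them and verifies that the event really came from the centre. The service names, the per-service shared secrets and the event format are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed per-service secrets shared with the central system (an assumption;
# a real deployment might use asymmetric signatures or an authenticated message bus).
SERVICE_KEYS = {"wiki": b"wiki-secret-constructed", "hpc": b"hpc-secret-constructed"}

def central_publish(event):
    """Central system: emit one signed copy of the account event per service.
    No service-specific provisioning logic lives here."""
    body = json.dumps(event, sort_keys=True).encode()
    return {name: {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}
            for name, key in SERVICE_KEYS.items()}

class ServiceProvisioner:
    """Run by the service team: the provisioning rule (apply_fn) is theirs."""
    def __init__(self, name, apply_fn):
        self.key, self.apply_fn = SERVICE_KEYS[name], apply_fn
        self.seen = set()  # event ids already applied, so redelivery is idempotent

    def handle(self, msg):
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "rejected"  # not from the central system, or altered in transit
        event = json.loads(msg["body"])
        if event["id"] in self.seen:
            return "duplicate"
        self.seen.add(event["id"])
        return self.apply_fn(event)

# Each service's own provisioning rule; the central system never sees these.
wiki_accounts, hpc_accounts = {}, {}

def provision_wiki(event):
    wiki_accounts[event["user"]] = {"role": "editor"}
    return "created"

def provision_hpc(event):
    if event["group"] != "research":  # local policy, decided by the HPC team
        return "skipped"
    hpc_accounts[event["user"]] = {"shell": "/bin/bash"}
    return "created"

def run_demo():
    wiki, hpc = ServiceProvisioner("wiki", provision_wiki), ServiceProvisioner("hpc", provision_hpc)
    msgs = central_publish({"id": 1, "op": "create", "user": "alice", "group": "research"})
    results = {"wiki": wiki.handle(msgs["wiki"]), "hpc": hpc.handle(msgs["hpc"])}
    results["replay"] = hpc.handle(msgs["hpc"])  # redelivered event is a no-op
    forged = dict(msgs["wiki"], body=msgs["wiki"]["body"].replace(b"alice", b"mallory"))
    results["forged"] = wiki.handle(forged)  # signature no longer matches
    return results
```

Adding a new service here means the service team writes its own `provision_*` rule and holds its own key; nothing in `central_publish` changes.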