How Harry met Sally on our identity management test bed

We tasked each solution vendor with a series of test scenarios based on a common business plot revolving around a simulated employee lifecycle

After more careful thought, we decided that our test environment could use a bit more variety, so we also threw in a z/OS mainframe emulator from Cornerstone Systems (provided by IBM, however) and a Lotus Notes server (also graciously provided by IBM). Our test scenarios wouldn’t require that these systems be provisioned, but we allowed vendors to do so for extra credit. Each participant in the test was given the test parameters one month prior to the test and general information about the test infrastructure: that it would be based on Active Directory, that e-HRMS and webERP would be our HR and accounting applications, and that these apps would run on Fedora Core. This enabled them to prepare connectors ahead of time, helping to speed along the integration of their identity servers into the TCPIP environment. Of course, we kept a few specific details quiet until the test began.

We allowed each vendor one day to install and configure the various infrastructure components necessary to work with our test bed, including installation of any required agents, implementation of any servers necessary to run their solutions, and some time to verify that the solution was functional. Then, we hired our fictional junior accountant, Harry Truman, who was destined for an exciting -- if brief -- experience with TCPIP Corp.

Harry proved to be on a fast track, as he was quickly promoted to accounting supervisor. This bump granted him additional rights on several key systems, including the webERP application, and entered him in additional security groups in Active Directory. Harry’s good fortune would only continue, as he would meet a stunning young woman named Sally Fergenschmeir, who in my mind’s eye looks much like Alyssa Milano in a business suit. Sally is the daughter of Bartholomew Fergenschmeir, who loses his company to TCPIP in a hostile acquisition, but who otherwise doesn’t enter into this story at all. Harry meets Sally during negotiations for TCPIP to purchase Fergenschmeir. As luck would have it, Sally was single and attracted to pudgy bean counters. It was kismet.

Before any nuptials could be planned, however, TCPIP Corp. bought out Fergenschmeir Inc., requiring the two AD stores to be merged in some form or another. The test scenario required the solutions to be able to manage two directories, to provision users from one directory into the other for the purpose of accessing file shares and applications across domains, and to migrate the entire contents of the Fergenschmeir directory into the TCPIP AD forest to complete the acquisition.

With the TCPIP acquisition behind them, Sally and Harry could finally plan their wedding, and Sally would take Harry’s name. Taking their cue from the change to Sally's record in the HR application, our solutions would then change Sally’s last name across all managed resources within the infrastructure without administrator intervention.

Unfortunately for Harry, things were about to take a turn for the worse. One evening over dinner, Sally inadvertently mentioned that one of Harry’s senior colleagues had successfully bargained for a sizable bonus during the acquisition process. Harry had to see this for himself, and he surreptitiously stole an administrator password by watching a careless admin log in to a system. Armed with his misbegotten admin privileges, Harry added a user account directly to AD and gave that account access to the payroll files.