Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Wonky thought for the day.

Be careful not to confuse your customer relationship management (CRM) with your identity and access management (IAM).

When you’re building an IAM infrastructure, it’s easy to put too much into your identity stores if part of your business is tracking other information about your users.  For example, if I have a banking client who needs access to her account online, I don’t need to know her banking history, her contact information, her balance, her favorite broker, her country of origin, etc.  None of that is relevant to my job of managing her access.  If the Private Banking department tells me she’s getting a login and they’ve approved it, great, I’m done. 

All I need to do is tell her apart from the other users of the system, whether they’re customers or not—that is, perform the identification.  I also need to make sure nobody else uses her login (meaning authentication).  The only other information I need to store is anything that directly relates to the kind of access she gets and the approval chain that led to that access being granted (authorization).  If it’s not about identification, authentication or authorization for the system itself, I don’t want to be responsible for it.  Besides, logins may come and go, but the business may have a need to track a customer over time regardless of whether she is currently using the online services.

Sometimes if you’re too integrated with the business, it’s easy to get pulled into parts of the business where you don’t belong.  Make sure that the business is in charge of managing business information, not you.  Don’t let them put just “one more thing” into your own database: either you’ll have to maintain it yourself, which means more work, or you’ll have to give them more access to do it themselves, which means that you’ll have to let more people futz around with a security system than is really advisable.  Strive to keep your IAM system pure.
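As an added illustration (not part of the original post), here is one way to make that boundary enforceable rather than merely a policy: a toy identity store whose provisioning routine accepts only identification, authentication and authorization attributes, keeps an opaque reference to the CRM record instead of a copy of its data, records the approval chain behind each entitlement, and rejects anything else outright. The field names, the `crm_reference` pointer and the shape of the approval record are assumptions made for this example.

```python
"""Toy identity store that refuses to hold business (CRM) data.

Constructed example for the post above, not code from the blog or any
real IAM product. Only identification, authentication and authorization
attributes are accepted; everything else is an error, not a silent write.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

# The three things the identity store is allowed to know (assumed names).
IDENTIFICATION = {"subject_id", "crm_reference"}   # crm_reference: opaque pointer, not CRM data
AUTHENTICATION = {"password_hash", "password_salt"}
AUTHORIZATION = {"entitlements", "approvals"}
ALLOWED = IDENTIFICATION | AUTHENTICATION | AUTHORIZATION
# Plaintext password is accepted at provisioning time only and never stored.
PROVISIONING_ONLY = {"password"}


class BusinessDataRejected(ValueError):
    """Raised when a caller tries to park CRM attributes in the identity store."""


@dataclass
class Approval:
    """Who approved which entitlement; this is authorization data, so it belongs here."""
    department: str
    approver: str
    entitlement: str


@dataclass
class Identity:
    subject_id: str            # tells this user apart from every other user
    crm_reference: str         # link back to the business record, nothing more
    password_salt: bytes
    password_hash: bytes
    entitlements: set = field(default_factory=set)
    approvals: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def provision(request: dict) -> Identity:
    """Create an identity from a provisioning request.

    Any key that is not IdAA data (balance, contact details, favorite broker,
    country of origin, ...) is rejected so it cannot creep into this store.
    Access is only granted for entitlements that carry an approval.
    """
    extra = set(request) - ALLOWED - PROVISIONING_ONLY
    if extra:
        raise BusinessDataRejected(
            f"not IAM data, belongs in the CRM: {sorted(extra)}")
    if not request.get("approvals"):
        raise PermissionError("no approval chain for the requested access")

    salt = os.urandom(16)
    ident = Identity(
        subject_id=request["subject_id"],
        crm_reference=request["crm_reference"],
        password_salt=salt,
        password_hash=hash_password(request["password"], salt),
    )
    # Entitlements are derived from approvals, never supplied directly.
    for raw in request["approvals"]:
        approval = Approval(**raw)
        ident.approvals.append(approval)
        ident.entitlements.add(approval.entitlement)
    return ident


def authenticate(ident: Identity, password: str) -> bool:
    """Constant-time comparison of the candidate password against the stored hash."""
    candidate = hash_password(password, ident.password_salt)
    return hmac.compare_digest(ident.password_hash, candidate)


def authorize(ident: Identity, entitlement: str) -> bool:
    """Authorization is a lookup against approved entitlements only."""
    return entitlement in ident.entitlements


if __name__ == "__main__":
    # Constructed request: Private Banking approved an online-banking login.
    req = {
        "subject_id": "u-1001",
        "crm_reference": "crm-77",
        "password": "correct horse battery staple",
        "approvals": [{"department": "Private Banking",
                       "approver": "jdoe", "entitlement": "online_banking"}],
    }
    ident = provision(req)
    print(authenticate(ident, "correct horse battery staple"), authorize(ident, "online_banking"))
    try:
        provision({**req, "balance": 125000, "favorite_broker": "A. Smith"})
    except BusinessDataRejected as err:
        print("rejected:", err)
```

The point of the `extra` check is that the store fails loudly when someone tries to add "one more thing"; the CRM keeps the customer history and can outlive the login, while the identity record keeps only the pointer it needs to join the two.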

Posted by shrdlu on Tuesday, September 02, 2008