M-Tech Information Technology's ID-Org

Cleaning Up Green Bay

I tested a beta version of ID-Org with NWC Inc.'s org structure in our business-applications lab in Green Bay, Wis. (Read more about our real-world environment for testing enterprise-class software) A Windows 2000-based application, ID-Org takes advantage of existing Web servers, supporting deployment to Microsoft's Internet Information Server 4 and higher, Apache, SunONE and iPlanet. If ID-Org will be managing accounts in applications as well as directories, the server it's installed on must have the appropriate client software, such as the Notes R5, Oracle, SQL Server or Novell client.

After installation, I had to configure at least one target system within ID-Org. The application uses target systems to harvest user information in order to create and manage the corporate organizational hierarchy. Among the target systems supported are various directories, including Active Directory, Novell Directory Server and LDAP-based ones, as well as databases such as Oracle and SQL Server. I pointed ID-Org at NWC Inc.'s Active Directory installation and performed a manual update to force ID-Org to fetch the user information. The program synchronizes data nightly (based on a time you set), or you can force a synchronization.

ID-Org correctly imported all 234 NWC Inc. users from Active Directory. You can configure ID-Org's self-service portal to authenticate to one or more target systems as well.

After configuring ID-Org with the appropriate e-mail server parameters to send notifications (using NWC Inc.'s Exchange server), I kicked off an organizational-discovery process by choosing a top-level manager from the list of users (the CEO). Posing as the CEO, I received an e-mail saying I should log in to the portal and specify my subordinates. ID-Org let me search through its imported user list and select those employees reporting directly to me.

Once I had compiled the list, I designated managerial status for employees who weren't already so specified or removed said status. Once this work was completed and verified, ID-Org sent e-mail notifications to all subordinates with managerial status so they could list their subordinates. The e-mail messages contained instructions and a link to the self-service portal.I logged in as one of the CEO's direct subordinates after receiving the mail and chose a mix of managers and nonmanagers as subordinates. Then, as CEO, I received a message that a pending security request awaited my approval. ID-Org requires managerial approval whenever subordinates attempt to change the status of a subordinate.

Updating the Data

ID-Org provides the means for ongoing maintenance. A configurable, scheduled update pulls users from the target systems, and when users are deleted or added, the appropriate person--that is, the direct manager--in the hierarchy is notified. If a top-level manager leaves, a higher-level manager can reassign all subordinates to a new manager through the user interface. Managers also can transfer, delete or reassign subordinates, keeping the data up to date.

ID-Org offers configuration options for the discovery process in terms of duration and escalation. Reminders can be sent to managers who don't update the hierarchy within a configurable time period, and requests to specify subordinates can be pushed to upper management if not fulfilled within configurable time limits.

However, some operational functions cannot be accomplished from the administrative console. To import and export data, as well as manage some aspects of the user IDs, you must use the command-line utilities. One of NWC Inc.'s customer service representative accounts was originally disabled, which meant the rep couldn't log in to the self-service portal and subsequently was locked out of the portal for attempting to login. As the rep's senior manager, I enabled the account within Active Directory and then had to run a command-line utility to unlock the account within ID-Org. If you purchase ID-Org as a part of M-Tech's larger ID Management installation, such fixes can be handled through the console of one of the included products.ID-Org also offers an option to load an organization chart from existing data through a command-line utility, loadorgchart. I created a second instance of ID-Org and attempted to use this, but ran into problems because of the detail within the file I exported from Active Directory. The utility requires very little information, and apparently too much information is problematic for the tool. But this option is useful: The discovery process becomes more of a verification exercise, saving managers time.

Whether you're planning an ID Management deployment, considering a BPM implementation or just want to get the data right, ID-Org is great for discovering the organizational hierarchy hidden within your directories and putting them to use. Because ID-Org integrates with existing directories, the data used by enterprise applications that require a valid organizational hierarchy will be up to date, and process flows will run smoothly.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected]. .