Credit Card iPhone stand for taking Video
Recently, I jailbroke my iPhone 3G and installed Qik. It provides live streaming to the Internet from your iPhone (even over 3G).
I have found myself needing a stand so that I could take video and participate in the video personally. Instead of buying one, I created a quick stand out of a credit card. It works pretty well, and is always in my wallet.
Check it out:
Ok… not so Simple Question: How the heck are managers supposed to know if access is correct?
Posted by Mat in IdentityManagement, Roles on May 28th, 2009
How can managers, when presented with their employees’ access across all enterprise applications, make a determination of accuracy? They can’t, or won’t, if they don’t understand what they are attesting to.
So, we have to make it easy for them.
Here are a few ways to make it easier:
Glossary
For business users to understand a list of fine-grained access rights currently held by their employee, the information must be easy to understand. There needs to be a translation between the IT representation of access and what it actually means if you were explaining it to someone face to face. For example, if I were to ask a manager, Joe, whether his employee, Suzy, should have SAP TCode 'BGM1', Joe would have no idea… let alone sign his life away on a decision. We must translate it to, "Is it ok if Suzy has rights to create master warranties?" Ideally, your company would establish a cross-departmental governance board to translate these items, and manage and maintain them over time.
ID Card / Contact Information
During the attestation process, if a manager is provided translated access information, but still doesn’t know if the access is correct or not, who can help? The owner of the access. During automated access certification, the contact information of the owner of the access could/should be presented to the person making the decision about appropriateness, so they can contact them directly and talk about it.
Delegate the decision
What if a manager is reviewing access for an employee, and finds entitlements that they believe are tied to a temporary project, or cross-functional task? They really are not the appropriate attestor of this access…. So, a manager should be able to delegate the decision about access to the appropriate business owner.
Present the right information to the right people
From the outset of your access certification process, you should be thinking about who should be determining appropriateness of access to what applications and data. Building on the example above… the project manager should be presented a list of access relating to the project for individuals on the project. Ensuring your automated solution provides this flexibility of certification populations is important.
Present information about the access data
Enable your attestors/certifiers to make an informed decision. Indicate to them during the certification process if certain access is deemed high risk, or is part of an existing SoD violation, or is of a certain classification (like Finance), or is access that has been previously revoked. All of this metadata about the access information will increase the effectiveness of your access certification process.
Simple Answer: Sit with your certifiers and understand why and where they are having difficulty completing their certifications, and apply some of the items above to make it easier for them.
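The items above, put together into one certification worklist. This is an added example and not code from the original post or from any product: the glossary entries, the project-owner routing, the prior-campaign decisions and the SoD hits are all constructed inputs, and the field names are assumptions. It translates each entitlement through the glossary, attaches the owner's contact, routes project-tagged access to the project owner instead of the line manager, flags high-risk, SoD-violating and previously revoked access, and lets a certifier delegate an item they cannot decide.

```python
# Added example: assembling a certifier-facing worklist from warehouse access.
# Every data structure below is constructed for illustration.

# Glossary maintained by the governance board: raw entitlement -> business meaning.
GLOSSARY = {
    ("sap", "BGM1"): {
        "description": "Create master warranties",
        "owner": "warranty-team@example.com",  # assumed owner contact
        "classification": "Service",
        "risk": "high",
    },
    ("accounting", "vendor.pay"): {
        "description": "Release payments to vendors",
        "owner": "ap-owner@example.com",
        "classification": "Finance",
        "risk": "high",
    },
}

# Current access for one employee, pulled from the identity warehouse.
ACCESS = [
    {"subject": "suzy", "manager": "joe", "app": "sap", "ent": "BGM1"},
    {"subject": "suzy", "manager": "joe", "app": "accounting", "ent": "vendor.pay"},
    {"subject": "suzy", "manager": "joe", "app": "jira", "ent": "project-apollo-admin", "project": "apollo"},
    {"subject": "suzy", "manager": "joe", "app": "ad", "ent": "GG-Legacy-Share"},
]
PROJECT_OWNERS = {"apollo": "pm_lee"}                 # project -> certifier for project access
PRIOR_REVOKES = {("suzy", "ad", "GG-Legacy-Share")}   # decisions from the last campaign
SOD_HITS = {("suzy", "accounting", "vendor.pay")}     # output of an SoD evaluation run


def build_worklist(access, glossary, project_owners, prior_revokes, sod_hits):
    """Route each access item to the right certifier and enrich it with metadata."""
    worklist = {}
    for row in access:
        meta = glossary.get((row["app"], row["ent"]))
        triple = (row["subject"], row["app"], row["ent"])
        flags = []
        if meta is None:
            flags.append("untranslated")           # glossary gap: send to the governance board
        else:
            if meta["risk"] == "high":
                flags.append("high risk")
            flags.append(f"classification: {meta['classification']}")
        if triple in sod_hits:
            flags.append("part of an SoD violation")
        if triple in prior_revokes:
            flags.append("previously revoked, re-granted")
        # Project access goes to the project owner; everything else to the line manager.
        certifier = project_owners.get(row.get("project"), row["manager"])
        if meta:
            question = f"Is it ok if {row['subject']} can {meta['description'].lower()}?"
        else:
            question = f"Should {row['subject']} have {row['app']} {row['ent']}?"
        item = {
            "subject": row["subject"],
            "access": f"{row['app']}:{row['ent']}",
            "question": question,
            "owner_contact": meta["owner"] if meta else None,
            "flags": flags,
        }
        worklist.setdefault(certifier, []).append(item)
    return worklist


def delegate(worklist, certifier, access, new_certifier):
    """Move one pending item from a certifier who cannot decide to someone who can."""
    for item in worklist.get(certifier, []):
        if item["access"] == access:
            worklist[certifier].remove(item)
            worklist.setdefault(new_certifier, []).append(item)
            return item
    raise KeyError(f"{certifier} has no pending item for {access}")


if __name__ == "__main__":
    wl = build_worklist(ACCESS, GLOSSARY, PROJECT_OWNERS, PRIOR_REVOKES, SOD_HITS)
    for who, items in wl.items():
        for item in items:
            print(who, "<-", item["question"], item["flags"])
```

The "untranslated" flag is the useful by-product: every item carrying it is an entitlement the governance board has not yet given a business meaning, which is exactly the list to hand them before the next campaign.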
Simple Question: Is this access correct?
Posted by Mat in IdentityManagement, Roles on May 21st, 2009
Correct…
What is correct?
- Is the data in the warehouse up to date?
- Are the accounts correlated correctly to their owners?
  - How do you know?
  - What about the accounts that can't be correlated to an actual person?
    - Are they system accounts (used by applications)?
    - Are they privileged accounts used by IT administrators (bad: a shared password that nobody owns)?
    - Are they accounts that were once owned by employees, contractors or partners who no longer have a relationship with the business?
- Is each person's access correct based on least privilege (only the access needed to perform their job)?
  - What is least privilege for Suzy? For Bob?
- Does any of the current access represent a risk?
  - Does anyone have the ability to perform an unwanted transaction (or set of transactions)?
  - Who has privileged access to applications and data?
To properly answer these questions, you have to ask the people who would know… The Business. If you ask the IT department, they might be able to tell you when the access was granted, and maybe even how… but it is unlikely that they can tell you why… and even more unlikely that they know if it is still needed.
The business also knows if the current, static access of each person is correct. If there is anyone in the company that knows what access Bob or Suzy actually needs, it's their manager or possibly the owners of the applications on which they have accounts. The business owners need to review each individual's exact access, down to the entitlement level, and make a determination of appropriateness. This is the process of access certification.
Additionally, the business should be engaged to decide what entitlements, when granted to the same individual, constitute a Separation of Duties violation. These SoD policies can typically span the entire enterprise, and all applications should be considered during the evaluation cycle. For example, your vendor management (for creating vendor records) could be in an operational application, like a fulfillment or inventory solution, while your vendor payment process may rely on the records in your accounting application. In this scenario, if someone had the ability to create a vendor in the inventory solution, and then pay the vendor in the accounting solution, this would constitute a SoD violation, or a “Toxic Combination” of access. This is why the ability to define and enforce SoD policies across enterprise applications is critical.
Simple Answer: Once you've built an identity warehouse, execute an SoD evaluation and complete an access certification. Once they are complete, you truly have "Identity Gold"… all nice and shiny.
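The vendor example above, as an SoD evaluation run over a warehouse view. This is an added example, not code from the post or from any product. The warehouse, the policies and the privileged-entitlement list are constructed; the point it shows is that a policy needs two sides, each listing every entitlement in any application that grants the capability, so that "create vendor in the inventory system" and "pay vendor in the accounting system" are caught even though they live in different applications.

```python
# Added example: evaluating Separation of Duties policies across applications.
# Warehouse, policies and classifications below are constructed for illustration.

# Identity warehouse view: subject -> set of (application, entitlement) held.
WAREHOUSE = {
    "suzy": {("inventory", "vendor.create"), ("accounting", "vendor.pay"), ("sap", "BGM1")},
    "bob": {("inventory", "vendor.create"), ("accounting", "invoice.view")},
    "carol": {("inventory", "vendor.edit"), ("accounting", "payment.release")},
    "adm-ops": {("accounting", "sysadmin"), ("ad", "Domain Admins")},
}

# An SoD policy has two sides; holding anything on both sides is a toxic combination.
# Each side lists every entitlement, in any application, that grants that capability.
SOD_POLICIES = [
    {
        "name": "Create vendor + pay vendor",
        "left": {("inventory", "vendor.create"), ("inventory", "vendor.edit")},
        "right": {("accounting", "vendor.pay"), ("accounting", "payment.release")},
    },
    {
        "name": "Create purchase order + approve purchase order",
        "left": {("purchasing", "po.create")},
        "right": {("purchasing", "po.approve")},
    },
]

# Entitlements the business has classified as privileged.
PRIVILEGED = {("accounting", "sysadmin"), ("ad", "Domain Admins")}


def evaluate_sod(warehouse, policies):
    """Return one record per (subject, policy) where the subject holds both sides."""
    violations = []
    for subject, held in warehouse.items():
        for policy in policies:
            left = held & policy["left"]
            right = held & policy["right"]
            if left and right:
                violations.append({
                    "subject": subject,
                    "policy": policy["name"],
                    "held": sorted(left | right),   # the exact entitlements to revoke one of
                })
    return violations


def privileged_access(warehouse, privileged):
    """Answer 'who has privileged access?' from the same warehouse view."""
    return {s: sorted(held & privileged) for s, held in warehouse.items() if held & privileged}


def entitlement_holders(warehouse, app, ent):
    """Answer 'who has access to what?' for a single entitlement."""
    return sorted(s for s, held in warehouse.items() if (app, ent) in held)


if __name__ == "__main__":
    for v in evaluate_sod(WAREHOUSE, SOD_POLICIES):
        print(f"{v['subject']}: {v['policy']} via {v['held']}")
    print(privileged_access(WAREHOUSE, PRIVILEGED))
```

Note that bob is not a violation: he can create a vendor but only view invoices, so the policy correctly stays quiet, while carol is caught through the alternate entitlements on each side. Both results depend entirely on the warehouse being complete and correctly correlated, which is why the warehouse comes first.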
….next question: How the heck are managers supposed to know if access is correct?
Simple Question: Who has access to what?
Who has access to what?.. a simple question, but one that is not so easy to answer for a lot of companies, including the companies compelled to answer it in order to meet their regulatory obligations.
Siloed IT departments, mergers and acquisitions, employee transfers, contractors hired into full-time positions, and terminations can all lead to a proliferation of invalid access. Getting a handle on who has access to what is often a difficult task that requires cross-departmental cooperation and process development just to gather the data. Once gathered, correlation of accounts to an actual person or "subject" needs to occur, and that is also not an easy task.
We often overlook the value of gathering Identity data. In a recent face-to-face meeting with Ian Glazer of the Burton Group, he referred to this as “Identity Gold”, and I completely agree.
This step is the foundation for Access Certification, Role Mining, Entitlements Management, Policy Evaluation, Identity Auditing, and numerous other custom services developed by our customers.
Simple Answer: Build an Identity Warehouse… next question: Is this access correct?
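The correlation step, as an added example that is not code from the post or from any product. The HR feed and the account dumps are constructed, and the rule order (employee id first, e-mail as a weaker fallback) and the orphan buckets are assumptions about what a first pass usually looks like. What it shows is that the leftovers are the interesting output: each uncorrelated account falls into one of the buckets from the previous post (system, privileged, former employee) and needs a different follow-up, and accounts that did correlate can still belong to someone HR says is gone.

```python
import re

# Added example: correlating application accounts to people. All data is constructed.

# Authoritative source of people (an HR feed).
HR = [
    {"emp_id": "10042", "name": "Suzy Chen", "email": "suzy.chen@example.com", "status": "active"},
    {"emp_id": "10077", "name": "Bob Ortiz", "email": "bob.ortiz@example.com", "status": "terminated"},
]

# Account dumps from two systems; each system exposes different attributes.
ACCOUNTS = [
    {"app": "ad", "account": "schen", "emp_id": "10042", "email": None},
    {"app": "sap", "account": "SCHEN", "emp_id": None, "email": "Suzy.Chen@Example.COM"},
    {"app": "ad", "account": "bortiz", "emp_id": "10077", "email": None},
    {"app": "ad", "account": "svc_backup", "emp_id": None, "email": None},
    {"app": "sap", "account": "ADMIN", "emp_id": None, "email": None},
    {"app": "sap", "account": "jdoe", "emp_id": None, "email": "jdoe@example.com"},
]

SERVICE_PATTERN = re.compile(r"^(svc|sys|srv)[_-]", re.IGNORECASE)   # assumed naming convention
PRIVILEGED_NAMES = {"admin", "administrator", "root"}


def classify_orphan(account_name):
    """Heuristic bucket for an account nobody owns; each bucket needs a different follow-up."""
    if SERVICE_PATTERN.match(account_name):
        return "service"      # needs an application owner on record
    if account_name.lower() in PRIVILEGED_NAMES:
        return "privileged"   # shared credential: get it under control or remove it
    return "unknown"          # candidate former employee/contractor: review for removal


def correlate(hr, accounts):
    """Build the identity warehouse: people with their accounts, plus the leftovers."""
    by_emp_id = {p["emp_id"]: p for p in hr}
    by_email = {p["email"].lower(): p for p in hr}
    warehouse = {p["emp_id"]: {"person": p, "accounts": []} for p in hr}
    orphans = []
    for acct in accounts:
        person, rule = None, None
        # Strongest rule first: an employee id stamped on the account.
        if acct["emp_id"] in by_emp_id:
            person, rule = by_emp_id[acct["emp_id"]], "emp_id"
        # Weaker fallback: case-insensitive e-mail match (record which rule fired).
        elif acct["email"] and acct["email"].lower() in by_email:
            person, rule = by_email[acct["email"].lower()], "email"
        if person is None:
            orphans.append({**acct, "kind": classify_orphan(acct["account"])})
        else:
            warehouse[person["emp_id"]]["accounts"].append({**acct, "matched_by": rule})
    return warehouse, orphans


def stale_accounts(warehouse):
    """Accounts correlated to people who no longer have a relationship with the business."""
    return [
        (entry["person"]["emp_id"], a["app"], a["account"])
        for entry in warehouse.values()
        if entry["person"]["status"] != "active"
        for a in entry["accounts"]
    ]


if __name__ == "__main__":
    wh, orphans = correlate(HR, ACCOUNTS)
    for emp_id, entry in wh.items():
        print(emp_id, entry["person"]["name"], [a["account"] for a in entry["accounts"]])
    print("orphans:", [(o["app"], o["account"], o["kind"]) for o in orphans])
    print("stale:", stale_accounts(wh))
```

Keeping the "matched_by" rule on every correlated account matters later: an e-mail match is a guess that a certifier should be able to see and dispute, whereas an employee-id match is something the source system asserted.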
Always on Top… I love my Mac, but really.. can we get this added?
As an avid Linux user prior to my migration to Mac (happy migration), I relied heavily on the "Always on Top" feature in GNOME. The main reasons were to keep a chat window or log terminal viewable (and possibly somewhat transparent) while performing other tasks. As user-centric as OS X is, this is a feature that it lacks. Thankfully, there's Afloat 2 to save the day (for Cocoa apps only). Thanks Infinite-Labs!
Proximity + JackSMS + AppleScript = Mac Fun
I recently "StumbleUpon"ed a utility for my Mac called Proximity. It basically can detect when a Bluetooth device is within range and when it's not, and fires any AppleScript when the status changes. So, I did a bit of Googling (love how these new verbs get created) and found some pretty cool scripts.
Cloning and owning some of the best stuff I found, my Mac now detects when my iPhone leaves (hopefully in my pocket) and then executes the following:
- Sets my Adium status to “Away”
- Pauses iTunes
- Sets JackSMS status to “On”
- Locks my Mac (via a setting in JackSMS)
For those of you who are not familiar with JackSMS, it is a small utility that will detect when your Mac is moved, unplugged, etc. When JackSMS is triggered, it fires an alarm (just speaker noise), sends you an SMS, and emails you a picture taken from the built-in iSight camera. Very cool. It also locks your machine if enabled to do so.
When my iPhone returns to the scene, the reverse happens:
- Adium status is set to “Available”
- un-pause (play) iTunes
- Sets JackSMS status to “Off”
- Unlocks my Mac (without password) via JackSMS setting
- BONUS: Says “Welcome back master, the current time is XX:XX:XX”
If you want to give this setup a try here are the steps:
- Download and install Proximity
- Download and install JackSMS
- Create an “away” and “back” AppleScript, mine are listed below
- Configure Proximity to execute these scripts
- Set Proximity to check for the device every 10 seconds
- Configure JackSMS to lock the screen when the status is on
- Balance the iTunes and Mac volume so that when the script runs you can hear the Mac “talking” and not blaring the Music
Give it a shot and let me know what you think….
caveat: I’m an AppleScript newbie, so there’s probably a better way to write the script
ProximityAway.scpt
-- Pause iTunes if it is running (checking first avoids launching it)
tell application "System Events"
set itunes_running to (exists process "iTunes")
end tell
if itunes_running is true then
tell application "iTunes"
pause
end tell
end if
-- Set JackSMS status to on, which also locks the computer
tell application "JackSMS" to set jack status to "on"
delay 1
-- Set Adium status to away
tell application "System Events"
set adium_running to (exists process "Adium")
end tell
if adium_running then
tell application "Adium" to go away with message "I am away from my computer"
end if
ProximityBack.scpt
-- Resume iTunes if it is running (might add in fancy fade later)
tell application "System Events"
set itunes_running to (exists process "iTunes")
end tell
if itunes_running is true then
tell application "iTunes"
play
end tell
end if
-- Set JackSMS status to off, which also unlocks the computer
tell application "JackSMS" to set jack status to "off"
delay 1
-- Set Adium status to back
tell application "System Events"
set adium_running to (exists process "Adium")
end tell
if adium_running then
tell application "Adium" to go available
end if
say "Welcome back master" using "Zarvox"
delay 1
say "the current time is" using "Zarvox"
say (time string of (current date)) using "Zarvox"
Software Positioning Brainstorming with MindMeister
I recently dug in deep on positioning a product here at Sun Microsystems, and to help I constructed this mind map on MindMeister.com (which, BTW, is a great tool). Hope it helps someone out there.
No more del.icio.us links here!
Posted by Mat in Daily Links on January 13th, 2009
The end of my links-for-200x-xx-xx!
I have officially disconnected Wordpress and Del.icio.us and deleted all blog entries created by del.icio.us.
If you would like to follow my del.icio.us links, please subscribe to the RSS feed here.
If you were checking here everyday at 11:00 PM central to see what great thing I found that day… click the link above, wait an hour, and check here instead: http://www.woot.com … it’s more interesting.
Cheers!
Reminder of Leadership
Posted by Mat in ProductManagement on July 9th, 2008
Focus.
I often lose focus on a topic or characteristic as it becomes less important in my life, and it is good to be reminded of the aspects of professionalism that span any job and any relationship.
This blog entry on Leadership in Product Management from Michael Ray Hopkin spoke to me this morning.. particularly this quote from Colin Powell: "Great leaders are almost always great simplifiers, who can cut through argument, debate, and doubt to offer a solution everybody can understand." – General Colin Powell
Thanks for the reminder Michael.
Business Roles and IT Roles, is there a need for distinction?
As I return from my first Burton Catalyst show in San Diego, many of the ideas, concepts and statements presented still linger in my head. Before they all leak out, I'll attempt to formalize some of them.
In this first blog post relating to the show, I wanted to talk about the difference between Business Roles and IT Roles and the need for their distinction. Now before I go any further, I want to direct you to my blog's tag line… Simplicity is elemental…. my attempt here is not to go head to head with academia and the drivers of standards, but to try and tackle a complex subject simply… and hopefully the outcome relates to the standards and open debates currently brewing.
Business Roles at the core are a representation of a relationship an individual has with an enterprise or organization.
Examples:
- A job function like Product Manager or CFO
- An affiliation like alumni or contributor
- A temporary relationship, internal or external, like project leader or anonymous buyer
In all cases, there is a set of attributes or information that can be modeled and captured for each segmented group.
IT Roles can be described as a container of entitlements, or simply, a set of rights to gain (or deny) access to information or assets.
Examples:
- Access to the accounting system for viewing sales data
- Perimeter access to the Austin Campus
Now, the topic of debate at hand. Is there truly a need for the distinction between Business Roles and IT Roles?
The thought leaders at the conference seemed to be in two camps, one which was more pragmatic about the current application of Roles and believed there is little need for the separation, and one which was more standards based and academic, believing that there is a need for distinction.
I side with the latter, but for the reason of the former. Business Roles and IT Roles have pragmatic application uses today… whether they are being utilized or not.
What struck me odd about the conversations and debates about this subject is that no one chose to span the gap and talk about how Business and IT Roles apply to actual market problems today and in the future. There is an immediate need for Roles Based Access Control, which does not require Role Types, but by defining types now, there are options for additional uses of each type within and outside the scope of the current IT needs.
In my opinion, there is value in Business Roles and modeling a relationship outside the context of IT entitlements.
Examples:
- Segmenting customers by Role
  - Airlines do this with their rewards programs (member, platinum, executive platinum). Arguably, this is just an attribute of an individual in the context of the company's relationship to them, but that is limiting. Modeling an Executive Platinum role gives an airline a way to group individuals based on their relationship to the company and provide additional services (which can be an IT function such as free WiFi access in the executive lounge or a human interaction such as an extra "You're super awesome" phone call). A role also facilitates additional customer relations such as affiliations with partners…. Exec Platinum members get free coffee at <insert favorite coffee shop here>.
- Segmenting employees by Roles other than their Job Function
  - Roles based on enrollment in corporate programs such as Fitness or Philanthropic ventures. A member of the Fit Club could be given access to the Gym (an IT function), but the membership could also indicate to others in the organization that you have optionally chosen to provide assistance to others looking to get fit.
These examples show the value of Roles outside of IT functions. So, I agree with camp 2 that there is a need for at least a conceptual distinction. However, the reason that 99% of the people were even discussing Roles at Burton Catalyst was in the context of IT functions. Roles today, whether business or IT roles, are being used to describe IT access. Therefore, I also agree with the pragmatic view of camp 1, in that there does not need to be an implemented distinction.
With all that said, if I were implementing a Role Based Access Control solution, I would model Business Roles and IT Roles. Here's why: it's easier to understand and manage over time.
If you own a coffee shop and wanted to give your employees roles how would you begin? You would likely start with the job functions or titles of the employees. Maybe you end up with a “Barista” role. Now, a Barista needs what? Well they need to be able to “clock in”, they need access to the bean storage, and they need access to the barista training material. Oh, and maybe we decide that this Role is Activated once training is completed. Do they need access to the cash register? maybe. Is there a business need for a Barista to check out a customer?
So let’s begin.
Step 1: Create new “Barista” role.
Step 2: Give the Barista access to the system for clocking in…. How do we do that? Do we assign access rights directly to the Barista Role or do we create an IT Role that contains the access rights to clock in? Both would work, but direct assignment limits you from grouping access rights in a logical way across systems. A “Base Access” IT Role could contain the access rights for perimeter access and the ability to clock in…. everybody needs to be able to enter the kitchen and clock in, right? So in this scenario you have either:
- Barista (Role)
  - Clock in (Entitlement)
  - Perimeter Access (Entitlement)
  - Bean Closet Access (Entitlement)
  - Inventory System Access (Entitlement)
or:
- Barista (Business Role)
  - Base Access (IT Role)
    - Clock in (Entitlement)
    - Perimeter Access (Entitlement)
  - Supplies Controller (IT Role)
    - Bean Closet Access (Entitlement)
    - Inventory System Access (Entitlement)
Ok, ok.. I know what you're thinking… Yes, this is a good place for a hierarchy…. so I guess we should step briefly into that. Taking another look, you could state that Barista is an extension of an Employee, and if you are assigned a Barista Role, that should include the Employee Role and all of the Entitlements it provides. Here's how that would look.
- Barista (Business Role)
  - Employee (Business Role)
    - Base Access (IT Role)
      - Clock in (Entitlement)
      - Perimeter Access (Entitlement)
  - Supplies Controller (IT Role)
    - Bean Closet Access (Entitlement)
    - Inventory System Access (Entitlement)
Back to the ease of use… In all the cases above, when you are describing the access to someone, you'd say, "Bob's a Barista, which means he can clock in, get in the kitchen, get in the bean closet, and update the inventory system" …. Now what if instead of 4 entitlements, Bob had 40. Would you list them all, or would you say… "Bob's a Barista, which gives him the ability to manage the supplies" … and just assume that it is understood that he has the "Base Access"? And from a management standpoint, modeling Business and IT Roles is also easier to manage. Isn't it easier to create a new Super Barista role and merely assign the Barista (Business Role) and the IT Role "Vault Access", which provides access to the Super Expensive (yet very disturbing) beans, than to assign all the entitlements directly?
- Super Barista (Business Role)
- Barista (Business Role)…
- Special Supply Controller (IT Role)
- Vault Access (Entitlement)
One additional (and good) argument for Role Types (in this case Business and IT) is that it allows you to implement management controls around the roles themselves…
Examples:
- Only Business Roles can be directly assigned to users
- Only “Administrators” can edit IT Roles
- Business Roles can only contain other Roles, and not direct entitlements
- All Business Roles must be approved by HR
At the end of the day, maybe it's just a semantic difference. Whatever you call it, a well modeled, typed, hierarchical, inherited model will best serve the enterprise.
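The coffee shop model above, as an added example that is not code from the post or from any product. The role names and entitlements are the ones used in the post; the class names, the API and the choice of which of the management controls to enforce (Business Roles contain roles only, and only Business Roles are assigned to users) are assumptions. It shows what the typed hierarchy buys you in practice: effective entitlements are computed by walking the containment graph (cycle-safe), the human description stays at the IT-role level, and the controls are enforced at the point where a role is defined or assigned.

```python
from dataclasses import dataclass, field

# Added example: a typed, hierarchical role model for the coffee shop in the post.
# Role and entitlement names come from the post; the API is made up for illustration.


@dataclass
class Role:
    name: str
    kind: str                                    # "business" or "it"
    roles: set = field(default_factory=set)      # names of contained roles
    entitlements: set = field(default_factory=set)


class RoleModel:
    def __init__(self):
        self.roles = {}
        self.assignments = {}   # user -> set of business role names

    def add(self, role):
        if role.kind not in ("business", "it"):
            raise ValueError(f"{role.name}: unknown role type {role.kind!r}")
        # Control: Business Roles contain other roles only, never direct entitlements.
        if role.kind == "business" and role.entitlements:
            raise ValueError(f"{role.name}: business roles cannot hold entitlements directly")
        self.roles[role.name] = role

    def assign(self, user, role_name):
        # Control: only Business Roles are assigned directly to users.
        if self.roles[role_name].kind != "business":
            raise ValueError(f"{role_name} is an IT role; assign a business role instead")
        self.assignments.setdefault(user, set()).add(role_name)

    def contained_roles(self, role_name):
        """All roles reachable from role_name through containment (cycle-safe)."""
        seen, stack = set(), [role_name]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            stack.extend(self.roles[name].roles)
        return seen

    def effective_entitlements(self, user):
        """Flatten a user's business roles down to the entitlements they actually grant."""
        ents = set()
        for top in self.assignments.get(user, ()):
            for name in self.contained_roles(top):
                ents |= self.roles[name].entitlements
        return ents

    def describe(self, user):
        """The short explanation: which IT roles a user's business roles grant."""
        it_roles = sorted(
            n for top in self.assignments.get(user, ())
            for n in self.contained_roles(top) if self.roles[n].kind == "it"
        )
        business = sorted(self.assignments.get(user, ()))
        return f"{user} is {', '.join(business)}, which grants {', '.join(it_roles)}"


def coffee_shop():
    """The Employee / Barista / Super Barista hierarchy from the post."""
    m = RoleModel()
    m.add(Role("Base Access", "it", entitlements={"Clock in", "Perimeter Access"}))
    m.add(Role("Supplies Controller", "it",
               entitlements={"Bean Closet Access", "Inventory System Access"}))
    m.add(Role("Special Supply Controller", "it", entitlements={"Vault Access"}))
    m.add(Role("Employee", "business", roles={"Base Access"}))
    m.add(Role("Barista", "business", roles={"Employee", "Supplies Controller"}))
    m.add(Role("Super Barista", "business", roles={"Barista", "Special Supply Controller"}))
    return m


if __name__ == "__main__":
    model = coffee_shop()
    model.assign("Bob", "Barista")
    print(model.describe("Bob"))
    print(sorted(model.effective_entitlements("Bob")))
```

When a new Super Barista role is added, nothing about Bob's description changes and nothing is re-listed: the flattening does the work, and the two controls stop the two shortcuts (an entitlement dropped straight into a business role, an IT role handed straight to a user) that erode the model over time.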
