Skip navigation
All Places > CA Security > CA Identity Management > Blog > Authors wilda05

CA Identity Management

4 Posts authored by: wilda05 Employee

Four Steps that will help you to determine whether you should upgrade.


It’s a known fact: CA customers running the most recent version of CA Identity Manager (IM) log fewer support tickets and have less severity 1 issues than customers on older versions.  


That leads us to the question, “When is the right time to upgrade my CA IM solution?” I’m here to help you make that decision, and CA has several technical tools that help clients determine when to upgrade.


Step 1 in the process is to determine the current solution level by running a tool that CA provides. The tool, which extracts a lot of information about an organization’s IM solution, is called iminfo.bat (for MS Windows environments) or (for UNIX environments). The top lines in the file named “…\CA\Identity Manager\Provisioning Server\bin\caim_iminfo.txt” show the current solution’s build level:



This tool should be run on every server that houses one or more CA IM components, as components on different servers are sometimes at different release levels.


Step 2 is to consult CA’s support matrix, which helps clients determine whether they’re on track with their IM solution, or if they’ve fallen behind and are therefore at risk of losing support. If that’s the case, they need to start planning an upgrade.

In fact, upgrade planning should be an ongoing activity, especially if your organization has a high level of solution acceptance and use. Just like every other agile product deployment these days, it makes sense to always have a backlog as well as a few sprints actively going on or coming up.


Which leads me to step 3, the IM capabilities roadmap. It behooves customers to have a roadmap in place, so that day-to-day operation of the solution don’t get in the way of adding value where it’s most needed. (When Services helps a client implement IM, we provide an initial set of capabilities and give them a roadmap for enhancements.) A best practice is to revisit the roadmap every 12 months to make sure it’s still relevant and valid. The answer depends on how long the solution has been in place and how long ago the roadmap was created.


Step 4, the final step in determining whether an upgrade is in your immediate future, is to gather feedback from your user community. In my experience over the last eight years, a lot of clients don’t take the time to get feedback from their users. Satisfaction surveys or other modes of getting feedback are invaluable in helping organizations determine the capabilities that most need to be upgraded or added. In a future post, I will discuss the kinds of questions that yield the most useful feedback in a satisfaction survey.


As for my next post, I’ll talk about how CA Services can help you create a comprehensive upgrade plan that will justify the (really very reasonable) expense of an upgrade and help you get leadership buy-in on the project. Stay tuned!

Let’s say you implemented an IDM solution about a year ago. Everything hummed along just fine for a while, but now momentum has slowed and you’re experiencing a stall. Here’s how to prevent that stall by doing the right things from the very beginning.


Tip #1: Automate to Foster End-User Participation

Perhaps more than any other enterprise security domain, identity management and governance processes require active and meaningful participation from end users, which can be difficult to foster when processes are manual and/or ad hoc. Consistent, automated processes provide users with a better experience, deliver high satisfaction and increase efficiency. What’s more, the interface needs to be hospitable to the business user, not just the IT-savvy user. In fact, a recent Aberdeen report indicates that a focus on the user experience can increase user productivity by 60 percent and user satisfaction by 80 percent.


Tip #2: Drive Adoption

In driving adoption, training is a must-have—especially the combination of formal education and informal knowledge transfer.

CA Education has a lot of excellent courses for IDM that are excellent for implementers and administrators. In my experience, clients who take advantage of these courses are invariably better prepared for governance when we leave.

Also essential is to leverage ongoing technical knowledge transfer from our technical people—the consultants—to your team’s technical people. We work with your team to show them the ins and outs of the solution, including configurations, log reading, daily backups and recovery, to name just a few. We work hand in hand with the client to be certain the client team is ready to take over governance of the solution. Alternatively, we can provide short- or long-term application management services.


Then there’s the all-important documentation. I’m not talking about reams of paperwork, but we make sure we leave behind enough material so that a year after implementation, when the client wants to expand the project, they have what they need to move quickly. Plus, they don’t have to review everything and figure out what the previous team had in mind.

CA Communities are a great forum for customers, CA colleagues and partners to share experiences, knowledge, and information about new offerings.


Tip #3: Keep Current on Releases

Software is dynamic and undergoes continuous improvement. CA Identity Management is a great example of how feedback we receive from our clients results in new capabilities. Approximately every six months, CA releases a new service pack with new capabilities and code modifications. Because upgrades are inevitable, it’s just logical—and essential—to plan ahead. By doing so, you get both new capabilities and program modifications. Most clients plan upgrades in 18-month cycles. Look for a future blog to deep dive into the planning process.



Tip #4: Minimize Customization

This is so crucial to preventing stall that it has its own post. If you haven’t read it already, take a look.

I welcome your input on what works for you in avoiding the dreaded stall. Please feel free to leave your comments.

As organizations enter emerging markets by acquiring companies that are successful in those markets, the burden falls to IT departments to introduce new services, maintain security and reduce costs by integrating and streamlining operations, all while onboarding acquired employees. Often, that requires customization of your IDM solution, such as interfacing with legacy systems that need to be kept, at least for the time being.


Currently, 70% of IDM implementations I work on have some customization, but it’s tending down. I would estimate that in the past, 70% of IDM implementations had a lot of customization. In discussing whether or not to customize, I remind the customer that once CA leaves the premises, the client is responsible for governance of those customizations, so they need to retain the technical skills to keep it going.


But often, there’s a better solution. CA Services offers several rapid IDM deployment scenarios that reap value in three short months.


Deployment Xpress simplifies the process of deploying common IDM use cases, such as password reset, forgotten password reset, and birthright provisioning to common endpoints such as Active Directory, without custom coding. Clients select the use cases they need, and Deployment Xpress automatically creates the basic code and policies. A virtual appliance makes installation/configuration quick and easy.


Our best advice to customers is to stay on the field of play with out-of-the-box capabilities, but sometimes they need endpoints for which we don’t normally provide provisioning connectors. In those cases, we use Connect Xpress, an out-of-the-box tool, to create a new connector quickly.


Another option is IDM Policy Xpress, where we can do a lot of logic in policies out of the box, so that clients don’t have to code their own Java or C++ code. This is a huge advantage, for two reasons. First, governance is much less of an issue once CA Services leaves the premises. Second, when the client later decides to do a migration or upgrade (or any other work), there is no need for the client to have the right skill set to manage custom components.


When it comes time to migrate to a new release or environment, Config Xpress eases and facilitates a simplified graphical migration of IDM environments. This out-of-the-box tool supports the migration of and delineation of all IDM objects and their dependencies in the environment, including roles, policies, tasks and workflows, among others. It also provides a graphical comparison that establishes the differences between two configurations, without losing yourself in thousands of lines of XML code.


So before you decide that a customized solution is the only way to go, consider the semi-custom route with CA’s Xpress products.

In a leading market survey, 66% of IT security officers stated that their identity and access management processes were too manual and insufficiently automated. This indicates that many organizations get less than full value from their identity management (IDM) solution.


As a CA Services senior security architect, I’ve been involved in dozens—if not hundreds—of IDM implementations. Here’s some advice for getting the most from your solution…with the least amount of blood, sweat and tears.


Tip #1: Get involved from the start and stay committed. While outside experts are almost always key to success, the client’s IT leaders will be held accountable for success or failure. That means they need to identify the right people on their team—the people with the right technical and soft skills—to collaborate with the service provider and take ownership of project success when the service provider leaves the premises. The service provider can help identify the required skills.


Requirements gathering takes place before the implementation officially starts—in fact, often before the contract is signed. This is a critical juncture in for project success, because the implementation will be designed and executed based on the requirements the architect gathers from client stakeholders. Don’t scrimp on the time or commitment that stakeholders allot to this phase.

Our clients are always working on many projects, so it’s often a challenge to ensure that the right people are involved, but I can’t overstate how important it is for them to participate through every phase of the project—and beyond.


Tip #2: Include a business analyst on your internal project team. About 50% of CA Services’ implementations are new solution deployments. The other 50% are migrations, where clients want to expand their use of IDM or upgrade to the next release—or even jump four or five levels.

Migrations present the risk of impacting the client’s business, so requirements gathering focuses on identifying risks and determining the client’s risk tolerance—which, more often than not, is close to zero. We always advocate for including a business analyst on the client team, because analysts are invaluable in identifying risks and risk tolerance.

CA Services often mitigates risk by doing a parallel build. We build a new hardware-software infrastructure with three environments—development, testing/QA and production. We plot out the course for migrating and testing the objects the business needs from existing environments to the new, parallel environments.

In typical migrations, clients want to expand IDM value by automating more business functions, resulting in fewer daily routine tasks for security staff. Expanded value also stems from extending the solution’s reach into new provisioning areas such as a mainframe environment or another database. After we identify how the client wants to expand IDM value, we go into the same kind of thought process as for new deployments—identifying the hardware and software the client should add so that we can provide the new function. During this process, business analysts are essential team members.


Tip #3: Test data needs to be real data, and testing can’t be given short shrift. Unrealistic data causes headaches for everyone—and a less-than-effective solution. Allow plenty of time for testing: Time “saved” on testing translates to time spent on fixing issues later.

CA Services architects now regularly recommend using BlazeMeter and JMeter to ensure that we have a broad set of tasks to run quickly—and the same way every time—to validate the implementation or migration. You’ll see more about these tools in future posts.

If your tests aren’t broad-based enough, you’ll go to production with a failed effort. By taking the time to automate the tests and run enough tests, everyone will be confident when you migrate that you’ve seen 95% of what you expect to see. And users aren’t impaired in their ability to do their work.


Tip #4: Never underestimate the effort required; the larger the organization, the more time it will take. This piece of advice speaks for itself.