As the market leader of complete solutions built on a virtual identity platform, our customer experience has revealed many misconceptions about the capabilities a Virtual Directory Server should have. As we continue our series, we examine the myth that "Virtual Directories do not need metadata or data modeling capabilities".
Virtualization by Proxy is just one small use case for Virtual Directory
As with any myth, the story is seductive because of its simplistic view of reality. In a proxy use case, a Virtual Directory is essentially about joining together "some" existing directories. Metadata management seems unnecessary because the underlying structures are very similar, and data modeling seems unnecessary if some lightweight remapping is sufficient. Closer examination, however, reveals that except for very narrow use cases (which generally have a low return on investment) the reality is much more complex.
A Virtual Directory Service is an integration point for many different existing data sources. In some cases those sources are standard LDAP directories. In most cases, though, you have a mix: directories with specific extensions (e.g. Active Directory), relational databases, and APIs or Web services which are not LDAP-compatible at all. Mapping the different schemas (i.e. the different objects and attributes belonging to different application domains) onto one another is not trivial unless you are supported by well-designed tools that understand metadata and support data modeling.
Virtual Directories are key to a flexible identity infrastructure
The directory, even a virtual one, is a key piece of your infrastructure. You need flexibility. You need a service that can adapt to evolving requirements (authentication, authorization, provisioning, federation) and cater to different business constituencies. The bottom line is you need a directory which can offer more than one view of the world. You need a complete data model that abstracts the construction of your DIT(s). You need tools that support your design.
Here is a short check-list of features that are critical at the abstraction layer of a true Virtual Directory Service:
- Metadata and schema extraction: A complete Virtual Directory must provide tools that quickly reverse engineer existing data sources and represent their metadata in a common abstraction domain. Since this metadata is a precious asset that you can leverage across many projects, you want to represent it using standards such as XML Schema, the same standards behind SOAP and your Web Services SOA.
- Directory tree and views: A complete Virtual Directory must provide options to create views and new hierarchies (aka contexts) based on existing attributes, as needed. These virtual views can be totally different from the existing hierarchies. The tools should allow you to:
  - Detect/declare the relationships between objects defined in a specific application domain (e.g. SQL databases)
  - Link objects and attributes across different silos
  - Simplify the construction of specific hierarchies for role definitions, entitlement management definitions, and delegated administration
What is a complete Virtual Directory Service?
A Virtual Directory Service must provide several options in terms of providing accurate data from back-end sources:
- Real-time access - guaranteed performance through a highly scalable and flexible cache (both in-memory and persistent) based on an advanced cache refresh mechanism (event notification leveraging an Enterprise Service Bus, or a simpler Time To Live where that is sufficient)
- Identity Correlation - without this component, Virtual Directories act only as a data aggregator and cannot truly address the requirements for authentication, authorization, and administration
- Full Synchronization across systems where needed
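As an added illustration (example code written for this article, not Radiant Logic's product code), the following Python models in miniature the capabilities described above: AD-specific attributes mapped onto a common schema, identity correlation between an AD-style silo and an HR relational silo, and a virtual view under a new department hierarchy. All entries, names and the choice of mail as the correlation key are constructed assumptions.

```python
import sqlite3

# Constructed sample data for an AD-style silo; note the AD-specific key and the
# userAccountControl bit field (bit 0x2 = ACCOUNTDISABLE).
AD_ENTRIES = [
    {"dn": "CN=Alice Smith,OU=Users,DC=corp,DC=example", "sAMAccountName": "asmith",
     "mail": "Alice@Example.com", "userAccountControl": 512},
    {"dn": "CN=Bob Jones,OU=Users,DC=corp,DC=example", "sAMAccountName": "bjones",
     "mail": "bob@example.com", "userAccountControl": 514},
]
# Constructed sample data for an HR relational silo with its own key (employee id).
HR_ROWS = [("E100", "alice@example.com", "Engineering"),
           ("E200", "bob@example.com", "Finance"),
           ("E300", "carol@example.com", "Engineering")]

def load_hr_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id TEXT PRIMARY KEY, email TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", HR_ROWS)
    return conn

def normalize_ad(entry):
    """Map AD-specific attributes onto the common (virtual) schema."""
    return {"uid": entry["sAMAccountName"], "mail": entry["mail"].lower(),
            "accountDisabled": bool(entry["userAccountControl"] & 0x2)}

def normalize_hr(row):
    emp_id, email, dept = row
    return {"employeeNumber": emp_id, "mail": email.lower(), "department": dept}

def correlate(ad_entries, conn):
    """Join the silos on the correlation key (normalized mail). Unmatched records are
    returned rather than dropped: they are what deprovisioning checks need to see."""
    by_mail = {e["mail"]: e for e in map(normalize_ad, ad_entries)}
    joined, unmatched = [], []
    for row in conn.execute("SELECT emp_id, email, dept FROM employee"):
        hr = normalize_hr(row)
        ad = by_mail.pop(hr["mail"], None)
        if ad is None:
            unmatched.append(hr)          # HR record with no directory account
        else:
            joined.append({**ad, **hr})   # one virtual object per correlated person
    unmatched.extend(by_mail.values())    # AD accounts with no HR record (orphans)
    return joined, unmatched

def build_view(joined, base="o=virtual"):
    """Expose joined identities under a new department hierarchy: a virtual DIT
    that exists in neither back-end."""
    return {f"uid={p['uid']},ou={p['department']},{base}": p for p in joined}
```

The unmatched list is the security-relevant by-product: an orphaned directory account or an HR record with no account is what an authorization or deprovisioning review needs to surface, so the correlation step reports it instead of silently aggregating.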
Missed the Last Newsletter?
In the first of a series of articles about Virtual Directories, we looked at the myth that Virtual Directories are simply a proxy/polling Engine. To read our last newsletter "Myth 1: A Virtual Directory is simply a proxy/polling engine" please click here.
Questions? Comments? Please email us at info@radiantlogic.com.