Wednesday, April 8, 2009

Those crazy Rock Hounds

I got a great response from Deborah Volk at Identigral regarding my little thought exercise on dynamic opt-in/opt-out mailing lists. In this case, a mailing list for Geology majors, as well as anyone else interested in the occasional spelunking field trip.

Her approach is perfectly valid (and truthfully, makes more sense than what I was trying to do...). Basically, her suggestion is to use the various provisioning mechanisms of an identity management package, like OIM, to maintain the membership of a particular mailing list or group. People could be provisioned into a group automatically at the time of account creation, or in response to an event, such as someone switching majors. By providing other workflows, such as opt-in or opt-out, users could also add or remove themselves from that static group ad hoc.

What I was trying to accomplish was to put the logic of list membership into the list definition itself. Meaning, if I wanted to send out this week's Geologic Times newsletter, the group membership would be dynamically determined as soon as I hit the "Send" button. Anyone, at that point in time, who was either a Geology major, or had opted in to the list, would then be sent the email.

In summary...

The IdM-centric approach:
IdM workflows provision users into a static group for mailing list membership. The triggers for adding users into this group could be event-driven, such as at time of account creation, or manual, such as an end-user opting in or out of the list. The 'dynamic' part of the list is handled by the IdM software.

The mailing list logic approach:
Using advanced LDAP filters, create a mailing list that would dynamically determine membership at the point in time an email was sent to the list. This would most likely be driven off of attributes or roles assigned to the user objects in a directory store, such as Sun Directory Server or Active Directory. There is no 'group' per se -- it is the LDAP query filter that determines list membership.

Like I said earlier, Deborah's approach makes much more sense, if you have the IdM workflow engine already. However, true dynamic opt-in/opt-out lists are still possible without an IdM solution, but would be more difficult to create and maintain.
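A sketch of the mailing list logic approach, added here as an illustration and not taken from any product mentioned in this post: it builds the membership filter with RFC 4515 escaping, so a major or list name supplied by a user cannot rewrite the query, and resolves recipients at send time against constructed sample entries. The attribute names `major`, `listOptIn` and `listOptOut` are hypothetical, and the small evaluator handles only `&`, `|`, `!` and case-insensitive equality.

```python
import re

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def list_filter(major, list_name):
    """Members = people who (have the major OR opted in) AND did NOT opt out."""
    m, n = escape_filter_value(major), escape_filter_value(list_name)
    return (f"(&(objectClass=person)(|(major={m})(listOptIn={n}))"
            f"(!(listOptOut={n})))")

def _eval(f, i, entry):
    """Evaluate the filter component starting at f[i]; return (result, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, results = f[i], i + 1, []
        while f[i] == "(":
            r, i = _eval(f, i, entry)
            results.append(r)
        res = all(results) if op == "&" else any(results)
    elif f[i] == "!":
        r, i = _eval(f, i + 1, entry)
        res = not r
    else:  # equality match only: attr=value
        end = f.index(")", i)
        attr, _, raw = f[i:end].partition("=")
        want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        res = want.lower() in (v.lower() for v in entry.get(attr, []))
        i = end
    if f[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return res, i + 1

# Constructed sample directory entries (not real data); attribute names are hypothetical.
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["person"], "major": ["Geology"]},
    {"uid": ["bob"], "objectClass": ["person"], "major": ["History"], "listOptIn": ["geology-news"]},
    {"uid": ["carol"], "objectClass": ["person"], "major": ["Geology"], "listOptOut": ["geology-news"]},
    {"uid": ["dave"], "objectClass": ["person"], "major": ["History"]},
]

def recipients(major, list_name, entries=ENTRIES):
    """Resolve list membership at send time by applying the filter to each entry."""
    flt = list_filter(major, list_name)
    return [e["uid"][0] for e in entries if _eval(flt, 0, e)[0]]
```

Against a real directory the same filter string would be passed to the server's search operation; the escaping step matters whenever the major or list name originates from a self-service form.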

Wednesday, April 1, 2009

Another use case for good IdM workflows?

While I'm sure UC San Diego will learn all sorts of valuable lessons from this situation, what it should teach everyone else is the importance of establishing proper approval chains for workflows (such as sending out acceptance letters), and a strong business case for some sort of distribution list management tool...

http://www.nbcsandiego.com/news/local/Youre-Out-Youre-In-No-Youre-Out.html?yhp=1

ILM2 delayed until Q1 2010

This news certainly comes as a surprise, considering our Microsoft sales team apparently wasn't even aware of the delay. Architecting a solution around software that might ship sometime in the next 12 months doesn't seem like a wise decision to me though...

Jackson's Identity Management & Active Directory Reality Tour Travelblog: Microsoft's ILM"2" delay hurts

Friday, March 13, 2009

Directory Self-service applications

These are some of the vendors that provide products that enable end-users to update their own records in a directory server (most, if not all, of the products below are primarily AD focused though). This could include the ability to do password resets without calls to the help desk, but I was looking at their capability for managing opt-in/opt-out of distribution lists.

(Note: I haven't used any of these products, although several do offer live demos from their web sites)

Imanami:
Their Smart DL product allows end-users to create dynamic distribution lists based on AD attributes. I don't know whether they also provide an opt-in/opt-out capability though.

Namescape:
There are several different versions of their rDirectory product. However, according to their comparison chart, both the Professional and Enterprise editions offer a 'Group Self-Subscription' feature. The Enterprise edition looks to be a full-fledged IdM solution, with User Provisioning capabilities.

ManageEngine:
Their AD Self-Service Plus product looks to primarily be aimed at allowing end-users to perform password resets without calling in to a help desk, but according to the product page, one of the listed features is 'Update Personal AD Info'. I'm not sure if this could be extended to provide some sort of group/mailing list subscription capability though.

Securitay:
Like the Imanami product, the Group Management Portal allows end-users to create and manage their own distribution lists in AD/Exchange. Although from what I could tell from the live demo site, it seems to be only managed groups (meaning, members are manually added vs. dynamically updated based on user attributes).

And I would be remiss if I didn't mention Microsoft's new ILM"2" product (which is only a release candidate now, but should be available soon). This latest version of their identity management offering does have some pretty nice group management capabilities, along with the ability to delegate dynamic list creation to end-users. Of course, the primary focus of ILM"2" is user provisioning and the synchronization of identity data across many different target systems. But the rich end-user self-service interface is a nice differentiator compared to many other full-service IdM stacks out there today.