I got a great response from Deborah Volk at Identigral regarding my little thought exercise on dynamic opt-in/opt-out mailing lists. In this case, a mailing list for Geology majors, as well as anyone else interested in the occasional spelunking field trip.
Her approach is perfectly valid (and truthfully, makes more sense than what I was trying to do...). Basically, her suggestion is to use the various provisioning mechanisms of an identity management package, like OIM, to maintain the membership of a particular mailing list or group. People could be automatically provisioned into a group at time of account creation, or be event-based, such as someone switching majors. By providing other workflows, such as opt-in or opt-out, users could also add or remove themselves from that static group ad hoc.
What I was trying to accomplish was to put the logic of list membership into the list definition itself. Meaning, if I wanted to send out this week's Geologic Times newsletter, the group membership would be dynamically determined as soon as I hit the "Send" button. Anyone, at that point in time, who was either a Geology major, or had opted in to the list, would then be sent the email.
In summary...
The IdM-centric approach:
IdM workflows provision users into a static group for mailing list membership. The triggers for adding users into this group could be event-driven, such as at time of account creation, or manual, such as an end-user opting in or out of the list. The 'dynamic' part of the list is handled by the IdM software.
The mailing list logic approach:
Using advanced LDAP filters, create a mailing list that would dynamically determine membership at the point in time an email was sent to the list. This would most likely be driven off of attributes or roles assigned to the user objects in a directory store, such as Sun Directory Server or Active Directory. There is no 'group' per se -- it is the LDAP query filter that determines list membership.
Like I said earlier, Deborah's approach makes much more sense, if you have the IdM workflow engine already. However, true dynamic opt-in/opt-out lists are still possible without an IdM solution, but would be more difficult to create and maintain.
Introducing OCI IAM Identity Domains
2 years ago
1 comment:
The solution makes perfect sense for OIM, since you could set it to kickoff processes based on events and then let the target systems be.
Other IdM platforms are controlled based on policies, and do not let the target systems be if a change were to made directly - i.e. there group memberships would be re-instated. This would probably cause problems for the opt-out portion.
On another note, I found a solution that might be interesting?
Post a Comment