The growth of enterprise networks and the explosion of connected devices have turned Identity and Access Management (IAM) into one of the top concerns of IT organizations across the globe. IAM services authenticate users at sign-on and authorize which resources they are permitted to use.

To perform their function, IAM solutions store information about:

  • Entities, including people, groups, roles, departments and business units
  • Resources, including systems, applications, data, files, devices, products, documents and other shared information sources and networked elements
  • Access rules, which determine who can and can’t access and modify resources

Traditional Directory Services Can’t Keep Up

IAM is often implemented using directory-service solutions provided by operating-system or enterprise applications. Almost all of these approaches use hierarchical data structures that can’t cope with the complex, ever-changing relationships found in everyday business, including:

  • Organization charts and approval chains affected by reorganizations, promotions, mergers, acquisitions and divestitures
  • Supply chains in constant motion as suppliers come and go
  • Facilities that change as buildings are added and remodeled, and physical and virtual meeting resources change
  • Network resources including the addition and deletion of servers, applications, desktops, devices and networking equipment

… and the list goes on.

Without a centralized source of identity and access-management information, every time there’s a change of any size, you must identify which systems are affected, make the change to each system, and test your modifications. It’s enough to keep an army of administrators busy—and crazy at the same time.

Adding to the problem, as the datasets in custom-built IAM systems grow in size and complexity, they become slow or even unresponsive. At that point, they impact the performance of every application and the productivity of every user that depend on them.

Why Use a Graph Database for IAM?

So with today’s established directory services solutions to choose from, why should you consider using a graph database for implementing an identity and access management solution for your organization? The answer is simple: The challenges of IAM and directory services are perfect applications of graph technology. To use any other approach—purpose-built or otherwise—is choosing an inferior solution for crucial technology that resides at the core of all your enterprise applications.

A graph database is the right IAM solution for a variety of important reasons. For example, by choosing a graph approach to IAM, you can:

  • Handle organizational changes easily in one place and have them automatically affect your entire organization and its systems
  • Describe all your people, entities and resources fully using graph’s rich relationship and metadata models
  • Include employees, partners, customers, suppliers, and outside services and resources to enable secure management of the extended enterprise
  • Build directories of any size—even with billions of parties and resources—that use graph structures to maintain responsive scale
  • Create complex, densely-connected, access-control structures, approval chains and workflows
  • Define and maintain any combination of hierarchical and non-hierarchical organizational and approval structures

Even with enormous, highly-connected IAM datasets of entities and resources, Neo4j’s native-graph query engine traverses millions of relationships per second to maintain application performance and user productivity.

Answer Any Access Question Fast

Since graph database technology allows you to query relationships in any direction, you can use it to perform a variety of top-down and bottom-up IAM queries such as:

  • Which applications can a specific user access?
  • Which users are permitted to access a specific application?
  • Which resources—products, services, documents, etc.—can a specific user access or an admin manage?
  • Given a specific resource, who can modify its settings?
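
The four questions above can each be written as one traversal over the same data. The Cypher below is an added example, not code from the original article or from Neo4j; the labels (`User`, `Group`, `Resource`), the relationship types (`MEMBER_OF`, `CAN_ACCESS`, `CAN_MODIFY`) and every name in it are assumptions, and the data is constructed.

```cypher
// Constructed sample data (hypothetical schema): users belong to groups,
// groups can nest, and grants hang off users or groups.
CREATE (alice:User {name: 'alice'}),
       (bob:User {name: 'bob'}),
       (plat:Group {name: 'platform-team'}),
       (eng:Group {name: 'engineering'}),
       (wiki:Resource {name: 'wiki', kind: 'application'}),
       (ci:Resource {name: 'ci-server', kind: 'application'}),
       (spec:Resource {name: 'design-spec', kind: 'document'}),
       (alice)-[:MEMBER_OF]->(plat),
       (plat)-[:MEMBER_OF]->(eng),
       (bob)-[:MEMBER_OF]->(eng),
       (eng)-[:CAN_ACCESS]->(wiki),
       (plat)-[:CAN_ACCESS]->(ci),
       (plat)-[:CAN_MODIFY]->(ci),
       (bob)-[:CAN_ACCESS]->(spec);

// Top-down: which applications can a specific user access?
// *0..5 covers a direct grant (0 hops) and nested groups; the upper bound
// keeps a deep or cyclic membership chain from becoming an unbounded walk.
MATCH (u:User {name: 'alice'})-[:MEMBER_OF*0..5]->()-[:CAN_ACCESS]->
      (r:Resource {kind: 'application'})
RETURN DISTINCT r.name AS application
ORDER BY application;

// Bottom-up: which users are permitted to access a specific application?
// Same pattern, read from the resource end.
MATCH (:Resource {name: 'wiki'})<-[:CAN_ACCESS]-()<-[:MEMBER_OF*0..5]-(u:User)
RETURN DISTINCT u.name AS user
ORDER BY user;

// Every resource a user can access or manage, with the rights held on each.
MATCH (u:User {name: 'bob'})-[:MEMBER_OF*0..5]->()-[g:CAN_ACCESS|CAN_MODIFY]->
      (r:Resource)
RETURN r.name AS resource, collect(DISTINCT type(g)) AS rights
ORDER BY resource;

// Given a resource, who can modify it, and through which chain of
// memberships? Returning the path shows why the right exists, which is
// what an access review needs.
MATCH p = (u:User)-[:MEMBER_OF*0..5]->()-[:CAN_MODIFY]->
          (:Resource {name: 'ci-server'})
RETURN u.name AS user, [n IN nodes(p) | n.name] AS granted_via;
```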

The high performance of graph-based IAM solutions turns the seconds and minutes required by relational approaches into millisecond response times. Such speed makes graph-based IAM particularly applicable for applications with large audiences, many resources, and complex connections—including social networks, customer portals, content management, document systems and federated services.

Reinventing IAM at Telenor

Telenor Group provides mobile network services across Scandinavia, Eastern Europe and Asia. For several years, Telenor has offered self-service account management to large business customers. Using a browser-based application, administrators can add and remove services on behalf of their employees.

To ensure users and administrators see and change only those parts of the organization and the services they are entitled to manage, the application employs a complex identity and access management system that assigns service privileges to millions of users.

Due to performance and responsiveness problems, Telenor replaced their old IAM technology with a Neo4j graph database IAM solution.

Their original, relational IAM system used recursive joins to model complex organizational structures and product hierarchies. The join-intensive model crippled the performance of their self-service application, threatening customer satisfaction at their most important business accounts.

Telenor’s new graph-database IAM solution delivered the performance, scalability and maintainability required by their self-service portal, and reduced query response times from many minutes to milliseconds.

The Bottom Line: IAM Requires Graph Technology

For your enterprise organization, managing multiple changing roles, groups, products and authorizations is an increasingly complex task. Traditional directory services and relational databases cannot handle the size, complexity, connectedness and ever-changing nature of identity and access-management information. In addition, the slow query times of relational IAM crush the performance of enterprise applications and portals, affecting all of your employees, customers and partners.
