Users Are Assets, Too!
EMC has a very complex set of relationships with our partners. They have many different roles (reseller, distributor, service provider, etc.) and work with dozens of different products. Partners are segmented into programs in order to drive engagement; program membership (and with it, information) is gated based upon achievements such as successfully completing training as well as achieving revenue targets. More pointedly, some companies who are our partners in one space are competitors in another, meaning that content access needs to be carefully meted out, often at the level of individual users. These ambivalent relationships with individual partners are subject to the vicissitudes of the industry, and programs and campaigns targeting all our partners are characteristically updated on an annual basis.
Historically, we relied on an internally developed, technically robust solution to manage user access privileges. Unfortunately, it suffered from a lack of governance. Dozens of program managers, acting independently of one another, could command updates to entitlement attributes and their usage. Once created, attributes could not be deleted, meaning that over time hundreds of outdated values accumulated in the system. Nor could they be edited, so attributes created to support user access management for defunct programs were repurposed to support new ones, still bearing the defunct program names. Further, attributes were applied to content in clusters denoted only by four-digit numeric IDs. This meant that it was impossible to look at a user profile and a content metadata record and understand whether or not that user should have access to the asset. Predictably, all this resulted in the creation of a host of offline keys, usually managed as Excel documents on individual user desktops, fluctuating as programs and training modules were initiated or abolished. Inordinately complex and woefully inefficient.
Our goal in migrating partner content to a new platform was to avoid migrating the legacy user access management model with it, or recapitulating it in a new environment. In particular, we wanted to ensure parity and transparency between the application of entitlement attributes to user profiles and content metadata records. To achieve this, we needed to think of user profile records as a kind of content asset, one which could have metadata attributes applied by an external master data system in much the same way as multiple content repositories consume product tagging from our MDM platform.
We spent several months reviewing the legacy model, both through analysis of entitlement attribution and conversations with partner program managers. From this review, we were able to define a user access management model composed of 45 individual attributes, representing a roughly 75 percent reduction in the total number of available attributes. These attributes were ordered into three taxonomy hierarchies in our MDM system; a careful structuring of the hierarchies as well as an inheritance property ensures that only a small number of attributes need to be applied to content to provide a broad level of user access. Integrations were set up from the MDM API to both the user profile database and the new platform’s content management system. Now, when a user attempts to access an asset on the new portal, matching logic compares the entitlement data passed to the site by the user profile web services with the entitlement attributes on the asset’s metadata record. If there is a match, the content is displayed; if not, the content remains hidden.
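The matching step described above, as an added example that is not EMC's implementation. The attribute names are constructed, and two behaviours are assumptions the article does not spell out: a tag on content admits users holding that attribute or any descendant of it, and a user must match in every hierarchy the content is tagged in.

```python
# Constructed taxonomy, child -> parent (None marks a hierarchy root).
# All names are hypothetical; the article does not list its 45 attributes.
PARENT = {
    "role": None, "reseller": "role", "distributor": "role",
    "program": None, "tier-gold": "program", "tier-silver": "program",
    "product": None, "storage": "product", "storage-midrange": "storage",
}

def ancestors(attr):
    """Return attr followed by each ancestor up to its hierarchy root."""
    chain = []
    while attr is not None:
        chain.append(attr)
        attr = PARENT[attr]
    return chain

def can_view(user_attrs, content_tags):
    """Deny-by-default match of profile attributes against content tags."""
    if not content_tags:
        return False                      # untagged content stays hidden
    held = set()
    for attr in user_attrs:
        if attr in PARENT:                # stale profile values grant nothing
            held.update(ancestors(attr))  # assumed inheritance direction
    required = {}                         # hierarchy root -> tags on content
    for tag in content_tags:
        if tag not in PARENT:
            return False                  # unknown tag: fail closed
        required.setdefault(ancestors(tag)[-1], set()).add(tag)
    # Assumed rule: OR within a hierarchy, AND across hierarchies.
    return all(tags & held for tags in required.values())

if __name__ == "__main__":
    profile = {"reseller", "tier-silver"}
    for tags in ({"role"}, {"role", "tier-gold"}, {"distributor"}):
        print(sorted(tags), "->", can_view(profile, tags))
```

Because both sides are expressed in the same attribute vocabulary, a help desk agent can read a profile and a content record side by side and predict the decision.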
By treating user records as objects equivalent to downloadable files or web pages, we’ve been able to overcome the systemic divide between user profile management and content management, which had produced independent models for each. Now when help desk personnel and content publishers talk to one another about user access issues, they’re speaking the same language. Not needing to translate between multiple models means that users get the assistance they need more efficiently. And of course, with centralized management of the user access model in the MDM repository, changes to the model can be propagated synchronously and almost instantaneously across all impacted systems. We think that’s pretty neat, and our employer thought it was so cool, they even applied to patent it.