Identity vault

A possible model for an identity vault

What follows next is an attempt to create a model that is generic enough to cope with a modern IAM landscape.

During several integrations of identity management solutions, knowledge was gathered about processes, approvals, entitlement modelling, provisioning and many other topics that are too numerous to list in one sentence. That knowledge leads to a model that could, repeat, could be a candidate for use in a generic identity management platform.

Identities

Identities exist with common attributes like first name, last name, gender, password, ...

Note that attempts to work with dynamic attributes have been made, but these sometimes caused performance problems and added maintenance complexity.

Therefore a fixed set of attributes, used in the context of authentication and authorization, is proposed.

Typing of identities is also supported by the model, for example to distinguish internal from external employees when specific rights should only be assigned to internals.

Next to that, entities like notifications, devices and consents are modelled.

To be able to participate in a process, a workflow task can be assigned to an identity.

Organisations

Organisations or departments are the containers in which identities operate; the organisation determines the roles, permissions and applications an identity will have.

The link between an identity and an organisation is mostly created within the context of a temporal constraint and can be subject to a workflow. This link can be called an organisation assignment.

Administrators of organisations can approve the assignments that belong to their organisation(s).

Hierarchical organisations are left out of the model, even though some use cases require them, because the complexity they introduce is rather noticeable.

Entitlements

Entitlements are a bundled set of applications and roles that control the coarse and fine grained authorizations an identity has in the context of an organisation.

Entitlement assignments are the link between an identity within an organisation and an entitlement.

Prerequisites are a mechanism used for controlling which entitlements can be assigned to whom.

Common prerequisites are:

  • the organisation(s) to which the identity belongs

  • the identity type: internal, external, ...

  • the organisation type

  • another entitlement (an entitlement can itself be a prerequisite)

Entitlement assignments are also bound to temporal constraints and are a possible trigger for provisioning.

Entitlement modelling can be used for provisioning modelling. This means that all attributes gathered for an identity within an organisation, together with its entitlements, can be used to create a context for provisioning.
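As an added illustration of the organisation assignment, entitlement assignment and prerequisite concepts above (example code written for this note, not part of the original model or any product; the class names, field names and sample data are assumptions), the following check decides whether an entitlement may be assigned to an identity within an organisation on a given day, honouring approval status and temporal validity.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed sample model: class and field names are assumptions, not the page's own.

@dataclass(frozen=True)
class Identity:
    uid: str
    identity_type: str          # "internal" or "external"

@dataclass(frozen=True)
class Organisation:
    org_id: str
    org_type: str               # e.g. "department" or "partner"

@dataclass(frozen=True)
class Assignment:
    # Temporal link: entitlement=None means an organisation assignment (admin-approved),
    # otherwise an entitlement assignment of the identity within that organisation.
    uid: str
    org_id: str
    valid_from: date
    valid_to: Optional[date] = None     # None = open-ended
    approved: bool = True
    entitlement: Optional[str] = None

    def active_on(self, day: date) -> bool:
        return self.approved and self.valid_from <= day and (self.valid_to is None or day <= self.valid_to)

@dataclass(frozen=True)
class Entitlement:
    name: str
    orgs: frozenset = frozenset()             # allowed organisation ids (empty = any)
    identity_types: frozenset = frozenset()   # allowed identity types (empty = any)
    org_types: frozenset = frozenset()        # allowed organisation types (empty = any)
    requires: frozenset = frozenset()         # entitlements that must already be held

def unmet_prerequisites(identity, org, ent, assignments, day):
    """Prerequisites blocking `ent` for `identity` in `org` on `day`; [] means assignable."""
    mine = [a for a in assignments if a.uid == identity.uid and a.org_id == org.org_id and a.active_on(day)]
    held = {a.entitlement for a in mine if a.entitlement is not None}
    problems = []
    if not any(a.entitlement is None for a in mine):
        problems.append(f"no active organisation assignment in {org.org_id}")
    if ent.orgs and org.org_id not in ent.orgs:
        problems.append(f"organisation {org.org_id} not allowed")
    if ent.identity_types and identity.identity_type not in ent.identity_types:
        problems.append(f"identity type {identity.identity_type} not allowed")
    if ent.org_types and org.org_type not in ent.org_types:
        problems.append(f"organisation type {org.org_type} not allowed")
    problems += [f"missing prerequisite entitlement {r}" for r in sorted(ent.requires - held)]
    return problems
```

An empty result is the point at which the entitlement assignment can be created and a provisioning trigger fired; a non-empty result lists every reason to surface in the approval workflow.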
