OSS IDM Functional Areas
Identity Data Management
Function |
Description |
Standards |
Technology |
---|---|---|---|
Person Registration and Profile Management |
When a new person joins an enterprise, providing basic information about the person to the Identity Management System (IdMS) enables various identity and access management processes to be kicked off. This initiation, referred to as Person Registration, may happen via manual data input, or by automated batch or real-time data exchanges from authoritative Systems of Record (such as a Student Information System or Human Resources Management System) to the IdMS. |
|
|
Identity Reconciliation |
Where an enterprise has multiple authoritative Systems of Record that may provide registration records to the IdMS, and where an individual may be asserted by more than one SoR, a process is required to determine if the IdMS already knows about the person being registered. This process is known as Identity Reconciliation. |
|
|
Identifier Management |
An individual may have multiple identifiers, such as user IDs, ID badge numbers, etc. Some of these identifiers may be changeable, some may not be known to the user, and different applications may use different identifiers. Identifier Management is the process of handling these concerns. |
|
|
Authenticator Management |
An individual may have multiple authenticators, such as passwords, PINs, hardware tokens, and certificates. These authenticators require different management processes, such as password changes, password resets, token issuance, and token revocation. Collectively, these processes are referred to as Authenticator Management. |
|
|
Group Management |
An individual may be a number of any number of groups, which may be derived using business rules or which may be created ad hoc. The power of groups is in their use in access management and other privilege granting decisions, in a group of users may be referred to rather than an explicit list of users. This facilitates granting users access to the systems they need, and revoking access when it is no longer required. |
|
|
Role Management |
An individual performs one or more roles within the enterprise. Access management and other privilege granting decisions may be based on roles rather than individuals, which in turn facilitates granting users access to the systems they need, and revoking access when it is no longer required. |
|
|
Access/Permission/Privilege Management |
By driving access management decisions from the data managed in an IdMS, rather than relying on manual processes in disparate systems, users are more easily granted access to the systems they need, and there is a greater assurance that such access is revoked when no longer required. |
|
|
Attribute Management |
In an IdMS, various attributes are attached to an individual. These attributes may include profile information, identifiers, group memberships, roles, and privileges, among other data. By providing a central repository of these attributes, downstream applications can meet all of their access management needs from one location. |
|
|
Identity Data Workflow |
|
|
|
Delegated Administration and Self Service |
Different identity and access management functions require different levels of privilege. For example, only an authoritative System of Record may add an individual to the IdMS with a given affiliation, while any individual may change their own password and perhaps select a nickname. By delegating administration of the IdMS wherever possible, and by allowing user self-service wherever possible, business processes around identity and access management can be made more efficient. |
|
|
Identity & Access Services
Function |
Description |
Standards |
Technology |
---|---|---|---|
Provisioning and Deprovisioning |
The process of creating accounts or otherwise enabling access to systems required by individuals affiliated with an enterprise, as well as the revocation of that access when no longer required. |
|
|
Authentication |
The process of proving an individual is who they claim to be, usually via a password, PIN, hardware token, or certificate. |
|
|
Authorization |
The process of determining if the individual has access to a system or function. |
|
|
Directory |
A repository of people affiliated with an enterprise, accessible to anyone within the enterprise and possibly to the general public. |
|
|
Single Sign On (Local and Federated) |
The use of a single credential to access multiple systems, usually by way of a web-based authentication service. Federated Single Sign On enables the single credential to be used across multiple enterprises. |
|
|
Presence |
A service that indicates the availability of an individual, often coupled with another service such as instant messaging or VOIP telephony. |
|
|
Session Management |
The process of managing individuals access to an application following authentication, without continually requiring reauthentication. Most applications have their own session management. |
|
|
Reporting |
The extraction of various metrics describing the usage and performance of the IdMS. |
|
|