Thursday, August 21, 2008

User Identity Reference Model - 21 Aug 2008

Today at my day job we made lots of progress. A team member had submitted an alternate diagram for consideration. As we compared it with the diagram you see in this blog, we determined they were very close to the same thing! I think the experience helped validate (to ourselves) that we're on a pretty good track, and brought us much closer to consensus. I think we're now to the point of evolving this diagram instead of considering completely separate diagrams.

Nevertheless, the model continues to evolve, and we still have quite a bit to discuss. Here's what transpired today:
  • We dropped "Principal" from the label on box 5. It was causing too much confusion even though the description for box 5 points out that Principals are a subset of Subjects (the ones that can be authenticated). We still left the words in the description in case people would complain about an identity model without mention of Principal.
  • We opened a new debate about whether or not an account is an example of a Digital Persona. Most team members argued that an Account is how a Digital Persona gets instantiated into some platform that is not yet sufficiently enlightened to rely on external representations of identity. They say a Digital Persona could have multiple Accounts. To me this sounded like getting back to the concept of Accounts described back in my first post on August 7th, but the rest of the team says it's not. I feel like if an account is something different from a Digital Persona, we ought to be able to represent it in the model some way, but others disagreed. Obviously I'm not quite seeing this the same way as others yet -- hopefully we'll get closer in next week's meetings.
  • In a comment to the post on Aug 19, PC provided some more views around the concept of Sponsor. This is another place we still have some discord on the team. Personally, I'm starting to think that a Sponsor is only responsible to specify which entities should be included as Subjects in a Context. A Sponsor should not be responsible for authorizing a Subject to do anything (I'm disagreeing with PC on this); instead, the Role management process deals with authorization. I do recognize that a single individual might be both a Sponsor of the Subject, and an approver in a Role management workflow that handles the Subject's authorizations.
  • One last new area of contention: I wonder why one Subject might have only one Digital Persona, but another might have multiple Digital Personas. What's the difference? I think it's because of the functions (roles?) that a Subject plays within the Context, so I suggest that a Subject's Roles might result in additional Digital Personas being established for the Subject (and the model currently shows that a Role can have multiple Digital Personas for a Subject). That idea didn't sink in with the rest of the team.
As we resolve some of these differences of opinion, the model could change significantly, especially within the "Digital Realm" section. Please stay tuned.
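To make the relationships under debate concrete, here is a small Python encoding of the model as described in the bullets above. It is an added illustration, not the team's diagram or any product code, and it takes the author's side on the two open questions: a Sponsor only admits Subjects into a Context and grants no authorization, Roles carry the authorization and may establish an additional Digital Persona for the Subject, and an Account is a Digital Persona instantiated on one platform (one persona, many accounts). The permission strings, platform names, the user-id format and the rule that only a Principal (an authenticatable Subject) may own an Account are assumptions made here for the example.

```python
"""Toy encoding of the User Identity Reference Model discussed in the post.

Added example, not the author's diagram or any product code. The nouns
(Subject, Principal, Digital Persona, Account, Role, Sponsor, Context)
follow the post; permission strings, platform names, the user-id format
and the Principal-only-accounts rule are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    """An entity in a Context. A Principal is a Subject that can be authenticated."""
    name: str
    can_authenticate: bool = False

    @property
    def is_principal(self) -> bool:
        return self.can_authenticate


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # assumption: authorization is a set of permission strings


@dataclass(frozen=True)
class Account:
    """A Digital Persona instantiated on one platform (e.g. a local userid)."""
    platform: str
    user_id: str


@dataclass
class DigitalPersona:
    subject: Subject
    label: str                                     # which function of the Subject this persona serves
    accounts: list = field(default_factory=list)   # one persona, many accounts


class Context:
    def __init__(self, name: str, sponsor: str):
        self.name = name
        self.sponsor = sponsor
        self.subjects: set = set()
        self.roles: dict = {}       # Subject -> set of Role
        self.personas: dict = {}    # Subject -> list of DigitalPersona

    # Sponsor: decides WHO is a Subject in the Context, and nothing else.
    def sponsor_admits(self, actor: str, subject: Subject) -> None:
        if actor != self.sponsor:
            raise PermissionError(f"{actor} is not the Sponsor of {self.name}")
        self.subjects.add(subject)
        self.roles.setdefault(subject, set())
        self.personas.setdefault(subject, [])

    # Role management: decides WHAT a Subject may do, in a separate workflow.
    def assign_role(self, subject: Subject, role: Role) -> DigitalPersona:
        if subject not in self.subjects:
            raise LookupError(f"{subject.name} was never sponsored into {self.name}")
        self.roles[subject].add(role)
        # Author's suggestion: a Role may establish an additional Digital Persona.
        persona = DigitalPersona(subject, label=role.name)
        self.personas[subject].append(persona)
        return persona

    def permissions(self, subject: Subject) -> frozenset:
        """Effective authorization: union of the Subject's Role permissions only."""
        return frozenset().union(*(r.permissions for r in self.roles.get(subject, ())))

    def provision_account(self, persona: DigitalPersona, platform: str) -> Account:
        """Instantiate a Digital Persona on a platform that keeps its own user store."""
        # Assumption: only a Principal (authenticatable Subject) can own an Account.
        if not persona.subject.is_principal:
            raise PermissionError(f"{persona.subject.name} cannot be authenticated")
        # Assumption: user-id format is <subject>.<persona>@<platform>.
        acct = Account(platform, f"{persona.subject.name}.{persona.label}@{platform}")
        persona.accounts.append(acct)
        return acct


def walkthrough() -> dict:
    """Constructed scenario: sponsorship alone grants nothing; Roles do."""
    ctx = Context("payroll", sponsor="hr-manager")
    alice = Subject("alice", can_authenticate=True)
    ctx.sponsor_admits("hr-manager", alice)
    after_sponsorship = ctx.permissions(alice)           # empty: Sponsor authorized nothing
    clerk = Role("clerk", frozenset({"read:payslips"}))
    admin = Role("admin", frozenset({"read:payslips", "run:payroll"}))
    ctx.assign_role(alice, clerk)
    admin_persona = ctx.assign_role(alice, admin)
    ctx.provision_account(admin_persona, "mainframe")
    ctx.provision_account(admin_persona, "ldap")
    return {
        "after_sponsorship": after_sponsorship,
        "after_roles": ctx.permissions(alice),
        "persona_count": len(ctx.personas[alice]),
        "admin_accounts": [a.user_id for a in admin_persona.accounts],
    }
```

Running `walkthrough()` shows the separation the author argues for: right after the Sponsor admits alice her permission set is empty, the two Role assignments produce two Digital Personas and the union of their permissions, and the admin persona ends up with two Accounts, one per platform.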

And PC, please don't be discouraged that I disagreed with you. Keep arguing your point and you may change my mind.

Click the diagram to enlarge today's version:

2 comments:

Anonymous said...

Just testing out my i-name to authenticate.

pc said...

Marty - I'm just beginning this path into IdM - your model makes a whole lot of sense to me, however, I'm looking at this from an authorization / de-authorization point of view for access management of accounts (provisioning workflow, etc...) so I'm by no means an expert. On further discussion with my own teammates, I believe the digital persona to be the digitized representation of a physical identity. I.e., a userid is representative of the person who's using it (granted authorization or declined authorization) in terms of user.

In terms of user and sponsor, I believe a user would have a sponsor and that sponsor or their delegate would have the role to authorize or de-authorize...just my $.02!

If you can figure out how to ping me via my blogger id - it would be nice to open a dialog outside of the comment box...thanks

Peter