Tuesday, September 16, 2008

Answering Matt's Questions

Matt posted questions about the User Identity Reference Model on his blog, which I'll try to answer here.

Q. This is just about identifying the types of information that is used to represent an identity. Correct?

A. Correct. At my day job we defined the word identity to mean a set of attributes, at least one of which is an identifier. By this definition, an identity is information, so an identity model would be some form of information model.

Q. Why is Sponsor relevant to this model? Sponsor is important in the provisioning process, but is not part of the identity data itself.

A. We felt that especially for Digital Personas representing non-human Entities it is important to be able to map back to a responsible party that is human (or perhaps a group of humans). At times we have done this incorrectly in the past, and it has caused major headaches. For example, in one of our directories we populate the employeeNumber attribute with the represented user's employee number. Some applications use that employeeNumber to lookup additional user data in other user stores and directories. When representing a non-human Entity in the directory (e.g., a service account) we sometimes put the Sponsor's employee number into the employeeNumber attribute -- Yikes! The applications that use the contents of employeeNumber to lookup additional information in other user stores were seeing that the service accounts had people-type attributes (like citizenship - which is really an attribute of the Sponsor, not the Entity) in addition to service account attributes. We now think it's important to emphasize that the sponsor relationship is not the same thing as the Subject represented by a Digital Persona. We could leave it out, but we favored leaving it in with a dashed line to differentiate it from the other kinds of relationships depicted with solid lines.
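To make the employeeNumber problem concrete, here is a small added example (my illustration, not code from the post or from any directory product). It models a directory before and after the fix: in the "before" state the service account carries the Sponsor's employee number in employeeNumber, so an application that enriches entries from HR by that key silently gives the service account the Sponsor's citizenship; in the "after" state the sponsor relationship gets its own attribute, so enrichment stops and the Sponsor is still resolvable. The entries, the HR records and the attribute name sponsorEmployeeNumber are all constructed for the example.

```python
"""Added example (not from the post): a Sponsor's employee number reused as a
service account's employeeNumber leaks the Sponsor's person attributes onto
the service account; a separate sponsor attribute keeps the two apart.
All entries, HR records and the name sponsorEmployeeNumber are constructed."""

from typing import Optional

# Constructed HR system keyed by employeeNumber. Only real people live here.
HR_RECORDS = {
    "100042": {"citizenship": "US", "costCenter": "4711", "manager": "100007"},
}

# "Before": the service account reuses the Sponsor's employee number.
DIRECTORY_BEFORE = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": "alice",
        "employeeNumber": "100042",
    },
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectClass": ["applicationProcess"],
        "uid": "svc-backup",
        "employeeNumber": "100042",  # Sponsor's number reused: the mistake
    },
}

# "After": employeeNumber is absent on the service account and the sponsor
# relationship gets its own attribute (hypothetical name).
DIRECTORY_AFTER = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": "alice",
        "employeeNumber": "100042",
    },
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectClass": ["applicationProcess"],
        "uid": "svc-backup",
        "sponsorEmployeeNumber": "100042",  # hypothetical attribute
    },
}


def enrich_from_hr(entry: dict, hr: dict = HR_RECORDS) -> dict:
    """Typical application behaviour: if the entry has an employeeNumber,
    merge the matching HR attributes into it. It never asks whether the
    entry is a person, which is exactly why the overloading bites."""
    merged = dict(entry)
    emp = entry.get("employeeNumber")
    if emp is not None and emp in hr:
        merged.update(hr[emp])
    return merged


def find_by_employee_number(directory: dict, emp: str) -> list:
    """Return the DNs of every entry claiming a given employeeNumber.
    More than one hit means the identifier is no longer an identifier."""
    return sorted(dn for dn, e in directory.items() if e.get("employeeNumber") == emp)


def resolve_sponsor(directory: dict, dn: str) -> Optional[str]:
    """Follow the sponsor relationship to the sponsoring person's DN without
    treating the Sponsor's attributes as the service account's own."""
    sponsor_emp = directory[dn].get("sponsorEmployeeNumber")
    if sponsor_emp is None:
        return None
    for other_dn, other in directory.items():
        if "inetOrgPerson" in other["objectClass"] and other.get("employeeNumber") == sponsor_emp:
            return other_dn
    return None


if __name__ == "__main__":
    svc = "uid=svc-backup,ou=services,dc=example,dc=com"
    print("before:", enrich_from_hr(DIRECTORY_BEFORE[svc]))
    print("who claims 100042:", find_by_employee_number(DIRECTORY_BEFORE, "100042"))
    print("after:", enrich_from_hr(DIRECTORY_AFTER[svc]))
    print("sponsor:", resolve_sponsor(DIRECTORY_AFTER, svc))
```

Running it shows the "before" service account acquiring citizenship and a cost center it never had, and two entries answering to the same employeeNumber; the "after" entry gains nothing from HR, and the Sponsor is found by following the separate attribute, which is the dashed-line relationship rather than an attribute of the Subject.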

Q. What's the difference between an Entity and a Subject?

A. The model agrees with you (and so do I) that when an Entity tries to access a resource, the Entity is doing so as a Digital Persona. An Entity exists even without any Context. A Subject is an Entity in a particular Context. If you've got no relationship to my home company, then you are not a Subject in my company's Context; however, you are still an Entity. At the point you get some relationship to my company, then you will become a Subject of interest in my company's context, and to keep track of you, we'll establish one or more Digital Personas for you.

Your remarks about personas sound pretty good to me. Bear in mind that one motivation for this model is to promote consistent use of terms. I noticed your frequent use of the word "context" to describe what you mean by persona. It's unfortunate that Context is one of the proposed components of the model, which makes it confusing to use that word to describe other parts of the model. Oh well, even if we used a different word instead (circumstance, situation, meaning, condition???) we'd still have a similar problem trying to differentiate between the general use of the word and the specific name of a model component.

I think your use of the information card metaphor is interesting too. Do you think that within a company an employee would have one card or multiple cards? At my company we think some people have multiple personas within our company. I suppose if/when we use info cards, those people would probably get multiple cards.

Regarding accounts: this whole effort is a bunch of compromises by the several people participating in the discussion. I started off with the idea that an Account is an example of a Digital Persona. However, I was outnumbered, and the majority felt that they have just one Digital Persona at our company, parts of which are represented in each of their many Accounts. Because in the context of our company we each have many accounts, but generally just a single Persona, Account cannot be an example of a Digital Persona (at least according to us). At some point, I don't know that we can declare the model is "correct"; instead it will be great if we can just declare it "acceptable".

2 comments:

Matt Flynn said...

Thanks Marty. It sounds like you've all analyzed this ad nauseam. And we seem to agree for the most part. My only complaint would be that to answer WHY on a couple of points, you said that the model is this way because that's how it is at your day job. That's something I would think about if you're trying to create an industry standard model.

The "sponsor" issue sounds pretty limited to a subset of corporate environments and probably wouldn't apply to a general industry model.

Also, use of persona to represent a single person's same-ness across numerous accounts doesn't seem to mesh with how I've heard it used. Same-ness is established by how you're using the term entity.

Personas would IMHO represent an instance of an entity within a context (or circumstance). And an account or infocard or ID badge would be used to represent the persona that you're assuming for the given circumstance.

Ultimately, I agree that perfection may be impossible to achieve in something that's inherently subjective. But, a model is meant to help people understand a complex concept. The way that entity, sponsor, subject and persona are laid out here seems unintuitive.

If it were my model, I would probably have (from left to right) an entity. Entities have multiple personas. Personas have a many-to-many relationship with accounts. And accounts are assigned roles and privileges. Or I would just remove accounts b/c I see them as the technical implementation of a persona.

In any case, I think you understood my feedback and that was the goal. Now, you can choose what to do with it. I certainly don't want to undo hours of work at the last minute. Let me know if you need anything else.

Marty Schleiff said...

I guess I can comment on your comment on my own blog.

It's not the last minute; the model can still change, or be completely replaced. We took it as far as we could take it at my company. Interest outside my company seems to be picking up a little, and I take your comments back to my company to point out areas we could look at it differently. I also hope to host a telecon(s?) with a wider population after interest grows some more and more people speak up. And, I'm not opposed if some other forum or standards org wants to take over the model, or come up with a completely different (hopefully better) model. So keep the comments coming!