Saturday, September 13, 2008

Comments Finally Come In

Thanks to all of you who are starting to participate with comments.

Matt asked for more context to help think about the model. Let's look at it in the context of the very familiar Access Control Model below:




The Digital Realm in the User Identity Reference Model represents what is inside of the "Identity Data" store depicted above. The Subject is the "Requestor" above. This yields a diagram like the following (I inverted the Digital Realm because that seems to look better in this diagram):

Craig suggested replacing Account, IT Role, and Entitlement with a single "Capabilities" box. At my day job we discussed using fewer boxes in this area too, but we decided that there are different types of attributes associated with a user, and we wanted to represent at least the following four types:
  1. Inherent Attributes of the Entity like age or address. We consider these part of the Digital Persona.
  2. Business Roles like manager or CEO. These are inherent attributes of the Subject (or the Entity within a Context), so we also consider them part of the Digital Persona.
  3. IT Roles, which are explicitly assigned (as opposed to being inherent to the Entity or Subject), probably for purposes of administrative efficiency in access management.
  4. Directly assigned Entitlements.
We also debated at length whether or not to include Account in the model. We favored leaving it in because a Digital Persona can have multiple accounts, and each account could in turn include IT Roles and Entitlements.

Drummond submitted a bunch of questions and comments:

1) Higgins uses some terms differently than this model. That's OK for now. I think what's important is to get the shape of the model close to correct. The labels can change if we figure out better words, or if it would help align with other established models.

2) Regarding the term Sponsor, which Drummond suggests is a bit narrow: we think of it as the party with lifecycle responsibility for the Digital Persona. A term like "Authority" might work, but the Sponsor is not necessarily the authority for all the data associated with the Digital Persona, so I don't think it should be "Context Authority" or "Realm Authority", because those would include the IT Roles, Entitlements, and Accounts. An example of a Sponsor is HR, which is responsible for the lifecycle of the Digital Persona, but probably not responsible for IT Roles, Accounts, or Entitlements.

3) Regarding "IT Role": In earlier versions the box was indeed labeled "Role"; however, we then started exploring the difference between Business Roles (part of the Digital Persona) and IT Roles (assigned for access management). We called it "IT Roles" to differentiate from "Business Roles".

4) Regarding Digital Realm: that's mostly just a comment. Outside the Digital Realm the Entity and Subject are concrete or conceptual things, but when they get represented as Digital Personas they are in bit form. If we include a description of Digital Realm, then the descriptions will be much taller than the diagram (pretty poor justification). Do we really think it needs a number and description?

5) Regarding Account: earlier versions described an Account as an example of a Digital Persona; however, we evolved to the view that a regular employee of a company would probably have a single Digital Persona at the company. The employee's Digital Persona is all the bits (even spread across different systems) that represent the inherent attributes of the Subject employee. The employee likely has several accounts, all associated with the employee's single Digital Persona. So we ended up with the view that an Account is not an example of a Digital Persona; rather, it may contain a subset of a Digital Persona in a format required by some particular system.

6) Regarding Groups: we think of Groups as aggregations, and therefore just a particular form of IT Role.
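To make the relationships in points 5) and 6) (and the four attribute types above) concrete, here is a small Python encoding of the model. This is an added example, not code from the original post or from Higgins; every class, attribute and sample value is my own assumption about how the model might be expressed, chosen so that the distinctions can be exercised: a Digital Persona holds inherent attributes and Business Roles, each Account is a projection of a subset of those attributes into one system's schema, IT Roles and directly assigned Entitlements hang off Accounts, and a Group is just an IT Role that aggregates other IT Roles.

```python
"""Added example (not from the original post): a minimal encoding of the
User Identity Reference Model, so the relationships can be exercised rather
than only drawn. All names and sample data here are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ITRole:
    """Explicitly assigned IT Role. A Group is modelled as an IT Role that
    aggregates other IT Roles (nesting is allowed)."""
    name: str
    entitlements: Set[str] = field(default_factory=set)
    members: List["ITRole"] = field(default_factory=list)  # non-empty => Group

    def effective_entitlements(self, seen: Optional[Set[str]] = None) -> Set[str]:
        # Expand nested groups; 'seen' guards against cyclic group membership.
        seen = set() if seen is None else seen
        if self.name in seen:
            return set()
        seen.add(self.name)
        result = set(self.entitlements)
        for m in self.members:
            result |= m.effective_entitlements(seen)
        return result


@dataclass
class Account:
    """An Account is not a Digital Persona; it carries a subset of the
    persona's attributes in the format some system requires, plus the IT
    Roles and direct Entitlements granted through that account."""
    system: str
    attributes: Dict[str, str]                   # projected persona attributes
    it_roles: List[ITRole] = field(default_factory=list)
    entitlements: Set[str] = field(default_factory=set)   # directly assigned

    def effective_entitlements(self) -> Set[str]:
        result = set(self.entitlements)
        for r in self.it_roles:
            result |= r.effective_entitlements()
        return result


@dataclass
class DigitalPersona:
    """All the bits representing the Subject inside the Digital Realm.
    Inherent attributes and Business Roles live here; IT Roles and
    Entitlements hang off the accounts."""
    sponsor: str                          # party with lifecycle responsibility
    attributes: Dict[str, str]            # inherent attributes (age, address...)
    business_roles: Set[str] = field(default_factory=set)
    accounts: List[Account] = field(default_factory=list)

    def open_account(self, system: str, wanted: List[str], **renames) -> Account:
        """Project the persona into an account: copy only the attributes the
        target system needs, renaming fields to that system's schema."""
        projected = {renames.get(k, k): self.attributes[k] for k in wanted}
        acct = Account(system=system, attributes=projected)
        self.accounts.append(acct)
        return acct

    def all_entitlements(self) -> Dict[str, Set[str]]:
        """Per-system view of what this one persona can actually do."""
        return {a.system: a.effective_entitlements() for a in self.accounts}


def build_sample_persona() -> DigitalPersona:
    """Constructed sample data: one employee, one persona, two accounts."""
    # Constructed nested groups in a directory-like system (assumed names).
    fin_readers = ITRole("Finance-Readers", {"gl:read"})
    fin_approvers = ITRole("Finance-Approvers", {"gl:approve"}, [fin_readers])
    all_staff = ITRole("All-Staff", {"intranet:login"}, [fin_approvers])
    # Constructed membership cycle, to show the guard in effective_entitlements.
    all_staff.members.append(all_staff)

    persona = DigitalPersona(
        sponsor="HR",
        attributes={"given_name": "Ada", "surname": "Example",
                    "employee_id": "E1001", "home_address": "1 Sample St"},
        business_roles={"manager"},
    )
    ad = persona.open_account("ActiveDirectory",
                              ["given_name", "surname", "employee_id"],
                              given_name="givenName", surname="sn",
                              employee_id="employeeID")
    ad.it_roles.append(all_staff)
    erp = persona.open_account("ERP", ["employee_id"])
    erp.entitlements.add("po:create")    # directly assigned Entitlement
    return persona
```

Running `build_sample_persona().all_entitlements()` gives a per-system map: the directory account resolves to the union of everything the nested groups grant, while the ERP account holds only its directly assigned entitlement. Note that the home address stays in the Digital Persona and never reaches either account, which is the "subset in a system-specific format" relationship from point 5).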

Note to all: I'm trying to answer these questions the way we did at my day job; I'm not trying to say your ideas are wrong. So if my answer doesn't satisfy you, then please continue the discussion, and push for changes to the model.
