Person Identity Registry

In an idealized IAM system, the Person Identity Registry (PIR) has certain key functions and responsibilities with respect to other elements of the IT environment:

  1. It contains a set of demographic attributes for each person in its scope of coverage
  2. It draws from various line-of-business systems, also known as systems of record (SoRs), the person information that is of interest or value to other systems and applications
  3. Where appropriate, it attempts to determine if multiple SoRs carry information of interest about a single person and it maintains those links
  4. It assigns and manages a persistent, unique, and preferably non-name-based identifier for each person it carries. It is the sole authority for this identifier
  5. It maintains links between each person it carries and the specific records that correspond to that person in each connected SoR
  6. SoRs are authoritative for their own attributes, but all other systems rely primarily on the PIR as the authoritative point of access to those attributes

Group and Access Management Service

  1. In principle, access to resources and services is granted to sets of people, by virtue of an organizational position or because they are entitled to, or responsible for, specific application functions.
  2. Ideally, access rights are not assigned to individuals. The primary exception to that rule is for self-service operations.
  3. Systems of Record may carry information that logically determines some of the positions, functions, and entitlements a given person holds. That determination is a key responsibility of the Group and Access Management Service.
  4. Other functional roles are assigned and maintained manually by administrative staff using the Group and Access Management Service.
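
As an added illustration, not code from this page, a minimal Python model of the two services described above: the PIR links SoR records that describe the same person under one opaque, PIR-owned identifier and answers attribute lookups from whichever linked SoR record is authoritative for the attribute, while the Group and Access Management Service derives groups from SoR attributes alongside groups maintained manually by administrators. The SoR names, record keys, match-on-email linking rule and sample records are constructed assumptions.

```python
import uuid

class PersonIdentityRegistry:
    # Hypothetical PIR: ingests SoR records, links those describing one person, issues a stable id
    def __init__(self, match_keys=("email",)):
        self.match_keys = match_keys   # attributes used to decide two SoR records are the same person
        self.sors = {}                 # SoR name -> {record key -> attributes}; SoRs stay authoritative
        self.persons = {}              # pid -> {SoR name -> record key}; pid is non-name-based, PIR-owned
        self._index = {}               # (match key, normalised value) -> pid

    def ingest(self, sor, key, attrs):
        self.sors.setdefault(sor, {})[key] = dict(attrs)
        pid = next((self._index[(k, attrs[k].lower())] for k in self.match_keys
                    if k in attrs and (k, attrs[k].lower()) in self._index), None)
        if pid is None:                # no existing person matched: mint an opaque identifier
            pid = str(uuid.uuid4())
            self.persons[pid] = {}
        self.persons[pid][sor] = key   # maintain the link to this person's record in that SoR
        for k in self.match_keys:
            if k in attrs:
                self._index[(k, attrs[k].lower())] = pid
        return pid

    def attribute(self, pid, name):
        # Other systems ask the PIR; it resolves the value from whichever linked SoR record carries it
        for sor, key in self.persons[pid].items():
            if name in self.sors[sor][key]:
                return self.sors[sor][key][name]
        return None

class GroupAndAccessService:
    # Hypothetical service: groups derived from SoR attributes plus groups maintained by administrators
    def __init__(self, pir):
        self.pir, self.rules, self.manual = pir, [], {}   # rules: (attr, value, group); manual: group -> {pid}

    def groups_for(self, pid):
        derived = {g for a, v, g in self.rules if self.pir.attribute(pid, a) == v}
        return derived | {g for g, members in self.manual.items() if pid in members}

def demo():
    pir = PersonIdentityRegistry()
    # constructed sample records from two SoRs describing the same person (email matched case-insensitively)
    hr_pid = pir.ingest("hr", "E1001", {"email": "jdoe@example.org", "department": "Finance"})
    sis_pid = pir.ingest("sis", "S77", {"email": "JDoe@example.org", "program": "MBA"})
    gams = GroupAndAccessService(pir)
    gams.rules += [("department", "Finance", "finance-staff"),   # derived from the HR SoR
                   ("program", "MBA", "mba-students")]           # derived from the student SoR
    gams.manual["app-admins"] = {hr_pid}                         # manually administered functional role
    return hr_pid == sis_pid, pir.persons[hr_pid], sorted(gams.groups_for(hr_pid))
```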

Provisioning and Deprovisioning Service

  1. A Provisioning Engine is responsible for creating user accounts, managing their status, and supporting other operations on those end-user systems that the Access Management Service determines to be associated with that user.

Authentication and Federation Service

  1. TBD