Potential Solution Response to Questionnaire

Standard Questions Template

IAM Registry questions to evaluate features and functionality against standard business requirements.


Description or Question for solution provider

General architecture

Describe how ID match capability is provided by the registry solution. For example, is it (a) an integral part of the solution as provided or (b) must it be integrated with an external ID match engine or (c) can it be provided in some other way?


Describe how groups management (for use with authZ controls and other purposes) is provided. For example, is it (a) handled internally by the solution or (b) integrated with an external group management engine such as Grouper or (c) provided in some other way?

Data model

Describe how the registry solution supports an extensible set of attributes about (a) persons, (b) applications or other external resources, and (c) other, arbitrary entities?

AuthZ support

Describe how the registry data model supports defining arbitrary user roles in support of authZ functions.


Describe how the registry solution supports audit logging of sensitive transactions, including support for the recording of historical changes made to sensitive data. Describe how this log includes the requester and authorizer identities, and transaction timestamps.


Describe how the registry solution supports the secure storage of security questions and answers for use in password recovery.


Is there support for multiple name and address types as well as history?  If yes, please describe.

Identity Assurance

Are registration events captured as they occur?  Do these events automatically trigger assignment/deassignment of an IAP


Is there support for real time provisioning of Identities/services


Describe how data is processed (batch, web services)


Is registry dependent on other open source or vendor products?  If yes, please provide details.


Where is the business logic stored?  Is there support for delegation to maintain these rules?


How does the registry notify external entities of data changes?  (for example name is changed)


Is code located in public repository


How are changes, marketing, etc communicated to public? (wiki, lists, web presence)


Is there proper OSS license?


Is there a clear project lead?


Is there an existing project steering committee/governance?

  • No labels