...
In addition to managing entity data sourced from various business processes, identity registries typically are source systems (i.e., are authoritative) for some data, in particular institutional identifiers. A common registry-managed identifier is a registry ID (also called unique ID, or UUID) that is an opaque non-reusable identifier serving as an institutional "key" for the entity. Another common registry-managed identifier is a network ID (also called NetID or username) that is used by end-users for login and other services such as email. Creation and management of NetIDs, and other similar identifiers such as Distinguished Names, may be integrated with credential assignment processes that also include management of authentication information such as passwords and public keys. This is a touchpoint between identity registries and authentication systems.
Registration, matching, reconciliation
...
It may be found that due to a failure of matching in the registration process more than one registry entity exists for an entity. In this case two or more entries must be merged. Similarly, it may be found that an entry contains a mix of information from different entities. In this case the entry must be split into two or more entries. Merging and splitting are typically administrative processes; in the case of person entries the processes may involve active participation of the affected people.
Identity information distribution
Information in identity registries is made widely available to many processes and systems to support institutional-scale identity integration. This implies a touchpoint between identity registries and information distribution (or presentation) systems such as directories, web services, etc. This may imply requirements for low latency of change propagation, high fanout, etc.
Affiliations, lifecycle
Many different institutional processes bring entity information into a registry. In addition to the entity's type (person, e.g.), the registration process and the information in the entry typically reflect the nature of the process that brought the entry in. For example, the entry for a person who is a student will likely have a different input process and hold different information from that of a person who is an employee (a person may be both, of course). The different relationships that affect entry data and maintenance are called affiliations. The policies and procedures that codify how an entry is managed over time are called lifecycles of the various affiliations. In addition to ..Identity registries may need to support affiliation catalogs, representations of lifecycles and policies, and integration with business systems such as student and human resources systems that implement the lifecycles for key institutional affiliations. Affiliation lifecycles also often affect service access by people and other actors, implying a touchpoint of affiliation and lifecycle management with access management systems.
Contact / profile information
A common class of identity data is contact information, or more generally profile information. Contact information includes items such as phone numbers, email addresses, web URLs, etc. Profile information may include many types of information including departmental associations, interests, and other relatively unstructured information.
Identity assurance
identity proofing / vetting
credential assignment
Institutions have a wide range of relationships with people, from rich and long-term to brief and casual. Information about people in an identity registry may be well-managed and vetted by trusted business processes, or it may be self-asserted or untrustworthy, depending on circumstances. This consideration leads to notions of representing these qualities of information, a concept called identity assurance (registry information is only one piece of overall identity assurance). Identity registries may have requirements for storing and managing assurance-related information, such as vetting processes, times/locations of data checking, etc. This also implies touchpoints with other aspects of identity assurance, in particular authentication systems.
Management operations / user access
Identity registries are maintained via many processes; some of these involve interactive access by registry-associated staff to do such operations as status checking, handling merges and splits, investigating data anomalies, viewing entry history, generating reports, etc. This implies requirements for user interfaces to support these operations, including appropriate access control. Other functions may imply a need for end-user access for operations such as profile management, self-service merging, service requests, etc.management operations / user access