
This document provides a general description of the components and functions of the identity registry component of an institutional-scale Identity and Access Management (IAM) suite.  It also suggests touch points with other subsystems in such a suite.  Requirements for identity registry functionality and operation can be written based on the terms and concepts presented in this model.

Overview

The function of an identity registry is to register information about entities of interest to the organization operating the registry. This model is concerned with identity registries serving institutional needs:  thousands or millions of entities, operated according to institutional policies to meet institutional goals such as accountability, compliance, security, and collaboration.

Entities, entries and identity

An entity is a "thing" of interest to the institution, distinguishable from other entities of its type.  Entities of most interest are typically "actors", making things happen in online systems. The most common kind of entity is a person, hence identity registries are often called person registries. Other common "actor" entities are processes, applications, computers, and organizations.  An entity is represented in the identity registry by a record called an entry that contains structured information about the entity.  A data element that is designed to distinguish entities in a set is called an identifier.  An entry typically contains several kinds of identifiers, as well as other identity data.  A key goal of a registry is typically to ensure, as far as possible, that each entity is represented by exactly one registry entry.  Each entry in a registry has a type, and each type has a schema.  Different types may be handled by different registries, or a single registry may deal with several types.

Registration, matching, reconciliation

Registration is the process of creating a new identity registry entry.  Identity data may come into a registry from source systems (typically also registries), or interactively via human entry processes.  A person who engages in registering entries is called a registration agent.  In support of the goal of one entry per entity, it is necessary for the registration process to determine whether a set of identity data coming into the registry refers to an existing entry, or represents a new entity, hence requiring the creation of a new entry.  The process of distinguishing new from existing is called matching.  The matching process may rely on many different data elements, and may involve human decision-making in addition to automated processing.  The process of adding or modifying identity data in an entry based on incoming data is called reconciliation.

Merging, splitting

It may be found that, due to a failure of matching in the registration process, more than one registry entry exists for an entity.  In this case two or more entries must be merged. Similarly, it may be found that an entry contains a mix of information from different entities.  In this case the entry must be split into two or more entries. Merging and splitting are typically administrative processes; in the case of person entries they may involve the affected people.
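As an added illustration of the registration, matching, reconciliation and merging processes described in the two sections above (example code written for this page, not part of the model or of any IAM product; the exact-match rule on identifiers, the identifier kinds and the source names are assumptions):

```python
# Added example (not from the page): a toy identity registry modelling registration, matching,
# reconciliation and merging. Assumed matching rule: an exact match on any already-registered
# identifier selects that entry; otherwise the incoming data is treated as a new entity.
from dataclasses import dataclass, field

@dataclass
class Entry:
    entry_id: int
    identifiers: dict = field(default_factory=dict)  # identifier kind -> value, e.g. "student_id": "S100"
    attributes: dict = field(default_factory=dict)   # other identity data (names, contact info)
    sources: set = field(default_factory=set)        # entry metadata: which source systems contributed

class IdentityRegistry:
    def __init__(self):
        self._entries = {}   # entry_id -> Entry
        self._index = {}     # (identifier kind, value) -> entry_id, consulted by matching
        self._next_id = 1

    def match(self, identifiers):
        """Matching: ids of the existing entries that any incoming identifier points to."""
        return {self._index[k] for k in identifiers.items() if k in self._index}

    def register(self, source, identifiers, attributes=None):
        """Registration: match the incoming data, then reconcile it into the matched or a new entry."""
        hits = self.match(identifiers)
        if len(hits) > 1:  # data spans several entries: probable duplicates, left to a registration agent
            raise ValueError(f"ambiguous match, candidate entries {sorted(hits)}")
        if hits:
            entry = self._entries[hits.pop()]
        else:
            entry = Entry(self._next_id)
            self._entries[entry.entry_id] = entry
            self._next_id += 1
        self._reconcile(entry, source, identifiers, attributes or {})
        return entry

    def _reconcile(self, entry, source, identifiers, attributes):
        """Reconciliation: add or modify identity data in the entry and record where it came from."""
        for kind, value in identifiers.items():
            entry.identifiers[kind] = value
            self._index[(kind, value)] = entry.entry_id
        entry.attributes.update(attributes)
        entry.sources.add(source)

    def merge(self, keep_id, drop_id):
        """Merging: fold a duplicate entry into the kept one; the kept entry's attributes take precedence."""
        keep, drop = self._entries[keep_id], self._entries.pop(drop_id)
        self._reconcile(keep, f"merge:{drop_id}", drop.identifiers, {**drop.attributes, **keep.attributes})
        keep.sources |= drop.sources
        return keep
```

Incoming data whose identifiers point at two different entries is refused rather than silently reconciled, which is the point at which a registration agent would decide whether a merge is warranted.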

Entry metadata

Create/mod dates, sources, etc.

Sources

Kinds of entities

Identity data / store

Identifiers

Affiliations / relationships

Contact / profile information

Lifecycle

Assurance

Identity proofing / vetting

Credential assignment

Management operations / user access