IAM Registry questions to evaluate features and functionality against standard business requirements.
Category | Description or Question for solution provider | Response | Link(s) to Documentation
---|---|---|---
General architecture | Describe how ID match capability is provided by the registry solution. For example, is it (a) an integral part of the solution as provided, or (b) must it be integrated with an external ID match engine, or (c) can it be provided in some other way? | Our current solution for matching within the CPR has two parts: an external engine which generates match codes and an algorithm that is part of the registry. So I would say our answer is (a) and (b). And it's flexible enough that another solution can be dropped in. With regards to the match codes that are generated by the appliance, they take into account variations in name and address. So a match code for Bill Smith, William Smith and Billy Smith would be the same thing. When we do the matching process we attempt to do an exact match using either our Penn State Identifier Number (PSU ID Number), Social Security Number, or the userid. If the exact match fails, a near match is done using the match codes. The result is a ranking of the match between 1 and 550. A match is anything that has a score of at least 330. We have two match algorithms, one for domestic and one for international. In addition to the identity match, we found it important to attempt to cleanse the address data, so we purchased an external product that does address validation. |
 | Describe how groups management (for use with authZ controls and other purposes) is provided. For example, is it (a) handled internally by the solution, or (b) integrated with an external group management engine such as Grouper, or (c) provided in some other way? | |
Data model | Describe how the registry solution supports an extensible set of attributes about (a) persons, (b) applications or other external resources, and (c) other, arbitrary entities. | |
AuthZ support | Describe how the registry data model supports defining arbitrary user roles in support of authZ functions. | |
Features | Describe how the registry solution supports audit logging of sensitive transactions, including support for the recording of historical changes made to sensitive data. Describe how this log includes the requester and authorizer identities, and transaction timestamps. | |
 | Describe how the registry solution supports the secure storage of security questions and answers for use in password recovery. | |
 | Is there support for multiple name and address types as well as history? If yes, please describe. | |
Identity Assurance | Are registration events captured as they occur? Do these events automatically trigger assignment/deassignment of an IAP? | |
 | Is there support for real-time provisioning of identities/services? | |
 | Describe how data is processed (batch, web services). | |
 | Is the registry dependent on other open source or vendor products? If yes, please provide details. | |
 | Where is the business logic stored? Is there support for delegation to maintain these rules? | |
 | How does the registry notify external entities of data changes (for example, when a name is changed)? | |
 | Is the code located in a public repository? | |
 | How are changes, marketing, etc. communicated to the public (wiki, lists, web presence)? | |
 | Is there a proper OSS license? | |
 | Is there a clear project lead? | |
 | Is there an existing project steering committee/governance? | |
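The two-stage match described in the General architecture response (exact match on PSU ID, SSN or userid first, then a near match on match codes scored 1 to 550 with 330 as the match threshold) is shown below as an added example. It is not code from the CPR or from any registry product; the match-code generator, nickname and street-abbreviation tables, component weights, and the `PersonRecord`/`MatchResult` types are constructed stand-ins for the external appliance the response mentions. The `audit_record` helper only illustrates the requester/timestamp fields the Features question asks for.

```python
"""Two-stage identity match: exact match on a strong identifier, then a
near match on normalized "match codes" with a numeric score and threshold.
Added example; the code generation and weights are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

MATCH_THRESHOLD = 330   # from the response: a score of at least 330 is a match
MAX_SCORE = 550         # from the response: ranking between 1 and 550

# Constructed tables; the real appliance's name/address normalization is not on the page.
NICKNAMES = {"bill": "william", "billy": "william", "will": "william",
             "bob": "robert", "rob": "robert", "liz": "elizabeth"}
STREET_ABBREV = {"st": "street", "ave": "avenue", "rd": "road"}
WEIGHTS = (150, 250, 150)   # constructed: first name, last name, address; sums to 550


def _tokens(s: str):
    """Lowercase, strip punctuation, split on whitespace."""
    return re.sub(r"[^a-z0-9 ]", "", s.lower()).split()


def make_match_code(first: str, last: str, address: str) -> tuple:
    """Constructed stand-in for the appliance's match code: the same tuple
    should come out for Bill/Billy/William Smith at the same address."""
    fn, ln, ad = _tokens(first), _tokens(last), _tokens(address)
    first_norm = NICKNAMES.get(fn[0], fn[0]) if fn else ""
    last_norm = "".join(ln)
    addr_norm = " ".join(STREET_ABBREV.get(w, w) for w in ad)
    return (first_norm, last_norm, addr_norm)


@dataclass
class PersonRecord:
    psu_id: Optional[str]
    ssn: Optional[str]
    userid: Optional[str]
    first: str
    last: str
    address: str
    match_code: tuple = field(init=False)

    def __post_init__(self):
        self.match_code = make_match_code(self.first, self.last, self.address)


@dataclass
class MatchResult:
    stage: str                      # "exact", "near" or "none"
    record: Optional[PersonRecord]
    score: int


def exact_match(candidate: PersonRecord, registry) -> Optional[PersonRecord]:
    """Stage 1: any shared strong identifier is an exact match."""
    for rec in registry:
        for attr in ("psu_id", "ssn", "userid"):
            c, r = getattr(candidate, attr), getattr(rec, attr)
            if c and r and c == r:
                return rec
    return None


def near_match_score(code_a: tuple, code_b: tuple) -> int:
    """Stage 2: sum the weights of agreeing, non-empty components; floor of 1."""
    score = sum(w for w, x, y in zip(WEIGHTS, code_a, code_b) if x and x == y)
    return max(1, score)


def match_identity(candidate: PersonRecord, registry) -> MatchResult:
    rec = exact_match(candidate, registry)
    if rec is not None:
        return MatchResult("exact", rec, MAX_SCORE)
    best, best_score = None, 0
    for rec in registry:
        s = near_match_score(candidate.match_code, rec.match_code)
        if s > best_score:
            best, best_score = rec, s
    if best_score >= MATCH_THRESHOLD:
        return MatchResult("near", best, best_score)
    # Below threshold: treat as a new identity rather than risk a false merge.
    return MatchResult("none", None, best_score)


def audit_record(candidate: PersonRecord, result: MatchResult,
                 requester: str, timestamp: str) -> dict:
    """Fields an audit log of a match decision would carry (illustrative)."""
    return {"timestamp": timestamp, "requester": requester,
            "candidate_userid": candidate.userid, "stage": result.stage,
            "score": result.score,
            "matched_psu_id": result.record.psu_id if result.record else None}


# Constructed sample registry and candidates.
REGISTRY = [PersonRecord("912345678", "123-45-6789", "wjs12",
                         "William", "Smith", "123 Main St")]

if __name__ == "__main__":
    for cand in (PersonRecord(None, None, None, "Bill", "Smith", "123 Main Street"),
                 PersonRecord(None, None, None, "Jane", "Smith", "9 Elm Rd")):
        print(audit_record(cand, match_identity(cand, REGISTRY),
                           "registrar1", "2024-01-01T00:00:00Z"))
```

A shared SSN wins outright in stage 1 regardless of how different the names look, while stage 2 cannot reach the threshold on a last name alone (250 of 550 here), which is the behaviour a registry wants: a false merge hands one person's services to another, so anything under the threshold becomes a new identity and the decision is written to the audit log with the requester and timestamp.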