IAM Registry questions to evaluate features and functionality against standard business requirements.
Category |
Description or Question for solution provider |
Response |
Link(s) to Documentation |
|---|---|---|---|
General architecture |
Describe how ID match capability is provided by the registry solution. For example, is it (a) an integral part of the solution as provided or (b) must it be integrated with an external ID match engine or (c) can it be provided in some other way? |
Our current solution for matching within the CPR has two parts, an external engine which generates match codes and an algorithm that is part of the registry. So I would say our answer is a and b. And its flexible enough that another solution can be dropped in. With regards to the match codes that are generated by the appliance, they take into account variations in name, and address. So a match code for Bill Smith, William Smith and Billy Smith would be the same thing. When we do the matching process we attempt to do an exact match using either our Penn State Identifier Number (PSU ID Number), or Social Security Number or the userid. If the exact match fails, a near match is done using the match codes. The result of which is a ranking of the match between 1 and 550. A match is anything that has a score of at least 330. We have two match algorithms one for domestic and one for international. In addition to the identity match, we found it important to attempt to cleanse the address data, so we purchased an external product that does address validation. |
|
|
Describe how groups management (for use with authZ controls and other purposes) is provided. For example, is it (a) handled internally by the solution or (b) integrated with an external group management engine such as Grouper or (c) provided in some other way? |
Under the umbrella of our IAM project, we have a sub-project related to Access Management. Groups management will be part of that project, not our registry one. At this time, we have only gathered requirements from our stakeholders. We do feel that Grouper will probably be part of our Access Management solution in the future. |
|
Data model |
Describe how the registry solution supports an extensible set of attributes about (a) persons, (b) applications or other external resources, and (c) other, arbitrary entities? |
|
|
AuthZ support |
Describe how the registry data model supports defining arbitrary user roles in support of authZ functions. |
Roles are an integral part of any Access Management solution. Our registry can be used to provide information in the construction of roles, however the roles themselves will not live in the registry, as they will reside in an access management solution like Grouper for example. |
|
Features |
Describe how the registry solution supports audit logging of sensitive transactions, including support for the recording of historical changes made to sensitive data. Describe how this log includes the requester and authorizer identities, and transaction timestamps. |
Our registry has various levels of auditing, the first of which is database logging. We log all transactions to a service log. In addition, for each database table we maintain history of changes to records. Whenever a record is changed, the existing record is marked inactive and a new record is cut. For each database table we have the following fields that determine our history: |
|
|
Describe how the registry solution supports the secure storage of security questions and answers for use in password recovery. |
|
|
|
Is there support for multiple name and address types as well as history? If yes, please describe. |
Yes, our registry does support multiple types of names, addresses, phones, and email addresses. The types can be directly traced back to our IAM policy (which is in draft mode). Each type is associated with each record stored in our names, addresses, phones and email address types. So for example, for a Name record it can either be a LEGAL_NAME, PREFERRED_NAME or a DOCUMENTED_NAME. For a documented name which is obtained from a legal document, we also record the document type (which can be password, driver's license, state identification card or a military identification card). In addition the types are used as part of our authorization decisions. We have designed our authorization scheme to allow RAs to only assign particular types of data, if need be. This authorization is control using Grouper. |
|
Identity Assurance |
Are registration events captured as they occur? Do these events automatically trigger assignment/deassignment of an IAP |
|
|
|
Is there support for real time provisioning of Identities/services |
|
|
|
Describe how data is processed (batch, web services) |
|
|
|
Is registry dependent on other open source or vendor products? If yes, please provide details. |
|
|
|
Where is the business logic stored? Is there support for delegation to maintain these rules? |
|
|
|
How does the registry notify external entities of data changes? (for example name is changed) |
|
|
|
Is code located in public repository |
No, not at this time. A snapshot of the code is available at a shibboleth protected web site. |
|
|
How are changes, marketing, etc communicated to public? (wiki, lists, web presence) |
Our registry is currently not in production, we do however have numerous stakeholder and developer listservs. In addition IAM at Penn State has a presence on Twitter, Yammer, Youtube and Facebook. |
|
|
Is there proper OSS license? |
We are using a license which has been approved by our CIO. |
|
|
Is there a clear project lead? |
Yes for our project, the leader is Renee Shuey (prs4@psu.edu). |
|
|
Is there an existing project steering committee/governance? |
Yes, there is an overall IAM governance council. |
|