Internet2’s Trust and Identity in Education and Research (TIER) program provides a range of core functionality, including group and access management, single sign-on, and federation management. But peering deeper into the layer that forms the basis for Identity and Access Management (IAM) functionality, the TIER Entity Registry Working Group and the TIER Data Structures and APIs Working Group have proposed a data ecosystem required to support the TIER components. Central to this ecosystem is a well-defined strategy for the creation and use of data repositories. These repositories must be complete, flexible, and extensible.
The aforementioned working groups recommend that TIER include a “thin” registry—one which contains the minimum number of attributes that are common to all institutions’ needs which an individual institution would augment according to its own local needs. This as opposed to a “thick” registry, which would contain a rich (but lengthy) set of attributes, with each institution choosing a subset to use for its purposes. You can read more about the rationale for this choice later in the blog. First, we need to explore the Identity Ecosystem.
The IAM ecosystem includes three major data classes in a repository and a fourth supportive data class. The three data classes include:
(Left - click for larger image)
A fourth class of repository information is rules for mappings—and a consistent (normalized) view—across all Systems of Record (SOR).
The registry, group and person data classes can be as thick or thin as an institution’s practice allows. The classes do allow for an evolution over a period of time. The TIER Entity Registry Working Group recommends that the registry remain thin if possibleand be limited to only the information that affects access management related service. The grouping and provisioning structure (such as Grouper) will in turn keep track of all of the relevant groups.
Think about the notion of “IAM is simply another vertical application” with respect to those data hub efforts. IAM should provide data to the hub, and also consume data from the hub, just like other applications. What are the advantages of a minimal/thin registry?