Identity administration models include centralized, delegated, and self-service administration; delegated administration with workflow approval; public key infrastructure (PKI)-based administration; federated IdM; and automated administration. The identity of the person who is being allowed to administer designated IdM stores, functions, and data is often the principal difference among the models:
- Manual: Administration of identity data and functions by IT personnel or LOB representatives; identity data may be entered directly into application environments that don’t source identity information from a shared service or into a user provisioning system that distributes identity data to multiple applications.
- Automated: Administration based on rules derived from business, security, or regulatory policies; accounts are created or access is granted based on the value of certain attributes (e.g., “if cost center is xyz, then permit access to procurement system”). These rules are evaluated and processed without human intervention or workflow approval, with two variants:
  - Workflow approval: A subset of automated administration that additionally requires the review and approval of the system, resource, or application owner before access takes effect.
  - Federated: In federated models, identity attributes are sourced from partner systems in an automated fashion at runtime. This is also known as just-in-time provisioning of access.
- Self-service: Administration of selected user-specific identity data by the users to whom the data pertains. Self-service interfaces are increasingly required to allow internal or external users, who are often the best information source, to update and manage a subset of data about their identities and therefore shoulder a portion of the administrative cost. Self-service capabilities can include self-registration, subscribing to published services, maintaining personal data, and self-help such as password resets.
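An added example (not from the original post) of the automated, rule-based model described above, including the workflow-approval subset: attribute rules decide which entitlements are granted outright and which wait for an owner's approval, and re-evaluating the rules after an attribute change revokes access the rules no longer justify. Rule names, attribute values, and entitlement names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One provisioning rule: if identity[attribute] == value, grant entitlement."""
    attribute: str
    value: str
    entitlement: str
    requires_approval: bool = False  # workflow-approval subset: owner must sign off


# Constructed sample policy (hypothetical attribute and system names).
RULES = [
    Rule("cost_center", "xyz", "procurement_system"),
    Rule("department", "finance", "gl_reporting", requires_approval=True),
]


def evaluate(identity: dict, rules=RULES) -> dict:
    """Evaluate all rules against an identity's attributes with no human step.

    Returns entitlements that are granted automatically and those that are
    justified by a rule but held until the resource owner approves them.
    """
    granted, pending = set(), set()
    for rule in rules:
        if identity.get(rule.attribute) == rule.value:
            (pending if rule.requires_approval else granted).add(rule.entitlement)
    return {"granted": granted, "pending_approval": pending}


def reconcile(current: set, identity: dict, approvals: set, rules=RULES) -> dict:
    """Re-run the rules (e.g. after an HR attribute change) and compute actions.

    current   - entitlements the account holds today
    approvals - pending entitlements the owner has already approved
    Access that no rule still justifies is revoked, so privilege tracks attributes.
    """
    decision = evaluate(identity, rules)
    entitled = decision["granted"] | (decision["pending_approval"] & approvals)
    return {
        "grant": entitled - current,
        "revoke": current - entitled,
        "await_approval": decision["pending_approval"] - approvals,
    }


if __name__ == "__main__":
    # Worker moves out of cost center xyz into finance: procurement access is
    # revoked automatically; GL reporting waits for the owner's approval.
    print(reconcile({"procurement_system"},
                    {"cost_center": "abc", "department": "finance"}, set()))
```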