Identity Management - Emerging Fundamental Points

Emerging Fundamental Points

  • IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and granting access to authorized users via cards, tokens and web access control systems.
  • User-based IdM has started to evolve away from username/password and web-access control systems toward those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
  • IdM provides the focus to deal with system-wide data quality and integrity issues often encountered by fragmented databases and workflow processes.
  • IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. Therefore, IdM applies to the products and services of an organization, such as health, media, insurance, travel and government services. It is also applicable to the means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
  • IdM can deliver single-customer views that include the presence and location of the customer, single products and services as well as single IT infrastructure and network views to the respective parties. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
  • IdM covers the machinery (system infrastructure components) that delivers such services because a system may assign the service of a user to: a particular network technology, content title, usage right, media server, mail server, soft switch, voice mailbox, product catalog set, security domain, billing system, CRM, help desk etc.
  • It is equally important for users to correctly identify and authenticate service providers as it is for service providers to identify and authenticate users. This aspect has largely been ignored during the early development of identity management.
  • Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.

Capabilities of IdM systems include:

  • User Management by a Help/Service Desk, as in creation, deletion, modification of user identity data by a staffed desk
  • User Self Service, as in a user being able to modify their own mutable or correctable data (e.g. postal address, telephone number) and, more importantly and frequently, their own credentials. Credentials are the (typically secret) pieces of information that allow a user to identify himself or herself to the IdM system
  • Roles Based Delegated User Administration, which involves, for example, a supervisor of an employee being able to modify certain attributes of that employee's user data. Delegation allows an IdM solution to scale, in that local administrators or supervisors are able to perform permissible modifications without requiring a global administrator. The roles-based aspect means that Supervisor, in this example, is a role as opposed to a specific person. For example, today it might be Jane Smith who occupies the supervisor role of a local department store, where Debbie Forsyth is an employee; a few months down the line, the supervisor role might be assigned to a new person, say Joseph Peterson. At that point, no IdM system changes will need to be made, except removing Jane Smith from the Supervisor role and assigning Joseph Peterson that role at the local department store. Roles-based access mechanisms also allow for implementation of privacy controls around user attribute data.
  • Provisioning resources, as in the assignment of a desk or a phone to a new employee in an office
  • Roles Based Access Control, as in the rights to access resources secured using a companion access control agent, by specifying user access roles within the IdM system
  • Entitlement to resource privileges, as in the privilege to read and update Human Resources paperwork (files and folders on a shared network drive) for a newly recruited Human Resources Administrator

Note that for each of the above, there could be a withdrawal action as well, as in withdrawal of privileges as the opposite of assignment of privileges.
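
The supervisor handover and the self-service limits described above can be sketched as follows. This is an added example, not code from any IdM product; the attribute names, the "store-17" scope and the user ids are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: role and attribute names are assumptions for illustration.
ROLE_WRITABLE = {"supervisor": {"work_schedule", "job_title"}}
SELF_SERVICE = {"postal_address", "telephone", "credential"}


@dataclass
class Directory:
    users: dict = field(default_factory=dict)      # user id -> attribute dict (includes "store")
    assignments: set = field(default_factory=set)  # (user id, role, scope) triples

    def assign(self, user, role, scope):
        self.assignments.add((user, role, scope))

    def withdraw(self, user, role, scope):
        # Withdrawal mirrors assignment; no other record is touched.
        self.assignments.discard((user, role, scope))

    def may_modify(self, actor, target, attribute):
        if actor == target:                          # user self service
            return attribute in SELF_SERVICE
        scope_needed = self.users[target]["store"]   # delegation stops at the store boundary
        return any(u == actor and s == scope_needed
                   and attribute in ROLE_WRITABLE.get(r, ())
                   for u, r, s in self.assignments)

    def modify(self, actor, target, attribute, value):
        if not self.may_modify(actor, target, attribute):
            raise PermissionError(f"{actor} may not set {attribute} on {target}")
        self.users[target][attribute] = value


def build_store():
    """Constructed sample data using the names from the example in the text."""
    d = Directory()
    for uid in ("jane.smith", "joseph.peterson", "debbie.forsyth"):
        d.users[uid] = {"store": "store-17"}
    d.assign("jane.smith", "supervisor", "store-17")
    return d


def hand_over(d, old, new, role="supervisor", scope="store-17"):
    """The only change needed when the occupant of the role changes."""
    d.withdraw(old, role, scope)
    d.assign(new, role, scope)
```

Because permissions hang off the role and its scope rather than the person, the policy table is untouched by the handover, and the employee's credential stays outside what the supervisor role can write.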
