Domain Model for Identity Management



Similar documents
Using LDAP Authentication in a PowerCenter Domain

Software Development & Education Center. Microsoft Dynamics

Understanding Active Directory. Heng Sovannarith

Chapter 3 Authenticating Users

Forests, trees, and domains

Building an identity repository is at the heart of identity and access management.

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

Completeness, Versatility, and Practicality in Role Based Administration

Schemas Supporting Physical Data Storage

Ultimus and Microsoft Active Directory

Active Directory Integration Guide

Outline. Definition. Name spaces Name resolution Example: The Domain Name System Example: X.500, LDAP. Names, Identifiers and Addresses

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y

Security Provider Integration LDAP Server

Active Directory Integration Manual

An Oracle White Paper September Directory Services Integration with Database Enterprise User Security

Administration Challenges

Admin Report Kit for Active Directory

ADSelfService Plus Client Software Installation Guide

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Blackbird Management Suite Blackbird Group, Inc.

Infor LN User Guide for Setting Up a Company

CHAPTER THREE. Managing Groups

Synchronizer Installation

How To Authenticate On An Xtma On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Password Protected (For An Ipad) On An Ipa Or Ipa (For Mac) With A Log

WINDOWS 2000 Training Division, NIC

Chapter 8 The Enhanced Entity- Relationship (EER) Model

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

LDAP User Service Guide 30 June 2006

Hierarchical Data Visualization

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Record-Level Access: Under the Hood

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Chapter 1 Manage Users, Computers and Groups...2. Chapter 2 Managing and Maintaining Access to Resources...43

[MS-FSADSA]: Active Directory Search Authorization Protocol Specification

Sample Configuration: Cisco UCS, LDAP and Active Directory

Principal MDM Components and Capabilities

LDAP Implementation AP561x KVM Switches. All content in this presentation is protected 2008 American Power Conversion Corporation

CERN, Information Technology Department

How to Enable the Audit of Active Directory Objects in Windows 2008 R2 Lepide Software

Commerce Services Documentation

Utilizing LDAP for User Profile and Corporate Structure Integration

Troubleshooting Active Directory Server

RSA VIA LIFECYCLE AND GOVERNENCE: ROLE MANAGEMENT BEST PRACTICES

Version 9. Active Directory Integration in Progeny 9

Active Directory Change Notifier Quick Start Guide

Whitepaper: Manage Access Control for Network Resources with Securitay s Security Policy Manager

USERS MANUAL FOR OWL A DOCUMENT REPOSITORY SYSTEM

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions

Windows Logging Configuration: Audit Policy Configuration

DB2 Security. Presented by DB2 Developer Domain

CHAPTER 6 DATABASE MANAGEMENT SYSTEMS. Learning Objectives

Lightweight Data Integration using the WebComposition Data Grid Service

System Center Configuration Manager 2007

Planning and Implementing an OU Structure

Module 4. Managing Groups. Contents: Lesson 1: Overview of Groups 4-3. Lesson 2: Administer Groups Lab A: Administer Groups 4-36

Windows Server 2012 Directory Partition Containers- A Walk Through

Using LDAP for User Authentication

Stellar Active Directory Manager

A Guide to Sharing Architecture

WHITE PAPER. Understanding Transporter Concepts

Chapter 7 Application Protocol Reference Architecture

Configuring and Using the TMM with LDAP / Active Directory

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

How To Protect Your Active Directory (Ad) From A Security Breach

Windows Server 2003 Active Directory: Perspective

Normalization in OODB Design

Profile synchronization guide for Microsoft SharePoint Server 2010

Best Practices for Designing a Secure Active Directory: Multi-Org Exchange Edition. written by Dmitry Sotnikov, Aelita Software.

Introduction to Glossary Business

Using UML Part One Structural Modeling Diagrams

Enterprise Reporter Report Library

Active Directory Manager Pro New Features

Oracle Communications Unified Communications Suite

User Manual for Delivery

Liferay Portal User Guide. Joseph Shum Alexander Chow

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

Role Based Access Control: How-to Tips and Lessons Learned from IT Peers

Cello How-To Guide. Tenant Hierarchy Management

Self-Service Active Directory Group Management

Ektron to EPiServer Digital Experience Cloud: Information Architecture

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Quick Connect for Cloud Services

Administering Active Directory. Administering Active Directory. Reading. Review: Organizational Units. Review: Domains. Review: Domain Trees

How to Use Microsoft Active Directory as an LDAP Source with the Oracle ZFS Storage Appliance

Active Directory Cleaner User Guide 1. Active Directory Cleaner User Guide

Nightmare on Delegation Street with Native Active Directory Tools

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

Integrating Webalo with LDAP or Active Directory

Portland State University Office of Information Technologies Active Directory Standards and Guidelines for Campus Administrators

New Security Options in DB2 for z/os Release 9 and 10

Introduction to Active Directory Services

Luncheon Webinar Series July 29, 2010

Oracle BI 11g R1: Build Repositories

SafeGuard Enterprise Administrator help

White Paper. 7 Questions to Assess Data Security in the Enterprise

Database Schema Management

Oracle Identity Manager, Oracle Internet Directory

Introduction to Web Services

Transcription:

1 2 Domain Model for Identity Management This document introduces entities and relationships common to the domain of identity management. Organization Group belongs-to member-of performs owns confers Account (1) is-of hasvaluefor AccountType impliesvaluefor (1) Service (1,N) (1,N) AccountAttribute 4 5 6 7 8 9 10 Each of the following subsections presents a subset of the domain model, beginning with the most familiar: The first subsection below presents, Account and Service. The next subsection below presents Organization, Group and. A third subsection below presents AccountType and AccountAttribute. A final subsection entitled SIMPLEST Relationships discusses how the SIMPLEST Schema uses object classes and attributes to represent these entities and relationships. 1 SIMPLEST-domain-model.odt Page 1 of 8

1.1., Account and Service owns Account (1) Service 11 12 13 14 15 16 17 18 19 20 21 22 23 The and Account schema entities are fundamental to Identity Management. An instance of normally represents a human being. An instance of Account normally represents a person within the scope of a particular computer system or application. Each person may own (that is, may be responsible for) any number of accounts. At most one person may own each account. A Service is a computer system or application that accounts. A service may define any number of accounts. Exactly one service each account. The concept of a Service is closely related to SPML's concept of a Target. A Service is a physical endpoint for provisioning, whereas a Target is a logical endpoint for provisioning that a provider exposes to requesters. An SPML provider may expose a service as a target. On the other hand, rather than expose an actual service, an SPML provider may expose as a target an abstract collection of services or (may expose as a target) a functional description that is more like a role. In short: A service may be a target, but a target is not necessarily a service. 2 SIMPLEST-domain-model.odt Page 2 of 8

1.2. Organization, Group and Organization Group belongs-to member-of performs 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 The Organization schema entity is ubiquitous in directory services (and therefore is common in identity management systems). An instance of Organization usually represents the management structure of a corporate entity that is, an entity that consists of more than one person. The most common management structure is a hierarchy: Each organization may nest any number of organizations. Exactly one organization each organization (except the topmost, which none ). s are leaf nodes in an organizational hierarchy. Each person may belong to at most one organization. Any number of persons may belong to each organization. The Group schema entity usually represents an arbitrary collection of persons. (A group need not contain persons, but typically does.) Each person may be a member of any number of groups. Any number of persons may be a member of each group. Classically (as derived from Unix groups) a group cannot contain other groups, but many modern systems and applications allow this. Many modern groups may form hierarchies or may form structures more flexible than hierarchies. Each group may contain any number of groups. Any number of groups may contain each group. Whoever contains groups is responsible for preventing cycles that is, a group must not contain itself directly or indirectly. The most important difference between Group and Organization or is semantic: Group membership is assumed to be orthogonal to (that is, a dimension independent of) both organizational hierarchy and job function. The schema entity represents a job function that a person may perform. Like group membership, role membership is not exclusive. Each person may perform any number of roles. Any number of persons may perform each role. Like organizations, roles may be nested to form a hierarchy. Each role may nest any number of roles. At most one role may nest each role. However, role is assumed to be orthogonal to organization. That is, a role hierarchy represents (a taxonomy of job function that is) a dimension independent of management hierarchy. The semantic difference between Group and is that group membership is generally shallow -- that is, group membership entails little or no data beyond the fact of membership. membership is usually deeper : a role may confer specific types of access to specific services. The section entitled AccountType and AccountAttribute discusses this further. 3 SIMPLEST-domain-model.odt Page 3 of 8

1.3. AccountType and AccountAttribute 53 54 performs owns confers Account (1) is-of hasvaluefor AccountType (1) Service (1,N) (1,N) impliesvaluefor AccountAttribute 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 This section describes the entitities and relationships in this domain model that are the least well formalized in the industry. Nonetheless, almost every commercial identity management system has some notion of the schema (that is, a defined set of attributes) for accounts on a service. Furthermore, any identity management system that allows a person to own multiple accounts on a single service, and that allows a role to specify (that a person who performs the role should own an account on) a particular service, must have some notion of different types of accounts. A note at the end of this section discusses this in more detail. A service may define more than one type of account. (That is, the identity management system may define specific account types that are available on a service.) Each account type represents a named category of account. For example, the default type of account may imply only basic or standard access to that service, whereas an administrator account may imply additional access. (The underlying system or application that the Service represents may not define specific categories of account, or may define categories that differ from those that the identity management system chooses to expose.) Each service may define any number of account types. At least one service must define each account type. A service may define a set of account attributes. Each AccountAttribute represents a managed characteristic of accounts on that Service. The identity management system models these attributes explicitly e.g., in order to enable special policy or control. The identity management system may map these attributes to native i.e., service-specific characteristics of an account. (Accounts on that service may have additional characteristics that are not managed, or that are not modeled explicitly.) Each service may define any number of account attributes. At least one service must define each account attribute. A role often confers some type of account. (That is, each job function that is modeled as a role often requires that the person be granted some level of access or some specific type of access to a particular service.) In the simplest case, a role specifies that any person who performs the role 4 SIMPLEST-domain-model.odt Page 4 of 8

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 should have at least basic access to a service. That unqualified assignment of access to a service the default type of account confers a normal or standard account for that service. In some cases, however, a role may confer a specific type of account for example, an administrator account. Each role may confer any number of account types. Any number of roles may confer each account type. Each type of account (for example, an administrator account type) may imply a set of values for (each of any number of) attributes that grant additional access on the target. (An administrator account-type might be allowed to affect resources that are not available to other accounts, might be allowed to affect resources that are owned by other accounts, or might be allowed to change the characteristics of other accounts.) Each account type may imply values for any number of account attributes. Any number of account types may imply values for each account attribute. Every account is of some account type. By default, an account is an instance of the default account type for the service that the account. (If a owns a particular account because the person performs a role that confers a specific account type, then the account must reflect its account type in order to maintain the association with the role. Otherwise, it may not be clear which accounts a should keep when that 's roles change. See the note below at the end of this section.) Every account is of some account type. Any number of accounts may be of each account type. NOTE: Identity management systems differ in the extent to which each supports -Based Access Control and (identity management systems also differ) in the manner in which each supports it. However, the fact that a role implies a specific type of account for a service (rather than conferring privileges onto whatever accounts for that service that person owns) becomes clear when a role (or when the set of roles that a particular person performs) implies more than one type of account for the same service. This is especially clear when a person must use each type of account for a distinct purpose. Imagine the following situation: An HRUser role implies a normal user account on the HR target. An HRAdministrator role implies a special administrator account on the HR target. A person who has both roles and who is therefore both an administrator and a user must use the special administrator account to perform all administrative functions and must user the normal user account to perform all end-user functions. This enables the company to keep a clean audit log of who did what when and in what capacity. If the person gains a GlobalAdmin role that also implies a special administrator account on the HR target, then there should be no net change (even if that person subsequently loses the HRAdministrator role). If the person loses both the HRAdministrator role and the GlobalAdmin role, that person should lose the special administrator account on the HR target but that person should keep the normal user account. 5 SIMPLEST-domain-model.odt Page 5 of 8

118 119 120 121 1.4. SIMPLEST Relationships SIMPLEST an object class to represent each of the schema entities in the domain model for identity management. SIMPLEST (for each of these object classes) attributes that represent relationships between (instances of) these object classes. Reworking the domain model to show relationships in terms of attributes yields the following diagram. 122 Organizations-Children / Organization-Parent Groups-Children / Groups-Parents Organization Group Organization-Direct / Groups-Direct / s-direct s-direct s-children / -Parent s-direct Accounts-All / -Owner AccountTypes-All / Account AccountTy pe AccountType Accounts / Serv ice AccountTypes / Serv ice Service AccountAttributes / Service AccountAttribute 123, Account and Service. 124 125 126 127 128 129 130 131 SIMPLEST, Account and Service as object classes. SIMPLEST uses attributes of these object classes to represent relationships between (instances of) and Account. An instance of may expose an Accounts-All attribute. The Accounts-All attribute may have multiple values. Each value of the Accounts-All attribute identifies an instance of Account for which the person is responsible. SIMPLEST also represents the inverse relationship: an instance of Account may expose an -Owner attribute. The -Owner attribute may have at most one value. Any value of the -Owner attribute identifies the (instance of that represents the) person who is responsible for the account. 6 SIMPLEST-domain-model.odt Page 6 of 8

132 133 134 135 136 137 138 139 140 141 142 143 NOTE: Many identity management systems conflate (that is, do not distinguish between) and Account. The SIMPLEST schema distinguishes between (an identity independent of any system or application) and Account (an identity in the context of a specific system or application). An SPML requester or provider that uses the SIMPLEST profile SHOULD clearly distinguish clearly between and Account. SIMPLEST similarly uses attributes to represent relationships between (instances of) Account and Service. An instance of Account always has a Service attribute that contains a single value. The value of the Service attribute identifies the (Service object that represents the) system or application that the account. NOTE: SIMPLEST could expose an Accounts attribute on the Service object-class that would allow a service to refer to every account that it. However, this would scale poorly because an Accounts attribute may have a very large number of values. 144 Organization, Group and. 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 SIMPLEST represents the hierarchical nesting of organizations using the Organization-Parent and Organizations-Children attributes of Organization. SIMPLEST allows an instance of to refer to an instance of Organization using the ou attribute (A.K.A. Organization-Direct ). NOTE: SIMPLEST Organization could expose a s-direct attribute that would allow an organization to refer to each person that the organization contains. However, this approach tends to scale poorly because a s-direct attribute may have a large number of values. This approach also introduces a requirement to synchronize the s-direct attribute with any inverse attribute such as the Organization-Direct attribute of the object class. It is usually better simply to have each instance of refer to an instance of Organization. SIMPLEST allows group nesting using the Groups-Parents and Groups-Children attributes of Group. SIMPLEST allows a person to refer to any number of groups by means of the Groups- Direct attribute of. This approach scales better than having a Group refer to each of its members see the discussion of s-direct above in this section. SIMPLEST allows a role nesting using the -Parent and s-children attributes of. The s-direct attribute of allows a person to refer to any number of roles. This approach scales better than having a refer to each of its members see the discussion of s-direct above in this section. NOTE: Group and are sometimes conflated--much as and Account are sometimes conflated. SIMPLEST therefore the Group and schema entities with many of the same attributes. Nonetheless, an SPML requester or provider that uses the SIMPLEST profile SHOULD clearly distinguish clearly between Group and. 166 AccountType and AccountAttribute. 167 168 169 170 171 172 173 174 175 176 177 178 179 SIMPLEST AccountAttribute as an object class. Each Service may expose a multi-valued attribute called AccountAttributes. Each value of AccountAttributes identifies an instance of AccountAttribute that the Service. Each AccountAttribute a managed characteristic of accounts on that service. NOTE: An instance of Account may have attributes that correspond to instances of AccountAttribute, but this relationship is implicit no attribute represents a relationship between Account and AccountAttribute. Instead, an instance of account may simply have attributes that correspond by name to AccountAttributes that the Service. SIMPLEST also a AccountType as an object class. Each Service may expose a multivalued attribute called AccountTypes. Each value of AccountTypes identifies an instance of AccountType that the Service. Each instance of AccountType a category of account on that service. Each instance of Account has a single-valued AccountType attribute that identifies the type of the account. 7 SIMPLEST-domain-model.odt Page 7 of 8

180 181 182 183 184 NOTE: An instance of AccountType may imply a set of values for an AccountAttribute, but this relationship is implicit no attribute represents a relationship between AccountType and AccountAttribute. Instead, an instance of AccountType may simply have attributes that correspond by name to AccountAttributes that the Service. 8 SIMPLEST-domain-model.odt Page 8 of 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information