Processes of Identity and Access Management

“We create a generic reference business model for identity and access management”

Roles are the organisation

Sat June 30, 2007 Posted by Horst Walther, SIG Software Integration

On one of the expert panels at the 1st European Identity Conference in Munich this spring, densely populated with high-ranking and well-respected experts, I heard one of them say in the middle of a heated discussion: “What is the sense of a role model if, whenever we complete an organisation’s role model and are about to implement it, the organisation has changed considerably in the meantime?”

Well, “that’s real life”, we are tempted to say … but wait a minute! Can this really be true? I remember a second quotation from the same event: “Roles are the DNA of an organisation”, stated Ron Rymon, the founder of the role engineering firm Eurekify.

O.k., if you consider any commercial endeavour a mild form of sparsely ordered chaos, if you run a company merely ad hoc, and if a role model is considered an unnecessarily rigid structure imposed on top of a fluid ecosystem that reinvents itself at every moment – ok, in this case forget about role models.

But what when it comes to automation? Many, if not most, enterprises are now strained by global competition. A manufacturer in Pittsburgh or Gelsenkirchen may compete with one in Chongqing (重庆) or Poona, where at least the labour costs are dramatically lower. One can imagine that, besides dirty political tricks, it may take some innovation and automation to succeed on this battlefield.

But what is automation? In order to automate an organisation you need to express it in a formal way, so that it can be processed by machines or - more often - in a blended fashion by machines and humans. You need to formally document your policies and rules, processes and roles in a complete, consistent and machine-readable way. Only then can they be applied repeatedly by the processors mentioned above.

Considering this scenario, how can the organisation have changed while the role model is still being controversially discussed? No way! The roles are the organisation, or at least an important part of it.

What is identity?

Wed March 7, 2007 Posted by Horst Walther, SIG Software Integration

What is identity? What a boring question, you might think. Hasn’t it been answered for centuries? Well, one might think so.

Considering the Gartner Hype Cycle, a couple of technologies and practices (Federated Identity Management, Microsoft Active Directory/Kerberos, User Provisioning, Metadirectories, Smart Tokens) are climbing out of the "Trough of Disillusionment". Some (Enterprise Single Sign-On, Web Access Management, Hardware Tokens, Password Management) have happily reached the "Plateau of Productivity". Identity Management as a whole is maturing, it appears to us.

So what is identity after all? In philosophy it is the sameness of two things. So if two things have the same identity they must be considered as one thing. In object-oriented programming we consistently apply this concept of identity. Here it is defined as a property of objects that allows those objects to be distinguished from each other. In an OO system the OID (Object Identifier) is defined to be unique.

But within the very discipline that is built on top of the concept of identity, our perception is not so clear. Looking up the first book on digital identity, written by Phil Windley, we read sentences like: “We usually speak of identity in the singular, but in fact subjects have multiple identities.” or “These multiple identities or personas, as they are sometimes called, …”. Oops, persona, what is this? Obviously, according to Phil Windley’s definition, it is the same as a digital identity.

Dave Kearns once asked the readers of his newsletter: “And what’s the sum of all these personas?” As Andre Durand of PingID suggested, that’s the identity. But not the digital one? Hmmm.

Coming bottom up, we might argue that several access rights may be bundled into a role. For example, in my company, the SiG, I have the role of being my own principal consultant, the role of being the president and, well, that’s true, the most important (and only) shareholder. The sum of all my business roles forms my business persona. But going further I have to admit that I not only flesh out my business persona but - rarely enough - my family persona, my globetrotter persona, etc.

So, what’s the sum of all these personas? Some kind of virtual unified identity, or just “my identity”? And are those personas to be understood as its projection onto the space of information demand in a specific context?

So if the identity is not just the OID, the object ID, a universally unique identifier that makes different individuals indisputably different, it could be this unification of all our digital identities.
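The bottom-up argument above (rights bundle into roles, roles into a persona, personas into one identity keyed by an OID) can be written down as a small data model. The following is an added example, not code from the post or from SiG; the role names, permission strings and the OID value are constructed for illustration. The security-relevant point it makes explicit is that an access check is scoped to the persona active in the current context, so the rights of the business persona are not usable while acting in the family context, and an unknown context projects to no rights at all.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A named bundle of access rights ('several access rights may be bundled into a role')."""
    name: str
    permissions: frozenset[str]


@dataclass
class Persona:
    """The identity as seen in one context: the roles held there and nothing else."""
    context: str
    roles: list[Role] = field(default_factory=list)

    def permissions(self) -> frozenset[str]:
        # Union of the rights granted by every role of this persona.
        return frozenset().union(*(role.permissions for role in self.roles))


@dataclass
class Identity:
    """The unification of all personas, keyed by a unique object identifier (OID)."""
    oid: str
    personas: dict[str, Persona] = field(default_factory=dict)

    def add_persona(self, persona: Persona) -> None:
        # One persona per context keeps the projection unambiguous.
        if persona.context in self.personas:
            raise ValueError(f"persona for context {persona.context!r} already exists")
        self.personas[persona.context] = persona

    def project(self, context: str) -> frozenset[str]:
        """Rights effective in one context: the persona's rights only.
        An unknown context projects to the empty set (deny by default)."""
        persona = self.personas.get(context)
        return persona.permissions() if persona is not None else frozenset()

    def all_permissions(self) -> frozenset[str]:
        """The 'sum of all personas': every right the identity holds anywhere."""
        return frozenset().union(*(p.permissions() for p in self.personas.values()))

    def is_permitted(self, context: str, permission: str) -> bool:
        """Access check scoped to the active persona (least privilege per context)."""
        return permission in self.project(context)


def build_sample_identity() -> Identity:
    """Constructed sample mirroring the post: three business roles, one family role."""
    consultant = Role("principal-consultant", frozenset({"read:client-files", "write:reports"}))
    president = Role("president", frozenset({"sign:contracts", "approve:budget"}))
    shareholder = Role("shareholder", frozenset({"vote:shareholder-meeting"}))
    parent = Role("parent", frozenset({"read:family-calendar"}))

    me = Identity(oid="oid-0001")  # constructed identifier, not a real OID
    me.add_persona(Persona("business", [consultant, president, shareholder]))
    me.add_persona(Persona("family", [parent]))
    return me


if __name__ == "__main__":
    me = build_sample_identity()
    for ctx in ("business", "family", "globetrotter"):
        print(ctx, sorted(me.project(ctx)))
    print("unified:", sorted(me.all_permissions()))
```

Running the block prints the projection of the same identity into three contexts; the globetrotter persona was never defined, so it projects to nothing, while the unified view lists all six rights.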

Perhaps this view will become more common when biometrics finally arrive, as biometric identification will always refer to the (unique) physical identity.

By the way - in the context of certificates you can find the following statement in the same book by Phil Windley: “Free certificates from Thawte are not very useful in establishing your identity, because Thawte doesn’t do anything to verify the identity of the requester”. He obviously has yet another kind of identity in mind when he points out this missing verification – the real-world physical identity.

So what is identity? First I thought the answer was easy – but it is not.

At least there is still one commonly understood term missing.