Exploring Generic Identity Management Processes

According to our experience and the reports of the main analysts the definition of processes for the Identity & Access Management (IAM)[1]requires major effort.

Although most corporations regard their processes as unique and individually tailored, a core set of standard processes remains remarkably stable over the majority of examples. Obviously considerable similarities between the processes of different corporations exist.

This situation raises the questions: Why do we always start with a blank sheet of paper? Why " reinvent the wheel" again and again? Shouldn't we instead focus our efforts on the obvious differences and use the common set of standard processes " off the shelf" ?

The NIFIS[2]initiative " GenericIAM" (Generic processes for the Identity & Access Management) was set up with the mission to extract a generic IAM process model from existing IAM processes implemented in major corporations.

However we found that even for the most experienced process modelling experts abstraction and documentation of generic commonalities from enterprise specific solutions following a bottom-up approach turned out to be remarkably difficult.
Based on the assumption that the IAM processes of an enterprise could be described completely by the actions of a limited and manageable number of subjects (actors) on an equally limited number of objects (figure 1), we herewith try to derive a generic model following a seven-step top-down approach.

The 7 steps are …
  1. Identify the fundamental objects which are involved in IAM processes.
  2. Detect the derived objects which describe the relationships of the fundamental objects.
  3. Identify the subjects (actors) who operate on the objects.
  4. Name the elementary actions which …
    • express the actions of the subjects on the objects,
    • express the interactions of the objects, or
    • perform object state transitions.
  5. Detect business events as triggers for processes.
  6. Assemble essential processes by combining the elementary actions to net of flows yielding a meaningful result in business terms.
  7. Complement the essential processes by physical actions (check-, translation- and transport-steps) in order to cope with imperfections of existing implementations.
The intention of this series of posts is to demonstrate how the top-down- and the bottom-up approach combine seamlessly to a self-contained and consistent model.

[1] Identity and access management combines processes, technologies, and policies to manage digital identities and specify how digital identities are used to access resources.
[2] Nationale Initiative für Informations- und Internet-Sicherheit (NIFIS e.V., http://www.nifis.de/)

No comments:

Post a Comment