Identity Management – It’s all in the Source

This is the third post in my series:

The basic principles of Identity Management and Cloud adoption


We start at the beginning – The Source of our Identity.

Identity Management systems require a number of basic building blocks to apply and automate corporate policies and procedures for account access, authentication and authorisation. We first need to start at where the Identities originate from – The Source.

Corporate entities will look for a specific application that contains all staff data to be the source of truth for staff identities. In many cases organisations expand this to include casual staff, contractors and volunteers (non-paid casuals). What was typically known as the Human Resources department captured all the data relevant to staff and other identities engaged by the company, so it is a natural fit to extend this database of staff identities to become the Source of Truth for the organisation's identity foundation. There have been cases where particular HR departments have shied away from this responsibility: the additional overhead of keeping the identity information up to date for every staff member can be considerable. This capability can be delegated, though, with many if not all HR / HCM systems providing Employee Self Service (ESS) functionality that allows individuals to update their own details.

Unfortunately, no single system fills a similar role in the consumer world, so a considerably different model is needed when managing identities across the World Wide Web and the many applications we use as consumers. Hence the earlier reference to Facebook: so many people use it that it is fast becoming the identity store we can almost always guarantee someone has an account in.

In the corporate environment we can start our journey to manage identities at the HR system, considered our Source of Truth or the Authoritative Source for staff identities. Some organisations require additional sources of truth for other identity types, such as students in an education environment, where the Student Management System may be the authoritative source for that information.

Other applications can be used to augment the identity data in the HR system with additional information, such as the email address from the email system, the phone number from the telecommunications system, or even security pass information from the building security system, where these applications are integrated.

Many organisations will use their authentication directory as a source of truth. This is a mistake: a source of truth needs to be actively managed and accurate, and the directory is fed from other systems rather than managed as a record of truth. The authentication domain may be the identity vault, combining or augmenting each of the sources to provide a single view of the identity, but it is not the source of truth for any specific attribute, because it can never be the highest authority for, say, the email address. A source of truth for an attribute must be the system that no other system outranks for that data.
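The two paragraphs above describe an identity vault that takes each attribute only from the system that is authoritative for it, and a directory that merely holds copies. The following Python is an added example, not code from the original post: it assumes a constructed per-attribute authority map (`AUTHORITY`) and constructed records from hypothetical HR, mail, telecom and directory systems, merges them into a vault view, and reports every place where a non-authoritative system (including the directory) holds a different value, so that drift can be detected and corrected rather than silently trusted.

```python
"""Attribute-level authoritative sources for an identity vault (added example).

Each attribute is owned by exactly one source system. The vault view takes the
value only from that owner; any other system holding a different value is
reported as a conflict, which is what makes a directory-as-source-of-truth
setup visible as a problem rather than an invisible one.
"""
from dataclasses import dataclass

# Constructed policy: which system is the highest authority for each attribute.
# A real organisation would derive this from its own system landscape.
AUTHORITY = {
    "employee_id": "hr",
    "given_name": "hr",
    "surname": "hr",
    "status": "hr",
    "email": "mail",        # the mail system, not HR or the directory, owns the address
    "phone": "telecom",
    "badge_id": "building", # building security system
}


@dataclass(frozen=True)
class Conflict:
    """A non-authoritative system disagrees with the owner of an attribute."""
    attribute: str
    authoritative_source: str
    authoritative_value: object
    other_source: str
    other_value: object


def build_vault_view(records):
    """Merge per-source records for one person into a single vault view.

    records: {source_name: {attribute: value}}.
    Returns (merged, conflicts). An attribute is set only if its authoritative
    source supplies it; a lower-authority value never fills the gap.
    """
    merged = {}
    conflicts = []
    for attr, owner in AUTHORITY.items():
        if owner not in records or attr not in records[owner]:
            continue  # owner has no value: leave unset rather than trust another system
        value = records[owner][attr]
        merged[attr] = value
        for source, data in records.items():
            if source != owner and attr in data and data[attr] != value:
                conflicts.append(Conflict(attr, owner, value, source, data[attr]))
    return merged, conflicts


def stale_directory_attributes(records, directory="directory"):
    """Attributes where the directory copy differs from the authoritative value."""
    _, conflicts = build_vault_view(records)
    return sorted(c.attribute for c in conflicts if c.other_source == directory)


# Constructed sample: one person as seen by four systems. HR still carries an
# old email address, and the directory has a stale phone number.
SAMPLE = {
    "hr": {"employee_id": "E1001", "given_name": "Alex", "surname": "Ng",
           "status": "active", "email": "alex.ng@example.com"},
    "mail": {"employee_id": "E1001", "email": "a.ng@example.com"},
    "telecom": {"employee_id": "E1001", "phone": "+61 2 5550 0000"},
    "directory": {"employee_id": "E1001", "email": "alex.ng@example.com",
                  "phone": "+61 2 5550 9999", "status": "active"},
}

if __name__ == "__main__":
    view, issues = build_vault_view(SAMPLE)
    print("vault view:", view)
    for c in issues:
        print(f"conflict on {c.attribute}: {c.other_source}={c.other_value!r} "
              f"but {c.authoritative_source}={c.authoritative_value!r}")
    print("stale in directory:", stale_directory_attributes(SAMPLE))
```

Run as written, the vault view takes the email from the mail system and the phone from the telecom system, leaves `badge_id` unset because no building system record exists, and lists three conflicts: HR's old email, the directory's copy of that old email, and the directory's stale phone number. Had the directory been treated as the source of truth, both stale values would have been propagated instead of flagged.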

In my experience in the corporate world, this typically relates to the HR system.

We will next look at the Identity Vault.

Martin Klein

