IDPros / bok

This is a public comment environment for the IDPro body of knowledge.

Is there an equivalent of the 'entity attribute relationship' model, CRUD matrix and data flow diagram for Identity and Access Management | Identity Lifecycle Management? #121

Open anwarmahmood1 opened 1 year ago

anwarmahmood1 commented 1 year ago

Hello,

Dobbs, G. B., (2021) “IAM Reference Architecture (v2)”, IDPro Body of Knowledge 1(10). doi: https://doi.org/10.55621/idpro.76 ...is a great document.

Inevitably showing my age, but in the relational database world, it's possible to 'reduce' a system to an entity attribute relationship (EAR) model, Create | Read | Update | Delete (CRUD) matrix, and data flow diagrams (DFDs).

Is there anything approaching these artefacts to describe an identity system?

I think it's possible to begin with these approaches, but believe they are simply not expressive or comprehensive enough to describe identity systems. But one is required.

So, you'd be able to ask...

Are there any tools that we might use?

I've used Forefront Identity Manager (FIM) in the past - many years ago - and I recall there were useful, generic concepts and terminology there. They have somewhat been carried over to SCIM.

A contemporary approach might use a graph database.

[asking here because I think this would be its natural home | starting point]

anwarmahmood1 commented 1 year ago

I think I'm asking for something building on...

...but a general purpose model at an 'operational | business' layer.

This would enable me to represent IAM | ILM in a way that makes sense to non-IAM experts.

Does such a thing exist?

anwarmahmood1 commented 1 year ago

An example.

Information technology service delivery has coalesced around a standardised model: ITIL.

Products like ServiceNow use this model quite closely.

So, I guess what I'm seeking is an equivalent of ITIL but for IAM | ILM.

gbd-idpro commented 1 year ago

@anwarmahmood1 It's a fair question. But I am not aware of a successful universal model. At a previous employer, I did build something along these lines for that specific business.

Going much further back I recall being disappointed at the standard fields in the inetOrgPerson schema. That had the further problem that the data structure was not sufficient to handle my needs. Things like how to represent multiple credentials for a single person?

I'm glad you liked the article. If you find or develop something along the lines you are thinking it would be wonderful if you wanted to share it in the body of knowledge by writing out a data model. Even if it is not totally general, someone else might find it useful.

In the meantime you might want to try the Slack channel to see if someone can share a model that worked for their case.
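As an added illustration (not from the BoK article, the thread, or any IDPro model), here is what a minimal EAR model plus CRUD matrix for identity lifecycle management could look like: entities with the one-person-to-many-credentials cardinality the thread says a flat inetOrgPerson record cannot express, a matrix of which lifecycle actor may create, read, update or delete each entity, and a completeness check that surfaces lifecycle gaps such as credentials nobody is responsible for deleting. Entity names, actor names and the grants are assumptions for the sketch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Entities of a small identity lifecycle model (illustrative names, not from the BoK).
@dataclass
class Credential:
    kind: str          # "password", "fido2", "x509", ...
    identifier: str    # key handle, certificate serial, ...

@dataclass
class Account:
    system: str
    username: str
    entitlements: List[str] = field(default_factory=list)

@dataclass
class Person:
    person_id: str
    # one person -> many credentials and many accounts: the cardinality a
    # single flat directory record struggles to express
    credentials: List[Credential] = field(default_factory=list)
    accounts: List[Account] = field(default_factory=list)

ENTITIES = ("Person", "Account", "Credential", "Entitlement")
OPS = "CRUD"

# CRUD matrix: which lifecycle actor may Create/Read/Update/Delete which entity.
# Actor names and grants are constructed for the example; note that no actor is
# granted 'D' on Credential, a deliberate gap the check below should surface.
CRUD_MATRIX: Dict[str, Dict[str, str]] = {
    "hr_feed":      {"Person": "CRUD"},
    "jml_process":  {"Person": "R", "Account": "CRUD", "Entitlement": "CD"},
    "approver":     {"Entitlement": "RU"},
    "helpdesk":     {"Person": "R", "Credential": "CR"},
    "self_service": {"Person": "R", "Credential": "CRU"},
}

def allowed(actor: str, op: str, entity: str) -> bool:
    """Least-privilege check: only operations explicitly granted in the matrix pass."""
    return op in CRUD_MATRIX.get(actor, {}).get(entity, "")

def lifecycle_gaps(matrix: Dict[str, Dict[str, str]] = CRUD_MATRIX) -> List[Tuple[str, str]]:
    """Return (entity, op) pairs that no actor may perform.
    A missing 'D' is the classic leaver gap: objects that are never removed."""
    covered: Set[Tuple[str, str]] = set()
    for grants in matrix.values():
        for entity, ops in grants.items():
            covered.update((entity, op) for op in ops)
    return [(e, op) for e in ENTITIES for op in OPS if (e, op) not in covered]
```

Running `lifecycle_gaps()` on the sample matrix reports that credential deletion has no owner, which is exactly the kind of question a CRUD matrix makes visible to non-IAM stakeholders.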