The basis for all actions concerning a digital identity is the identity lifecycle. Based on events in the lifecycle of a digital identity, workflows are started, approvals are requested, rights are granted or revoked and people involved are informed. Without this solid basis, it is difficult to obtain full control over access and there is no ‘identity trust’ (see our vision: vision on security).
Account & role provisioning
The most important part of the identity lifecycle is the issuing and revoking of accounts and rights. On the basis of data linked to the digital identity, such as start and end date, place of organisation or location, accounts are created and rights set at the right time in the underlying target systems, or rights are revoked and accounts blocked.
Role model
In order to determine what the ‘right’ rights are, there is a role model. This model contains the rules on the basis of which a right is granted or withdrawn. This can be done fully automatically on the basis of predetermined rules and/or with the help of approval by managers, for example. How the model is set up depends on the needs of the organisation.
Self service
In order to influence one’s own digital identity and its life cycle, a self-help page is often made available that allows people to view their own digital identity and adjust a number of attributes. The minimum is the ability to change one’s own password, but other attributes such as address, location, task or name may also be involved.
Business rule management
Business rule management gives the organisation the possibility to control the role model and the composition of things like user name, e-mail address and password on the basis of rules that are understandable for the organisation. This should therefore be seen as a portal on the IAM system that converts functional input into technical rules. For example: ’everyone with a company car has access to the car park’. This rule is translated into: all identities that have the value ‘yes’ for the attribute ‘company car’ get access to the parking garage from the day with the same value as their attribute ‘start date’ from the location from their attribute ‘parking place’ in the access control system configured for that location’, etc.
Delegate authorisation management
Not all business rules can be assessed without human intervention. For such decisions, an authorised person is asked to make the decision.
Request access
A part of self-service is often that people can request access themselves. Behind this, there is the role model to determine which rights this person can request, the delegated authorisation management which ensures that the right people grant permission for this and the provisioning to actually implement it.
Back to Modiam
