describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
"Identity Management" and "Access and Identity Management" (or AIM) are used interchangeably in the area of Identity access management while identity management itself falls under the umbrella of IT Security.
Identity management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware and applications.
Technologies, services and terms related to identity management include Active Directory, Service Providers, Identity Providers, Web Services, Access control, Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC.
Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, information that describes information and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources and even appications.
Digital identity is an entitys online presence, encompassing personal identifying information (PII) and ancillary information. It can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing.
Identity management functions
In the real-world context of engineering online systems, identity management can involve three basic functions:
- The pure identity function: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) function: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service function: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
A general model of identity can be constructed from a small set of axioms, for example that all identities in a given namespace are unique, or that such identities bear a specific relationship to corresponding entities in the real world. Such an axiomatic model expresses "pure identity" in the sense that the model is not constrained by a specific application context.
In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.
In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties (attribute values). These properties record information about the object, either for purposes external to the model or to operate the model, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.
The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.
Contrast this situation with properties that might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored, maintained and retrieved, without special treatment by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.
Identity management, then, can be defined as a set of operations on a given identity model, or more generally as a set of capabilities with reference to it. In practice, identity management often expands to express how model contents is to be provisioned and reconciled among multiple identity models.
User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organization to minimize excessive privileges granted to one user. User access can be tracked from initiation to termination of user access.
Organizations continue to add services for both internal users and by customers. Many such services require identity management to properly provide these services. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organizations activities. For internal use identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.
Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.
In addition to creation, deletion, modification of user identity data either assisted or self-service, Identity Management is tasked with controlling ancillary entity data for use by applications, such as contact information or location.
Verification that an entity is who/what it claims to be using a password, biometrics such as a fingerprint, or distinctive behavior such as a gesture pattern on a touchscreen.
Managing authorization information that defines what operations an entity can perform in the context of a specific application. For example, one user might be authorized to enter a sales order, while a different user is authorized to approve the credit request for that order.
Roles are groups of operations and/or other roles. Users are granted roles often related to a particular job or job function. For example, a user administrator role might be authorized to reset a users password, while a system administrator role might have the ability to assign a user to a specific server.
Delegation allows local administrators or supervisors to perform system modifications without a global administrator or for one user to allow another to perform actions on their behalf. For example, a user could delegate the right to manage office-related information.
The SAML protocol is a prominent means used to exchange identity information between two identity domains.