Bernhard Findeiss
Friday May 16th, 2008

The basics of account management

In my last blog post (see here), I introduced a classification of IdM-Systems based on the FIDIS model.

Based upon this classification, I now want to talk a little more about the basics of type-1 identity management (aka “account management”): what is it, and what are the main challenges and difficulties?

Next time, I will explain why it is worth doing, and sometimes even mandatory.

By the way, this blog post is based upon a talk I gave last year at one of InterFace AG’s “blue Fridays”. If someone is interested in the slides, or wants me to repeat the talk, feel free to contact me at .

As mentioned in the last post, account management can be defined as the consistent administration of identities, and their access to (IT-) resources of an organisation during their entire life cycle.

This includes:

- Persons, e.g. employees and external consultants, but also technical objects as long as they need access to resources (for example printers that send automated status emails).
- Storage of identity-based data (mostly supplied by HR systems).
- Transfer of data to target systems, e.g. to create accounts and to assign and/or revoke access rights, but also to synchronise data between the IDM system and the target system. The number and nature of target systems significantly contributes to the complexity of IDM projects, by the way.
- Support for the workflows needed in everyday (corporate) life, like creation/editing/deletion of identities, assignment/revocation of resources, role definition etc.

Account management is not a new topic for most organisations. In fact, it has existed for as long as access-controlled (IT-) resources have existed in an organisation.

Until now, however, most of the work has been done manually by specialised administrators. Of course, this is very expensive and time consuming, and it also involves a much higher error rate compared to doing it automatically via an IDM system.

Also, there is the problem of data synchronisation and consistency. Access to all of a user’s IT systems should be based on the same set of identity data. This data is not immutable, however, but changes over the course of time (through marriage, relocation etc.). Keeping identity data consistent in all IT systems can therefore be quite a challenge, e.g. when two systems contradict each other.

To solve this problem, directory services were introduced (starting in the 1990s). They gather all individual-related data and make it available through a standardised interface (with LDAP being the one most used). This directory is then defined as “leading” with respect to identity data. All other systems then synchronise only with this directory, which eliminates the problem of data inconsistency.

Unfortunately, it became clear that even directories could not solve all problems. Not all IT systems support the externalisation of identity data, and for some systems (like HR) it might even be undesirable to do so.

By the use of an identity management system, however, even this situation can be managed:

Now, all systems may keep control of their data. Only relevant changes are propagated to the IDM system. The IDM system then manages synchronisation with all other affected systems in the organisation.

Here too, data consistency throughout the organisation can be guaranteed.
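As an added illustration (not code from the original post or from InterFace AG), the following Python sketch models the hub just described: an HR feed acts as the leading source, two hypothetical target systems keep their own copies of identity data, and one reconciliation pass computes which changes the IDM system must propagate, including the leaver account and the orphan account that manual administration tends to miss. All systems, names, ids and the per-target role rule are constructed for the example.

```python
# Added example, not from the original post; all systems, names and ids are constructed.
ATTRS = ("name", "dept")  # identity attributes every target must keep in sync

# The "leading" source, e.g. an HR feed. u1002 moved to Sales, u1003 has left.
HR_SOURCE = {
    "u1001": {"name": "Anna Meier", "dept": "Finance", "status": "active"},
    "u1002": {"name": "Ben Schulz", "dept": "Sales", "status": "active"},
    "u1003": {"name": "Carla Weber", "dept": "Sales", "status": "left"},
}

# Target systems that keep their own copy of identity data (constructed state).
TARGETS = {
    "mail": {
        "u1001": {"name": "Anna Meier", "dept": "Finance"},
        "u1002": {"name": "Ben Schulz", "dept": "IT"},      # stale department
        "u1003": {"name": "Carla Weber", "dept": "Sales"},  # leaver still present
    },
    "crm": {
        "u1003": {"name": "Carla Weber", "dept": "Sales"},  # leaver still present
        "u1004": {"name": "Dave Klein", "dept": "Sales"},   # unknown to HR: orphan
    },
}

# Per-target role rule: who should hold an account there at all.
ENTITLED = {
    "mail": lambda rec: True,                   # every active identity gets mail
    "crm": lambda rec: rec["dept"] == "Sales",  # CRM is for Sales only
}


def reconcile(source, targets, entitled):
    """Return, per target system, the ordered actions the IDM hub must propagate."""
    actions = {}
    for system, accounts in targets.items():
        todo = []
        for uid, rec in source.items():
            should_exist = rec["status"] == "active" and entitled[system](rec)
            if uid in accounts and not should_exist:
                todo.append(("revoke", uid))            # leaver or lost entitlement
            elif uid not in accounts and should_exist:
                todo.append(("create", uid))            # joiner or new entitlement
            elif should_exist:
                diff = {k: rec[k] for k in ATTRS if accounts[uid].get(k) != rec[k]}
                if diff:
                    todo.append(("update", uid, diff))  # mover: data has drifted
        # Accounts with no owner in the leading source: nobody knows them, so nobody revokes them.
        for uid in accounts:
            if uid not in source:
                todo.append(("orphan", uid))
        actions[system] = todo
    return actions
```

Running `reconcile(HR_SOURCE, TARGETS, ENTITLED)` yields an update and a revocation for the mail system, and a creation, a revocation and an orphan finding for the CRM; the orphan is the case a reviewer should look at first, because no leading record will ever trigger its removal.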

This is only one of the advantages of an IDM system. I will mention more advantages in my next article.
