Note: This is an out-of-context excerpt from work I am doing elsewhere.
This page is one of a series of three:
- IdEAs Business Architecture – Capabilities
- IdEAs – Production Model for Digital Identity
- IdEAs – Identity Information Management
Digital identity services are too complex in many organisations to be regarded as a simple back-office end-to-end system function.
Platform systems and services need to be decomposed into discrete functions with effective operational independence.
In a factored functional business architecture for digital identity services, each function:
- is responsible for a defined business object or activity,
- produces and maintains a set of data objects,
- provides a set of defined services to the other capabilities,
- collaborates with the other functions to produce cross-functional identity services.
Factoring identity services reduces complexity, increases flexibility and scalability, and allows us to better organise the management of technology, processes, skills, responsibilities and budgeting.
Functional modularity allows the production of services that can be composed and tailored in different ways to meet different business requirements.
Services that have been too complex to manage effectively, such as entitlement provisioning, can be composed of simpler services and delivered through the orchestration and coordination of well-defined sub-processes.
Services that are specific to a capability, such as enterprise directory services, can be changed with minimal effect on the other capabilities.
Such a framework also clarifies governance and security requirements. It identifies the business objects, data and services for which each production cycle is responsible. It makes compliance with separation of duties, privacy, and repudiation easier by reducing the data access required to meet production needs.
The Core Functions
Identity Information Management
Identity information management is responsible for the production of identity as a business asset.
It ensures that identity data is accurate, safe, controlled and appropriately available through technical and business services.
It defines the digital identity lifecycle and ensures that digital identity data reliably reflects the current state of each identity holder’s relationship with the organisation.
Entitlement Management
Entitlement management is responsible for the production of access entitlements as a business service.
It discovers and analyses data about identities, identity domains, business roles, organisational affiliations, and application and service roles and privileges. It creates and maintains entitlement packages and access control models that define how identity holders may access resources.
Access Management
Access management develops and maintains the infrastructure that provides authentication and authorisation services in access transactions.
It is also responsible for planning and implementing the access control models and security policies that are inputs for entitlement management.
It implements specialised services such as adaptive access control and versatile authentication services, mobile access services and token translation services.
Identity Analytics
Identity analytics monitors, analyses and reports on the use of identity across the University. It has two distinct areas of responsibility.
It provides business intelligence on the use of identity to ensure that the operation of identity services is aligned to business requirements and to inform planning.
It provides forensic analysis of improper uses of identity and ensures compliance with important governance objectives such as separation of duties, privacy, and repudiation.