GS.Identity+Permission Management

From OIAr


This is a Generic Service document.
GS Identity & Permission Management
Version: 0.1
Document type: Generic Service
Owner: J.A.H. Schoonderbeek


Description

This service maintains the propagation and consistency of the digital identities and digital permissions that are recognized within the organization. Ideally, only a single Identity & Permission Management service is active in the organization, and it cooperates with all the Authentication & Authorization (A&A) services.

Identity management

This service provides the following identity-related sub-services:

  • Providing new digital identities to instances of A&A services when the circumstances call for it (either an eligible new identity presents itself, or an existing identity becomes eligible), including all accompanying identity attributes that are used in that particular A&A service instance;
  • Providing new digital groups to instances of A&A services that are going to be involved with Role Based Access Control under that A&A service's authority;
  • Directing A&A services to change the group membership of a digital identity to reflect a change in roles;
  • Conveying the effects of a change in business rules to the relevant aspects of the digital identities under an affected A&A service;
  • Propagating an update to a digital identity's attribute, made under the A&A service that is deemed authoritative for that attribute, to all A&A services that hold that same identity and attribute;
  • Directing A&A services to disable or remove an identity as soon as that identity's eligibility for an account in that particular A&A service ends, or the digital identity is disabled or removed from an authoritative A&A service;
  • Resolving conflicts in account information between different A&A services.

Permission management

This service provides the following permission-related sub-services:

  • Directing an A&A service to create or update the necessary permissions associated with a digital resource when a digital identity becomes eligible to use that resource;
  • Directing an A&A service to update or remove the relevant permissions associated with a digital resource when a digital identity loses eligibility to use that resource;
  • Resolving conflicts between the permissions a specific A&A service has actually assigned to a digital identity (or not) and the permissions that should be granted to it (or not).
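The identity and permission sub-services listed above describe one reconciliation loop: take the authoritative record, push provisioning, attribute, group and permission changes out to every A&A service, and revoke whatever no longer matches. The following is an added example written for this page; it is not OIAr's code and does not come from any A&A product. The service names, identities, eligibility rule and resource names are all constructed, and the split into an organization-wide directory (the IdM's own record) and per-service accounts is an assumption made for illustration.

```python
"""Identity & Permission Management as a reconciliation loop (added example).

A single IdM service holds the organization's directory of identities and drives
several A&A services toward the state that directory implies: provisioning,
attribute propagation from the authoritative service, group membership for RBAC,
disabling on loss of eligibility, and revoking permission grants that conflict
with what should be granted. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Identity:
    """Master record of one digital identity in the organization's directory."""
    uid: str
    attributes: dict[str, str]
    roles: set[str]
    enabled: bool = True


@dataclass
class Account:
    """The copy of an identity that one A&A service holds."""
    uid: str
    attributes: dict[str, str]
    enabled: bool = True


@dataclass
class AAService:
    """One Authentication & Authorization service under the IdM's direction."""
    name: str
    authoritative_for: set[str]              # attributes this service is the source of truth for
    eligible: Callable[[Identity], bool]     # may this identity hold an account here?
    role_groups: dict[str, str]              # role name -> local group name (RBAC)
    resource_roles: dict[str, set[str]]      # resource -> roles that should grant access
    accounts: dict[str, Account] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)        # group -> member uids
    permissions: dict[str, set[str]] = field(default_factory=dict)   # resource -> granted uids


def reconcile(directory: dict[str, Identity], services: list[AAService]) -> list[str]:
    """Bring every A&A service in line with the directory; return the actions taken."""
    actions: list[str] = []

    # 1. Pull authoritative attribute updates into the master record; disable orphans.
    for svc in services:
        for uid, acct in svc.accounts.items():
            master = directory.get(uid)
            if master is None:                       # account with no identity behind it
                if acct.enabled:
                    acct.enabled = False
                    actions.append(f"{svc.name}: disable orphan {uid}")
                continue
            for attr in svc.authoritative_for:
                if attr in acct.attributes and acct.attributes[attr] != master.attributes.get(attr):
                    master.attributes[attr] = acct.attributes[attr]
                    actions.append(f"{svc.name}: authoritative {attr} for {uid} -> {acct.attributes[attr]}")

    # 2. Provision, disable, propagate attributes and mirror roles into groups.
    for uid, ident in directory.items():
        for svc in services:
            eligible = ident.enabled and svc.eligible(ident)
            acct = svc.accounts.get(uid)
            if eligible and acct is None:
                acct = svc.accounts[uid] = Account(uid, dict(ident.attributes))
                actions.append(f"{svc.name}: provision {uid}")
            elif not eligible and acct is not None and acct.enabled:
                acct.enabled = False                 # eligibility ended: disable, keep for audit
                actions.append(f"{svc.name}: disable {uid}")
            if acct is None:
                continue
            for attr, value in ident.attributes.items():
                if acct.attributes.get(attr) != value:
                    acct.attributes[attr] = value
                    actions.append(f"{svc.name}: update {attr} of {uid}")
            for role, group in svc.role_groups.items():
                members = svc.groups.setdefault(group, set())
                should_be_member = eligible and role in ident.roles
                if should_be_member and uid not in members:
                    members.add(uid)
                    actions.append(f"{svc.name}: add {uid} to {group}")
                elif not should_be_member and uid in members:
                    members.discard(uid)
                    actions.append(f"{svc.name}: remove {uid} from {group}")

    # 3. Permission conflicts: actual grants per resource versus the grants that should exist.
    for svc in services:
        for resource, roles in svc.resource_roles.items():
            expected = {uid for uid, ident in directory.items()
                        if ident.enabled and svc.eligible(ident) and ident.roles & roles}
            actual = svc.permissions.setdefault(resource, set())
            for uid in sorted(expected - actual):
                actual.add(uid)
                actions.append(f"{svc.name}: grant {uid} on {resource}")
            for uid in sorted(actual - expected):    # stale or never-authorized grants
                actual.discard(uid)
                actions.append(f"{svc.name}: revoke {uid} on {resource}")
    return actions


def build_sample() -> tuple[dict[str, Identity], list[AAService]]:
    """Constructed scenario: a department change, a leaver, and a stray grant."""
    directory = {
        "alice": Identity("alice", {"email": "alice@example.test", "dept": "finance"}, {"finance-analyst"}),
        "bob":   Identity("bob",   {"email": "bob@example.test",   "dept": "it"},      {"sysadmin"}),
        "carol": Identity("carol", {"email": "carol@example.test", "dept": "finance"}, {"finance-analyst"},
                          enabled=False),            # carol has left the organization
    }
    hr = AAService("hr", authoritative_for={"dept"}, eligible=lambda i: True, role_groups={}, resource_roles={})
    hr.accounts = {
        "alice": Account("alice", {"email": "alice@example.test", "dept": "finance"}),
        "bob":   Account("bob",   {"email": "bob@example.test",   "dept": "finance"}),  # HR moved bob to finance
        "carol": Account("carol", {"email": "carol@example.test", "dept": "finance"}),
    }
    fin = AAService("finance-app", authoritative_for=set(),
                    eligible=lambda i: i.attributes.get("dept") == "finance",
                    role_groups={"finance-analyst": "ledger-readers"},
                    resource_roles={"ledger": {"finance-analyst"}})
    fin.accounts = {
        "alice": Account("alice", {"email": "alice@example.test", "dept": "finance"}),
        "carol": Account("carol", {"email": "carol@example.test", "dept": "finance"}),
    }
    fin.groups = {"ledger-readers": {"alice", "carol"}}
    fin.permissions = {"ledger": {"alice", "carol", "dave"}}   # "dave" was granted out of band
    return directory, [hr, fin]


if __name__ == "__main__":
    directory, services = build_sample()
    for action in reconcile(directory, services):
        print(action)
```

Running the sample pulls bob's new department from the authoritative HR service, provisions him into the finance application, disables carol everywhere and drops her group membership and ledger grant, and revokes the grant for "dave", who has no identity in the directory at all. A second `reconcile` call returns no actions, which is the property to check for in a real implementation: the loop must converge rather than keep flapping between A&A services that disagree.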

Generic Pattern realizing this Generic Service

There are no Pattern Definitions available in this repository that refer to this Service Definition.