
is there an equivalent of 'entity attribute relationship' model, CRUD matrix and data flow diagram for Identity and Access Management | Identity Lifecycle Management? #121

Open
anwarmahmood1 opened this issue May 11, 2023 · 3 comments

Comments

@anwarmahmood1

anwarmahmood1 commented May 11, 2023

Hello,

Dobbs, G. B., (2021) “IAM Reference Architecture (v2)”, IDPro Body of Knowledge 1(10). doi: https://doi.org/10.55621/idpro.76
...is a great document.

Inevitably showing my age, but in the relational database world, it's possible to 'reduce' a system to an entity attribute relationship (EAR) model, Create | Read | Update | Delete (CRUD) matrix, and data flow diagrams (DFDs).

Is there anything approaching these artefacts to describe an identity system?

I think it's possible to begin with these approaches, but believe they are simply not expressive or comprehensive enough to describe identity systems. But one is required.

So, you'd be able to ask...

  • how is the 'department' field updated? which system receives updates?
  • who is entitled to access the accounts transaction system, but not the invoice reporting system?
  • etc

Are there any tools that we might use?

I've used Forefront Identity Manager (FIM) in the past - many years ago - and I recall there were useful, generic concepts and terminology there. They have somewhat been carried over to SCIM.

A contemporary approach might use a graph database.

[asking here because I think this would be its natural home | starting point]

@anwarmahmood1

I think I'm asking for something building on...

  • X.511 Directory Access Protocol
  • LDAP (RFC4511)
  • DSML

...but a general purpose model at an 'operational | business' layer.

  • closely coupled to the technology,
  • somewhat abstracted away from technology
    • but not so far away that it becomes a theoretical ideal

This would enable me to represent IAM | ILM in a way that makes sense to non-IAM experts.

Does such a thing exist?

@anwarmahmood1

An example.

Information technology service delivery has coalesced around a standardised model, ITIL:

  • incidents
  • problems
  • requests
  • continuous improvement
  • etc

Products like ServiceNow use this model quite closely.

So, I guess what I'm seeking is an equivalent of ITIL but for IAM | ILM.

@gbd-idpro

@anwarmahmood1 It's a fair question. But I am not aware of a successful universal model. At a previous employer, I did build something along these lines for that specific business.

Going much further back I recall being disappointed at the standard fields in the inetOrgPerson schema. That had the further problem that the data structure was not sufficient to handle my needs. Things like how to represent multiple credentials for a single person?

I'm glad you liked the article. If you find or develop something along the lines you are thinking it would be wonderful if you wanted to share it in the body of knowledge by writing out a data model. Even if it is not totally general, someone else might find it useful.

In the meantime you might want to try the Slack channel to see if someone can share a model that worked for their case.
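A concrete sketch of what the thread is asking for, added here as an example and not taken from the IDPro article, the issue author or gbd-idpro: a small entity model for an identity lifecycle, a CRUD matrix keyed by (system, attribute), and a data-flow edge list, with queries that answer the two questions from the opening comment ("how is 'department' updated, and which systems receive it?", "who is entitled to the transactions system but not invoice reporting?") and that model the one-to-many person-to-credential relationship gbd-idpro found missing from inetOrgPerson. Every system name (hr, directory, ticketing, payroll), attribute, entitlement and person below is constructed sample data. Two checks a practitioner would actually run on such a model are included: attributes with more than one updating system (competing authorities), and flows whose target has no corresponding right in the CRUD matrix (data leaving the sanctioned path).

```python
"""Toy entity model, CRUD matrix and data-flow graph for an identity lifecycle.
Added example, not code from the IDPro article or this issue thread; all
systems, attributes, people and entitlements are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Credential:
    """One authenticator bound to a person; hold an identifier, never the secret."""
    kind: str      # e.g. "password", "fido2", "ssh-key"
    cred_id: str


@dataclass
class Person:
    uid: str
    attributes: Dict[str, str]
    credentials: List[Credential] = field(default_factory=list)  # one-to-many
    entitlements: Set[str] = field(default_factory=set)          # entitlement names


# CRUD matrix keyed by (system, attribute); value is the subset of "CRUD" allowed.
# Sample: HR is the single authority for 'department'; others may only read it.
# 'mail' deliberately has two updaters so the conflict check has something to find.
CRUD: Dict[Tuple[str, str], str] = {
    ("hr", "department"): "CRUD",
    ("directory", "department"): "R",
    ("ticketing", "department"): "R",
    ("directory", "mail"): "CRUD",
    ("hr", "mail"): "R",
    ("ticketing", "mail"): "RU",
}

# Data-flow edges (source system, target system, attribute). The last edge pushes
# 'department' into a system that has no CRUD entry for it at all.
FLOWS: List[Tuple[str, str, str]] = [
    ("hr", "directory", "department"),
    ("directory", "ticketing", "department"),
    ("directory", "hr", "mail"),
    ("ticketing", "payroll", "department"),
]


def updaters(attr: str) -> List[str]:
    """Systems whose CRUD entry for attr includes Update."""
    return sorted(s for (s, a), ops in CRUD.items() if a == attr and "U" in ops)


def consumers(attr: str, source: str) -> List[str]:
    """All systems that receive attr from source, directly or transitively."""
    seen: Set[str] = set()
    stack = [source]
    while stack:
        current = stack.pop()
        for src, dst, a in FLOWS:
            if a == attr and src == current and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return sorted(seen)


def authority_conflicts() -> Set[str]:
    """Attributes with more than one updating system: competing authorities."""
    return {a for (_, a) in CRUD if len(updaters(a)) > 1}


def unsanctioned_flows() -> List[Tuple[str, str, str]]:
    """Flows whose target holds no Read right on the attribute in the CRUD matrix."""
    return [f for f in FLOWS if "R" not in CRUD.get((f[1], f[2]), "")]


def entitled_to_but_not(people: List[Person], have: str, lack: str) -> List[str]:
    """People holding entitlement `have` without `lack` (a set difference)."""
    return sorted(p.uid for p in people
                  if have in p.entitlements and lack not in p.entitlements)


def credentials_by_kind(person: Person) -> Dict[str, int]:
    """Count of bound authenticators per kind for one person."""
    counts: Dict[str, int] = {}
    for c in person.credentials:
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


# Constructed sample population.
PEOPLE: List[Person] = [
    Person("alice", {"department": "finance"},
           [Credential("password", "pw-1"), Credential("fido2", "key-a1"),
            Credential("fido2", "key-a2")],
           {"accounts-transactions", "invoice-reporting"}),
    Person("bob", {"department": "finance"}, [Credential("password", "pw-2")],
           {"accounts-transactions"}),
    Person("carol", {"department": "sales"}, [Credential("fido2", "key-c1")],
           {"invoice-reporting"}),
]

if __name__ == "__main__":
    print("updates department:", updaters("department"))
    print("receives department from hr:", consumers("department", "hr"))
    print("competing authorities:", authority_conflicts())
    print("flows not backed by CRUD matrix:", unsanctioned_flows())
    print("transactions but not invoices:",
          entitled_to_but_not(PEOPLE, "accounts-transactions", "invoice-reporting"))
    print("alice's authenticators:", credentials_by_kind(PEOPLE[0]))
```

The CRUD matrix answers "who may change this field", the flow graph answers "where does a change go", and comparing the two is what makes the model useful for review rather than documentation: here it surfaces that 'mail' has two writers and that 'department' reaches payroll by a path nobody granted. A graph database would hold the same three relations (person to credential, system to attribute with CRUD flags, system to system per attribute) as node and edge types, and the transitive consumer query becomes a path traversal.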
