IGA Capability: Identity Lifecycle Management

Last modified 06 Sep 2021 11:17 +02:00

Alternative names

  • Lifecycle management

  • Identity lifecycle

Identity Lifecycle Management Functions

  • Identity lifecycle state model. Maintenance of identity state (candidate, active, archived), management of state transitions (on-boarding, off-boarding), handling user registration, profile maintenance and data erasure.

  • Maintenance of identity attributes. Maintenance of identity model, schema and structure of identity attributes.

  • Identifier management. Assignment of identifiers to identities, validation of the identifiers, maintenance of uniqueness constraints.

  • Credential management. Management of passwords and other credentials, cryptographic keys, biometric information and so on.

  • Support for diverse identity types. Supporting both person and non-person identities, allowing several identity types with separate lifecycles and policies.

  • Organizational structure. Maintenance of information regarding organizational units and their structure. Managing assignment of identities in the organizational units.

  • Personas. Support for alternative identities of a person or other entity. Maintenance of relationship between personas representing the same entity.

Overview

Identity lifecycle management deals with maintenance of digital identities. It maintains state of digital identities through various lifecycle changes, such as creation, modification, archival and deletion. Digital identities are usually complex data structures, composed of numerous attributes. The structure of identity data and its relationship with other identity-related objects is specified by an identity model. Identity lifecycle management is responsible for maintaining identity model, keeping the attributes structured and consistent. This includes management of identifiers, including creation and validation of unique identifier values. Identity lifecycle management may include management of credentials, such as passwords and multi-factor authentication cryptographic material.

Lifecycle state model is often used to manage identity lifecycle. An identity is transitioned through a set of lifecycle states such as candidate, active, deprecated and archived. Transitions in the state model are known by "business" names such as "on-boarding" (user joining organization), "off-boarding" (user leaving organization). Such state transitions are often more complicated than it may seem, such as "re-boarding" (user joining an organization that she/he previously left) where identifier re-use is often desired. For example, retirement process is often seen as a one-way process similar to archival. However, there are cases of retirees re-joining the organization, which has to be handled in a special way. Then there are business-related use cases that also require special handling, such as maternal leave, sabbatical, long-term leave of absence and so on. Identity lifecycle is often bound to policies and fulfilment actions, creating functionality such as pre-provisioning of accounts for new employee, delayed delete of accounts, erasure of data on archival due to data protection regulations, and so on. Self-service registration (creation of identity record), self-service delete (user-initiated account delete) and similar events are also part of identity lifecycle management.

IGA systems deal with many identity types (a.k.a. classes or archetypes). The most important identity types are usually person identities, such as employees, students, customers and citizens. However, comprehensive IGA systems must routinely deal with non-person identity types as well, such as services, applications, organizations, devices and "things". Each identity type may have its own characteristics, such as attributes, policies and lifecycle states. Such variation is used to implement various operation modes, such as business-to-employee (B2E), business-to-business (B2B) or business-to-consumer/citizen (B2C). Usual identity types include:

  • Person identities (users):

    • Employees or staff. People that are employed in your organization. Such identities usually have mid-term or long-term lifecycle.

    • External workers, contractors. People that work for your organization, yet they do not have full employment status. Such identities usually have shorter lifecycle.

    • Consumers. Users of products that we are producing. Individual customers buying the products or using our services. Large volume of identities is often expected. Maintenance of identity profile largely relies on self-service.

    • Citizens. Citizens of a state or municipality. Large volume of identities is often expected. Maintenance of identity profile often relies on government-maintained registries.

    • Students. Students of a school, university or similar organization. Medium to large volume of identities is expected. Maintenance of identity information is usually a combination of authoritative data and user-provided data. On-boarding/off-boarding is usually annual, in large batches.

    • Retirees/alumni. Employees, students and other persons that were affiliated with your organization in the past. These identities are still managed due to legal requirements (retirees) and/or other reasons such as community-building. Retirees/alumni are usually identities with very low interaction intensity. Such identities are usually "converted" from employees, students or similar identities at the end of their regular lifecycle.

    • Community. People that expressed interest in the activities of your organization, such as fans and volunteers. Community identities are usually self-registered, maintaining their user profile using a self-service user interface.

    • Suppliers, support staff, employees of supplier/partner organizations. People that work for other organizations, having contractual obligations to provide a service to your organization. They require access to your systems to do their work. Such identities are usually enrolled by designated staff in your organization, based on the contract. Supplier identities are sometimes linked to a sponsor, an internal identity (employee) that is responsible for maintenance of supplier identity.

  • Non-person identities:

    • Applications, including cloud services. Software system that store and process data, especially identity data.

      Note: application is not the same thing as target/source system (identity resource). IGA platform may not need a direct connection to an application. Application can be hidden behind a directory (LDAP, Active Directory) or an identity provider. Yet, IGA platform still needs to maintain application identity, e.g. for entitlement ownership management.

    • Devices and "things". Mobile devices, printers, smart building components and other "things" usually store important data and need access to data.

    • Organizational units such as divisions, departments, sections, but also teams, projects and ad-hoc workgroups. Organizational structure is almost always essential component of policies. Therefore almost every IGA deployment needs to maintain organizational identities and structures. Some organizational identities are hierarchical (divisions, departments, sections), some of them are flat (teams, projects). Ideally, organizational identities should be synchronized from an authoritative data source. However, such source is not always available, therefore the identities are maintained manually in IGA platform.

    • Partner/customer organizations. There are many interactions between organizations in business that need to be managed. While organization-to-organization relationship is often maintained for a long-term, people in the organizations may change. Therefore there is often a delegated administration scheme for maintenance of user identities in partner organizations.

    • Entitlements. Entitlements are sometimes managed as first-class identities. For example, application roles may be synchronized with Active Directory groups, efficiently handling the groups as "identities".

Complex identity models may include concept of personas, an alternative representation of a person designed for use in a specific context.

Partial management of organizational structure may be included in identity lifecycle management. Although organizational structure management is not a responsibility of identity governance and administration per se, policies are often bound to organizational structures. In such case, IGA systems must be able to process organizational structures to be able to evaluate the policies. Even though the depth of organization structure management required by IGA systems is, in theory, very shallow, practical IGA deployment often need to go much deeper than expected (see notes below).

Identity lifecycle management almost always includes administration user interface, allowing identity administrators to review identities managed in the system, or even manage them manually. Self-service interface for ordinary users is usually also present, providing means for a user to maintain parts of user profile.

There are some IGA features related to the identity lifecycle, features that require cooperation of several capabilities. Identity merge/split is related to the synchronization/correlation capability, however it may require support from workflow capability. Similarly, progressive profiling, self-service registration, invites and similar capabilities require parts of workflow capability, or a special-purpose interface.