Identity Management is an often-ignored software component. For most users, it manifests as a directory services application in the form of a global address book: a common address book on the server is made available to each user's email client via the LDAP protocol. But identity management is much more. Esther Dyson, writing in Release 1.0 (June 2002), provides the context and components of identity management:
Virtually every application in the future will make use of identity information, but there are some specific areas that will lead in its development and use. Of course, what can be managed is not the ineffable identity of a person, but all the relationships with and data about that individual: the profile. Identity-based functions include authentication, authorization, security and access. Those functions support applications such as billing and payment, direct marketing and CRM, provisioning, roaming (basically, remote provisioning), presence management, workflow, and knowledge management (especially as managers start to realize that most knowledge is in people's heads, not in databases).
The essence of identity management is defining people and things as classes or groups, to which you can apply policies or draw conclusions. Identity management crosses contexts and reduces complexity by finding the common elements across individuals so that they can be handled on the basis of policies rather than one by one, yet treated as individuals if they happen to call a help desk, check in at a hotel, ask for a particular set of data or make a phone call from a cell phone in a foreign country using a third-party wireless carrier. They want responses in their own language, tailored to their own history and preferences.
Identity management, broadly defined, includes a data store (the directory or meta-directory), and a variety of processes that populate it, update it, and rely on its information to derive roles and control (access to) other system resources: everything from plain old access through a firewall to discrete permission ("authorization") to use a specific application function on a specific set of data at a specific time of day. Many of these components can be either bound together or, increasingly, teased apart. Role information and access rules can be kept in the directory, or they can be separated out into an authorization or control layer.
At its simplest, identity management ensures a single sign-on to all applications: the same user name and password work across all the applications, and access rights are granted based on the user's profile. This is very important because it is impractical to expect users to keep remembering different login names and passwords for the various applications they need to access. Not using an identity management layer will result either in lax security or in lesser use of the applications, both of which are undesirable.
So far, little attention has been paid to identity management in the context of SMEs. In part, this is because most SMEs use very few business applications. As usage increases, it will become increasingly important to have identity management with a directory to manage authorisation and authentication of users. This will necessarily mean that the applications used will need to interface with this identity management layer rather than each having its own independent login-password database.
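To make the single sign-on and group-based policy idea concrete, here is a small added Python example (not code from this post or from Dyson's article): one central directory holds every user's credential and group memberships, a separate authorization layer holds policies written against groups rather than individuals, and each application delegates both checks to them instead of keeping its own login-password table. The class names, applications and sample users are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production

class Directory:
    """Central identity store: one credential per user plus group memberships."""
    def __init__(self):
        self._users = {}   # uid -> (salt, pbkdf2 digest)
        self._groups = {}  # uid -> set of group names

    def add_user(self, uid, password, groups):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._users[uid] = (salt, digest)
        self._groups[uid] = set(groups)

    def authenticate(self, uid, password):
        """True only if uid exists and the password matches (constant-time compare)."""
        rec = self._users.get(uid)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def groups_of(self, uid):
        return frozenset(self._groups.get(uid, ()))

class Policy:
    """Authorization layer kept apart from the directory; rules name groups, not users."""
    def __init__(self, rules):
        self._rules = rules  # {(application, action): set of allowed groups}

    def allows(self, groups, app, action):
        return bool(self._rules.get((app, action), set()) & groups)

def access(directory, policy, uid, password, app, action):
    """What every application calls instead of checking its own password table."""
    if not directory.authenticate(uid, password):
        return "denied: bad credentials"
    if not policy.allows(directory.groups_of(uid), app, action):
        return "denied: not authorised"
    return "allowed"

def demo_directory():
    """Constructed sample users (hypothetical, not from the page)."""
    d = Directory()
    d.add_user("asha", "correct horse", ["staff", "finance"])
    d.add_user("ravi", "battery staple", ["staff"])
    return d

# Constructed sample policy: the same credentials serve both applications,
# but only the finance group may approve in billing.
DEMO_POLICY = Policy({("crm", "read"): {"staff"}, ("billing", "approve"): {"finance"}})
```

Because the policy is written against groups, adding a new application means adding a rule, not another password database.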
Tomorrow: Systems Software Architecture (continued)