Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes and leave a note while at it.

Identity management 1-0-1

Basics of IDM

Every place you access with your login credentials, every place that holds information about you or information meant for you, is a potential identity management target: a target for, or a source of, identity information.

These kinds of systems are growing in number and complexity in organizations all over the world. Organizational functions are being automated and migrated to networked services that replace older manual systems. Most of these systems and their functions are somehow grouped around or based on identities: workstation accounts, email, intranets, project management, personnel registries, access to company resources.

Figure: example sketch of an IDM system

When the number of these systems increases, so does the number of hours needed to keep the identity information in them up to date. So does the number of human errors made while keeping it up to date. So does the number of hours spent by users dealing with the delays and errors of the manual process. And so does the risk of classified information falling into the wrong hands, of forgotten user accounts being exploited, or even of information leaking outside the organization.

This is where identity management, or IDM, comes in. In a situation like this its main purposes are simply the following:

  • Cost reduction
  • Security
  • Development

Cost reduction comes from the following advantages gained with automatic identity management:

  • The time users waste waiting for logins to be created decreases significantly
  • The time wasted on error situations decreases significantly
  • The time spent on administration processes decreases significantly
  • The money lost due to dysfunctional identity-based systems decreases
  • Licence costs drop because the number of unknown users decreases

Security increases due to the following advantages of automatic identity management:

  • No more forgotten logins in connected systems
  • No more wrong access rights in connected systems
  • Every user's access rights are easily checked and modified

Development is enhanced significantly by identity management due to the following advantages:

  • Ease of adding new connected systems; identity management is easily expanded
  • Enables modern services thanks to accurate identity information, usable in high-standard environments
  • Enables easy installation of new technologies
  • Gives accurate, real-time identity-based information and statistics

Identity and access management

In today's terms access management is coupled with identity management, giving us identity and access management, or IAM for short.

Access management comes as a natural next step when your identity-based systems are part of an automated identity management system. Most identity-based systems that require authentication also perform authorization based on the person or entity accessing the system. For example, the project owner is authorized to modify project memberships in the project portal, or an accountant is allowed to see the company accounts in the accounting system.

There are two things that happen here: authentication and authorization.

Authentication means that the user or entity proves his or her identity by presenting the requested credentials. Mostly the credentials are a login and a password; in some cases they may be a certificate from an access card or a fingerprint from a scanner. In any case the authentication information is available to the system being accessed because automated identity management has synchronized it there, so the system can compare the presented credentials against the information synchronized by the IDM and verify that they match.

Authorization happens once the user's identity has been proven, for example with a login and password: the user's information is checked, and based on this information a level of access is granted. This could happen by checking whether the user's job title is "accountant" or whether the user belongs to the accounting department, resulting in modify access being allowed to detailed accounting data.
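The two steps above, as an added example that is not part of the wiki page and not code from any IDM product: a connected system holds the attributes and password verifiers the IDM synchronized to it, authenticates by comparing the presented password against the stored verifier, and only then authorizes by checking the synchronized attributes (department, job title) against a deny-by-default policy. The logins, passwords, departments and the policy are constructed for illustration.

```python
"""Authentication vs. authorization against an IDM-synchronized store.

Added example, not part of the original wiki page. The store contents,
user names and policy rules are constructed here for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: cost parameter for this toy store


@dataclass
class Identity:
    """What the IDM pushed into the target: attributes plus a password verifier."""
    login: str
    department: str
    job_title: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_identity(login: str, department: str, job_title: str, password: str) -> Identity:
    salt = os.urandom(16)
    return Identity(login, department, job_title, salt, hash_password(password, salt))


# Constructed sample: the connected system after IDM synchronization.
STORE = {
    i.login: i
    for i in [
        make_identity("alice", "accounting", "accountant", "correct horse"),
        make_identity("bob", "projects", "project owner", "battery staple"),
    ]
}


def authenticate(store: dict, login: str, password: str):
    """Step 1: prove identity. Returns the Identity on success, else None.

    An unknown login still runs the hash so timing does not reveal which
    logins exist, and the comparison is constant-time.
    """
    identity = store.get(login)
    salt = identity.salt if identity else b"\x00" * 16
    candidate = hash_password(password, salt)
    if identity and hmac.compare_digest(candidate, identity.pw_hash):
        return identity
    return None


# Step 2 policy: which synchronized attribute grants which action.
POLICY = {
    "modify_accounts": lambda i: i.department == "accounting" and i.job_title == "accountant",
    "modify_project_members": lambda i: i.job_title == "project owner",
    "read_intranet": lambda i: True,
}


def authorize(identity: Identity, action: str) -> bool:
    """Step 2: deny by default; allow only if a policy rule says so."""
    rule = POLICY.get(action)
    return identity is not None and rule is not None and bool(rule(identity))


def access(store: dict, login: str, password: str, action: str) -> str:
    """Run both steps and report which one stopped the request, if any."""
    identity = authenticate(store, login, password)
    if identity is None:
        return "authentication failed"
    if not authorize(identity, action):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    print(access(STORE, "alice", "correct horse", "modify_accounts"))   # granted
    print(access(STORE, "bob", "battery staple", "modify_accounts"))    # forbidden
```

The point the separation makes visible: a wrong password and an unknown login both stop at step 1 with the same answer, while a correctly authenticated user with the wrong attributes stops at step 2. Policy evaluates only attributes the IDM synchronized, so a department move in the source registry changes what the user may do without touching the password.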

Level of automation

All of these functionalities can be made fully or partially automatic, and the common case is somewhere in between. No organization is without exceptions where identities are concerned, and that often raises the question of how to compromise between automation and manual intervention. These special exceptions can usually be covered by automatic processes, but the effort of creating and maintaining the rules sometimes exceeds the working hours spent on the exceptions themselves.

The sources and targets

The textbook solution is to have one identity source: a registry of personnel data. The administrators of this registry have sole responsibility for producing accurate data on each user's life cycle in the organization. The identity management system reacts to changes in this registry by modifying the identity information held in its own identity storage, and reacts to changes in that storage by updating, adding or removing accounts and granting or revoking access in connected systems or resources. Other sources of identity information complement identities with specialized data, such as project data from a project system.

Every identity management system has multiple targets for identity data. One of IDM's basic principles is to produce compatible identity information for every imaginable system that needs it. For example, it can produce accounts in an Active Directory domain, project memberships in a project database, intranet accounts, an SMS warning about an expiring account, or a happy birthday email to all the birthday heroes of the day! A good identity management system such as Novell IDM offers limitless possibilities for utilizing identity information.

One approach is to delegate the automatic decision to a responsible person who has knowledge the automatic process cannot possess. This is called an approval workflow. For example, a manager must approve all access to the department's storage space. Approval workflows have received increased attention in recent years and can be a very precise and essential tool, since they combine automatic processes with human intervention and input, but they need to be considered carefully, since they transfer work hours from automation to people and increase the complexity of the identity management system.

As with all things, identities must have an end. Ending the identity lifecycle is crucial to an IDM system and there should be no uncertainty in this matter, since the damage done by unauthorized users in a system can be severe and overall organizational security is impaired if the lifecycle is not flawless.

Identity lifecycle information is usually based on identity registry information, for example work contract data in the personnel database. Sometimes the lifecycle needs to be interrupted by a manager, so some manual options are needed: for example an approval workflow that can be retracted, or a separate retirement workflow.
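The source-driven lifecycle and the approval workflow from the three sections above, as one added example that is not part of the wiki page and is not Novell IDM or any product's code: a personnel registry with contract end dates is the single source, a reconciliation pass turns it into create / move / disable / revoke actions for the connected targets (joiner, mover, leaver), and a small approval workflow handles the one grant automation cannot decide, with the approving manager able to retract it. The registry rows, target names ("ad", "intranet"), the manager mapping and the grace period are constructed assumptions.

```python
"""Source-driven identity lifecycle with an approval workflow.

Added example, not part of the original wiki page and not code from any
IDM product. Registry rows, target names and the manager map are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Person:
    """One row of the personnel registry: the single source of identity."""
    pid: str
    login: str
    department: str
    contract_end: Optional[date]  # None = open-ended contract


@dataclass
class Account:
    """What the IDM identity storage knows about a user's target accounts."""
    login: str
    department: str
    enabled: bool = True


def reconcile(registry: List[Person], store: Dict[str, Account], today: date,
              grace_days: int = 0) -> List[str]:
    """Compare the source against the identity store; return actions to push.

    Each action is an 'ACTION target login' string. The store is updated in
    place, so a second run on unchanged input yields no actions (idempotent).
    A contract counts as ended once it is more than grace_days in the past.
    """
    actions: List[str] = []
    active: Dict[str, Person] = {}
    for p in registry:
        ended = p.contract_end is not None and (today - p.contract_end).days > grace_days
        if not ended:
            active[p.login] = p

    # Joiners get accounts in every target; movers get attribute updates.
    for login, p in active.items():
        acct = store.get(login)
        if acct is None:
            store[login] = Account(login, p.department)
            actions.append(f"CREATE ad {login}")
            actions.append(f"CREATE intranet {login}")
        else:
            if not acct.enabled:  # contract extended after a disable
                acct.enabled = True
                actions.append(f"ENABLE ad {login}")
            if acct.department != p.department:
                actions.append(f"MOVE ad {login} {acct.department}->{p.department}")
                acct.department = p.department

    # Leavers: anything the store still has enabled that the source no longer lists.
    for login, acct in store.items():
        if login not in active and acct.enabled:
            acct.enabled = False
            actions.append(f"DISABLE ad {login}")
            actions.append(f"REVOKE intranet {login}")
    return actions


class ApprovalWorkflow:
    """Grants automation cannot decide: the responsible manager must approve,
    and the same manager can later retract the approval, which revokes it."""

    def __init__(self, manager_of: Dict[str, str]):
        self.manager_of = manager_of           # login -> manager login (constructed)
        self.pending: Dict[tuple, str] = {}    # (login, resource) -> approver
        self.granted = set()

    def request(self, login: str, resource: str) -> str:
        manager = self.manager_of.get(login)
        if manager is None:
            return "rejected: no responsible manager on record"
        self.pending[(login, resource)] = manager
        return f"pending approval by {manager}"

    def approve(self, approver: str, login: str, resource: str) -> str:
        key = (login, resource)
        if self.pending.get(key) != approver:
            return "denied: not the responsible manager or nothing pending"
        del self.pending[key]
        self.granted.add(key)
        return f"GRANT {resource} {login}"

    def retract(self, approver: str, login: str, resource: str) -> str:
        key = (login, resource)
        if key not in self.granted or self.manager_of.get(login) != approver:
            return "denied: not granted or not the responsible manager"
        self.granted.discard(key)
        return f"REVOKE {resource} {login}"
```

Two design points worth noticing: leavers are disabled rather than deleted, so a contract that is extended after the end date re-enables the same account instead of creating a fresh one; and the approval workflow issues exactly the same GRANT / REVOKE action strings as the automatic path, so the connected targets cannot tell whether a human or the reconciliation loop decided.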

The result

All of these ingredients, combined with good judgement, will produce a reliable, cost-effective identity management system: an easy-to-use, working IT environment that is expandable and flexible, with users who can concentrate on whatever they do best.
