Tip 5 : Understand the difference between “protected applications” and
“associated systems”
They're both business applications, but “protected applications” in the IAM
context are those that have an exposed URL protected by IAM. “Associated
systems” are those that have users provisioned in them. So “protected
application” is an Access Management concept, while “associated system” is
an Identity Management concept. You need separate tables to hold their
attributes and the different relationships they have with users. Needless to
say, some systems may be both protected applications and associated
systems.
Tip 6 : Consider maintaining a set of “Associated Roles” for a given role, to
automatically cascade role assignment
Sometimes, one application role implies another one. It may be that an
Administrator role within a B2B application implies a Requester role within
the IAM user management application, because such a user tends to request
the creation of other users. Holding such associations in another table can
remove the need to remember these role dependencies by automatically
cascading them. When a user is assigned one application role, the system
can derive the other application roles that must also be assigned, and do the
assignment transparently. Of course, revocation of roles must also follow the
same logic.
Given a two-step request/authorise workflow, you will need to think about
whether to cascade role assignment requests and show all the resulting role
assignments as pending changes to an authoriser, or whether to create only
the main role assignment request at first and create the other role
assignments once this has been approved by the authoriser.
The Associated Roles functionality can be a labour-saving enhancement to
the IAM system that is funded separately when the workload justifies it.
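The cascade logic described in Tip 6, as an added example (not code from the book or any product it describes). It assumes a hypothetical Associated Roles table expressed as (role, implied role) pairs, with constructed role names; chains are followed transitively, cycles in the table are tolerated, and revocation only drops a derived role when no other directly assigned role still implies it, which is the case the "same logic" remark needs to handle. The `preview` method computes the cascade without committing it, which is the set you would show an authoriser as pending changes in a two-step workflow.

```python
from collections import defaultdict

# Constructed sample "Associated Roles" table (hypothetical data, not from the book).
# Each row means: holding `role` implies the user must also hold `implied`.
ASSOCIATED_ROLES = [
    ("b2b:Administrator", "iam:Requester"),
    ("iam:Requester", "portal:User"),      # chains are followed transitively
    ("reports:Analyst", "portal:User"),    # one role may be implied by several others
]


def build_graph(associations):
    """Index the association table as role -> set of directly implied roles."""
    graph = defaultdict(set)
    for role, implied in associations:
        graph[role].add(implied)
    return graph


def implied_roles(role, graph):
    """All roles transitively implied by `role`, excluding `role` itself."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        for nxt in graph.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(role)  # a cycle in the table must not make a role imply itself
    return seen


class RoleAssignments:
    """Role holdings of one user: explicit assignments plus cascaded ones."""

    def __init__(self, graph):
        self.graph = graph
        self.direct = set()  # roles assigned explicitly (by request/authorisation)

    def effective(self):
        """Directly assigned roles plus everything they imply."""
        result = set(self.direct)
        for role in self.direct:
            result |= implied_roles(role, self.graph)
        return result

    def preview(self, role):
        """Roles that assigning `role` would add, without committing anything.
        This is what a two-step workflow can show the authoriser as pending."""
        return (self.effective() | {role} | implied_roles(role, self.graph)) - self.effective()

    def assign(self, role):
        """Assign `role` and cascade; returns the set of roles actually added."""
        before = self.effective()
        self.direct.add(role)
        return self.effective() - before

    def revoke(self, role):
        """Revoke a direct role and cascade; returns the set of roles actually
        removed. A derived role still implied by another direct role is kept."""
        before = self.effective()
        self.direct.discard(role)
        return before - self.effective()


if __name__ == "__main__":
    user = RoleAssignments(build_graph(ASSOCIATED_ROLES))
    print("pending:", sorted(user.preview("b2b:Administrator")))
    print("added:", sorted(user.assign("b2b:Administrator")))
    print("added:", sorted(user.assign("reports:Analyst")))
    print("removed:", sorted(user.revoke("b2b:Administrator")))
    print("effective:", sorted(user.effective()))
```

Because `assign` and `revoke` return the delta rather than the whole holding, the same functions serve both workflow variants in Tip 6: either the delta is raised as pending changes before the direct role is committed, or the direct role is approved first and the delta is applied afterwards.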
Tip 7 : Consider using “Role Profiles” as a shorthand to assign a set of
application roles that usually go together
Here's an alternative approach to associating roles with each other, so you
may only need one or the other scheme.
A corollary of having application-specific coarse-grained roles is that groups
of users tend to require similar sets of roles. For example, every customer