service representative may need to be granted a “User” role on the
corporate intranet (like any other employee), on the CRM system and on one or
more product systems. This set of roles (“Intranet User”, “CRM System
User”, “Product System X User”, etc.) is assigned to so many people that it
makes sense to group it into a “Role Profile”, a kind of shorthand that the
User Administration screens can use to grant the whole set of roles to each
new user in one step. Under the covers, each user is still associated with the
individual roles rather than with the profile, so exceptions are easy to cater
for: an administrator simply drops or grants individual application roles for
that user. As before, the association of application-specific roles to Role
Profiles is a separate table in the IAM database and can be added as a later
enhancement, once patterns of access have become established.
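As an added illustration of the Role Profile design just described (example code, not from the book), the following Python script builds the role, profile, profile-to-role and user-to-role tables in an in-memory SQLite database and shows that assigning a profile is only a convenience: the user ends up linked to the individual application roles, and exceptions are handled by granting or revoking single roles. The table names, column names and function names are this example's assumptions.

```python
import sqlite3


def open_iam_db() -> sqlite3.Connection:
    """In-memory IAM database holding the role and Role Profile tables.

    Table and column names are this example's assumptions; the text only says
    the profile-to-role mapping lives in a separate table of the IAM database.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE app_role (
            role_id   INTEGER PRIMARY KEY,
            role_name TEXT NOT NULL UNIQUE);
        CREATE TABLE role_profile (
            profile_id   INTEGER PRIMARY KEY,
            profile_name TEXT NOT NULL UNIQUE);
        -- the shorthand: which application roles a profile stands for
        CREATE TABLE role_profile_role (
            profile_id INTEGER NOT NULL REFERENCES role_profile(profile_id),
            role_id    INTEGER NOT NULL REFERENCES app_role(role_id),
            PRIMARY KEY (profile_id, role_id));
        -- the real association: a user is linked only to individual roles
        CREATE TABLE user_role (
            user_uuid TEXT NOT NULL,
            role_id   INTEGER NOT NULL REFERENCES app_role(role_id),
            PRIMARY KEY (user_uuid, role_id));
    """)
    return con


def define_roles(con, role_names):
    con.executemany("INSERT OR IGNORE INTO app_role (role_name) VALUES (?)",
                    [(name,) for name in role_names])


def define_profile(con, profile_name, role_names):
    """Create a Role Profile as a named bundle of application roles."""
    define_roles(con, role_names)
    con.execute("INSERT INTO role_profile (profile_name) VALUES (?)", (profile_name,))
    con.executemany(
        """INSERT INTO role_profile_role (profile_id, role_id)
           SELECT p.profile_id, r.role_id FROM role_profile p, app_role r
           WHERE p.profile_name = ? AND r.role_name = ?""",
        [(profile_name, name) for name in role_names])


def assign_profile(con, user_uuid, profile_name) -> int:
    """Expand the profile into individual user_role rows (what the User
    Administration screen does behind the scenes). Returns the number of roles
    newly granted; roles the user already holds are left alone."""
    before = con.total_changes
    con.execute(
        """INSERT OR IGNORE INTO user_role (user_uuid, role_id)
           SELECT ?, pr.role_id FROM role_profile_role pr
           JOIN role_profile p USING (profile_id)
           WHERE p.profile_name = ?""",
        (user_uuid, profile_name))
    return con.total_changes - before


def grant_role(con, user_uuid, role_name):
    """Exception handling: add one application role to one user."""
    con.execute(
        """INSERT OR IGNORE INTO user_role (user_uuid, role_id)
           SELECT ?, role_id FROM app_role WHERE role_name = ?""",
        (user_uuid, role_name))


def revoke_role(con, user_uuid, role_name):
    """Exception handling: drop one application role from one user."""
    con.execute(
        """DELETE FROM user_role WHERE user_uuid = ?
           AND role_id = (SELECT role_id FROM app_role WHERE role_name = ?)""",
        (user_uuid, role_name))


def roles_of(con, user_uuid) -> list:
    """What an application's authorisation check sees: individual roles only."""
    rows = con.execute(
        """SELECT r.role_name FROM user_role u JOIN app_role r USING (role_id)
           WHERE u.user_uuid = ? ORDER BY r.role_name""",
        (user_uuid,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_iam_db()
    define_profile(db, "Customer Service Representative",
                   ["Intranet User", "CRM System User", "Product System X User"])
    assign_profile(db, "user-uuid-0001", "Customer Service Representative")
    revoke_role(db, "user-uuid-0001", "Product System X User")   # an exception
    print(roles_of(db, "user-uuid-0001"))
```

Because the profile is expanded at assignment time, later changes to a profile's role list do not reach users who already hold it; re-running assign_profile for those users applies the additions (roles they already have are skipped).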
Tip 8: Have a table of security questions and another table of per-user
answers to two or three of these security questions.
Security questions such as “What is your mother's maiden name?” or “What was
the name of your first pet?” are an alternative way of identifying a user,
which makes them useful for a self-service password reset or “forgotten
password” capability. A user who claims to have forgotten their password
should enter their user ID. IAM should look up their User UUID in the
directory using this User ID, then retrieve the user's security questions
from the database using the User UUID and display them. If the user answers
all of the required security questions correctly, a new password should be
generated and sent to the user's email address. The same password should be
written to the directory and marked “expired” in the same operation, so the
user is forced to change it at first login. Two practical points: store the
answers in the per-user table as salted hashes rather than in clear text,
since a leaked answer is as damaging as a leaked password; and treat wrong
answers like failed logins, counting and limiting them, because answers such
as a first pet's name are often easy to guess or look up.
Tip 9: You will almost certainly need a user activity log
From an audit perspective, many user activities (logins, failed logins,
password changes, application accesses, etc.) need to be logged: who did
what, when, and with what outcome. A separate table is needed to record
these events.
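The reset flow of Tip 8 and the activity log of Tip 9, as an added example that is not from the book: an in-memory SQLite version of the tables, with the directory entry simulated by a table of its own. Answers are stored salted and hashed with PBKDF2 and compared in constant time, every reset attempt is written to the activity log, and the same log drives a lockout. The hashing scheme, the five-attempt lockout, the 16-character temporary password and all table and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timezone

# Assumptions of this example, not from the text: PBKDF2-SHA256 for answers and
# passwords, a 16-character temporary password, lockout after five logged failures.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_RESETS = 5


def open_iam_db() -> sqlite3.Connection:
    """In-memory stand-in for the directory plus the IAM tables used here."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE directory_user (      -- stand-in for the directory entry
            user_id TEXT PRIMARY KEY, user_uuid TEXT NOT NULL UNIQUE, email TEXT NOT NULL,
            password_hash BLOB, password_expired INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE security_question (   -- Tip 8: the shared question list
            question_id INTEGER PRIMARY KEY, question_text TEXT NOT NULL UNIQUE);
        CREATE TABLE user_security_answer (  -- Tip 8: per-user answers, hashed
            user_uuid TEXT NOT NULL, question_id INTEGER NOT NULL REFERENCES security_question,
            salt BLOB NOT NULL, answer_hash BLOB NOT NULL, PRIMARY KEY (user_uuid, question_id));
        CREATE TABLE user_activity_log (   -- Tip 9: audit events
            log_id INTEGER PRIMARY KEY, user_uuid TEXT, event TEXT NOT NULL,
            outcome TEXT NOT NULL, logged_at TEXT NOT NULL);
    """)
    return con

def _hash_answer(answer, salt):
    """Normalise case and whitespace, then hash the answer like a password."""
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ITERATIONS)

def log_event(con, user_uuid, event, outcome):
    con.execute("INSERT INTO user_activity_log (user_uuid, event, outcome, logged_at) VALUES (?, ?, ?, ?)",
                (user_uuid, event, outcome, datetime.now(timezone.utc).isoformat()))

def enrol_user(con, user_id, email, answers):
    """Create the directory entry and store answers as salt + hash; clear text is
    never written. `answers` maps question text to the user's answer."""
    user_uuid = secrets.token_hex(16)
    con.execute("INSERT INTO directory_user (user_id, user_uuid, email) VALUES (?, ?, ?)",
                (user_id, user_uuid, email))
    for question, answer in answers.items():
        con.execute("INSERT OR IGNORE INTO security_question (question_text) VALUES (?)", (question,))
        qid = con.execute("SELECT question_id FROM security_question WHERE question_text = ?",
                          (question,)).fetchone()[0]
        salt = secrets.token_bytes(16)
        con.execute("INSERT INTO user_security_answer VALUES (?, ?, ?, ?)",
                    (user_uuid, qid, salt, _hash_answer(answer, salt)))
    return user_uuid

def questions_for(con, user_id):
    """Reset step 1: User ID -> UUID via the directory, then the user's questions."""
    row = con.execute("SELECT user_uuid FROM directory_user WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None, []
    questions = con.execute(
        """SELECT q.question_id, q.question_text FROM user_security_answer a
           JOIN security_question q USING (question_id) WHERE a.user_uuid = ? ORDER BY 1""",
        (row[0],)).fetchall()
    return row[0], questions

def failed_resets(con, user_uuid):
    """Tip 9 in use: the activity log feeds the lockout check."""
    return con.execute("SELECT COUNT(*) FROM user_activity_log WHERE user_uuid = ? "
                       "AND event = 'password_reset' AND outcome = 'failure'", (user_uuid,)).fetchone()[0]

def reset_password(con, user_id, supplied):
    """Reset step 2: verify every enrolled answer, then issue an expired temporary
    password. Returns it (a real system e-mails it rather than showing it), or None."""
    user_uuid, questions = questions_for(con, user_id)
    if user_uuid is None:
        log_event(con, None, "password_reset", "unknown_user")
        return None
    if failed_resets(con, user_uuid) >= MAX_FAILED_RESETS:
        log_event(con, user_uuid, "password_reset", "locked_out")
        return None
    ok = True
    for qid, text in questions:
        salt, stored = con.execute("SELECT salt, answer_hash FROM user_security_answer "
                                   "WHERE user_uuid = ? AND question_id = ?", (user_uuid, qid)).fetchone()
        # Check every answer instead of stopping at the first miss, so response
        # time does not reveal which answer was wrong.
        ok &= hmac.compare_digest(stored, _hash_answer(supplied.get(text, ""), salt))
    if not ok:
        log_event(con, user_uuid, "password_reset", "failure")
        return None
    temp_password = secrets.token_urlsafe(12)          # 16 URL-safe characters
    salt = secrets.token_bytes(16)
    pw_hash = salt + hashlib.pbkdf2_hmac("sha256", temp_password.encode(), salt, PBKDF2_ITERATIONS)
    # Write the new password to the directory and mark it expired in one statement.
    con.execute("UPDATE directory_user SET password_hash = ?, password_expired = 1 WHERE user_uuid = ?",
                (pw_hash, user_uuid))
    log_event(con, user_uuid, "password_reset", "success")
    return temp_password
```

The lockout here counts failures over the whole log; a production version would count only a recent window and clear the counter after a successful reset. Note also that a failure is logged against the user's UUID rather than the user ID typed in, so the log entries join to the rest of the IAM database the same way every other per-user table does.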
As this discussion shows, the IAM database can be built up incrementally like
all the other components of IAM, so it does not have to be developed in a “Big
Bang” fashion with a large up-front price tag. The design lends itself to
incremental enhancement by layering functionality, and this is one of its
big advantages when project budgets are tight.
The following diagram provides some hints on the types of entities you may
need to model, and their likely relationships. You may need about 20-25
tables, which isn't overly complex.