Having a meaning-free identifier, on the other hand, provides tremendous
flexibility. It can be associated with any set of identity attributes on any
number of different systems. Those attributes and their mapping to this
identifier can be modified quite easily to suit changing circumstances (e.g., a
user changing their name or login ID on a system), and control can still be
maintained.
So instead of linking attributes and meaning directly to a user's identity,
make it meaning-free and associate it loosely with groups of attributes,
including local identifiers on different systems.
Tip 2: A UUID is the most flexible meaning-free identifier
Universally Unique IDs (UUIDs) are extremely large numbers (128 bits long),
traditionally expressed as 36-character hexadecimal strings [12]. UUIDs that are
randomly generated have another very useful property: they are virtually
guaranteed never to conflict, because their range of values is so large.
Therefore, unlike sequence numbers, UUIDs don't have to be generated by a
single source to guarantee their uniqueness. Multiple sources can
generate UUIDs simultaneously, and their uniqueness would still be
guaranteed. This becomes useful in IAM because more than one "upstream"
system may provision new users.
Standardising on a UUID gives you the flexibility to let such upstream
systems generate a UUID themselves and maintain a mapping from it to any
local ID they may define. From that point on, the treatment of user identity
is uniform. You don't need to rely on a centralised component to
provide unique identifiers to users from different provisioning sources.
Tip 3: Exploit the UUID to aid the audit function
One of the requirements of the audit function is to correlate activities
performed on different systems. The challenge with traditional approaches is
that when a message goes from one system to another, the user IDs on the
two systems could be different, and the timestamps would also invariably be
different. This makes it hard to prove that a log record on one system
corresponds to a log record on another system. The User UUID is a good
bridging mechanism. If each system logs the user's local ID and the UUID, it
will be far easier to correlate activities across systems that belong to the
[12] A 128-bit integer would be expected to translate to a 32-character hexadecimal
string, not 36. It's the convention, though, to express UUIDs with hyphens separating
groups of digits, e.g. 0fec5f44-1dc6-4b4e-8dd0-a5404520118d
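The following is an added example, not code from the original text, illustrating both Tip 2 and Tip 3 in Python: a meaning-free user UUID minted independently by upstream provisioning systems, a loose mapping from that UUID to per-system local IDs (which can be re-pointed when a login ID changes), and a correlation of audit records from different systems by the UUID they carry. The system names, local IDs and log lines are constructed for the demonstration; the one UUID literal is the example value from the footnote above, and a second is made up. The `accept_upstream_uuid` check is a defensive addition: a system that takes UUIDs from several upstream sources should validate that what arrives is a well-formed random (version 4) UUID before storing it.

```python
import uuid
from collections import defaultdict

# Example UUID taken from the text; the second one is constructed.
USER_A = "0fec5f44-1dc6-4b4e-8dd0-a5404520118d"
USER_B = "7b6e2c31-9a5f-4f3a-9c42-0d1b5e8a6f90"


def new_user_uuid() -> str:
    """Mint a random (version 4) UUID. Any upstream system can call this
    independently; no central sequence generator is needed."""
    return str(uuid.uuid4())


def accept_upstream_uuid(value: str) -> str:
    """Validate a UUID supplied by an upstream provisioning system and
    return it in canonical lower-case hyphenated form.
    Raises ValueError if it is not a well-formed version 4 UUID."""
    parsed = uuid.UUID(value)          # ValueError on malformed input
    if parsed.version != 4:
        raise ValueError("expected a randomly generated (version 4) UUID")
    return str(parsed)


class IdentityMap:
    """Meaning-free user UUID associated loosely with local IDs on any
    number of systems. The UUID never changes; the local IDs may."""

    def __init__(self):
        self._by_uuid = defaultdict(dict)   # uuid -> {system: local_id}
        self._by_local = {}                 # (system, local_id) -> uuid

    def bind(self, user_uuid: str, system: str, local_id: str) -> None:
        """Associate (or re-associate, e.g. after a rename) a local ID
        on one system with the user's UUID."""
        old = self._by_uuid[user_uuid].get(system)
        if old is not None:
            self._by_local.pop((system, old), None)
        self._by_uuid[user_uuid][system] = local_id
        self._by_local[(system, local_id)] = user_uuid

    def lookup(self, system: str, local_id: str):
        """Resolve a system-local ID to the user's UUID (None if unknown)."""
        return self._by_local.get((system, local_id))

    def local_ids(self, user_uuid: str) -> dict:
        """All known local IDs for a user, keyed by system."""
        return dict(self._by_uuid.get(user_uuid, {}))


# Constructed audit records. Each system logs its own local ID *and* the
# user UUID; timestamps and local IDs differ per system, the UUID does not.
# Format: "<timestamp> <system> <local_id> <uuid> <action>"
SAMPLE_LOG = [
    f"2024-03-01T09:00:00Z hr emp4711 {USER_A} login",
    f"2024-03-01T09:00:07Z crm jsmith {USER_A} export_contacts",
    f"2024-03-01T09:01:30Z hr emp0099 {USER_B} login",
    f"2024-03-01T09:02:15Z billing js-42 {USER_A} view_invoice",
]


def correlate_logs(lines):
    """Group audit records from different systems by the user UUID they
    carry, so activity by one person can be followed across systems
    without reconciling local IDs or clocks."""
    by_user = defaultdict(list)
    for line in lines:
        ts, system, local_id, user_uuid, action = line.split(" ", 4)
        by_user[user_uuid].append((ts, system, local_id, action))
    return dict(by_user)


def build_sample_map() -> IdentityMap:
    """Populate the map from the constructed sample, then simulate a
    login-ID change on the CRM system for USER_A."""
    idmap = IdentityMap()
    idmap.bind(USER_A, "hr", "emp4711")
    idmap.bind(USER_A, "crm", "jsmith")
    idmap.bind(USER_A, "billing", "js-42")
    idmap.bind(USER_B, "hr", "emp0099")
    idmap.bind(USER_A, "crm", "j.smith")   # rename: old ID no longer resolves
    return idmap


if __name__ == "__main__":
    idmap = build_sample_map()
    print("Local IDs for user A:", idmap.local_ids(USER_A))
    for user, events in correlate_logs(SAMPLE_LOG).items():
        print(user)
        for ts, system, local_id, action in events:
            print(f"  {ts} {system:8} {local_id:8} {action}")
```

Because the mapping is keyed by the UUID rather than by any local ID, renaming a login on one system is a single re-binding, and the audit trail stays joined: every record already carries the stable UUID, so no system has to know any other system's local IDs.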