same “thread” of execution. This doesn't remove the need for other
correlating attributes like transaction IDs, but it strengthens the association
of the activity with the user.
The other major advantage of including the UUID in log records is that the
logs can be held on another system. Perhaps a centralised, enterprise
logging service may in time replace the individual logging mechanisms of
various systems, and you would then need to replace the system-specific
identifiers with something global. Including the UUID reference from the
start would make log records readily portable.
Identity versus Access
Identity refers to who someone is. Access refers to what they are allowed to
do. While the two concepts are closely related, they are not the same.
Therefore, they should not be coupled together more tightly than they need
to be.
Tip 4: Decouple identity information from access control information
Following from Tip 1, treat the two groups of attributes relating to identity
and access independently, and associate both of them with the user they
refer to through a meaning-free identifier. In practical terms, this means the
user repository that deals with authentication should be independent of the
user repository that deals with authorisation. This counter-intuitive insight is
explored in greater detail when we discuss the design of the IAM directory
and database.
User Provisioning
The major benefit from automating user provisioning is the saved effort that
would otherwise go towards setting users up on all the systems where they
need to be defined. But almost by definition, this multi-system provisioning
scheme needs to deal with multiple schemes for identifiers. Some older
systems only take limited-length numeric identifiers (e.g., “7634”), while
others take longer alphanumeric ones (e.g., “jdoe” or “john.doe”). Still
others may use email addresses as identifiers. Some are case-sensitive while
others are not. It's not feasible to unify the schemes used for identifiers
because of this diversity. A number of techniques could be used to manage
this complexity, though.
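One way to see these three ideas together (the meaning-free UUID as the pivot, identity and access held apart, and per-system identifier schemes mapped onto that pivot) is the sketch below. It is an added illustration, not code from the book; the three system schemes, their patterns and the sample user are constructed for the example.

```python
import re
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IdScheme:
    """What one target system will accept as a local identifier (constructed examples)."""
    name: str
    pattern: str          # regex the local identifier must satisfy
    case_sensitive: bool  # whether the system distinguishes "JDoe" from "jdoe"


SCHEMES = {s.name: s for s in [
    IdScheme("legacy-hr", r"^\d{1,4}$", True),           # short numeric ids like "7634"
    IdScheme("unix", r"^[a-z][a-z0-9.]{0,15}$", True),   # alphanumeric like "jdoe", "john.doe"
    IdScheme("mail", r"^[^@\s]+@[^@\s]+$", False),       # email address, case-insensitive
]}


@dataclass
class Subject:
    """Identity attributes and access attributes are separate bags, joined only by the UUID."""
    uid: str = field(default_factory=lambda: str(uuid.uuid4()))
    identity: dict = field(default_factory=dict)    # who they are (authentication side)
    access: dict = field(default_factory=dict)      # what they may do (authorisation side)
    system_ids: dict = field(default_factory=dict)  # system name -> local identifier


def provision(subject, scheme, local_id):
    """Bind a system-local identifier to the UUID, refusing ids the target cannot hold."""
    if not re.match(scheme.pattern, local_id):
        raise ValueError(f"{local_id!r} is not a valid {scheme.name} identifier")
    key = local_id if scheme.case_sensitive else local_id.lower()
    subject.system_ids[scheme.name] = key
    return key


def resolve(subjects, scheme, local_id):
    """Map a local identifier seen on one system back to the global UUID."""
    key = local_id if scheme.case_sensitive else local_id.lower()
    for s in subjects:
        if s.system_ids.get(scheme.name) == key:
            return s.uid
    return None


def log_record(subject, system, event):
    """A log line that carries the UUID, so it stays meaningful once shipped off this system."""
    local = subject.system_ids.get(system)
    return f"uid={subject.uid} system={system} local_id={local} event={event}"
```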