Monday, September 15

Understanding the Identity Reference Model

I mentioned that Marty and others are working on an Identity Reference Model. I came to the conversation late and am trying to understand the progress they've made so far so I might be able to contribute to the discussion. Marty's latest post adds context around what they're trying to do. My original reply to this post was via email, but so that others can read along, I'm providing the email content below (Marty is the "you" I refer to).

--

The context you provided is helpful. It gives me an idea of what you are intending to accomplish, which is a model for identifying identity data, right?

So, this isn't about modeling the authentication process or provisioning process. This is just about identifying the types of information that are used to represent an identity. Correct?

I'm still unclear about the differences between entity, subject, persona, and account. The way I see it, a "persona" is like a mask (or a character being played by an actor). So, if I am an "entity", I could have multiple "personas" and would use each based on situational context. In our current-day real world, personas tend to manifest themselves as "user accounts". With information cards, I see each card as being representative of a persona. So, an entity (me) would have numerous personas. Each persona will likely have its own account, but the account seems to be something that doesn't need to be represented in this model.

I see "account" as a digital representation of a particular persona. But, that's melding "model world" with "implementation world". In the model, I think persona captures the idea that people (entities) will have subsets of information about themselves for various contexts. I know you said there was already a lot of discussion about accounts.

Each persona could have entitlements, roles, etc. I'm not sure why a sponsor would be relevant to this model. If the model is intended to illustrate the universe of information about an identity (an entity, its personas, and its entitlements), sponsor seems erroneous. Sponsor is important in the provisioning process, but is not part of the identity data itself.

I also don't get the difference between an entity and a subject. It seems to me that when you show the model in-line (when an entity is trying to access a resource), the entity is doing so AS A PARTICULAR PERSONA. Otherwise, there's no context for the policy decision point. So, it would be an instantiation of a persona that makes the request and the policy decision point would query the identity store for attributes and roles that relate to a particular persona. It wouldn't even know about the entity's other personas.

What do you think? Am I missing some of the terminology?

1 comment:

Anonymous said...

Conversation Continued:
Answering Matt's Questions