# Identity and Access Management (IAM)*

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
ABAC Attribute-Based Access Control
IAM Identity and Access Management
RBAC Role-Based Access Control
SCIM System for Cross-domain Identity Management
SPML Service Provisioning Markup Language

# Glossary

Access control is restricting access to resources.

Access management is the process of managing access to resources.

Attributes are facets of an identity. Attributes can be relatively static (like an organizational unit) or highly dynamic (IP address, device being used, if the user authenticated with MFA, location, etc.).

Authentication is the process of confirming an identity. When you log in to a system you present a username (the identifier) and password (an attribute we refer to as an authentication factor).

An authoritative source is the root source of an identity, such as the directory server that manages employee identities.

Authorization is the process of granting an identity access to something (.e.g. data or a function).

An entitlement maps an identity (including roles, personas, and attributes) to an authorization. The entitlement is what they are allowed to do, and for documentation purposes we keep these in an entitlement matrix.

The person or "thing" that will have an identity. It could be an individual, a system, a device, or application code.

An association of organizations that come together to exchange information as appropriate about their users and resources to enable collaborations and transactions.

The means by which an identity can be asserted. For digital identities this is often a cryptological token. In the real world it might be your passport.

The unique expression of an entity within a given namespace. An entity can have multiple digital identities, such as a single individual having a work identity (or even multiple identities, depending on the systems), a social media identity, and a personal identity. For example, if you are a single entry in a single directory server then that is your identity.

The expression of an identity with attributes that indicates context. For example, a developer who logs into work and then connects to a cloud environment as a developer on a particular project. The identity is still the individual, and the persona is the individual in the context of that project.


Access decisions can be enforced at various points with various technologies.

Establishes the security and access policies based on business needs and the degree of acceptable risk.

Identities can have multiple roles which indicate context. "Role" is a confusing and abused term used in many different ways. For our purposes we will think of it as similar to a persona, or as a subset of a persona. For example, a given developer on a given project may have different roles, such as "super-admin" and "dev", which are then used to make access decisions.

SCIM is a standard for exchanging identity information between domains. It can be used for provisioning and deprovisioning accounts in external systems and for exchanging attribute information.

  • Standardized
  • Open standard for automating the exchange of user identity information between identity domains or IT systems
  • Newer than SPML

A method for automating account creation.

  • Standardized
  • Seldom implemented due to inflexibility and lack of vendor support
  • Older and uses XML, which is slow

# Overview

IAM is about the people, processes, and procedures used to create, manage, and destroy identities of all kinds. It is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Usually, regulatory compliance drives IAM efforts, not business requirements or needs.

An IAM system includes the following components:

  • Identity Management
  • Access Management
  • Identity Repository and Directory Services

An IAM system should carry out two functions:

  1. Ensure the identity of an entity
  2. Once authenticated, the entity should be given the correct level of access to the systems they are trying to access

IAM sets out to define what a subject (active entity) is allowed to do to an object (passive entity)?

Key phases include:

  • Provisioning
  • Centralized Directory
  • Privileged User Management
  • Authentication
  • Access

# Components

# Identity Management

Identity management is the process whereby individuals are given access to system resources by associating user rights with a given identity. This includes registering, provisioning, and deprovisioning identities for all relevant entities and their attributes, while making that information available to the proper audit.

# Access Management

Access management is the process that deals with controlling access to resources once they have been granted. Access management tries to identify who a user is and what they are allowed to access.

This stage is where the real risk decisions are made. It is more important to control access rights than it is to control the number of identities.

# Identity Repositories and Directory Services

An identity repository is the store of information or attributes of identities.

A directory services is how identities and attributes are managed. There are several directory services available today:

  • X.500 and LDAP
  • Microsoft Active Directory
  • Novell eDirectory
  • Metadata replication and synchronization

# Provisioning and Deprovisioning

# Provisioning Process

Individual components of provisioning and deprovisioning process could be considered parts of identity and access management. In some cases, the process is referred to as "I triple A", starting at the identification phase and ending with accountability.

Typically performed by HR.

Traditionally performed by IT but strides are being made to automate this.

The process of claiming an identity (asserting who you are). This should be unique for accountability (such as a user ID, account number, RFID, or IP/MAC).

The the process that establishes with adequate certainty the identity of an entity. Supports the identification claim by proving by some means (such as a username and password) that this is the user they say they are.; "Who are you?" and "How do I know I can trust you?"

The process of granting access to resources. Enforced at the policy enforcement point.; "What do you have access to?"

Based on identification information; the ability to match a subject's action to their identity.

The process whereby a user account is disabled. This process should be standardized using SPLM or SCIM.

# Provisioning Methods

Account provisioning or identity provisioning technology creates, modifies, disables, and deletes user accounts and their profiles across IT infrastructure and business applications.

Administrators determine which applications and data a user should have access to.

Users participate in some aspects of the provisioning process, thus reducing administrative overhead. Often, users are allowed to request an account and manage their passwords.

Gathers the required approvals from the designated approves before granting a user access to an application or data. For example, the business rules in a finance application might require that every new account request be approved by the company's CFO.

Requires every account to be added the same way through an interface in a centralized management application. This streamlines the process of adding and managing user credentials and provides administrators with the most accurate way to track who has access to specific applications and data sources.

Automated account provisioning is usually accomplished using one of the following two methods:

  • SCIM
  • SPML