1.3.5 Identity Life Cycle Management Processes


Figure 9: Identity Life Cycle Management


Figure 10: Identity Management Life Cycle


(Process) Activity / Details

Attribute Management (add, update): The principal's attributes are administered. According to the policy and metadata, attributes might need to be proved and verified.

Credential Replacement: Replacements might have different reasons, e.g.
  • the credential is lost;
  • an attack on the credential is suspected or known;
  • the credential has expired.

Termination: Termination is a multi-step process:
  - archive the identity information of the principal;
  - replace the identity information with deletion stubs in the identity and attribute registries;
  - after the expiration of the archiving period, purge the archived information, including backups.

Class / Details

Attribute Maintenance Application: The Attribute Maintenance Application provides the facility to maintain attributes over the life cycle of the Principal. Depending on the type of users and their privileges, it can be classified as:
  • Self service
  • Delegated administration
  • Centralized administration

Attribute Registry: Stores attributes (a subset of the Identity Information).

(goal) Class / Details

Entity is registered: The goal of the enrollment process is to register the entity and have its credentials proved and validated and its identity information registered.

Identity information is complete and accurate: The goal of the enrollment process is to register the entity and have its credentials proved and validated and its identity information registered.

Principal is deprovisioned according to the policy: The goal of the termination process is to deactivate the Principal's credentials within the timeframe specified by the policy, archive the identity information to the specified extent and for the specified duration, and purge all identity information after the expiration of the archival period.
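The termination process (archive, replace with deletion stubs, purge after the archiving period) and the deprovisioning goal above, as an added example that is not part of the original document. Class and field names, the archiving period and the deactivation window are assumptions standing in for what a real policy would specify.

```python
# Added example (not the document's code): minimal model of the termination
# process. Class/field names, the archiving period and deactivation window
# are assumptions standing in for what a real policy would specify.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Principal:
    principal_id: str
    attributes: dict
    credentials_active: bool = True


@dataclass
class DeletionStub:
    """Placeholder kept in the registry while the archived copy exists."""
    principal_id: str
    terminated_at: datetime
    purge_after: datetime  # end of the archiving period


class IdentityRegistry:
    def __init__(self, archiving_period: timedelta, deactivation_window: timedelta):
        self.entries = {}  # Identity/Attribute Registry: Principal or DeletionStub
        self.archive = {}  # archived identity information
        self.backups = {}  # constructed stand-in for backup copies of the archive
        self.archiving_period = archiving_period
        self.deactivation_window = deactivation_window

    def terminate(self, pid: str, requested_at: datetime, now: datetime) -> DeletionStub:
        principal = self.entries[pid]
        # Credentials must be deactivated within the timeframe the policy sets.
        if now - requested_at > self.deactivation_window:
            raise ValueError(f"{pid}: deactivation outside the policy window")
        principal.credentials_active = False
        # Step 1: archive the identity information (and its backup copy).
        self.archive[pid] = self.backups[pid] = principal
        # Step 2: replace the registry entry with a deletion stub.
        stub = DeletionStub(pid, now, now + self.archiving_period)
        self.entries[pid] = stub
        return stub

    def purge(self, pid: str, now: datetime) -> bool:
        """Step 3: purge archive and backups once the archiving period expired."""
        stub = self.entries.get(pid)
        if not isinstance(stub, DeletionStub) or now < stub.purge_after:
            return False  # still a live Principal, or period not yet over
        for store in (self.archive, self.backups, self.entries):
            store.pop(pid, None)
        return True
```

A purge request before the stub's `purge_after` is refused, so the archived copy and its backup survive for exactly the archiving period.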

Event / Details

Application for subscription: The entity applies (itself or via a proxy) to become a subscriber with the Identity Management Authority.
Attribute change
Principal termination
trigger "new credential event"
trigger "new credential" event
trigger "provision entity" event: Depending on the access policy (and optionally on attributes), the identity information is provisioned to the requested services.
trigger "revoke credential event"

(resource) Object / Details

Document Registry: A registry or service that can be used to verify that
  1. a credential presented to establish the identity does exist with the issuing authority, and
  2. it has not been revoked.

(result) Object / Details

Principal deleted, archived, purged
Registry entry created: The entity is registered as a Principal in the Identity Registry.
Updated registry entry: The attributes of the Principal in the Identity Registry are updated (added, modified, deleted).
