Is there a mismatch between the reality in organizations and the implementations of at least several of the Identity Provisioning and Access Governance solutions when it comes to the representation of physical persons in IT? To me it appears that there is a mismatch.

The reality in all large organizations I know is that the real world is sort of 3-tiered:

  • There is a physical person - let's call him Mr. X
  • Mr. X can act in very different contexts. You might call them roles or digital identities, however all of these terms are overloaded with meanings. I'll give three examples for that. 1. Mr. X might be an employee of an insurance company and a freelance insurance broker for the insurance company at the same time. 2. Mr. X might be an employee of a bank and a customer. 3. Mr. X might be the managing director of both company ABC, Inc. and DEF, Inc., which both are owned by XYZ, Ltd where he is employed as well.
  • In each of these contexts, Mr. X might have more than one account. If he acts as external freelance insurance broker or customer, that might only be one account. If he is the managing director of some corporations within a group, he might have different Active Directory accounts, different RACF accounts, different SAP accounts, and so on.
You might argue that these are exceptions. However, being a customer of the employing company isn't an exception in many organizations. And, by the way: A good and valid model has to support not only a standard approach but the exceptions as well. With other words: There are few situations in which a real-world model isn't 3-tiered.

And there are good reasons to model the systems according to that. If someone is a customer of a bank and an employee, there are very obvious SoD rules which apply to this. He shouldn't give loans to himself. If someone is a freelance insurance broker and an employee of the insurance, the same is true. He shouldn't manage the insurance contracts he is selling. If someone is a customer and and employee, it's the same again. He shouldn't give discounts, grant consumer loans, or just change the delivery queue.

However, several tools follow a 2-tiered approach. They know for example an "identity" and "accounts" or "users" which are associated with the identity. If someone has more than one such identity, the problems begin. In some cases, it is very easy to adopt the object model. In others, you have to find workarounds like mapping the unique IDs of these identities into the other identities, which then might require a lot of additional code and is error-prone.

From my perspective, supporting a 3-tiered model out-of-the-box, with

  • Persons
  • Context, Identities,... (whatever term you prefer)
  • Users (in specific systems), accounts,... (again - choose your term)
is mandatory to reflect the reality in organizations and to support the business requirements - especially when it comes to SoD policies. If you don't need three tiers, it is easy to just use two of them. But if your tool supports only two tiers out-of-the-box, it might become a tough task to implement your real-world model. Looking at that point is, from my perspective, one of the most critical aspects when it comes to technology decisions.