Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Introduction

IDM Model subsystem implements the theoretical security and access control model that is applied to the system. It implements logic to synchronize users and accounts, fill in the missing values, validate existing values, direct the propagation of changes and so on. Generally speaking, it is enforcing overall identity management policy. IDM Model is the real heart of the system.

Currently the IDM model evaluates a set of expressions that can be used to guide provisioning and synchronization. Later the model will implement a dynamic variant of Role-Based Access Control (RBAC) model. The IDM Model is theoretically replaceable with entirely different implementation, bringing quite an extreme flexibility to the system.

Responsibility

  • Hiding the low-level components behind a single facade
    • The distinction between repository and provisioning is partially hidden from the clients therefore model provides a kind of location transparency.
    • Provisioning functionality is not be exposed directly. The provisioning actions are carried out by a modification of user or account object. Therefore the model provides (partial) uniformity of access to all objects.
  • Enforce access control policies (with respect to target resources)
    • RBAC-based models will maintain roles, their definitions, etc.
    • RBAC-based models will enforce creation/deletion of accounts based on role membership
    • RBAC-based models may enforce account attributes based on role membership
    • the model may implement any mechanism to enforce policies (RuBAC, ABAC, ...) as long as it is usable and consistent.
  • Only one model can be active in a specific deployment (models cannot be mixed in the same system)
  • Maintain values of virtual attributes
    • e.g. attributes implied by role membership, organization, policy, ...

Component Diagram

TODO

Data Structures

The objects defined in the IDM Model Schema is specific for IDM model component. However, it is also using other parts of the Data Model, especially the dynamic Resource Schema. IDM model is interpreting the schema and also evaluating the expressions specified in the Resource Schema Handling part.

One of the most important data model concepts that is processed by IDM model is a concept of Assignment.

Description

TODO

IDM Model and Busines Logic

TODO: how workflows are executed from the model (callback hooks), relative changes, approvals, notifications, pointer to System Interactions.

Replacing the Model

TODO:

Please note that both business logic and GUI depends on the model. Therefore replacing the model may break both default GUI and default business logic.

TODO

  • No labels