Role-Based Electronic Identity
Identity management (IdM) is one of the ICT-security fields that has received the most effort and the most new developments in recent years.
Identity is now handled following a user-centred approach: e-administration focuses on citizens, e-business on private clients, and so on.
For organizations, there are two major issues regarding identity:
- Large-scale complexity must be managed: a considerable number of users, devices, divisions, companies, applications, services, intranets, extranets, paperwork, functions, etc.
- Change is ongoing: frequent reorganizations, mergers and acquisitions; personnel transferred to other work functions; amendments to international, European or domestic regulations, etc.
The project aims to design a solution capable of connecting existing and future ID systems into an identity metasystem. This metasystem, or system of systems, should reinforce the features of the systems that comprise it, giving them interoperability and allowing a consistent user interface to be built for all of them.
The resulting improvements will benefit everybody, making the Internet a more secure place, encouraging e-collaboration, combating phishing, and addressing other digital ID challenges.
This platform will also serve as a communications base for crisis management in Europe, and aims to:
- Improve competitiveness in the area of ID and security management.
- Respond to identity needs that existing work has not resolved to date.
- Add new features to the identity layer to give it an organization-oriented dimension.
- Develop security and identity features that complement developments taking place simultaneously in other collaboration projects.
- Encourage collaboration between users, integrators and researchers in this strategic field.
e-Role proposes to handle roles in the identity layer along the five directions below:
- Include the concept of function in identity: centralize functions in the identity layer so that they can be addressed uniformly in each service.
- Include the concept of virtual user profile in identity: this is tailored to position control, where a 24/24 (round-the-clock) responsibility must always be staffed.
- Improve the role modeling path, by adapting existing role engineering tools and concepts to large organizations.
- Allow multi-domain provisioning, i.e. intelligent provisioning between independently administered domains.
- Allow users to manage their own roles.
Function in Identity
The vision of e-Role derives from a natural evolution of the identity paradigm, in which the concept of function is moved from the services layer to the identity layer. The identity layer manages the functions a user exercises, so that services no longer have to; services deal only with functions and never with users. Accountability is preserved because the identity layer records the user-to-function mapping for audit purposes, so that the human behind each function used in a service can always be identified. Function capabilities are therefore enabled by e-Role, not by the services themselves.
The following figure shows e-Role's vision: function management moves from the services into the identity layer, and services consider only the function, not the user. This benefits the services, which no longer have to manage users and everything that entails (user database management, user allocation, role management, role allocation, etc.), and it benefits administration staff through the centralization of role and function management.
Virtual User Profile
A further change to the notion of function is the virtual user profile. A single user of a system may play one or more roles within an organization.
Some of these roles require the constant on-line presence of a human user, to provide the system and the organization with critical thinking and decision-making capability. Meeting such a presence requirement is difficult to guarantee, however. Current approaches rely on very complex organizational procedures through which the organization tries to ensure that some human is always on-line performing the tasks associated with the role.
This burden can be eased by ensuring that at least one user is always available to fulfil the required role. This is achieved by moving on-line user and role management into the information system itself rather than leaving it to the services. Moving role management into the system is made possible by the concept of the virtual user profile, illustrated in the following figure.
Standard user management remains in the identity layer, while the virtual user profile is handled by a specific context and role management layer.
This layer provides intelligent management of the roles and of the information the human user needs in order to play the role. Delegating the role includes the necessary transfer of application access, the state of those applications and any other required contextual information.
At present this transfer cannot be achieved automatically and requires great effort on the part of the services. Such delegation may be needed because of temporary or permanent unavailability of the user.
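The following Python model is an added illustration of the two ideas above (function management in the identity layer, and a virtual user profile that always resolves to an available human); it is not e-Role code and the project publishes no implementation here. Everything in it is an assumption made for the example: a single HMAC key shared between the identity layer and the service, a hypothetical "payload.signature" token format, and constructed users (alice, bob, mallory) and function name (duty_officer). The point it demonstrates is that the service authorizes on the function claim alone and never sees a user, while the identity layer keeps the one user/function link needed for audit and handles delegation when the primary holder goes off-line.

```python
"""Toy model of function management in the identity layer (added example, not e-Role code).

Assumptions: one HMAC key shared by identity layer and service, a hypothetical
"payload.signature" token format, and constructed users and functions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


class IdentityLayer:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._functions: Dict[str, List[str]] = {}   # function -> holders, primary first
        self._unavailable = set()                     # users currently off-line
        self._audit: Dict[str, Tuple[str, str]] = {}  # token id -> (user, function)

    # Administration happens here, once, instead of in every service.
    def assign(self, function: str, holders: List[str]) -> None:
        """Primary holder first; later entries are delegates (virtual user profile)."""
        self._functions[function] = list(holders)

    def set_available(self, user: str, available: bool) -> None:
        if available:
            self._unavailable.discard(user)
        else:
            self._unavailable.add(user)

    def current_holder(self, function: str) -> Optional[str]:
        """Virtual-profile resolution: the first available user in the chain."""
        for user in self._functions.get(function, []):
            if user not in self._unavailable:
                return user
        return None

    def issue(self, user: str, function: str) -> Optional[str]:
        """Signed token carrying only the function, or None if `user` may not act
        as it right now. A delegate acts only while everyone ahead is unavailable."""
        if self.current_holder(function) != user:
            return None
        token_id = secrets.token_hex(8)
        payload = json.dumps({"jti": token_id, "fn": function}, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._audit[token_id] = (user, function)   # the only place user and function meet
        return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                          base64.urlsafe_b64encode(sig).decode())

    def who_acted(self, token_id: str) -> Optional[Tuple[str, str]]:
        """Audit: which human was behind a given function token."""
        return self._audit.get(token_id)


class Service:
    """Authorizes on the function claim alone; it has no user database at all."""

    def __init__(self, verify_key: bytes, required_function: str) -> None:
        self._key = verify_key
        self._required = required_function

    def parse(self, token: str) -> Optional[dict]:
        """Return the verified claims, or None for malformed or tampered tokens."""
        try:
            p, s = token.split(".", 1)
            payload = base64.urlsafe_b64decode(p)
            sig = base64.urlsafe_b64decode(s)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(payload)

    def authorize(self, token: str) -> bool:
        claims = self.parse(token)
        return claims is not None and claims.get("fn") == self._required


def demo() -> dict:
    """Constructed scenario: a round-the-clock 'duty_officer' function held by
    alice with bob as delegate; mallory holds nothing."""
    key = b"demo-shared-key"                       # assumption: one shared HMAC key
    idm = IdentityLayer(key)
    idm.assign("duty_officer", ["alice", "bob"])
    svc = Service(key, required_function="duty_officer")

    t_alice = idm.issue("alice", "duty_officer")
    bob_while_alice_present = idm.issue("bob", "duty_officer")   # None: alice is on-line
    idm.set_available("alice", False)                            # alice drops off-line
    t_bob = idm.issue("bob", "duty_officer")                     # profile falls to bob
    t_mallory = idm.issue("mallory", "duty_officer")             # None: not in the chain
    tampered = t_bob[:-4] + "AAAA"                               # corrupt the signature
    return {
        "alice_ok": svc.authorize(t_alice),
        "bob_blocked_at_first": bob_while_alice_present is None,
        "bob_ok_after_delegation": svc.authorize(t_bob),
        "mallory_blocked": t_mallory is None,
        "tampered_accepted": svc.authorize(tampered),
        "service_sees_no_user": "user" not in svc.parse(t_alice),
        "audit_behind_bob_token": idm.who_acted(svc.parse(t_bob)["jti"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. First, the symmetric HMAC key is a simplification: with a shared key the service could mint its own tokens, so a deployment following this architecture would have the identity layer sign with a private key and hand services only the public key. Second, the delegation check lives in `issue`, not in the service: a delegate cannot obtain a function token while any user ahead of them in the chain is still available, which is exactly the "always staffed, but by one accountable person at a time" property the virtual user profile is meant to provide.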