User Attributes - More than Identity

Mark Dixon’s blog post on “User Attributes - Part of Identity?” talks to the point that attributes that make up a person’s identity are not going to be located in just the main directory, but distributed across multiple repositories.

I completely agree with this point of view and think that architectural approaches such the “Pull Based Identity Architecture” and technical implementations such as the “FICAM Backend Attribute Exchange (BAE)” exist to pull together the fragmented and distributed aspects of a person’s identity, at the moment of need, via a single point of query.

The clarification I would add is that when talking of User Attributes, it is often useful to make distinctions regarding what they are, and what they are used for. The model that I use is the following:

• Identity Attributes - Attributes of a person that are focused on identifying and/or authenticating a person. These are often attributes that are available on a credential.
• **Authority Attributes **- Attributes used to make access control decisions. These are authorities, licences, roles or privileges associated with a person that allow them access to physical and/or logical resources.
• Preference Attributes - Attributes that are related to user preferences, often self asserted, that allow the tailoring of displays and information.
• Environmental Attributes - Attributes that relate to the current status of the operational environment (Often not directly person related but relevant) and/or related to security aspects of how the person is coming into the system. e.g. Connecting via VPN or Current Threat Level

By separating User Attributes into these buckets, it immediately becomes obvious that there can be no single directory or repository (especially in large organizations) that can hold all of these attributes that make up a digital person.

Related Info

• Want ABAC? Across Organizations? Start with Policy!