Anil John
Making Digital Services Secure and Trustworthy


User Attributes - More than Identity


Mark Dixon's blog post on "User Attributes - Part of Identity?" talks to the point that attributes that make up a person's identity are not going to be located in just the main directory, but distributed across multiple repositories.

I completely agree with this point of view and think that architectural approaches such as the "Pull Based Identity Architecture" and technical implementations such as the "FICAM Backend Attribute Exchange (BAE)" exist to pull together the fragmented and distributed aspects of a person's identity, at the moment of need, via a single point of query.

The clarification I would add is that when talking of User Attributes, it is often useful to make distinctions regarding what they are, and what they are used for. The model that I use is the following:

  • Identity Attributes - Attributes of a person that are focused on identifying and/or authenticating a person. These are often attributes that are available on a credential.
  • Authority Attributes - Attributes used to make access control decisions. These are authorities, licences, roles or privileges associated with a person that allow them access to physical and/or logical resources.
  • Preference Attributes - Attributes that are related to user preferences, often self-asserted, that allow the tailoring of displays and information.
  • Environmental Attributes - Attributes that relate to the current status of the operational environment (often not directly person-related, but relevant) and/or to security aspects of how the person is coming into the system, e.g. connecting via VPN or the current threat level.

By separating User Attributes into these buckets, it immediately becomes obvious that there can be no single directory or repository (especially in large organizations) that can hold all of these attributes that make up a digital person.
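The following is an added example, not code from the original post or from FICAM BAE: a minimal sketch of a single point of query that pulls attributes from several repositories and tags each with its bucket, so that an access decision reads only Authority and Environmental attributes. The repository names, attribute names, and sample records are constructed assumptions.

```python
from enum import Enum

class Category(Enum):
    IDENTITY = "identity"
    AUTHORITY = "authority"
    PREFERENCE = "preference"
    ENVIRONMENTAL = "environmental"

# Constructed sample repositories (hypothetical names): each one is
# authoritative for exactly one attribute category.
REPOSITORIES = {
    "hr_directory": (Category.IDENTITY,
                     {"jdoe": {"email": "jdoe@example.org"}}),
    "entitlements": (Category.AUTHORITY, {"jdoe": {"role": "analyst"}}),
    # Self-asserted store: the user typed "role": "admin" into a profile.
    "profile_store": (Category.PREFERENCE,
                      {"jdoe": {"locale": "en-US", "role": "admin"}}),
    "session_context": (Category.ENVIRONMENTAL,
                        {"jdoe": {"via_vpn": True}}),
}

def pull_attributes(subject):
    """Single point of query: gather the subject's attributes from every
    repository at the moment of need, keeping category and source."""
    view = {category: {} for category in Category}
    for source, (category, records) in REPOSITORIES.items():
        for name, value in records.get(subject, {}).items():
            view[category][name] = {"value": value, "source": source}
    return view

def decide_access(subject, required_role):
    """Access decision that reads only Authority and Environmental
    attributes; Preference values are never consulted."""
    view = pull_attributes(subject)
    role = view[Category.AUTHORITY].get("role", {}).get("value")
    via_vpn = view[Category.ENVIRONMENTAL].get("via_vpn", {}).get("value")
    return role == required_role and via_vpn is True

if __name__ == "__main__":
    print(decide_access("jdoe", "analyst"))
    print(decide_access("jdoe", "admin"))
```

Because the buckets are kept separate in the aggregated view, the self-asserted `role` in the preference store cannot collide with or override the one from the entitlements repository.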


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

I am a digital security coach. I help technical leaders make digital services secure and trustworthy.