To understand how identity management systems work, you first need to understand the "terms" these systems use.
Let's look at some of them:
Identity
An Identity is the summary of information about a person, group or resource (computer, printer etc.) or any "thing" about which you wish to store data. This data is typically contained in different, and often incompatible, directories and databases throughout an organization.
IdM
An IdM (Identity Management System) is an application (or service) that coordinates information held in different data sources throughout an organization. In most organizations, this information is typically scattered in different directories, databases, and other data repositories throughout the Information Technology (IT) infrastructure. It is usually heavily redundant; it is likely to be inconsistent, giving rise to conflicts; it will generally be frustrating and expensive to administer; and it may be the cause of security holes. An IdM system enables you to manage identity information by controlling the flow of identity information between directories.
Metadirectory
A metadirectory collects information from different data sources throughout an organization and then combines all or part of that information into an integrated, unified view. This unified view presents all of the information about an object, such as a person or network resource, that is contained throughout the organization. An IdM system may have a metadirectory at its heart, and MIIS 2003 (Microsoft Identity Integration Server 2003) is such a system.
Connected Data Source
A Connected Data Source (CD) is a data source (a directory, database, or other data repository) that contains identity data to be integrated within MIIS. CDs can be enterprise directories, NOS directories, databases, or data in flat files, such as LDIF, DSML or delimited text.
Management Agent
A Management Agent (MA) manages the data associated with a specific Connected Data Source (CD). The MA not only connects to the CD, but is responsible for managing the flow of data (inbound and outbound). There is at least one management agent for each CD.
Metaverse
The Metaverse (MV) is a set of tables within MIIS 2003 that contain the integrated identity information from multiple connected sources. All identity information about a specific person or object, which is stored in multiple connected sources, is synthesized into a single entry in the MV.
Connector Space
The Connector Space (CS) is a storage area, and a staging area. It stores the holograms (states) that are used to decide whether information in a CD has changed, or needs to be changed. It is also where changes are staged on their way into or out of MIIS. Each CD has its own logical area in the Connector Space, which is managed by its corresponding MA. The CS is essentially a mirror of the related connected data source, with each object in the connected data source having a corresponding entry in the connector space. The connector space does not contain the Connected Data Source object itself, but a subset of the object’s attributes, as defined by the MA.
Joins and Projections
When a CS object is connected to a corresponding entry in the MV, that is called a Join. If an entry in the Connector Space should be represented in the Metaverse, but no corresponding entry in the Metaverse can be found by the Join process, a new Metaverse object may be created for this entry (according to how the MA is configured). The creation of a new MV object is known as Projection, and following projection, the CS entry will stay connected to the new MV object.
Attribute Flow
Once connections are made (CD to CS to MV, and back again), Attribute Flow can take place according to the defined Attribute Flow Rules.
Provisioning and Deprovisioning
It is possible to define object flow rules in MIIS 2003 which imply that the presence of an entry in one Connected Data Source requires the presence of a corresponding entry in another CD. For example, the existence of an entry in a Human Resources system (representing an employee) might require the existence of an Active Directory account for this employee. In order to enforce this rule, MIIS 2003 may be configured to create and remove entries in (for example) the Active Directory: the creation of entries is Provisioning and the removal of entries is Deprovisioning.
These and many other terms must be understood so that "confusion" does not arise when it comes time to use them!!!
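To make the terms above concrete, here is an added toy model of one MIIS synchronization cycle. It is my own constructed Python, not MIIS code and not part of the original post: each management agent keeps a connector space of holograms and compares it against its connected data source to detect changes, CS entries are joined to the metaverse by a join rule or projected when no match exists, inbound and outbound attribute flow rules copy attributes, and an object flow rule provisions a directory account for every HR employee and deprovisions it when the HR entry disappears (serving both the Joins and Projections and the Provisioning and Deprovisioning sections). The attribute names, the sample records, the mv-N identifiers and the rule that builds a directory anchor from the first initial plus surname are all constructed assumptions for this illustration.

```python
# Constructed toy model of the MIIS 2003 concepts in this post (not MIIS code).
from dataclasses import dataclass, field


@dataclass
class Metaverse:
    objects: dict = field(default_factory=dict)  # mv_id -> integrated attributes
    counter: int = 0

    def join(self, attr, value):  # join rule: the MV entry whose `attr` == value, else None
        return next((i for i, a in self.objects.items() if value is not None and a.get(attr) == value), None)

    def project(self):  # projection: no join partner, so create a new, empty MV object
        self.counter += 1
        mv_id = f"mv-{self.counter}"  # constructed id scheme
        self.objects[mv_id] = {}
        return mv_id


@dataclass
class ManagementAgent:
    source: dict            # the CD itself, keyed by its anchor attribute
    join_attr: str          # attribute compared by the join rule
    inbound: dict           # import attribute flow: CS attr -> MV attr
    outbound: dict = field(default_factory=dict)   # export flow: MV attr -> CS attr
    projects: bool = False  # may this MA project new MV objects?
    holograms: dict = field(default_factory=dict)  # CS: anchor -> last-seen attributes
    links: dict = field(default_factory=dict)      # CS: anchor -> mv_id (connectors)

    def stage_import(self):
        """Import run: diff the CD against the holograms and return the deltas."""
        delta = {"add": [], "modify": [], "delete": []}
        for anchor, attrs in self.source.items():
            if anchor not in self.holograms:
                delta["add"].append(anchor)
            elif self.holograms[anchor] != attrs:
                delta["modify"].append(anchor)
            self.holograms[anchor] = dict(attrs)
        for anchor in [a for a in self.holograms if a not in self.source]:
            delta["delete"].append(anchor)
            del self.holograms[anchor]
            self.links.pop(anchor, None)  # its MV link goes away with it
        return delta

    def synchronize(self, mv):
        """Inbound sync: join or project each CS entry, then apply the inbound flow."""
        for anchor, attrs in self.holograms.items():
            mv_id = self.links.get(anchor) or mv.join(self.join_attr, attrs.get(self.join_attr))
            if mv_id is None:
                if not self.projects:
                    continue  # a disconnector: staged in the CS, absent from the MV
                mv_id = mv.project()
            self.links[anchor] = mv_id
            for cs_attr, mv_attr in self.inbound.items():
                if cs_attr in attrs:
                    mv.objects[mv_id][mv_attr] = attrs[cs_attr]

    def export(self, mv):
        """Export run: write the outbound flow of every connector back into the CD."""
        for anchor, mv_id in self.links.items():
            entry = self.source.setdefault(anchor, {})
            for mv_attr, cs_attr in self.outbound.items():
                if mv_attr in mv.objects[mv_id]:
                    entry[cs_attr] = mv.objects[mv_id][mv_attr]
            self.holograms[anchor] = dict(entry)


def apply_object_flow(mv, authoritative, target, make_anchor):
    """Object flow rule: an MV entry connected in `authoritative` must have a connector
    in `target` (provisioning); one that lost it loses its target entry (deprovisioning)."""
    auth_ids = set(authoritative.links.values())
    target_by_mv = {mv_id: anchor for anchor, mv_id in target.links.items()}
    for mv_id in list(mv.objects):
        if mv_id in auth_ids and mv_id not in target_by_mv:
            anchor = make_anchor(mv.objects[mv_id])
            target.links[anchor] = mv_id      # pending add, written by the next export
            target.holograms[anchor] = {}
        elif mv_id not in auth_ids and mv_id in target_by_mv:
            anchor = target_by_mv[mv_id]
            for store in (target.links, target.holograms, target.source):
                store.pop(anchor, None)       # the directory account itself is removed
            del mv.objects[mv_id]             # and so is the now-orphaned MV object


def run_cycle(mv, hr, directory):
    """One full cycle: import both CDs, synchronize, apply the object flow rule, export."""
    deltas = (hr.stage_import(), directory.stage_import())
    hr.synchronize(mv)
    directory.synchronize(mv)
    apply_object_flow(mv, hr, directory, lambda o: (o["givenName"][0] + o["sn"]).lower())
    directory.export(mv)
    return deltas


def build_demo():
    # Constructed sample: HR is authoritative and projects; the directory holds one account.
    hr = ManagementAgent(
        {"1001": {"employeeID": "1001", "givenName": "Ana", "sn": "Souza", "dept": "Finance"},
         "1002": {"employeeID": "1002", "givenName": "Bruno", "sn": "Lima", "dept": "IT"}},
        "employeeID", {"employeeID": "employeeID", "givenName": "givenName", "sn": "sn", "dept": "department"},
        projects=True)
    directory = ManagementAgent(
        {"asouza": {"employeeID": "1001", "displayName": "Ana S."}}, "employeeID", {},
        outbound={"employeeID": "employeeID", "givenName": "givenName", "sn": "sn", "department": "department"})
    return Metaverse(), hr, directory
```

Run `build_demo()` and then `run_cycle()` repeatedly: the first cycle joins Ana's existing directory account to the MV object projected from HR and provisions "blima" for Bruno; deleting Bruno from HR before the next cycle deprovisions that account and removes his MV object, while a directory entry with no HR counterpart stays in the connector space as a disconnector and never reaches the metaverse, because the directory MA is not allowed to project.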
Until next time!