Identity synchronization: which is the best conflict resolution model?
In every identity management solution there is one identity management system and one or more managed systems, also known as target or resource systems.
Identity synchronization is the task of synchronizing identity data across a wide range of heterogeneous applications, directories, databases, and other data stores connected to the identity management system, in order to capitalize on its provisioning capabilities and, inherently, on all the benefits that the identity management system brings.
So we can say that the main duty of identity synchronization is to keep the identity data stored across different systems synchronized and aligned.
One of the most common approaches in enterprise-level identity management solutions is to get digital identities from one or more authoritative sources, usually the HR systems, process them, and send the data to the identity management system. Once received, the identity management system applies the configured roles and policies to those identities and, depending on them, takes care of the synchronization process on the different target systems.
In this simplified description of the provisioning process we can imagine the entire process as a one-way flow that starts from HR, passes through the identity management system and then ends on the target systems.
The problem is that, often, the identity management system is neither the only actor performing actions on managed systems' accounts nor the authoritative source for some account attributes. For example, an administrator may sometimes perform manual actions directly on a managed system in order to address specific ad-hoc requirements.
When the identity management system is not the only authoritative source for all the managed identities, conflicts eventually arise.
Depending on the configuration of your identity management system, you can apply one or more of the following conflict resolution models.
You can configure your system with a one-way authoritative approach: if a conflict arises on one identity, the attributes of the account on the managed system are overwritten with the values coming from the identity management system. Alternatively, you can configure the system to let one of the target systems be authoritative over the identity management system.
Another approach is to define a per-attribute authoritative source where, for each attribute synchronized between the identity management system and the target systems, you select which system must be authoritative; or, again, you can prefer to always keep the last value stored for an attribute, with a last-change-wins approach and without defining any authoritative system.
Obviously, each model has its advantages and disadvantages. The model selection must be the consequence of different factors like:
- Organizational and environmental issues
- Performance issues
- Involved systems capabilities
- Data protection laws and rules
- Processes and policies
Even if, as always, it is not possible to define which is the best approach to use, I can give you some guidelines to reduce conflicts and maximize the benefits of the identity management solution:
- Make the identity management system authoritative for most of the synchronized attributes in order to maximize policy enforcement
- Ensure that, for each attribute, the values stored across different systems are aligned with each other, in order to simplify reporting and compliance processes and make their results more reliable and truthful
- Reduce as much as possible the activities performed directly on the managed systems and, if needed, implement a feedback flow able to report all those manual changes to the identity management solution, so that their conformity can be evaluated against the defined policies
- In order to reduce conflicts, send to each managed system only the attributes required to correctly manage its accounts
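The four conflict resolution models described above, together with the feedback flow from the last guideline, as an added illustration that is not part of the original post or of any particular identity management product. The records, timestamps and the per-attribute authority table are constructed for the example; the "modified" timestamps are a hypothetical per-attribute change tracker that real systems may or may not expose.

```python
from dataclasses import dataclass
from enum import Enum


class Model(Enum):
    """Conflict resolution models discussed in the post."""
    IDM_AUTHORITATIVE = "idm"          # identity management system always wins
    TARGET_AUTHORITATIVE = "target"    # the managed (target) system always wins
    PER_ATTRIBUTE = "per_attribute"    # authority chosen attribute by attribute
    LAST_CHANGE_WINS = "last_change"   # newest modification timestamp wins


@dataclass
class Record:
    attrs: dict      # attribute name -> value
    modified: dict   # attribute name -> epoch seconds of last change (hypothetical)


def reconcile(idm, target, model, authority=None):
    """Resolve one account's attributes between the identity management (IdM)
    system and a managed system. Returns (resolved, conflicts). Each conflict is
    (attribute, winning_side); the list doubles as the feedback report of values
    that diverged on the managed system and must be checked against policy."""
    authority = authority or {}
    resolved, conflicts = {}, []
    for attr in sorted(set(idm.attrs) | set(target.attrs)):
        i, t = idm.attrs.get(attr), target.attrs.get(attr)
        if i == t:                       # aligned: nothing to decide
            resolved[attr] = i
            continue
        if model is Model.IDM_AUTHORITATIVE:
            winner = "idm"
        elif model is Model.TARGET_AUTHORITATIVE:
            winner = "target"
        elif model is Model.PER_ATTRIBUTE:
            winner = authority.get(attr, "idm")   # unlisted attributes default to IdM
        else:  # Model.LAST_CHANGE_WINS; a tie is resolved in favour of the IdM system
            newer_idm = idm.modified.get(attr, 0) >= target.modified.get(attr, 0)
            winner = "idm" if newer_idm else "target"
        resolved[attr] = i if winner == "idm" else t
        conflicts.append((attr, winner))
    return resolved, conflicts


# Constructed sample: HR-fed IdM record vs. an account edited by hand on the target.
IDM = Record({"mail": "j.doe@example.com", "title": "Analyst", "phone": "+1-555-0100"},
             {"mail": 100, "title": 300, "phone": 100})
TARGET = Record({"mail": "j.doe@example.com", "title": "Senior Analyst", "phone": "+1-555-0199"},
                {"mail": 100, "title": 200, "phone": 400})
AUTHORITY = {"title": "idm", "phone": "target"}   # per-attribute authoritative source

if __name__ == "__main__":
    for m in Model:
        print(m.name, reconcile(IDM, TARGET, m, AUTHORITY))
```

Running it shows that the same two divergent attributes (phone, title) are resolved differently under each model, while the aligned mail attribute never appears in the conflict report.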
Tags: compliance, digital identity, identity management, identity provisioning, identity synchronization, information security, policy, reporting