Tilting at Windmills 1: Identity Management v Access Control Management

I said I'd say why I use the term access control rather than the term identity management. I'm tilting at windmills, I know - but I don't think we manage identities, though it's a cool marketing idea. In fact we manage symbols that we bind to notions of real persons like "Alice" or "Bob," and that we bind to non-real but useful notions such as "root" or "Administrator." We manage identifiers, which may be defined as the attributes of entities, real and non-real, having representations in some system. A login identifier or username is no more an identity than is my driver's license. The latter is in fact a certificate that contains identifying attributes about me; it is neither me nor my identity.

Access control management is the name that has historically (until about 2001) encompassed the management of subjects or users - their names and symbolic references; objects, resources, or targets - entities on which subjects may act; actions - what a subject may execute upon an object; and conditions or context - factors unrelated to the attributes of subjects or objects which will inform an access control decision. Separating user administration from access management and calling it Identity Management has had debatable success from a number of perspectives.

Renaming something may enable us to look at it from different perspectives, and learn new things about it. The introduction of life cycle management into user administration has been a demonstrable benefit of identity management. But this wasn't a consequence of renaming it; it was a consequence of trying to address user administration at enterprise scale. I think the confusion caused by the divorce between access control management and user administration - I'm sorry, Identity Management - may have provided short-term marketing benefits, but in the long run it has damaged the application of well-founded principles.

While marketing departments and techno-strategists will vociferously defend their newly named product or try to explain why identity management is not user administration, or for that matter why SOA isn't client/server, or an attribute service isn't a virtual or meta-directory - call me a fundamentalist (no fun, and slightly mental) - but I ain't buyin' it.
