Identity and Access Management

I read xacml  [James McGovern] entry around representing the authorization model. He has raised a great point on how to translate the authorization use-case narratives in to a simple representations. So far based on the various conversations around the authorization models, I have not been able to find a way to represent the complete authorization model as a diagram. The simple reason being that at the core of the authorization model are business rule and it is tough to represent them as diagram. Let me elaborate on that. Basically, when you start looking at the authorization use-cases, at a very high level the following components typically form the part of the authorization data model Users and their organization into groups, roles, client organization, etc Resources and their organization into hierarchy, groups, etc Actions and probably some form of their organization Attributes of the user, resources (and may be actions), environment that help perform fine grained evaluation

Update September 6, 2015: Part II in the series is now available . Update August 19,2006: I am rewriting this entry based on the methodology I am using for some of other domains. Hopefully, the new methodology would make it more useful to some of you. I talk to a lot of people from developer background who still do not have a good background in the IAM technology. Eventhough there is a lot of information on the web, I have felt a lack of good technological discussion on the various component that  actually form the IAM domain. Some of the good sources for the information on IAM are Microsoft Identity and Access Management Series Archie Reed Oracle Federated Identity Buyers guide Oracle Identity Management Buyer's Guide Identity Management Dissected Most of these document discuss the basic concepts but do not extend it to existing technologies and how it applies to them. This series is an attempt to look at the technology behind the Identity and access manage