certain degree of convenience (centralised singular authentication or even
single sign‐on for all applications) and high security for authentication and
the centralised management of roles and permissions (authorisation).
Centralised management of identities and authorisation
User databases are obviously not a discovery of the cloud era. LDAP (Lightweight
Directory Access Protocol) has been available for decades, in various
product‐specific forms, as a way to manage an enterprise's identities.
LDAPWIKI provides a history of the protocol and also lists systems and
products that support the protocol and identity management in the form of
directory services.
Centralised management of identities also calls for the surrounding systems
that actually make use of it. Seen on its own, an LDAP directory remains a
trivial database: its contents can be consulted, but they serve no other purpose.
What characterises the centralised management of identities?
Identity and role management
LDAP user directories are organised by schemas. Usually, each LDAP‐based
product implements one or more standard schemas (e.g. the OpenLDAP
core.schema creates the basis for a typical user data record with fields such
as name, company, title, telephone numbers, address details, email, etc.).
The IdM or IAM challenge in relation to role management is to arrive at the
most generic approach possible. What makes this difficult is not the
technical storage in LDAP: pre‐defined schemas are already implemented, and
freely defined enterprise‐specific schemas can generally be added to any
product. The challenge lies in coming up with a design for role management
that is sufficiently generic and at the same time comprehensive.
A simple example would be a content management system that supports
workflows with the following roles: Viewer, Contributor/Editor, Content
Administrator, Approver, System Administrator.
The opposite is a system built on permissions without roles, e.g. a web
application platform including the following permissions: system login,
monitoring, application deployment, restart servers, view log files.