Editing Identity and access management (section)

== Function ==
In the real-world context of engineering online systems, identity management can involve five basic functions:

* Pure identity function: Creation, management and deletion of identities without regard to access or entitlements
* User access (log-on) function: For example, a [[smart card]] and its associated data used by a customer to log on to a service or services (a traditional view)
* Service function: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices
* Identity federation: A system that relies on [[federated identity]] to authenticate a user without knowing their password
* Audit function: Monitors bottlenecks, malfunctions and suspect behaviors

=== Pure identity ===
A general model of [[Identity (philosophy)|identity]] can be constructed from a small set of axioms, for example that all identities in a given [[namespace]] are unique, or that such identities bear a specific relationship to corresponding entities in the real world. Such an axiomatic model expresses "pure identity" in the sense that the model is not constrained by a specific application context.

In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.

[[File:Identity-concept.svg|400 px|Identity conceptual view]]

In most theoretical and all practical models of [[digital identity]], a given identity object consists of a finite set of [[Property (philosophy)|properties]] (attribute values). These properties record information about the object, either for purposes external to the model or to operate the model, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external [[semantics]] of these properties.

The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a [[digital signature]] or [[software token]] which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.

Contrast this situation with properties that might be externally used for purposes of [[information security]] such as managing access or entitlement, but which are simply stored, maintained and retrieved, without special treatment by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.

Identity management can thus be defined as a set of operations on a given identity model, or more generally, as a set of capabilities with reference to it.

In practice, identity management often expands to express how model content is to be [[provisioning (technology)|provisioned]] and [[Reconciliation (Accounting)|reconciled]] among multiple identity models. The process of reconciling accounts may also be referred to as de-provisioning.<ref>{{Cite web |title=What is IAM? Identity and access management explained |url=https://www.csoonline.com/article/518296/what-is-iam-identity-and-access-management-explained.html |access-date=2024-04-24 |website=CSO Online |language=en}}</ref>

=== User access ===
User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organizations to minimize excessive privileges granted to one user.  Ensuring user access security is crucial in this process, as it involves protecting the integrity and confidentiality of user credentials and preventing unauthorized access. Implementing robust authentication mechanisms, such as multi-factor authentication (MFA), regular security audits, and strict access controls, helps safeguard user identities and sensitive data. User access can be tracked from initiation to termination of user access.

When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management and the two sets of processes are consequently closely related.<ref name=":1">{{Cite news|url=https://searchsecurity.techtarget.com/definition/identity-management-ID-management|title=What is identity management (ID management) ? – Definition from WhatIs.com|work=SearchSecurity|access-date=2018-12-03|language=en-US}}</ref>

=== Services ===
Organizations continue to add services for both internal users and by customers. Many such services require identity management to properly provide these services. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities.<ref name=":1" />

For internal use identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.

Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.<ref>{{Cite book|url=https://www.ncbi.nlm.nih.gov/books/NBK236546/|title=Confidentiality and Privacy of Personal Data|last1=Networks|first1=Institute of Medicine (US) Committee on Regional Health Data|last2=Donaldson|first2=Molla S.|last3=Lohr|first3=Kathleen N.|date=1994|publisher=National Academies Press (US)|language=en}}</ref>

=== Identity federation ===
{{Main|Federated identity}}
Identity federation comprises one or more systems that share user access and allow users to log in based on authenticating against one of the systems participating in the federation. This trust between several systems is often known as a "circle of trust". In this setup, one system acts as the [[Identity provider (SAML)|identity provider]] (IdP) and other systems act as [[Service provider|service providers]] (SPs). When a user needs to access some service controlled by SP, they first authenticate against the IdP. Upon successful authentication, the IdP sends a secure "assertion" to the SP. "SAML assertions, specified using a markup language intended for describing security assertions, can be used by a verifier to make a statement to a relying party about the identity of a claimant. SAML assertions may optionally be digitally signed."<ref>{{Cite journal <!-- Citation bot bypass-->|url = http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf|title = Information Security|access-date = 2015-10-10|first=William E. |last=Burr |first2=Donna F. |last2=Dodson |first3=W. Timothy |last3=Polk |doi = 10.6028/NIST.SP.800-63v1.0.2|year = 2006|citeseerx = 10.1.1.153.2795|journal=NIST Special Publication|oclc=655513066}}</ref>