Identity and Access Management vs Entitlement Management
It can be confusing when people talk about IAM and Entitlement, and even more confusing when they use the terms “coarse grained entitlement” and “fine grained entitlement”, which can mean different things to different people. This article attempts to clarify the core concepts in the realm of IAM and Entitlement Management so that people can ask the right questions and get on the same page.
IAM consists of two parts – Identity Management and Access Management. These two parts go hand-in-hand because authentication (login) depends on Identity.
Identity Management
Identity Management provides a central repository—hence the single source of truth—to create, store, and maintain user profile information, including Global Unique Identifiers, organizational information, roles and job functions, credentials, and any other attributes that describe such a user account.
The Identity repository is usually backed by an LDAP-compatible directory service.
The Identity Management component should provide two functions: Identity Lifecycle Management and Profile Management. Sophisticated IAM solution providers offer both a GUI (usually an out-of-the-box web-based UI) and APIs to enable these two functions.
Identity Lifecycle Management
A typical Identity lifecycle consists of the following stages, each of which affects the validity and the status of the Identity itself.
- Onboarding/off-boarding
- Activation/deactivation
- Credentials (password, secret questions, other MFA, etc.) reset
- Lock/unlock
- Suspension/unsuspension
Some IAM providers offer a user self-enrollment feature, so that Identity admins only need to review, verify and approve enrollment requests.
Identity Profile Management
Identity Profile Management is the management of user attributes that do not affect the validity or the status of the Identity. Some of these attributes can be managed by users themselves, while others are locked down and can only be managed by Identity admins.
- User self-serve: update mobile number, address, etc.
- Controlled by Admins: roles, organizational info, job functions, account numbers, etc.
Profile information is critical for downstream applications. Some organizations have more restrictive control over Identity Management—for example, they require a maker-checker rule on the client onboarding process, hence introducing another buzzword, “Identity Governance.” Essentially, it is just the separation of duties among Identity admins; e.g., some admins can create new IDs but can’t activate them, and some other admins can activate them but can’t create them.
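To make the lifecycle stages and the maker-checker rule concrete, here is an added example (constructed for this article, not any IAM product's API) that models the Identity status transitions listed above and enforces the separation of duties just described: one admin role onboards identities, another activates them, and the admin who created an identity can never be the one who activates it. The admin names, role names and status names are assumptions.

```python
"""Constructed model of the Identity lifecycle stages with a maker-checker
(separation of duties) rule between Identity admins. Admin names, roles and
status names are assumptions for illustration, not any IAM product's API."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Status(Enum):
    PENDING = "pending"            # onboarded, awaiting activation
    ACTIVE = "active"
    LOCKED = "locked"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"    # off-boarded; terminal state


class SeparationOfDutiesError(PermissionError):
    """Raised when one admin tries to act as both maker and checker."""


@dataclass
class Identity:
    guid: str
    created_by: str
    status: Status = Status.PENDING
    history: List[Tuple[str, str]] = field(default_factory=list)


# Assumed admin roles: "maker" admins may onboard identities, "checker" admins
# may activate them. Every other action is open to any admin in this model.
ADMIN_ROLES = {
    "alice.admin": {"maker"},
    "bob.admin": {"checker"},
    "carol.admin": {"maker", "checker"},
}

# (action, current status) -> next status. Anything absent is an invalid move.
TRANSITIONS = {
    ("activate", Status.PENDING): Status.ACTIVE,
    ("lock", Status.ACTIVE): Status.LOCKED,
    ("unlock", Status.LOCKED): Status.ACTIVE,
    ("suspend", Status.ACTIVE): Status.SUSPENDED,
    ("unsuspend", Status.SUSPENDED): Status.ACTIVE,
    ("deactivate", Status.ACTIVE): Status.DEACTIVATED,
    ("deactivate", Status.SUSPENDED): Status.DEACTIVATED,
}


def onboard(guid: str, admin: str) -> Identity:
    """Create a new identity; only a maker may do this."""
    if "maker" not in ADMIN_ROLES.get(admin, set()):
        raise PermissionError(f"{admin} lacks the maker role")
    ident = Identity(guid=guid, created_by=admin)
    ident.history.append(("onboard", admin))
    return ident


def transition(ident: Identity, action: str, admin: str) -> Identity:
    """Apply a lifecycle action, enforcing the state machine and maker-checker."""
    if admin not in ADMIN_ROLES:
        raise PermissionError(f"{admin} is not an Identity admin")
    if ident.status is Status.DEACTIVATED:
        raise ValueError(f"{ident.guid} is off-boarded; no further actions allowed")
    key = (action, ident.status)
    if key not in TRANSITIONS:
        raise ValueError(f"cannot {action} an identity that is {ident.status.value}")
    if action == "activate":
        if "checker" not in ADMIN_ROLES[admin]:
            raise PermissionError(f"{admin} lacks the checker role")
        # Maker-checker: whoever created the identity cannot also activate it,
        # even if they happen to hold the checker role as well.
        if admin == ident.created_by:
            raise SeparationOfDutiesError(
                f"{admin} onboarded {ident.guid} and cannot also activate it")
    ident.status = TRANSITIONS[key]
    ident.history.append((action, admin))
    return ident


def allowed(ident: Identity, action: str, admin: str) -> bool:
    """Dry-run check on a copy: would this admin be permitted to do this?"""
    try:
        transition(Identity(ident.guid, ident.created_by, ident.status), action, admin)
    except (PermissionError, ValueError):
        return False
    return True
```

The `history` list is the audit trail an Identity Governance reviewer would want: every status change records which admin performed it, so a maker-checker violation is visible after the fact as well as blocked up front.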
Access Management
Before the system can determine what you have access to (Authorization), it has to determine whether you really are who you claim you are (Authentication).
Authentication
A decade ago it was sufficient to prove you owned a Global Unique Identifier if you knew its associated password. Nowadays, to meet regulatory requirements, in addition to the password, another secret (2FA) or more than one other secret (MFA) must be provided to identify yourself.
Modern IAM providers must provide the following features:
- Global Unique ID and Password verification
- 2FA/MFA verification, e.g. SMS, biometrics, secret questions, etc.
- Single Sign-On (SSO)
  - Any IAM product must be able to act as an Identity Provider (IdP), which enables SSO among applications, aka Service Providers (SPs).
  - User credentials, including the password and other secrets, are never exposed to any application.
  - The Identity Provider asserts to the Service Providers the authenticity of the user's requests, based on the trust agreement between the Identity Provider and the Service Providers.
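The following added example (constructed for this article, not any vendor's protocol) walks through the SSO points above: the Identity Provider checks the Global Unique ID, password and a second factor, then hands the Service Provider a signed assertion; the Service Provider validates it against the key it shares with the IdP under their trust agreement and never sees the credentials. The user record, one-time code, shared keys and token format are all assumptions; a real deployment would use SAML or OpenID Connect rather than this hand-rolled token.

```python
"""Constructed IdP/SP assertion exchange. Key material, the user record, the
one-time code and the token format are assumptions for this example only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Identity Provider side ------------------------------------------------

_SALT = b"constructed-fixed-salt"  # fixed so the example is deterministic


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user record: the IdP stores a password hash and the currently
# valid one-time code (e.g. one just delivered by SMS), never the password.
USER_STORE = {
    "GUID-1001": {
        "password_hash": _hash_password("correct horse battery staple"),
        "otp": "482913",
    }
}

# Trust agreements: one shared signing key per Service Provider (constructed).
SP_KEYS = {
    "banking-app": b"CONSTRUCTED-banking-app-key",
    "profile-api": b"CONSTRUCTED-profile-api-key",
}


def authenticate(guid: str, password: str, otp: str) -> bool:
    """Global Unique ID + password + second factor, checked only at the IdP."""
    rec = USER_STORE.get(guid)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["password_hash"], _hash_password(password))
    otp_ok = hmac.compare_digest(rec["otp"].encode(), otp.encode())
    return pw_ok and otp_ok


def issue_assertion(guid: str, password: str, otp: str, audience: str,
                    now: Optional[int] = None) -> Optional[str]:
    """Return a signed assertion for `audience`, or None if login fails."""
    if audience not in SP_KEYS or not authenticate(guid, password, otp):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": guid, "aud": audience, "iat": now, "exp": now + 300}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SP_KEYS[audience], payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"  # the credentials themselves never leave the IdP


# --- Service Provider side -------------------------------------------------

def verify_assertion(token: str, shared_key: bytes, my_audience: str,
                     now: Optional[int] = None) -> Optional[dict]:
    """Validate signature, audience and expiry; return the claims or None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(shared_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != my_audience or claims.get("exp", 0) <= now:
        return None
    return claims
```

Two checks on the SP side matter most in practice: the audience check stops an assertion issued for one application from being replayed against another, and the expiry check bounds how long a captured assertion stays usable.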
Authorization
Authorization is the most confusing part. Is it simply another word for Entitlements? In general, Authorization, or Entitlement, can be divided into the following three levels:
Application level access
Here, an application means a web-based system that provides user interfaces backed by services—for example, an online banking application. If a user is not authorized to access the application, they are blocked from the entire application, i.e. every resource the application can offer. There are two ways to block unauthorized access:
- The Identity Provider knows which applications the user is entitled to, and blocks access by not issuing an SSO assertion for the targeted application. Some IAM solution providers call this coarse-grained entitlement.
- The Identity Provider issues an SSO assertion to the targeted application, and it is up to the targeted application to decide whether to block the user entirely.
Resource API level access
Here, a Resource API means a web-based application without user interfaces; it returns or processes data in the back end. For example, a User Profile API can provide create/read/update/suspend operations to user admin modules. This definitely qualifies for coarse-grained entitlement. Whether it can be considered fine-grained entitlement really depends on how granular the resource APIs are. Most modern IAM solution providers — Centrify and Okta, for example — support this level of access management.
Object/row level access
Objects within applications and rows within databases are internal to applications; hence, access control on these resources must be considered fine-grained entitlement. IAM, as an independent external system, has no means to access or control access to these internal resources; therefore, object/row-level access control is NOT in the scope of IAM. If any IAM providers claim they support fine-grained entitlement management, ask them the right questions.
Having said that, there is nothing stopping us from centralizing and storing attributes that can be used to drive object/row-level access control in user profiles within the IAM directory. IAM can simply pass this information on to the targeted applications as assertions for fine-grained decision-making. Alternatively, and as a best practice, applications should externalize such decisions to a central Entitlement Service (again, not IAM), provided the application has the ability to interact with such an Entitlement Service.
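To show where each of the three levels is actually decided, here is an added example (constructed for this article, not any product's data model) that walks a request through application-level access at the IdP, resource-API-level access at the API, and object/row-level access delegated to an external Entitlement Service. It also shows the point made above: the IdP merely carries profile attributes such as role and branch in its assertion, and the row-level decision is made outside IAM. The assertion contents, policy, role names and sample rows are all assumptions.

```python
"""Constructed end-to-end check of the three authorization levels. Assertion
contents, API policy, role names and sample rows are assumptions made for
illustration, not any product's data model."""
from typing import Dict, List, Optional

# Attributes the IdP stores centrally and passes on in its assertion
# (constructed). "apps" drives application-level access; "roles" and "branch"
# are only carried through for the finer-grained decisions downstream.
ASSERTIONS: Dict[str, dict] = {
    "GUID-1001": {"sub": "GUID-1001", "apps": ["banking-app"],
                  "roles": ["teller"], "branch": "NYC-01"},
    "GUID-1002": {"sub": "GUID-1002", "apps": ["banking-app", "hr-portal"],
                  "roles": ["ops_admin"], "branch": "SFO-02"},
    "GUID-1003": {"sub": "GUID-1003", "apps": ["hr-portal"],
                  "roles": ["hr"], "branch": "NYC-01"},
}


# Level 1: application-level. The IdP withholds the SSO assertion when the
# user is not entitled to the application at all (coarse-grained).
def idp_release_assertion(guid: str, app: str) -> Optional[dict]:
    assertion = ASSERTIONS.get(guid)
    if assertion is None or app not in assertion["apps"]:
        return None
    return assertion


# Level 2: resource-API level. Which role may call which operation on which
# API (constructed policy for an accounts API without a UI).
API_POLICY: Dict[str, Dict[str, set]] = {
    "accounts-api": {
        "read": {"teller", "ops_admin"},
        "update": {"ops_admin"},
        "close": {"ops_admin"},
    },
}


def api_permits(assertion: dict, api: str, operation: str) -> bool:
    allowed_roles = API_POLICY.get(api, {}).get(operation, set())
    return any(role in allowed_roles for role in assertion["roles"])


# Level 3: object/row-level. Internal to the application, so decided by an
# Entitlement Service the application calls, not by IAM.
ACCOUNT_ROWS: List[dict] = [  # constructed rows from the application's database
    {"account": "ACC-100", "branch": "NYC-01", "owner": "GUID-2001"},
    {"account": "ACC-101", "branch": "NYC-01", "owner": "GUID-2002"},
    {"account": "ACC-200", "branch": "SFO-02", "owner": "GUID-2003"},
]


class EntitlementService:
    """Row filter: tellers see only their own branch; ops_admins see every row."""

    def filter_rows(self, assertion: dict, rows: List[dict]) -> List[dict]:
        if "ops_admin" in assertion["roles"]:
            return list(rows)
        return [r for r in rows if r["branch"] == assertion.get("branch")]


def handle_request(guid: str, app: str, api: str, operation: str,
                   entitlements: EntitlementService) -> dict:
    """Walk a request through all three levels and report where it stopped."""
    assertion = idp_release_assertion(guid, app)
    if assertion is None:
        return {"level": "application", "allowed": False, "rows": []}
    if not api_permits(assertion, api, operation):
        return {"level": "api", "allowed": False, "rows": []}
    rows = entitlements.filter_rows(assertion, ACCOUNT_ROWS)
    return {"level": "row", "allowed": True,
            "rows": [r["account"] for r in rows]}
```

The useful question to ask a vendor follows directly from the structure: `idp_release_assertion` is the only function an IAM product can genuinely own, `api_permits` is what products like the ones named above offer at the resource-API level, and `EntitlementService.filter_rows` has to know the application's own data, which is why it sits outside IAM.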
Conclusion
IAM and Entitlement Management can mean different things to different people, which is why they are so often confused. In general, the following diagram depicts their scopes.