6 thoughts on “Long read: Modelling Identity in Enterprise Architecture / ArchiMate”

  1. Jan, great effort. I am not an expert in this field, so I may have some stupid questions for you; I just like to understand your effort. My questions are: why don’t you refer to RBAC and ABAC? Why should IDENTITY literally be modelled? Why don’t you refer to this paper? : https://ai2-s2-public.s3.amazonaws.com/figures/2017-08-08/9a5643d19a14b3e32ae2bdeaa7d859736b3454c5/3-Figure2-1.png https://www.semanticscholar.org/paper/Modeling-Access-Control-Transactions-in-Enterprise-Gaaloul-Guerreiro/9a5643d19a14b3e32ae2bdeaa7d859736b3454c5
    In this presentation also RBAC is mentioned as IAM paradigm: https://www.slideshare.net/AlainHuet2/infosafe-ah-iam-2013-26270185

    When I write scientific articles, I always start with: scholar.google.com
    https://scholar.google.nl/scholar?hl=en&as_sdt=0%2C5&q=archimate+rbac&btnG=

    1. Mark, questions are never stupid. (Not asking questions may be.) I don’t refer to RBAC/ABAC because that’s access management, and the conclusion states I’ll address that in another paper (will be another long read). The Gaaloul/Guerreiro/Proper paper is already in my library, but it’s also access management – also it doesn’t cover identity, it directly ties the permissions to “users”. This overlooks the identity context. Thanks for the AlainHuet reference; I’ll investigate.

  2. Jan, I like this article very much, a perfect inspiration in the right moment.
    Thanks!

  3. Jan, this is truly a very helpful description of the various concepts around (digital) identities! It really helped me to establish a common understanding of the concepts at my employer.
    Looking forward to your blog posts about credentials and access.

    Thanks for sharing this with us.
    Till

  4. Jan, like you, I’ve experienced Identity and Entitlement Management as a particularly tricky topic to understand and model. If only all those different standards would align their terms and definitions… So thank you for clarifying the business terminology.
    However, there is a subdomain I feel is missing in this discussion. It’s a concept I’ve learned to call ‘involvement role’. Actually, in many business processes, actors have authorizations based on an assigned involvement with a particular case – researcher, assessor, reviewer, operator, etc. A person can have different involvement with different cases (think: medicine, legal, projects). However, there are restrictions, the person must be qualified to be assigned an involvement role. Qualification may be derived from a business role, but often personal skills (e.g. language) and (valid) certifications also play a role.
    Having a “person” identified by some identity “involved” in a “case” is easy to capture in ArchiMate. I tend to model the “Identity” object on the assignment relation between a “Subject” actor and the “Involvement Role” business interaction (a bit of a stretch – “a unit of behaviour performed as a collaboration between two” identities, so you could also opt for a business role, although this cannot be part of a business process), which is part of a “Case”, which is a specialized business process. Nowadays, you can even include the qualification in ArchiMate, and have a person realize this qualification. However, I struggle to find a way to express the condition here (only a qualified person shall be assigned to an involvement role). Any thoughts?
    Thanks, Hans.

    1. Hi Hans,
      There’s a lot to unpack in your question. Nothing like it has been covered yet, because it goes way further than identity only, into authorization and past that. Not something I can easily address fully in a succinct reply. That said, I could throw together these observations:
      I don’t think the business collaboration concept is a particularly good fit for what you want to model – and maybe neither is the role. Perhaps an expert is a business actor “subject” associated with a capability “skillset”. If I group these two, then the group “Expert” can serve the business process “Case”. There can be a requirement “Skill required” associated from “Case”, and it’s the capability “Skillset” that realizes it.
      Not really pretty yet, but ArchiMate primarily serves to model structure and behaviour of some definite (and thus unconditional) reality. Unsatisfactory I know, but hit me on LinkedIn and we can discuss this more in depth.
