This section defines identity management categorizations that are featured in the use cases presented in this document. Use cases may list one or more of these categorizations within the “Categories Covered” box of the “Notable Categorizations and Aspects” section of each use case.
This document will use the following categories to classify identity in the cloud use cases:
This category includes use cases that feature the establishment of identity and trust between cloud providers, their partners and customers, and includes consideration of topics such as Certificate Services (e.g. X.509), Signature Validation, Transaction Validation, Non-repudiation, etc.
1.4.2 Identity Management (IM)
This category includes use cases that feature Identity Management in cloud deployments.
This categorization is used if the use case features the need for Identity Management in general terms, without specifying or referencing particular methods or patterns.
1.4.2.1 Infrastructure Identity Management (IIM)
This subcategory includes use cases that feature Virtualization, Separation of Identities across different IT infrastructural layers (e.g. Server Platform, Operating System (OS), Middleware, Virtual Machine (VM), Application, etc.).
1.4.2.2 Federated Identity Management (FIM)
This subcategory includes use cases that feature the need to federate Identity Management across cloud deployments and enterprise.
This category includes use cases that describe user and service authentication methods applicable to cloud deployments.
This categorization is used if the use case features the need for Authentication in general terms, without specifying or referencing particular methods or patterns.
1.4.3.1 Single Sign-On (SSO)
This subcategory of authentication includes use cases that feature Single Sign-On (SSO) patterns across cloud deployment models.
This subcategory of authentication indicates that the use case uses more than one factor or credential to establish the identity of a user or service. The more factors that can be verified or authenticated about an identity, the greater the weight or “strength” given to the authenticated identity; this is why such use cases are associated with the term “strong authentication”.
This category includes use cases that feature the granting of Access Rights to cloud resources to users or services following the establishment of identity. Use cases in this section may include authorization concepts such as Security Policy Enforcement and Role-Based Access Control (RBAC), as well as representations and conveyance of authorization, such as Assertions, to cloud services.
This category is used if the use case features the need for authorization in general terms without specifying or referencing particular methods or patterns.
This category is used if the use case features the need for the administration of access control policies.
1.4.5 Account and Attribute Management
This category includes use cases that feature account establishment including Security Policy Attributes along with their Management or Administration. Use cases may include descriptions of established provisioning techniques, as well as developing examples of Just-In-Time (JIT) Account Provisioning.
This subcategory of Account and Attribute Management highlights use cases that feature provisioning of identity and accounts within cloud deployments. This includes provisioning of any attributes that are associated with an identity that may affect policy decisions and enforcement.
This category includes use cases that feature Security Token Formats and Token Services including Token Transformation and Token Proofing.
This category includes the secure management of identities and identity related information (including privacy information) so that actions taken based on those identities can be legally used to validate adherence to the rules that define the security policies of the system.
1.4.8 Audit & Compliance
This category includes use cases that feature Identity Continuity within cloud infrastructure and across cloud deployment models for the purpose of non-repudiation of identity associated with an action permitted against security policy.
1.5 Actor Name Construction
In order to have consistent names for actors (roles) referenced in use cases, this document defines a qualification syntax comprising four terms.
This syntax is intended to provide a detailed context of where the actor is performing their use case function, under which organization, against what resources and under what role.
These four terms are:
Deployment Type – Qualifies the actor's domain of operation (i.e. the deployment entity where they perform their role or function).
Organizational Type – Further qualifies the actor by the organization within their deployment entity.
Resource Type – Further qualifies the actor by the resources they have been entitled to interact with.
Role Type – Further qualifies the actor by their role-based entitlements.
The general syntax for creating a name for an actor is as follows:
Deployment Type | Organizational Type | Resource Type | Role Qualification
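The following Python snippet is an added example, not part of this document, showing how a tool that consumes use cases might parse and validate actor names written in the four-term syntax above. The separator, the whitespace normalization, the "*" wildcard used in `matches()`, and the sample actor values ("Public Cloud", "Cloud Provider", "Virtual Machine", "Administrator") are all assumptions made for illustration; the document itself defines only the four terms and their order.

```python
import re
from dataclasses import dataclass

# Assumption: terms are separated by a vertical bar, as in the syntax line above.
SEPARATOR = "|"
TERM_NAMES = ("Deployment Type", "Organizational Type", "Resource Type", "Role Type")


@dataclass(frozen=True)
class ActorName:
    """One actor (role) name, split into the document's four qualification terms."""
    deployment_type: str
    organizational_type: str
    resource_type: str
    role_type: str

    def terms(self) -> tuple:
        return (self.deployment_type, self.organizational_type,
                self.resource_type, self.role_type)

    def format(self) -> str:
        # Canonical spelling: single spaces around the separator.
        return f" {SEPARATOR} ".join(self.terms())


def parse_actor_name(text: str) -> ActorName:
    """Parse 'Deployment | Organization | Resource | Role' into an ActorName.

    Raises ValueError when the name does not have exactly four non-empty terms,
    so a malformed name is rejected rather than silently mapped to a role.
    """
    terms = [re.sub(r"\s+", " ", t).strip() for t in text.split(SEPARATOR)]
    if len(terms) != len(TERM_NAMES):
        raise ValueError(
            f"expected {len(TERM_NAMES)} terms separated by '{SEPARATOR}', "
            f"got {len(terms)}: {text!r}")
    empty = [name for name, term in zip(TERM_NAMES, terms) if not term]
    if empty:
        raise ValueError(f"empty term(s) {', '.join(empty)} in {text!r}")
    return ActorName(*terms)


def is_well_formed(text: str) -> bool:
    """True if the text parses as a complete four-term actor name."""
    try:
        parse_actor_name(text)
        return True
    except ValueError:
        return False


def matches(actor: ActorName, pattern: str) -> bool:
    """Compare an actor against a pattern in the same syntax.

    Assumption (not from the document): '*' in a pattern term matches any value,
    and comparison is case-insensitive. This lets a policy be scoped to, e.g.,
    every Administrator in a given deployment regardless of organization.
    """
    wanted = parse_actor_name(pattern).terms()
    return all(p == "*" or p.lower() == a.lower()
               for a, p in zip(actor.terms(), wanted))


if __name__ == "__main__":
    # Constructed sample name; the term values are illustrative only.
    admin = parse_actor_name("Public  Cloud|Cloud Provider | Virtual Machine|Administrator")
    print(admin.format())
    print(matches(admin, "Public Cloud | * | * | Administrator"))
```

A parser like this is the natural place to enforce the convention: anything that does not carry all four terms is refused, and the canonical `format()` output gives a single spelling to key policies and audit records on.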
The following sections include diagrams that show the logical derivation (inheritance) for each of these qualification terms.