
Exploring the science and magic of Identity and Access Management
Friday, November 8, 2024

Identity Relationship Diagrams

Identity
Author: Mark Dixon
Wednesday, March 13, 2013
2:37 pm

Searching back through the archives, I realized that I had first used the term “Identity Relationship Diagram” in a blog post on July 21, 2005. I stated then:

In the discipline of database design, Entity Relationship diagrams are used to diagram database schemas. In a database, neither entity nor relationship is complete without the other. It is the definition of relationship between data elements that adds value – hence the pervasive utility of the relational database.

A simple “Identity Relationship Diagram” (my term) helps to illustrate the concept. Identities are shown in boxes; relationships are shown as arrows.

[Image: Identity Relationship Diagram, identities in boxes and relationships as arrows]

More recently, following Ian Glazer’s proposal that graph databases replace directories and relational databases in Identity systems, I discussed using directed graph diagrams to illustrate identities and relationships:

We can visualize identities as nodes, each with relevant properties, and relationships between identities as edges.  Interestingly, the edges, or relationships, may also have identities and properties of their own.  

After further study and thought, I believe that “Identity Relationship Diagrams” can be very useful in illustrating concepts in the Identity and Access Management domain. The following diagram, prepared using Graphviz graph visualization software, is helpful to illustrate two general areas of discussion.

[Image: Identity Relationship Model diagram, generated with Graphviz]

The top half of the diagram illustrates basic relationships between individuals and how those individuals can belong to groups. This is the basic construct of the Facebook Identity Graph.

The bottom half of the diagram illustrates how people interact with things via services.  These are the basic elements in the Internet of Things.

My thoughts about how to use this diagramming method are still developing.  Stay tuned for more.

PS. For those interested in trying out the Graphviz software, the Dot graph description language code to create this diagram is:

// Entity Relationship Diagram – prepared by Mark Dixon
digraph test {
  rankdir=LR;

  graph [ fontname = "Arial", fontsize = 20, size = "20,10" ];
  node [ shape=circle, fixedsize=true, width=2.5, color=blue, style=bold, fontname = "Arial" ];
  edge [ color=red, fontname = "Arial" ];

  // Identities (nodes), each with an ID and properties
  i1 [ label="Person\n Name = Mark\n ID = i1\n hair color = white\n residence = US" ];
  i2 [ label="Group\n Name = Dixon Family\n ID = i2\n attribute 1\n attribute 2" ];
  i3 [ label="Thing\n Name = My Fridge\n ID = i3\n attribute 1\n attribute 2" ];
  i4 [ label="Service\n Name = Fridge Service\n ID = i4\n attribute 1\n attribute 2" ];
  i5 [ label="Person\n Name = Holly\n ID = i5\n hair color = brown\n residence = UK" ];

  // Relationships (edges), each with an ID and properties of its own
  i1->i5 [ label="Parent of\n ID = r1a\n attribute 1\n attribute 2" ];
  i5->i1 [ label="Child of\n ID = r1a\n attribute 1\n attribute 2" ];

  i5->i2 [ label="Belongs to\n ID = r2a\n attribute 1\n attribute 2" ];
  i2->i5 [ label="Contains\n ID = r2b\n attribute 1\n attribute 2" ];

  i1->i2 [ label="Belongs to\n ID = r3a\n attribute 1\n attribute 2" ];
  i2->i1 [ label="Contains\n ID = r3b\n attribute 1\n attribute 2" ];

  i1->i3 [ label="Owns\n ID = r4a\n attribute 1\n attribute 2" ];
  i3->i1 [ label="Serves\n ID = r4a\n attribute 1\n attribute 2" ];

  i4->i3 [ label="Controls and Monitors\n ID = r6a\n attribute 1\n attribute 2" ];
  i3->i4 [ label="Reports Results\n ID = r6a\n attribute 1\n attribute 2" ];

  i1->i4 [ label="Requests Function\n ID = r5a\n Function 1 = set temperature\n Function 2 = request status" ];
  i4->i1 [ label="Reports Results\n ID = r5a\n attribute 1\n attribute 2" ];

  overlap=false;
  label="Identity Relationship Model";
}
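The Dot above is hand-written. As an added example (not Mark's code), here is a small Python model of the same Identity Relationship Diagram in which relationships are first-class identities with their own ID and properties; it answers an access question by walking the Person -> Service -> Thing path and regenerates the Dot from the data. The class, method and sample-graph names are my own assumptions.

```python
from collections import defaultdict

class IdentityGraph:
    """Directed graph of identities; each edge is a relationship with its own ID."""
    def __init__(self):
        self.nodes = {}                 # identity id -> property dict
        self.edges = defaultdict(list)  # source id -> [(target id, relationship)]

    def add_identity(self, iid, kind, name, **props):
        self.nodes[iid] = {"type": kind, "name": name, **props}

    def add_relationship(self, rid, src, dst, verb, **props):
        self.edges[src].append((dst, {"id": rid, "verb": verb, **props}))

    def reachable_functions(self, person, thing):
        """Functions `person` may invoke on `thing` via the two-hop path
        Person -Requests Function-> Service -Controls and Monitors-> Thing."""
        allowed = set()
        for svc, req in self.edges[person]:
            if req["verb"] != "Requests Function":
                continue
            for target, ctl in self.edges[svc]:
                if target == thing and ctl["verb"] == "Controls and Monitors":
                    allowed.update(req.get("functions", ()))
        return allowed  # empty set means no path, hence no function granted

    def to_dot(self):
        """Render the model as Graphviz DOT so the diagram follows the data."""
        out = ["digraph irm {", "  rankdir=LR;"]
        for iid, n in self.nodes.items():
            out.append(f'  {iid} [label="{n["type"]}\\n Name = {n["name"]}\\n ID = {iid}"];')
        for src, rels in self.edges.items():
            for dst, r in rels:
                out.append(f'  {src}->{dst} [label="{r["verb"]}\\n ID = {r["id"]}"];')
        out.append("}")
        return "\n".join(out)

def build_sample_graph():
    """Constructed sample: the identities and relationships from the post's diagram."""
    g = IdentityGraph()
    g.add_identity("i1", "Person", "Mark", residence="US")
    g.add_identity("i5", "Person", "Holly", residence="UK")
    g.add_identity("i2", "Group", "Dixon Family")
    g.add_identity("i3", "Thing", "My Fridge")
    g.add_identity("i4", "Service", "Fridge Service")
    g.add_relationship("r1a", "i1", "i5", "Parent of")
    g.add_relationship("r3a", "i1", "i2", "Belongs to")
    g.add_relationship("r2a", "i5", "i2", "Belongs to")
    g.add_relationship("r4a", "i1", "i3", "Owns")
    g.add_relationship("r6a", "i4", "i3", "Controls and Monitors")
    g.add_relationship("r5a", "i1", "i4", "Requests Function",
                       functions=("set temperature", "request status"))
    return g
```

Calling `build_sample_graph().reachable_functions("i1", "i3")` returns Mark's two fridge functions, while the same query for Holly ("i5") returns an empty set because no relationship path exists.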

 

Identity and Access Management – Capability Model

Identity
Author: Mark Dixon
Friday, March 8, 2013
3:57 pm

In a recent Twitter conversation with Andre Koot, he suggested that we needed innovation in both Identity Management and Access Management. He referred me to his blog, entitled “Let’s Kill the IAM Acronym.” Andre suggested:

Identity Management is a process for managing the lifecycle of identities … Access Control is a whole different ballgame …

After reading his blog, it occurred to me that he and I defined those two terms a bit differently.  I promised Andre that I would blog about it.

The diagram below shows how we at Oracle talk about the broad area of Identity and Access Management – encompassing three general areas:

  1. Identity Governance is about making sure the right people are granted the right access rights and making sure the wrong ones aren’t.
  2. Access Management is about enforcing those access rights, within specified policy, when users attempt to access a desired application or system.
  3. Directory Services provides ways to control where identity information about users and their access rights is stored.

[Image: Oracle Identity and Access Management capability model]

Does this provide the right demarcation between the various functional areas?  It seems to resonate well with our customers, and provides a valuable model to aid communications.  I’d be happy to hear any feedback you have.

By the way, this diagram is more effective as a PowerPoint build slide.  Let me know and I’d be happy to send you a copy.

 

Tweet Chat: #mobileidm

Identity
Author: Mark Dixon
Wednesday, March 6, 2013
3:08 pm

Please join me and other interested identerati on a live Tweet Chat about Mobile Identity Management trends and security challenges.

Amit Jasuja, Senior Vice President, Development - Identity Management and Security Products, will host the chat via @OracleIDM.

When?  Tomorrow, March 7th, at 9:00am PST

Please use hashtag #mobileidm in your tweets.

Our last Tweet Chat  (or was it Tweet Jam?) was a great success.  Let’s make this one even better.

 

IAM Disruption vs. Innovative Migration

Identity
Author: Mark Dixon
Saturday, March 2, 2013
9:12 am


I enjoyed reading Martin Kuppinger’s response to Ian Glazer’s challenge, “Killing Identity Management in Order to Save it.” I tend to align with Martin’s conclusion as a pragmatic approach:

I do not believe in disruptiveness. I believe in approaches that build on existing investments. IAM has to change, no doubt about that. But there will still be a lot of “old school” IAM together with the “new school” parts. Time and time again it has been proven that change without a migration path is an invitation to disaster. Embrace and extend is the classical migration methodology for classical technical transformative strategies.

There is no question that we need continued innovation in Identity and Access Management.  There are new business problems to conquer, new size requirements to scale, new user expectations to master.  But let’s recognize that current systems have also conquered many problems and achieved beneficial levels of effectiveness. Let’s not throw the baby out with the bathwater.

 

Phil Hunt on Tokens

Identity
Author: Mark Dixon
Saturday, March 2, 2013
8:52 am


This week, Phil Hunt posted a good educational piece about tokens, entitled, “Standards Corner: Tokens. Can You Bear It?“.  He focuses on how tokens are used in message authentication and explains the differences between bearer tokens and proof tokens, including implications of each.  He describes how the IETF OAuth Working Group is now working on requirements for Holder-of-Key tokens (aka proof tokens) to address how web sites which accept tokens should consider risks of compromise.

Thanks, Phil, for an instructive post.

 

Graphs of Identities

Identity
Author: Mark Dixon
Thursday, February 28, 2013
4:44 am

Some interesting ideas are swirling in my mind in response to Ian Glazer’s challenge, “Killing IAM in Order to Save It,” and Dave Kearns’ article “Pervasive and Ubiquitous Identity.”

Whether or not we need, as Ian suggests, to completely restructure IAM systems in order to progress is still a subject for debate, but the concept of thinking about and representing relationships between identities in a directed graph format is intriguing to me.

According to Wikipedia, “Graph databases are based on graph theory. Graph databases employ nodes, properties, and edges.” The following diagram gives a simple example. 

[Image: simple graph database example showing nodes, properties and edges]

 

Using this method, we can visualize identities as nodes, each with relevant properties, and relationships between identities as edges.  Interestingly, the edges, or relationships, may also have identities and properties of their own.  

As Dave suggests, identities are not only for people, but for things, platforms and services.  The simple diagram below begins to illustrate this concept:

 

[Image: identity graph linking people, things, platforms and services]

 

 

The relationships (edges) are primarily verbs that describe what actions the relationship supports.  A primary role of identity management systems is to establish these relationships between people identities and service or thing identities in such a way that valuable actions can be performed.

These are a few of my thoughts.  What do you think?

PS. Can anyone recommend a good directed-graph drawing tool for Mac?

 

Whether to Manage or Enable

Identity
Author: Mark Dixon
Friday, February 22, 2013
4:21 pm


Management: the act or manner of managing; handling, direction, or control. 

Enablement: to provide (someone) with adequate power, means, opportunity, or authority (to do something)

Several years ago, I heard Steve Sanghi, Chairman, Chief Executive Officer and President, Microchip Technology Inc., talk about how organization charts should be drawn upside down from the normal downward flow from CEO to employee. He stressed that business leaders were more effective when they served those within their sphere of stewardship, rather than directed or controlled people. Leaders should enable their people to succeed, rather than dictate from above.

It occurred to me recently that this same viewpoint may apply to Identity Management (or should we call it Identity Enablement?). The traditional enterprise viewpoint is to tightly control the assignment of access rights to individuals, while the seemingly opposite user-controlled identity viewpoint would allow individuals to be in charge of their own identities.

Perhaps the two viewpoints could be more harmonious if we focus on enabling individuals to get the most value out of identities and relationships, rather than controlling the relationships.

Just a thought.

 

Big Data is Watching You

Identity, Privacy
Author: Mark Dixon
Tuesday, February 19, 2013
3:17 pm


Nishant Kaushik’s tweet today prompted some paranoid thoughts about the use of big data analytics.

Scary #Privacy News Day: Raytheon RIOT – http://t.co/FB4dsnjv AND Equifax selling Employer shared employee data – http://t.co/HZSeqN9E

The first article, “Software that tracks people on social media created by defense firm,” explored how Raytheon has developed a system to track us all:

A multinational security firm has secretly developed software capable of tracking people’s movements and predicting future behaviour by mining data from social networking websites. …

“Riot is a big data analytics system design we are working on with industry, national labs and commercial partners to help turn massive amounts of data into useable information to help meet our nation’s rapidly changing security needs.”

The second article, “Your employer may share your salary, and Equifax might sell that data,” stated:

The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.

These two articles triggered thoughts about Acxiom:

[Acxiom] peers deeper into American life than the F.B.I. or the I.R.S., or those prying digital eyes at Facebook and Google. If you are an American adult, the odds are that it knows things like your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams — and on and on. …

Few consumers have ever heard of Acxiom. But analysts say it has amassed the world’s largest commercial database on consumers — and that it wants to know much, much more. Its servers process more than 50 trillion data “transactions” a year. Company executives have said its database contains information about 500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.

… and LexisNexis:

LexisNexis … is the largest data-broker in the world. They create vast profiles on people and use that information to create various reports that they sell to companies of all kinds. These reports are used to make decisions about renting, insurance and more. In the past these reports have been purchased by law enforcement and criminal organizations; all to find out more information about you.

Are there legitimate uses for all this data? Yes. But is there potential for illicit exploitation and misuse of that data? I’d bet my bottom dollar on it. The unintended consequences of amassing all this personal data are what worry me.

 

Abundance is Born of Shared Ideas

Identity
Author: Mark Dixon
Tuesday, February 19, 2013
2:40 pm


I was introduced to a book I am reading, “The Emergence of the Relationship Economy,” by a tweet from Rohan Pinto:

Leadership Is In The Ideas Not The Titles http://t.co/T7KJk0JK

This led me to a compelling article by Jay Deragon, one of the authors of “The Emergence …”.  In this post, Mr. Deragon made a particularly profound statement: 

An idea is an intangible asset that can be used over and over by millions of people, improved on and rapidly shared and consumed.  Abundance of wealth is being created from these intangible assets, ideas.

The concept of a shared idea was also treated by James Gleick in his book, “The Information.”  He quoted Jacques Monod, a French Nobel Prize winning biologist:

Ideas cause ideas and help evolve new ideas.  They interact with each other and with other mental forces in the same brain, in neighboring brains, and thanks to global communications, in far distant, foreign brains.

It is this concept of evolving of ideas through sharing that intrigues me.  Although ideas germinate in one person’s mind, it is often in the sharing of those ideas with other people that ideas grow and evolve and transform into powerful concepts that can transform our lives and the world around us.

Relationships between individuals – relationships between identities – provide the environment where seeds of ideas germinate, take root and grow.  Again, although individual identities can have great power, relationships can multiply that power immensely.

 

Graph Databases

Identity
Author: Mark Dixon
Friday, February 15, 2013
4:03 pm

The older I get (and I’m getting pretty old), the more I realize how little I know and understand in the ever-expanding universe of information. But I take comfort in the fact that I can learn a little bit new every day.

Today, I learned about Graph Databases.  One of the questions I posed in response to Ian Glazer’s recent post, “Killing IAM in Order to Save It,” was:

Are you proposing an entirely new data structure to manage the relationship graph? Neither LDAP directories nor relational databases really model the graph well, but I am not familiar with robust and proven alternate data structures that do a better job.

That shows my ignorance of emerging database technology. After posting that comment and sheepishly realizing Ian probably knew what he was talking about, I googled “Graph Database” and came up with some interesting hits. While it appears that graph databases are still at a fairly early stage, at least for commercialized products, this technology appears to be well ensconced in the Googles, Facebooks and Twitters of the world.

A helpful article for me was “Graph Databases: The New Way to Access Super Fast Social Data,” published last fall by Mashable.  A couple of excerpts:

While we’re certainly not predicting the demise of traditional databases anytime soon, we are seeing an increasing number of applications where graph databases are being used to accelerate development and massively speed up performance. …

The complexities and dynamics of the real world, however, call for new methods. This is particularly true when the world is moving at the speed of web, and everybody is racing to get ahead of everybody else. Intricate and complex processes like human behavior, as well as dynamic interconnected systems, such as those found in nature and on the web, tend to be less static and predictable, and are ideal candidates for graph databases.

That sounds like Ian Glazer talking to me.


I look forward to learning more, and particularly to extending my discussion with Ian and others on the applicability of these databases for Identity and Access Management.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.