When we talk about matching login accounts to people, groups and systems across multiple silos, we need a reliable mechanism to maintain the connection – a unique identifier. When you are dealing with Enterprise Identity Matching, it is important that you have a unique identifier that will have the appropriate scope to do the job. Using employee number will not do the trick. Let’s look at the details.
GUIDs are too big
A GUID is an acronym for ‘Globally Unique IDentifier’. I have always pronounced it ‘goo-id’ other say ‘gwid’. If you look it up in Wikipedia you find reference to specific programming implementations of GUID’s and variations on that theme. I am using the term more generally here. There are three components to the concept.
- The scope of the application of the identifier (The term Global rarely is referring to the real globe but, some other domain of concern)
- Uniqueness which applies to the target of the identifier (eg only one person can be assigned a given identifier)
- The identifier itself which has a specific, consistent form.
For example: the US Social Security Number (SSN) is a 9 digit number issued to citizens, permanent residents, and temporary working residents. The scope of this is the US Federal Government which uniquely assigns this 9 digit number. There is actually information in the code of the number itself. There is even an urban legend regarding hidden information. There has been a practice in the past for businesses to use a person’s SSN as an identifier within company records. For many privacy and emerging legal reasons this is now considered bad form if not illegal.
CUPIDs are too small
Back in 2002, I had the pleasure of working with Don Bowen, currently the Director of Identity Integration at Sun Microsystems. Prior to Sun, as an early IdM pioneer, Don had done a lot of real world work of installing Identity Management at Caterpillar, Inc. I always pay attention to people who speak from experience with real implementations – even simple observations may be hard earned nuggets of wisdom.
Don had coined the acronym CUPID for Corporate Unique Personal IDentifier. In addition to creating a cute acronym, Don gets nice and clear on the scope of the identifier – the whole corporation – and no more. ie. bigger than the IT silos, departments, and divisions but, not something that spills outside the organization (like SSN).
Don had some well thought through opinions on the form of the CUPID. From my old notes, I recall:
- Only one per person, never changes
- Unique to one person
- Not required to be know – can be looked up
- Used only for the linking process
- Completely numeric with no programmatic meaning. No chance undesirable words or human meaning could enter in. No chance of people reading in meaning or relying on meaning in it.
- Only for person objects.
To my mind these qualities are just right, except the last one. Since over 8% of accounts may belong to systems or groups, we really need an Identifier which can be used to more than people.
An employee number is a type of CUPID but, does not usually include all people that are given access to the system (consultants and other non-employees) and certainly does not contain group or system identifiers. Employee ID’s also can have meaning embedded in them and may have security implications attached to them which makes them unsuitable to be the ultimate matching identifier.
While they may not provide the ultimate solution, if a system has employee numbers, or some other CUPID, populated across systems, then you have a great head-start in the matching process.
TRUIDs are just right.
I have coined a term for our use called TRUID for ‘True Identity”. It is a play on our brand name and refers to the purpose of determining the ‘true identity’ of the person or system controlling a credential. I am not suggesting anyone else use this term but, it is what we use to delineate from the more generic and alternate terms.
A TRUID is very much like a CUPID as defined by Don Bowen but, also can be assigned to other targets that can hold login accounts such as systems and group accounts.
The TRUID is the unique identifier that can be used to build the link table of all resource credentials to their account holders. This is the main deliverable in the Enterprise Identity Matching process.
February 26, 2007 at 8:26 pm |
Interesting and thanks for the walk down memory lane. Keep in mind that at the time I was working through political and not just technical issues. The timeframe was actually 1999 and not 2002
Limiting the scope of CUPIDs to people was the difference between getting the buy-in I wanted and needed to move forward and being like most companies on the planet at that time and just talking. Today Cat’s Global Directory has many objects, not just people and over 1400+ applications that leverage it. The value to their business would be hard to quantify and I’m not even sure they realize what a competitive advantage it has been and is today. I’m not waiting for a pat on the back 
February 26, 2007 at 8:57 pm |
Thanks for the clarification Don.
My reference to 2002 was to the year we met. I never knew when you had done the Cat work. In 1999, you certainly were a pioneer in building big global enterprise directories.
Alas, politics particularly across silos are much harder to overcome than the technical aspects. All the more reason why the work you did is very worthy of recognition.
But, isn’t that the way: when the infrastructure just works, no-one notices; when it breaks down…then they notice. I guess you will have to bask in the glory of 1400+ applications just working with a global directory out there. Sort of like the Maytag Repairman.
I’m curious how hard it was to do the initial data cleansing and matching of the systems prior to assigning the CUPID.
February 27, 2007 at 3:58 am |
I should have looked back to see your date was for when we met. I think it would push the limits of blog comments for me to answer your question, but the story on our data cleansing was quite interesting and very successful. Let me know when you start podcasting
Data cleansing was and still is huge, as you know. I remember talking to a large bank when I was at Burton and I had a Senior VP tell me that my suggestion they had dirty data was ridiculous. I put his key managers on the spot and they told him that in fact is was true. It was priceless.