Section 19.3. How does identity management change within ESA?



It's no longer sufficient to secure the first service encountered by users in a business process (i.e., the interface); in fact, it never has been. Identity management-based security must extend across every system touched by the process about to be initiated because what's ultimately being exposed is not just a single service, but the entire business process. What the user orders at the onset of the process must be verified and delivered at the end with the guarantees that: a) that is indeed what she ordered, and b) she is indeed entitled to request it. If the request were to pass through any unsecured service along its route, neither premise could be proven to have remained true.

From a service infrastructure standpoint, this responsibility will likely fall to the security operations layer in each. But it will also become necessary to integrate identity management processes and user profiles into a single repository. This repository will distribute that information to all the systems, providing them with the information required to assess the validity of a requirement, or it may be accessible from anywhere within the landscape, called by the system hit by the user's request, and provide the information in real time, essentially becoming an enterprise service itself. In the early stages of a company's ESA adoption, this might take the form of an LDAP integration effort. But as the environment continues to grow and evolve, the next step is federation: multiple identity repositories that contain different instantiations of the same user profile, and in which these various instantiations are linked. In practice, this would allow the external participants in cross-company processes to decide for themselves how much access and what role that user will have in their systems, a decision that is resolved automatically when the user logs into her native environment.
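The two guarantees above, checked at every hop against one repository, can be sketched as follows. This is an added example, not code from the book: the repository contents, the shared HMAC key, and all function and service names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the single profile repository the text describes.
REPOSITORY = {"alice": {"entitlements": {"order:laptop"}}}
# Assumption: services in the landscape share one verification key; a real
# deployment might use tokens signed by the identity service instead.
LANDSCAPE_KEY = b"constructed-demo-key"


def _mac(user, order):
    body = json.dumps({"user": user, "order": order}, sort_keys=True).encode()
    return hmac.new(LANDSCAPE_KEY, body, hashlib.sha256).hexdigest()


def issue_request(user, order):
    """Interface service: bind the user's identity to what she ordered."""
    return {"user": user, "order": order, "mac": _mac(user, order)}


def verify_at_hop(request):
    """Check both guarantees: (a) order unchanged, (b) user entitled."""
    expected = _mac(request["user"], request["order"])
    if not hmac.compare_digest(expected, request["mac"]):
        return "rejected: order or identity changed in transit"
    profile = REPOSITORY.get(request["user"])
    needed = "order:" + request["order"]["item"]
    if profile is None or needed not in profile["entitlements"]:
        return "rejected: user not entitled"
    return "ok"


def run_process(request, route):
    """Each service verifies on receipt, then hands the request onward."""
    for name, handler in route:
        verdict = verify_at_hop(request)
        if verdict != "ok":
            return name, verdict
        request = handler(request)
    return "delivery", verify_at_hop(request)  # final check before delivery


def passthrough(request):
    return request


def tamper(request):
    """Models a hop that alters the order without re-establishing trust."""
    return dict(request, order={"item": "laptop", "qty": 50})
```

If only the first service verified the request, the altered quantity introduced mid-route would reach delivery unchecked; with verification at every hop, the service that receives the altered request rejects it.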




Enterprise SOA: Designing IT for Business Innovation
ISBN: 0596102380
EAN: 2147483647
Year: 2004
Pages: 265
