International Telecommunication Union

ITU-T X.1257
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(03/2016)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cyberspace security – Identity management

Identity and access management taxonomy

Recommendation ITU-T X.1257

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS  X.1–X.199
OPEN SYSTEMS INTERCONNECTION  X.200–X.299
INTERWORKING BETWEEN NETWORKS  X.300–X.399
MESSAGE HANDLING SYSTEMS  X.400–X.499
DIRECTORY  X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS  X.600–X.699
OSI MANAGEMENT  X.700–X.799
SECURITY  X.800–X.849
OSI APPLICATIONS  X.850–X.899
OPEN DISTRIBUTED PROCESSING  X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects  X.1000–X.1029
  Network security  X.1030–X.1049
  Security management  X.1050–X.1069
  Telebiometrics  X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security  X.1100–X.1109
  Home network security  X.1110–X.1119
  Mobile security  X.1120–X.1139
  Web security  X.1140–X.1149
  Security protocols  X.1150–X.1159
  Peer-to-peer security  X.1160–X.1169
  Networked ID security  X.1170–X.1179
  IPTV security  X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity  X.1200–X.1229
  Countering spam  X.1230–X.1249
  Identity management  X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications  X.1300–X.1309
  Ubiquitous sensor network security  X.1310–X.1339
  PKI related Recommendations  X.1340–X.1349
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity  X.1500–X.1519
  Vulnerability/state exchange  X.1520–X.1539
  Event/incident/heuristics exchange  X.1540–X.1549
  Exchange of policies  X.1550–X.1559
  Heuristics and information request  X.1560–X.1569
  Identification and discovery  X.1570–X.1579
  Assured exchange  X.1580–X.1589
CLOUD COMPUTING SECURITY
  Overview of cloud computing security  X.1600–X.1601
  Cloud computing security design  X.1602–X.1639
  Cloud computing security best practices and guidelines  X.1640–X.1659
  Cloud computing security implementation  X.1660–X.1679
  Other cloud computing security  X.1680–X.1699

For further details, please refer to the list of ITU-T
Recommendations.

Rec. ITU-T X.1257 (03/2016)

Recommendation ITU-T X.1257
Identity and access management taxonomy

Summary
Recommendation ITU-T X.1257 develops a specification to ensure that the necessary business meaning is assigned to identity and access management (IAM) roles and permissions, and that this business meaning is traceable and referenceable throughout the IAM process lifecycle. This means that permissions can be efficiently assigned to users, separation of duties (SoD) controls can be successfully implemented across applications, and access review and reconciliation processes can be carried out efficiently.

History
Edition  Recommendation  Approval    Study Group  Unique ID*
1.0      ITU-T X.1257    2016-03-23  17           11.1002/1000/12608

Keywords
Access management, IAM lifecycle, identity and access management, role, permission, business meaning, business taxonomy, business task.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2016
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without
the prior written permission of ITU.

Table of Contents (page)
1 Scope ... 1
2 References ... 1
3 Definitions ... 1
  3.1 Terms defined elsewhere ... 1
  3.2 Terms defined in this Recommendation ... 2
4 Abbreviations and acronyms ... 3
5 Conventions ... 3
6 Introduction ... 4
7 Approach overview ... 4
8 IAM role semantic and syntax requirements ... 6
Annex A ... 8
Appendix I – IAM taxonomy process lifecycle ... 9
Appendix II – SCIM 2.0 extension profile proposal ... 12
Appendix III – Suggested extension to XACML 3.0 profile ... 14
Appendix IV – Task based access management use cases ... 16
Appendix V – Possible mechanisms for implementation of business taxonomy interface ... 17
Appendix VI – Business process taxonomy standards ... 18
Appendix VII – IAM ontology domain model ... 19
Bibliography ... 25

Recommendation ITU-T X.1257
Identity and access management taxonomy

1 Scope
This Recommendation specifies
requirements for assigning business meaning to identity and access management (IAM) roles and user permissions by leveraging [ITU-T X.1252], [ITU-T X.1254] and [b-ITU-T X.1255], and extending them to propose the following:
– An IAM taxonomy to semantically identify and organize IAM phases and processes to represent a comprehensive IAM process lifecycle.
– An IAM ontology model to semantically identify IAM role and permission types, their syntax and corresponding type relationships.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.
[ITU-T X.1252] Recommendation ITU-T X.1252 (2010), Baseline identity management terms and definitions.
[ITU-T X.1254] Recommendation ITU-T X.1254 (2012), Entity authentication assurance framework.

3 Definitions

3.1 Terms defined elsewhere
3.1.1 access control [ITU-T X.1252]: A procedure used to determine if an entity should be granted access to resources, facilities, services, or information based on pre-established rules and specific rights or authority associated with the requesting party.
3.1.2 attribute [ITU-T X.1252]: Information bound to an entity that specifies a characteristic of the entity.
3.1.3 context [ITU-T X.1252]: Environment with defined boundary conditions in which entities exist and interact.
3.1.4 credential [ITU-T X.1252]: Set of data presented as evidence of a claimed identity and/or entitlements.
3.1.5 entity [ITU-T X.1252]: Something that has separate and distinct existence and that can be identified in a context.
3.1.6 identifier [ITU-T X.1254]: One or more attributes that uniquely characterize an entity in a specific context.
3.1.7 identity [b-ISO/IEC 24760-1]: Set of attributes related to an entity.
NOTE – Within a particular context, an identity may have one or more identifiers to allow an entity to be uniquely recognized within that context.
3.1.8 role [ITU-T X.1252]: A set of properties or attributes that describe the capabilities or the functions performed by an entity.
NOTE – Each entity can have/play many roles. Capabilities may be inherent or assigned.
3.1.9 user [ITU-T X.1252]: Any entity that makes use of a resource, e.g., system, equipment, terminal, process, application, or corporate network.

3.2 Terms defined in this Recommendation
This Recommendation defines the following terms:
3.2.1 access assignment: A process of assigning access rights to user(s).
3.2.2 access change request management: A process for managing access change requests.
3.2.3 access constraints: A set of access constraints based on user location, temporarily restricted tasks and temporarily restricted resources.
3.2.4 access engineering: A process of creating and maintaining access rights.
3.2.5 access operation: A process of evaluating user access rights for the purpose of executing certain business tasks.
3.2.6 access policy: An access control constraining mechanism (i.e., what business permissions a user can execute during run-time).
3.2.7 access reconciliation: A process of changing user access rights according to stated access rights requirements to avoid over- (or under-) privileged user access.
3.2.8 access review: A process of reviewing user access rights for the purpose of subsequent access reconciliation and certification.
3.2.9 assign policy: A permissions assignment constraining mechanism (i.e., what tasks can be assigned to a user).
3.2.10 authorization logic engineering: A process of developing and maintaining authorization logic across related applications.
3.2.11 browser: An application running on a device, used by users to interact with a service provider.
3.2.12 business role: A collection of tasks (with or without permissions) that a user can be entitled to perform.
3.2.13 business task access logging: A process of logging successfully completed task executions, or of logging that a user was not authorized to perform certain task(s).
3.2.14 business task execution authorization: A process for authorizing a user to perform a specific business task on a specific resource.
3.2.15 business task execution: A process of executing specific business task(s).
3.2.16 business taxonomy engineering: A process of creating and maintaining a business process and business product taxonomy.
3.2.17 business process taxonomy: A taxonomy that semantically identifies and organizes business processes and sub-processes into a hierarchical structure.
3.2.18 channel: A communication method a user chooses to interact with a service provider.
3.2.19 device: A mechanism a user uses to enable the interaction with a service provider.
3.2.20 entitlement: A set of tasks and permissions assigned to a user.
3.2.21 IAM process lifecycle: A life cycle of identity and access management (IAM) processes and sub-processes.
3.2.22 IAM role engineering: A process of creating and maintaining IAM roles and permissions.
3.2.23 intent: The user's reason or purpose for initiating the interaction with a service provider.
3.2.24 permission: A set of task(s) accessing business resources, constrained by corresponding access control policies.
3.2.25 resource: A leaf node of a business product taxonomy, also known as a business product.
3.2.26 session: A container of runtime authentication and authorization attributes.
3.2.27 task: A leaf node of a business process taxonomy, also known as a business task.
3.2.28 team: A human resource container of the business roles each team member has in common.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations and acronyms:
APQC  American Productivity and Quality Center
CPC  Central Product Classification
eTOM  enhanced Telecom Operations Map
HTTP  Hypertext Transfer Protocol
IAM  Identity and Access Management
IP  Internet Protocol
IT  Information Technology
JSON  JavaScript Object Notation
JSON-LD  JSON-based serialization for Linked Data
MAC  Media Access Control
PCF  Process Classification Framework
RBAC  Role Based Access Control
REST  Representational State Transfer
SCIM  System for Cross-domain Identity Management
SDLC  Software Development Life Cycle
SKOS  Simple Knowledge Organization System
SOAP  Simple Object Access Protocol
SoD  Separation of Duties
URL  Uniform Resource Locator
XACML  eXtensible Access Control Markup Language

5 Conventions
The following conventions are used in this Recommendation:
– First-letter capitalization of a word in the middle of a sentence denotes the use of a term that is part of a model (i.e., the IAM ontology model or the IAM taxonomy model), such as "Business Role" or "IAM Role Engineering"; such terms can also be found in the corresponding diagrams.
– The terms "business task" and "task" are used interchangeably for readability purposes.
– The terms "business resource" and "resource" are used interchangeably for readability purposes.

6 Introduction
The lack of business meaning in current identity and access management (IAM) roles and user permissions negatively impacts the entire IAM lifecycle. Even though IAM roles such as "SuperAdmin", "SuperUpdate" and "XYZSystemSpecialAccess" are ambiguous, overly technical and cryptic, they are common in many enterprises. Naturally, instead of reusing such ambiguous roles, an IAM role engineer would time and time again create new roles. This, however, eventually leads to a large number of hard-to-manage, system-specific IAM roles that do not convey the intended business meaning. Such a large number of roles, as well as their poor semantic quality, negatively impacts key IAM lifecycle phases such as Access Assignment, Access Authorization, Access Review and Access Reconciliation. During Access Assignment, an access management specialist that does not understand the meaning of existing roles could assig
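To make the vocabulary of clause 3.2 concrete, the following Python is an added illustration, not code from the Recommendation or from ITU-T. It models tasks and resources as leaf nodes of a business process taxonomy and a business product taxonomy, a permission as a task on a resource under an access policy, a business role as a collection of tasks, and an entitlement as what one user holds; it then runs an assign policy, a separation-of-duties control and an access review followed by access reconciliation over those objects, which are the lifecycle phases the introduction says suffer when roles lack business meaning. The taxonomy nodes, role, team and policy names are constructed sample data, and the role-validation step that refuses a name such as "SuperAdmin" because it is not a taxonomy leaf is one possible reading of the requirement, not a procedure the Recommendation prescribes.

```python
"""Added example (not from ITU-T X.1257): toy model of its IAM vocabulary.
All taxonomy nodes, role, team and policy names are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class TaxonomyNode:
    name: str
    children: list = field(default_factory=list)
    def leaves(self) -> set:
        """Leaf names: business tasks (3.2.27) or resources (3.2.25)."""
        if not self.children:
            return {self.name}
        return set().union(*(c.leaves() for c in self.children))

# Hypothetical business process taxonomy (3.2.17): its leaves are the only valid tasks
PROCESS_TAXONOMY = TaxonomyNode("Finance", [
    TaxonomyNode("Accounts Payable", [TaxonomyNode("Create Invoice"), TaxonomyNode("Approve Invoice")]),
    TaxonomyNode("Treasury", [TaxonomyNode("Release Payment")])])
# Hypothetical business product taxonomy: its leaves are the only valid resources
PRODUCT_TAXONOMY = TaxonomyNode("Products", [TaxonomyNode("AP Ledger"), TaxonomyNode("Payment Gateway")])
TASKS, RESOURCES = PROCESS_TAXONOMY.leaves(), PRODUCT_TAXONOMY.leaves()

# Hypothetical assign policy (3.2.9): which tasks may be assigned to members of each team
ASSIGN_POLICY = {"AP Clerks": {"Create Invoice"},
                 "AP Managers": {"Create Invoice", "Approve Invoice", "Release Payment"}}
# Hypothetical SoD control stated in business terms: nobody may hold both tasks
SOD_CONFLICTS = [frozenset({"Create Invoice", "Approve Invoice"})]

@dataclass(frozen=True)
class Permission:
    """A task on a resource, constrained by an access policy (3.2.24, 3.2.6)."""
    task: str
    resource: str
    access_policy: str = "business-hours-only"

@dataclass
class BusinessRole:
    """Collection of tasks, with or without permissions (3.2.12)."""
    name: str
    tasks: frozenset
    permissions: frozenset = frozenset()

@dataclass
class Entitlement:
    """Tasks and permissions assigned to one user (3.2.20)."""
    tasks: set = field(default_factory=set)
    permissions: set = field(default_factory=set)

def validate_role(role: BusinessRole) -> None:
    """Role engineering check (3.2.22): tasks and resources must be taxonomy leaves."""
    unknown = (role.tasks - TASKS) | ({p.resource for p in role.permissions} - RESOURCES)
    if unknown:  # a cryptic name such as 'SuperAdmin' has no business meaning
        raise ValueError(f"{role.name}: no business meaning for {sorted(unknown)}")

def assign_role(ent: Entitlement, role: BusinessRole, team: str) -> None:
    """Access assignment (3.2.1) guarded by the assign policy and the SoD control."""
    validate_role(role)
    if not role.tasks <= ASSIGN_POLICY.get(team, set()):
        raise PermissionError(f"{role.name} is not assignable to team {team}")
    for pair in SOD_CONFLICTS:
        if pair <= ent.tasks | role.tasks:
            raise PermissionError(f"SoD conflict: {sorted(pair)}")
    ent.tasks |= role.tasks
    ent.permissions |= role.permissions

def access_review(ent: Entitlement, required: set) -> dict:
    """Access review (3.2.8): compare held tasks with stated requirements."""
    return {"over": ent.tasks - required, "under": required - ent.tasks}

def reconcile(ent: Entitlement, required: set) -> dict:
    """Access reconciliation (3.2.7): fix over/under-privilege, prune orphaned permissions."""
    review = access_review(ent, required)
    ent.tasks = (ent.tasks - review["over"]) | review["under"]
    ent.permissions = {p for p in ent.permissions if p.task in ent.tasks}
    return review

def refused(control, *args) -> bool:
    """True when a control raises, i.e. the requested action was refused."""
    try:
        control(*args)
    except (PermissionError, ValueError):
        return True
    return False

def demo() -> dict:
    """Run one manager through the controls and return the outcomes."""
    approve = BusinessRole("AP Invoice Approval", frozenset({"Approve Invoice"}),
                           frozenset({Permission("Approve Invoice", "AP Ledger")}))
    create = BusinessRole("AP Invoice Entry", frozenset({"Create Invoice"}))
    manager = Entitlement()
    assign_role(manager, approve, "AP Managers")
    out = {"sod_blocked": refused(assign_role, manager, create, "AP Managers"),
           "cryptic_role_rejected": refused(
               validate_role, BusinessRole("SuperAdmin", frozenset({"SuperAdmin"})))}
    # The manager's stated requirement changes to payment release only
    out["review"] = reconcile(manager, {"Release Payment"})
    out["manager"] = (set(manager.tasks), len(manager.permissions))
    return out
```

Because every task and resource must resolve to a taxonomy leaf, the SoD rule and the assign policy can be written in the same business terms as the roles themselves; the reconciliation step then shows why permissions should be derived from tasks rather than granted separately, since a permission whose task is no longer required is pruned automatically instead of lingering as over-privilege.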