GP.Identity+Permission Management

Instances of this Generic Pattern are able to maintain the propagation and consistency of digital identities and digital permissions that are recognized within the organization.

Identity management
This Generic Pattern can perform the following tasks related to digital identities:
 * It can provide new digital identities to instances of A&A services when the circumstances call for it (either an eligible new identity presents itself in another connected A&A system that's deemed authoritative, or an existing identity becomes eligible), including all accompanying identity attributes that are used in that particular A&A service instance;
 * It can provide new digital groups to instances of A&A services that are going to be involved with Role Based Access Control under that A&A service's authority;
 * It can direct A&A services to change group membership of a digital identity to reflect a change in roles;
 * It can convey the effects of a change in business rules on the relevant aspects of the digital identities under an affected A&A service;
 * When an update occurs in a digital identity's attribute under an A&A service that's deemed authoritative for that attribute, then the Pattern can detect this update, and have it applied to all A&A services that contain that same identity and attribute;
 * It can direct A&A services to disable or remove identities, as soon as that identity's eligibility for an account in that particular A&A service ends, or the digital identity is disabled or removed from an authoritative A&A service;
 * It can automatically resolve certain conflicts in account information between different A&A services.

Permission management
This Generic Pattern can perform the following tasks related to permission management:
 * It can direct an A&A service to create or update the necessary permissions associated with a digital resource, when a digital identity becomes eligible for use of this resource;
 * It can direct an A&A service to update or remove the relevant permissions associated with a digital resource, when a digital identity loses eligibility for use of this resource;
 * It can detect and resolve certain conflicts between specific permissions assigned (or not) to a digital identity by a specific A&A service, and the permissions that should (or should not) actually be granted to it.
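The identity-management and permission-management tasks listed above are, in practice, one desired-state reconciliation loop: read the authoritative source, compare it with what a connected A&A service currently holds, and emit the create/update/disable and grant/revoke operations that close the gap. The following is an added example written for this page, not code from the pattern's author or from any product; the role-to-permission mapping, the action vocabulary, the sample identities and the in-memory "target service" are all constructed, and a real deployment would replace the `apply_plan` body with calls to the service's provisioning API.

```python
"""Desired-state reconciliation between an authoritative identity source and
one downstream A&A service: provisioning, attribute propagation, group (role)
membership, disable-on-ineligibility, orphan detection and permission drift.
Added example; every name and value below is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Identity:
    uid: str
    attrs: dict[str, str]
    groups: set[str]
    eligible: bool = True   # business rule: entitled to an account in this service
    enabled: bool = True


# Constructed RBAC policy: group -> set of (resource, action) it should grant.
ROLE_PERMISSIONS = {
    "finance-ro": {("ledger", "read")},
    "finance-rw": {("ledger", "read"), ("ledger", "write")},
    "eng": {("repo", "read"), ("repo", "write")},
}


def expected_permissions(identity: Identity) -> set[tuple[str, str]]:
    """Permissions an identity should hold, derived only from its groups."""
    if not (identity.eligible and identity.enabled):
        return set()
    perms: set[tuple[str, str]] = set()
    for g in identity.groups:
        perms |= ROLE_PERMISSIONS.get(g, set())
    return perms


def plan(authoritative, target, target_acl):
    """Actions that bring target (uid -> Identity) and target_acl
    (uid -> set of (resource, action)) in line with the authoritative source."""
    actions = []
    for uid, src in authoritative.items():
        tgt = target.get(uid)
        if not src.eligible:
            # Eligibility ended: disable the account and strip every permission.
            if tgt is not None and tgt.enabled:
                actions.append(("disable", uid))
            for perm in sorted(target_acl.get(uid, set())):
                actions.append(("revoke", uid, perm))
            continue
        if tgt is None:
            actions.append(("create", uid, dict(src.attrs), set(src.groups)))
        else:
            if not tgt.enabled:
                actions.append(("enable", uid))
            for key, value in src.attrs.items():   # authoritative attribute wins
                if tgt.attrs.get(key) != value:
                    actions.append(("set_attr", uid, key, value))
            for g in sorted(src.groups - tgt.groups):
                actions.append(("add_group", uid, g))
            for g in sorted(tgt.groups - src.groups):
                actions.append(("remove_group", uid, g))
        # Permission drift: what the service grants vs. what the roles say.
        wanted = expected_permissions(src)
        held = target_acl.get(uid, set())
        for perm in sorted(wanted - held):
            actions.append(("grant", uid, perm))
        for perm in sorted(held - wanted):
            actions.append(("revoke", uid, perm))
    # Accounts unknown to the authoritative source: disable and flag, never auto-delete.
    for uid, tgt in target.items():
        if uid not in authoritative:
            if tgt.enabled:
                actions.append(("disable", uid))
            actions.append(("flag_orphan", uid))
    return actions


def apply_plan(actions, target, target_acl):
    """Execute a plan against the in-memory target (a connector would call the service API)."""
    for action in actions:
        kind, uid = action[0], action[1]
        if kind == "create":
            target[uid] = Identity(uid, action[2], action[3])
        elif kind == "enable":
            target[uid].enabled = True
        elif kind == "disable":
            target[uid].enabled = False
        elif kind == "set_attr":
            target[uid].attrs[action[2]] = action[3]
        elif kind == "add_group":
            target[uid].groups.add(action[2])
        elif kind == "remove_group":
            target[uid].groups.discard(action[2])
        elif kind == "grant":
            target_acl.setdefault(uid, set()).add(action[2])
        elif kind == "revoke":
            target_acl.get(uid, set()).discard(action[2])
        # "flag_orphan" is a review item for an administrator, not a change.
    return target, target_acl


def sample_state():
    """Constructed scenario: alice changed mail and moved to finance-rw, carol lost
    eligibility, bob's ACL is missing a permission, dave exists only in the target."""
    authoritative = {
        "alice": Identity("alice", {"mail": "alice@example.test", "dept": "finance"}, {"finance-rw"}),
        "bob": Identity("bob", {"mail": "bob@example.test", "dept": "eng"}, {"eng"}),
        "carol": Identity("carol", {"mail": "carol@example.test", "dept": "finance"}, {"finance-ro"}, eligible=False),
    }
    target = {
        "alice": Identity("alice", {"mail": "a.old@example.test", "dept": "finance"}, {"finance-ro"}),
        "bob": Identity("bob", {"mail": "bob@example.test", "dept": "eng"}, {"eng"}),
        "carol": Identity("carol", {"mail": "carol@example.test", "dept": "finance"}, {"finance-ro"}),
        "dave": Identity("dave", {"mail": "dave@example.test", "dept": "unknown"}, {"eng"}),
    }
    target_acl = {
        "alice": {("ledger", "read")},
        "bob": {("repo", "read")},
        "carol": {("ledger", "read")},
        "dave": {("repo", "read"), ("repo", "write")},
    }
    return authoritative, target, target_acl


if __name__ == "__main__":
    auth, tgt, acl = sample_state()
    for step in plan(auth, tgt, acl):
        print(step)
```

Two properties of this shape are worth checking in any real implementation: the plan is idempotent (running it again after `apply_plan` yields nothing but the orphan flag), and ineligibility always produces a disable plus a full revoke rather than a delete, so an account can be audited or restored if the eligibility signal was wrong.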