GS.Identity+Permission Management

This service maintains the propagation and consistency of the digital identities and digital permissions recognized within the organization. Ideally, a single Identity & Permission Management service is active in the organization, cooperating with all of its Authentication & Authorization (A&A) services.

Identity management

This service provides the following identity-related sub-services:
 * Providing new digital identities to instances of A&A services when the circumstances call for it (either a new eligible identity presents itself, or an existing identity becomes eligible), including all accompanying identity attributes used in that particular A&A service instance;
 * Providing new digital groups to instances of A&A services that are going to be involved with Role Based Access Control under that A&A service's authority;
 * Directing A&A services to change group membership of a digital identity to reflect a change in roles;
 * Conveying the effects of a change in business rules on the relevant aspects of the digital identities under an affected A&A service;
 * Propagating an update to a digital identity's attribute from the A&A service deemed authoritative for that attribute to all other A&A services that hold the same identity and attribute;
 * Directing A&A services to disable or remove an identity as soon as its eligibility for an account in that particular A&A service ends, or as soon as the digital identity is disabled or removed from an authoritative A&A service;
 * Resolving conflicts in account information between different A&A services.

Permission management

This service provides the following permission-related sub-services:
 * Directing an A&A service to create or update the permissions associated with a digital resource when a digital identity becomes eligible to use that resource;
 * Directing an A&A service to update or remove the permissions associated with a digital resource when a digital identity loses eligibility to use that resource;
 * Resolving conflicts between the permissions a specific A&A service has (or has not) assigned to a digital identity and the permissions that should actually be granted to it (or withheld from it).
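The identity and permission sub-services above amount to one reconciliation loop: compare an authoritative A&A service's view of each identity with a downstream A&A service's copy and emit create/update/disable/remove directives plus permission grants and revocations. The following is an added example, not code from the original page; the service names, attribute names, eligibility rule and permission rule in `demo()` are constructed placeholders.

```python
# Added example (not from the page): one reconciliation pass of an Identity &
# Permission Management service against a single downstream A&A service.

def reconcile(authoritative, downstream, eligible, desired_perms):
    """Directives that align `downstream` with `authoritative` (authoritative wins on conflict).
    authoritative: {uid: {"enabled", "attrs", "groups"}}; downstream: {"identities": {uid: same}, "perms": {uid: set}}
    eligible(ident) -> bool and desired_perms(ident) -> set are the downstream service's business rules."""
    out = []
    local_ids = downstream["identities"]
    for uid, src in authoritative.items():
        local = local_ids.get(uid)
        ok = src["enabled"] and eligible(src)          # eligibility under this A&A service
        if ok and local is None:
            out.append(("create", uid, src["attrs"], src["groups"]))
        elif ok:
            if local["attrs"] != src["attrs"]:          # authoritative attribute wins
                out.append(("update_attrs", uid, src["attrs"]))
            if local["groups"] != src["groups"]:        # role change -> group membership
                out.append(("set_groups", uid, src["groups"]))
            if not local["enabled"]:
                out.append(("enable", uid))
        elif local is not None and local["enabled"]:    # eligibility ended or source disabled
            out.append(("disable", uid))
        wanted = desired_perms(src) if ok else set()     # no eligibility -> no permissions
        held = downstream["perms"].get(uid, set())
        out += [("grant", uid, r) for r in sorted(wanted - held)]
        out += [("revoke", uid, r) for r in sorted(held - wanted)]
    for uid in sorted(local_ids.keys() - authoritative.keys()):  # account unknown to the source
        out.append(("remove", uid))
    return out

def demo():
    """Constructed scenario: a finance ledger A&A service fed from the HR (authoritative) service."""
    hr = {
        "alice": {"enabled": True, "attrs": {"dept": "finance"}, "groups": {"ledger-rw"}},
        "bob": {"enabled": True, "attrs": {"dept": "sales"}, "groups": set()},
        "carol": {"enabled": False, "attrs": {"dept": "finance"}, "groups": {"ledger-ro"}},
    }
    ledger = {
        "identities": {"alice": {"enabled": True, "attrs": {"dept": "sales"}, "groups": {"ledger-ro"}},
                       "carol": {"enabled": True, "attrs": {"dept": "finance"}, "groups": {"ledger-ro"}},
                       "dave": {"enabled": True, "attrs": {}, "groups": set()}},
        "perms": {"alice": {"ledger:read"}, "carol": {"ledger:read"}, "dave": {"ledger:read"}},
    }
    in_finance = lambda i: i["attrs"].get("dept") == "finance"
    perms_for = lambda i: {"ledger:read", "ledger:write"} if "ledger-rw" in i["groups"] else {"ledger:read"}
    return reconcile(hr, ledger, in_finance, perms_for)
```

Running `demo()` yields an attribute correction, a group change and a write grant for alice, a disable plus revoke for carol (disabled at the source), and a remove for the orphan account dave.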