It is almost always a bad idea to create extra object types for the same basic “thing”. An object type should encompass all the possible states an identity can transition to. A person can never become a group, but they can definitely be staff, contractor or student (sometimes all at the same time) – so a single “person” object type should be used for all people.
This best practice applies to both the Metaverse and the Portal. It may be tempting to try to extend the number of RCDC forms available in the Portal by declaring new object types for similar identities – but it is a mistake. Some of the pitfalls:
- You will run into problems where multiple roles lead to multiple identities and accounts,
- You will find it very difficult to transition an identity to a different object type – in fact it will have to be re-imported into the IAM system and re-joined to existing accounts, and you will have to do a lot of this by hand,
- You will do a lot of work re-creating schema definitions, Sync Rules and Portal policy objects, and then maintaining them, and
- You’ll end up losing the benefits of task automation by building in too much fundamental complexity and inflexibility when dealing with moves and changes.
It really is better to stick to the one object type and make do with roles, attribute values and flags to differentiate between your categories.
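The first two pitfalls can be seen in a small model. This is an added example, not code from the original post and not the FIM API: a plain Python sketch in which the feed rows, the `person_id` correlation key, the `joined_accounts` attribute and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample feed rows: (source system, correlation id, name, role).
# A shared "person_id" correlation key is an assumption of this sketch.
FEED = [
    ("HR",        "P1001", "Ana Ruiz",  "staff"),
    ("StudentDB", "P1001", "Ana Ruiz",  "student"),
    ("Vendors",   "P2002", "Ben Okoro", "contractor"),
]

def project_single_type(feed):
    """One 'person' object per human; roles are a multi-valued attribute."""
    mv = {}
    for _source, pid, name, role in feed:
        obj = mv.setdefault(pid, {"objectType": "person", "name": name,
                                  "roles": set(), "joined_accounts": set()})
        obj["roles"].add(role)
    return mv

def project_type_per_role(feed):
    """Anti-pattern: a separate object type (and object) for each role."""
    mv = {}
    for _source, pid, name, role in feed:
        mv[(role, pid)] = {"objectType": role, "name": name,
                           "joined_accounts": set()}
    return mv

def identities_per_human(mv):
    """Count metaverse objects per correlation id to expose duplicates."""
    counts = defaultdict(int)
    for key in mv:
        pid = key[1] if isinstance(key, tuple) else key
        counts[pid] += 1
    return dict(counts)

def change_role_single(mv, pid, old, new):
    """A move is an attribute update; the object and its joins are untouched."""
    mv[pid]["roles"].discard(old)
    mv[pid]["roles"].add(new)
    return mv[pid]

def change_role_per_type(mv, pid, old, new):
    """A move means deleting one object and creating another; joins are lost."""
    gone = mv.pop((old, pid))
    mv[(new, pid)] = {"objectType": new, "name": gone["name"],
                      "joined_accounts": set()}  # must be re-joined by hand
    return mv[(new, pid)]
```

With the constructed feed, the type-per-role projection gives the staff member who is also a student two separate identities, and moving the contractor to staff drops the account join that the single-type model keeps.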
Got something to add? Disagree? Comments are open!