{"id":120,"date":"2008-06-30T18:06:46","date_gmt":"2008-06-30T18:06:46","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=120"},"modified":"2023-01-09T02:51:20","modified_gmt":"2023-01-09T02:51:20","slug":"the-need-for-unique-identifiers","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/the-need-for-unique-identifiers","title":{"rendered":"The need for unique identifiers"},"content":{"rendered":"

Identity management is made a heck of a lot easier if you have a fool-proof way of identifying someone – no wonder governments are so keen on the idea of identity cards<\/a>. I make no claim either way on the id cards, but I will say that unique identifiers make ILM\/MIIS system so much easier to run that, more than a best practise, they are an absolute essential.<\/p>\n

<\/p>\n

Some points to consider…<\/p>\n

The identifier must be unique in the metaverse<\/strong><\/p>\n

There is no technical<\/em> reason preventing you re-using an identifier,\u00a0 but there are a lot of good design<\/em> reasons. You should always be able to re-join to a metaverse object using the identifier, with no possibility of multiple matches.<\/p>\n

I recommend not even re-using the same identifier across different object types.<\/p>\n

Export the identifier into all your connected directories<\/strong><\/p>\n

Find a suitable attribute, set up an export flow rule, and get the identifier out. Then use the same attribute to join back (you should always<\/em> have join rules, on every<\/em> MA).<\/p>\n

Very rarely there will be some application where you can’t find a suitable attribute to stick the identifier in. In my experience so far, these have always involved extensible MAs, and with XMAs I always maintain a SQL table<\/a> where I can record extra info that will not go into the target system – such as a mapping between my unique identifier and whatever I’m being forced to use in the external app.<\/p>\n

Use something that won’t change<\/strong><\/p>\n

Usernames, email addresses and names are no good. They can change. Forget them.<\/p>\n

Ideally use something that comes out of a database system which will already be enforcing a unique ID, such as an HR system.<\/p>\n

Ensuring uniqueness<\/strong><\/p>\n

Many organisations are suffering under multiple import systems – perhaps company mergers mean multiple HR systems to incorporate, or different user types being generated in different systems. If there is any risk of a conflict, use an import flow rule to insert a prefix, or stage via a database where you can manipulate the identifier and assure uniqueness.<\/p>\n

Don’t use the metaverse GUID<\/strong><\/p>\n

I was, I confess, somewhat horrified when I realised people do this. Just don’t! You never know when you will need to clear out and re-import. You should always plan for this possibility!<\/p>\n

Don’t use something system specific<\/strong><\/p>\n

I also have concerns when I hear of the AD SID being used as a unique identifier. I feel that a person (or group, or other object) should be uniquely identifiable whether it is currently in AD or not<\/em>. Sometimes accounts get deleted and re-created, but that doesn’t stop the person being themself.<\/p>\n

I would only consider this a defensible design if AD was your primary, and most trustworthy, data source.<\/p>\n

So remember:-<\/strong><\/p>\n

the unique identifier is unique, it doesn’t change, you get it everywhere, and you can rely on it in join rules. Perfect KISS<\/a> philosophy.<\/p>\n","protected":false},"excerpt":{"rendered":"

Identity management is made a heck of a lot easier if you have a fool-proof way of identifying someone – no wonder governments are so keen on the idea of identity cards. I make no claim either way on the id cards, but I will say that unique identifiers make ILM\/MIIS system so much easier…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[15,19,3],"tags":[],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-ilm","category-newbie","category-philosophising"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-1W","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":1,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":3323,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/120\/revisions\/3323"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}