Page Properties

ID

OM-IND-0012

Formal Name

Managed Workforce Identity Population

In-text Name

number of workforce managed identities

Version

1.0

Type

Base Indicator

Scale

Ratio Scale

Status

Draft

Definition

Number of digital identities linked to workforce entities within the scope of responsibility of the entity, excluding unmanaged distributed identities.

Components

Digital identity

cf. Digital Identity (Dictionary Entry).

Workforce entity

This typically comprises permanent staff members, contractors, apprentices, etc.

Entity

The organization or organizational unit for whom performance is being measured.

Scope of responsibility

An item is within the scope of responsibility of an entity when that entity owns the item, or has been delegated responsibilities in relation to the item.

TODO

  •  Distinguish Entity Count from ID Count
  •  The IDs of an Entity may be spread across multiple systems
  •  Distinguish counting primary identities from secondary identities

Unmanaged distributed identity

When digital identities are replicated (cf. Distributed Identity (Dictionary Entry)), the replica may or may not need to be actively managed by the entity (whatever the detailed responsibilities of the entity are). This mainly depends on whether the entity is required to actively manage complementary attributes on the replica.

By definition, an identity replica that does not need to be actively managed by the entity should be excluded from the count because it does not require individual attention or effort from the entity.

Samples

  • Application X uses SSO and is integrated with directory Y. Identities in Y are automatically synchronized to X with all required attributes. No individual management of identities in X is required. Consequently, identities in Y are counted but identities in X are not counted.

  • Identity federation is set up between organizations X and Y, with Y trusting X identities. However, Y has implemented a complementary verification process over X identities and thus actively manages these identities. X identities federated in Y should thus be counted.

Estimation Methods

Counting the number of managed identities requires a mature IAM platform documented with the architecture of identity distribution schemes. Because this may be too complex or out of reach, an organization may perform an estimation instead.

The outcome of such an estimation should be a 95% confidence interval.

An organization that has a central identity directory may use it to find a lower bound value for the estimated range.

From there, complementary information may be obtained to reach an estimate, such as:

  • Directories and applications known for containing the highest number of identities may be measured individually. This is an especially efficient approach if the organization uses a few large directories and applications and many small applications.

  • Provisioning information stored in an IAM platform (manual provisioning of identities is a good indication of identities being actively managed).

  • SSO or authentication attributes in IT applications inventories.

Once the estimation assumptions are documented, updating the estimate from period to period should be much easier. But the estimation assumptions should be regularly re-evaluated as well.
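One way to turn the estimation approach above into a 95% confidence interval, shown as an added example that is not part of the original indicator definition. It assumes the central directory and the large repositories are counted exactly, the small applications are sampled at random, and a Student-t interval with finite population correction is acceptable; the function names and all figures are constructed for illustration.

```python
import math
import statistics

# Two-sided 95% Student-t critical values, keyed by degrees of freedom.
T_95 = {2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447, 7: 2.365,
        8: 2.306, 9: 2.262, 10: 2.228, 15: 2.131, 20: 2.086, 30: 2.042}


def t_critical(df):
    """Use the largest tabulated df not above the requested one (conservative)."""
    usable = [d for d in T_95 if d <= df]
    if not usable:
        raise ValueError("sample at least 3 small applications")
    return T_95[max(usable)]


def estimate_managed_identities(measured, sampled, small_app_total):
    """Return (low, point, high): a 95% interval for the managed identity count.

    measured: exact managed-identity counts of the central directory and of
        the large repositories measured individually.
    sampled: managed-identity counts found in a simple random sample of the
        small applications (0 when an application only holds unmanaged
        replicas, e.g. identities fully synchronized from a directory).
    small_app_total: number of small applications in the inventory.
    """
    n, big_n = len(sampled), small_app_total
    if n > big_n:
        raise ValueError("sample is larger than the inventory")
    counted = sum(measured)
    mean, sd = statistics.mean(sampled), statistics.stdev(sampled)
    fpc = math.sqrt((big_n - n) / big_n)      # finite population correction
    half = t_critical(n - 1) * big_n * sd / math.sqrt(n) * fpc
    point = counted + big_n * mean
    # Identities already observed are a hard floor for the lower bound.
    low = max(counted + sum(sampled), point - half)
    return round(low), round(point), round(point + half)


# Constructed figures: one central directory, two large applications, and
# 8 of 60 small applications drawn at random from the inventory.
MEASURED = [4200, 650, 310]
SAMPLED = [0, 12, 0, 40, 5, 0, 23, 0]

if __name__ == "__main__":
    print(estimate_managed_identities(MEASURED, SAMPLED, 60))
```

With skewed samples the raw interval can fall below the number of identities already observed, which is why the lower bound is clipped to that floor.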

Rationale

Knowing the number of digital identities within an entity’s scope of responsibility is of critical importance to assure the fulfillment of this responsibility, whatever the responsibility is.

This indicator provides an indication of the volume of digital identities that the entity is expected to manage.

The number of identities is distinct from the number of entities. For instance, the number of entities only evolves as staff members and contractors are hired or leave the organization. The number of identities will be a factor of that number, and this factor will very much depend on whether the replication of identities throughout the information system is optimal (equal to the number of entities) or sub-optimal (larger than the number of entities).

Limitations and Complexities

Counting digital identities is complex. This is in good part due to the fact that digital identities may be found in and replicated throughout systems, directories and metadirectories, and distributed as part of federation schemes.

Data Sources

  • Applications

  • Directories

  • IAM Platforms

  • IT Applications Inventories

  • Metadirectories

Formula

Let X be the set of known identity repositories.

...

The formula for the indicator is then: i = |s(X, e, R)|

Derived Indicators

  • Workforce Entity / Identity Population Ratio

Related Indicators

  • Workforce Entity Population