OM-IND-0012: Managed Workforce Identity Population (Indicator)

ID

OM-IND-0012

Formal Name

Managed Workforce Identity Population

In-text Name

number of workforce managed identities

Version

1.0

Type

Base Indicator

Scale

Ratio Scale

Status

Draft

Definition

Number of digital identities linked to workforce entities within the scope of responsibility of the entity, excluding unmanaged distributed identities.

Components

Digital identity

cf. Digital Identity.

Workforce entity

This typically comprises permanent staff members, contractors, apprentices, etc.

Entity

The organization or organizational unit for whom performance is being measured.

Scope of responsibility

An item is within the scope of responsibility of an entity when that entity owns the item, or has been delegated responsibilities in relation with the item.

Unmanaged distributed identity

When digital identities are replicated (cf. Distributed Identity (Dictionary Entry)), a replica may or may not need to be actively managed by the entity, whatever the entity's detailed responsibilities are. This mainly depends on whether the entity is required to actively manage complementary attributes on the replica.

By definition, an identity replica that does not need to be actively managed by the entity should be excluded from the count because it does not require individual attention or efforts from the entity.

Samples

  • Application X uses SSO and is integrated with directory Y. Identities in Y are automatically synchronized into X with all required attributes, so no individual management of identities in X is required. Consequently, identities in Y are counted but identities in X are not.

  • Identity federation is set up between organizations X and Y, with Y trusting X identities. But Y has implemented a complementary verification process over X identities and therefore actively manages them. X identities federated into Y should thus be counted.

Estimation Methods

Counting managed identities exactly requires a mature IAM platform together with documentation of the identity distribution architecture (which repositories replicate from which, and under what responsibilities). Because this may be too complex or out of reach, an organization may perform an estimation instead.

The outcome of such an estimation should be a 95% confidence interval.

An organization that has a central identity directory may use the number of records it holds as a lower bound for the estimated range, since every identity there is managed by definition.

From there, complementary information may be used to refine the estimate, such as:

  • Individual measurements of the directories and applications known to contain the highest numbers of identities. This is an especially efficient approach if the organization uses a few large directories and applications and many small applications, as the large ones can be enumerated and the small ones sampled.

  • Provisioning information stored in an IAM platform (manual provisioning of identities is a good indication that those identities are actively managed).

  • SSO or authentication attributes recorded in IT application inventories (an application flagged as SSO-integrated and fully synchronized typically holds replicas that are not counted).

Once the estimation assumptions are documented, updating the estimate from period to period should be much easier. But the estimation assumptions should be regularly re-evaluated as well.

Rationale

Knowing the number of digital identities within an entity’s scope of responsibility is of critical importance to assure the fulfillment of this responsibility, whatever the responsibility is.

This indicator provides an indication of the volume of digital identities that the entity is expected to manage.

The number of identities is distinct from the number of entities. For instance, the number of entities only changes as staff members and contractors are hired or leave the organization. The number of identities is a multiple of that number, and the multiplier depends on whether the replication of identities throughout the information system is optimal (one managed identity per entity) or sub-optimal (many more managed identities than entities).

Limitations and Complexities

Counting digital identities is complex, largely because digital identities may be found in, and replicated throughout, systems, directories and metadirectories, and distributed as part of federation schemes.

Data Sources

  • Applications

  • Directories

  • IAM Platforms

  • IT Applications Inventories

  • Metadirectories

Formula

Let X be the set of digital identities, linked to workforce entities, found in the known identity repositories (each replica being a distinct element of X).

Let e be the entity.

Let R be the set of responsibilities assigned to e.

Let s(X, e, R) = Y be the function that returns Y, the subset of X such that for each digital identity y in Y, the entity e holds at least one responsibility in R over y. An unmanaged replica, over which e holds no responsibility, is therefore not in Y.

The formula for the indicator is then: i = |s(X, e, R)|
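As an added example (not part of the Open Measure page), the Python below implements s(X, e, R) and i = |s(X, e, R)| over constructed identity records and applies it to the two situations described under Samples: SSO replicas that need no individual management drop out because the entity holds no responsibility over them, while federated identities subject to a complementary verification process are retained. The responsibility names (provision, attributes, verify), the repository names and the records themselves are assumptions made for the example; the page does not prescribe a responsibility taxonomy.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Kinds of responsibility an entity may hold over an individual identity record.
# These three names are assumptions made for this example, not a taxonomy from the page.
PROVISION = "provision"    # creates, updates and deprovisions the record itself
ATTRIBUTES = "attributes"  # maintains complementary attributes on the record
VERIFY = "verify"          # runs a complementary verification process over the record


@dataclass(frozen=True)
class Identity:
    """One identity record in one repository; a replica is a separate record."""
    repository: str                 # repository holding this record
    subject: str                    # the (human) entity the record is linked to
    workforce: bool                 # linked to a workforce entity (staff, contractor, ...)
    replica_of: Optional[str]       # source repository when this record is a replica
    # (entity, responsibility) pairs: who must do what on this specific record. An
    # automatically synchronized replica that nobody has to touch individually has none.
    responsibilities: FrozenSet[Tuple[str, str]]


def s(X: Iterable[Identity], e: str, R: FrozenSet[str]) -> FrozenSet[Identity]:
    """The page's s(X, e, R): identities in X on which e holds a responsibility in R,
    restricted to workforce identities as the indicator definition requires."""
    return frozenset(
        y for y in X
        if y.workforce and {r for who, r in y.responsibilities if who == e} & R
    )


def managed_workforce_identity_population(X, e, R) -> int:
    """i = |s(X, e, R)|"""
    return len(s(X, e, R))


def breakdown_by_repository(X, e, R) -> Dict[str, int]:
    """Counted identities per repository, with zeros for repositories contributing
    nothing, which makes correctly excluded unmanaged replicas visible."""
    counted = s(X, e, R)
    return {repo: sum(1 for y in counted if y.repository == repo)
            for repo in sorted({y.repository for y in X})}


def _rec(repo, subject, owner, *resp, workforce=True, replica_of=None):
    """Helper to build a record on which `owner` holds responsibilities `resp`."""
    return Identity(repo, subject, workforce, replica_of,
                    frozenset((owner, r) for r in resp))


# Constructed sample data mirroring the page's two samples, measured for entity "orgY".
ORG_Y = "orgY"
SAMPLE_X = frozenset([
    # Sample 1: the central directory Y holds the master records (counted) ...
    _rec("dir-Y", "alice", ORG_Y, PROVISION, ATTRIBUTES),
    _rec("dir-Y", "bob", ORG_Y, PROVISION, ATTRIBUTES),
    _rec("dir-Y", "carol", ORG_Y, PROVISION, ATTRIBUTES),
    # ... and application X receives them via SSO sync with all attributes: no
    # individual management, so orgY holds no responsibility on the replicas (not counted).
    _rec("app-X", "alice", ORG_Y, replica_of="dir-Y"),
    _rec("app-X", "bob", ORG_Y, replica_of="dir-Y"),
    _rec("app-X", "carol", ORG_Y, replica_of="dir-Y"),
    # Sample 2: identities federated from organization X into Y, over which Y runs a
    # complementary verification process, so Y actively manages them (counted).
    _rec("dir-Y", "dave", ORG_Y, VERIFY, replica_of="dir-X"),
    _rec("dir-Y", "erin", ORG_Y, VERIFY, replica_of="dir-X"),
    # A contractor provisioned by hand in a standalone application (counted).
    _rec("app-Z", "frank", ORG_Y, PROVISION),
    # A customer account in the same directory: not a workforce entity (not counted).
    _rec("dir-Y", "cust-4711", ORG_Y, PROVISION, workforce=False),
])
ALL_R = frozenset({PROVISION, ATTRIBUTES, VERIFY})

if __name__ == "__main__":
    print(managed_workforce_identity_population(SAMPLE_X, ORG_Y, ALL_R))
    print(breakdown_by_repository(SAMPLE_X, ORG_Y, ALL_R))
```

Narrowing R is how the same function answers a narrower question: with R = {provision} only the records orgY provisions itself are counted and the federated identities, on which it only verifies, drop out.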

Derived Indicators

  • Workforce Entity / Identity Population Ratio

Related Indicators

  • Workforce Entity Population





This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.