Saturday, January 19, 2008

Systems using Binary Identity Models

When dealing with identity system constructs, such as end users logging into online accounts and the like, I often find it useful to decompose the actors into a system of connected binary identity models. It's kind of like two stars falling around each other in a mutual gravitational embrace.
Or something.
:-)

A Simple Identity Model (SIM)


In so doing, I employ a very atomic and simple abstract identity model. The following is the definition of the Simple Identity Model:

A formalization of entities and their groups. The formalization includes that which distinguishes entities within the group.
Some definitions are in order: An entity is simply something that can formalized, and a group is just a collection of zero or more entities. The definition of identity, in this context, is simple and natural: "that which distinguishes entities within a group". (See again the definition of the "Simple Identity Model" above.)

Examples:

SIM1:   My poker buddies
I play poker with this group every third week.


Entity: A human being with which I play poker.
Group: Jim, Craig, Karen, Lee, and sometimes
Blake.
Identity: Distinguished using my normal means
of separating humans (name, appearance,
etc.)


SIM2: My online widget store's user accounts
My company has a website that it uses to sell
its widgets.


Entity: Record in the user_account SQL table
(along with all child records in
tables email, phone, purchases,
etc.)
Group: All records in user_account table.
Identity: Distinguished by PK of the
user_account table.


SIM3: My blogging website's user comment
identifiers
My company offers a blogging web site where
users can leave comments on blog postings
if they leave an unique identifier (in the
form of a URL).


Entity: Unique "comment identifier URL"
Group: All "comment identifier URLs" ever
used at the blogging website.
Identity: Distinguished by the text value
of the URL.

Here's a quick look at the notion of authentication within the three identity models:

In SIM1, any notion of authentication has to do with my inherent ability to distinguish human beings. (Usually, when I get to the point where I cannot distinguish Craig from Karen, that's when I know that I've had a few too many beers at the old poker table.)

In SIM2, there needs to be a means of verifying that an end user behind a web browser has been authenticated as the owner of a given account. (We are, after all, going to bill his or her credit card, so authentication would be very helpful.)

In SIM3, there needs to be a means of verifying that an end user behind a web browser has been authenticated as the owner of a given comment identifier URL.

If you look closely, you may notice something: None of the three identity models above say anything whatsoever about the notion of authentication (or an end user.) So why don't the SIMs cover this?

It is because the abstract identity model definition (repeated here, from above) ...

A formalization of entities and their groups. The formalization includes that which distinguishes entities within the group.

... does not have any support for notions such as authentication or end users.

Expand the model?

It might be tempting at this point to say that the Simple Identity Model is not very useful--that it doesn't support constructs such as end users and authentication--and that we would need to add these constructs in order to make it useful.

I think it better, however, to keep the identity model abstraction in its atomic form.

Instead we can model the authentication and the end user by spinning off, so to speak, a new SIM--call it SIM4--and then by defining the connections between two SIMS. (And, woohoo, we will have our system of binary identity models.)

Let's look at SIM2. We need a way of verifying that an end user behind a web browser has been authenticated as the owner of a given account, so that he or she can buy widgets. We spin off SIM4 to define that user.

SIM4:   End users who have accounts at at my
online widget store
... and who we'd like to authenticate, because
we are going to bill their credit cards.


Entity: Human being who buys widgets at my
company's online widget store.
Group: All the human beings who buy widgets
at my company's online widget store.
Identity: Distinguished by the Cardspace PPID
used to communication with my the
online widget store.


SIM Connections:

We can now formalize connections between the entities of the given identity models. (Conceptually, we can draw the lines between the entities in one SIM and the entities in another SIM.)

For example, the connection between SIM4 and SIM2 can be formalized as: the entity (the end user) in SIM4 uses the entity (the user account) in SIM2 when he or she buys online widgets. It should be noted that the connections are not necessarily one-to-one. For example, a given end-user in SIM4 might use two separate accounts at the widget store.

Authentication, then, is simply whatever means used to validate a given entity connection between two identity models.

Summary:

Rather than attempting to complicate a simple identity model by adding constructs such as authentication, it is better to keep the abstract model in its most atomic form and then to define notions such as authentication in terms of connections between entities in different identity models.


5 comments:

=andy.dale said...

It's not clear to me how you feel about the reification of relationships in this model. My SIM says that Entities and Relationships are both full fledged top level classes..... you?

Andy

Steve Churchill said...

Andy,

The relationship (I call it "connection") in my example is between the end user in SIM4 and the user account in SIM2 and this particular relationship establishes that a SIM4 entity can authentiticate as the owner of a SIM2 entity.

This particular relationship may or may not be reified in a given implemenation, but certainly it could be.

The point of the article is that the atomic building block is a very simply defined abtract identity model--it only deals with entities and the means of distinguishing them--and then constructs such authentication are layered in at the molecular level.

- Steve

Steve Churchill said...

Andy,

I should add that I don't think that the end-user behind the web browser and the user account in the RDBMS are typically modeled as two entities in two different identities models--but I'm saying that they should be.

I am not saying, however, that this type of modelling necessarily translates into classes or code. I think the two types of modelling fulfill different purposes.

~ Steve

Drummond Reed said...

Steve, great article, crystal clear. I really like this way of modelling it. I bet there might even be a very clean definition of what "authentication" means using this model. Have you thought about that?

=Drummond

Steve Churchill said...

Drummond,

My intention is to define a layer of abstraction that formalizes the entity, group, and how the entities are distinguished within the group--I'm not sure that there needs to be more formalism around the notion of authentiation at this layer of abstraction.

If the online store allows both Cardspace and OpenID authentication, then the entities in its end-user SIM are distinguished by OpenIDs -OR- by PPIDs. Each distinct OpenID clearly identifies a unique entity, and each distinct PPID also identifies a unique entity. It is up to the online store, then, to determine if it wants to allow many-to-one connections from the end-user SIM to the user account SIM (ie., if it wants to allow mapping mutiple OpenIDs, multiple PPIDs, or both, to the same user account.)

My thinking is that this is where this layer of abstraction should end w.r.t. authentication.

~ Steve