
Don’t duplicate Groups in Identity Systems

Nick Gibbon
Published in Pareture
2 min read · Nov 30, 2020


There is often a better way

I recently posted about how you should try to avoid duplicating Identity in Software Systems because there is almost always a better way to organise things. This short post is on a similar theme and has a similar conclusion.

Identity systems store identities: users (people) and other entities such as bots or service accounts. Using various protocols and technologies, an application can rely on a trusted external identity system to authenticate an entity, that is, to gain confidence that it is dealing with who or what it thinks it is dealing with. The application can then authorise the entity, assigning it specific permissions: the ability to perform particular actions.

To make AuthN and AuthZ manageable, these concepts are usually implemented as a two-level scheme. Similar entities are organised into groups in the identity system, and permission sets are organised into roles in each application. Mappings between groups and roles tie the two together. Because the mapping depends on what each application lets you configure, its implementation is case by case.

The observability software Grafana provides a good example of how external identities can integrate with internal permissions, in this case Azure Active Directory using the OAuth2 protocol. The integration works by assigning an AD group to an AD role and then mapping that AD role to a Grafana role.

It’s uncontroversial to say that you should enact a clear and comprehensive strategy when it comes to identity groupings in your organisation but there are probably different sensible ways to achieve this. I have my own opinions that I will try to express in another post.

The only advice I want to provide on this topic through this post is the following:

If you have many groups in your identity system and many of those groups contain exactly the same entities (the member sets are equivalent), then please consider better ways to structure your groups and mappings.
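The check behind that advice is mechanical, so here is an added example (not code from the original post) that finds groups with identical membership in a directory export and rewrites application role mappings to point at one canonical group. The group names, members and role mappings are constructed sample data; in practice they would come from an LDAP query or a Graph API call, and the choice of "alphabetically first" as the canonical group is an arbitrary stand-in for a naming decision your organisation would actually make.

```python
"""Find identity groups whose membership sets are exactly equal and collapse
role mappings onto a single canonical group per equivalence class.

Added example with constructed data; not a real directory export.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: group name -> set of member identities.
# Three of these groups have identical membership (order differs, sets do not).
GROUPS: Dict[str, FrozenSet[str]] = {
    "grafana-editors": frozenset({"alice", "bob", "carol"}),
    "kibana-editors": frozenset({"alice", "bob", "carol"}),
    "jenkins-devs": frozenset({"carol", "bob", "alice"}),
    "grafana-admins": frozenset({"dave"}),
    "oncall": frozenset({"alice", "dave"}),
    "empty-legacy": frozenset(),
}

# Constructed sample: (application, role) -> identity group granting that role.
ROLE_MAPPINGS: Dict[Tuple[str, str], str] = {
    ("grafana", "Editor"): "grafana-editors",
    ("kibana", "editor"): "kibana-editors",
    ("jenkins", "developer"): "jenkins-devs",
    ("grafana", "Admin"): "grafana-admins",
}


def find_equivalent_groups(groups: Dict[str, FrozenSet[str]]) -> List[List[str]]:
    """Return classes of group names whose member sets are exactly equal.

    Groups are bucketed by their (hashable) member set; any bucket holding more
    than one group is a consolidation candidate. Each class is sorted, and the
    classes are sorted by their first name, so the output is deterministic.
    """
    by_members: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for name, members in groups.items():
        by_members[members].append(name)
    classes = [sorted(names) for names in by_members.values() if len(names) > 1]
    return sorted(classes)


def consolidate_mappings(
    groups: Dict[str, FrozenSet[str]],
    mappings: Dict[Tuple[str, str], str],
) -> Tuple[Dict[Tuple[str, str], str], List[str]]:
    """Point every role mapping at one canonical group per equivalence class.

    The canonical group is the alphabetically first name in its class (an
    arbitrary choice for the example). Returns the rewritten mappings and the
    sorted list of groups that no longer grant anything and can be retired.
    """
    canonical: Dict[str, str] = {}
    for cls in find_equivalent_groups(groups):
        keep = cls[0]
        for name in cls:
            canonical[name] = keep
    new_mappings = {key: canonical.get(group, group) for key, group in mappings.items()}
    redundant = sorted(name for name, keep in canonical.items() if name != keep)
    return new_mappings, redundant


if __name__ == "__main__":
    for cls in find_equivalent_groups(GROUPS):
        print("identical membership:", ", ".join(cls))
    rewritten, retire = consolidate_mappings(GROUPS, ROLE_MAPPINGS)
    for (app, role), group in sorted(rewritten.items()):
        print(f"{app}/{role} <- {group}")
    print("groups that can be retired:", retire)
```

Run it against a real export before merging anything: equal membership today can be coincidence rather than shared intent, so treat each reported class as a prompt to confirm the groups mean the same thing, not as an automatic merge. Groups that are empty or whose membership is a strict subset of another are a different finding and are deliberately not flagged here.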

What do your identity groupings look like?

This is a particularly good area to focus on and try to simplify because whilst the identity system is only one application, the nature of its function means it has a significant relationship with lots of other applications. And a significant effect on the daily work of many teams across the organisation.

Nick Gibbon
Pareture

Software reliability engineer & manager in cloud infrastructure, platforms & tools.