This document discusses modeling and evaluating complex user entitlements using JSON and REST. It provides background on the author and his experience in identity and access management. It then outlines ways to model entitlements using JSON attributes in a directory, including defining matching rules and constraints. Examples of modeling entitlements for employees and consumers are provided. Finally, it discusses evaluating entitlements via REST APIs and how Ping Data Governance can enable flexibility in modeling and modifying data returned to clients.
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Modelling and evaluating complex user entitlements in directory services using JSON and REST
1. Mark Perry, APAC CTO
markperryau
markperry@pingidentity.com
Modelling and evaluating complex
user entitlements in directory
services using JSON and REST
2. • Based in Melbourne, Australia
• Nearly 30 years in IT
• Most in Identity
• Likes whiskey, good coffee
• Passionate about Australian Rules
Football
• Plays golf
3. Career in IAM and Digital Identity
• IBM
• /etc/password, YP, NIS
4. Career in IAM and Digital Identity
• IBM
• /etc/password, YP, NIS
• Netscape
• Directory Server v1 & 3
5. • Career in IAM and Digital Identity
• IBM
• /etc/password, YP, NIS
• Netscape
• Directory Server v1 & 3
• Sun Microsystems
• SunAM, SunIM, Liberty Alliance, SAML
6. • Career in IAM and Digital Identity
• IBM
• /etc/password, YP, NIS
• Netscape
• Directory Server v1 & 3
• Sun Microsystems
• SunAM, SunIM, Liberty Alliance, SAML
• Ping Identity
• OAuth2, OIDC
• Open Banking
7. LDAPsql
• Command line tool
• PL/SQL-like
• Use SQL syntax
against directories
• Create views,
synonyms, etc.
• DISTINCT, COUNT,
MAX, MIN, ORDER BY
ASC DESC, etc.
• Written in Java
• Pretty output & LDIF
• CRUD
• INSERT is wizard-
driven
11. Why Store
Entitlements In
The Directory?
§ Centralisation
– Single View, Audit
§ Control
– Limit rogue admins
§ Performance
– vs CRM, MDM, etc.
§ Access
– Developer friendly