Defining a Federated Account
What is a Federated Account and why is it important? In the context of Governance, Risk, and Compliance (GRC) and Security Operations (SecOps), ensuring seamless integration and coordination between different tools and systems is crucial. A federated JSON structure can serve as a standardized method to share user and group information across multiple applications, enabling efficient "baton passing" and maintaining consistent user management. Below, we present an argument for implementing such a structure, supported by the information from the provided documents.
Key Components of the Federated JSON Structure
- Element ID and @id: These unique identifiers ensure that every user and account can be distinctly identified across different systems, preventing duplication and inconsistencies.
- Core Metadata and Context: Including core metadata and context in the JSON structure provides essential details about each entity (user, account, organization), ensuring that all systems have access to the same foundational information.
- Organization and Person Linkage: By linking users to organizations and persons through email addresses, systems can easily identify and manage affiliations, enhancing the coordination of user roles and responsibilities.
- Account Membership and Groups: Defining account memberships with arrays of groups and initiatives allows for clear delineation of user roles within different contexts. This structure supports dynamic and flexible management of user permissions and responsibilities.
- Active Subscription and Enablements: Including subscription information and enablements ensures that all systems are aware of the current status and capabilities of an account, enabling appropriate access and functionality.
Accounts
Accounts exist within Products and are unique entities created for groups of Users; the Account serves as the primary access point for using the product’s services. As with every Thing, elementId, @id, coreMetaData, and context are always present on an Account.
Property | Expected Type | Description |
---|---|---|
elementId | String | A unique and persistent identifier for the record within the system's data set. |
@id | URL | The full unique link to the item so it's traversable by that property. |
coreMetaData | Object | The object representation of the Thing CoreMetaData. |
users | Array | An array of User objects. |
context | Context | The JSON-LD context for the item in question. |
organization | Object | The object representation of the Thing Organization. |
activeSubscription | Object | The object representation of the Thing ActiveSubscription. |
accountMembership | Object | The various memberships a User can belong to within an Account. |
product | Object | The object representation of the Thing Product. |
Users
Accounts contain an array of Users.
Organization
The first User that creates the Account sets the owning Organization.
Active Subscription
The subscription information tracks the Account’s begin and end dates, Live Status, and various enablements.
Property | Expected Type | Description |
---|---|---|
liveStatus | String | A Boolean field of "live" (1::boolean) or "deprecated" (0::boolean). |
beginDate | Datetime | The start date of the subscription. |
endDate | Datetime | The end date of the subscription. |
enablements | Array | An array of Enablement objects. |
Enablements
Each Enablement will have a name and an optional description, as well as the enablement’s Live Status. Because enablements can change, an element ID should also be present.
Property | Expected Type | Description |
---|---|---|
name | String | The name of the item or record. |
liveStatus | String | A Boolean field of "live" (1::boolean) or "deprecated" (0::boolean). |
description | String | This describes a Thing or Property. |
elementId | String | A unique and persistent identifier for the record within the system's data set. |
Account Membership
Account Membership contains an array of the Account groups and initiatives that exist within the account. Each Group and Initiative will contain the name and element ID of the Thing represented by the Object.
Account Group
The Account Group (as opposed to a Group, which defines a type of organization) doesn’t need to contain much information: just the name, the description, and an optional contact email for the group.
Property | Expected Type | Description |
---|---|---|
 | | Primary Electronic Mail address. |
name | String | The name of the item or record. |
description | String | This describes a Thing or Property. |
elementId | String | A unique and persistent identifier for the record within the system's data set. |
@id | URL | The full unique link to the item so it's traversable by that property. |
coreMetaData | Object | The object representation of the Thing CoreMetaData. |
context | Context | The JSON-LD context for the item in question. |
Account Initiative
Initiatives differ slightly from Groups in that an initiative normally has a begin and an end date.
Property | Expected Type | Description |
---|---|---|
 | | Primary Electronic Mail address. |
name | String | The name of the item or record. |
description | String | This describes a Thing or Property. |
elementId | String | A unique and persistent identifier for the record within the system's data set. |
beginDate | Datetime | The start date of an Initiative. |
endDate | Datetime | The end date of an Initiative. |
@id | URL | The full unique link to the item so it's traversable by that property. |
coreMetaData | Object | The object representation of the Thing CoreMetaData. |
context | Context | The JSON-LD context for the item in question. |
Product
This is simply the name of the product the Account is assigned to.
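The following is an added example, not code from the original specification: a small validator and access-decision helper that applies the property tables above to a constructed Federated Account document. It checks that every Thing (the Account, each Account Group and each Account Initiative) carries elementId, @id, coreMetaData and context, that liveStatus values are "live" or "deprecated", and that date windows are ordered, and then derives which enablements a consuming system may honour at a given moment (only those that are live, and only while the subscription itself is live and within its dates). The sample document, its URLs, names and dates, and the `createdBy` key inside coreMetaData are placeholders assumed for the example; the page does not define the contents of coreMetaData.

```python
from datetime import datetime

# Every Thing carries these four properties (Accounts section of the page).
THING_REQUIRED = ("elementId", "@id", "coreMetaData", "context")
LIVE_STATUS_VALUES = ("live", "deprecated")

# Constructed sample document; URLs, names, dates and the coreMetaData
# contents are illustrative placeholders, not values from the page.
SAMPLE_ACCOUNT = {
    "elementId": "acct-0001",
    "@id": "https://grc.example/accounts/acct-0001",
    "coreMetaData": {"createdBy": "alice@example.com"},
    "context": "https://grc.example/context/federated-account.jsonld",
    "product": {"name": "Example GRC Suite"},
    "organization": {"name": "Example Org", "elementId": "org-0001"},
    "users": [{"elementId": "user-0001", "email": "alice@example.com"}],
    "activeSubscription": {
        "liveStatus": "live",
        "beginDate": "2024-01-01T00:00:00Z",
        "endDate": "2024-12-31T23:59:59Z",
        "enablements": [
            {"elementId": "en-01", "name": "audit-export", "liveStatus": "live"},
            {"elementId": "en-02", "name": "legacy-api", "liveStatus": "deprecated"},
        ],
    },
    "accountMembership": {
        "groups": [{"elementId": "grp-01", "@id": "https://grc.example/groups/grp-01",
                    "coreMetaData": {}, "context": "https://grc.example/context/group.jsonld",
                    "name": "auditors"}],
        "initiatives": [{"elementId": "ini-01", "@id": "https://grc.example/initiatives/ini-01",
                         "coreMetaData": {}, "context": "https://grc.example/context/initiative.jsonld",
                         "name": "soc2-2024", "beginDate": "2024-03-01T00:00:00Z",
                         "endDate": "2024-06-30T00:00:00Z"}],
    },
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp (a trailing 'Z' is accepted) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def missing_fields(obj, required):
    """Return the names in `required` that are absent from the mapping `obj`."""
    return [f for f in required if f not in obj]


def window_ordered(obj):
    """True when obj has beginDate and endDate and beginDate is not after endDate."""
    return ("beginDate" in obj and "endDate" in obj
            and parse_ts(obj["beginDate"]) <= parse_ts(obj["endDate"]))


def validate_account(doc):
    """Return a list of problems; an empty list means the document is well-formed."""
    problems = [f"account missing {f}" for f in missing_fields(doc, THING_REQUIRED)]
    if not isinstance(doc.get("users"), list) or not doc["users"]:
        problems.append("account must contain a non-empty users array")
    sub = doc.get("activeSubscription")
    if not isinstance(sub, dict):
        problems.append("activeSubscription missing")
    else:
        if sub.get("liveStatus") not in LIVE_STATUS_VALUES:
            problems.append("activeSubscription.liveStatus must be 'live' or 'deprecated'")
        if not window_ordered(sub):
            problems.append("activeSubscription needs beginDate <= endDate")
        for en in sub.get("enablements", []):
            # Enablements carry an elementId because they can change over time.
            problems += [f"enablement missing {f}"
                         for f in missing_fields(en, ("elementId", "name", "liveStatus"))]
            if en.get("liveStatus") not in LIVE_STATUS_VALUES:
                problems.append(f"enablement {en.get('name')} has invalid liveStatus")
    membership = doc.get("accountMembership", {})
    for item in membership.get("groups", []):
        problems += [f"group missing {f}" for f in missing_fields(item, THING_REQUIRED + ("name",))]
    for item in membership.get("initiatives", []):
        problems += [f"initiative missing {f}" for f in missing_fields(item, THING_REQUIRED + ("name",))]
        if not window_ordered(item):
            problems.append(f"initiative {item.get('name')} needs beginDate <= endDate")
    return problems


def subscription_active(doc, now_iso):
    """True only when the subscription is live and `now` falls inside its dates."""
    sub = doc["activeSubscription"]
    now = parse_ts(now_iso)
    return (sub["liveStatus"] == "live"
            and parse_ts(sub["beginDate"]) <= now <= parse_ts(sub["endDate"]))


def effective_enablements(doc, now_iso):
    """Enablement names a consuming system may honour at `now`: none unless the
    subscription is active, and then only the enablements that are themselves live."""
    if not subscription_active(doc, now_iso):
        return []
    return sorted(e["name"] for e in doc["activeSubscription"]["enablements"]
                  if e["liveStatus"] == "live")


def active_initiatives(doc, now_iso):
    """Names of initiatives whose begin/end window contains `now`."""
    now = parse_ts(now_iso)
    return sorted(i["name"] for i in doc.get("accountMembership", {}).get("initiatives", [])
                  if parse_ts(i["beginDate"]) <= now <= parse_ts(i["endDate"]))


if __name__ == "__main__":
    print("problems:", validate_account(SAMPLE_ACCOUNT))
    print("enablements now:", effective_enablements(SAMPLE_ACCOUNT, "2024-04-15T00:00:00Z"))
    print("initiatives now:", active_initiatives(SAMPLE_ACCOUNT, "2024-04-15T00:00:00Z"))
```

The design point is that a deprecated enablement or an expired subscription yields an empty enablement list rather than an error, so a receiving system that pattern-matches on the list fails closed when the baton-passed record goes stale; validation is kept separate so a malformed record can be rejected before any access decision is taken from it.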