According to the question c03.046 of CCSP Official Practice Tests, the process of identity management includes maintenance.
What exactly do you think is maintenance? For example, does it include changing passwords and permissions?
Thank you, @JoeBuilder
I should have given you options of the question. They are as follows.
Then I have reviewed your ideas and my ones. Here are my thoughts:
So I am still wondering what exactly identity maintenance activities are.
Very good question, @Masahiro
As others have pointed out, maintenance would involve reconfirming currently assigned roles, removing roles no longer held by the assignee, adding new roles then approved, and adding or changing other secondary data in the database, such as answers to challenge questions used for forgotten password tasks. Depending on the ID database, it may also involve updating or confirming secondary contact information, assigned supervisor (needed to confirm current privileges and roles), etc.
Thank you, @CraginS
I have understood as follows.
Identities start with provisioning, continue to be maintained and end with deprovisioning. It is the identity and access management lifecycle. So there are many activities in the maintenance phase.
I found the definition of maintenance in the process of identity management. ISO/IEC 24760-1:2019 defines it as follows.
An identity management system can perform maintenance on identity information it has registered by changing one or more of the attribute values in an identity. An identity management system shall specify mechanisms for maintaining the integrity and accuracy of attributes it stores. It shall maintain the identity information stored in the register as an accurate representation of the identity. An identity information authority shall provide the most accurate data available for an identity in a process that respects privacy.
You can download it from the following website for free.
Considering only Identity Management as part of the IAM, it includes provisioning (identity assertions) and password management. Password management covers generation, storage and security controls.
If we talk about permissions, that is part of RBAC, and access management. That is part of IAM, but not of the Identity Management.
I might be wrong. Please refer to the Official Study guide, section 7.4.
Hope it may help,
In my opinion, maintenance in IAM consists of a life cycle approach - JML or Joiners, Movers, and Leavers. Each part of the cycle includes onboarding, role change, and separation. Each of these includes differing amounts of maintenance activities. For example, joiners would include creation of the account, provisioning initial permissions to objects, communication to the end user, etc. Movers would require modification in terms of adding or removing permissions, re-evaluation of application provisioning, etc. Leavers have maintenance of deprovisioning of all access, placing the account in a disabled state, updating reporting, etc.
Maintenance to me is a security operations function.
Agree, mainly it is the JML process: joiner, mover and leaver.
Depends how you consider it (some consider the below as security compliance):
may also be considered part of maintenance.
The part that catches my eye in *maintenance* not mentioned - is that this is not a 1 time event 3 years ago - but implies an intentional routine check-up frequency or other effort to gain comfort an automated process control design is still working effectively (i.e., does not exclude new systems, entities, directories, attributes, credentialing secret types, changed policies requirements, etc.).