Thursday, November 06, 2008

Enterprise Identifiers

I've been thinking recently about how one should be identified within the enterprise.
It's no secret that there are several identifiers that are used by an organization for identification. Some examples include:
  • Government issued numbers - Using identifiers such as Social Security or driver's license numbers is legal, if not mandatory, in some places. These are convenient because a private organization doesn't have to maintain them, but that same dependence can present problems, not to mention privacy and legal conflicts.
  • Email address - IDs based on email address offer guaranteed uniqueness; however, these can change over time with life changes, particularly when they are based on the user's name.
  • Name combinations - Creating an ID made up of the first x characters of the first name and the first y characters of the surname has both good and bad points. These are wonderful because they are easy for the end user to remember; however, IT faces challenges in making sure that all IDs are unique.
  • Application-centric IDs - Some applications create their own sequenced IDs. These tend to be easier for IT and application owners, but they tend not to be as easy for people to remember. They also have the advantage of not revealing much personal information about who is behind the login ID. For instance, there's no way for anyone to know that user ID H10032 is really Matt Pollicove (FYI - not my user ID). They can still convey some basic information through simple formatting, such as having certain characters indicate employment status, whether the ID is for a service account, or whether the account is tied to a particular group or location. However, this degree of tight formatting tends to make the user IDs not terribly portable as status changes occur.

Once conventions are set for how users are to be identified within the enterprise, some additional challenges arise depending on how the user entries are used within the enterprise.
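To make the trade-offs above concrete, here is an added example (my own code, not from the post) that allocates name-combination IDs with collision handling next to opaque sequenced IDs in the H10032 style; the roster and the status values are constructed, and the x/y lengths are assumptions.

```python
import itertools
import re

# Constructed sample roster (hypothetical people, not from the post).
ROSTER = [("Matt", "Pollicove"), ("Mary", "Pollicove"), ("Jean-Luc", "O'Brien")]


def name_id(first: str, last: str, x: int = 1, y: int = 7) -> str:
    """Name-combination base ID: x letters of the first name plus y letters of
    the surname, lowercased and stripped to a-z so punctuation never leaks in."""
    clean = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return clean(first)[:x] + clean(last)[:y]


class NameIdAllocator:
    """Hands out name-based IDs; on a collision it appends 2, 3, ... so that
    every ID stays unique (the uniqueness burden the post places on IT)."""

    def __init__(self) -> None:
        self.taken: set[str] = set()

    def allocate(self, first: str, last: str) -> str:
        base = candidate = name_id(first, last)
        for n in itertools.count(2):
            if candidate not in self.taken:
                break
            candidate = f"{base}{n}"  # e.g. mpollico -> mpollico2
        self.taken.add(candidate)
        return candidate


class OpaqueIdAllocator:
    """Sequenced IDs: a constant prefix plus a counter. Status is kept as a
    separate attribute, so a status change never forces a new login ID."""

    def __init__(self, prefix: str = "H", start: int = 10000) -> None:
        self.prefix = prefix
        self.counter = itertools.count(start)
        self.status: dict[str, str] = {}

    def allocate(self, first: str, last: str, status: str = "employee") -> str:
        uid = f"{self.prefix}{next(self.counter)}"  # nothing personal encoded
        self.status[uid] = status
        return uid

    def change_status(self, uid: str, status: str) -> str:
        self.status[uid] = status  # the attribute changes, the ID does not
        return uid


def status_prefixed_id(status: str, seq: int) -> str:
    """The tightly formatted alternative (constructed convention): the first
    character encodes status, so employee -> contractor means a new ID."""
    return {"employee": "E", "contractor": "C", "service": "S"}[status] + str(seq)
```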

Which one is right? Which one is wrong? I don't think there is any one correct answer beyond what works for the organization. Certainly, from a security and privacy perspective, showing less information rather than more is better, but does this really solve anything? Identity information is still exposed via external services such as portals, white pages and other search methods. So even if personal information is abstracted behind a different identifier, it can still be determined.
