This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview [1] [2] [3]
[Best Practices] gathered from years of experience and other knowledgeable sources.
There are, of course, exceptions.
However, I doubt that anyone who has followed these "Principles" has ever regretted it.
* [Unique Identifiers] [SHOULD] be unique.
* [Unique Identifiers] [SHOULD] be a Lifetime identifier.
* [Unique Identifiers] [SHOULD] be issued from a central authority.
* [Unique Identifiers] [SHOULD] be stored in all relevant systems/data bases.
* [Unique Identifiers] [SHOULD] __never__ be re-issued.
* [Unique Identifiers] [SHOULD] be assigned to all [entities|Entity].
In addition to the above, I would strongly recommend that the [Unique Identifier] be used for the naming attribute. If the [Unique Identifier] persists for the lifetime of the [Entity], then there are the following advantages:
* No rename of entries should be encountered.
* [Auditing] trails are easier to follow.
In a tree of any size, looking for jdoe0001 or jdoe0002 will be done by performing a search.
!! Things to Think About
* [Security]
* [User Experience]
* Administration
* [Auditing]
!! Avoid Use of [Personal data] or [Private data] in [Unique Identifiers]
The use of any [Personal data] in [Unique Identifiers] [SHOULD] be avoided. The [United States Privacy Act] of [1974|Year 1974], the [Family Educational Rights and Privacy Act] ([FERPA]) and many State statutes regulate the collection, use, and dissemination of [Private data].
The suggested [Best Practice] is that an arbitrary [Unique Identifier] [SHOULD] be created for each [Entity] (or [LDAP Entry]) and that this identifier should provide [anonymity] for the [entity].
!! [Best Practices For LDAP Naming Attributes]
Some ideas on [Best Practices For LDAP Naming Attributes]
!! [Ambiguous Naming Resolution Algorithm]
[Ambiguous Naming Resolution Algorithm] may make it easier to locate the proper identity.
!! [Unique Value Finder]
We wrote a [tool to generate Unique Identifiers|Unique Value Finder].
!! Used for Login
If the [Unique Identifier] must be used for [Authentication] (i.e. as the [UserId]), its length and complexity become important.
Most [Users] will have trouble remembering [UserIds] longer than 8 characters. Of course, after a few hundred uses, up to 10 characters is usually not an issue for this [Human Limitation].
Using [UUIDs] for [UserId] generally will not work due to the complexity.
!! Some [Examples]
[B003281] was a [Unique Identifier] that was implemented in a large [Organizational Entity].
It just so happened that this particular [Organizational Entity] merged with another [Organizational Entity] whose [Unique Identifiers] all started with an "A". So from the [Unique Identifiers] perspective there were no collisions.
[B003281] can handle 999,999 [entities|Entity], and it would be relatively easy to move to A000001 and get another 999,999 [entities|Entity].
If you allow any character to be alphanumeric, then there are 36 possible values for each character, which for 6 characters is (26+10)^6 = 2,176,782,336.
The number of possible values if we use up to:
%%zebra-table
%%sortable
%%table-filter
||Characters||[Example]||Math||Number of Values
|6|B003281|(26+10)^6|2,176,782,336
|8|B00003281|(26+10)^8|2,821,109,907,456
/%
/%
/%
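The following is an added example, not code from the original page or from any tool it mentions. It models the principles listed in the Overview (a central authority issues opaque, lifetime identifiers that are never re-issued to a second entity), the merger scenario above (two prefixed namespaces checked for collisions), and the capacity figures in the table. The prefix-plus-fixed-width-counter layout, the ''entity_key'' used to recognise an entity before it has an identifier (think of an internal onboarding record reference), and all sample values are assumptions made for the example.

```python
"""Added example (not the wiki page's own code): a small central identifier
authority for a prefixed, fixed-width identifier scheme like B003281.

Assumptions made here, not stated on the page: the prefix is fixed per
authority, the counter part is rendered over a chosen alphabet, and an
entity is recognised by an opaque entity_key supplied by the caller.
"""
import string

DIGITS = string.digits                           # 10 symbols, as in B003281
ALNUM = string.digits + string.ascii_uppercase   # 36 symbols, the page's (26+10)


def capacity(alphabet: str, width: int) -> int:
    """Distinct values a fixed-width field over `alphabet` can take: len(alphabet)**width."""
    return len(alphabet) ** width


def encode(n: int, alphabet: str, width: int) -> str:
    """Render counter n as a zero-padded, fixed-width string over `alphabet`."""
    if not 0 <= n < capacity(alphabet, width):
        raise ValueError("counter is outside the identifier space")
    chars = []
    for _ in range(width):
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    return "".join(reversed(chars))


class IdentifierAuthority:
    """Central issuer for one prefix.

    Identifiers are opaque (they carry no personal data), are bound to an
    entity for that entity's lifetime, and are never handed to a second entity.
    """

    def __init__(self, prefix: str, alphabet: str = DIGITS, width: int = 6):
        self.prefix = prefix
        self.alphabet = alphabet
        self.width = width
        self._next = 1                # the all-zero value is skipped, so width 6 gives 999,999 ids
        self._by_entity: dict = {}    # entity_key -> identifier, kept for the entity's lifetime
        self._by_ident: dict = {}     # identifier -> entity_key
        self.retired: set = set()     # identifiers whose entity has left; never reissued

    def remaining(self) -> int:
        """Identifiers still unallocated under this prefix."""
        return capacity(self.alphabet, self.width) - self._next

    def issue(self, entity_key: str) -> str:
        """Return the entity's identifier, allocating a fresh one only on first sight."""
        if entity_key in self._by_entity:            # lifetime identifier: same entity, same value
            ident = self._by_entity[entity_key]
            self.retired.discard(ident)               # a returning entity gets its own id back
            return ident
        if self.remaining() <= 0:
            raise RuntimeError(f"prefix {self.prefix!r} exhausted; allocate a new prefix")
        ident = self.prefix + encode(self._next, self.alphabet, self.width)
        self._next += 1                               # the counter only moves forward
        self._by_entity[entity_key] = ident
        self._by_ident[ident] = entity_key
        return ident

    def retire(self, ident: str) -> None:
        """Mark an identifier's entity as gone. The value stays reserved and is never reused."""
        if ident not in self._by_ident:
            raise KeyError(ident)
        self.retired.add(ident)

    def issued(self) -> set:
        """Every identifier this authority has ever handed out, retired ones included."""
        return set(self._by_ident)


def merge_collisions(a: IdentifierAuthority, b: IdentifierAuthority) -> set:
    """Identifiers present in both namespaces; empty when the prefixes differ, as in the merger above."""
    return a.issued() & b.issued()


if __name__ == "__main__":
    b_side = IdentifierAuthority("B")                 # the B003281-style namespace
    a_side = IdentifierAuthority("A")                 # the merged organisation's namespace
    for key in ("hr-1", "hr-2", "hr-3"):              # constructed entity keys
        print(key, "->", b_side.issue(key))
    a_side.issue("hr-9")
    print("collisions after merger:", merge_collisions(a_side, b_side))
    print("alphanumeric, 6 chars:", capacity(ALNUM, 6))
    print("alphanumeric, 8 chars:", capacity(ALNUM, 8))
```

Two design points worth noting: ''retire'' deliberately does not free the value, so an [Auditing] trail that references a retired identifier can never be mistaken for a different entity later, and ''issue'' is idempotent per entity, which is what makes the identifier safe to use as the naming attribute without renames.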
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Identifiers Best Practices|https://www.incommon.org/docs/other/identifiers-best-practices-200005.html|target='_blank'] - based on information obtained 2013-04-27
* [#2] - [Findlay's "LDAP Best Practices" paper, section 3.5|https://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf] - based on information obtained 2013-04-27
* [#3] - [Why Your Organization Needs an Enterprise-Wide Account Username Convention|http://blog.identityautomation.com/why-your-organization-needs-an-enterprise-wide-account-username-convention] - based on information obtained 2017-10-04