Types Of User Profile Data
Heya,
There are a few different kinds of profile data stored in CIAM systems.
- credentials
- user provided profile data
- consents
- groups
- authorization data
- system provided profile data
Let's look at each of these in turn.
Credentials
Credentials are any data that allows a user to identify themselves. This includes:
- login identifiers such as username, phone number or email address
- password hashes and other password related data such as salts, algorithms and iterations
- public keys and other WebAuthn related data
- MFA information, such as email addresses, phone numbers, or TOTP seeds
- data for messaging a user for a magic link login, such as an email address or phone number
Some of these may need to be kept securely, such as password hashes and TOTP seeds. Others are innocuous, such as public keys.
They are all related to the primary purpose of a CIAM system, which is to identify people.
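To make the credential list above concrete, here is an added example (not code from the original newsletter or from any particular CIAM product) of how a password credential record can hold the hash together with the parameters needed to verify it, and how a system can keep the sensitive fields (hash, TOTP seed) apart from the innocuous ones (login identifier, WebAuthn public key) when a record leaves the system. The field names and the `redact_for_export` helper are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Fields that must never leave the credential store (the password hash, its salt,
# and the TOTP seed). Identifiers and WebAuthn public keys are not secret.
# These sets are constructed for this example.
SENSITIVE_FIELDS = {"password_hash", "password_salt", "totp_seed"}


def create_password_credential(password: str, iterations: int = 600_000) -> dict:
    """Return a credential record: algorithm, iterations, salt and hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "password_algorithm": "pbkdf2_hmac_sha256",
        "password_iterations": iterations,
        "password_salt": salt.hex(),
        "password_hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    if record["password_algorithm"] != "pbkdf2_hmac_sha256":
        raise ValueError("unsupported password algorithm")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["password_salt"]),
        record["password_iterations"],
    )
    return hmac.compare_digest(recomputed.hex(), record["password_hash"])


def new_totp_seed() -> str:
    """Generate a 160-bit TOTP seed; it is a shared secret and belongs in SENSITIVE_FIELDS."""
    return secrets.token_hex(20)


def redact_for_export(record: dict) -> dict:
    """Strip secret material before a user record is sent to reporting or another system."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    # Constructed sample user: login identifier, password credential, MFA seed and a public key.
    user = {"username": "alice", "email": "alice@example.com"}
    user.update(create_password_credential("correct horse battery staple"))
    user["totp_seed"] = new_totp_seed()
    user["webauthn_public_key"] = "<public key bytes, base64>"  # placeholder, not a real key
    print(verify_password(user, "correct horse battery staple"))  # True
    print(verify_password(user, "wrong"))                         # False
    print(sorted(redact_for_export(user)))                        # no hash, salt or seed
```

Note the asymmetry the newsletter points out: the exported record still contains the username, email and public key, because those do not need to be kept secret, while the hash, salt and TOTP seed stay inside the credential store.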
User Provided Profile Data
These are any profile attributes provided by a user. Depending on the CIAM system, they may range from basic to complicated, and may have differing levels of fidelity with the real world.
For example, for an online game, the only profile data provided by a user may be a username used as a pseudonym.
For a bank, on the other hand, a real name proven by government documents and an account id managed by the bank may be associated with a user account.
This profile data may be gathered at registration, or it may be gathered over time using a process called progressive registration. With the latter, functionality of an application may be gated on a user providing additional profile data.
This can also include preferences local to a given application. For the game example above, favorite team members or game equipment purchased could be stored as part of the CIAM system.
Consents
Consents are a special form of user provided profile data. They capture user permission granted to an application or the organization behind the application. These can be used to gather information for marketing or legal purposes. Because of the latter, the proper management of some consents depends on the countries the application is served from as well as those that the users are citizens of.
For example, European Union citizens can offer consent to allow processing of personal data: “Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.”
Consents are different from other user profile data because they can be explicitly granted or revoked.
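Because a consent can be granted and later revoked, it is best recorded as a history of decisions rather than a single flag, so that the current state and the audit trail (when, and through which channel, the user decided) are both available. The following is an added example of such a consent ledger; it is not code from the original newsletter or from any CIAM product, and the purpose names and `source` values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str        # what the user is consenting to, e.g. "marketing_email"
    granted: bool       # True for a grant, False for a revocation
    at: datetime        # when the decision was captured (UTC)
    source: str         # channel that captured it, e.g. "registration_form"


@dataclass
class UserConsents:
    """Append-only consent history for one user; current state is derived, never overwritten."""
    user_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def _record(self, purpose: str, granted: bool, source: str, at: Optional[datetime]) -> None:
        self.events.append(ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source))

    def grant(self, purpose: str, source: str, at: Optional[datetime] = None) -> None:
        self._record(purpose, True, source, at)

    def revoke(self, purpose: str, source: str, at: Optional[datetime] = None) -> None:
        self._record(purpose, False, source, at)

    def is_granted(self, purpose: str) -> bool:
        """The most recent decision wins; a purpose the user was never asked about is not granted."""
        latest = None
        for event in self.events:
            if event.purpose == purpose and (latest is None or event.at >= latest.at):
                latest = event
        return latest is not None and latest.granted

    def history(self, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one purpose, oldest first."""
        return sorted((e for e in self.events if e.purpose == purpose), key=lambda e: e.at)


if __name__ == "__main__":
    # Constructed sample: consent given at registration, withdrawn later from the profile page.
    consents = UserConsents(user_id="user-123")
    consents.grant("marketing_email", source="registration_form",
                   at=datetime(2024, 1, 5, tzinfo=timezone.utc))
    consents.revoke("marketing_email", source="profile_settings",
                    at=datetime(2024, 3, 9, tzinfo=timezone.utc))
    print(consents.is_granted("marketing_email"))   # False
    print(consents.is_granted("analytics"))         # False: never asked
    for e in consents.history("marketing_email"):
        print(e.at.date(), "granted" if e.granted else "revoked", "via", e.source)
```

Deriving the state from the newest event, and defaulting to "not granted" for purposes the user was never asked about, is what lets the same record serve both the application (may I send this email?) and a later legal or audit question (when exactly did the user withdraw?).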
Groups
Groups are an internal structure in CIAM systems. They are a software structure which allows for grouping of users. While they can be used to track cohorts of users or other indirect effects, membership of one or more groups can also impact permissions or other aspects of how an application treats its users.
For example, you may put users who have administrative privileges into an `admin` group. The CIAM system and other applications can then examine group membership when an administrative action is requested by anyone.
Authorization Data
While groups can be used for other purposes, as mentioned above they are sometimes used for authorization purposes. There are other ways to represent permissions in an application, including role based access control (RBAC), attribute based access control (ABAC), and relationship based access control (ReBAC). These are three common ways to connect users with permissions.
Because this authorization data is usually coupled to application logic, it is not always stored in a CIAM system. However, many CIAM systems offer support for one or more of the permission representation models mentioned above.
Two other common locations for authorization data and logic are:
- a specialized authorization system, such as a policy decision point
- inside the application logic itself
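The `admin` group example in the Groups section and the RBAC model mentioned here fit together: group membership lives in the CIAM system, and the application (or a policy decision point) maps groups to roles and roles to permissions before allowing an administrative action. The following is an added example of that check, written in a deny-by-default style; it is not code from the original newsletter or from any CIAM product, and the group, role and permission names are constructed for illustration.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, FrozenSet, Set

# Constructed authorization data. Groups come from the CIAM user record; the two
# mappings below are the application's (or policy decision point's) own logic.
GROUP_TO_ROLES: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"user_admin", "reader"}),
    "support": frozenset({"reader"}),
    "beta_testers": frozenset(),   # a cohort group that grants no permissions at all
}
ROLE_TO_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "user_admin": frozenset({"user:read", "user:disable", "user:delete"}),
    "reader": frozenset({"user:read"}),
}


@dataclass
class User:
    user_id: str
    groups: Set[str] = field(default_factory=set)   # as stored in the CIAM system


def permissions_for(user: User) -> FrozenSet[str]:
    """Resolve groups -> roles -> permissions. Unknown groups or roles grant nothing."""
    perms: Set[str] = set()
    for group in user.groups:
        for role in GROUP_TO_ROLES.get(group, frozenset()):
            perms |= ROLE_TO_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: User, permission: str) -> bool:
    return permission in permissions_for(user)


def require_permission(permission: str) -> Callable:
    """Decorator that refuses to run an administrative action without the permission."""
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(actor: User, *args, **kwargs):
            if not is_allowed(actor, permission):
                raise PermissionError(f"{actor.user_id} lacks {permission}")
            return func(actor, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("user:disable")
def disable_user(actor: User, target_id: str) -> str:
    """Hypothetical administrative action; in a real app this would call the CIAM API."""
    return f"{target_id} disabled by {actor.user_id}"


if __name__ == "__main__":
    admin = User("alice", {"admin"})
    agent = User("bob", {"support", "beta_testers"})
    print(disable_user(admin, "carol"))          # carol disabled by alice
    try:
        disable_user(agent, "carol")
    except PermissionError as err:
        print("denied:", err)                    # denied: bob lacks user:disable
```

Keeping the mapping tables outside the CIAM record is what the newsletter means by authorization data being coupled to application logic: the group membership is portable across applications, while what a group is allowed to do is decided where the action happens.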
System Provided Profile Data
The final type of profile data is system provided profile data. This is any type of data about a user not provided by the user themselves.
This could include:
- human provided data, such as customer service comments provided by an employee of the organization running the application that users are authenticating against
- data from other systems matched to user profiles in the CIAM system, such as credit information from a reporting bureau stored in the CIAM system for easier access or reporting
- information generated by the CIAM system through its use, such as login counts, open sessions or authentication event attributes like IP address or login time
These six types of profile data all either affect how a user can access applications downstream of the CIAM system or provide the organization responsible for the CIAM system with a greater understanding of their users.
Dan