Identify Local Users

From GFIPM Implementation Wiki


This section guides you through a process for collecting all known information about your organization's users so that it can serve as the basis for a GFIPM Identity Provider (IDP).

To implement a GFIPM IDP, you must gather existing sources of information about your local users. These sources may consist of a user directory, a database system, applications that manage user identities, and organizational policies and other documents.

A user directory may be implemented as LDAP or Active Directory or some other in-house or commercial system. A database may be implemented as a system such as Oracle or SQL Server or one of many other commercial or open-source systems. Other sources may include user applications such as criminal information systems, case management systems, or records management systems. These systems will then serve as the providers of local user information to the federation member's IDP.

Each source about local users should provide information such as the following:

  • Name, address, phone number
  • E-mail address
  • Unique user ID
  • Home organization, employer, assignment, job classification
  • Certifications and clearances
  • Permissions and privileges
  • Electronic or digital identity

In addition, there may be other, more indirect sources of information about users. Organizations typically have documented security policies. Users may also be required to sign user agreements, which typically specify levels of training or qualifications for the user. These may specify conditions of employment such as background checks, user qualifications, certifications, or security clearances.

Three specific instances of these types of documents include the following:

  • Local Security Policy Document
    A document that describes the security policy currently in place within your organization.
  • Local User Agreement Document
    A document that describes the terms and conditions to which your users must agree as a prerequisite for using an electronic identity issued by your organization.
  • Local User Vetting Policies and Procedures Document
    A document that describes the user-vetting policies and procedures that are currently in place within your organization.


Implicit or derived information from the above documents can add to the knowledge base about your users, either individually or as a group. At this point, you should collect these documents from your organization and use them as a basis for additional knowledge about your users. In addition to serving as sources of information about users, the three documents listed above will be used during your organization's federation application process (see [GFIPM OPP]).

An example of information derived from a security policy is the following derivation rule used by CISAnet, which is a federation member in NIEF:

As a matter of documented organizational policy, all CISAnet users have 28 CFR training. These users hold the CISAnet Criminal Intelligence permission. Although the 28 CFR training information is not stored in the local identity management system, the policy serves as the basis for the CISAnet IDP to assert the "28 CFR Privilege Indicator" in the GFIPM user metadata. The CISAnet IDP also asserts the attribute "Criminal Intelligence Data Self Search Home Privilege Indicator" for its users.
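The following Python example is added here to illustrate both the source-gathering step described earlier in this section and the CISAnet derivation rule just quoted; it is not code from the GFIPM wiki or from any federation member. It merges what a user directory and an application database know about a user into one record, tracks which source supplied each attribute (the information that later goes into the Local Attribute Mapping Form), and then asserts policy-derived attributes only for users whose home organization is actually covered by the documented policy. The sample records, the organization and field names, and the rule table are constructed assumptions; the two attribute names are the ones quoted above.

```python
"""Added example: consolidate local user sources and apply a policy-derived rule.

All records, field names and the "CISAnet"/"Other Agency" organization values
below are constructed for illustration. Only the two attribute names quoted on
the wiki page ("28 CFR Privilege Indicator" and "Criminal Intelligence Data
Self Search Home Privilege Indicator") come from the page itself.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a user directory (LDAP/AD style), keyed by unique user ID.
DIRECTORY = {
    "jdoe": {"cn": "Jane Doe", "mail": "jdoe@cisanet.example", "o": "CISAnet",
             "telephoneNumber": "555-0100", "title": "Intelligence Analyst"},
    "rroe": {"cn": "Richard Roe", "mail": "rroe@other.example", "o": "Other Agency",
             "telephoneNumber": "555-0101", "title": "Records Clerk"},
}

# Constructed stand-in for an application database holding permissions and clearances.
APP_DB = {
    "jdoe": {"permissions": ["CISAnet Criminal Intelligence"], "clearance": "Secret"},
    "rroe": {"permissions": ["Records Read"], "clearance": None},
}

# Policy-derived rules: a documented policy that holds for every member of a home
# organization lets the IDP assert an attribute no source system stores. The rule
# is keyed by home organization so it is never applied to users it does not cover.
POLICY_RULES = {
    "CISAnet": {
        "policy": "Local Security Policy: all users complete 28 CFR training",
        "asserts": [
            "28 CFR Privilege Indicator",
            "Criminal Intelligence Data Self Search Home Privilege Indicator",
        ],
    },
}

# Mapping from directory field to the attribute name used in the local record.
DIRECTORY_MAP = [
    ("cn", "Name"),
    ("mail", "E-mail Address"),
    ("telephoneNumber", "Phone Number"),
    ("o", "Home Organization"),
    ("title", "Job Classification"),
]


@dataclass
class UserAttributes:
    """One consolidated record plus, per attribute, the source it came from."""
    user_id: str
    attributes: dict = field(default_factory=dict)
    provenance: dict = field(default_factory=dict)

    def put(self, name, value, source):
        self.attributes[name] = value
        self.provenance[name] = source


def collect_user(user_id):
    """Merge what each local source knows about one user into a single record."""
    rec = UserAttributes(user_id)
    directory_entry = DIRECTORY.get(user_id, {})
    db_entry = APP_DB.get(user_id, {})

    rec.put("Unique User ID", user_id, "directory")
    for ldap_attr, name in DIRECTORY_MAP:
        if ldap_attr in directory_entry:
            rec.put(name, directory_entry[ldap_attr], "directory")

    if "permissions" in db_entry:
        rec.put("Permissions", list(db_entry["permissions"]), "app_db")
    if db_entry.get("clearance"):
        rec.put("Security Clearance", db_entry["clearance"], "app_db")
    return rec


def apply_policy_rules(rec):
    """Assert policy-derived attributes only for members of the covered organization."""
    rule = POLICY_RULES.get(rec.attributes.get("Home Organization"))
    if rule is None:
        return rec
    for name in rule["asserts"]:
        # Provenance records the policy document, not a source system.
        rec.put(name, True, "policy:" + rule["policy"])
    return rec


def build_attribute_record(user_id):
    """Full pipeline: gather from sources, then add policy-derived assertions."""
    return apply_policy_rules(collect_user(user_id))


if __name__ == "__main__":
    for uid in DIRECTORY:
        r = build_attribute_record(uid)
        for name, value in r.attributes.items():
            print(f"{uid}: {name} = {value!r}  [from {r.provenance[name]}]")
```

Recording provenance per attribute is the point of the exercise: when the Local Attribute Mapping Form is filled in, every asserted attribute can be traced either to a source system or to a named policy document, and a derived attribute is never asserted for a user outside the organization whose policy justifies it.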

After you finish this section, your GFIPM Information Sharing Plan should include details about all your sources of user information and also document details about which specific information is available for users from each source. This information will eventually appear in your Local Attribute Mapping Form.

