Identity Modeling in IGA

The Foundation of Identity Governance and Administration

What is Identity Modeling in IGA?

Identity Modeling is the foundational process of defining, structuring, and representing user identities, their attributes, organizational relationships, and the rules that govern how identities are managed throughout their lifecycle within an organization's Identity Governance and Administration (IGA) system.

Identity modeling creates the digital blueprint of an organization's people, structure, and relationships that serves as the authoritative source for all access decisions, provisioning, certifications, and governance activities.

Core Components of Identity Modeling

👤 User Identity Attributes

Data points that define who someone is:

  • Employee ID, Name, Email
  • Job Title, Department, Location
  • Employee Type, Status
  • Hire/Term Dates
  • Security Clearance
  • Compliance Scope

🏢 Organizational Structure

How the organization is arranged:

  • Reporting hierarchies
  • Departmental structure
  • Geographic organization
  • Legal entity structure
  • Matrix management
  • Cost center alignment

🔗 Relationship Modeling

How identities connect:

  • Manager → Direct Reports
  • User → Department/Location
  • Backup manager relationships
  • Data owner assignments
  • Delegation relationships
  • Peer relationships

🔄 Lifecycle States

Identity journey stages:

  • Pre-Employment (Pending)
  • Active (Working)
  • On Leave (Temporary)
  • Notice Period
  • Terminated
  • Archived

🎭 Identity Types

Categories of identities:

  • Full-Time Employees
  • Contractors/Vendors
  • Service Accounts
  • Bot/Automation Accounts
  • Test Accounts
  • Shared Accounts

Organizational Structure Example

CEO
├── CFO
│   ├── Controller
│   │   ├── Accounting Manager
│   │   │   ├── Senior Accountant
│   │   │   └── Junior Accountant
│   ├── Treasury Manager
│   └── Audit Director
├── CTO
│   ├── VP Engineering
│   ├── VP IT Operations
│   └── CISO
└── COO
    ├── VP Sales
    ├── VP Marketing
    └── VP Customer Success

How Identity Modeling Supports IGA Functions

1. Automated Provisioning Based on Identity Attributes

IF (User.EmployeeType = "Full-Time Employee")
   AND (User.Department = "Sales")
   AND (User.Location = "United States")
   AND (User.Status = "Active")
THEN
   Assign Role: "Sales Representative - US"
   Provision Access: CRM (Salesforce), CPQ, Sales Portal
   Set Manager: User.Manager
   Notify: User.Manager of new team member

2. Certification Routing Based on Relationships

// Quarterly Access Certification Campaign
FOR EACH User WITH privileged_access
   Certifier_1 = User.Manager             (direct manager certifies need)
   Certifier_2 = User.Department_Head     (dept head reviews)
   IF (User.Access INCLUDES "SOX_Scoped_Applications") THEN
      Certifier_3 = Compliance_Officer

FOR EACH Service_Account
   Certifier = Service_Account.Owner
   IF (Service_Account.Owner = NULL) THEN
      Escalate_To: IT_Security_Manager
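The routing above, written out as runnable code. This is an added example, not code from the page or from the Identity Co-Analyst product; the employee IDs, the escalation contacts and the sample population are constructed. It adds two guards a practitioner would want that the pseudocode leaves implicit: a missing relationship, or a relationship that points back at the identity itself (so the user would certify their own access), escalates instead of silently dropping the review, and a certifier who appears twice in one chain is collapsed to a single review.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical escalation contacts (employee IDs); not from the original page.
COMPLIANCE_OFFICER = "E0099"
IT_SECURITY_MANAGER = "E0050"


@dataclass
class Identity:
    """Minimal identity record for certification routing (constructed model)."""
    employee_id: str
    identity_type: str                 # "User" or "Service Account"
    manager_id: str | None = None
    department_head_id: str | None = None
    owner_id: str | None = None        # service accounts only
    access: set[str] = field(default_factory=set)
    privileged: bool = False


def certifiers(identity: Identity) -> list[tuple[str, str]]:
    """Ordered (reason, certifier_id) chain for the quarterly campaign.

    Routing follows the relationships in the identity model. A missing
    relationship, or one that points at the identity itself, is escalated
    rather than skipped, because a skipped review is an uncertified account.
    """
    chain: list[tuple[str, str]] = []
    if identity.identity_type == "Service Account":
        if identity.owner_id:
            chain.append(("owner", identity.owner_id))
        else:
            chain.append(("escalation:no_owner", IT_SECURITY_MANAGER))
    elif identity.privileged:
        for reason, cid in (("manager", identity.manager_id),
                            ("department_head", identity.department_head_id)):
            if cid is None or cid == identity.employee_id:
                chain.append((f"escalation:{reason}", IT_SECURITY_MANAGER))
            else:
                chain.append((reason, cid))
        if "SOX_Scoped_Applications" in identity.access:
            chain.append(("compliance", COMPLIANCE_OFFICER))
    # Collapse duplicate certifiers (e.g. a manager who is also the department head).
    seen: set[str] = set()
    deduped: list[tuple[str, str]] = []
    for reason, cid in chain:
        if cid not in seen:
            seen.add(cid)
            deduped.append((reason, cid))
    return deduped


def build_campaign(identities) -> dict[str, list[tuple[str, str]]]:
    """Map each in-scope identity to its certifier chain (empty chain = out of scope)."""
    campaign: dict[str, list[tuple[str, str]]] = {}
    for ident in identities:
        chain = certifiers(ident)
        if chain:
            campaign[ident.employee_id] = chain
    return campaign


# Constructed sample population, not real data.
SAMPLE = [
    Identity("E1001", "User", manager_id="E0042", department_head_id="E0007",
             access={"ERP", "SOX_Scoped_Applications"}, privileged=True),
    Identity("E1002", "User", manager_id="E0042", department_head_id="E0007",
             access={"Wiki"}, privileged=False),
    # Department head whose HR record has no manager and who heads their own department.
    Identity("E0007", "User", manager_id=None, department_head_id="E0007",
             access={"ERP"}, privileged=True),
    Identity("svc-backup", "Service Account", owner_id="E1001", privileged=True),
    Identity("svc-legacy", "Service Account", owner_id=None, privileged=True),
]

if __name__ == "__main__":
    for eid, chain in build_campaign(SAMPLE).items():
        print(eid, "->", chain)
```

Running it shows E1001 routed to manager, department head and compliance officer, E1002 out of scope, E0007 escalated because the record has no manager and would otherwise certify itself, and the ownerless svc-legacy escalated to the IT security manager.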

3. Lifecycle Management Triggered by Identity Changes

JOINER: When User.Status CHANGES TO "Active"
  • Trigger: Joiner Workflow
  • Create accounts (Active Directory, Email)
  • Assign base role automatically
  • Provision department-specific access
  • Notify manager of new team member
MOVER: When User.Department CHANGES
  • Trigger: Transfer Workflow
  • Revoke old department role
  • Assign new department role
  • Update manager relationship
  • Recertify existing access with new manager
LEAVER: When User.Status CHANGES TO "Terminated"
  • Trigger: Leaver Workflow (immediate)
  • Revoke all access immediately
  • Disable all accounts
  • Notify manager of departure
  • Transfer file ownership
  • Schedule account deletion after 90 days
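The attribute-driven provisioning rule from section 1 and the joiner/mover/leaver triggers above, combined into one small reconciliation engine. This is an added example and not code from the page or from the Identity Co-Analyst product; the Identity fields follow the attribute model described on this page, while the role names other than "Sales Representative - US", the employee IDs and the treatment of the On Leave state are assumptions. The point it makes beyond the text: birthright roles are recomputed from attributes on every HR event and diffed against what the user holds, so a department change revokes only the old birthright role and leaves requested access in place for the new manager to recertify, a pre-start identity is imported but entitled to nothing, and a termination revokes everything regardless of what the rules would grant.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Identity:
    """Identity attributes as fed from the authoritative HR source (constructed)."""
    employee_id: str
    employee_type: str      # Full-Time Employee, Contractor, Vendor, ...
    department: str
    location: str
    status: str             # Pending, Active, On Leave, Notice Period, Terminated
    manager_id: str | None = None


# Lifecycle states in which birthright access may exist. A Pending (pre-start)
# identity is imported but entitled to nothing; Terminated entitles nothing.
WORKING = {"Active", "Notice Period"}

# Attribute-driven birthright rules: role -> predicate over identity attributes.
# Role names are hypothetical (the page's "Sales Representative - US" rule plus
# two invented ones); a real catalogue would come from role modeling.
RULES = {
    "Employee - Base Access": lambda u: u.status in WORKING,
    "Sales Representative - US": lambda u: (
        u.status in WORKING
        and u.employee_type == "Full-Time Employee"
        and u.department == "Sales"
        and u.location == "United States"),
    "Engineering - Base": lambda u: u.status in WORKING and u.department == "Engineering",
}


def entitled_roles(user: Identity) -> set[str]:
    """Roles the identity should hold right now, derived purely from attributes."""
    return {role for role, pred in RULES.items() if pred(user)}


def reconcile(user: Identity, held: set[str]):
    """Diff entitled birthright roles against held roles.

    Returns (actions, roles held afterwards). Requested (non-birthright) roles
    survive a mover event so the new manager can recertify them; a leaver
    event revokes everything the user holds.
    """
    if user.status == "Terminated":
        actions = [("revoke", r) for r in sorted(held)]
        actions.append(("disable_accounts", user.employee_id))  # deletion at T+90 is a separate job
        return actions, set()
    if user.status == "On Leave":
        # Assumption: leave suspends the accounts but keeps the role assignments.
        return [("suspend_accounts", user.employee_id)], set(held)
    target = entitled_roles(user)
    to_assign = sorted(target - held)
    to_revoke = sorted(r for r in held - target if r in RULES)  # birthright roles only
    actions = [("assign", r) for r in to_assign] + [("revoke", r) for r in to_revoke]
    return actions, (held - set(to_revoke)) | target


def apply_hr_event(user: Identity, held: set[str], **changes):
    """Apply an attribute change from HR (the trigger) and return the
    joiner/mover/leaver actions it produces plus the new role set."""
    old_manager = user.manager_id
    for attr, value in changes.items():
        setattr(user, attr, value)
    actions, roles = reconcile(user, held)
    if user.status != "Terminated" and user.manager_id != old_manager:
        actions.append(("recertify", user.manager_id))  # new manager reviews existing access
    return actions, roles


if __name__ == "__main__":
    u = Identity("E1001", "Full-Time Employee", "Sales", "United States", "Pending", "E0007")
    roles: set[str] = set()
    for event in ({"status": "Active"},
                  {"department": "Engineering", "manager_id": "E0042"},
                  {"status": "Terminated"}):
        actions, roles = apply_hr_event(u, roles, **event)
        print(event, "->", actions)
```

The revoke step filters on membership in RULES so that only roles the engine itself granted are removed automatically; anything else a user holds is a request-based entitlement and belongs to the recertification step, not to the mover workflow.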

4. Risk Scoring Based on Identity Attributes

// User Risk Score Calculation
Base_Risk = 0
IF (User.EmployeeType = "Contractor" OR User.EmployeeType = "Vendor") THEN
   Base_Risk += 10    (external parties higher risk)
IF (User.Access INCLUDES privileged_accounts) THEN
   Base_Risk += 20
IF (User.Status = "Notice Period") THEN
   Base_Risk += 30    (departing employees)
IF (User.Last_Certification_Date IS NULL OR Days_Since(User.Last_Certification_Date) > 90) THEN
   Base_Risk += 15    (access not certified within the last 90 days)
Total_Risk_Score = Base_Risk + Context_Risk
IF Total_Risk_Score > 50 THEN
   Trigger: High_Risk_User_Review
   Frequency: Monthly certification
   Enhanced_Monitoring: Enable
   MFA: Required
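The scoring rule above as working code, added here as an example; it is not code from the page or from the Identity Co-Analyst product, and the weights are the page's while the employee IDs, the fixed reference date and the Context_Risk input are constructed. Two details matter in practice and are handled explicitly: the staleness check compares the number of days since the last certification against 90 (a more recent date is lower risk, not higher), and an identity that has never been certified counts as stale rather than as low risk.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class UserRisk:
    """The identity attributes the scoring rule reads (constructed model)."""
    employee_id: str
    employee_type: str                 # Full-Time Employee, Contractor, Vendor
    status: str                        # Active, Notice Period, ...
    privileged: bool                   # holds privileged accounts
    last_certification: date | None    # None = never certified


def risk_score(user: UserRisk, today: date, context_risk: int = 0) -> int:
    """Additive score with the page's weights. context_risk comes from the
    caller (e.g. a monitoring feed) and is outside this example."""
    score = 0
    if user.employee_type in {"Contractor", "Vendor"}:
        score += 10      # external parties
    if user.privileged:
        score += 20
    if user.status == "Notice Period":
        score += 30      # departing employee
    # Stale certification: more than 90 days since the last review. Never
    # certified is treated as stale, not as low risk.
    if user.last_certification is None or today - user.last_certification > timedelta(days=90):
        score += 15
    return score + context_risk


def governance_actions(score: int) -> dict[str, object]:
    """Controls applied once the threshold is crossed."""
    if score > 50:
        return {"review": "High_Risk_User_Review",
                "certification_frequency": "Monthly",
                "enhanced_monitoring": True,
                "mfa": "Required"}
    return {}


# Constructed sample population and a fixed date so the output is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE = [
    UserRisk("E2001", "Contractor", "Active", True, date(2024, 1, 15)),
    UserRisk("E2002", "Full-Time Employee", "Notice Period", True, date(2024, 5, 20)),
    UserRisk("E2003", "Vendor", "Active", False, None),
]


def score_all(context: dict[str, int] | None = None) -> dict[str, tuple[int, dict]]:
    """Score every sample user; context maps employee_id -> Context_Risk."""
    context = context or {}
    result = {}
    for u in SAMPLE:
        s = risk_score(u, TODAY, context.get(u.employee_id, 0))
        result[u.employee_id] = (s, governance_actions(s))
    return result


if __name__ == "__main__":
    for eid, (s, actions) in score_all({"E2001": 10}).items():
        print(eid, s, actions)
```

E2001 (privileged contractor, last certified 138 days ago) scores 45 on attributes alone and crosses the threshold only once a Context_Risk of 10 is added; E2002 in notice period with privileged access sits exactly at 50 and is not flagged, which is worth knowing when tuning the threshold.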

Identity Modeling Challenges

⚠️ Data Quality Issues

Problem:

  • HR data incomplete or inaccurate
  • Multiple HR systems with conflicts
  • Missing manager relationships
  • Contractors not in HR system
Solution Approach:
  • Data quality rules and validation
  • Master data management (MDM)
  • Regular data audits
  • Authoritative source designation

⚠️ Complex Organizations

Problem:

  • Matrix organizations with dual reporting
  • Frequent reorganizations
  • Multiple legal entities
  • Shared services centers
Solution Approach:
  • Flexible identity model
  • Multiple hierarchy support
  • Effective-dated changes
  • Historical tracking

⚠️ Non-Human Identities

Problem:

  • Service accounts not in HR
  • No natural "owner"
  • Unclear lifecycle
  • Account sprawl
Solution Approach:
  • Separate identity type
  • Mandatory ownership
  • Application-based lifecycle
  • Regular orphan reviews

⚠️ Contingent Workers

Problem:

  • Contractors not in HR system
  • Contract end dates not tracked
  • Different systems for FTE vs. contractors
  • Vendors managed separately
Solution Approach:
  • Unified identity model
  • Vendor system integration
  • Contract end date enforcement
  • Automated reviews before expiration
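The "data quality rules and validation", "regular orphan reviews" and "contract end date enforcement" items from the four challenge lists above, implemented as one validation pass over an identity feed. This is an added example, not code from the page or from the Identity Co-Analyst product; the record layout reuses the page's attribute names, while the employee IDs, feed names, the is_root flag for the top of the hierarchy and the reference date are constructed. It catches the concrete failures each list names: the same Employee_ID arriving from two HR feeds, a manager reference to nobody, a reporting-line cycle, an active user whose manager is terminated, a contractor with no or an expired contract end date, and a service account with no resolvable owner.

```python
from __future__ import annotations
from datetime import date

# Identity types that carry an owner instead of a manager.
NON_HUMAN = {"Service Account", "Bot"}


def validate_identities(records: list[dict], today: date) -> list[tuple[str, str, object]]:
    """Run data-quality rules over identities merged from several feeds.

    Returns (employee_id, check, detail) findings. Records are dicts keyed by
    the page's attribute names; 'source' names the feed a record came from.
    """
    findings: list[tuple[str, str, object]] = []
    by_id: dict[str, dict] = {}
    for rec in records:
        eid = rec["employee_id"]
        if eid in by_id:
            # Same Employee_ID from two feeds: keep the first (authoritative)
            # record and flag the conflict instead of silently overwriting it.
            findings.append((eid, "duplicate_employee_id", rec["source"]))
            continue
        by_id[eid] = rec

    for eid, rec in by_id.items():
        if rec["identity_type"] in NON_HUMAN:
            owner = rec.get("owner_id")
            if not owner or owner not in by_id:
                findings.append((eid, "orphan_no_owner", owner))
            continue
        mgr = rec.get("manager_id")
        if not mgr:
            if not rec.get("is_root"):   # only the top of the hierarchy may lack a manager
                findings.append((eid, "missing_manager", None))
        elif mgr not in by_id:
            findings.append((eid, "missing_manager", mgr))
        elif rec["status"] == "Active" and by_id[mgr]["status"] == "Terminated":
            findings.append((eid, "manager_terminated", mgr))
        if rec["identity_type"] in {"Contractor", "Vendor"}:
            end = rec.get("contract_end")
            if end is None:
                findings.append((eid, "missing_contract_end", None))
            elif end < today and rec["status"] == "Active":
                findings.append((eid, "contract_expired_still_active", end.isoformat()))

    # Reporting-line cycles (A reports to B who reports to A) break every
    # manager-based workflow; walk each chain upward until it reaches the root.
    for eid in by_id:
        seen, cur = set(), eid
        while True:
            mgr = by_id[cur].get("manager_id")
            if not mgr or mgr not in by_id:
                break
            if mgr == eid:
                findings.append((eid, "manager_cycle", cur))
                break
            if mgr in seen:
                break
            seen.add(mgr)
            cur = mgr
    return findings


def rec(eid, itype, status, manager=None, source="Workday", **extra):
    """Build a constructed identity record in the feed's shape."""
    d = {"employee_id": eid, "identity_type": itype, "status": status,
         "manager_id": manager, "source": source}
    d.update(extra)
    return d


# Constructed sample feed (not real data) exercising each rule once.
SAMPLE = [
    rec("E0001", "Full-Time Employee", "Active", is_root=True),
    rec("E0002", "Full-Time Employee", "Active", "E0001"),
    rec("E0002", "Full-Time Employee", "Active", "E0001", source="Legacy HR"),  # same ID, second feed
    rec("E0003", "Full-Time Employee", "Active", "E9999"),                       # manager in no feed
    rec("E0004", "Contractor", "Active", "E0002", source="Vendor Portal"),       # no contract end date
    rec("E0005", "Contractor", "Active", "E0002", source="Vendor Portal", contract_end=date(2024, 1, 15)),
    rec("E0006", "Full-Time Employee", "Active", "E0007"),                       # cycle with E0007
    rec("E0007", "Full-Time Employee", "Active", "E0006"),
    rec("E0008", "Full-Time Employee", "Active", "E0009"),                       # manager is terminated
    rec("E0009", "Full-Time Employee", "Terminated", "E0001"),
    rec("svc-backup", "Service Account", "Active", owner_id=None),               # orphan
    rec("svc-etl", "Service Account", "Active", owner_id="E0003"),
]
TODAY = date(2024, 6, 1)   # fixed so the output is reproducible


def sample_findings() -> list[tuple[str, str, object]]:
    return validate_identities(SAMPLE, TODAY)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Findings are data rather than actions on purpose: the feed is read-only, and each finding routes to the owner of the authoritative source for correction, which is the "authoritative source designation" point in the list above.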

🤖 How Identity Co-Analyst Captures Identity Modeling Requirements

Identity Co-Analyst includes Identity Lifecycle Management as one of its core IGA domains, with expert-designed questionnaires that systematically capture all aspects of identity modeling.

1. Identity Attribute Requirements

ICA: "Let's discuss the user identity attributes that drive your IGA processes. What user information do you receive from your HR system?"
Stakeholder: "We get the basics - name, employee ID, department, manager, location, and hire/term dates."
ICA: "Those are the core attributes. Let me ask about additional attributes that often drive access decisions: • Do you have different processes for full-time employees vs. contractors? • Do you track contract end dates for temporary workers? • Do you need to know a user's cost center for financial approvals? • Does job title determine automatic access assignments? • Do you have security clearance levels that restrict data access? • Are there different locations with different access needs?"
ICA-Generated Identity Attribute Documentation

AUTHORITATIVE SOURCE: Workday HR System

CORE ATTRIBUTES:

  • Employee_ID (unique identifier, never reused)
  • Username (format: firstname.lastname)
  • First_Name, Last_Name, Display_Name
  • Personal_Email, Work_Email
  • Employee_Type (Full-Time, Part-Time, Contractor, Vendor)
  • Employment_Status (Active, On-Leave, Terminated)

ORGANIZATIONAL ATTRIBUTES:

  • Job_Title, Department_Code, Department_Name
  • Division, Cost_Center
  • Location_Code, Location_Name, Country
  • Company_Code (for multi-entity organization)

HIERARCHICAL ATTRIBUTES:

  • Manager_Employee_ID (direct manager)
  • Manager_Name, Manager_Email
  • Department_Head_Employee_ID, VP_Employee_ID

TEMPORAL ATTRIBUTES:

  • Hire_Date, Contract_End_Date
  • Termination_Date, Last_Day_Worked
  • Expected_Return_Date (for leave of absence)

SECURITY ATTRIBUTES:

  • Security_Clearance_Level (None, Level_1, Level_2, Level_3)
  • SOX_Scope (Yes/No - indicates if user touches financial systems)
  • Risk_Classification (Standard, Elevated, High)

2. Organizational Structure Requirements

ICA: "Help me understand your organizational structure. How is your company organized?"
Stakeholder: "We have a traditional hierarchy with CEO, then VPs for each major function like Finance, IT, Sales, Operations."
ICA: "Let me dig deeper: • Do you have a pure hierarchy, or do people report to multiple managers? • Are there dotted-line relationships or matrix management? • Do you organize by geography as well (regions, countries)? • Do you have multiple legal entities or subsidiaries? • How do you handle project teams that cross departments? • Do you reorganize frequently? How often?"

3. Lifecycle Management Requirements

ICA-Captured Lifecycle Requirements

JOINER PROCESS:

TRIGGER: HR creates new employee record in Workday

PRE-START (T-3 days before hire date):

  • HR record created with Future_Start status
  • IGA imports identity but does NOT provision access yet
  • Email sent to Manager: "Your new team member starts in 3 days"

START DATE (T=0, Hire Date):

  • HR record status changes to Active
  • IGA Trigger: Joiner Workflow
  • Active Directory account created
  • Email account provisioned
  • Basic role assigned: "Employee - Base Access"
  • Department role assigned based on Department attribute

MOVER PROCESS:

TRIGGER: HR record updated with department or manager change

  • Old department role revoked immediately
  • New department role assigned immediately
  • Manager relationship updated
  • Existing access requires recertification by new manager (30 days)

LEAVER PROCESS:

TRIGGER: HR record status changes to Terminated, effective on Termination_Date / Last_Day_Worked (a termination entered in advance must not revoke access before that date)

  • All access revoked immediately
  • All accounts disabled
  • Manager notified of departure
  • Email forwarding to Manager (30-day duration)
  • Account deletion scheduled (T+90 days)

Benefits of Strong Identity Modeling

⚡ Operational Efficiency

  • Automated provisioning based on attributes
  • Accurate approval routing
  • Faster onboarding
  • Streamlined certifications

🔒 Security & Compliance

  • Consistent access decisions
  • SoD enforcement via relationships
  • Risk-based governance
  • Complete audit trail

💰 Cost Reduction

  • Less manual intervention
  • Fewer help desk tickets
  • Automated orphan cleanup
  • Efficient reorganizations

📊 Data Quality

  • Single source of truth
  • Relationship integrity enforced
  • Temporal tracking
  • Historical audit for compliance

The Transformation: Traditional vs. ICA

❌ Traditional Identity Modeling

  • Weeks of interviews with HR, IT, and business stakeholders
  • Complex data mapping exercises
  • Attribute definitions scattered across emails and spreadsheets
  • Organizational structure diagrams quickly outdated
  • Relationship modeling often incomplete
  • Identity types and lifecycle rules inconsistently documented
  • 12+ weeks to gather complete identity model requirements

✅ With Identity Co-Analyst

  • Systematic exploration of all identity modeling dimensions
  • Conversational interface - HR and business stakeholders describe in plain language
  • AI-guided discovery of attributes, relationships, and lifecycle rules
  • Conditional branching based on org complexity (matrix, multi-entity)
  • Automated documentation of complete identity model
  • Integration with other IGA domains (roles, provisioning, certification)
  • Under 10 days to capture comprehensive identity modeling requirements

🎯 The Foundation of IGA

Identity modeling is the foundation upon which all IGA capabilities are built. Without a solid identity model, automated provisioning fails, certifications route incorrectly, lifecycle management breaks, and compliance suffers.

Identity Co-Analyst ensures this foundation is solid, complete, and properly documented - capturing every attribute, relationship, lifecycle rule, and identity type that will drive access decisions for years to come.

From 12+ weeks to under 10 days. From scattered requirements to comprehensive documentation. From risky assumptions to expert-validated identity models.