MyIdentityGraph Ontology
A domain ontology represents the concepts of a domain and the relationships between them. MyIdentityGraph defines an information schema specific to the Identity and IoT domain, together with an implementation as used at SSOCircle.
- Entities represent subjects like persons, services, data or devices (Vertices in the Graph)
- Verbs represent relationships between entities (Edges in the Graph)
- Attributes describe properties of an entity or a verb
Entities
Identity vertices represent subjects that own resources or hold other access permissions on resources. An identity may delegate its rights to another identity and thereby hand its access permissions over to that identity. Currently the following classes of identities are available in SSOCircle MyIdentityGraph:

Identities

| Identity | Super Class |
|---|---|
| Person | Identity |
| Group | |
| Role | |
| Organization | |
| Department | |
Resource vertices represent objects that are owned by a Person. Currently the following classes of resources are available in SSOCircle MyIdentityGraph:

Resources

| Resource | Super Class | Parent Super Class |
|---|---|---|
| UserProfileData | Data | Resource |
| Yubikey | Device | |
| Swekey | | |
| SAMLServiceProvider | Provider | |
| OpenIDProvider | | |
Verbs
Permissions are represented as graph edges of the corresponding type; a permission edge starts at an Identity vertex and ends at a Resource vertex.

Permissions and Permission Requests

| Permission / Request | Super Class |
|---|---|
| read | Permission |
| write | |
| execute | |
| full | |
| reqRead | Request |
| reqWrite | |
| reqExec | |
| reqFull | |
Permission to a resource is requested from the owner of that resource. Permission requests are represented as graph edges that start at an Identity vertex. The following permission types and their corresponding request types are defined:

Request – Permission correspondence

| Permission | Request |
|---|---|
| read | reqRead |
| write | reqWrite |
| execute | reqExecute |
Delegations are represented as Graph Edges and start at an Identity Vertex and end at another Identity Vertex. A Delegation is a special type of Permission.
Delegations

| Edge | Super Class | Parent Super Class |
|---|---|---|
| delegate | Delegation | Permission |
Other relationships are also represented as graph edges. Summarized here are the relationships that do not inherit from the Permission type. For example, a user who federates to a SAML or OpenID service provider creates a "federate" relation between their Person node and the provider node.

Other Relations

| Edge | Super Class |
|---|---|
| federate | Relation |
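The following is an added example, not SSOCircle code: a minimal in-memory graph in the shape of this ontology (Identity and Resource vertices, request, permission and delegate edges) with a permission check that follows delegation edges back to the delegator. Names such as `IdentityGraph`, `build_sample` and the `owner` field on a resource vertex are assumptions of the example; it also assumes that an owner implicitly holds every permission on its own resource and that only the owner can turn a request edge into a permission edge.

```python
from collections import defaultdict

REQUEST_OF = {"read": "reqRead", "write": "reqWrite", "execute": "reqExec", "full": "reqFull"}

class IdentityGraph:
    def __init__(self):
        self.vertices = {}             # name -> {"kind", "class", "owner", "attrs"}
        self.edges = defaultdict(set)  # (src, dst) -> set of edge types (verbs)

    def add_vertex(self, name, kind, cls, owner=None, **attrs):
        # kind is "Identity" or "Resource"; assumption: a Resource records its owning Person.
        self.vertices[name] = {"kind": kind, "class": cls, "owner": owner, "attrs": attrs}

    def request(self, identity, resource, perm):
        # A request edge starts at the Identity vertex and ends at the Resource vertex.
        self.edges[(identity, resource)].add(REQUEST_OF[perm])

    def grant(self, approver, identity, resource, perm):
        # Only the owner may turn a pending request edge into the permission edge.
        if self.vertices[resource]["owner"] != approver:
            raise PermissionError(f"{approver} does not own {resource}")
        types = self.edges[(identity, resource)]
        if REQUEST_OF[perm] not in types:
            raise LookupError(f"no pending {REQUEST_OF[perm]} from {identity}")
        types.discard(REQUEST_OF[perm])
        types.add(perm)

    def delegate(self, delegator, delegatee):
        # Delegation edges start at one Identity vertex and end at another.
        self.edges[(delegator, delegatee)].add("delegate")

    def has_permission(self, identity, resource, perm, seen=frozenset()):
        # Owner (assumed implicit) or direct edge; else walk delegation edges back to the
        # delegators. `seen` keeps a delegation cycle from recursing forever.
        owner = self.vertices[resource]["owner"]
        if identity == owner or perm in self.edges.get((identity, resource), ()):
            return True
        seen = seen | {identity}
        return any(self.has_permission(src, resource, perm, seen)
                   for (src, dst), t in self.edges.items()
                   if dst == identity and "delegate" in t and src not in seen)

def build_sample():  # constructed data: alice owns a Yubikey, grants bob read, bob delegates to carol
    g = IdentityGraph()
    for p in ("alice", "bob", "carol"):
        g.add_vertex(p, "Identity", "Person")
    g.add_vertex("alice-key", "Resource", "Yubikey", owner="alice", YubikeyID="placeholder-id")
    g.request("bob", "alice-key", "read")
    g.grant("alice", "bob", "alice-key", "read")
    g.delegate("bob", "carol")
    return g
```

After `build_sample()`, carol can read alice's key only through bob's delegation, and adding a delegation back from carol to bob does not make the check loop.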
Attributes
Attributes are specific to the entity or the verb they describe. Some examples are listed below:

Attributes

| Entity | Attributes |
|---|---|
| UserProfileData | Lastname, Givenname, Email, Initials |
| Person | public profile attributes such as Lastname, Givenname, Email |
| SAMLServiceProvider | EntityID |
| Yubikey | YubikeyID |
The formal description of the MyIdentityGraph (MIDG) ontology in the Resource Description Framework (RDF) is coming soon.