University of Texas Health Science Center at Houston
IdM Systems

Diagram of university identity management system.


Conceptual Overview

Only individuals having "active" entries in one or more of the primary "source of authority" (SOA) databases, denoted in the "yellow" region of the above figure, have "person" entries in the UTHSC-H Enterprise Directory. Each individual may have simultaneous, multiple affiliations with UTHSC-H if he or she has active entries in two or more SOA databases.

The physical identity attributes of employees, residents, students and guest affiliates are verified by official institutional hiring and acceptance procedures and policies. The issuance of digital credentials to identified individuals is governed by explicit policies and procedures that define the level of assurance (LOA) that UTHSC-H can assert for specific credentials to relying parties. Policies for identity proofing and credentialing of individuals are designed to meet the requirements of the U.T. System Identity Management Federation, the InCommon Federation, the United States Federal E-Authentication initiative, and the Federal (FBCA) and Higher Education Bridge (HEBCA) Certificate Policies.

UTHSC-H is responsible for assuring accurate, timely binding of personal attribute information to identified and credentialed individuals having person entries in the institution's enterprise directory. Attribute information is used both to allow relying parties providing restricted services to determine whether an authenticated individual meets authorization requirements and, frequently, to provision applications provided by both internal and external service providers (SPs).

The status of "active" entries in the SOA databases is monitored by the INDIS provisioning processes, which

  • determine whether an individual is currently, or has previously been, officially affiliated with UTHSC-H,
  • assign an individual who has no previous affiliation with the university a UTHSC-H permanent identifier and register that person's identity and identifier in the person registry,
  • create a person entry in the enterprise directory service for an individual who has an active affiliation,
  • automatically provision an individual's person entry with the appropriate attributes associated with each current affiliation,
  • update affiliation attributes when the SOA indicates that changes in attribute status have occurred,
  • inactivate a person's directory service entry when the individual is no longer affiliated with the university, and
  • delete a person's entry from the directory service if that individual has had no affiliation with the university for a period of six months.
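The provisioning lifecycle listed above (lookup of prior affiliation, one-time assignment of a permanent identifier, entry creation, attribute updates, inactivation, and deletion after the retention window) can be modelled as a single reconciliation pass over the SOA feeds. The following is an added illustrative example, not INDIS code or any UTHSC-H system; the record layout, the `uth####` identifier format, the 183-day stand-in for "six months", and the assumption that cross-SOA identity matching has already produced a `person_key` are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=183)   # assumed stand-in for "six months"


@dataclass
class PersonEntry:
    """Directory person entry, keyed by the permanent identifier."""
    uid: str
    affiliations: set = field(default_factory=set)
    active: bool = True
    inactive_since: Optional[date] = None


class PersonRegistry:
    """Person registry: binds a matched identity to a permanent identifier once,
    so a returning affiliate gets the same uid (constructed identifier scheme)."""

    def __init__(self):
        self._uids = {}
        self._seq = 1000

    def permanent_id(self, person_key):
        if person_key not in self._uids:            # never affiliated before
            self._uids[person_key] = f"uth{self._seq}"
            self._seq += 1
        return self._uids[person_key]


def reconcile(soa_records, registry, directory, today):
    """One provisioning pass.
    soa_records: list of dicts {source, person_key, active} (constructed shape;
    identity matching across SOAs is assumed to have produced person_key).
    directory: dict uid -> PersonEntry, mutated in place.
    Returns the actions taken, for audit."""
    actions = {"created": [], "updated": [], "inactivated": [], "deleted": []}

    # Affiliations per person, derived from *active* SOA entries only.
    current = {}
    for rec in soa_records:
        if rec["active"]:
            current.setdefault(rec["person_key"], set()).add(rec["source"])

    active_uids = set()
    for person_key, affils in current.items():
        uid = registry.permanent_id(person_key)    # new or previously registered
        active_uids.add(uid)
        entry = directory.get(uid)
        if entry is None:                          # first active affiliation
            directory[uid] = PersonEntry(uid, set(affils))
            actions["created"].append(uid)
        elif entry.affiliations != affils or not entry.active:
            entry.affiliations = set(affils)       # SOA reported a status change
            entry.active, entry.inactive_since = True, None
            actions["updated"].append(uid)

    # Entries with no active affiliation: inactivate, then purge after retention.
    for uid in list(directory):
        if uid in active_uids:
            continue
        entry = directory[uid]
        if entry.active:
            entry.active, entry.inactive_since = False, today
            entry.affiliations.clear()             # no attributes remain bound
            actions["inactivated"].append(uid)
        elif today - entry.inactive_since >= RETENTION:
            del directory[uid]
            actions["deleted"].append(uid)
    return actions
```

Because the permanent identifier lives in the registry rather than the directory entry, a person whose entry has been purged and who later re-affiliates is recognised as a previous affiliate and receives the same uid, which is what keeps audit trails and downstream provisioning consistent across gaps in affiliation.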

The Enterprise Directory Service is authoritative in that it provides secure authentication and authorization services to relying parties both internal and external to the university. Identity attribute information is also released to secondary UTHSC-H directories. All attribute releases from the Enterprise Directory Service to relying service providers are governed explicitly by attribute release policies (ARPs) and procedures. Service providers (SPs) may use personal attribute information only as permitted by the relying party agreements governing those attribute release policies. It is imperative that the security and privacy of personal attribute information be preserved.
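An attribute release policy is enforced at the point where the directory answers a relying party: the SP receives only the attributes its agreement names, and inactive entries release nothing. The following is an added example written for this page, not UTHSC-H's ARPs or software; the SP names, attribute names and policy table are constructed.

```python
class ReleaseDenied(Exception):
    """Raised when no release is permitted at all (unknown SP or inactive entry)."""


# Constructed ARPs: each relying party may receive only the listed attributes.
ARPS = {
    "library-sp": {"uid", "affiliation"},
    "payroll-sp": {"uid", "affiliation", "employeeNumber", "mail"},
}


def release(sp, entry, requested):
    """Return (released, withheld) for a request from relying party `sp`.

    Default-deny: an SP without an agreement gets nothing, an inactive entry
    releases nothing, and any requested attribute outside the ARP is withheld
    and reported so the refusal can be logged for audit."""
    policy = ARPS.get(sp)
    if policy is None:
        raise ReleaseDenied(f"no relying party agreement for {sp!r}")
    if not entry.get("active", False):
        raise ReleaseDenied("entry is inactive; no attributes are bound")
    released = {k: entry[k] for k in requested if k in policy and k in entry}
    withheld = sorted(set(requested) - set(released))
    return released, withheld


def authorized(released, required_affiliation):
    """SP-side check: does the released affiliation satisfy the service's requirement?"""
    return required_affiliation in released.get("affiliation", [])
```

The `withheld` list is deliberately returned rather than silently dropped: an SP that repeatedly asks for attributes outside its agreement is something a directory operator wants to see in the logs.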

Office of Academic Computing
Copyright © 2005 - Present The University of Texas Health Science Center at Houston