DRAFT - DRAFT- DRAFT
TIER Registry and DATA and API workgroups have provided an ID Match POC in September 2017 This followed work done in earlier projects and Benn Oshrin brought this out for demo purposes. During December and January of 2018 refinement of a proposed architecture and of the POC ID Match has been underway. Calling structures to the RESTFUL API and discussions on how it can fit into the TIER Entity Registry - Identity OnBoarding process.
An architecture flow and event document for TIER ENTITY REGISTRY - Identity OnBoarding can be found at
TIER Entity Registry - Identity Onboarding (1).pdf
The intent of this document is to indicate in a high level sense how to align ID Match in your institutions processes. It is intended to describe a pattern for institutions to use when building a Registry Onboarding process.
The ID Match is a restful API that can be called in many architectural patterns and or sources. The workgroups have discussed over several iteration and about 2.5 months and suggest calling ID Match component from the "Registry Update Controller" shown within the Identity OnBoarding flow.
Step-by-step guide
Determine your initial System of Record(s) (SOR) to be onboarded or interfaced into your entity registry.
Person is entered or updated (or self enters) into any of an institutions SORs. The event/action needs to be captured and or acted upon for updates that must be forwarded to the registry.
Map the attributes in your SOR into the normalized TIER information structure. This would have been done during the process of configuring the SOR to forward data to the registry.
- This structure will reflect the TIER minimal registry structure plus any additional person attributes or extensions you desire to store in your registry.
- The TIER registry working group encourages you to maintain only data needed for access management in the registry. OF course you may extend as needed of course.
- It is intended that in Entities other than people will be accommodated by the registry. Additional entities beyond person are intended to be added in later work. There are proposed structures for application entities in early stages of design.
- Attributes are normalized into a consistent to allow the disparate data formats often encountered in each SOR to be brought into a single agreed upon form and format. Normalized data is more easy to match and compare to locate existing individuals in the registry.
- Some institutions may have only a couple SORs while others could easily have 10 or more significant sources of persons being onboarded into a single Identity Registry.
- There is value in following the normalization and onboarding pattern even if your institution only has a single SOR at implementation time. You will be ready and insured for the eventual addition of additional SOR(s).
- Activities above result in a connector to normalize and feed info from the Source to registry onboarding.
Once you determine the data format. Determine how you will trigger API call or messages (choice is your institutions to make)
When data changes in the SOR it must communicate that change to the registry.
- API or Messaging can be used to move the data.
- You must process the changed data (add, update and deletes), the lifecycles of individuals within the SOR and your institution.
- SIS, HR, Alumni, hospital staff HR, etc all may be managed in distinct manner by the specific SOR, when moved to the registry the key is determining a unique person. Normalized data should be in place before matching is attempted. The SOR itself is generally unaware of what (or if) another SORs may have already provided to the registry.
- Ideally the SOR systems move data in near real time to the registry. If the SOR systems lag in time before sending you can expect to have issues in data currency and accuracy based on SOR data being consumed with time lags. Depending on the specifics of your system cycles this is manageable, expected.
- Call the messaging or restful API to transmit data to the registry intake Receive Source Person Info.
- This is well suited for a message based solution, TIER working groups have built demos with Rabbit MQ. However, you can choose other messaging tools or use an restful API approach if you prefer.
- Receive 'Source Person' info/message, this component of the Registry Update Controller is responsible for
- Handling the SOR information as it arrives for processing.
- Is it correctly normalized
- Is it "complete" to process further (and other such data handling checks
- Call the TIER ID Match component to see if this person has already been onboarded into the registry at a previous date time.
- IdMatch
- This is a restful API
- This component stores information related to previous matching history/experience. These are identified by the idMatch reference identifier.
- Id Match can return three basic responses. ID Match returns a result after recording the results internally.
- This is a "new entity no match found",
- This entity matches this "existing registry entity matched exactly",
- This entity has "multiple potential matches" but Matching component needs help from a data steward.
- An ID Match reference identifier will be returned identifiers will be returned by the API for additional processing options.
- The onboarding Registry update controller will need to be configured to handle the returns from the idMatch based on institutional choices.
- New person no match found - the controller will invoke the no match to ADD a new person in the registry path
- Existing registry person matches exactly - the controller will invoke the update the person in the registry path
- Multiple possible matches requires additional insight of a person to do onboarding. Data Stewards should work with these entries to assure accurate result and minimize duplicates.
- A choice to be made:
- Add the possible match in a "pending resolution" state to the registry. You may also want to mark all possible matches in a pending resolution state.
- Do not add to the registry. Wait for the data steward to review the data involved of the possible matches and the incoming data and then take action to move the data forward.
- Persons with appropriate knowledge at your institution can steward the data and provide the resolution in either case.
- the pending resolution can allow for processes to move forward with the knowledge that this could be a duplicate and corrective action may be needed once the case is resolved.
- do not allow pending entries to move forward. This avoids the need to undo processes that were allowed to proceed. It does create a delay in processes that consume the Institutional Person - pending resolution
- Institutions should carefully consider the choice of whether to use "pending resolution updates" or not. This is a key decision that has consequences regardless of the path chosen.
- Delay entry to the registry for pending resolution
- ...
- Allow update to registry before pending resolution is cleared.
- ...
- Delay entry to the registry for pending resolution
- A choice to be made:
- Manual Investigation of Pending resolution entries.
- Create / Update the registry Entry based on data steward decision
- Institutional Person established and changes communicated.
Other considerations for managing the IdMatch service.
- Should the Institutional Identifier be contained in the ID Match data content with Institutional Identifier.
- This is backfeed to the IdMatch data is a good feature.
- Periodic updates of Id Match database from the registry.
- IdMatch database contains certain information that should be periodically refreshed from the source. (name, phone, etc)
- periodic refresh
- event based update when changes occur to the data elements in the Match database.
- both ( this would be the preferred solution )
There are more steps (7 thru 11 from the identity onboarding ) to consider related to the Identity Onboarding, however since this document is focusing on the ID Match they are not covered here. The Credential Management controller and the Groups Update Controller will not be treated in this document.
Related articles