
Role-based access control to drive identity projects

What’s coming in identity management in 2007?

Security Identity Management Alert By Dave Kearns, Network World
January 17, 2007 02:55 PM ET

Last issue I promised that today I’d reveal my predictions for 2007. But what should I do about one that’s already coming true?

As I reminded you last week, for 2006 I predicted a convergence of standards – specifically, a melding together of the Liberty Alliance specification and the Microsoft/IBM-generated WS-* protocols. As I noted, convergence hadn’t yet occurred, but interoperability was coming closer. I intended, today, to predict that the differences would be overcome in 2007.

Then the Liberty Alliance up and stole my thunder!

Just last week, along with announcing new officers (Oracle’s Roger Sullivan as the new president is an excellent choice!), the Liberty Alliance also announced its goals for 2007, one of which is “driving convergence in the identity sector.”

Now the alliance doesn’t specifically state that it will push for alignment with the WS-* standards, but its statement seems unambiguous: “In an era when governments and enterprises require open and interoperable identity solutions and developers and system integrators are moving to leverage a variety of open source and Web 2.0 initiatives, Liberty Alliance will continue to lead in moving the global identity sector toward industry-wide convergence in 2007.” We will hold it to that promise.

While last year saw convergence also occurring in the “user-centric” identity space, with everyone seemingly flocking to the OpenID banner, I expect that this will slow in 2007 as Microsoft CardSpace gathers momentum on users’ desktops. There appear to be (as frequently happens with open source projects) too many cooks involved in trying to make the dish. There’ll be some fallout, some backing off and a redrawing of the battle lines before the open source identity movement picks up again, possibly in 2008.

On the enterprise front, I expect that Roles and Role-based Access Control (RBAC) will take center stage as the driving force behind identity management projects. While provisioning and compliance projects may not yet be completed, the “glamour” of RBAC will be the buzz in identity management gatherings.

InMezzo’s Tim Craig doesn’t agree with me on that, however. He told me: “You cannot share information across business boundaries with only role based systems, because you have no control of the roles of your partners, so cannot provision services for them. We have to be talking about 'attribute management'. Role based access control cannot handle content or environment based decisions, e.g., does the user gain different rights if he is coming in from his unsecured palm top compared with his secured office machine?” I think there’s a flaw in his logic, but we’ll get into that in a later issue.


Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
