How the Open Group views ‘provisioning’

Last week we started taking a close look at a major white paper, “Identity Management,” released by the Open Group earlier this month (link below). We’ve been exploring how the paper treats the key concepts of identity management (last week we examined “trust” and “authentication”) so today we’ll see how the concept of “provisioning” is dealt with.

The paper breaks the provisioning process into two parts, one with two segments. Provisioning itself includes account provisioning and resource provisioning but equally important is the concept of de-provisioning. These are defined by the Open Group as:

* Account provisioning – the creation of accounts to deal with identity-related information associated with individuals, their personal attributes, affiliations, etc.

* Resource provisioning – the acquisition, distribution or management of business assets such as computers, databases, and applications and the management of permissions associated with those assets.

* Account de-provisioning – the termination of access rights to systems and services, and re-allocation of those systems and services when, for example, an individual is moved within or removed from an organization.

Provisioning is also usually closely aligned with meta- or virtual directory services. It’s important to identify the source of authority for any particular piece of data (each piece could have a different SoA) with that SoA being the only place the individual piece of data can be created, changed or removed. This not only improves accuracy but also acts as a deterrent to fraud as well as satisfying any “turf” or “political” issues of who owns the data.

The paper also points out that in addition to creating, changing, and deleting identity information, provisioning should also allow for suspending an identity. The example given is that an identity may go on leave or a group of identities, representing a team, may be temporarily changing from one project to another. The identity(s) are then suspended, thus suspending access to respective systems and services. Suspending allows an easy change back to active status which would take considerably longer with a remove follow (some time later) by an add.

While most readers of this newsletter will already be familiar with the provisioning concept as outlined in the paper (although the “suspend an identity” function may be new to some), you should still read this section and let the Open Group know your thoughts on provisioning so that it might be incorporated in a future revision.

Next time we’ll see what the paper has to say about authorization and permission management.