Mark Dixon's quest to explore the world of Identity Management

August 2010


This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.

One might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine-grained authorization is like granting access to each individual attraction within the park separately, based on some sort of policy.  Following this analogy, the most common method of Identity Management authorization is like a full-day pass to Disneyland, granting access to the front gate as well as every ride in the park.  Similarly, simple Identity Management authorization allows access to all functions within an application once the user is authenticated.

However, a trend is growing towards using standards-based, fine-grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities.  For example, one user could be granted only data browsing privileges, while another user could be granted data creation or edit privileges, as determined by a policy expressed in XACML format.   The definition and enforcement of this fine-grained authorization would be externalized from the application itself: the application asks a policy decision point whether a given subject may perform a given action on a given resource, and only acts on the answer.

At the present time, fine-grained authorization is desirable but difficult to implement.  It appears to be easier to define and control policies in an Identity system than to change each application to rely on an external system for its authorization decisions.
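To make the "externalized" idea concrete, here is a small added example (mine, not code from the original post or from any XACML product) of a policy decision point that mirrors the XACML structure in plain Python: a Policy holds Rules, each Rule has a Target of attribute matches, an optional Condition and an Effect, and the Policy combines rule results with deny-overrides.  The customer-records policy, the attribute identifiers, the roles "viewer" and "editor" and the "channel" environment attribute are all constructed for illustration; a real deployment would express the same policy in XACML XML and evaluate it in a vendor PDP.  The point to notice is that open_record() contains no role logic at all, and that the enforcement point treats anything other than an explicit Permit as a denial.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is a flat bag of attributes, standing in for the XACML request
# context categories (subject, resource, action, environment).
Request = Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Dict[str, str]                        # attribute-id -> required value
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, request: Request) -> str:
        # Target: every listed attribute must match exactly, like a set of
        # <Match> elements in an XACML <Target>.
        for attr, wanted in self.target.items():
            if request.get(attr) != wanted:
                return NOT_APPLICABLE
        # Condition: a boolean over the whole request. False means the rule
        # does not apply; it never flips the effect.
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE
        return self.effect


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]

    def evaluate(self, request: Request) -> str:
        """Deny-overrides rule combining: any Deny wins, else any Permit,
        else NotApplicable."""
        decisions = [rule.evaluate(request) for rule in self.rules]
        if DENY in decisions:
            return DENY
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE


# Constructed policy for a hypothetical customer-records application.
WRITE_ACTIONS = {"create", "update"}

RECORDS_POLICY = Policy(
    policy_id="urn:example:policy:customer-records",   # assumed identifier
    rules=[
        Rule("viewer-may-read", PERMIT,
             {"resource:id": "customer-record", "subject:role": "viewer",
              "action:id": "read"}),
        Rule("editor-may-read-or-write", PERMIT,
             {"resource:id": "customer-record", "subject:role": "editor"},
             condition=lambda r: r["action:id"] in WRITE_ACTIONS | {"read"}),
        # Writes arriving over the public internet are denied whatever the
        # role; under deny-overrides this beats the editor Permit above.
        Rule("no-writes-from-internet", DENY,
             {"resource:id": "customer-record",
              "environment:channel": "internet"},
             condition=lambda r: r["action:id"] in WRITE_ACTIONS),
    ],
)


def decide(role: str, action: str, channel: str = "intranet",
           resource: str = "customer-record") -> str:
    """Build a request context and ask the policy decision point."""
    return RECORDS_POLICY.evaluate({
        "subject:role": role,
        "action:id": action,
        "resource:id": resource,
        "environment:channel": channel,
    })


def is_authorized(role: str, action: str, channel: str = "intranet") -> bool:
    """Policy enforcement point: only an explicit Permit grants access.
    Deny and NotApplicable both fall closed."""
    return decide(role, action, channel) == PERMIT


def open_record(role: str, action: str, channel: str = "intranet") -> str:
    # The application no longer hard-codes "editors can write"; it asks the
    # externalized policy and branches only on the answer.
    if not is_authorized(role, action, channel):
        return f"403: {role} may not {action} customer-record via {channel}"
    return f"200: {action} customer-record"


if __name__ == "__main__":
    for args in [("viewer", "read"), ("viewer", "update"),
                 ("editor", "update"), ("editor", "update", "internet"),
                 ("editor", "delete")]:
        print(args, "->", decide(*args), "|", open_record(*args))
```

Changing who may edit, or adding the channel restriction, now means editing RECORDS_POLICY (in production, the XACML document in the policy administration point), not redeploying the application; that separation is what the trend described above is after.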

Much is being discussed about policy management standards (e.g. XACML).  Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.

Recommendations:

As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:

  1. Which of your applications could benefit most from fine-grained authorization?
  2. How would externalizing policy management and enforcement streamline your applications?
  3. How could standards such as XACML improve the management of security and access control policies in your organization?
  
12:37 PM MST