SailPoint Launches Open Role Exchange Initiative
SailPoint Calls for Industry Collaboration on Role Interoperability
Identity Risk Management Leader Jumpstarts Industry Initiative to Standardize Role Exchange
SailPoint Technologies today issued an open call for the development of a new standard that addresses the need to integrate roles and role models between tools and systems. The goal of this initiative is to bring the identity management community together to define role interoperability standards that will solve difficult integration problems and simplify role-based governance across diverse identity infrastructures. An interactive forum has been created at www.openroleexchange.org [Open Role Exchange Forum (ORXF)] to organize the industry effort and to facilitate the collaboration needed to define the model and foster adoption of the new standard.
In order to address the need for role-based governance today, organizations must invest significant time and money building and deploying custom integration between the various role models throughout the enterprise, including provisioning, entitlement management, network access control and business applications. The result is an expensive, brittle, and complex role model system that is difficult to deploy and hard to maintain. If a standard model for role exchange were available, organizations could avoid custom integration and immediately benefit from effective oversight and policy enforcement based on centralized role management.
Mike Neuenschwander, general manager of Mycroft Inc.'s strategy practice, puts it this way: "Large organizations need to leverage roles across their vast, diverse, and complex IT infrastructures. But today, the concept of 'roles' is contextual and nuanced. Organizations grapple with applying policy to organizational roles, business roles, functional roles, IT provisioning roles, resource roles, etc. If roles are to be applicable at a broad scale and across business boundaries, some forum needs to take up the difficult discussion around role interoperability."
"Role interoperability is a pervasive issue for companies addressing identity governance," said Darran Rolls, SailPoint's CTO. "As an identity management community, I believe it's our responsibility to define a standardized operational exchange model for roles. This effort will reduce the need for custom integration and will lower the cost and complexity of deploying and maintaining integrated role-based systems." Rolls is an identity management standards veteran, having served as the chair of the OASIS Provisioning Services Technical Committee, where he led a two-year industry effort to develop the Service Provisioning Markup Language (SPML) specification.
To foster collaboration around the call for role exchange standards, SailPoint is encouraging live debate at the Burton Catalyst Conference June 23-27, 2008 in San Diego, and will host an interactive webcast on July 16, 2008. Companies and individuals interested in participating can go to www.openroleexchange.org, an open forum designed to facilitate an interactive dialogue. The forum also features technical information on the need for a role exchange standard, and will provide updates on the effort moving forward.
The Open Role Exchange seeks to provide a forum to discuss the requirements for role interoperability and to identify areas where new standardization is needed. In an open letter to the industry, Rolls suggests that the industry should begin by addressing five key requirements for role interoperability.
Key Requirements for Role Interoperability
- A Common Exchange Format to describe the role-based access control (RBAC) structure and control rules between systems
- Query and Exchange Operations so that structure, allocation and usage requests can flow between systems
- Change Control and Delegated Administration to determine how systems can extend or modify a shared model
- A Role Mapping and Resource Referencing scheme
- A Common State Model for shared RBAC systems
SailPoint Technologies, Inc. (http://www.sailpoint.com) develops identity risk management software that helps organizations gain control over user access to critical systems and data, streamline costly IT compliance processes and reduce the risks of fraud, corporate data loss or theft and failed audits. Founded in December 2005, SailPoint is based in Austin, TX.
Q. What are the steps involved in creating a role interoperability standard?
A. The first step is to come to an agreement on the problem scope this group wishes to address, because roles and role-based access control constitute a very broad subject area. Once the forum has agreed upon the scope, the next step toward creating a specification is to write a clear and concise charter. With that in hand, the group will then decide on a suitable IP-free standards forum for the ongoing development of the specification.
Q. How is the Open Role Exchange standard different from the existing standards around roles?
A. The existing role management standards address some of the issues related to role interoperability, but none provide a complete solution.
For example, the recent work at INCITS around RBAC exchange operations provides a starting point for a set of exchange methods, but it does not provide guidance on the actual implementation of the abstract model it defines. At the same time, the XACML RBAC profile presents strong, concise guidance on how to describe a role model in XML, but it focuses on using RBAC in an access control decision, not on how to define interoperation or how to define an operational context for roles in general.
The goal of the Open Role Exchange initiative is to build on the work of these existing standards to create a new specification for role interoperability and exchange that defines the types of change control semantics needed when autonomous systems share a governance context around a common role model.
Q. Why isn't OASIS driving this process? Is that group involved at all?
A. SailPoint is a member of OASIS and agrees that OASIS is a very likely target organizational umbrella under which an open role exchange specification could be developed. However, this is a decision that will need to be made by the group as a whole.
Q. Why is SailPoint leading this effort?
A. SailPoint has kick-started the effort to develop open standards for role interoperability. However, the ultimate goal of the Open Role Exchange Forum is to facilitate dialog and industry collaboration that will lead to the formation of a formal technical committee within an organization like OASIS.
Open Role Exchange Initiative:
- Forum web site
- "Establishing an Operational Context for Shared Role-Based Access Control Systems. Making the Case for Interoperability and Standards Development for Autonomously Operating Role-Based Access Control (RBAC) Systems." Darran Rolls, SailPoint Technologies. White Paper. Published June 18, 2008
- Overview: Discover the Open Role Exchange
- Open Role Exchange FAQ Document
- Interactive Forum: Participate in the discussion on Open Role Exchange
- Open Role Exchange: Podcast
Burton Catalyst Conference June 23-27, 2008. See Session 2115: "Role Management and Provisioning: Co-existence or Convergence?" — Role management technologies have gained significant traction in the identity management market. Roles help organizations align responsibilities to resources and entitlements. As such, several organizations have initiated role management projects in conjunction with a provisioning initiative. The division between provisioning and role management has become blurred. Some perceive roles and provisioning to be one and the same. However, each tool addresses separate problems and the business expectations are significantly different. In this session, Burton Group will host a vendor panel and invite participants to discuss how these technologies complement one another, yet remain distinct and separate solutions.
Prepared by Robin Cover for The XML Cover Pages archive.