Identity Governance Framework (IGF)

Oracle Announces Open Initiative to Help Organizations Govern Identity Information Across Enterprise Applications

CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun Microsystems Join Initiative and Support Draft Framework

Redwood Shores, California, USA. November 29, 2006.

Oracle today announced an open initiative, the Identity Governance Framework (IGF), designed to help organizations better govern and protect sensitive identity-related employee, customer and partner information as it flows across heterogeneous applications. Leading identity vendors including CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun Microsystems, Inc. have reviewed a draft of the Framework and plan to work with Oracle to develop full specifications. With today's announcement, Oracle is also inviting additional vendors and customers to review and contribute to the key draft specifications.

Organizations today are struggling to balance the need to meet regulatory mandates and secure personal information while maintaining streamlined business processes. As a consequence, identity-related data is often embedded in numerous applications across an organization, making it prone to inconsistencies, placing information at risk and triggering privacy violations. IGF will uniquely address this problem and establish a standard way of defining enterprise-level policies for organizations to share sensitive personal information securely and confidently between applications and diverse identity sources while helping ensure security and privacy. With the IGF, organizations can more easily determine and control how identity information — including Personally Identifiable Information, access entitlements and personal attributes — is used, stored, and propagated across diverse systems, helping ensure the information is easily auditable and not abused, compromised or misplaced.

"Historically, enterprise architects and developers have struggled with the challenge of seamlessly integrating identity services with business applications — a situation that is further compounded by contemporary regulatory and compliance pressures," said Gerry Gebel, vice president and service director at Burton Group. "Efforts, such as the Identity Governance Framework, can help bring order to unsystematic environments or approaches by addressing areas not covered in other identity and security standards."

The IGF provides a standard mechanism for organizations to establish "contracts" between their applications and sources of identity data. The four key components of the Identity Governance Framework that vendors and customers can currently review include:

  • Client Attribute Requirement Markup Language (CARML): an XML-based declarative contract defined by application developers that informs deployment managers and service providers about the attribute usage requirements of an application

  • Attribute Authority Policy Markup Language (AAPML): a set of policy rules regarding the use of identity-related information from an identity source that allow these sources to specify constraints on use of provided data by consuming applications

  • CARML API: an Application Programming Interface that makes it easier for developers to write applications that consume and use identity-related data in a way that conforms to policies set around the use of such information

  • Identity Service: a policy-secured service for accessing identity-related data from multiple identity sources.

"As a provider of business and infrastructure applications, Oracle understands the challenges our customers face when trying to manage and secure identity-related information that is often scattered across their entire infrastructure and recognizes the increasing importance of establishing auditable policies pertaining to that information," said Hasan Rizvi, vice president, Identity Management and Security products, Oracle. "By creating the Identity Governance Framework we are helping organizations overcome this challenge and gain complete visibility into how identity information is stored and used in their systems."

Industry Support of the Identity Governance Framework

Key vendors in the identity management market support the IGF and plan to help further develop the specifications that will be submitted to a recognized global standards setting organization in the future. Oracle, CA, Layer 7 Technologies, Novell, Ping Identity, Securent and Sun Microsystems are expected to be joined by other technology companies who also plan to contribute to the initiative. Customers are expected to benefit from a common industry standard by being able to share sensitive identity-related data more easily across their heterogeneous IT environment and know where it is, how it's being used and by whom.

"CA is supporting the Identity Governance Framework to help customers more easily protect personal data across their disparate systems and applications," said Vadim Lander, vice president and chief architect, Security Management at CA. "We look forward to working with Oracle and others to develop practical, adaptable XML-based specifications that simplify the creation, enforcement and management of identity security policies."

"Consistent and cross-platform access to identity information is central to good security and compliance," said Toufic Boubez, CTO of SOA security vendor, Layer 7 Technologies. "Nowhere is this more critical than in SOA where identity context needs to be shared across heterogeneous services that span enterprise departments and divisions. Secure, compliant SOA therefore requires a policy-driven framework for consistently working with its partners to help formulate a standards-based framework for delivering these kinds of identity services to the market."

"Novell is committed to working with Oracle and other leaders in the identity management market in the development of an open framework that will facilitate developers' efforts to better identity-enable applications and services independent of the underlying identity infrastructure," said Nick Nikols, vice president, Product Management Identity and Security Novell, Inc. "This commitment goes hand in hand with our existing participation and contributions to the Higgins and Bandit projects."

"The Identity Governance Framework is a much needed addition to the identity management industry," said Patrick Harding, CTO, Ping Identity. "The Framework, as an extension of Federated Identity Management, will allow our customers to better maintain the privacy of their user information and to have finer-grained control over the release of that information to their business partners."

"Secure access to sensitive identity-related information including HR information, location/presence information, customer information, etc. is increasingly critical for businesses," said Sekhar Sarukkai, Founder and CTO of Securent Inc. "As the leading XACML-based entitlement management vendor, Securent is in the forefront of deploying policy-driven authorization solutions across heterogeneous environments and is happy to contribute its experiences to the creation of the Identity Governance Framework in order to enable an open-standards-based, declarative, mechanism to securely publish, and consume, identity related information."

"The direction which the Identity Governance Framework is heading is positive," said Don Bowen, director of Identity Integration for Sun Microsystems, Inc. "Sun supports its submission to a standards body and thinks the Liberty Alliance may be best, as it is a natural and essential evolution of the work already done within that organization."

To learn more about the Identity Governance Framework and to review the specifications, visit

About Oracle

Oracle (NasdaqGS: ORCL) is the world's largest enterprise software company. For more information about Oracle, visit our Web site at


Rebecca Hahn
Tel: +1.714.445.4611


Additional References

  • General:
  • Client Attribute Requirement Markup Language (CARML):
    • CARML Specification. Edited by Phil Hunt (Oracle). Contributors: Prateek Mishra and Mark Wilcox (Oracle Corporation). Document Identifier: IGF-CARML-spec-03. Working Draft. 12 pages. "Client Attribute Requirements Markup Language is a specification that allows applications to define their attribute requirements as it relates to identity. CARML can be used to automate configuration of identity attribute services and to expose the set of identity-related data consumed by a specific application or groups of applications."
    • CARML W3C Schema (XSD)
    • Example CARML document (XML)
    • Client API (PDF document). Edited by Phil Hunt (Oracle). "The Identity Governance Framework (IGF) is designed to allow: (1) application developers to build applications that access identity-related data from a wide range of sources, (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data... This document outlines the multi-language API to be used with attribute services otherwise known as the 'CARML-API'. The multi-language API itself is non-normative and is provided to demonstrate how CARML might be used in connection with an identity service provider."
  • Attribute Authority Policy Markup Language (AAPML):
    • AAPML Specification. Edited by Prateek Mishra (Oracle Corporation). Contributors: Phil Hunt and Rich Levinson (Oracle Corporation). Document identifier: IGF-AAPML-spec-08. Working Draft. 17 pages. "Attribute Authority Policy Markup Language (AAPML) is a XACML profile designed to allow attribute authorities to specify conditions under which information under management may be used (and possibly modified) by other applications."
  • Press and commentary:

Prepared by Robin Cover for The XML Cover Pages archive.
