Friday Aug 22, 2008

Ongoing Discussion: A provisioning-centric view of how enterprise applications do security

As an Identity Management practitioner, you are expected to thoroughly understand how dozens or maybe hundreds of different applications in your enterprise "do" security. You need to know each application well enough to mine it for existing permissions, create and manage roles containing its fine-grained permissions, provision users to it, structure attestation processes for it, and so on. This is no easy job. Each of your applications has its own security model and those models, some of which are decades old, can be... quirky. I've begun a project to document the internal security models of about fifty different enterprise systems, from LDAP to RACF to the Oracle eBusiness Suite. I'm going to share that information, one system at a time, on this blog. I won't be describing the entire internal security model of each application. Rather, I'll be describing the parts that we need to know in order to build a provisioning and role management system. I could really use your contribution. If you understand the security model of a popular or even not so popular enterprise software package, write it down and send it to me. I'll publish your work - and give you credit of course. Also, if you read something that I've written and see that I've got it wrong, use the comment form at the bottom of each post.

Friday Aug 15, 2008

What's wrong with the ANSI RBAC standard? Part 3 - what happens when you remove an inheritance relationship?

The ANSI standard for RBAC (ANSI INCITS 359-2004) includes role hierarchies as an optional feature. The model of role hierarchies it defines is simple, easy to understand, and generally good stuff. It does have a few problems, one of which I think should be addressed: when an inheritance relation between two roles in a role hierarchy is removed, the specification doesn't say what should happen. It should. There are two possible behaviors in theory. In a world where workflow, approval, and attestation are important - our world - there is really only one good behavior.

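To make the two candidate behaviors concrete, here is an added example (not code from the post or from the ANSI INCITS 359-2004 text) in which a small hierarchy finance_director > ap_manager > ap_clerk is built and the ap_manager > ap_clerk inheritance is then removed. Role, permission and user names are constructed for illustration, and the modelling assumption matches the ANSI hierarchy: a senior role inherits the permissions of its juniors, and a user assigned to a senior role counts as a member of every junior. The first deletion just drops the edge; the second first materializes as direct assignments everything that was only reachable through the edge, and returns that list, which is the set of objects a workflow could approve and an attestation could later review.

```python
"""Removing an inheritance relation from a role hierarchy: two behaviours.

Added example; names are constructed for illustration only.
"""


class RoleHierarchy:
    def __init__(self):
        self.direct_perms = {}   # role -> permissions assigned directly
        self.direct_users = {}   # role -> users assigned directly
        self.juniors = {}        # senior role -> roles it inherits from

    def assign_perm(self, role, perm):
        self.direct_perms.setdefault(role, set()).add(perm)

    def assign_user(self, role, user):
        self.direct_users.setdefault(role, set()).add(user)

    def add_inheritance(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)

    def roles(self):
        names = set(self.direct_perms) | set(self.direct_users) | set(self.juniors)
        for js in self.juniors.values():
            names |= js
        return names

    def all_juniors(self, role):
        """Transitive closure of the inheritance relation below `role`."""
        seen, stack = set(), list(self.juniors.get(role, ()))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def effective_perms(self, role):
        perms = set(self.direct_perms.get(role, ()))
        for j in self.all_juniors(role):
            perms |= self.direct_perms.get(j, set())
        return perms

    def effective_users(self, role):
        """Users holding `role` directly or through any senior role."""
        users = set(self.direct_users.get(role, ()))
        for senior in self.roles():
            if role in self.all_juniors(senior):
                users |= self.direct_users.get(senior, set())
        return users

    def delete_inheritance_silently(self, senior, junior):
        """Behaviour 1: drop the edge. Roles above `senior` lose permissions and
        `junior` (and below) loses members, with no assignment anyone approved."""
        self.juniors.get(senior, set()).discard(junior)

    def delete_inheritance_preserving(self, senior, junior):
        """Behaviour 2: drop the edge, then re-create as direct assignments
        whatever was reachable only through it, so effective permissions and
        membership are unchanged. Returns the new assignments for approval."""
        roles = self.roles()
        perms_before = {r: self.effective_perms(r) for r in roles}
        users_before = {r: self.effective_users(r) for r in roles}
        self.juniors.get(senior, set()).discard(junior)
        created = []
        # Permissions flow upward: repair the lowest affected role first so one
        # direct grant there also repairs every role above it.
        for r in sorted(roles, key=lambda r: (len(self.all_juniors(r)), r)):
            for p in sorted(perms_before[r] - self.effective_perms(r)):
                self.assign_perm(r, p)
                created.append(("permission", r, p))
        # Membership flows downward: repair the highest affected role first.
        for r in sorted(roles, key=lambda r: (-len(self.all_juniors(r)), r)):
            for u in sorted(users_before[r] - self.effective_users(r)):
                self.assign_user(r, u)
                created.append(("user", r, u))
        return created


def build_example():
    """Constructed hierarchy: finance_director > ap_manager > ap_clerk."""
    h = RoleHierarchy()
    h.assign_perm("ap_clerk", "invoice.create")
    h.assign_perm("ap_manager", "invoice.approve")
    h.assign_perm("finance_director", "ledger.close")
    h.assign_user("ap_clerk", "carol")
    h.assign_user("ap_manager", "bob")
    h.assign_user("finance_director", "alice")
    h.add_inheritance("ap_manager", "ap_clerk")
    h.add_inheritance("finance_director", "ap_manager")
    return h


if __name__ == "__main__":
    h = build_example()
    print(h.delete_inheritance_preserving("ap_manager", "ap_clerk"))
```

With the silent deletion, alice (finance_director) loses invoice.create and ap_clerk shrinks to carol alone, and nothing in the system records that anybody decided this. With the preserving deletion, invoice.create becomes a direct grant on ap_manager and alice and bob become direct members of ap_clerk, each a reviewable object.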

Friday Aug 08, 2008

What's wrong with the ANSI RBAC standard? Part 2 - Role-Role SOD is just too simple to work

The ANSI INCITS 359-2004 specification (get your copy for a few dollars here) spends a good number of pages talking about something very near and dear to me: Separation of Duties (SOD). The specification describes "constrained" RBAC generally and then outlines two types of constraints - static SOD and dynamic SOD. I am very glad that SOD made its way into the ANSI specification. I am also glad that the specification allows SOD rules that consist of role sets and not just role pairs - nice work guys. I'm not so happy about restricting SOD policies to sets of roles. In the "real" world, I have found that this approach is highly problematic. My view is that SOD policies should allow Role-Role, Permission-Permission and possibly even Role-Permission sets within SOD policies. A simplified scenario should illustrate the point.
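As an added example (not from the post or the ANSI text), the following script evaluates the same business conflict, "nobody may both create and approve an invoice", once as an ANSI-style Role-Role static SOD rule and once as a Permission-Permission rule. Roles, permissions, users and the rules are constructed for illustration; the rule shape (item set, n) is the ANSI static SOD form, and applying that shape to permission sets is this example's assumption about how the post's proposal would look. The last function enumerates the role combinations a role-level policy would have to list to express one permission-level rule, which grows every time somebody packages the same permission into another role.

```python
"""Static SOD over role sets versus over permission sets (added example)."""
from itertools import combinations

# Constructed role definitions.
ROLE_PERMS = {
    "ap_clerk": {"invoice.create"},
    "ap_approver": {"invoice.approve"},
    # Same approval authority as ap_approver, packaged as a different role.
    "ap_supervisor": {"invoice.approve", "invoice.void"},
    "treasury": {"payment.release"},
}

# Constructed user assignments.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver"},
    "bob": {"ap_clerk", "ap_supervisor"},
    "carol": {"ap_supervisor", "treasury"},
}

# Role-Role rule in ANSI static SOD form: no user may hold 2 of these roles.
ROLE_SOD = [({"ap_clerk", "ap_approver"}, 2)]
# Permission-Permission rule stating the actual business conflict.
PERM_SOD = [({"invoice.create", "invoice.approve"}, 2)]


def effective_perms(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    return set().union(*(role_perms[r] for r in user_roles[user]))


def violations(items_by_user, rules):
    """Users holding at least n items from some rule's item set."""
    return {u for u, items in items_by_user.items()
            for item_set, n in rules if len(items & item_set) >= n}


def role_sod_violations(user_roles=USER_ROLES, rules=ROLE_SOD):
    return violations(user_roles, rules)


def perm_sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMS, rules=PERM_SOD):
    perms = {u: effective_perms(u, user_roles, role_perms) for u in user_roles}
    return violations(perms, rules)


def role_sets_covering(perm_set, role_perms=ROLE_PERMS):
    """Every minimal combination of roles whose permissions together include
    perm_set, i.e. the Role-Role rules needed to express one permission rule."""
    found = []
    for k in range(1, len(perm_set) + 1):
        for combo in combinations(sorted(role_perms), k):
            covered = set().union(*(role_perms[r] for r in combo))
            if perm_set <= covered and not any(f <= set(combo) for f in found):
                found.append(frozenset(combo))
    return found


if __name__ == "__main__":
    print("role rule flags:", role_sod_violations())
    print("permission rule flags:", perm_sod_violations())
    print("role sets needed:", role_sets_covering({"invoice.create", "invoice.approve"}))
```

The Role-Role rule flags alice but not bob, even though bob can create and approve invoices just as alice can; the Permission-Permission rule flags both. Expressing that single permission rule at the role level already takes two role pairs here, and adding any further role that carries invoice.approve or invoice.create would require another.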

Friday Aug 01, 2008

What's wrong with the ANSI RBAC standard? Part 1 - Sessions should be optional

I must first say that the ANSI INCITS 359-2004 RBAC standard* is absolutely critical. While RBAC has been around for about two decades, ANSI and its predecessors only (relatively) recently gave us a shared language and got us talking about roles and role management. Some of that talk is about how flawed the rather academic ANSI standard is when applied to real-world identity management, but at least we're all talking! I could spend time talking about what's right about the current standard. Perhaps I will some day soon. For now, however, to fulfill my promise of at least one post per week, here is the first item in a fairly long list of gripes about the standard. Remember, we only complain about those we love! Issue 1: Sessions and Role Activation don't belong in core RBAC.

Welcome to IdentityThink

I won't argue that the world needs another blog talking about identity management. My new blog exists, that's my topic, what more needs to be said? I will talk about my goals for the blog: I hope to learn from and share my knowledge with experts in the fields of role management, provisioning, and other closely related disciplines. By experts I mean you, those thinking and living identity management at corporations, analyst firms, and public entities around the world. I firmly believe that much of what we need to know about identity management is already known, by you, in little bits here and there, and that we just need to gather this knowledge and synthesize it properly**. What are my qualifications? I am a VP at Oracle working on role management and provisioning products. I joined Oracle a bit less than a year ago from Bridgestream where I was VP Engineering and Operations up until the very welcome acquisition by our friends at Oracle. During my time in the field, at Bridgestream and now at Oracle, I have visited with no less than hundreds of identity and security experts in the US and Europe who collectively have many hundreds of years of practical experience in identity management. You are some darn smart people and I have benefited from your knowledge. I like to think that I've contributed a bit of my own - but you be the judge of that. I am looking forward to talking with you!

Articles and thoughts, many far too long, relating to Identity Management.
