Q: What is the Open Role Exchange initiative?
A. The Open Role Exchange is a vendor-neutral initiative designed to bring the identity management community together to define role interoperability standards that will solve difficult integration problems and simplify role-based governance across diverse identity infrastructures. The initiative is intended to facilitate collaboration and open discussion on the definition of new role interoperability standards and extensions to existing role standards.
Q: What does role interoperability mean?
A. Role interoperability addresses the need to integrate roles and role models between tools and systems. Roles as a construct exist throughout the IT environment – in applications, in identity management systems, even in specialized role management products. The reality is that customers always have more than one role model in their IT environments. In order to use roles as a framework for identity governance, risk and compliance, organizations need to be able to exchange and interoperate between these role models. The unfortunate reality is that most role interoperability that takes place today is done with custom integration. It’s a one-off, vendor-to-vendor type approach.
Q: How will customers benefit from role interoperability?
A. Role exchange standards will enable customers to deploy role-based governance models without incurring the expense and complexity of building custom role integration on a product-by-product basis. Open role interoperability standards will allow organizations to remain flexible and avoid being locked into a specific technology and/or vendor, making it easier to mix and match technologies from best-of-breed vendors based on their needs. By choosing solutions that conform to an open standard for role exchange and avoiding custom integration, organizations can reduce the total cost of ownership (TCO) of role-based governance and other identity management projects.
Q: How will the Open Role Exchange benefit vendors?
A. Vendors who participate in the Open Role Exchange will gain immediate benefits through access to an open communication channel and networking forum with peers in the industry. Participating vendors gain the ability to influence the development of the standards and to be recognized for participation. The most significant benefits will come when new role interoperability standards are released and accepted by the community. Vendors fostering standards in general will benefit from increased market acceptance, ease of data integration, and lower costs of deployment.
In the future, contributors and participants in the Open Role Exchange (and any follow-on standards efforts) will be able to take advantage of:
Q: What technical issues will the Open Role Exchange address?
A. Initially, this effort aims to address the following issues:
A. The first step is to come to an agreement on the problem scope this group wishes to address, because roles and role-based access control are a very broad subject area. Once the forum has agreed upon the scope, the next step toward creating a specification is to write a clear and concise charter. With that in hand, the group will then decide on a suitable IP-free standards forum for the ongoing development of the specification.
A. The existing role management standards address some of the issues related to role interoperability, but none provide a complete solution.
For example, the recent work at INCITS around RBAC exchange operations provides a starting point for a set of exchange methods, but it does not provide guidance on the actual implementation of the abstract model it defines. At the same time, the XACML RBAC profile presents strong, concise guidance on how to describe a role model in XML, but it focuses on using RBAC in an access control decision, not on how to define interoperation or how to define an operational context for roles in general.
The goal of the Open Role Exchange initiative is to build on the work of these existing standards to create a new specification for role interoperability and exchange that defines the types of change control semantics needed when autonomous systems share a governance context around a common role model.