
Open Role Exchange FAQ

Q: What is the Open Role Exchange initiative?

A. The Open Role Exchange is a vendor-neutral initiative designed to bring the identity management community together to define role interoperability standards that will solve difficult integration problems and simplify role-based governance across diverse identity infrastructures. The initiative is intended to facilitate collaboration and open discussion on the definition of new role interoperability standards and extensions to existing role standards.


Q: What does role interoperability mean?

A. Role interoperability addresses the need to integrate roles and role models between tools and systems. Roles as a construct exist throughout the IT environment – in applications, in identity management systems, even in specialized role management products. The reality is that customers always have more than one role model in their IT environments. In order to use roles as a framework for identity governance, risk and compliance, organizations need to be able to exchange and interoperate between these role models. The unfortunate reality is that most role interoperability that takes place today is done with custom integration. It’s a one-off, vendor-to-vendor type approach.


Q: How will customers benefit from role interoperability?

A. Role exchange standards will enable customers to deploy role-based governance models without incurring the expense and complexity of building custom role integration on a product-by-product basis. Open role interoperability standards will allow organizations to remain flexible and avoid being locked into a specific technology and/or vendor, making it easier to mix and match technologies from best-of-breed vendors based on their needs. By choosing solutions that conform to an open standard for role exchange and avoiding custom integration, organizations can reduce the total cost of ownership (TCO) of role-based governance and other identity management projects.


Q: How will the Open Role Exchange benefit vendors?

A. Vendors who participate in the Open Role Exchange will gain immediate benefits through access to an open communication channel and networking forum with peers in the industry. Participating vendors gain the ability to influence the development of the standards and to be recognized for participation. The most significant benefits will come when new role interoperability standards are released and accepted by the community. Vendors fostering standards in general will benefit from increased market acceptance, ease of data integration, and lower costs of deployment.

In the future, contributors and participants in the Open Role Exchange (and any follow-on standards efforts) will be able to take advantage of:

  • Early access to specifications and reference implementations;
  • The ability to influence the resulting standards;
  • Participation in the promotion of the standards (press releases, press interviews);
  • Participation in technical events, such as workshops, development meetings, interops, etc.

Q: What technical issues will the Open Role Exchange address?

A. Initially, this effort aims to address the following issues:

  • A Common Machine-Readable Definition Format: For open systems to share a common RBAC model, they must use a common machine-readable format that describes the RBAC structure and its control rules.
  • Query and Exchange Operations: Once systems share a common RBAC definition model, they must share a well-defined set of query and exchange operations so that structure, allocation and usage requests can flow between systems.
  • Change Control and Delegated Administration: Participating systems should be allowed to extend and modify a shared model in order to meet local operational needs. If local model changes are allowed, they must be controlled so as to maintain the overall integrity of the RBAC model.
  • Role Mapping and Resource Referencing: With the enablement of local model change control (delegated administration) there comes a need for a role mapping capability and for a common resource-referencing scheme.
  • A Common RBAC State Model: For a shared role model to be deployed and used effectively, collaborating systems must agree upon a common state model. This state model should apply to the overall RBAC system and should be applicable to the individual elements it defines.

Q: What are the steps involved in creating a role interoperability standard?

A. The first step is to come to an agreement on the problem scope this group wishes to address, because roles and role-based access control are a very broad subject area. Once the forum has agreed upon the scope, the next step toward creating a specification is to write a clear and concise charter. With that in hand, the group will then decide on a suitable IP-free standards forum for the ongoing development of the specification.


Q: How is the Open Role Exchange standard different from the existing standards around roles?

A. The existing role management standards address some of the issues related to role interoperability, but none provide a complete solution.

For example, the recent work at INCITS around RBAC exchange operations provides a starting point for a set of exchange methods, but it does not provide guidance on the actual implementation of the abstract model it defines. At the same time, the XACML RBAC profile presents strong, concise guidance on how to describe a role model in XML, but it focuses on using RBAC in an access control decision, not on how to define interoperation or how to define an operational context for roles in general.

The goal of the Open Role Exchange initiative is to build on the work of these existing standards to create a new specification for role interoperability and exchange that defines the types of change control semantics needed when autonomous systems share a governance context around a common role model.