Trends in Provisioning

05.07.2007 09:11 Martin Kuppinger
Next Generation Provisioning: Enterprise Entitlement?
Let the user decide on the scope of Provisioning!
What will be “the next big thing” of Identity Management? I think there will be two development steps both deserving to be described like this.

One of these steps is already in sight. It has been a central theme in connection with SPML (http://www.kuppingercole.de/articles/spml_20 and http://www.kuppingercole.de/articles/smpl_20). Using SPML as a standard makes it superfluous to develop a special connector for each target system. This is especially important for applications such as Client Lifecycle Management systems or proprietary ERP solutions, for which very specific adapters would otherwise need to be developed.

In a way, the second development is the contrary of the first. Looking at Provisioning today, we recognize two steps:

1. Users are merely set up in the target system.
2. Users are also assigned to groups or roles in the target system. In this context, many vendors are courageous enough to speak of “entitlement”.

The third logical step, however, is still missing:

3. There is control of what the group or role is authorized to do.

Today, a partitioning of the administration is consciously accepted. Basic settings are configured in the provisioning system, but they are implemented by other administrators in the various target systems. This may seem natural given the existing IT organization and the technical challenges of deeper entitlement control, but unfortunately it creates two problems:

  1. Only explicitly defined organizational rules can guarantee that, for example, compliance requirements are consistently met in the target systems as well. If the people responsible for the provisioning system coordinate properly with the administrators of the connected systems, this may work, apart from the fact that manual processes are always error-prone.
  2. This administrative split also creates problems for auditing. Even if it is known which accounts are provisioned where, it is not easy to reconstruct what exactly those accounts were authorized to do and what they have actually done. This is not only a provisioning task but also one of “next generation auditing”. In any case, the problem must be solved.

One method of solving it is to design connectors in such a way that they are able to control entitlements, for example in an Active Directory. This is a rather complex approach, and in some systems, such as SAP, it is not desired.

I do believe, though, that it is desirable to give users the flexibility to decide how far their provisioning should go. Doing so in a standardized way is undoubtedly a difficult job. It would be necessary to define the resources as objects so that the respective access authorizations can be described in a standardized way. Recently, I had discussions about this issue with some of the mentors of the IAM industry, among others with Jason Rouault of HP. Such a standardization should, in my opinion, be part of a definition of SPML v3.0. Moreover, it requires that auditing is standardized as well, so that at least consistent audit entries are received from the different systems, which can then be easily combined and correlated by new auditing solutions.
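As an added illustration (not code from the article or from any of the products mentioned), a minimal Python model of the three provisioning levels described above and a reconciliation check for the gap between level 2 and level 3: the provisioning system creates accounts and assigns roles, the target system's own administrators define what those roles may do, and an audit has to reconstruct the effective authorizations. Resource, role and user names are constructed.

```python
from dataclasses import dataclass, field

# Level 3 as the provisioning system intends it: each resource is an object and
# each role carries a standardized set of (resource, action) authorizations.
# Constructed sample data; role and resource names are hypothetical.
INTENDED_ROLE_ENTITLEMENTS = {
    "ap-clerk": {("invoice", "create"), ("invoice", "read")},
    "ap-approver": {("invoice", "read"), ("invoice", "approve")},
}

@dataclass
class TargetSystem:
    """A connected target system: level 1 accounts, level 2 role memberships,
    and the role definitions that its own administrators maintain."""
    name: str
    accounts: dict = field(default_factory=dict)           # user -> set of roles
    role_entitlements: dict = field(default_factory=dict)  # role -> set of (resource, action)

    def provision(self, user, roles):
        # Levels 1 and 2 only: create the account and assign roles. What the
        # roles may do is left to the target system's administrators.
        self.accounts[user] = set(roles)

    def effective(self, user):
        # Level 3 as it really is: the union of the target's own role definitions.
        roles = self.accounts.get(user, set())
        return set().union(*(self.role_entitlements.get(r, set()) for r in roles))

def reconcile(target, intended):
    """Compare what each account can actually do in the target with what the
    central role model intends, and return the drift per user for auditing."""
    findings = {}
    for user, roles in target.accounts.items():
        wanted = set().union(*(intended.get(r, set()) for r in roles))
        actual = target.effective(user)
        if actual != wanted:
            findings[user] = {"excess": sorted(actual - wanted),
                              "missing": sorted(wanted - actual)}
    return findings

def demo():
    erp = TargetSystem("erp-sandbox")   # hypothetical target system
    erp.role_entitlements = {r: set(e) for r, e in INTENDED_ROLE_ENTITLEMENTS.items()}
    erp.provision("alice", ["ap-clerk"])
    before = reconcile(erp, INTENDED_ROLE_ENTITLEMENTS)   # consistent: {}
    # A local administrator later widens the clerk role in the target system;
    # the provisioning system never sees this change, so only the audit-side
    # reconciliation reveals that a clerk can now also approve invoices.
    erp.role_entitlements["ap-clerk"].add(("invoice", "approve"))
    return before, reconcile(erp, INTENDED_ROLE_ENTITLEMENTS)
```

Running `demo()` returns an empty finding first and then flags `alice` with the excess `("invoice", "approve")` entitlement, which is exactly the kind of drift a split administration leaves invisible to the provisioning system.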

This brings us closer to the idea of Enterprise Entitlement as a central control mechanism reaching down to system level. This is a prominent milestone of “next generation provisioning”, in addition to the use of SPML 2.0 in cases where such deep-reaching control is not required. Another important element is the new role of workflows. But this will be discussed later.

This whole complex of questions and problems was discussed at the KCP European Identity Conference, May 7-10, 2007, in Munich (http://www.kuppingercole.de/events/eic2007).

© 2011 Kuppinger Cole