Identity Rights Management–Distributed Data and Identity Control for SOA

November 16, 2004

Building applications and automated IT processes that are more responsive to business change is a key goal of business process management (BPM) software and new IT technologies like Web services and service-oriented architectures (SOAs). They enable organizations to create modular components and services with new or existing application logic or data and then assemble those components/services in a way that addresses specific business needs.
As organizations create more flexible and dynamic service-oriented infrastructures built around business process services, the types of applications that can be developed and deployed efficiently will increase dramatically. In addition to the “standard” applications that organizations are using today, we believe that there will be new classes of more dynamic, collaborative applications that will result from these new services-based infrastructures. With these new applications will come new application infrastructure requirements, a good example of which is the idea of identity rights management.
While the issue of permissions-where someone (or something) can or can’t do something (or have access to something)-has been an important part of business applications and IT infrastructure strategy for years, it will become even more critical in these new, process-centric and services-oriented applications. Yet there is more to it than just providing the ability for certain people to access (or not access) certain data. Think of it as a step beyond traditional identity management. It’s service-oriented identity rights management and it can be used to control not only who has access to what application or data, but also what group of people have access to what applications or data and, more importantly, what applications (or application components) have access to what other applications and data.
In effect, identity rights management is the management of information and service rights between identities, where identities are responsible for defining the data and service ownership. In other words, the owners of the data (or applications) define the specific access parameters that are appropriate for their data (or applications), with permissions tied to granular data elements with explicit control parameters such as expiration data, access times, and distribution channels. Instead of having to hand-code access for individual applications, developers can use a ubiquitous access rights layer across all applications.
The idea of managing data exchange and application access through the concept of groups is particularly powerful when the groups have membership that spans multiple organizations, for instance, as you might find when individuals in different government agencies have common interests and shared objectives (like monitoring security issues) and need to share information across those traditional agency or corporate boundaries while still maintaining security. Identity rights management extends that idea to help manage not just individual identities, but the relationship of those identities to specific applications or data sources, across application, corporate, and geographic boundaries.
A good example of an identity rights management solution is Epok, Inc.’s TDX 4.0 platform, a web services framework for providing secure and controlled data exchange across networks (public or private). Epok is a founding member of OASIS (the standards organization) and also driving the adoption of the OASIS XRI standard. TDX 4.0 enables permissions-independent exchange and synchronization of information or services across different trust domains (for example, multiple companies or even countries, in the case of government applications) and is designed for applications that require complete (and granular) control of data that’s distributed over multiple trust boundaries. What’s important is that TDX is a horizontal platform for the data owners to assign and manage granular data access control. As a result, business users (or the data owners) can define and manage access to important data, rather than be limited by the application design or requiring application developers to do it through customized code.
Upside Uptake
Service oriented architectures are giving organizations more flexible, adaptable, and ultimately, more manageable ways to create business logic and applications that can be used to address changing business needs. A service oriented design for identity rights management-an intermediary service that controls and manages who has access to what data as well as one that provides virtual, real-time updating of reference data-enables a range of applications and services that would be difficult to create and manage using traditional approaches.
By providing a way to explicitly model the relationships of the data requestors (be they applications or individual users) to the actual data, an identity rights management system can enable more efficient and effective development of applications in areas where large numbers of casual, temporary, or dynamic relationships exist and need to be managed.
We believe that there will be a move towards infrastructure components and tools that help organizations rationally and efficiently define, manage, and monitor very fine-grained access to data and application components in a decentralized fashion. Enabling dynamic and granular access (for both internal and external needs) to data sources and applications will be an important part of many company’s IT strategies, and will complement BPM-enabled solutions.

Share

Comments on this entry are closed.

Previous post:

Next post: