Over on the Forrester blogs, I take a look at XACML, advocating that it needs to refactor heavily to meet mobile/cloud authorization policy needs. UMA as a potential enterprise “access management 2.0” solution makes an appearance as well. Quoting the post: “Would an XACML.next that concentrates on ‘growing the pie’ for declarative authorization policy be valuable? Would an integration of web and post-web access management help you achieve your goals?” If you have thoughts on this, check out the post and let me know…
Tag Archives: XACML
In the last year, I’ve done a lot of thinking about the permissioned data sharing theme that runs through everything online, and have developed requirements around making the “everyday identity” experience more responsive to what people want: rebalancing the power relationships in online interactions, making those interactions more convenient, and giving people more reason to trust those with whom they decide to share information.
Together with some very talented Sun colleagues (special shout-out to team members Paul Bryan, Marc Hadley, and Domenico Catalano), I started to get a picture of what a solution could look like. And then we started to wonder why it couldn’t apply to pretty much any act of selective data-sharing, no matter who — or what — the participants are.
So today I’m asking you to assess a proposal of ours, which tries to meet these goals in a way that is:
- identity system agnostic
We call the web protocol portion ProtectServe (yep, you got it). ProtectServe dictates interactions among four parties: a User/User Agent, an Authorization Manager (AM), a Service Provider (SP), and a Consumer. The protocol assumes there’s a Relationship Manager (RM) application sitting above, acting on behalf of the User — sometimes silently. At a minimum, it performs the job of authorization management.
We’re looking for your input in order to figure out if there are good ideas here and what should be done with them. (The proposal is entirely exploratory; my employer has no plans around it at the moment, though our work has been informed by OpenSSO — particularly its ongoing entitlement management enhancements.)
Read on for more, and please respond in this thread or drop me a note if you’re interested in following or contributing to this work. If there’s interest, we’re keen to join up with like-minded folks in a public forum.