RealTime IT News

OASIS Stamps Approval on Provisioning Standard

Electronic business standards group OASIS (Organization for the Advancement of Structured Information Standards) has approved the Service Provisioning Markup Language (SPML) version 1.0 as an official standard, paving the way to assign user accounts and access privileges to phone systems, e-mail accounts and enterprise applications via the Web between different companies.

The specification, unveiled by OASIS at a conference in July, means there is now a standard method of provisioning electronic assets with accounts and privileges to grant users access. It also provisions physical resources such as cell phones and credit cards in a broader attempt to encapsulate secure identity management.

Previously, there was no one way to do this in a uniform manner. With SPML, companies don't have to waste what could be millions of dollars on development work in order to get people provisioned or deprovisioned, said ZapThink Senior Analyst Ronald Schmelzer.

"What this means for companies is that as they purchase applications that require some sort of user access, they should make sure that they have a standard way of provisioning users on, and deprovisioning users from that application," Schmelzer told internetnews.com.

Though often done with servers in data centers, provisioning has become an increasingly popular method of helping companies move their business to the online realm, with Veritas, IBM and Sun Microsystems all making purchases in the realm in the last year. Analysts have said provisioning will greatly help companies automate their network infrastructures.

SPML is related to Security Assertion Markup Language (SAML), an OASIS standard geared to manage identities on the Web for services such as single sign-on. Together SPML and SAML may offer the basis for integrating single sign-on and provisioning software for Web services.

"As provisioning becomes a more widely available network service, the need for an open standard to support the integration of account and service management in identity infrastructures is clear," said Darran Rolls, chair of the OASIS Provisioning Services Technical Committee, which is currently working on a second version of SPML.

"By fostering interoperability across business units or with business partners, SPML frees companies to focus on the business rules for provisioning user accounts and not on the technology to wire everything together."

Those who want to turn to Web services still have hurdles to vault, said Schmelzer. In order for SPML to work well, a standard way of defining user identity and user policy must be established.

"SPML will most likely work within a broader framework for enterprise-wide security infrastructure such as those provided by other standardization initiatives, such as WS-Security and WS-Policy," he said. "WS-Security and WS-Policy are more concerned with specific user access to business logic, but there are clearly going to be cases when the two specifications will need to overlap. At the very least, any comprehensive security platform for Web Services will need to handle both of these sets of specifications -- provisioning of physical and virtual assets and the access to these applications."

Companies who worked to ensure the passage of SPML include Abridean, BEA Systems, BMC Software, Business Layers, Computer Associates, Entrust, Netegrity, OpenNetwork, Waveset, and other users and providers of identity management software.