OASIS Stamps Approval on Provisioning Standard

Electronics business standards group OASIS (Organization for the Advancement of Structured Information Standards) has approved the Service Provisioning Markup Language (SPML) version 1.0 as a official standard, paving the way to assign user accounts and access privileges to phone systems, e-mail accounts and enterprise applications via
the Web between different companies.

The specification, unveiled
by OASIS at conference in July, means there is now a standard method of provisioning electronic assets with accounts and privileges to grant users access. It also provisions physical resources such as cell phones and credit cards in a broader attempt to encapsulate secure identity management.

Previously, there was no one way to do this in a uniform manner. With SPML,
companies don’t have to waste what could be millions of dollars on development work in order to get people
provisioned or deprovisioned, said ZapThink Senior Analyst Ronald Schmelzer.

“What this means for companies is that as they purchase applications that
require some sort of user access, they should make sure that they have a
standard way of provisioning users on, and deprovisioning users from that application,” Schmelzer told internetnews.com.

Though often done with servers in data centers, provisioning has become an
increasingly popular method of helping companies move their business to the
online realm, with Veritas, IBM and Sun
Microsystems all making purchases in the realm in the
last year. Analysts have said provisioning will greatly help companies
automate their network infrastructures.

SPML is related to Security Assertion Markup Language (SAML), an OASIS
standard geared to manage identities on the Web for services such as single
sign-on. Together SPML and SAML may offer the basis for integrating single
sign-on and provisioning software for Web services.

“As provisioning becomes a more widely available network service, the need
for an open standard to support the integration of account and service
management in identity infrastructures is clear,” said Darran Rolls, chair
of the OASIS Provisioning Services Technical Committee, which is currently
working on a second version of SPML.

“By fostering interoperability across
business units or with business partners, SPML frees companies to focus on
the business rules for provisioning user accounts and not on the technology
to wire everything together.”

Those who want to turn to Web services still have hurdles to vault, said
Schmelzer. In order for SPML to work well, a standard way of defining user
identity and user policy must be established.

“SPML will most likely work within a broader framework for enterprise-wide
security infrastructure such as those provided by other standardization
initiatives, such as WS-Security and WS-Policy,” he said. “WS-Security and
WS-Policy are more concerned with specific user access to business logic,
but there are clearly going to
be cases when the two specifications will need to overlap. At the very
least, any comprehensive security platform for Web Services will need to
handle both of these sets of specifications — provisioning of physical and
virtual assets and the access to these applications.”

Companies who worked to ensure the passage of SPML include Abridean, BEA
Systems, BMC Software, Business Layers, Computer Associates, Entrust,
Netegrity, OpenNetwork, Waveset, and other users and providers of identity
management software.

News Around the Web