SPML

As any general knows, an effective system for distributing and managing appropriate provisions for the troops is essential to success on the battlefield. The same is true of companies trying to win wars in the marketplace. But instead of bombs, bullets and MRE rations, a corporation must provision access to items like cell phones and credit cards and, perhaps more important, to digital assets, such as networks and applications.

More

Computerworld
QuickStudies
The provisioning process has always been a security and administrative nightmare for IT and human resources departments. In the past, it generated tons of paper, ate up administrators' time and caused plenty of errors that resulted in decreased productivity, security vulnerabilities and lost physical assets.

A Piece of the Puzzle

The advent of provisioning software within identity management systems has improved the situation. With automation, companies have a better chance of keeping up with the growing number and variety of systems, applications and devices within their organizations. Automation can also help contain the costs of managing user IDs and permissions.

But self-enclosed, proprietary provisioning systems can solve only a piece of the problem. As companies increasingly consolidate their systems and open them up to customers and partners over the Internet, the need for a standard that will allow centralized provisioning within and across organizations is clear to users and vendors.

This summer, a technical working group of the Organization for the Advancement of Structured Information Standards (OASIS) publically unveiled the Services Provisioning Markup Language to meet that need. SPML 1.0 is built on OASIS's Directory Services Markup Language V.2, which is an XML representation of the Lightweight Directory Access Protocol. If it's ratified as expected next month, SPML will join a family of standards designed to ease the implementation of Web services, including XACML, SAML, UDDI, WSDL and SOAP.

The goal of ratifying the specification is to establish interoperability among provisioning systems that will allow organizations to securely create end-user accounts for Web services and applications from a single point in an organization.

In July, at Burton Group's Catalyst Conference in San Francisco, 10 vendors that had been working to create SPML under the aegis of OASIS demonstrated that they could use one SPML request message to simultaneously create user accounts in all of their provisioning systems.

In San Francisco, all the vendors were set up in one hotel meeting room, but the idea is that SPML-enabled provisioning systems will work across geographic and corporate boundaries.

In a typical scenario, when a company hires a new employee, the HR system generates an SPML request to the company's provisioning system that creates all the access accounts the employee needs within the company. The provisioning system then automatically generates another SPML request to the provisioning systems of customer companies that give the employee access to the applications and data he needs to do his job.

Deprovisioning can be accomplished by HR by generating an SPML message request closing the employee's access accounts upon his leaving the company. The automated chain of SPML messages will then wipe out the employee's access to customer systems as well, eliminating the scourge of orphaned accounts. Used with SAML, the XML-based protocol for exchanging user authentication and authorization information, SPML may eventually be at the heart of a true single-sign-on system.

Although OASIS is just finalizing its approval of SPML, the standard has already drawn fire from critics who say that it doesn't do enough. For example, it doesn't enable functions such as moving or suspending accounts.

Chief among the naysayers have been IBM and Microsoft Corp., which have contended that SPML isn't powerful or flexible enough to work in conjunction with the group of standards the big vendors are developing, called WS-*, which includes WS-Security and WS-Federation.

SPML 1.0 is likely to emerge as a provisional standard as OASIS, IBM and Microsoft work toward compromise.

SPML Scenario The HR department of a supplier company adds a new employee to its personnel system, which generates an SPML document. The document is passed to the supplier's provisioning system, triggering the creation of appropriate internal accounts for the employee. The internal provisioning system forwards an SPML request to the company's customer provisioning system to create appropriate accounts there.

See additional Computerworld QuickStudies