This joint meeting with members of the Security Forum, Directory Interoperability
Forum, Messaging Forum, and Mobile Management Forum was held to review and develop a
draft Access Control business scenario, based on inputs gathered at the previous meeting
(Boston, July 2002).
Attendees
The meeting was attended by 24 members of the Security Forum, DIF, Messaging Forum and
MMF.
Discussion
The discussion time for this meeting was reduced because the preceding Identity
Management meeting involved the same members and comprised many high-value presentations
and discussion, and Ian Dobson advised Chris Harding that this Access Control meeting would
require significantly less time than had originally been allocated.
Ian explained that despite good intentions, he had been unable to generate an initial
draft of the proposed Access Control business scenario. There were two main reasons for
this.
One is that several important questions in the requirements-gathering workshop in
Boston were not answered, and we need those answers in order to construct a representative
view, particularly of the technical environment and the business and technical processes
involved. The key original questions awaiting answers are:
- How would you enhance the high level model?
- What relationships do you see between elements in the model?
- What are the technology actors and their roles?
  Web servers, directories, databases,
- What key processes are relevant:
  - To mission/business?
  - To consumer?
  - To provider?
The other main reason is that in creating this Access Control business scenario, it
became evident that there are major similarities to the business environment and apparent
technical environment of the Identity Management business scenario. So much seemed to be
in common that we need to ask:
- How should we relate our Access Control business scenario to the Identity Management
business scenario?
- What dependencies on identity management (authentication, authorization, etc.) should we
declare?
Feedback from the members present was that this degree of commonality between Identity
Management and Access Control should not be the case. Skip Slone drew a diagram showing
how he would expect the business environment to have Identity Management on one side, with
authentication providing credentials to an authorization mechanism that provided access
control for a Permissions Management function on the other side. Eliot suggested an
enhanced view that involves a Privilege Service in each domain where you wish to access
Protected Resources, access control to the Protected Resource being decided by the
applicable Policy defined for that Resource.
In further discussion, it was agreed that we should revisit the business requirements in
the Identity Management business scenario, to validate them as real business requirements
and not technical ones, and to compare them with those for the Access Control business
scenario. Also, members confirmed that they would expect both to relate at the business
requirements level such that Identity Management passes authorizations to a Permissions
Management function, a part of which is Access Control.
It was also suggested that the Executive on the Move business scenario has some
contribution to make here, so we should include that in our review.
There was agreement that we want to continue with development of an Access Control business
scenario, and that we should expect the real business requirements that emerge to be
concerned with Permissions Management, this being complementary to those brought out by
the Identity Management business scenario, and linked by authentication and authorization
mechanisms. Two non-contradictory business environment models were suggested.
The interactive Web page at www.opengroup.org/projects/idm/
includes access to the Identity Management business scenario.
The interactive Web page at www.opengroup.org/projects/access/
includes access to the work on Access Control.
The interactive Web page at www.opengroup.org/mobile/
includes access to the Executive on the Move business scenario, to members only (Log in
required, then look in the Documents section).