Catalyst Conference 2008



April 09, 2007

Role Management by the Numbers

Whenever I get involved in a discussion of role engineering, I am invariably asked what the appropriate ratio of roles to users ought to be. This is a challenging question and, I believe, difficult to quantify. Some academics cite a ratio of about three percent of the population (1:33), and previous research we’ve conducted ranges from one and one-half percent of the population (1:59) for enterprise applications, to 1:8,000 for generalized roles, to 1:44,000 for customer-facing, e-business environments. These wide ranges make some sense, but they leave us with more questions than answers.

Burton Group’s perspective is to distinguish between business responsibilities and IT privileges or resources. We call these Business and IT Roles, reflecting what someone needs to do, and the tools needed to do it. It makes sense to have this point of abstraction when you consider that the people deciding what responsibilities are in play come from the business, while those providing the tools usually come from the information technology community. Questions that make the numbers difficult to discern from this perspective include:

  • Can a person act in more than one business role?
  • Can they access more than one set of IT roles?
  • Can business and IT roles be aggregated or disaggregated?
  • Are these roles consistent for all of the organization, or are they specific to a particular line of business?
  • Can we follow models established for our industry? Other industries?

Given the rapid growth of products designed to manage roles, we’ve stepped back from the problem and consider that the real question is not how many roles, but how many you can manage effectively. It’s fine to set boundaries to make sure that things aren’t out of control. For example, if you have more roles than users, you may or may not have a problem (we hear that this is OK in some educational environments). It is more than likely that 1-3 percent keeps the situation bounded, but there will always be exceptions.

Burton Group is conducting research in Q2-2007 to establish the feasibility and adoption trends of role management in organizations. We are conducting an enterprise survey of organizations having role management programs in development or implementation. If you’d like to get a sense for how you stack up to others, we invite you to participate. Send an email to kkampman@burtongroup.com for your copy of the survey instrument. Let’s decide if the numbers stack up.

[posted by Kevin Kampman]

April 04, 2007

Proposed WSFED Technical Committee: Divergence Point for Federation?

The March 20 announcement proposing a charter for a new OASIS Technical Committee for WS-Federation is rekindling a fire that has been smoldering for some time. Many a debate occurred at Catalyst and in other forums as to the merits of the WS-* long-term vision for web services security vs. SAML’s immediate focus on browser-based federation scenarios.  A common theme to these debates was a call for convergence of SAML, Liberty Alliance, and WS-Federation efforts. Meanwhile, vendors staked out positions regarding SAML, WS-Federation, and Liberty Alliance. Microsoft has held its ground in withholding support for the SAML protocol. IBM straddled the fence after initial reluctance to support Liberty ID-FF, ultimately supporting standards and specifications as demanded by customers. Most other vendors in the federation space hedged their bets by grudgingly supporting multiple protocols and specifications.

As Yogi Berra would say, “It’s déjà vu all over again.”

Nearly two years ago, Burton Group published a report titled “SAML 2.0: Convergence Point for Browser-Based Federation.” It contained the following statements: “Security Assertion Markup Language (SAML) 2.0 represents a watershed moment for federation standards because it combines the efforts and features of SAML 1.x, Liberty Alliance Identity Federation Framework (IDFF), and Shibboleth” and “OASIS may also attempt to foster more convergence for browser-based federation by working with the supporters of WS-Federation passive profile (WF-PP).” Obviously, this is not the case. Several have commented on the TC proposal, including Nokia, France Telecom, NTT, Sun, Oracle, and Neustar. In addition, Tim Bray posted a rip on his blog.

The WSFED charter gives lip service to working on convergence with SAML 2.0. Like other commenters, we find this less than convincing; the WSFED charter's invitation to other standards committees looks like a passive-aggressive maneuver. It puts the onus on SAML 2.0, which has already been standardized, to come to WSFED on their terms and make changes to an established standard to accommodate features of a specification which was not developed in an open forum and is not yet a standard.

In 2004, we wrote: “The industry is showing signs of concern over standards convergence, but having two standards for federation and SSO is better than having 20, or zero. It is likely the market will need more than a one-size-fits-all standard and one can hardly imagine any single standard fitting every scenario, regardless of its composability.” Well, it looks like convergence is going to resurface as an issue, particularly when there is so much overlap between SAML 2.0 and the proposed WS-Federation work.

If Microsoft, et al, were to merge the WS-Federation passive profile with SAML 1.x and then focus this TC on the active profile – that would clear up a lot of confusion and limit redundancy.

What happens next?
  • OASIS has scheduled a call to review the proposed charter on April 5th. OASIS members are permitted on the call.
  • Post your comments here or elsewhere to have your opinions heard.
  • Shameless Catalyst plug: attend the conference this year, where much of day 1 is dedicated to the identity interoperability discussion.

[posted by Gerry Gebel, after much discussion on an internal email thread]