Subject: Jeff Bohren and SPML get analyst mention.
Today's focus: The answer to a provisioning MIB could be forthcoming from OASIS

By Dave Kearns

You'll remember, hopefully, that we've been talking about standardizing an audit log protocol, which was described as Simple Network Management Protocol for identity. It was also described as "SNMP for identity management" and "SNMP for identity access management." That led to a description of a "management information base-like" structure for provisioning tools.

Now Jeff Bohren of OpenNetwork Technologies has reminded me that Service Provisioning Markup Language, or SPML (the folks on its technical committee hate it when I pronounce it as SPAM-el), contains at least the germ of a provisioning MIB through its common schema.

Bohren knows it's the germ of a MIB because he proposed it to the XRPM Working Group for Extensible Resource Provisioning Management, and actually called it the "Provisioning MIB." This was back before the Provisioning Services Technical Committee of OASIS, the "owners" of SPML, even existed. Originally, the XRPM (Extensible Resource Provisioning Management) group was an ad-hoc committee that created the XRPM specification, and later became the OASIS Provisioning Services Technical Committee. (The ad-hoc group's former Web site, xprm.org, is now a porn site. Don't go there!)

According to Bohren, "The SPML 1.0 and 2.0 specs both support this concept of a 'Provisioning MIB' by another name - 'Provisioning Schema.' Further, an effort was started to create the equivalent of 'MIB-2' for provisioning, but was put on hold to focus on finalizing the SPML 2.0 protocol. I expect that after 2.0 is sent for approval, that effort will start up again."

SPML 1.0 was voted as an OASIS Standard in November 2003, and SPML 2.0 is expected to be submitted for approval early next year.

Let's try to bring this back to where it started, though.
In this newsletter about a month ago, I mentioned that if software, applications and services had their own MIB for audit controls, who better to know what and how to audit than the vendor that creates the service or application? Note also that this was in the context of regulatory compliance. We're talking about a standard protocol for monitoring audit logs automatically so that every application or service that needs to be - or might be - audited for compliance would have a standard interface for the auditing software to access.

Provisioning can certainly be a part of that system since good provisioning apps can, for example, monitor and log changes to authentication and authorization criteria. The "provisioning MIB" is very likely a good start, as is the initiative of Integrating the Healthcare Enterprise we looked at a couple of weeks ago (<http://www.nwfusion.com/newsletters/dir/2004/1115id2.html>).

The real question is where to go next. Who should have jurisdiction for this project - OASIS, the IETF, The Open Group? Or should an ad-hoc committee try to bring it all together? I have my own idea, of course, but I want to hear yours. Drop me a note either just pointing to a group or explaining why a particular group would be best. As always, I'll share with everyone in a few weeks.