OASIS Mailing List Archives

provision message



Subject: Jeff Bohren and SPML get analyst mention.


Today's focus:  The answer to a provisioning MIB could be forthcoming 
from OASIS

 

By Dave Kearns

 

You'll remember, hopefully, that we've been talking about standardizing 
an audit log protocol, which was described as Simple Network Management 
Protocol for identity. It was also described as "SNMP for identity 
management" and "SNMP for identity access management." That led to a 
description of a "management information base-like" structure for 
provisioning tools.

 

Now Jeff Bohren of OpenNetwork Technologies has reminded me that 
Service Provisioning Markup Language, or SPML (the folks on its 
technical committee hate it when I pronounce it as SPAM-el) contains at 
least the germ of a provisioning MIB through its common schema.

 

Bohren knows it's the germ of a MIB because he proposed it to the XRPM 
Working Group for Extensible Resource Provisioning Management, and 
actually called it the "Provisioning MIB." This was back before the 
Provisioning Services Technical Committee of OASIS, the "owners" of 
SPML, even existed.

 

Originally, the XRPM (Extensible Resource Provisioning Management) 
group was an ad-hoc committee that created the XRPM 
specification, and later became the OASIS Provisioning Services 
Technical Committee.  (The ad-hoc group's former Web site, xprm.org, is 
now a porn site. Don't go there!)

 

According to Bohren, "The SPML 1.0 and 2.0 specs both support this 
concept of a 'Provisioning MIB' by another name - 'Provisioning Schema.' 
Further, an effort was started to create the equivalent of 'MIB-2' for 
provisioning, but was put on hold to focus on finalizing the SPML 2.0 
protocol. I expect that after 2.0 is sent for approval, that effort will 
start up again." SPML 1.0 was voted as an OASIS Standard in November 
2003, and SPML 2.0 is expected to be submitted for approval early next year.

 

Let's try to bring this back to where it started, though.

 

In this newsletter about a month ago, I mentioned: suppose software, 
applications and services had their own MIB for audit controls. Who 
better to know what and how to audit than the vendor that creates 
the service or application? Note also that this was in the context of 
regulatory compliance. We're talking about a standard protocol for 
monitoring audit logs automatically so that every application or service 
that needs to be - or might be - audited for compliance would have a 
standard interface for the auditing software to access. Provisioning can 
certainly be a part of that system since good provisioning apps can, for 
example, monitor and log changes to authentication and authorization 
criteria.

 

The "provisioning MIB" is very likely a good start, as is the initiative 
of Integrating the Healthcare Enterprise we looked at a couple of weeks 
ago ( <http://www.nwfusion.com/newsletters/dir/2004/1115id2.html> ).

The real question is where to go next.

 

Who should have jurisdiction for this project - OASIS, the IETF, The 
Open Group? Or should an ad-hoc committee try to bring it all together? 
I have my own idea, of course, but I want to hear yours. Drop me a note 
either just pointing to a group or explaining why a particular group 
would be best. As always, I'll share with everyone in a few weeks.

 



