Monday, July 17, 2006


Thoughts on Entitlements and XACML

At work, in the next couple of weeks, we will be conducting a vendor bakeoff between several different entitlement engine providers. I wanted to gain insight from folks in the blogosphere as to what would make for interesting scenarios...

In my travels, the folks over at Citigroup seem to have the most mature thinking in this space, having built their own entitlements engine in-house several years ago when no products existed. I know that folks from Bank of America and Wachovia have also travelled down this path, but I haven't run across many others in the Fortune 500 space that have embraced the notion of entitlements engines.

For those who are not familiar with this problem space, consider the following. In the early 90's, enterprises realized that they shouldn't embed basic identity within each enterprise application and moved towards the notion of a corporate directory based on the LDAP protocol. When the web became popular, enterprises realized that externalizing authentication away from enterprise applications gave them the potential for single sign-on, which created products such as Yale CAS, Netegrity SiteMinder, Oracle CoreID and so on.

The notion of externalizing entitlements (fine-grained authorization) away from enterprise applications is now at the forefront, as it gives an enterprise a single location in which to determine, for auditing and control purposes, who has access to what at a fine grain of detail. The push for a consistent way to express policies about who can access what is moving towards widespread adoption of XACML, an OASIS specification.
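To make the "single location that decides who can access what" concrete, here is an added illustration (not code from the original post or from any vendor's product): a tiny XACML 2.0-style policy decision point that parses a constructed policy and combines its rules with deny-overrides. The policy, the attribute ids (`role`, `action-id`, `book`) and the request values are all constructed for the example; it supports only `string-equal` matches with one Subject/Resource/Action per Rule Target and assumes an empty policy-level Target.

```python
"""Added illustration: a tiny XACML 2.0-style policy decision point (PDP). It matches
each Rule's Target against request attributes (string-equal only, one Subject/Resource/
Action per Target) and combines Rules with deny-overrides. Not a full XACML engine."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed sample policy: traders may read positions, but nobody may touch
# the "restricted" book; deny-overrides makes the Deny rule win when both apply.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="positions-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="traders-read-positions" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">trader</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role" DataType="{STRING}"/>
    </SubjectMatch></Subject></Subjects>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="action-id" DataType="{STRING}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="restricted-book-locked" Effect="Deny"><Target>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">restricted</AttributeValue>
      <ResourceAttributeDesignator AttributeId="book" DataType="{STRING}"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
</Policy>"""

def rule_applies(rule, request):
    """Every *Match in the Rule's Target must hold; a missing attribute never matches."""
    for match in rule.iter():
        if not match.tag.endswith("Match"):
            continue
        if match.get("MatchId") != STRING_EQUAL:
            raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
        value = match.find(f"{{{XACML}}}AttributeValue").text
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        if request.get(designator.get("AttributeId")) != value:
            return False
    return True

def decide(policy_xml, request):
    """Deny-overrides: any applicable Deny wins, then Permit, else NotApplicable."""
    rules = ET.fromstring(policy_xml).findall(f"{{{XACML}}}Rule")
    effects = {r.get("Effect") for r in rules if rule_applies(r, request)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
```

A trader reading the `equities` book gets `Permit`, the same trader reading the `restricted` book gets `Deny` because the Deny rule overrides, and a request no rule covers (an auditor, or a `write` action) gets `NotApplicable`, which a well-behaved enforcement point should treat as a denial.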

Anyway, if there is anyone in the blogosphere who can provide insight into any of the thoughts below, please do not hesitate to trackback:
