Wednesday, May 13, 2009

"Entitled" to an opinion?

My good friend Ian Glazer, over at the Burton Group, had an interesting post today called Nailing Down the Definition of "Entitlement Management". Unfortunately, he missed.

Ian started out pointing to Ian Yip’s definition ("Entitlement management is simply fine-grained authorisation + XACML") and showing why it's wrong. And I do completely agree with Glazer on that.

But he goes on to say that the enterprises that Burton is talking to use the term differently. He says:

"The enterprises that we talked to use 'entitlement management' to mean:
· The gathering of entitlements from target systems (for example, collecting all the AD groups or TopSecret resource codes)
· Reviewing these entitlements to see if they are still valid
· Reviewing the assignment of these entitlements to individuals to see if the assignments are appropriate
· Removing and cleaning up excessive or outdated entitlements"

My first question to Ian, then, is this: if your clients (as many have in the past) referred to the enforcement of access controls/policies as "authorization" would you assume that definition for further discussion or try to get people to use the term properly?

"AD groups" are not, by any stretch of the definition, an entitlement. Nor should an "entitlement" be assigned to "an individual". Let's use entitlement at least in a way analogous to the real world - no one is "entitled" to something based on their name. All entitlement comes from their group or role. The same should be said of digital entitlements. So gather users' access rights, please. But then group those rights into an entitlement and grant them to a role and/or group.

Differentiate entitlement management from access management, also (else, why use both terms?). Individuals get access, roles/groups get entitlements. Access is granted to resources (hardware, applications, services, etc.) while entitlements specify what a particular role/group can do with or within that resource.
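To make the distinction concrete, here is an added example (not code from the original post or from Burton Group) of a minimal model that follows the rule just stated: raw rights gathered from target systems are grouped into named entitlements, entitlements are granted to roles, and individuals obtain access only through role membership. The model never stores a right against a user, so a review step can compare what target systems actually report for a user against what the roles justify and flag the excess for cleanup. All names, systems, resources and users (AD, TopSecret, "alice", "bob", the resource strings) are constructed sample data, not real identifiers.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Right:
    """One raw access right as gathered from a target system (constructed sample)."""
    system: str    # e.g. "AD" or "TopSecret" (hypothetical source systems)
    resource: str  # what the right applies to
    action: str    # what may be done with or within that resource


@dataclass(frozen=True)
class Entitlement:
    """A named bundle of rights: what a role may do within a resource."""
    name: str
    rights: frozenset[Right]


class EntitlementModel:
    """Users -> roles -> entitlements -> rights. Nothing is granted to a user directly."""

    def __init__(self) -> None:
        self.entitlements: dict[str, Entitlement] = {}
        self.role_entitlements: dict[str, set[str]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def define_entitlement(self, name: str, rights: set[Right]) -> None:
        self.entitlements[name] = Entitlement(name, frozenset(rights))

    def grant_to_role(self, role: str, entitlement: str) -> None:
        if entitlement not in self.entitlements:
            raise KeyError(f"unknown entitlement {entitlement!r}")
        self.role_entitlements.setdefault(role, set()).add(entitlement)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_entitlements:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def user_access(self, user: str) -> set[Right]:
        """Access is derived from roles at query time, never stored per user."""
        rights: set[Right] = set()
        for role in self.user_roles.get(user, ()):
            for ent in self.role_entitlements[role]:
                rights |= self.entitlements[ent].rights
        return rights

    def can(self, user: str, system: str, resource: str, action: str) -> bool:
        return Right(system, resource, action) in self.user_access(user)

    def review(self, gathered: dict[str, set[Right]]) -> dict[str, set[Right]]:
        """Compare rights gathered from target systems against what roles justify.

        Returns, per user, the rights that no role explains: the cleanup candidates.
        """
        excess: dict[str, set[Right]] = {}
        for user, observed in gathered.items():
            unexplained = observed - self.user_access(user)
            if unexplained:
                excess[user] = unexplained
        return excess


def build_sample_model() -> EntitlementModel:
    """Constructed sample: two finance entitlements granted to two roles."""
    m = EntitlementModel()
    m.define_entitlement("finance-ledger-editor", {
        Right("AD", "fileserver/finance", "read"),
        Right("AD", "fileserver/finance", "write"),
        Right("TopSecret", "GL.PAYROLL", "update"),
    })
    m.define_entitlement("finance-ledger-viewer", {
        Right("AD", "fileserver/finance", "read"),
        Right("TopSecret", "GL.PAYROLL", "read"),
    })
    m.grant_to_role("Accountant", "finance-ledger-editor")
    m.grant_to_role("Auditor", "finance-ledger-viewer")
    m.assign_role("alice", "Accountant")
    m.assign_role("bob", "Auditor")
    return m


# Constructed sample of what a gathering step pulled from the target systems.
# bob still holds an "update" right left over from an earlier job: review() should flag it.
GATHERED = {
    "alice": {
        Right("AD", "fileserver/finance", "read"),
        Right("AD", "fileserver/finance", "write"),
        Right("TopSecret", "GL.PAYROLL", "update"),
    },
    "bob": {
        Right("AD", "fileserver/finance", "read"),
        Right("TopSecret", "GL.PAYROLL", "read"),
        Right("TopSecret", "GL.PAYROLL", "update"),
    },
}


if __name__ == "__main__":
    model = build_sample_model()
    print("alice can write finance share:", model.can("alice", "AD", "fileserver/finance", "write"))
    print("bob can write finance share:", model.can("bob", "AD", "fileserver/finance", "write"))
    print("excess rights to clean up:", model.review(GATHERED))
```

The point of the structure is that `review()` needs no per-user exception list: anything a user holds on a target system that cannot be traced to a role's entitlement is, by construction, something to question. That is also why the model has no `assign_right_to_user` method at all; the only way to widen a person's access is to change which roles they hold or what an entitlement contains, and both of those changes are visible in one place.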

If we all try really hard, maybe we can all speak the same language! That said, we should always be aware of what Richard Feynman said: "You can know the name of a bird in all the languages of the world, but when you're finished, you'll know absolutely nothing whatever about the bird... So let's look at the bird and see what it's doing -- that's what counts. I learned very early the difference between knowing the name of something and knowing something."


© 2003-2006 The Virtual Quill, All Rights Reserved