At its March meeting, the Object Management Group (OMG) issued a Request for Information (RFI) for Business Security and Authorization Policy Modeling (http://www.omg.org/cgi-bin/doc?bmi/2008-02-09). Security, and particularly authorization management, has become increasingly complex. With Service Oriented Architecture (SOA), the number of access points to applications is expanding, access to shared services crosses organizational boundaries, and the community of potential users is also expanding as companies work to optimize performance and control. In addition, government regulations are making managers personally responsible for accountability and control.
Current security mechanisms tend to be in the hands of security gurus. Policies, rules and authorizations are expressed in technical languages such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language). As a practical matter, it is nearly impossible for managers to specify these controls, let alone understand and validate them.
The goal of the RFI from OMG is to gather an industry perspective on the needs of users and the products or techniques that are currently available. These insights will potentially be used to develop an RFP (Request for Proposals) for development of standard modeling specifications. Standards will enable models to be specified independent of the multiplicity of security implementation products, and will enable models to be exchanged between modeling tools.
For example, Role Based Access Control (RBAC) has gained considerable attention. It allows the separation of resource access specifications from the identification of persons authorized for access. Managers of resources can specify the authorizations associated with roles. Managers of people can specify the people who perform in those roles. Current products implement such techniques, but the specifications require technical specialists. A modeling environment might express these specifications in a form more meaningful to managers, and it might provide analytical reports for review and to identify inconsistencies.
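To make the separation concrete, here is an added example (not from the OMG RFI or any OMG specification): resource managers maintain a role-to-authorization table, people managers maintain a person-to-role table, and an analytical report checks the two against each other. The sample data and the separation-of-duty rule are constructed for illustration.

```python
# Added example: minimal RBAC model with two independently maintained
# specifications and a consistency report a modeling tool might produce.
from typing import Dict, List, Set, Tuple

# Resource managers: role -> set of (resource, action) authorizations (constructed).
ROLE_AUTHORIZATIONS: Dict[str, Set[Tuple[str, str]]] = {
    "accounts_payable": {("invoice", "create"), ("invoice", "read")},
    "payment_approver": {("invoice", "read"), ("payment", "approve")},
    "auditor": {("invoice", "read"), ("payment", "read")},
    "legacy_role": set(),  # defined, but grants nothing
}

# People managers: person -> set of roles the person performs (constructed).
PERSON_ROLES: Dict[str, Set[str]] = {
    "alice": {"accounts_payable"},
    "bob": {"accounts_payable", "payment_approver"},
    "carol": {"auditor"},
    "dave": {"contractor"},  # role never defined by the resource managers
    "erin": set(),           # person assigned no role at all
}

# Role pairs one person must not hold together (an assumed policy rule).
MUTUALLY_EXCLUSIVE_ROLES = [("accounts_payable", "payment_approver")]


def effective_permissions(person: str) -> Set[Tuple[str, str]]:
    """Union of the authorizations of every defined role the person holds."""
    roles = PERSON_ROLES.get(person, set())
    return set().union(*(ROLE_AUTHORIZATIONS.get(r, set()) for r in roles))


def consistency_report() -> List[str]:
    """Findings a manager could review without reading XACML or SAML."""
    findings: List[str] = []
    defined_roles = set(ROLE_AUTHORIZATIONS)
    assigned_roles = set().union(*PERSON_ROLES.values())
    for role in sorted(assigned_roles - defined_roles):
        findings.append(f"undefined role assigned: {role}")
    for role in sorted(defined_roles - assigned_roles):
        findings.append(f"role with no members: {role}")
    for role, perms in sorted(ROLE_AUTHORIZATIONS.items()):
        if not perms:
            findings.append(f"role grants nothing: {role}")
    for person, roles in sorted(PERSON_ROLES.items()):
        if not roles:
            findings.append(f"person with no role: {person}")
        for a, b in MUTUALLY_EXCLUSIVE_ROLES:
            if {a, b} <= roles:
                findings.append(f"separation-of-duty conflict: {person} holds {a} and {b}")
    return findings
```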
The scope of the RFI is broader than RBAC in order to address other aspects of security that might be enhanced with modeling. Responses to the RFI are not restricted to OMG members.