Authorisation Management

A question posed by Gerry Gebel at the Burton Group around the difficulties of implementing authorisation management solutions.

I’m not sure if the use of external authorisation solutions (the “Access Manager” products) is the most appropriate in all cases. Sure, for use in Web Access Management/Control, they play a good part for coarse-grained authorisation (and the adapters exist already), but implementing these to control access to enterprise-level COTS products can be a pain.

I think that an easier way of implementation is through the use of Provisioning solutions (the “Identity Manager” products) to assign users to access rights via Roles, Rules and the request-based model; but the whole area of Role Definition is a large undertaking and requires a lot of business and systems analysis.

What’s the answer? What’s the magic bullet? How can we get the 80/20 rule in place? A few people are thinking around this already; I have some thoughts but haven’t put them into words just yet …