...comes around.

In Sep 2006 I sat on a panel at Digital ID World titled "Are NIST Based Roles the Right Answer?”. I blogged about the session and issues discussed here... I can even point to my 2001 book "The Definitive Guide to Identity Management" which details the same issues again.. Hard to find despite being an ebook, but you can search for it out there.

I am sure others could point to earlier discussions and this just keeps circling the drain.

I point this out because the same conversation is passing by again...

Oracle's Nishant Kaushik posts today attempting to raise controversy around the NIST RBAC standard. Dave Kearns comments... and then... who next?

Well... here's 2c

Fundamentally, the standard is just that and not much more - and the issue is how folks can manage whatever they decide to implement. The Government certainly like standards, so they use it as much as possible. However, the same issues remain...

• Even in the broad identity management implementation sphere, most have not even read the NIST RBAC standard and if they have, it didn't really help them do their implementation any better.
• Because no one (vendors or customers) implements RBAC completely per se, and roles are even less consistent across applications, it doesn’t help that much to have done much more than skim the standard – If at all
• The hierarchical approach pushed by the NIST RBAC model does not extend far enough to support the variety of needs of security, business and IT
• From any starting point, anyone choosing to use the standard or not will deviate from almost every other implementation.
• Folks cannot migrate from one Identity Management implementation to another without reworking their role model to suit whatever application they want to add into the mix - even using products from the same vendor...
• There are still some better standards/approaches to look at (today)
• The Healthcare Level 7 (HL7) model http://www.hl7.org/ regardless of whether you’re in healthcare or not, as it provides a good approach for defining roles.
• The Software Engineering Institutes Capability Maturity model at http://www.sei.cmu.edu/cmm/ is another more mature model on how to do enterprise role implementations.

What has changed over the last few years perhaps are several things:

• More people are interested in, and working on, tools to manage roles
• NIST is working on a new iteration of roles. As Kevin Kampan blogged after the Burton Group 2008 Catalyst Conference here.
• Tim Weil, Vice Chair of the INCITS CS 1.1 Role-Based Access Control (RBAC) Working Group discussed their effort. His group is developing a standard for the implementation and interoperability of RBAC components described in INCITS 359-2004.
• More projects have hit snags as a result of their initial obsession with roles and role definition.
• Microsoft took a "Claims Based Access Control" tack to try and approach the access control and contextual requirements but did not solve the overall role modeling issue - this is more like one of the approaches I described in my 2001 book "The Definitive Guide to Identity Management".

Anyway- thought I would throw a small note into the thread as its been a long (time based) thread indeed.