Demystifying Application-Centric IdM

I recently had a rather interesting hallway conversation about the new approach to IdM that we are advocating. This was with a senior J2EE architect I work with whose opinion I greatly value. Paraphrasing the question that started the discussion, what he asked was this:

Why do I, as an application architect, care about this? I don’t think that developers are creating their own authentication and authorization modules because the J2EE architecture already addresses those needs. Application developers simply need to define the roles required and map them to a central identity repository. If I can do that, I have solved my authentication and basic authorization decisions.

The key to understanding this is to look at that last sentence and the use of the word “basic”. As we are seeing more and more, the nature of IdM is becoming increasingly complex, and at the center of it all is the notion of context. Code-based paradigms of authorization and control, where the role checks are wired into the application and the only question asked is whether a user holds a role, are no longer enough. The move is definitely towards a data-based approach, where notions of authority (what a user is allowed to sign off on), relationships (who they report to or act on behalf of) and activity (what they have already done) come into play.
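As an added example of that contrast (this is not code from the original post or from Oracle's IdM products; the class names, the IdentityContext interface and the sample users are assumptions made for illustration), the Java below answers the same question, "may this user approve this expense report?", first with a pure role check and then with a policy that also weighs authority, relationships and prior activity:

```java
import java.util.Set;

// Added illustration, not code from the original post or from Oracle's products.
// Every type and name here is an assumption made for the example.
public class ApprovalPolicy {

    // What a central identity repository might hold about a user.
    record User(String id, Set<String> roles, int approvalLimit) {}

    // The business object the decision is about.
    record ExpenseReport(String id, String submitterId, int amount) {}

    // Context the application should obtain from the IdM environment rather
    // than re-implement: reporting relationships and earlier activity.
    interface IdentityContext {
        boolean reportsTo(String employeeId, String managerId);
        boolean hasActedOn(String userId, String reportId);
    }

    record Decision(boolean permitted, String reason) {
        static Decision permit() { return new Decision(true, "permitted"); }
        static Decision deny(String reason) { return new Decision(false, reason); }
    }

    // Code-based: the only question a role mapping can answer. Equivalent to
    // request.isUserInRole("approver") in a J2EE web tier.
    static boolean roleBasedCanApprove(User approver) {
        return approver.roles().contains("approver");
    }

    // Data-based: the role is necessary but not sufficient. Authority is the
    // approval limit, relationship is the reporting line, activity is what the
    // user already did on this report (the segregation-of-duties rule).
    static Decision contextualCanApprove(User approver, ExpenseReport report, IdentityContext ctx) {
        if (!approver.roles().contains("approver")) {
            return Decision.deny("not an approver");
        }
        if (approver.id().equals(report.submitterId())) {
            return Decision.deny("SoD: cannot approve own report");
        }
        if (ctx.hasActedOn(approver.id(), report.id())) {
            return Decision.deny("SoD: already acted on this report");
        }
        if (!ctx.reportsTo(report.submitterId(), approver.id())) {
            return Decision.deny("submitter is outside approver's reporting line");
        }
        if (report.amount() > approver.approvalLimit()) {
            return Decision.deny("amount exceeds approval authority");
        }
        return Decision.permit();
    }

    public static void main(String[] args) {
        // Constructed sample data: bob submitted the report and also holds the
        // approver role; alice is bob's manager.
        User alice = new User("alice", Set.of("approver"), 5_000);
        User bob   = new User("bob",   Set.of("employee", "approver"), 1_000);
        ExpenseReport bobsTrip = new ExpenseReport("ER-1", "bob", 2_500);

        IdentityContext ctx = new IdentityContext() {
            public boolean reportsTo(String employeeId, String managerId) {
                return employeeId.equals("bob") && managerId.equals("alice");
            }
            public boolean hasActedOn(String userId, String reportId) {
                return userId.equals("bob") && reportId.equals("ER-1");
            }
        };

        // The role check alone lets both of them approve.
        System.out.println("role-only, bob:    " + roleBasedCanApprove(bob));
        System.out.println("role-only, alice:  " + roleBasedCanApprove(alice));
        // The contextual policy tells them apart.
        System.out.println("contextual, bob:   " + contextualCanApprove(bob, bobsTrip, ctx));
        System.out.println("contextual, alice: " + contextualCanApprove(alice, bobsTrip, ctx));
    }
}
```

The point of the example is where the inputs come from: the role check needs nothing beyond the deployment descriptor's role mapping, while the contextual decision depends on the org chart, on approval limits and on the audit trail of who already touched the report. Those are exactly the things an application should be asking the central identity environment for rather than modelling itself.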

Also, application-centricity (did I just pull a Colbert?) is about the other aspects of IdM that have been ignored so far. Role providers, fine-grained authorization services, virtualized identities and provisioning interactions are also concerns in development that need to fit into the mental model. When an application developer creates a self-registration module in their application, they are spending time and effort building functionality that they shouldn’t be responsible for. How does that self-registration module hook into the enterprise identity environment? How does it interact with the security and compliance policies that need to be centrally managed but enforced in a delegated manner? How does it hook into approval workflows and segregation-of-duties (SoD) engines? These are just some of the concerns that the application development process shouldn’t need to worry about, beyond knowing how to hook into the services that the central IdM infrastructure provides. This is at the heart of the application-centric approach.

It is clear to me that we still have a lot of work to do to get the message out. Application-centric IdM is something we firmly believe in as being the way of the future. But like all visions of the future, it is blurry and begs a good discussion. Hopefully that is something we can continue to have as we figure this out together.

Oracle marketing is holding a webinar on Tuesday about Application-Centric IdM where we will be talking about this in a lot more detail. I am part of the panel that includes folks from both the IdM and Applications side of the house. If you would like to join in and give us a good grilling, register here. It should be an interesting conversation.