Some additional thoughts on SaaS user provisioning…

by

As the term ‘provisioning’ tends to have different meanings depending on who you talk to, we wanted to follow-up on our post last week on SAML / SPML-based ‘just-in-time’ user provisioning to provide some quick additional thoughts…

Effective user provisioning requires much more than just ensuring users have an active account and access to a given service or SaaS application.  User authorizations and permissions within the service also need to be consistent with role-based access control (RBAC), least privilege and segregation-of-duties (SOD) concepts.  This requires that organizations ensure that permissions and authorizations are consistent across services, not just within each individual SaaS silo.   What makes provisioning challenging is that each SaaS service provider has their own unique role, profile and authorization model optimized around the particular problem set they address.   Virtually all SaaS user attribute and permission models are unique to the individual vendor, with some services providing the ability to configure over 50 different user attributes.  In our mind, proper user provisioning ensures that user accounts and all associated authorizations are consistent with corporate policy, which is a much deeper, more challenging problem that it first appears…

Advertisements

One Response to “Some additional thoughts on SaaS user provisioning…”

  1. alextoussaint Says:

    Be sure to check oAuth:

    http://oauth.net/

    Getting very popular with sites such as Twitter:

    http://apiwiki.twitter.com/OAuth-FAQ

    Way simple, and cool. 😉

    –alex

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: