Policy-based provisioning is a business process with a set of supporting technologies. It classifies users based on their position in an organization and on supporting attributes that describe them. It defines roles as collections of predefined kinds of access to information systems and other I.T. infrastructure. Policies are designed to automatically attach users to roles based on their dynamic classification.
This document illustrates why policy-based provisioning, though appealing in theory, is impractical to implement in enterprise-sized organizations. It then describes alternative solutions that can be successfully deployed in such organizations.
The remainder of this document is organized as follows:
A description of the basic process and technology of policy-based provisioning.
Practical considerations that limit the scalability and deployability of policy-based provisioning processes and tools.
Scenarios where policy-based provisioning can be made to work.
How the difficulty of deploying a policy-based provisioning solution impacts the ability to implement role-based access control in a heterogeneous environment.
How simpler provisioning technologies deliver more useful results (i.e., are scalable and deployable) by solving a more tractable problem.
A summary of this paper.