Security for Web services

There are three vital parts to the open standards underlying Web services security. There’s authentication, which uses Standard Generalized Markup Language (SGML) to exchange information about a particular user. There’s authorization, which grants access control via Extensible Access Control Markup Language (XACML). And, finally, there’s the administration layer now managed through the use of Service Provisioning Markup Language, or SPML.

SPML automates the creation of user accounts through a role-based access-control model. Using SPML, it’s possible to approve, modify and cancel accounts across the enterprise without having to configure access rules manually for each account. This means IT staff working on portals, on application servers and in service centers have a standard mechanism for creating a provisioning request that will work throughout the organization.

For example, if you went to your supply chain partner’s site to grab information stored in a back-office system, the vendor’s site would respond by issuing an SPML request to its identity management software package. That request would automatically acquire the appropriate permissions before granting you access to the data. This would happen without your having to know anything about your vendor’s back-office system.

As part of the tool kit to build such a Web service, SPML automates the process and acts as an XML-based provisioning service, making it straightforward – at least from the user’s point of view – to dynamically read entries from a directory.

Darran Rolls, director of technology at Waveset Technologies Inc. in Austin (and chairman of the Provisioning Services Technical Committee and co-chairman of the Security Standards Joint Committee at OASIS), says SPML should make it possible for companies to move beyond their tentative embrace of Web services.

“SPML is a critical piece of the security stack for Web services,” he says. “It’s useful to have an open-standards-based way to establish accounts.”

You can learn more about OASIS and SPML at, where SPML is available for free.

The odd thing about the release of the SPML standard from OASIS is that on the surface, it would have made more sense to develop SPML before SGML and XACML. In their haste to demonstrate the cohesive security of Web services, vendors ignored the management layer. In a sense, they were so excited to identify people and give them access to a Web service that they forgot the basics of account provisioning.

Although it’s great that SPML is almost here, if it had been here from the beginning, maybe Web services would be more real today instead of so much hype.