Well it seems Mitch is talking about user-centric identity again. :-)

I'd like to say that users should be in control of their identity. And identity exchange systems that make it easier, better and more secure for users to interact with computer systems, both internal to their companies, and externally, are a good thing.

However I think Mitch is confusing issues. Mitch talks about a world where users, not IT Professionals, take control of their PCs. Sadly, there is not going to be a world where users get out from underneath IT Professionals (IT Professionals only really exist in the corporate/enterprise setting, so I'm going to ignore the SOHO segment here). To put it bluntly - users are provided with computers as a tool to do their job, not as something they can play with and use as an extension of their creativity. That's not to say users shouldn't be allowed to play MP3s or have their own favourite background wallpaper. But it does subject their use of computers to corporate policy, and it does restrict their access to resources (i.e. authorization to perform actions) to what the business dictates is necessary to perform their job. Identity belongs to the user, but resources (and hence authorization to use them) belong to the resource owner.

Now, in many larger enterprises, policies are stricter and less flexible than anyone really wants. However there are usually only "x" IT Professionals in the firm and "y" units of work, where "y" is very much larger than "x". As the IT Pros (not the users) are responsible for the availability, stability and security of the network, they sometimes have to implement policies that are stricter than desirable simply because they do not have the resources to devote to monitoring and troubleshooting issues. Ultimately, many financial institutions, government departments, legal/accounting firms, and even general corporations will face a raft of legal issues if sensitive information or access to systems is compromised. Ensuring that this doesn't happen is the responsibility of IT Professionals, not end users. End users are there to do marketing, accounting, HR, sales, or whatever job they were hired to do.

As I mentioned in an earlier post, user provisioning technology implementations can go a long way to mitigating issues that users face in getting timely access to the resources they need to be productive. Authorization decisions can be delegated to managers closer to the user, and IT departments can still have some comfort in knowing the current state of permissions on the network. But authorization is not identity, and identity systems will not solve authorization issues. (For a good article on identity, authentication and authorization, see Steve Riley's