ORG Access Management: Technical Details

Transcript of a 27-page slide deck, uploaded by fsp-gmbh on 27 June 2015.

Page 1: ORG Access Management: Technical Details

30.10.2013

FSP GmbH | Product Presentation

Page 2: Agenda

• Company Overview
• Product Presentation
• Access Governance Suite
• Live Demo
• Discussion

30.10.2013 ORG Product Presentation 2

Page 3: Company Overview

• Founded in 2002
• Headquarters: Cologne
• Represented throughout Germany
• 40 employees

Page 4: Company Overview: Software & Consulting

Business Consulting
• Access Governance Concepts
• Process Optimization
• Project / Test Management

IT Consulting & Development
• Software Development
• IT Security
• IT Project / Test Management

Software

Page 5: Company Overview: Customers

Page 6: Agenda (section divider; the agenda items are listed on page 2)

Page 7: Access Management: Conventional Method

Trigger: employee events (new entry, fluctuation, departmental change).

Individual systems often use individual rights, each maintained by its own system administrators:

• SAP HR: SAP role
• RACF: group
• Individual applications: groups / individual rights
• P&C administration: individual rights
• Partner system: individual rights
• Notes/Outlook: group
• LDAP: e.g. group membership
• Databases: individual rights / role

Page 8: Solution: ORG: Central Administration of User Rights

Central, lean administration.

Subjects:
• Employee: new entry, fluctuation, departmental change
• External: known customer, prospect

Interfaces:
• SPML systems: Novell Identity Manager, IBM Tivoli Directory Integrator, openSPML
• Directory systems: Microsoft AD, IBM Tivoli Directory Server, openLDAP, Novell eDirectory, Sun ONE Directory Server, …
• Other systems: SAP R/3, RACF, INTERFLEX
• APIs: Java (SE & EE), Windows / Unix (C), z/OS (COBOL, PL/1, C)

User rights are based on:
• a roles/rights model
• attributes

Provisioning is automated.

Page 9: ORG Architecture: Basis for USPs

(architecture diagram)

Page 10: Model: Entities

Organizational structure:
• Client
• Organizational unit
• Location
• Position

User

Permissions:
• Competence scheme
• Competence

Role model:
• Role
• Role group
• Role conflict

Page 11: Model: Historicizing, Life Cycle

Over time, each object and each relation between objects passes through three statuses:
• future: created, but not yet valid
• current: valid now
• historicized: expired or deleted

All changes to an object or to a relation between objects are historicized, including the initiator and the time of the change.

No physical deletion: editing or deleting an entry moves it to status historicized; the database entry is not removed, it is only marked as "deleted".
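The life cycle above, as an added example in Python (not ORG's own code; ORG's storage format is not described on the slide). Objects and relations are kept as a chain of versions with a validity interval, initiator and timestamp; an edit closes the current version and appends a new one, a delete appends a logically deleted version, and nothing is physically removed. The `day()` helper, the key format and the sample user are constructed for the demo.

```python
"""Temporal store with historicizing: added illustration, not ORG's code.
Every object or relation is a chain of versions; edits and deletes append,
they never overwrite or physically delete."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def day(d: int) -> datetime:
    """Constructed helper for readable timestamps (October 2013, UTC)."""
    return datetime(2013, 10, d, tzinfo=timezone.utc)


@dataclass
class Version:
    key: str                      # object or relation id, e.g. "user:alice" or "user:alice->role:teller"
    data: dict                    # attribute snapshot of this version
    valid_from: datetime
    valid_to: Optional[datetime]  # None = still open
    initiator: str                # who created this version
    changed_at: datetime          # when this version was created
    deleted: bool = False         # logical deletion marker; the row stays


class HistoryStore:
    def __init__(self) -> None:
        self.versions = []  # append-only list of Version

    def _current(self, key: str, at: datetime) -> Optional[Version]:
        for v in self.versions:
            if (v.key == key and not v.deleted and v.valid_from <= at
                    and (v.valid_to is None or at < v.valid_to)):
                return v
        return None

    def create(self, key, data, initiator, at, valid_from=None) -> Version:
        """Create an object; a valid_from in the future yields status 'future'."""
        v = Version(key, dict(data), valid_from or at, None, initiator, at)
        self.versions.append(v)
        return v

    def edit(self, key, changes, initiator, at) -> Version:
        """Close the current version at 'at' and append the edited copy."""
        old = self._current(key, at)
        if old is None:
            raise KeyError(f"no current version of {key} at {at.isoformat()}")
        old.valid_to = at
        new = Version(key, {**old.data, **changes}, at, None, initiator, at)
        self.versions.append(new)
        return new

    def delete(self, key, initiator, at) -> Version:
        """Logical delete: close the current version and append a tombstone."""
        old = self._current(key, at)
        if old is None:
            raise KeyError(f"no current version of {key} at {at.isoformat()}")
        old.valid_to = at
        tomb = Version(key, dict(old.data), at, None, initiator, at, deleted=True)
        self.versions.append(tomb)
        return tomb

    def status(self, key, at) -> str:
        """future / current / historicized as on the slide; 'unknown' if never seen."""
        vs = [v for v in self.versions if v.key == key]
        if not vs:
            return "unknown"
        if self._current(key, at) is not None:
            return "current"
        if all(at < v.valid_from for v in vs):
            return "future"
        return "historicized"

    def lookup(self, key, at) -> Optional[dict]:
        """As-of query: the attributes that were valid at 'at'."""
        v = self._current(key, at)
        return None if v is None else dict(v.data)

    def history(self, key) -> list:
        """Full audit trail: (valid_from, valid_to, initiator, changed_at, deleted, data)."""
        return [(v.valid_from, v.valid_to, v.initiator, v.changed_at, v.deleted, dict(v.data))
                for v in self.versions if v.key == key]
```

The as-of `lookup()` is what makes the history audit-proof in practice: a reviewer can ask what a user's attributes or role assignments were on a given date, and `history()` shows who changed them and when.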

Page 12: SPML Web Service: Architecture

Interface to the approval workflow:
• ORG Approve
• Lotus Notes
• SharePoint
• etc.

Interface to higher-level systems:
• HR systems (e.g. SAP HR, …)
• IDM systems (e.g. IBM TIM, Novell IDM, …)
• etc.

Page 13: Approval Workflow (with ORG Approve)

• Self service
• Which permissions a user may request depends on the requester's own role (e.g. a normal employee is not permitted to request an executive's role)
• Four-eyes principle supported (approvals in parallel or in sequence)
• Conforms to MaRisk AT 7.2
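The request and approval rules of this slide, as an added example in Python (not ORG Approve's own code). It goes a little beyond the slide: besides the role-rank check and the four-eyes rule it also refuses requests that would create a role conflict, the "Role conflict" entity from the model on page 10. Role ranks, the conflict pairs, the users and the provisioning step are constructed assumptions.

```python
"""Self-service permission request with four-eyes approval: added
illustration, not ORG Approve's code. All sample data is constructed."""
from dataclasses import dataclass, field
from enum import Enum

# Constructed role model: the rank decides what a requester may ask for.
ROLE_RANK = {"employee": 1, "teller": 1, "auditor": 1, "team_lead": 2, "executive": 3}
# Constructed segregation-of-duties conflicts (the model's "Role conflict" entity).
ROLE_CONFLICTS = {frozenset({"teller", "auditor"})}
# Constructed users and the roles they currently hold.
USER_ROLES = {
    "alice": {"employee"},
    "bob": {"teller"},
    "carol": {"team_lead"},
    "dave": {"executive"},
}


class Mode(Enum):
    PARALLEL = "parallel"      # all approvers, in any order
    SEQUENTIAL = "sequential"  # approvers in the given order


@dataclass
class Request:
    requester: str
    role: str
    approvers: list          # distinct approvers; ordered when sequential
    mode: Mode
    approvals: list = field(default_factory=list)
    state: str = "open"      # open / approved / rejected


def validate_request(requester: str, role: str, approvers: list) -> list:
    """Return the reasons the request is not permitted (empty list = ok)."""
    if role not in ROLE_RANK:
        return [f"unknown role {role}"]
    reasons = []
    own = USER_ROLES.get(requester, set())
    own_rank = max((ROLE_RANK[r] for r in own), default=0)
    if ROLE_RANK[role] > own_rank:  # an employee may not request an executive's role
        reasons.append(f"{requester} (rank {own_rank}) may not request {role} (rank {ROLE_RANK[role]})")
    for held in own:
        if frozenset({held, role}) in ROLE_CONFLICTS:
            reasons.append(f"role conflict: {role} vs {held}")
    if len(set(approvers)) < 2:
        reasons.append("four-eyes principle needs two distinct approvers")
    if requester in approvers:
        reasons.append("requester must not approve own request")
    return reasons


def submit(requester: str, role: str, approvers: list, mode: Mode = Mode.PARALLEL) -> Request:
    reasons = validate_request(requester, role, approvers)
    if reasons:
        raise PermissionError("; ".join(reasons))
    return Request(requester, role, list(approvers), mode)


def approve(req: Request, approver: str) -> str:
    """Record one approval and return the new request state."""
    if req.state != "open":
        raise PermissionError(f"request is already {req.state}")
    if approver not in req.approvers or approver in req.approvals:
        raise PermissionError(f"{approver} is not a pending approver of this request")
    if req.mode is Mode.SEQUENTIAL and approver != req.approvers[len(req.approvals)]:
        raise PermissionError(f"{approver} is not next in the approval sequence")
    req.approvals.append(approver)
    if len(req.approvals) == len(req.approvers):      # every approver has signed off
        req.state = "approved"
        USER_ROLES.setdefault(req.requester, set()).add(req.role)  # provisioning (assumed)
    return req.state


def reject(req: Request, approver: str) -> str:
    if req.state != "open" or approver not in req.approvers:
        raise PermissionError("only a named approver can reject an open request")
    req.state = "rejected"
    return req.state
```

The two checks that matter for an audit are that the requester can never be one of the approvers and that a sequential chain cannot be short-circuited by the second approver acting first; both are enforced at `submit` and `approve` time rather than in the user interface.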

Page 14: Standard: RBAC

Page 15: Model: Standard Software

Modeling
• User and Role are always present.
• Position, Role group and Organizational unit are optional.

Typical use
• Storage systems with their own detailed permissions.
• E.g. the target system must be able to attach authorizations to roles or groups.

Examples
• LDAP directory (e.g. Active Directory)
• SAP
• RACF

Diagram: in ORG, Organizational unit, Position, Role group and Role are assigned to the User; in the external system the User holds a Role or group, which carries the individual rights.

Page 16: ORG Connector: Architecture

(architecture diagram)

Page 17: ORG Connector: Attribute Mapping

Attribute mappings are freely configurable.

The source of a mapped attribute in ORG can be:
• an attribute of the user
• the value of the user's competence in any competence scheme
• a composite value built by a formation rule
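The three source kinds, as an added example in Python (not the ORG Connector's own code; the product's mapping syntax is not shown on the slide). The sample users, their competences, the mapping specification and the use of `str.format` templates as the formation rule are all constructed assumptions. The point a connector author cares about is the failure mode: an attribute whose source is missing for a user is reported and left out, rather than provisioned to the target system as an empty or wrong value.

```python
"""Connector attribute mapping: added illustration, not the ORG Connector's
code. Sample data and the mapping syntax are constructed."""

# Constructed ORG-side data.
USER_ATTRS = {
    "u1001": {"givenName": "Alice", "sn": "Example", "mail": "alice@example.invalid",
              "ou": "Claims", "employeeNumber": "1001"},
    "u1002": {"givenName": "Bob", "sn": "Muster", "ou": "Sales"},   # has no mail attribute
}
USER_COMPETENCES = {
    "u1001": {"Employment": {"type": "internal"}, "PayoutContract": {"Life": 50000}},
    "u1002": {"Employment": {"type": "external"}},
}

# Mapping spec: target attribute -> source. Three source kinds, as on the slide:
#   attr       = attribute of the user
#   competence = (scheme, key) of the user's competence
#   rule       = formation rule: a str.format template over u (attributes) and c (competences)
# An optional "transform" post-processes the value.
MAPPING = {
    "mail":         {"attr": "mail"},
    "employeeType": {"competence": ("Employment", "type")},
    "cn":           {"rule": "{u[givenName]} {u[sn]}"},
    "uid":          {"rule": "{u[givenName]}.{u[sn]}", "transform": "lower"},
    "description":  {"rule": "Life payout limit: {c[PayoutContract][Life]}"},
    "ou":           {"attr": "ou", "transform": "upper"},
}

TRANSFORMS = {"lower": str.lower, "upper": str.upper}


def map_user(userid: str, mapping: dict = MAPPING) -> tuple:
    """Build the target-system attributes for one user.

    Returns (attributes, errors). errors maps each target attribute whose
    source is missing for this user to a message; that attribute is omitted."""
    u = USER_ATTRS.get(userid)
    if u is None:
        return {}, {"user": f"unknown user {userid}"}
    c = USER_COMPETENCES.get(userid, {})
    out, errors = {}, {}
    for target, spec in mapping.items():
        try:
            if "attr" in spec:
                value = u[spec["attr"]]
            elif "competence" in spec:
                scheme, key = spec["competence"]
                value = c[scheme][key]
            elif "rule" in spec:
                value = spec["rule"].format(u=u, c=c)   # KeyError if a placeholder is unavailable
            else:
                raise ValueError("mapping entry has no source")
        except (KeyError, ValueError) as exc:
            errors[target] = f"source not available: {exc}"
            continue
        transform = TRANSFORMS.get(spec.get("transform"), lambda v: v)
        out[target] = transform(str(value))
    return out, errors
```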

Page 18: USP: Fine Grained: Attribute Based, More Than Role Based

Page 19: Model: Homegrown Software

Modeling
• User and competence scheme are always present.
• Position, role group, role and organizational unit are optional.
• Competences can be defined for users, roles or positions.

Typical use
• In-house developments
• Systems that provide an exit (hook) for obtaining their authorizations from outside.

Diagram: Organizational unit, Position, Role group and Role are assigned to the User; Competences from a Competence scheme can be attached to the User, to a Role or to a Position.

Page 20: ORG APIs: Access to the Runtime DB

Page 21: Process Logic: Runtime DB Access

• The process logic is essentially the same for all APIs.
• It makes sense to bundle all functional authorizations of an application in one application-specific functional authorization capsule.

Example flow (application lifeORG, "verify the payout"):
1. The application calls the capsule: isPayoutPermitted(userid, value)
2. The capsule calls the ORG API: hasCompetence(userid, "PayoutContract", "Life", value)
3. The ORG API queries the runtime database
4. The result (yes or no) is returned to the capsule, and from the capsule to the application
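The call chain of this slide together with the competence model of page 19, as an added example in Python (not ORG's API, not the lifeORG application, and an in-memory dictionary instead of the runtime database). Constructed assumptions: competences are numeric limits keyed by (scheme, key); they can sit on the user, on a role or on the position; roles come directly, via role groups or via the position; when several grants apply the most generous one wins; and hasCompetence(userid, scheme, key, value) answers whether the user's limit covers value. The generic `has_competence` is the ORG API side; `LifeOrgAuthz` is the application's capsule, so the application never sees scheme names.

```python
"""Runtime authorization via a functional authorization capsule: added
illustration, not ORG's API or lifeORG. Model and sample data are constructed."""
from typing import Optional

# Constructed model. Competence values are numeric limits keyed by (scheme, key).
ROLES = {
    "claims_clerk":    {("PayoutContract", "Life"): 10000},
    "claims_approver": {("PayoutContract", "Life"): 100000, ("PayoutContract", "Health"): 20000},
}
ROLE_GROUPS = {"rg_claims_senior": ["claims_clerk", "claims_approver"]}
POSITIONS = {"p_claims_clerk": {"roles": ["claims_clerk"],
                                "competences": {("PayoutContract", "Life"): 5000}}}
USERS = {
    "alice": {"position": "p_claims_clerk", "roles": [], "role_groups": [], "competences": {}},
    "bob":   {"position": None, "roles": [], "role_groups": ["rg_claims_senior"], "competences": {}},
    "carol": {"position": None, "roles": [], "role_groups": [],
              "competences": {("PayoutContract", "Life"): 25000}},
    "dave":  {"position": None, "roles": ["claims_clerk"], "role_groups": [],
              "competences": {("PayoutContract", "Health"): 1000}},
    "erin":  {"position": None, "roles": [], "role_groups": [], "competences": {}},
}


def effective_roles(userid: str) -> set:
    """Roles held directly, via role groups, and via the user's position."""
    u = USERS[userid]
    roles = set(u["roles"])
    for rg in u["role_groups"]:
        roles.update(ROLE_GROUPS.get(rg, []))
    if u["position"]:
        roles.update(POSITIONS[u["position"]]["roles"])
    return roles


def effective_competence(userid: str, scheme: str, key: str) -> Optional[float]:
    """Highest limit granted to the user directly, through a role or through
    the position (assumption: the most generous grant wins); None if no grant."""
    if userid not in USERS:
        return None
    u = USERS[userid]
    grants = [u["competences"].get((scheme, key))]
    grants += [ROLES[r].get((scheme, key)) for r in effective_roles(userid) if r in ROLES]
    if u["position"]:
        grants.append(POSITIONS[u["position"]]["competences"].get((scheme, key)))
    grants = [g for g in grants if g is not None]
    return max(grants) if grants else None


# ---- ORG API side (generic, application independent) ----
def has_competence(userid: str, scheme: str, key: str, value: float) -> bool:
    """hasCompetence(userid, scheme, key, value) from the slide: does the user's
    competence in scheme/key cover 'value'? Unknown user, no grant or a
    malformed amount all deny."""
    if value < 0:
        return False
    limit = effective_competence(userid, scheme, key)
    return limit is not None and value <= limit


# ---- Functional authorization capsule of the application "lifeORG" ----
class LifeOrgAuthz:
    """All functional authorizations of lifeORG in one place: the application
    asks business questions, the capsule translates them into ORG API calls."""
    SCHEME = "PayoutContract"

    def is_payout_permitted(self, userid: str, value: float) -> bool:
        return has_competence(userid, self.SCHEME, "Life", value)

    def is_health_payout_permitted(self, userid: str, value: float) -> bool:
        return has_competence(userid, self.SCHEME, "Health", value)
```

Keeping every lifeORG decision behind the capsule means a change of scheme or key names, or a switch from the runtime database to a cached copy, touches one class and no business code.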

Page 22: Interfaces

SPML systems:
• Novell Identity Manager
• IBM Tivoli Directory Integrator
• openSPML

Directory systems:
• Microsoft Active Directory
• IBM Tivoli Directory Server
• openLDAP
• Novell eDirectory
• Sun ONE Directory Server
• ApacheDS
• RACF LDAP server
• other systems

Other connectors available for:
• SAP R/3
• RACF
• SharePoint
• INTERFLEX

APIs available for the following platforms:
• Java (SE & EE)
• Windows / Unix (C)
• z/OS (COBOL, PL/1, C)

Page 23: Summary

• Single point of administration and control
• Reduction of time, cost and complexity
• History management / audit-proof
• Supports RBAC / ABAC
• Proven integration into company-wide environments
• Integration of organizational structure information
• Distributed and delegated administration (configurable)
• Multi-client capable
• High performance and fail-safe
• Corporate design can be applied

Page 24: Agenda (section divider; the agenda items are listed on page 2)

Page 25: Access Governance Suite

Page 26: Agenda (section divider; the agenda items are listed on page 2)

Page 27: Live Demo

FSP GmbH
Consulting & IT Services

Albin-Köbis Straße 8

D-51147 Cologne

Tel.: +49 (0) 2203 / 371 000 – 0

www.fsp-org.com