org access management: technical details
30.10.2013
FSP GmbH | Product Presentation
Agenda
• Company Overview
• Product Presentation
• Access Governance Suite
• Live Demo
• Discussion
Company Overview
• Founded in 2002
• Headquarters: Cologne
• Represented throughout Germany
• 40 employees
Company Overview: Software & Consulting
Business Consulting
• Access Governance Concepts
• Process Optimization
• Project- / Test Management
IT Consulting & Development
• Software Development
• IT Security
• IT-Project- / Test Management
Software
Company Overview: Customers
Access Management: Conventional method
Employee: New Entry, Fluctuation, Departmental Change
Individual Systems often use Individual Rights
Several System-Administrators
• SAP HR: SAP-Role
• RACF: Group
• Indiv. Applications: Groups / Individual Rights
• P&C Administration: Individual Rights
• Partner System: Individual Rights
• Notes/Outlook: Group
• LDAP: e.g. Group Membership
• Databases: Indiv. / Role
Solution: ORG
Central administration of user rights
Central, lean Administration
Employee
New Entry
Fluctuation
Departmental Change
External
Known customer
Prospect
…
Interfaces:
SPML-Systems:
- Novell Identity Manager
- IBM Tivoli Directory Integrator
- openSPML
Directory Systems
- Microsoft AD
- IBM Tivoli Directory Server
- openLDAP
- Novell eDirectory
- SUN one Directory Server
- …
Other systems
- SAP R3
- RACF
- INTERFLEX
APIs
- Java (SE & EE)
- Windows / Unix (C)
- z/OS (Cobol, PL/1, C)
User Rights based on:
- Roles/Rights model
- Attributes
Automated provisioning
ORG Architecture: Basis for USPs
Model: Entities
Position
Client
User
Location
Permissions
Competence scheme
Competence
Role model
Role
Role group
Role conflict
Organizational Unit
Organizational Structure
Model: Historicizing, life cycle
• Historicizing of all changes of an object or a relation between objects, including the initiator and the time
• No physical deletion: the database entry is marked as "deleted"
[Diagram: object life cycle over time. Labels: Create; Status: future; Status: current; Edit or delete; Expired or deleted; Status: historicized]
SPML Webservice: Architecture
Interface to approval workflow:
• ORG Approve
• Lotus Notes
• SharePoint
• etc.
Interface to higher-level systems:
• HR-Systems (e.g. SAP HR, …)
• IDM-Systems (e.g. IBM TIM, Novell IDM, …)
• etc.
Approval Workflow (with ORG Approve)
• Self Service
• Which permissions can be requested depends on the owner's role (e.g. a normal employee is not permitted to request an executive's role)
• 4-eyes principle supported (parallel and sequential)
• MaRisk AT 7.2 compliant
Standard: RBAC
Model: Standard software
Modeling
• User and Role are always available.
• Position, Role group and Organization Unit are optional.
Typical use
• Storage systems with their own detailed permissions.
• E.g. the system has to enable roles or groups to carry authorizations.
Examples
• LDAP-Directory (e.g. Active Directory)
• SAP
• RACF
[Diagram labels: Indiv. rights; Organization unit; User; Role or group; External system; User; Position; Role group; Role]
ORG Connector: Architecture
ORG Connector: Attribute mapping
Attribute mappings are freely configurable.
Source in ORG can be:
• Attribute of the user
• Values of a user's competence in an arbitrary Competence Scheme
• Composite values via formation rule
USP: Fine Grained
Attribute based, more than role based
Model: Homegrown software
Modeling
• Users and competency scheme are always available.
• Position, role group, role and OU are optional.
• Competencies can be defined for users, roles or positions.
Typical use
• In-house developments
• Systems in which an exit is provided for the procurement of allowances.
[Diagram labels: Organization unit; Competence scheme; User; Position; Role group; Role; Competence]
ORG APIs: Access to runtime db
Process logic: Runtime DB access
• The process logic is basically the same for all APIs.
• It makes sense to combine all functional authorizations of an application into one specific Functional Authorization capsule.
[Diagram: call flow for "Verify the payout"]
Application (life) → isPayoutPermitted(userid,value) → Functional Authorization capsule
Functional Authorization capsule → hasCompetence(userid,"PayoutContract","Life",value) → ORG API
ORG API → Database consultation
Each call returns: Result (Yes or No)
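The capsule pattern from this slide, sketched in C (one of the platforms the deck lists for the APIs) as an added example; it is not FSP's code or the real ORG API. The in-memory tables, the parameter name `qualifier`, the sample users and the rule that a grant permits any value up to its limit are assumptions; only grants in status current count, following the life-cycle slide, and grants may sit on a user, role or position.

```c
#include <stdio.h>
#include <string.h>

enum status { FUTURE, CURRENT, HISTORICIZED };  /* life-cycle states */
enum holder { USER, ROLE, POSITION };           /* who carries a competence */
struct user  { const char *id, *role, *position; };
struct grant { enum holder kind; const char *holder, *competence, *qualifier;
               long limit; enum status status; };

/* Constructed sample rows standing in for the runtime DB (assumed layout). */
static const struct user USERS[] = {
    { "clerk01", "Clerk", "LifeClaims" }, { "lead02", "TeamLead", "LifeClaims" } };
static const struct grant GRANTS[] = {
    { ROLE, "Clerk",    "PayoutContract", "Life",  10000, CURRENT },
    { ROLE, "TeamLead", "PayoutContract", "Life", 250000, CURRENT },
    { USER, "clerk01",  "PayoutContract", "Life",  50000, FUTURE },
    { USER, "lead02",   "PayoutContract", "Life", 900000, HISTORICIZED } };

static int holds(const struct user *u, const struct grant *g)
{
    const char *key = g->kind == USER ? u->id
                    : g->kind == ROLE ? u->role : u->position;
    return strcmp(key, g->holder) == 0;
}

/* Hypothetical stand-in for the API call on the slide: 1 = yes, 0 = no. */
int hasCompetence(const char *userid, const char *competence,
                  const char *qualifier, long value)
{
    size_t i, j;
    if (!userid || !competence || !qualifier || value < 0) return 0;
    for (i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        for (j = 0; j < sizeof GRANTS / sizeof GRANTS[0]; j++) {
            const struct grant *g = &GRANTS[j];
            if (strcmp(USERS[i].id, userid) == 0 && g->status == CURRENT &&
                holds(&USERS[i], g) && strcmp(g->competence, competence) == 0 &&
                strcmp(g->qualifier, qualifier) == 0 && value <= g->limit)
                return 1;   /* only a current grant within its limit says yes */
        }
    return 0;               /* unknown user or no matching grant: deny */
}

/* Functional authorization capsule: the application calls only this. */
int isPayoutPermitted(const char *userid, long value)
{
    return hasCompetence(userid, "PayoutContract", "Life", value);
}

int main(void) { printf("%d\n", isPayoutPermitted("clerk01", 5000)); return 0; }
```

Because the application never names a competence itself, changing which competence guards a payout touches only the capsule, and every path that is not an explicit current grant ends in a denial.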
Interfaces
SPML systems:
• Novell Identity Manager
• IBM Tivoli Directory Integrator
• openSPML
Directory systems:
• Microsoft Active Directory
• IBM Tivoli Directory Server
• openLDAP
• Novell eDirectory
• SUN one Directory Server
• ApacheDS
• RACF LDAP-Server
• other systems
Other connectors available for:
• SAP R3
• RACF
• SharePoint
• INTERFLEX
APIs available for the following platforms:
• Java (SE & EE)
• Windows / Unix (C)
• z/OS (Cobol, PL/1, C)
Summary
• Single Point of Administration and Control
• Reduction of Time, Cost and Complexity
• History management / Revision proof
• Supports RBAC / ABAC
• Integration in company-wide environments is proven
• Integration of organizational structure information
• Distributed and delegated administration (configurable)
• Multi-client capable
• High performance & fail-safe
• Corporate Design applicable
Access Governance Suite
Live Demo
FSP GmbH
Consulting & IT-Services
Albin-Köbis Straße 8
D-51147 Cologne
Tel.: +49 (0) 2203 / 371 000 – 0
www.fsp-org.com