Authorization Services

Web site overview of the Dot Net Workflow platform Authorization Services

Transcript of "Authorization Services"

1. Authorization Services: Claims and Role-Based Access Control for Enterprise Wide Security
Copyright © 2010. Dot Net Workflow is a trademark of The Dot Net Factory, LLC. | www.TheDotNetFactory.com
2. Security Challenges
- It should be easier to get access to the IT resources I need to work.
- I want to delegate management but not lose control.
- How can we report on who has access to what across all our systems?
3. The "Make Like Bob" Problem: Security Based on a Moving Target
[Diagram: Bob, "Sales Executive", accumulates access over time (Day 1, Year 2, Year N) across many protected resources: SharePoint (multiple sites and roles), custom applications (PO Approver), an AD user in the CMH OU, a CRM LDAP user, Payroll and Unix user accounts, Send As and Full Access mailbox rights, the Sales Share, and Conference Room 5401. When new hires Jim and Sarah arrive as "Sales Executive", the only template for their access is Bob's accumulated set of entitlements, and the "?" marks in the diagram show that nobody can say which of those grants a Sales Executive actually needs or why Bob holds them.]
4. The Challenge with an AD Groups-only Approach
[Diagram: John's user accounts are members of AD groups such as "Helpdesk Manager" and "Mailbox Helpdesk I", and those groups grant access to protected resources (SharePoint sites and roles, the PO Approver role in custom applications, Send As and Full Access on a shared mailbox, Conference Room 5401). Between the Person "John" and the access granted there is no reportable or auditable link, so the questions "Who are you?" and "What can you access, when, and why?" cannot be answered from group memberships alone.]
5. Protected Resource Types: EmpowerID Is an Open Box System Supporting an Unlimited Number of Resource Types
Types of Protected Resources: Custom Applications, Windows Servers, SAP, Microsoft SharePoint, Groups, Web Resources, Mailboxes.
Dot Net Workflow is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called "Resource Systems". EmpowerID modules inventory Resource Systems and enforce permissions (Permissions Management).
6. Protected Resource Objects: Each Resource Type Is a Rich, Strongly Typed Object That Flows in Processes
Dot Net Workflow uses strongly typed objects to enable drag-and-drop process design: objects can be passed between workflow steps and processes without code and bound to forms as live data.
7. Resource Types Define Rights and Operations: Rights Are External Permissions and Operations Are EmpowerID Actions
Operations are specific tasks a user may perform or approve within an EmpowerID workflow or custom application. Granting an EmpowerID Operation does not grant the user any capability within the native system.
Rights are native permissions used by the application or operating system that owns the resource. Granting a Right enables a capability in that system. Rights are continually monitored and enforced by EmpowerID.
Note the pairing in the example below: the Operation "Grant Send As" is the workflow action that sets the Right "Send As" on a mailbox, so holding the Operation lets a user perform or approve that change, while holding the Right is what lets an account actually send as the mailbox in Exchange.
Example: Exchange Mailbox
Example Mailbox Operations:
- Increase Quota
- Decrease Quota
- Edit SMTP
- Enable OWA
- Enable Calendar Auto-Accept
- Edit Forwarding
- Grant Send As
- Grant Send On Behalf
Example Mailbox Rights:
- Read
- Send As
- Send On Behalf
- Full Access
8. Resource Roles (Application Roles): Logical Bundles of Rights and Operations
Resource Roles are convenient bundles of Rights and Operations specific to a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).
Example Resource Role definitions for the Exchange Mailbox resource type:

Resource Role        | Operations                                                                                                                               | Rights
---------------------|------------------------------------------------------------------------------------------------------------------------------------------|---------------------
Editor               | Increase Quota, Decrease Quota, Edit SMTP                                                                                                | None
Administrator        | Increase Quota, Decrease Quota, Edit SMTP, Enable OWA, Enable Calendar Auto-Accept, Edit Forwarding, Grant Send As, Grant Send On Behalf | None
Outlook Full Control | None                                                                                                                                     | Full Access, Send As
9. The Bottom Line: Access = Person → Resource Role. All Assignment Types Result in Matching a Person to a Resource Role
[Diagram: Person "Steve Smith" is linked, via any possible assignment path, to the Resource Roles Editor, Administrator or Outlook Full Control on the resource "John Doe's Mailbox".]
All permissions management in EmpowerID occurs by some type of assignment that results in a Person being granted a Resource Role for a Resource.
10. The Measure of an RBAC System Is Its Flexibility in Obtaining Collections of People and Collections of Resources
Left side = People; right side = Resources; a Resource Role joins the two.
The key is how to assign the proper people to the proper Resource Roles without creating and managing large numbers of static assignments.
11. Left Side: Collections of People. Actors in the EmpowerID RBAC Model

Person or Account
    A metadirectory Person is the base identity in EmpowerID. A Person can be assigned to Resource Roles directly or by virtue of its inclusion in another actor type. A Person may have zero or more accounts, which can be assigned to Resource Roles as a pointer back to the Person owning the account.
Group
    Groups in EmpowerID are simply collections of Accounts that resolve to Person objects. Therefore, Groups can be used to grant Resource Roles for Resources in any type of system.
Management Role
    Management Roles are the functional roles or "hats" that people wear in an organization. They are easy to use and manage as they change over time. Any actor type can be made an "Assignee" (member) of a Management Role.
Business Role and Location
    Business Roles and Locations are polyarchical RBAC assignments that implement two trees with inheritance to determine a collection of people. They support static assignment of People as well as RBAC mapping, group mapping and SetGroup mapping.
SetGroups
    SetGroups are made up of Sets, which are code-based or LDAP-based queries resulting in collections of People or Resources. Sets are able to query external systems.
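The Resource Roles of slide 8, the "Access = Person → Resource Role" rule of slide 9 and the Person/Group/Management Role actors of this slide can be tied together in a few dozen lines. The following is an added example written for this page, not EmpowerID code: it bundles Rights and Operations into Resource Roles, resolves every path (direct, via a Group, via a Group that is an assignee of a Management Role) by which a Person ends up holding a Resource Role on a resource, and keeps those paths so the "who has access to what, and why" report of slide 2 can be produced. The directory contents (Steve Smith, Ann Lee, the "Mailbox Helpdesk I" group and the assignments) are constructed sample data; Business Roles, Locations and SetGroups are not modelled here.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Path = Tuple[str, ...]   # chain of actors linking a Person to an assignment


@dataclass(frozen=True)
class ResourceRole:
    """A bundle of native Rights and workflow Operations for one resource type."""
    name: str
    resource_type: str
    rights: FrozenSet[str] = frozenset()      # enforced by the external system
    operations: FrozenSet[str] = frozenset()  # enforced only by the workflow engine


MAILBOX_OPERATIONS = frozenset({
    "Increase Quota", "Decrease Quota", "Edit SMTP", "Enable OWA",
    "Enable Calendar Auto-Accept", "Edit Forwarding", "Grant Send As",
    "Grant Send On Behalf"})

# The three Exchange Mailbox Resource Roles from the Resource Roles slide.
MAILBOX_ROLES: Dict[str, ResourceRole] = {
    "Editor": ResourceRole("Editor", "Mailbox", operations=frozenset(
        {"Increase Quota", "Decrease Quota", "Edit SMTP"})),
    "Administrator": ResourceRole("Administrator", "Mailbox", operations=MAILBOX_OPERATIONS),
    "Outlook Full Control": ResourceRole("Outlook Full Control", "Mailbox",
                                         rights=frozenset({"Full Access", "Send As"})),
}


@dataclass(frozen=True)
class Assignment:
    """actor -> Resource Role for one resource; actor is a Person, Group or Management Role."""
    actor: str
    role: str
    resource: str


@dataclass
class Directory:
    group_members: Dict[str, Set[str]] = field(default_factory=dict)   # group -> persons
    mgmt_assignees: Dict[str, Set[str]] = field(default_factory=dict)  # mgmt role -> actors
    assignments: List[Assignment] = field(default_factory=list)

    def actors_for(self, person: str) -> List[Tuple[str, Path]]:
        """Every actor that resolves to `person`, each with the chain that links them."""
        chains: List[Tuple[str, Path]] = [(person, (person,))]
        chains += [(g, (person, g)) for g, m in self.group_members.items() if person in m]
        # Any actor type (a Person or a Group) may be an assignee of a Management Role.
        for mr, assignees in self.mgmt_assignees.items():
            chains += [(mr, path + (mr,)) for actor, path in list(chains) if actor in assignees]
        return chains

    def effective_roles(self, person: str, resource: str) -> Dict[str, List[Path]]:
        """Resource Role name -> every assignment path by which `person` holds it."""
        found: Dict[str, List[Path]] = {}
        for actor, path in self.actors_for(person):
            for a in self.assignments:
                if a.actor == actor and a.resource == resource:
                    found.setdefault(a.role, []).append(path)
        return found

    def effective_permissions(self, person: str, resource: str,
                              roles: Dict[str, ResourceRole] = MAILBOX_ROLES
                              ) -> Tuple[Set[str], Set[str]]:
        """Union of Rights and of Operations over every Resource Role held."""
        held = self.effective_roles(person, resource)
        rights = set().union(*(roles[r].rights for r in held))
        operations = set().union(*(roles[r].operations for r in held))
        return rights, operations


# Constructed sample directory (not from the page): who can touch John Doe's mailbox?
DIRECTORY = Directory(
    group_members={"Mailbox Helpdesk I": {"Steve Smith", "Ann Lee"}},
    mgmt_assignees={"IT Helpdesk (North America)": {"Mailbox Helpdesk I"}},
    assignments=[
        Assignment("Steve Smith", "Editor", "John Doe's Mailbox"),
        Assignment("Mailbox Helpdesk I", "Outlook Full Control", "John Doe's Mailbox"),
        Assignment("IT Helpdesk (North America)", "Administrator", "John Doe's Mailbox"),
    ],
)


def access_report(directory: Directory, resource: str,
                  people: List[str]) -> Dict[str, Dict[str, List[Path]]]:
    """'Who has access to what, and why': person -> Resource Role -> assignment paths."""
    report = {p: directory.effective_roles(p, resource) for p in people}
    return {p: roles for p, roles in report.items() if roles}
```

The point of keeping the path alongside each role is auditability: a report entry such as `("Steve Smith", "Mailbox Helpdesk I", "IT Helpdesk (North America)")` is exactly the reportable link that slide 4 says a groups-only directory lacks. Note also that Steve's Rights come only from the Outlook Full Control assignment to his group; the Editor and Administrator roles give him workflow Operations but no native Exchange permission, which is the Rights/Operations distinction of slide 7.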
12. Right Side: Collections of Resources. Resource Roles Are Assigned to Single Resources or by Location
[Diagram: an Actor (any actor type) holds a Resource Role (Editor, Administrator) either directly on a single Resource or by Location with inheritance; the collection of Resources the assignment covers is its "Scope".]
Resource Role assignments are limited, or "scoped", by assigning the Resource Role only for a single Resource or for all Resources in or below a specific EmpowerID Location.
13. Locations Represent Logical and Actual Resource System Hierarchies
[Diagram: physical "Resource System" trees and logical trees inside one Location tree; delegations are inherited down the tree; every Resource has a Location.]
The Dot Net Workflow metadirectory supports both logical and physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.
14. Right Side: How Do Resources Get into Locations? Managed Resources in the EmpowerID RBAC Model

Direct Static Assignment
    Resources can be manually assigned to one or more EmpowerID Locations.
Implicit Assignment
    Resources automatically belong to their Resource System as well as to their actual "Location" in that system, e.g. AD objects belong to their OUs and SharePoint objects belong to their site in the site tree.
RBAC Mapping
    EmpowerID "logical" Locations can be created that map to one or more "physical" Resource System Locations. Resources automatically belong to any EmpowerID Location that is mapped to their actual Resource System Location.
Relative Location Assignment
    Resources automatically belong to "Relative" assignments that can be used in what are called Relative Resource Roles. Relative Resource Roles are evaluated only at runtime and include options such as "My Direct Reports" and "Groups in or below My Location".
SetGroups
    SetGroups are made up of Sets, which are code-based or LDAP-based queries resulting in collections of People or Resources. SetGroups are not Locations themselves but can be mapped to one or more Locations. Resources belonging to a SetGroup belong to all mapped Locations.
15. RBAC Mapping: Map Physical Directory Locations to Logical Locations
Business Role and Location mappings allow existing physical directory Locations and roles to be mapped to a logical management structure. For example, multiple AD or LDAP directory containers for "London" can be visually mapped to a single virtual "London" Location for unified management and delegation.
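Slides 12 to 15 describe one mechanism from three angles: a Resource implicitly belongs to its physical container and everything above it, a logical Location mapped to one or more physical containers also contains those Resources, and a Resource Role assigned "at a Location and below" therefore reaches every Resource in any of those Locations. The block below is an added example for this page (not EmpowerID code) that implements exactly that resolution; the two directories, the "London" mapping and the assignments are constructed sample data. One assumption is marked in the code: a mapping to a physical container is taken to cover the sub-containers below it as well, which is how the "multiple AD or LDAP containers for London" case reads but which the slide does not state outright. Direct and SetGroup-based Location membership are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LocationTree:
    """One Location tree holding both physical (Resource System) and logical nodes."""
    parent: Dict[str, Optional[str]] = field(default_factory=dict)
    # logical Location -> physical Locations it is mapped to (RBAC Mapping, slide 15)
    logical_to_physical: Dict[str, Set[str]] = field(default_factory=dict)
    # resource -> the physical container it actually sits in (implicit assignment)
    resource_physical: Dict[str, str] = field(default_factory=dict)

    def add(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent Location {parent!r}")
        self.parent[name] = parent

    def map_logical(self, logical: str, *physical: str) -> None:
        self.logical_to_physical.setdefault(logical, set()).update(physical)

    def ancestors_inclusive(self, loc: str) -> List[str]:
        """The Location itself followed by every Location above it."""
        chain: List[str] = []
        cur: Optional[str] = loc
        while cur is not None:
            chain.append(cur)
            cur = self.parent[cur]
        return chain

    def locations_of(self, resource: str) -> Set[str]:
        """Every Location the resource belongs to: its physical container and all
        containers above it, plus any logical Location mapped to one of those and
        the logical Locations above that.  Assumption (not stated on the slide):
        a mapping to a physical container also covers the containers below it."""
        locs = set(self.ancestors_inclusive(self.resource_physical[resource]))
        for logical, targets in self.logical_to_physical.items():
            if locs & targets:
                locs.update(self.ancestors_inclusive(logical))
        return locs


@dataclass(frozen=True)
class ScopedAssignment:
    """actor -> Resource Role, scoped to one resource or to a Location and below."""
    actor: str
    role: str
    scope: str               # a resource name, or a Location name if by_location
    by_location: bool = False


def applies(tree: LocationTree, a: ScopedAssignment, resource: str) -> bool:
    """Does this assignment put `resource` in scope?"""
    if not a.by_location:
        return a.scope == resource
    return a.scope in tree.locations_of(resource)


def roles_in_scope(tree: LocationTree, assignments: List[ScopedAssignment],
                   actor: str, resource: str) -> Set[Tuple[str, str]]:
    """(Resource Role, scope) pairs under which `actor` holds a role on `resource`."""
    return {(a.role, a.scope) for a in assignments
            if a.actor == actor and applies(tree, a, resource)}


def build_sample() -> Tuple[LocationTree, List[ScopedAssignment]]:
    """Constructed sample (not from the page): an AD forest and an LDAP directory
    inventoried as physical trees, and one logical tree used for delegation."""
    t = LocationTree()
    t.add("AD corp.example")
    t.add("OU=London", "AD corp.example")
    t.add("OU=London Sales", "OU=London")
    t.add("OU=Tokyo", "AD corp.example")
    t.add("LDAP crm.example")
    t.add("ou=london", "LDAP crm.example")
    t.add("Global")
    t.add("Europe", "Global")
    t.add("London", "Europe")
    t.add("Asia", "Global")
    t.add("Tokyo", "Asia")
    t.map_logical("London", "OU=London", "ou=london")   # two containers, one Location
    t.map_logical("Tokyo", "OU=Tokyo")
    t.resource_physical.update({
        "Sales Share": "OU=London Sales",
        "CRM user jdoe": "ou=london",
        "Conference Room 5401": "OU=Tokyo",
    })
    assignments = [
        ScopedAssignment("IT Helpdesk (Europe)", "Administrator", "London", by_location=True),
        ScopedAssignment("Auditors", "Viewer", "Global", by_location=True),
        ScopedAssignment("Alice", "Editor", "Sales Share"),   # direct to a single resource
    ]
    return t, assignments
```

With this data the single assignment "Administrator at London and below" covers both the AD file share in a London sub-OU and the LDAP CRM account, while the Tokyo conference room is reached only by the Viewer assignment at the logical root. The security-relevant check when reviewing such a model is the mapping table: a logical Location that has been mapped to one physical container too many silently widens every delegation scoped at or above it.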
16. Management Role Inheritance: Management Roles Inherit Resource Roles Assigned to Their Definitions
[Diagram: Management Role Definition "IT Helpdesk" with child Management Roles "IT Helpdesk (North America)", "IT Helpdesk (Asia)" and "IT Helpdesk (Europe)".]
Management Roles inherit Resource Role assignments from their definition and then add any assignments made to the Management Role itself. The inheritance is only one level deep, from a definition to a Management Role: Management Roles cannot be children of other Management Roles or have more than one parent.
17. Management Role Definitions: Definitions for Responsibility-Based Bundles of Resource Roles
Management Roles are job- or responsibility-based bundles of Resource Roles that allow quick and consistent delegation of the IT access needed to perform job responsibilities. A definition lists Resource Roles "scoped by Location", whose %SpecifyLocation% placeholder is filled in by each Management Role created from it, and Resource Roles "direct assigned" to a fixed resource.

Management Role Definition: Standard Employee
- Resource Roles scoped by Location:
  - Viewer: Person @ %SpecifyLocation%
  - Viewer: Distribution Group @ %SpecifyLocation%
  - Password Self-Service User
- Resource Roles direct assigned:
  - Member: All Employees Group
  - Reader: SharePoint Home
  - Viewer: Workflow Catalog
  - …

Management Role Definition: IT Helpdesk
- Resource Roles scoped by Location:
  - Administrator: Person @ %SpecifyLocation%
  - Membership Manager: Distribution Group @ %SpecifyLocation%
  - Administrator: User Accounts @ %SpecifyLocation%
  - Administrator: Computers @ %SpecifyLocation%
  - Password Self-Service User
- Resource Roles direct assigned:
  - Member: All Employees Group
  - Reader: SharePoint Home
  - Contributor: IT SharePoint Site
  - Membership Manager: All Employees Group
  - Viewer: Workflow Catalog
  - Viewer: Group Manager Page
  - Initiator: Create Group Workflow
  - …
18. Management Roles: Responsibility-Based Bundles of Resource Roles

Management Role: Standard Employee (North America)
- Resource Roles scoped by Location:
  - Viewer: Person @ NA Location and below
  - Viewer: Distribution Group @ NA Location and below
  - Password Manager User: Self
- Resource Roles direct assigned:
  - Member: All NA Employees Group
  - Viewer: Workflow Catalog
  - …

Management Role: IT Helpdesk (North America)
- Resource Roles scoped by Location:
  - Administrator: Person @ NA Location and below
  - Membership Manager: Distribution Group @ NA Location and below
  - Administrator: User Accounts @ NA Location and below
  - Administrator: Computers @ NA Location and below
  - Password Manager User: Self
- Resource Roles direct assigned:
  - Member: All NA Employees Group
  - Membership Manager: All NA Employees Group
  - Viewer: Workflow Catalog
  - Viewer: Group Manager Page
  - Initiator: Create Group Workflow
  - …

Management Roles are job- or responsibility-based bundles of Resource Roles and Resource Type Roles that allow quick and consistent delegation of the IT access needed to perform job responsibilities.
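Slides 16 to 18 together specify a small but important set of rules: a Management Role is created from exactly one Management Role Definition, it inherits the definition's Resource Roles with %SpecifyLocation% bound to its own Location, it may carry additional assignments of its own, and the inheritance stops there (no Management Role under another Management Role, no second parent). The block below is an added example for this page, not EmpowerID code, that encodes those rules and demonstrates the property slide 11 calls out, that the roles are "easy to manage as they change over time": adding a Resource Role to the IT Helpdesk definition reaches the North America, Asia and Europe roles at once. The definitions are transcribed from slide 17; the NA-specific group memberships are modelled as the role's own assignments, as slide 18 shows them, and the "Password Manager User: Self" entry of slide 18 is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

LOCATION_PARAM = "%SpecifyLocation%"   # placeholder used on the definition slide


@dataclass
class ManagementRoleDefinition:
    """Template for a 'hat': Resource Roles scoped by a Location chosen per child role,
    plus Resource Roles direct-assigned to fixed resources."""
    name: str
    scoped_by_location: List[str] = field(default_factory=list)
    direct_assigned: List[str] = field(default_factory=list)


@dataclass
class ManagementRole:
    """Concrete role created from exactly one definition for one Location."""
    name: str
    definition: ManagementRoleDefinition
    location: str
    own_assignments: Set[str] = field(default_factory=set)  # assigned to this role itself
    assignees: Set[str] = field(default_factory=set)         # any actor type (slide 11)

    def effective_resource_roles(self) -> Set[str]:
        """Inherited from the definition, with the Location filled in, plus its own.
        Computed on every call, so a change to the definition reaches every child."""
        scope = f"{self.location} and below"
        inherited = {t.replace(LOCATION_PARAM, scope) for t in self.definition.scoped_by_location}
        return inherited | set(self.definition.direct_assigned) | self.own_assignments


class Catalog:
    """Holds definitions and roles and enforces the one-level inheritance rule."""

    def __init__(self) -> None:
        self.definitions: Dict[str, ManagementRoleDefinition] = {}
        self.roles: Dict[str, ManagementRole] = {}

    def add_definition(self, d: ManagementRoleDefinition) -> None:
        self.definitions[d.name] = d

    def create_role(self, name: str, parent: str, location: str,
                    own: Iterable[str] = ()) -> ManagementRole:
        if parent in self.roles:
            raise ValueError("Management Roles cannot be children of other Management Roles")
        if parent not in self.definitions:
            raise KeyError(f"unknown Management Role Definition {parent!r}")
        if name in self.roles:
            raise ValueError(f"{name!r} already exists and may have only one parent")
        role = ManagementRole(name, self.definitions[parent], location, set(own))
        self.roles[name] = role
        return role


def build_catalog() -> Catalog:
    """The two definitions of slide 17 and the roles of slides 16 and 18."""
    cat = Catalog()
    cat.add_definition(ManagementRoleDefinition(
        "Standard Employee",
        scoped_by_location=[f"Viewer: Person @ {LOCATION_PARAM}",
                            f"Viewer: Distribution Group @ {LOCATION_PARAM}",
                            "Password Self-Service User"],
        direct_assigned=["Member: All Employees Group", "Reader: SharePoint Home",
                         "Viewer: Workflow Catalog"]))
    cat.add_definition(ManagementRoleDefinition(
        "IT Helpdesk",
        scoped_by_location=[f"Administrator: Person @ {LOCATION_PARAM}",
                            f"Membership Manager: Distribution Group @ {LOCATION_PARAM}",
                            f"Administrator: User Accounts @ {LOCATION_PARAM}",
                            f"Administrator: Computers @ {LOCATION_PARAM}",
                            "Password Self-Service User"],
        direct_assigned=["Member: All Employees Group", "Reader: SharePoint Home",
                         "Contributor: IT SharePoint Site",
                         "Membership Manager: All Employees Group",
                         "Viewer: Workflow Catalog", "Viewer: Group Manager Page"]))
    cat.create_role("Standard Employee (North America)", "Standard Employee", "NA Location",
                    own={"Member: All NA Employees Group"})
    cat.create_role("IT Helpdesk (North America)", "IT Helpdesk", "NA Location",
                    own={"Member: All NA Employees Group",
                         "Membership Manager: All NA Employees Group"})
    cat.create_role("IT Helpdesk (Asia)", "IT Helpdesk", "Asia Location")
    cat.create_role("IT Helpdesk (Europe)", "IT Helpdesk", "Europe Location")
    return cat
```

Two checks worth keeping when such a catalog is reviewed: no effective Resource Role string should still contain the %SpecifyLocation% placeholder (an unbound scope is either a definition used directly or a role created without a Location), and the `create_role` guard that rejects a Management Role as a parent is what keeps a definition change from fanning out further than the one level the slide promises.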
