Overview of the Dot Net Workflow and EmpowerID RBAC model

1. Role-Based Access Control Overview

2. EmpowerID Capabilities EmpowerID’s Role-Based Identity and Entitlement Management answers the question, “who should have access to which IT resources based on their job function and location, and for how long?” and then enforcesthe results across all enterprise systems. With EmpowerID's Business Process Management (BPM) platform, organizations visually design business processes as workflows to automate the lifecycle of enterprise identities, roles, and resources. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 2

3. Security Challenges Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 3 It should be easier to get access to the IT resources I need to work I want to delegate management but not lose control How can we report on who has access to what across all our systems

4. The “Make Like Bob” ProblemSecurity Based On a Moving Target Protected Resources Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Year N Year 2 Day 1 New Access Granted New Access Granted ? Multiple sites and roles SharePoint Who are you? ? ? ? PO Approver ? AD User: CMH OU X ? Custom Applications CRM LDAP User Send As Bob Sales Executive” ? ? Payroll & Unix User Person ? Full Access ? ? Sales Share Conference Room 5401 New Hire: Jim “Sales Executive” New Hire: Sarah “Sales Executive”

5. The Challenge with an AD Groups-only Approach? Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Access Granted Protected Resources ? Groups Multiple sites and roles John’s User Accounts ? What can you access, when, and why? Who are you? SharePoint ? ? PO Approver Helpdesk Manager ? ? No Reportable or Auditable Link ? Custom Applications Mailbox Helpdesk I Send As John ? ? Person Full Access Shared Mailbox ? ? ? Conference Room 5401

6. Protected ResourcesEmpowerID enforces security across systems Custom Application Windows Servers SAP Microsoft SharePoint Web Types of Protected Resources Active Directory Group Groups Web Resources Microsoft Exchange Mailbox EmpowerID is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called “Resource Systems”. EmpowerID inventories Resource Systems and enforces permissions. Permissions Management = Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

8. Decrease Quota

9. Edit SMTP

10. Enable OWA

11. Enable Calendar Auto-Accept

12. Edit Forwarding

13. Grant Send As

15. Send As

16. Send On Behalf

17. Full Access7

19. Decrease Quota

20. Edit SMTP

22. Decrease Quota

23. Edit SMTP

24. Enable OWA

25. Enable Calendar Auto-Accept

26. Edit Forwarding

27. Grant Send As

29. None

30. Full AccessMailbox Supervisor Resource Roles are convenient bundles of Rights and Operations specific for a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows). 8

31. Access In EmpowerIDAll assignments types result in matching a Person to a Resource Role Resource: Mailbox Send On Behalf Assigned To Resource Role Send As Person Full Access All permissions management in EmpowerID occurs by some time of assignment that results in a Person being granted a Resource Role for a Resource.

33. Viewer: Distribution Group @ %SpecifyLocation%

34. Password Self-Service User

35. …

36. Member: All Employees Group

37. Reader: SharePoint Home

38. Viewer: Workflow Catalog

40. Membership Manager: Distribution Group @ %SpecifyLocation%

41. Administrator: User Accounts @ %SpecifyLocation%

42. Administrator: Computers @ %SpecifyLocation%

43. Password Self-Service User

44. …

45. Member: All Employees Group

46. Reader: SharePoint Home

47. Contributor: IT SharePoint Site

48. Membership Manager: All Employees Group

49. Viewer: Workflow Catalog

50. Viewer: Group Manager Page

51. Initiator: Create Group Workflow

52. …IT Helpdesk Management Roles are job or responsibility-based bundles of Resource Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities. 10

54. Viewer: Distribution Group @ NA Location and below

55. Password Manager User: Self

56. …

57. Member: All NA Employees Group

58. Viewer: Workflow Catalog

60. Membership Manager: Distribution Group @ NA Location and below

61. Administrator: User Accounts @ NA Location and below

62. Administrator: Computers @ NA Location and below

63. Password Manager User: Self

64. …

65. Member: All NA Employees Group

66. Membership Manager: All NA Employees Group

67. Viewer: Workflow Catalog

68. Viewer: Group Manager Page

69. Initiator: Create Group Workflow

70. …IT Helpdesk (North America) Management Roles are job or responsibility-based bundles of Resource Roles and Resource Type Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities. 11

71. Management Role InheritanceManagement Roles inherit Resource Roles assigned to their definitions IT Helpdesk Management Role Definition IT Helpdesk (North America) Management Roles (Children) IT Helpdesk (Asia) IT Helpdesk (Europe) Management Roles inherit Resource Role assignments from their definition and then include any assignments to the Management Role itself. The inheritance can only be 1 level deep from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than 1 parent.

72. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitions

73. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitions Management Role Definition IT Helpdesk (North America) IT Helpdesk (Asia) IT Helpdesk (Europe)

74. LocationsRepresent Logical and Actual Directory Hierarchies Physical “Mapped” Trees Logical Trees Inheritance of Delegations Location of a Resource EmpowerID supports both Logical and Physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.

75. Resource Role AssignmentsResource Role assignments are “scoped” by resource Location Assignment Scope Resource Role Assignee Recipient Admin I Delegations Recipient Admin II John Smith Resource Role assignments are limited or “scoped” by assigning the Resource Role only for Resources in or below a specific EmpowerID Location.

76. Assignees and ScopesResource Roles Assignees and Scope Options Assignment Scope Resource Role Assignee Conference Room1 Mailbox Supervisor Single Resource John Smith Recipient Admin II Domain A: “Helpdesk Admins” group Location showing inheritance Recipient Admin II EmpowerID Business Role: Helpdesk Employees in Sydney Resource Role Assignments can be made to specific People, to Groups, or to EmpowerID Business Role / Locations. In each case, any Person matching the criteria will receive the delegations specified by the Resource Role for all resources within the scope of the delegation.

77. Polyarchical RBACFlexible Business Roles scoped By Location Primary Business Role: Contractor in Sydney Secondary Business Role: IT Admin in Sydney John Smith An EmpowerID Person can have any number of dynamically or manually assigned Business Roles each scoped by Location. The Person will receive the cumulative RBAC assignments and policies directly assigned or via inheritance. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

78. RBAC MappingMap Physical Directory Locations to Logical Locations 19 Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com EmpowerID Business Role and Location mappings allows existing physical directory Locations and roles to be mapped to a logical management structure. e.g. Multiple AD or LDAP directory containers for “London” can be visually mapped to a single logical EmpowerID “London” Location for unified management and delegation.

79. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 20 Resource EntitlementsRole-Based Resource Provisioning and Deprovisioning Resource Entitlements for Contractors in New York EmpowerID Resource Entitlements are policies that automate provisioning, moving, disabling, and deprovisioning resources automatically based upon user Role and Location changes. These automate the initial provisioning of resources when a new Person is created as well as their ongoing management. Resource Entitlements for Standard Employees in Sydney

80. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 21 Policy-Based Attribute ValuesRole-Based Attribute Assignment Policy-Based Attributes for Contractors in New York EmpowerID policy-based attribute values are policies that automate the maintenance of any directory values that can be defined by Role and Location. Any attribute value of a Person can be assigned by policy and maintained automatically when Role or Location changes. Attribute values will update connected directories based upon attribute flow rules. Policy-Based Attributes for Standard Employees in Sydney

81. A New Breed Of Identity ManagementFrom Code to Visual Process Management EmpowerID WF Process Traditional Identity Management Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

82. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 23 Secure Business Processes DesignWorkflow Studio: Visual Process Designer EmpowerID BPM Studio is a drag and drop design environment for secure process automation. What You See Is What You Get user interface designers generate code free user interfaces.