Role-Based Access Control

Overview of the Dot Net Workflow and EmpowerID RBAC model

1. Protected Resources: EmpowerID enforces security across systems
   Types of Protected Resources: Custom Application, Windows Servers, SAP, Microsoft SharePoint Web, Active Directory Group, Groups, Web Resources, Microsoft Exchange Mailbox.
   EmpowerID is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called “Resource Systems”. EmpowerID inventories Resource Systems and enforces permissions.
   Diagram label: Permissions Management.
   Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. | www.empowerid.com

2. Role-Based Access Control Overview

3. EmpowerID Capabilities
   EmpowerID’s Role-Based Identity and Entitlement Management answers the question, “who should have access to which IT resources based on their job function and location, and for how long?” and then enforces the results across all enterprise systems.
   With EmpowerID's Business Process Management (BPM) platform, organizations visually design business processes as workflows to automate the lifecycle of enterprise identities, roles, and resources.

4. Security Challenges
   - It should be easier to get access to the IT resources I need to work
   - I want to delegate management but not lose control
   - How can we report on who has access to what across all our systems

5. The “Make Like Bob” Problem: Security Based On a Moving Target
   Diagram labels: Person Bob, “Sales Executive”; timeline Day 1, Year 2, Year N, each with “New Access Granted”; Protected Resources: SharePoint (multiple sites and roles), PO Approver, AD User: CMH OU, Custom Applications, CRM LDAP User, Send As, Payroll & Unix User, Full Access, Sales Share, Conference Room 5401; New Hire: Jim, “Sales Executive”; New Hire: Sarah, “Sales Executive”; “Who are you?”

6. The Challenge with an AD Groups-only Approach?
   Diagram labels: Person John; John’s User Accounts; Groups; Access Granted; Protected Resources: SharePoint (multiple sites and roles), PO Approver, Helpdesk Manager, Custom Applications, Mailbox Helpdesk I, Send As, Full Access, Shared Mailbox, Conference Room 5401; “Who are you?”; “What can you access, when, and why?”; No Reportable or Auditable Link.

7. Protected Resources: EmpowerID enforces security across systems
   (Repeat of slide 1.)

8. Resource Rights and Operations: Rights and EmpowerID Operations
   Operations: EmpowerID Operations are specific tasks a user may perform or approve within an EmpowerID workflow or custom application. Granting EmpowerID Operations does not grant the user any capabilities within the native system.
   Rights: Rights are native permissions used by the application or operating system which manages security for the resource type in question. Granting these rights enables capabilities for users outside of EmpowerID in that system. Rights are continually monitored and enforced by EmpowerID.
   Example: Exchange Mailbox
   Example Mailbox Operations: Increase Quota, Decrease Quota, Edit SMTP, Enable OWA, Enable Calendar Auto-Accept, Edit Forwarding, Grant Send As, Grant Send On Behalf
   Example Mailbox Rights: Read, Send As, Send On Behalf, Full Access

9. Resource Roles: Logical Bundles of Rights and Operations
   Resource Role Definition | Operations | Rights
   Recipient Admin I | Increase Quota, Decrease Quota, Edit SMTP | None
   Recipient Admin II | Increase Quota, Decrease Quota, Edit SMTP, Enable OWA, Enable Calendar Auto-Accept, Edit Forwarding, Grant Send As, Grant Send On Behalf | None
   Mailbox Supervisor | None | Full Access
   Resource Roles are convenient bundles of Rights and Operations specific to a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).

10. Access in EmpowerID: All assignment types result in matching a Person to a Resource Role
    Diagram: Person -> Assigned To Resource Role -> Resource: Mailbox (Send On Behalf, Send As, Full Access)
    All permissions management in EmpowerID occurs by some type of assignment that results in a Person being granted a Resource Role for a Resource.

11. Management Role Definitions: Definitions for Responsibility-based bundles of Resource Roles
    Management Role Definition: Standard Employee
      Resource Roles “Scoped By Location”:
      - Viewer: Person @ %SpecifyLocation%
      - Viewer: Distribution Group @ %SpecifyLocation%
      - Password Self-Service User
      Resource Roles “Direct Assigned”:
      - Member: All Employees Group
      - Reader: SharePoint Home
      - Viewer: Workflow Catalog
      - …
    Management Role Definition: IT Helpdesk
      Resource Roles “Scoped By Location”:
      - Administrator: Person @ %SpecifyLocation%
      - Membership Manager: Distribution Group @ %SpecifyLocation%
      - Administrator: User Accounts @ %SpecifyLocation%
      - Administrator: Computers @ %SpecifyLocation%
      - Password Self-Service User
      Resource Roles “Direct Assigned”:
      - Member: All Employees Group
      - Reader: SharePoint Home
      - Contributor: IT SharePoint Site
      - Membership Manager: All Employees Group
      - Viewer: Workflow Catalog
      - Viewer: Group Manager Page
      - Initiator: Create Group Workflow
      - …
    Management Roles are job or responsibility-based bundles of Resource Roles to allow quick and consistent delegation of the IT access needed to perform job responsibilities.

12. Management Roles: Responsibility-based bundles of Resource Roles
    Management Role: Standard Employee (North America)
      Resource Roles “Scoped By Location”:
      - Viewer: Person @ NA Location and below
      - Viewer: Distribution Group @ NA Location and below
      - Password Manager User: Self
      Resource Roles “Direct Assigned”:
      - Member: All NA Employees Group
      - Viewer: Workflow Catalog
      - …
    Management Role: IT Helpdesk (North America)
      Resource Roles “Scoped By Location”:
      - Administrator: Person @ NA Location and below
      - Membership Manager: Distribution Group @ NA Location and below
      - Administrator: User Accounts @ NA Location and below
      - Administrator: Computers @ NA Location and below
      - Password Manager User: Self
      Resource Roles “Direct Assigned”:
      - Member: All NA Employees Group
      - Membership Manager: All NA Employees Group
      - Viewer: Workflow Catalog
      - Viewer: Group Manager Page
      - Initiator: Create Group Workflow
      - …
    Management Roles are job or responsibility-based bundles of Resource Roles and Resource Type Roles to allow quick and consistent delegation of the IT access needed to perform job responsibilities.

13. Management Role Inheritance: Management Roles inherit Resource Roles assigned to their definitions
    Diagram: Management Role Definition “IT Helpdesk” -> Management Roles (Children): IT Helpdesk (North America), IT Helpdesk (Asia), IT Helpdesk (Europe)
    Management Roles inherit Resource Role assignments from their definition and then include any assignments made to the Management Role itself. The inheritance can only be one level deep, from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than one parent.

14. Management Role Overview: Management Roles inherit Resource Roles assigned to their definitions
    (Diagram slide.)

15. Management Role Overview: Management Roles inherit Resource Roles assigned to their definitions
    Diagram: Management Role Definition -> IT Helpdesk (North America), IT Helpdesk (Asia), IT Helpdesk (Europe)

16. Locations: Represent Logical and Actual Directory Hierarchies
    Diagram labels: Physical “Mapped” Trees; Logical Trees; Inheritance of Delegations; Location of a Resource
    EmpowerID supports both Logical and Physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.

17. Resource Role Assignments: Resource Role assignments are “scoped” by resource Location
    Diagram: Assignee John Smith -> Resource Roles Recipient Admin I and Recipient Admin II -> Assignment Scope (Location tree showing Delegations)
    Resource Role assignments are limited or “scoped” by assigning the Resource Role only for Resources in or below a specific EmpowerID Location.

18. Assignees and Scopes: Resource Role Assignees and Scope Options
    Assignee | Resource Role | Assignment Scope
    John Smith | Mailbox Supervisor | Single Resource: Conference Room1
    Domain A: “Helpdesk Admins” group | Recipient Admin II | Location (showing inheritance)
    EmpowerID Business Role: Helpdesk Employees in Sydney | Recipient Admin II | Location
    Resource Role Assignments can be made to specific People, to Groups, or to EmpowerID Business Role / Locations. In each case, any Person matching the criteria will receive the delegations specified by the Resource Role for all resources within the scope of the delegation.

19. Polyarchical RBAC: Flexible Business Roles scoped By Location
    Diagram: John Smith; Primary Business Role: Contractor in Sydney; Secondary Business Role: IT Admin in Sydney
    An EmpowerID Person can have any number of dynamically or manually assigned Business Roles, each scoped by Location. The Person receives the cumulative RBAC assignments and policies, whether directly assigned or received via inheritance.
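Slides 9 through 19 together describe how a Person's effective access is resolved: Resource Roles bundle Operations and Rights, assignments to a Person, a Group or a Business Role apply to resources in or below a scope Location, Management Roles inherit their definition's location-scoped Resource Roles one level deep plus their own direct assignments, and a Person holding several Business Roles receives the cumulative result. The Python below is an added model of that resolution and is not EmpowerID code; the Location tree, the Person and the assignments are constructed sample data, and substituting %SpecifyLocation% with the Management Role's own Location is an assumption based on the "@ NA Location and below" entries of slide 12.

```python
# Constructed toy model of the RBAC resolution the deck describes; not EmpowerID product code.
LOCATIONS = {"Global": None, "NA": "Global", "Sydney": "Global", "Sydney IT": "Sydney"}  # child -> parent

def in_or_below(resource_loc, scope_loc):
    """Assignment scope: a Resource Role applies only to resources in or below scope_loc."""
    while resource_loc is not None:
        if resource_loc == scope_loc:
            return True
        resource_loc = LOCATIONS[resource_loc]
    return False

# Resource Roles bundle Operations (EmpowerID tasks) and Rights (native permissions); values from slide 9.
RESOURCE_ROLES = {"Recipient Admin I": ({"Increase Quota", "Decrease Quota", "Edit SMTP"}, set()),
                  "Mailbox Supervisor": (set(), {"Full Access"})}
# A Management Role Definition lists Resource Roles "scoped by location" with a placeholder.
MR_DEFINITIONS = {"IT Helpdesk": [("Recipient Admin I", "%SpecifyLocation%")]}
# A Management Role inherits its definition's list (one level only) plus its own direct assignments.
MANAGEMENT_ROLES = {"IT Helpdesk (Sydney)": {"definition": "IT Helpdesk", "location": "Sydney",
                                             "direct": [("Mailbox Supervisor", "Sydney IT")]}}
# Resource Role assignments: (assignee kind, assignee, Resource Role, scope Location). Constructed data.
ASSIGNMENTS = [("person", "John Smith", "Recipient Admin I", "NA"),
               ("group", "Helpdesk Admins", "Mailbox Supervisor", "Global"),
               ("business_role", ("IT Admin", "Sydney"), "Recipient Admin I", "Sydney")]

def management_role_assignments(mr_name):
    """Expand a Management Role into scoped Resource Role assignments (placeholder substitution assumed)."""
    mr = MANAGEMENT_ROLES[mr_name]
    inherited = [(role, scope.replace("%SpecifyLocation%", mr["location"]))
                 for role, scope in MR_DEFINITIONS[mr["definition"]]]
    return inherited + mr["direct"]

def effective_resource_roles(person, resource_location):
    """Cumulative Resource Roles a Person holds for a resource at resource_location."""
    keys = {("person", person["name"])} | {("group", g) for g in person["groups"]}
    keys |= {("business_role", br) for br in person["business_roles"]}  # any number of Business Roles
    scoped = [(role, scope) for kind, who, role, scope in ASSIGNMENTS if (kind, who) in keys]
    for mr in person["management_roles"]:
        scoped += management_role_assignments(mr)
    return {role for role, scope in scoped if in_or_below(resource_location, scope)}

def effective_access(person, resource_location):
    """Flatten the effective Resource Roles into the (Operations, Rights) the Person ends up with."""
    roles = effective_resource_roles(person, resource_location)
    return (set().union(*(RESOURCE_ROLES[r][0] for r in roles)),
            set().union(*(RESOURCE_ROLES[r][1] for r in roles)))

# Constructed Person: no group membership, two Business Roles (polyarchical), one Management Role.
JOHN = {"name": "John Smith", "groups": set(), "management_roles": {"IT Helpdesk (Sydney)"},
        "business_roles": {("Contractor", "Sydney"), ("IT Admin", "Sydney")}}
```

For a mailbox in "Sydney IT" the model yields both Recipient Admin I and Mailbox Supervisor, while one at "Sydney" gets only Recipient Admin I because the direct Mailbox Supervisor assignment is scoped below it.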
20. RBAC Mapping: Map Physical Directory Locations to Logical Locations
    EmpowerID Business Role and Location mappings allow existing physical directory Locations and roles to be mapped to a logical management structure. For example, multiple AD or LDAP directory containers for “London” can be visually mapped to a single logical EmpowerID “London” Location for unified management and delegation.

21. Resource Entitlements: Role-Based Resource Provisioning and Deprovisioning
    Diagram labels: Resource Entitlements for Contractors in New York; Resource Entitlements for Standard Employees in Sydney
    EmpowerID Resource Entitlements are policies that automate the provisioning, moving, disabling, and deprovisioning of resources based upon user Role and Location changes. These automate the initial provisioning of resources when a new Person is created as well as their ongoing management.

22. Policy-Based Attribute Values: Role-Based Attribute Assignment
    Diagram labels: Policy-Based Attributes for Contractors in New York; Policy-Based Attributes for Standard Employees in Sydney
    EmpowerID policy-based attribute values are policies that automate the maintenance of any directory values that can be defined by Role and Location. Any attribute value of a Person can be assigned by policy and maintained automatically when Role or Location changes. Attribute values will update connected directories based upon attribute flow rules.

23. A New Breed Of Identity Management: From Code to Visual Process Management
    Diagram: Traditional Identity Management versus EmpowerID WF Process

24. Secure Business Process Design: Workflow Studio: Visual Process Designer
    EmpowerID BPM Studio is a drag and drop design environment for secure process automation. What You See Is What You Get user interface designers generate code-free user interfaces.

25. Workflow Operations: Automatic Role-Based Authorization and Approvals
    - Entitlement management and authorization system built in: workflows are automatically routed for approval using Rights-Based Approval Routing (RBAR)
    - Wizards convert PowerShell Commandlets or custom code into secure workflow Operations.

26. Metadirectory: Management of a Person and Their User Accounts
    Diagram: Metadirectory Person John Smith; Authentication from .NET Applications; Account Stores (directories containing a Person’s user accounts managed by EmpowerID): SAP, LDAP, Active Directory, Payroll, LOB Apps
    EmpowerID continually inventories and monitors Account Stores for changes. New user accounts are discovered and processed through a workflow to evaluate whether they should be “Joined” to an existing Person, “Ignored”, or “Provisioned” as a new Person.
