The document discusses discretionary access management, outlining its definition, application, and varying models such as static, dynamic, and blended approaches. It highlights best practices in managing authorization and the importance of governance in access control systems. Additionally, it emphasizes attributes and policies' role in ensuring effective entitlement management.

1. Understanding &
Managing
Discretionary
Access
The TAO of Entitlement
Management
Darran Rolls
CTO, SailPoint Technologies

8. Chief Technology Officer

9. Chief Information Security Officer

10. Today’s Agenda
• Discretionary Access
- Definition
- Application
• The Spectrum of Authorization
- Static Models
- Dynamic Models
- Blended Models
• Striking the Right Balance
- What Fits Best Where?
- Some General Best Practices…

11. Discretionary Access ?

12. “Passing or Embedding Control for
an access control decision”

15. The Spectrum of
Discretionary Access

16. Discretionary Access Scale
Approval Based - StaticModel Based - Dynamic
Access Control Decisions
Discretionary Access Scale

17. Discretionary Access Scale
Approval Based - StaticModel Based - Dynamic
Access Control Decisions
Fully Resolvable Policy Based

18. Discretionary Access Scale
Approval Based - StaticModel Based - Dynamic
Access Control Decisions
Partial of Full Human Interaction

19. Discretionary Access Scale
Approval Based - StaticModel Based - Dynamic
Access Control Decisions
Balance of Both

20. Static

21. “Pertaining to
or characterized by
a fixed or stationary
condition”
www.dictionary.com

22. “An application access security
mechanism, controlled by local
configuration”
www.darranrolls.com

27. Distributed…

28. Heterogeneous…

29. Static & Isolated…

30. Who has access to what ?

31. Centralized Control !

32. Identity Governance
& Administration

33. Identity Governance
& Administration
Approvals

34. Dynamic

35. “Pertaining to
or characterized by
energy or effective
action”
www.dictionary.com

36. “An application access security
mechanism, controlled by an
external late binding decision
making process”
www.darranrolls.com

37. Dynamic Models
ABAC - Entitlements & Context
PIP Attribute
Provider
VDS
PDP
System
System
Target
Target
PEP
PEP
Environment Attributes
+
Rules…

38. Dynamic Models
ABAC - Entitlements & Context
PIP Attribute
Provider
VDS
PDP
System
System
Target
Target
PEP
PEP
Entitlement
Giving
Attributes…
Environment Attributes
+
Rules…

39. Entitlement Giving Attributes
Creating High Fidelity Attributes…
High Fidelity Attributes provide assurance that controls and
governance are in place to appropriately manage Entitlement Giving
Attributes…

40. Dynamic Models
ABAC - Entitlements & Context
PIP Attribute
Provider
VDS
PDP
System
System
Target
Target
PEP
PEP
Environment Attributes
+
Policies…
Policy
Review &
Attestation…

41. Policy Review & Attestation
Maintaining Integrity…
Policy Controls provide assurance that once developed and deployed,
access policy rules can be considered articles of access attestation
with lifecycle controls & audit

42. Dynamic Models
ABAC - Entitlements & Context
PIP Attribute
Provider
VDS
PDP
System
System
Target
Target
PEP
PEP
Attributes…
Policies…
Governance
Visibility…
Review…
Change Control…
Audit…

43. Governance for the Process…
Managing Attributes & Policies
Visibility
• Collection
• Categorization
• Analytics
Review
• Approvals
• Certification
• Policy checks…
Change
• Delegated Admin
• Change
Detection
• Change Approval
Audit
• Reporting
• Activity
• Review
Attribute Integrity Reliability Index

44. Blended

45. “To have mixed smoothly and
inseparably together.”
www.dictionary.com

46. “An application access
security mechanism that
mixes static & dynamic
methods in the
end-to-end process.”
www.darranrolls.com

47. Just-in-Time
Token Authorization with Governance-based Provisioning
Attribute Integrity Reliability Index

48. Real-time Approval
Dynamic Manual
Attribute Integrity Reliability Index

49. Striking a Balance

50. Blended Access Control Models
Example

51. IdentityNOWIdentityIQ
Thank You!
darran@sailpoint.com
@djrolls