LeanIX Virtual Workspaces make it possible for enterprises to operate across a shared IT inventory while setting specific access rights to protect confidential data or reducing the complexity of a workspace for certain business units. LeanIX admins can now decide which users can access Fact Sheets and segment their workspaces by, for example, enterprise brands or business units, while keeping shared structures such as a common Business Capability model intact. The new feature is based on a flexible concept using Access Control Entities (ACEs) and Access Control Lists (ACLs), and a built-in group view allows for centralized analyses.
How to reduce complexity by segregating your data with Virtual Workspaces
1. Webinar
How to reduce complexity by segregating your data with Virtual Workspaces
Felix Hoffmann, Product Management
2019-07-04
2. Felix Hoffmann
Product Manager @ LeanIX GmbH
@Sisp3ks
felix.hoffmann@leanix.net
Mathematician by trade
Strong interest in Data Science (NLP, ML, …)
Responsible for Core Product at LeanIX
Ask me about: Ballroom Dancing and Table Tennis
3. Agenda
...
LeanIX Introduction
Virtual Workspaces
• Overview
• How it works
• Live Demo
Q&A
5. Continued, healthy growth of LeanIX in last 6 months
200+ Customers
129 Employees
29 Open Jobs
100% Y-o-Y Growth
6. LeanIX enables intuitive analysis in business context and facilitates faster decision-making
Large Enterprises
High-growth tech
7. We are a thought-leader in modern IT Architectures
Interactive, fast visualization and strong reporting capabilities
Fully flexible data model in cost-efficient, multi-tenant approach
Developer-friendly GraphQL API to build extensions
Integration with Enterprise Eco-system – ServiceNow, Signavio
State-of-the-art Microservices architecture & Docker deployment
Pathfinder Technology
11. Motivation: Restrict Users’ View to Essential Information
Average size of workspaces (1) increases
• 6700 Fact Sheets (max 70 k)
• 23 k Relations (max 215 k)
Necessity to keep Overview
• Instant access to relevant information
• Streamline information
• Interactive collaboration
(1) Among customers in ultimate edition
12. When you think of Virtual Workspaces ...
"As a user it should feel like there is nothing else in the [EA] world."
- Senior Manager of EAM in Pharmaceuticals
13. Key Concepts
ACE
• Access Control Entity
• ID (internal)
• Name
• Display name
• Description
ACL
• Access Control List
• List of ACEs, e.g. on a Fact Sheet
Virtual Workspaces
• Name of the Feature
• Each VW is defined by an ACE
• A virtual workspace establishes a boundary within a (physical) workspace
RBAC
• Role-based access control
• Works on a per Fact Sheet type basis
14. Role-based permission model (1/2) – Separate Admin, Member and Viewer by default
[Figure: permission matrix for the roles 1 Admin, 2 Member and 3 Viewer over the areas Name & Description, Projects, Business Support, Data Management, Sourcing and Administration. Legend: Read & Write Access, Read Access, No Access.]
• Default Roles can be managed inside the customer’s IdP or in LeanIX
• Custom Roles can be added, then roles need to be managed inside the customer’s IdP*
• Different Permissions can be maintained per Fact Sheet Type*
• Write and read access can be controlled on attribute level*
* Requires Add-On “Configuration Full”
15. Role-based permission model (2/2) – Bring in new roles and/or permissions
[Figure: permission matrix for the roles 1 Admin, 2 Member, 3 Viewer and 4 Data Privacy Officer over the areas Name & Description, GDPR, Projects, Business Support, Data Management, Sourcing and Administration. Legend: Read & Write Access, Read Access, No Access.]
• Default Roles can be managed inside the customer’s IdP or in LeanIX
• Custom Roles can be added, then roles need to be managed inside the customer’s IdP*
• Different Permissions can be maintained per Fact Sheet Type*
• Write and read access can be controlled on attribute level*
* Requires Add-On “Configuration Full”
16. Virtual Workspaces allow full separation in a workspace
[Figure: the three options drawn with the labels Region EU, Workspace, Other Workspaces, Brand 1 … Brand n, Bus Cap A, App 1 to App 3, User Group A to C and Group View.]
A: One Workspace
• Transparency across brands
• Common Business Capabilities
• Group-view built-in
• One configuration for all
B: Virtual Workspaces
• Logical Separation of brands
• Common Business Capabilities
• Group-view built-in
• One configuration for all
C: Multiple Physical Workspaces
• Strong Separation of brands
• Separate Business Capabilities
• Specific configurations per brand
• Custom implementation to generate Group View (via API)
17. Role-based permission model vs. Virtual Workspaces
Virtual Workspaces
Set Read / Write permissions on a single Fact Sheet
Role-based permission model
Set Permissions for some operation among all FS of a type
19. A flexible concept using Access Control Entities (ACE) and Access Control Lists (ACL)
[Figure: ACEs shown for Brands (Brand 1, Brand 2, Brand 3, Group View), Teams (Board Management, Global, EA, BPM, IT OPS) and Regions (EMEA, APAC, AMER, OTHER); further labels: Information Access, Views on data.]
20. Divide LeanIX Workspace by Geographic Distribution / Brands / Subsidiaries …
Structure your Workspace by company structures
Specific configurations/brand
Strong Separation of brands
[Figure labels: User Group, Application]
21. Protect only some assets for a very sensitive part of company
[Figure label: Sensitive]
Confidentiality
Secure data segregation
22. Divide LeanIX Workspace by Department / Business Capability
Built-in Group-view
One configuration for all
Logical Separation by Business Capabilities
[Figure labels: Data Objects, Business Capabilities, User Groups, Applications, IT Components, Technical Stacks, Providers]
23. Outlook on Write-Protection: Teams
All users can see everything, but I can only edit the Fact Sheets of ‘my team’.
[Figure: ACEs]
25. A user gets Access Control Entities via SSO
[Figure: a user’s workspace permission can have ACEs, which come from Active Directory via SSO; a Fact Sheet can have an ACL, which has ACEs; the check between the two is labelled “has common entities?”]
ACE = Access Control Entity
ACL = Access Control List
26. Read Access is included in Write Access
[Figure with the labels Global, Read and Write; caption: Fact Sheets that I have access to]
Whitelist approach
Users will automatically assign “correct” permission
Admins can configure more sophisticated scenarios
Define on a per Fact Sheet type basis
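The check outlined on slides 25 and 26 (the ACEs a user receives via SSO are intersected with the ACL on a Fact Sheet, and write access includes read access), modelled as an added Python example. It is not LeanIX code: the claim format, the ACE names, the denial of an empty ACL and the per-type switch are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed ACE names and claim prefixes; not LeanIX identifiers.
KNOWN_ACES = frozenset({"brand1", "brand2", "group-view"})
# Assumption: ACLs are enforced only for these Fact Sheet types.
SEGREGATED_TYPES = frozenset({"Application"})

@dataclass(frozen=True)
class FactSheet:
    name: str
    fs_type: str
    read_acl: frozenset = frozenset()
    write_acl: frozenset = frozenset()

@dataclass(frozen=True)
class User:
    read_aces: frozenset
    write_aces: frozenset

def user_from_claims(groups):
    """Map SSO group claims such as 'vw-read:brand1' to ACE sets.
    Unknown prefixes and ACE names not defined in the workspace are dropped."""
    aces = {"vw-read": set(), "vw-write": set()}
    for claim in groups:
        prefix, _, ace = claim.partition(":")
        if prefix in aces and ace in KNOWN_ACES:
            aces[prefix].add(ace)
    return User(frozenset(aces["vw-read"]), frozenset(aces["vw-write"]))

def acl_allows(user, fs, op):
    """ACL layer only; the role-based model still has to allow the operation."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if fs.fs_type not in SEGREGATED_TYPES:
        return True  # type not segregated, e.g. a common Business Capability
    can_write = bool(user.write_aces & fs.write_acl)  # "has common entities?"
    if op == "write":
        return can_write
    # Read access is included in write access.
    return can_write or bool(user.read_aces & fs.read_acl)

def visible(user, inventory):
    """Names of the Fact Sheets the user may read."""
    return [fs.name for fs in inventory if acl_allows(user, fs, "read")]

INVENTORY = [  # constructed sample inventory
    FactSheet("App 1", "Application", frozenset({"brand1", "group-view"}), frozenset({"brand1"})),
    FactSheet("App 2", "Application", frozenset({"brand2", "group-view"}), frozenset({"brand2"})),
    FactSheet("App 3", "Application"),  # empty ACL: no user has a common entity
    FactSheet("Bus Cap A", "Business Capability"),
]
```

A user holding only `vw-write:brand1` sees App 1 and the shared Business Capability, while a `vw-read:group-view` user sees both brands' applications but cannot edit them.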
29. Summary: LeanIX Virtual Workspaces
Granular Data Segregation
Scalable
Customizable
Secure
Enterprise-Ready
Professional & Ultimate Editions
Paid Add-On
Available Now
• Control access to individual Fact Sheets
• Minimal administrative work by populating access controls via SSO