7/31/2019 EntCasePub
1/5
REQUIREMENTS AND
PROCESS MANAGEMENT
Migrating to Role Based Access Control
A Simple Example
VERSION 1.0
This document is intended for current and potential customers of Altametric, LLC. Except as stated
herein, none of this material may be copied, reproduced, distributed, republished, downloaded, displayed,
posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical,
photocopying, recording or otherwise, without the prior written permission of: Altametric, LLC.
All rights not expressly granted are reserved.
Copyright 2006
Last saved by: Anselmo Antonio    Revision Number: 21
Statement of the Problem
In an effort to reduce costs, a middle market firm (note: a composite example) plans to consolidate three
major and four minor distributed service delivery systems. These systems provide data and applications to
over 75,000 users. The user population is comprised of external users (about 65,000) and employees (about
10,000). More importantly, the applications within each system will be unified under a common
authentication platform. Currently, there are seven separate access control systems that operate under
different entitlement structures. The firm seeks to migrate all users to a single access control paradigm once
the legacy systems are reworked into a single, modular architecture.
The Chief Information Officer has decided that the firm will move to a role based paradigm.
Unfortunately, only one of the major systems currently uses that approach. Assuming each user will be
unequivocally authenticated and identified, only a single entitlement system will be operated in the future.
In order to complete this task your team must:
- Develop a role based access control model.
- Complete both the business requirements and the technical requirements.
- Construct and implement a migration plan.
The Theory of Access Control
Access Control Systems Architectures
A role based access control (RBAC) paradigm for the system can reduce the number of operations
associated with granting user privileges since it attempts to mirror the logical controls of the business.
Alternatives to the role based entitlement system include discretionary access control (DAC) and
mandatory access control (MAC). Provisioning for DAC systems requires administrators to tailor the control
profile for each additional user. MAC systems grant access solely on the basis of global rules and attributes.
Both require significant provisioning and administrative time. Conversely, role based access control
(RBAC) systems reduce administrative operations by 50% to 90% over discretionary access control (DAC)
systems and mandatory access control (MAC) systems. This leverage is achieved by reducing the number
of operations for each additional user or entitlement change.
Determination of user roles and subsequent assignment requires a role engineering process. Role
engineering is an iterative and self-refining process. Role engineering methods employ a statistical, bottom-up
design and a pattern-testing, top-down refinement. The users are either migrated from existing
(DAC/MAC/RBAC) systems or added via the provisioning process. Currently, 6 of the legacy systems use a DAC system.
Roles in Service Organizations
The entitlement (access control) system determines what resources an authenticated user can access. The
typical service industry firm has traditionally assigned individual employees to well defined roles and
responsibilities (jointly referred to as jobs). Within the firm, these jobs occupy a defined organizational
hierarchy and control structure. Typical roles include sales manager, production supervisor and call center
manager. The underlying forces determining these jobs have evolved over the history of the firm and the
industry it competes within. Institutional structures can be attributed to market activity, regulation, privacy,
financial control, accounting standards and other influences.
Correspondingly, the customers (these customers are assumed to be organizations) have also delegated
responsibility and resources to well defined jobs. These jobs include purchasing managers, accounts
payable clerks and accounts receivable clerks. The roles and responsibilities for these individuals are often
mirrored within systems that they use at their firm.
Access Control Principles
The access control principles represent the fundamental business philosophy concerning a user's access to
system resources. The concepts are expressed within the following requirements:
An access control system must follow the principle of least privilege.
A role, and hence the user, must be granted access to each resource in an additive manner. A role must not be
given access to additional resources unnecessarily.
An access control system must provide for logical separation of duties.
The system must allow for role construction that can represent the firm-wide business functionality and
operating hierarchy. The entitlement system must be able to provide each user with access to resources that
are job related. The system must also use propositional rules (constraints) to deny a user access to
conflicting roles.
An access control system must follow the principle of finite access time.
Each resource covered under the entitlement system is available to each user for only a finite period of
time. Duration of access for each authenticated user must be described as a resource attribute. Access can
be controlled either by absolute time limits or user idle times.
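The three principles above expressed as a small entitlement check, added here as an illustration and not taken from the case study; the role names, the ledger resource and its time limits are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    max_age: int   # absolute limit: seconds since credentials were validated
    max_idle: int  # idle limit: seconds since the resource was last used

@dataclass
class Policy:
    roles: dict = field(default_factory=dict)       # role -> {(resource, action)}
    exclusions: set = field(default_factory=set)    # {frozenset({role_a, role_b})}
    resources: dict = field(default_factory=dict)   # name -> Resource

    def grant(self, role, resource, action):
        """Least privilege: entitlements are only ever added to a role, one at a time."""
        self.roles.setdefault(role, set()).add((resource, action))

    def conflicts(self, assigned):
        """Separation of duties: the excluded pairs present in a user's role set."""
        return [p for p in self.exclusions if p <= set(assigned)]

    def decide(self, assigned, resource, action, validated_at, last_used, now):
        """Return (allowed, reason); all times are seconds on one clock."""
        if self.conflicts(assigned):
            return False, "separation-of-duties conflict"
        if not any((resource, action) in self.roles.get(r, ()) for r in assigned):
            return False, "no assigned role grants this action"
        res = self.resources[resource]
        if now - validated_at > res.max_age:
            return False, "absolute time limit exceeded, re-validate credentials"
        if now - last_used > res.max_idle:
            return False, "idle time limit exceeded, re-validate credentials"
        return True, "granted"

def build_policy():
    """Constructed policy for the accounts payable / receivable jobs named above."""
    p = Policy()
    p.resources["ledger"] = Resource("ledger", max_age=8 * 3600, max_idle=900)
    p.grant("ap_clerk", "ledger", "post_invoice")
    p.grant("ar_clerk", "ledger", "post_receipt")
    p.grant("purchasing_mgr", "ledger", "read")
    # one person must not both approve purchases and post the matching invoices
    p.exclusions.add(frozenset({"purchasing_mgr", "ap_clerk"}))
    return p
```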
Integrating with Other Systems
Access control systems are tightly integrated with provisioning and authentication systems. The user's
identity is established unequivocally within the authentication system via the provisioning system. The
provisioning system then sets the user's entitlements, defining what resources are accessible. Consequently,
all provisioned users entering the system are challenged for credentials. Once the user's credentials are
validated, the access control (entitlement) system determines what function and data the user is entitled to
utilize.
The Implementation and Conversion Program
The current legacy systems (with one exception) use a discretionary access control system (DAC or SushiMenu
System). The migration team acknowledges that the role engineering and conversion procedure will be
iterative. The migration from this multi-factor model to a hierarchical model proceeds in the following steps:
1. Gather data on all users and resources.
2. Create a cross probability matrix for each user's resource entitlements.
3. Create an access coding (binary) system for each resource and action.
4. Assign an access code to each user and create a code histogram.
5. Drop all sparse elements (drop the bottom 5 to 10% of the population).
6. Create code subsets of broad base (many resource) codes.
7. Create an initial role data model.
8. Assign users to initial roles, assuming a small, unallocated remainder.
9. Examine unassigned users and create exception rules.
Following initial process, the population of about 75,000 is reduced to a population of about 5,000 users
that don't fit the initial role model. The exempt population needs to be worked either into existing or newly
created roles. This stage is followed by subsequent iterative procedures:
1. Create a histogram of the outlying subpopulation.
2. Build a model with the selected codes.
3. Examine excluded values and see if the access required is operationally unique.
4. Refine the model with the excluded codes.
5. Look to condense codes.
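The bottom-up role mining procedure (binary access codes, code histogram, sparse-code drop, initial roles, exact-match assignment, outlier histogram and exception rules) run end to end on a constructed ten-user entitlement table; this is an added example, not the case study's own tooling, and the users, resources and 10% drop threshold are assumptions.

```python
from collections import Counter

# Constructed sample entitlement table: user -> set of (resource, action).
ENTITLEMENTS = {
    "u01": {("ledger", "read"), ("ledger", "post_invoice")},
    "u02": {("ledger", "read"), ("ledger", "post_invoice")},
    "u03": {("ledger", "read"), ("ledger", "post_invoice")},
    "u04": {("ledger", "read"), ("ledger", "post_invoice")},
    "u05": {("ledger", "read"), ("ledger", "post_receipt")},
    "u06": {("ledger", "read"), ("ledger", "post_receipt")},
    "u07": {("ledger", "read"), ("ledger", "post_receipt")},
    "u08": {("orders", "read"), ("orders", "approve")},
    "u09": {("orders", "read"), ("orders", "approve")},
    "u10": {("ledger", "read"), ("ledger", "post_invoice"), ("orders", "approve")},
}

def access_codes(entitlements):
    """Step 3: give each (resource, action) one bit and encode every user as an integer."""
    pairs = sorted({ra for s in entitlements.values() for ra in s})
    bits = {ra: i for i, ra in enumerate(pairs)}
    return bits, {u: sum(1 << bits[ra] for ra in s) for u, s in entitlements.items()}

def mine_roles(codes, drop_fraction=0.10):
    """Steps 4-7: histogram the codes, drop the rarest until about drop_fraction
    of the population is set aside, and keep the surviving codes as initial roles."""
    hist = Counter(codes.values())
    budget = int(len(codes) * drop_fraction)
    roles = []
    for code, n in sorted(hist.items(), key=lambda kv: kv[1]):  # rarest first
        if n <= budget:
            budget -= n          # sparse element dropped
        else:
            roles.append(code)
    return sorted(roles, key=lambda c: -hist[c])  # most common role first

def assign(codes, roles):
    """Step 8: exact-match assignment preserves least privilege; users whose
    code is not a role are left unallocated for the next iteration."""
    assigned = {u: c for u, c in codes.items() if c in roles}
    outliers = {u: c for u, c in codes.items() if c not in roles}
    return assigned, outliers

def exception_rules(outliers, roles):
    """Step 9: for each outlying code, the broadest role it extends additively
    and the extra bits that need an exception rule (or a new role)."""
    rules = {}
    for code in Counter(outliers.values()):
        base = max((r for r in roles if r & code == r),
                   key=lambda r: bin(r).count("1"), default=0)
        rules[code] = (base, code & ~base)
    return rules
```

With the sample table the code histogram is 4/3/2/1, the single rarest code is dropped as sparse, three initial roles cover nine users, and the one outlier is reported as "ledger clerk role plus an extra orders/approve bit".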
Migration Plan
Once the roles are settled and the exceptions identified, the firm creates a migration team (conversion
team). The migration team now finalizes a conversion workflow. The majority of the users can be migrated
automatically. The remaining users (about 700) need to be handled manually. This task is assigned to
customer service under the supervision of the migration (conversion) team.
The philosophy during the migration phase posits many small, measured steps as opposed to a large,
simultaneous rollout. The operation will begin with converting current users into the system directory. The
migration phase ends with the retirement of the legacy systems and the full production operation of the new,
integrated system. Imperfections in the process require an iterative and, at times, manual process.
The migration planning also relies on the architecture and design of the new system. This is a key factor for
relocating users to the new system from the legacy systems and minimizing disorientation. The review of
the legacy system will help manage expectations of current users on the new system. A concept of
operations (Con-Op) describing the new system from a user point of view will be provided to all customers.
Prior to initiating the conversion process, the user migration team provides users with:
- A list of system goals and objectives
- An explanation of system functionality
- An explanation of non-functional features (performance, security, interoperability)
- Documentation of new relevant regulations, policies, standards and business rules
- A user manual and training aids.
Implementing The Pilot Program
The complexity created by the pastiche of legacy systems warrants a pilot program. The pilot program
allows planners to discover problems in the migration operation quickly. The pilot program also measures
system integrity, performance and user feedback. The population of pilot users is around 250. Once the
pilot is performed, the results are analyzed, and the remaining 75,000 are migrated electronically.
The pilot is actually a focused migration effort for a small population of users. The pilot program is not a
marketing demo. Feedback for possible user interface changes is also examined for possible updates. The
pilot program will act as the final confirmation stage for the technical architecture and design.
Post Migration Benefits
Consistent Client Experience
Authenticated users are able to access all entitled resources without challenge. The user is now assigned
consistent role(s) during the provisioning process. A user's role will also influence the navigation and
screen layout features on all entitled applications. The roles are engineered to provide each user with the
resources they need to perform their duties. The only valid challenge to an entitled resource is related to a
resource time-out. For cases of resource time-out, the user must re-validate their credentials to update the
session time-stamp.
Access Control Clarity
The entitlement system now encompasses and protects all systems exposed outside the firm. The system
now acts transparently and provides the administrators a clear report on the resources, actions and subjects
each user is entitled to. The access control policies that restrict a user's activity are now referenced for each
resource denial. The system now stores all access control policies in a central location. Access to these
policies is provided to dependent systems that also enact these policies. Administrators and dependent
systems are able to query the system independently.
Concentrated and Reduced Costs
Previously, costs for seven authentication systems were generated across at least two separate organizations
that operate many separate infrastructures. Business planning, project management and expense recovery
were also spread across many internal departments. Exact accounting of services and infrastructure varied
from department to department. Now the firm has a single, consolidated service agreement and expense
statement for the entitlement system. Reporting of development, supplier and operating costs is now
itemized and detailed within a single invoice. Moreover, provisioning personnel are now 4 to 7 times more
productive.
Conclusion
Following the migration plan, over 75,000 users were successfully converted to a new access control
system that operated on top of a single enterprise system. Users could now be added within a much shorter
turnaround time. Furthermore, access to specific applications not only became logical, but audit and other
compliance personnel now had a clear understanding of all access rules. Moreover, the number of access
assignment errors was dramatically reduced. Utilizing the role based access control system, operating and
oversight costs were lowered.