entcasepub

Upload: antonio-p-anselmo

Post on 05-Apr-2018


7/31/2019 EntCasePub 1/5

REQUIREMENTS AND PROCESS MANAGEMENT

Migrating to Role Based Access Control

A Simple Example

VERSION 1.0

This document is intended for current and potential customers of Altametric, LLC. Except as stated herein, none of these materials may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Altametric, LLC.

All rights not expressly granted are reserved.

Copyright 2006


REQUIREMENTS & PROCESS MANAGEMENT
Last saved by: Anselmo Antonio    Revision Number: 21    - 2 -

Statement of the Problem

In an effort to reduce costs, a middle market firm (note: a composite example) plans to consolidate three major and four minor distributed service delivery systems. These systems provide data and applications to over 75,000 users. The user population is comprised of external users (about 65,000) and employees (about 10,000). More importantly, the applications within each system will be unified under a common authentication platform. Currently, there are seven separate access control systems that operate under different entitlement structures. The firm seeks to migrate all users to a single access control paradigm once the legacy systems are reworked into a single, modular architecture.

The Chief Information Officer has decided that the firm will move to a role based paradigm. Unfortunately, only one of the major systems currently uses that approach. Assuming each user will be unequivocally authenticated and identified, only a single entitlement system will be operated in the future.

In order to complete this task your team must:

- Develop a role based access control model.
- Complete both the business requirements and the technical requirements.
- Construct and implement a migration plan.

The Theory of Access Control

Access Control Systems Architectures

A role based access control (RBAC) paradigm for the system can reduce the number of operations associated with granting user privileges, since it attempts to mirror the logical controls of the business. Alternatives to the role based entitlement system include discretionary access control (DAC) and mandatory access control (MAC). Provisioning for DAC systems requires administrators to tailor the control profile for each additional user. MAC systems provide access solely on global rules and attributes. Both require significant provisioning and administrative time. Conversely, RBAC systems reduce administrative operations by 50% to 90% over DAC and MAC systems. This leverage is achieved by reducing the number of operations for each additional user or entitlement change.

Determination of user roles and subsequent assignment requires a role engineering process. Role engineering is an iterative and self-refining process. Role engineering methods employ a statistical, bottom up design and a pattern testing, top down refinement. The users are either migrated from existing (DAC/MAC/RBAC) systems or added via the provisioning process. Currently, 6 of the legacy systems use a DAC system.

Roles in Service Organizations

The entitlement (access control) system determines what resources an authenticated user can access. The typical service industry firm has traditionally assigned individual employees to well defined roles and responsibilities (jointly referred to as jobs). Within the firm, these jobs occupy a defined organizational hierarchy and control structure. Typical roles include sales manager, production supervisor and call center manager. The underlying forces determining these jobs have evolved over the history of the firm and the industry it competes within. Institutional structures can be attributed to market activity, regulation, privacy, financial control, accounting standards and other influences.

Correspondingly, the customers (these customers are assumed to be organizations) have also delegated responsibility and resources to well defined jobs. These jobs include purchasing managers, accounts payable clerks and accounts receivable clerks. The roles and responsibilities for these individuals are often mirrored within the systems that they use at their firm.

Access Control Principles

The access control principles represent the fundamental business philosophy concerning a user's access to system resources. The concepts are expressed within the following requirements:

An access control system must follow the principle of least privilege.

A role, and hence the user, must be granted access to each resource in an additive manner. A role must not be given access to additional resources unnecessarily.

An access control system must provide for logical separation of duties.

The system must allow for role construction that can represent the firm wide business functionality and operating hierarchy. The entitlement system must be able to provide each user with access to resources that are job related. The system must also use propositional rules (constraints) to disallow users access to conflicting roles.

An access control system must follow the principle of finite access time.

Each resource covered under the entitlement system is available to each user for only a finite period of time. Duration of access for each authenticated user must be described as a resource attribute. Access can be controlled either by absolute time limits or user idle times.
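The three principles above, as an added example that is not from the white paper or Altametric: a small Python model in which roles grant resources additively, a separation-of-duty constraint (a propositional rule) blocks conflicting role assignments, and each resource carries absolute and idle time limits as attributes. The resource names, roles, conflict pair and limit values are constructed assumptions.

```python
# Resource attributes (constructed values): absolute session limit and idle
# limit per resource, in seconds, as the finite-access-time principle requires.
RESOURCES = {
    "ap_invoice_enter": {"absolute": 8 * 3600, "idle": 900},
    "ap_invoice_approve": {"absolute": 8 * 3600, "idle": 900},
    "ar_cash_apply": {"absolute": 8 * 3600, "idle": 900},
}

# Additive grants: each role lists only the resources its job needs.
ROLES = {
    "ap_clerk": {"ap_invoice_enter"},
    "ap_approver": {"ap_invoice_approve"},
    "ar_clerk": {"ar_cash_apply"},
}

# Separation-of-duty constraint (constructed): entering and approving
# invoices must not be held by the same user.
CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]

class ConstraintViolation(Exception):
    pass

def assign_role(user_roles, user, role):
    """Add a role to a user unless it conflicts with a role already held."""
    if role not in ROLES:
        raise KeyError(f"unknown role: {role}")
    held = user_roles.setdefault(user, set())
    for conflict in CONFLICTS:
        if role in conflict and (held & conflict) - {role}:
            raise ConstraintViolation(f"{user}: {role} conflicts with {sorted(held & conflict)}")
    held.add(role)

def entitled(user_roles, user, resource, now, login_at, last_active):
    """Return (allowed, reason): access only through a held role, and only
    while the resource's absolute and idle time limits have not expired."""
    if resource not in RESOURCES:
        return False, "unknown resource"
    if not any(resource in ROLES[r] for r in user_roles.get(user, ())):
        return False, "no entitling role"
    limits = RESOURCES[resource]
    if now - login_at > limits["absolute"]:
        return False, "absolute time limit exceeded; re-validate credentials"
    if now - last_active > limits["idle"]:
        return False, "idle time limit exceeded; re-validate credentials"
    return True, "ok"
```

A time-out here is the only denial an entitled user sees, matching the post-migration behaviour described later: the user re-validates credentials and the session time-stamp is refreshed.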

Integrating with Other Systems

Access control systems are tightly integrated with provisioning and authentication systems. The user's identity is established unequivocally within the authentication system via the provisioning system. The provisioning system then sets the user's entitlements, defining what resources are accessible. Consequently, all provisioned users entering the system are challenged for credentials. Once the user's credentials are validated, the access control (entitlement) system determines what functions and data the user is entitled to utilize.

The Implementation and Conversion Program

The current legacy systems (with one exception) use a discretionary access control system (DAC, or Sushi Menu system). The migration team acknowledges that the role engineering and conversion procedure will be iterative. The migration from this multi-factor model to a hierarchical model follows these steps:

- Gather data on all users and resources.
- Create a cross probability matrix for each user's resource entitlements.
- Create an access coding (binary) system for each resource and action.
- Assign an access code to each user and create a code histogram.
- Drop all sparse elements (drop the bottom 5 to 10% of the population).
- Create code subsets of broad base (many resource) codes.
- Create an initial role data model.
- Assign users to initial roles, assuming a small, unallocated remainder.
- Examine unassigned users and create exception rules.

Following the initial process, the population of about 75,000 is reduced to a population of about 5,000 users that don't fit the initial role model. The exempt population needs to be worked either into existing or newly created roles. This stage is followed by subsequent iterative procedures:

- Create a histogram of the outlying subpopulation.
- Build a model with the selected codes.
- Examine excluded values and see if the access required is operationally unique.
- Refine the model with excluded codes.
- Look to condense codes.
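The binary coding, histogram, sparse-drop and role-assignment steps above (the initial pass and the examination of the unassigned remainder that feeds the next iteration), as an added example that is not part of the white paper: a constructed ten-user entitlement sample is encoded into integer access codes, the rarest codes are set aside, the surviving codes become the initial roles, and any user whose code no role fully covers comes out as the exception remainder. The user ids, resources and actions are constructed.

```python
from collections import Counter

ENTITLEMENTS = {  # constructed sample: user -> (resource, action) pairs gathered from the legacy systems
    "u01": {("orders", "read"), ("orders", "write")},
    "u02": {("orders", "read"), ("orders", "write")},
    "u03": {("orders", "read"), ("orders", "write")},
    "u04": {("orders", "read"), ("invoices", "read")},
    "u05": {("orders", "read"), ("invoices", "read")},
    "u06": {("orders", "read"), ("invoices", "read")},
    "u07": {("orders", "read"), ("invoices", "read"), ("invoices", "approve")},
    "u08": {("orders", "read"), ("invoices", "read"), ("invoices", "approve")},
    "u09": {("orders", "read"), ("orders", "write"), ("ledger", "close")},
    "u10": {("orders", "read"), ("orders", "write"), ("invoices", "approve")},
}

def build_code_book(entitlements):
    """Access coding: one bit per distinct (resource, action) pair."""
    pairs = sorted({p for perms in entitlements.values() for p in perms})
    return {p: 1 << i for i, p in enumerate(pairs)}

def encode_users(entitlements, book):
    """Each user's entitlement set collapses to one integer access code."""
    return {u: sum(book[p] for p in perms) for u, perms in entitlements.items()}

def mine_roles(codes, drop_fraction=0.10):
    """Histogram the codes, drop the sparse tail (rarest codes first) up to
    drop_fraction of the population, and keep the rest as initial roles."""
    hist = Counter(codes.values())
    dropped, kept = 0, []
    for code, n in sorted(hist.items(), key=lambda kv: (kv[1], kv[0])):
        if dropped + n <= len(codes) * drop_fraction:
            dropped += n
        else:
            kept.append(code)
    return {f"role{i}": c for i, c in enumerate(sorted(kept, reverse=True))}

def assign_users(codes, roles):
    """Cover each user's code with kept roles, broadest first (a role may be a
    subset of a wider code). Bits no role covers form the exception remainder."""
    assigned, exceptions = {}, {}
    by_breadth = sorted(roles.items(), key=lambda kv: -bin(kv[1]).count("1"))
    for user, code in codes.items():
        remaining, held = code, []
        for rid, rcode in by_breadth:
            if rcode & ~code == 0 and rcode & remaining:
                held.append(rid)
                remaining &= ~rcode
        assigned[user] = held
        if remaining:
            exceptions[user] = remaining
    return assigned, exceptions
```

Running Counter over the values of the returned exceptions dictionary gives the histogram of the outlying subpopulation for the next refinement pass.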

Migration Plan

Once the roles are settled and the exceptions identified, the firm creates a migration team (conversion team). The migration team now finalizes a conversion workflow. The majority of the users can be migrated automatically. The remaining users (about 700) need to be handled manually. This task is assigned to customer service under the supervision of the migration (conversion) team.

The philosophy during the migration phase posits many small, measured steps as opposed to a large, simultaneous rollout. The operation will begin with converting current users into the system directory. The migration phase ends with the retirement of the legacy systems and the full production operation of the new, integrated system. Imperfections in the process require an iterative and, sometimes, manual process.

The migration planning also relies on the architecture and design of the new system. This is a key factor for relocating users to the new system from the legacy systems and minimizing disorientation. The review of the legacy system will help manage expectations of current users on the new system. A concept of operations (Con-Op) describing the new system from a user point of view will be provided to all customers.

Prior to initiating the conversion process, the user migration team provides users with:

- A list of system goals and objectives
- An explanation of system functionality
- An explanation of non-functional features (performance, security, interoperability)
- Documentation of new relevant regulations, policies, standards and business rules
- A user manual and training aids.

Implementing The Pilot Program

The complexity created by the pastiche of legacy systems warrants a pilot program. The pilot program allows planners to discover problems in the migration operation quickly. The pilot program also measures system integrity, performance and user feedback. The population of pilot users is around 250. Once the pilot is performed, the results are analyzed, and the remaining 75,000 are migrated electronically.

The pilot is actually a focused migration effort for a small population of users. The pilot program is not a marketing demo. Feedback for possible user interface changes is also examined for possible updates. The pilot program will act as the final confirmation stage for the technical architecture and design.


Post Migration Benefits

Consistent Client Experience

Authenticated users are able to access all entitled resources without challenge. The user is now assigned consistent role(s) during the provisioning process. A user's role will also influence the navigation and screen layout features on all entitled applications. The roles are engineered to provide each user with the resources they need to perform their duties. The only valid challenge to an entitled resource is related to a resource time-out. For cases of resource time-out, the user must re-validate their credentials to update the session time-stamp.

Access Control Clarity

The entitlement system now encompasses and protects all systems exposed outside the firm. The system now acts transparently and provides the administrators a clear report on the resources, actions and subjects each user is entitled to. The access control policies that restrict a user's activity are now referenced for each resource denial. The system now stores all access control policies in a central location. Access to these policies is provided to dependent systems that also enact these policies. Administrators and dependent systems are able to query the system independently.

Concentrated and Reduced Costs

Previously, costs for seven authentication systems were generated across at least two separate organizations that operate many separate infrastructures. Business planning, project management and expense recovery were also spread across many internal departments. Exact accounting of services and infrastructure varied from department to department. Now the firm has a single, consolidated service agreement and expense statement for the entitlement system. Reporting of development, supplier and operating costs is now itemized and detailed within a single invoice. Moreover, provisioning personnel are now 4 to 7 times more productive.

Conclusion

Following the migration plan, over 75,000 users were successfully converted to a new access control system that operated above a single, enterprise system. Users could now be added within a much shorter turnaround time. Furthermore, access to specific applications not only became logical, but audit and other compliance personnel now had a clear understanding of all access rules. Moreover, the number of access assignment errors was dramatically reduced. Utilizing the role based access control system, operating and oversight costs were lowered.