Role Discovery and RBAC Design: A Case Study With IBM RaPM
Agenda
Introductions
Role Based Access Control
Reality Check
Process and Technology
Results and Discussion
Q&A

Speaker: Grey Thrasher, Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support Software
Prolifics at a Glance
Who Are We?
Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies.
Offices: Orlando, New York, San Francisco, Boston, Philadelphia, Washington DC, Santa Clara, CA USA (Application Testing), London, Hamburg
Stability, Longevity & Growth
Solution Leadership
Serviced over 1600 IBM software accounts in the past 11 years
Prolifics boasts over 110 Security certifications for architecture, development, administration.
IBM Tivoli AAA Accredited: First For Security WW
IBM Cloud Certification: First of 5 Partners
Authorized for SVP in 5 Industry Capabilities: First in Utilities
Also in SOA, Information Management and BPM solutions and appliances for Business Process
Business challenges
Difficulty in the business understanding of security information, causing a rubber-stamp process, or simply too much data for the business to sort through
Challenges in the quarterly attestation cycle
Challenges for supervisory personnel understanding how "least privilege" works in their business unit
Onboarding (new hire user add) requests requiring additional time and effort because access requests are submitted on a case-by-case basis using individual forms
Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case-by-case basis
Risk due to inappropriate access, which could be misuse or simply audit findings; this is due to mirrored access (make John's access look like Mary's) that may grant too much permission, or to job transfers where old access is not removed properly
Figure: Before / After
Reality check
How many companies want to do RBAC?
How many companies are doing RBAC?
How many companies successfully completed RBAC in 2011?
Our study showed:
97% of IdM customers in 2011 agreed that Role Based Access Control
Why?
Challenges
Time consuming
Correlating massive data
High skill required
Not business user friendly
Inaccurate results
Requires business change (the 60/40 mix)
Requires proper tooling:
  Identity and Access Management platform
  Modeling tool
  Role life-cycle tool
Requires understanding, communication and motivation
It's a process, not a state
Figure: RBAC process, moving through IT Review Process, Business Integration, and RBAC.
Figure: Role and Policy Modeler architecture. Inputs: Governance Goals, Scope, Business Policies, Interview data (modeling tools). Role and Policy Modeler with Business View, Technical View and Validate; features: Extensible Data Layer, Exceptional Analytics, Intuitive UI, In-depth report. Data sources: Resources, Identities, Entitlements, Roles and policies from ISIM (ITIM) and IT Systems and Application Owners. Outputs: Approvals/certification, Risk Analysis, Collaboration, Compliance Reports to ISIM (ITIM), TSPM and Enterprise Systems; Role and Policy Templates and Reports to IT Management.
The beginning
Sizing
Scoping and size control
Focusing on stable business units:
  Customer service
  Financial department
Focusing on well understood applications
Section tabs: Business View | Role and Policy Modeler | Technical View | Role Lifecycle Integration
RaPM: Home Page
Designed for Business Analyst
Simple View
Model:
Projects
Role Mining/Modeling
Reports
Import
Modeling
Figure: Modeling inputs to the Role and Policy Modeler.
Top-down (from CIO, CSO, Compliance Officers, Business Owners): Governance Goals, Scope, Business Policies, Interview data; business interviews; existing model.
Bottom-up (from ISIM (ITIM), IT Systems and Application Owners): Resources, Identities, Entitlements, Roles and policies; data aggregation; system state; existing knowledge.
Role and Policy Modeler: Business View, Technical View; Extensible Data Layer, Exceptional Analytics, Intuitive UI, In-depth report.
RaPM: Model Roles and Policies
Project Creation
User selection
Permission selection
RaPM: Role Generation
IBM Research-created algorithms automatically generate Roles/Hierarchies
Options affect number of roles and depth of hierarchy
RBAC Modeling
Combine Roles
Split Roles
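To make the "options affect number of roles and depth of hierarchy" point concrete, here is an added example of a simple bottom-up role-mining pass. It is illustrative code written for this page, not IBM Research's algorithm and not RaPM code: it treats every distinct permission set shared by at least min_members users as a candidate role, derives a hierarchy from strict-superset relations (a senior role inherits its juniors' permissions), and reports users whose access did not fit any mined role. The user and permission names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of user -> permission assignments (illustrative, not customer data).
ASSIGNMENTS = {
    "alice": {"crm.read", "crm.write", "billing.read"},
    "bob":   {"crm.read", "crm.write", "billing.read"},
    "carol": {"crm.read", "billing.read"},
    "dave":  {"crm.read", "billing.read"},
    "erin":  {"crm.read"},
    "frank": {"crm.read", "crm.write", "billing.read", "billing.approve"},
}


def mine_roles(assignments, min_members=1):
    """Bottom-up mining: every distinct permission set held by at least
    min_members users becomes a candidate role. Raising min_members is the
    option that trades fewer roles against more users left as exceptions."""
    users_by_perms = defaultdict(set)
    for user, perms in assignments.items():
        users_by_perms[frozenset(perms)].add(user)
    roles = {}
    # Deterministic naming: smaller permission sets are numbered first.
    for perms, users in sorted(users_by_perms.items(),
                               key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        if len(users) >= min_members:
            roles[f"R{len(roles) + 1}"] = {"permissions": set(perms),
                                           "members": set(users)}
    return roles


def build_hierarchy(roles):
    """Map each role to its immediate senior: the smallest role whose permission
    set is a strict superset (the senior role inherits the junior one)."""
    seniors = {}
    for name, role in roles.items():
        candidates = [(len(other["permissions"]), other_name)
                      for other_name, other in roles.items()
                      if other_name != name
                      and other["permissions"] > role["permissions"]]
        seniors[name] = min(candidates)[1] if candidates else None
    return seniors


def hierarchy_depth(seniors):
    """Length of the longest junior -> senior chain (0 for a flat model)."""
    def depth_of(name):
        steps = 0
        while seniors[name] is not None:
            name = seniors[name]
            steps += 1
        return steps
    return max((depth_of(name) for name in seniors), default=0)


def uncovered_users(assignments, roles):
    """Users whose exact permission set was not mined into any role; each needs
    a manual decision (new role, documented direct assignment, or cleanup)."""
    covered = set().union(*(role["members"] for role in roles.values()))
    return set(assignments) - covered


if __name__ == "__main__":
    for min_members in (1, 2):
        roles = mine_roles(ASSIGNMENTS, min_members)
        seniors = build_hierarchy(roles)
        print(f"min_members={min_members}: {len(roles)} roles, "
              f"hierarchy depth {hierarchy_depth(seniors)}, "
              f"uncovered users {sorted(uncovered_users(ASSIGNMENTS, roles))}")
```

With min_members=1 every user fits a role and the sample yields four roles in a chain three levels deep; with min_members=2 the model collapses to two roles and one level, and erin and frank surface as exceptions to review. That is the same trade-off a modeler makes when tuning role-generation options: fewer, broader roles are easier for the business to own, at the cost of more exceptions to justify.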
Figure: Role lifecycle. Business View, Organizational Role Definition: Examine, Cleanup, Role Quality. Role Knowledge Transfer. System View, Role Definition: Define, Test, Publish. Empowerment and Application.
RaPM: Role Analysis
The Analysis Catalog provides different analyses to help determine potential role members/permissions
Ensure Membership/Permissions are accurate
Ability to view granular user/permission details in analysis results
Analytics Engine
RaPM: Membership Qualifier
Separation of Duties
Separation of duty constraints and policies, both static and dynamic, in a role model
Figure: RBAC reference model with SOD Constraints over the Role Hierarchy: Users, Roles, Permissions, Sessions.
RaPM: Separation of Duties (SOD)
Alert when users are in disallowed combination of Roles
Indicates SOD configuration problems (inevitable conflicts)
Details Users/Roles in conflict
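The three checks on this slide (alerting on users in a disallowed role combination, flagging SoD configuration problems that make a conflict inevitable, and listing the users and roles in conflict) can be written down as a small checker over a role model. The following is an added example for this page, not RaPM or ITIM code, and the role names, hierarchy and constraints are constructed sample data. It also covers the static/dynamic distinction from the previous slide: a static constraint is evaluated over everything a user holds (including roles inherited through the hierarchy), while a dynamic one is evaluated over the roles activated in a single session.

```python
# Constructed sample role model (illustrative, not an export from RaPM or ITIM).
ROLE_HIERARCHY = {  # role -> junior roles whose permissions it inherits
    "ap_clerk": set(),
    "ap_approver": set(),
    "ap_manager": {"ap_clerk", "ap_approver"},  # deliberately spans an SoD pair
    "auditor": set(),
}
# Static SoD: a user may never hold both roles, directly or by inheritance.
SOD_STATIC = [("ap_clerk", "ap_approver"), ("ap_approver", "auditor")]
# Dynamic SoD: a user may hold both, but may not activate both in one session.
SOD_DYNAMIC = [("ap_clerk", "auditor")]
USER_ROLES = {
    "alice": {"ap_clerk", "auditor"},
    "bob": {"ap_manager"},
    "carol": {"ap_approver"},
}


def effective_roles(role, hierarchy):
    """The role plus every junior role reachable through the hierarchy."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(hierarchy.get(current, ()))
    return seen


def closure(roles, hierarchy):
    """Effective roles of a whole set of roles (a user's assignments or a session)."""
    return set().union(*(effective_roles(r, hierarchy) for r in roles))


def conflicting_pairs(roles, constraints):
    """Constraint pairs fully contained in the given set of effective roles."""
    return [pair for pair in constraints if set(pair) <= roles]


def static_violations(user_roles, hierarchy, constraints):
    """Users in a disallowed combination of roles, with the offending pairs."""
    violations = {}
    for user, roles in user_roles.items():
        hits = conflicting_pairs(closure(roles, hierarchy), constraints)
        if hits:
            violations[user] = hits
    return violations


def inevitable_conflicts(hierarchy, constraints):
    """Roles whose own inheritance closure already contains both sides of a
    constraint: every member violates it whatever else they hold, so the
    SoD configuration or hierarchy, not the user, is the problem."""
    problems = {}
    for role in hierarchy:
        hits = conflicting_pairs(effective_roles(role, hierarchy), constraints)
        if hits:
            problems[role] = hits
    return problems


def session_violations(active_roles, hierarchy, dynamic_constraints):
    """Dynamic SoD: check the roles a user activates in one session."""
    return conflicting_pairs(closure(active_roles, hierarchy), dynamic_constraints)


if __name__ == "__main__":
    print("static violations:", static_violations(USER_ROLES, ROLE_HIERARCHY, SOD_STATIC))
    print("inevitable conflicts:", inevitable_conflicts(ROLE_HIERARCHY, SOD_STATIC))
    print("session check:", session_violations({"ap_clerk", "auditor"},
                                               ROLE_HIERARCHY, SOD_DYNAMIC))
```

In the sample, bob is flagged only because ap_manager inherits both ap_clerk and ap_approver; inevitable_conflicts reports that root cause as a problem with the role model rather than with bob, which is the distinction the slide draws between a user alert and an SoD configuration problem. alice is clean under the static rules but cannot activate ap_clerk and auditor in the same session.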
A new application or system, a new group is added, a group or system is consolidated or retired
RaPM: Reports
Role Lifecycle Manager
Business Process Manager
Approval request sent to Role Owner(s)
Attach Role Reports to Approval request for more details
RaPM: Export Project
Generates XML containing:
Roles
Separation of Duty constraints
User to Role assignments (optional)
RaPM: ITIM Load
Utility to load exported Roles/SODs/User-to-Role assignments
Preview option shows number of:
the
Summing up
Role Based Access Management improves compliance postures and reduces cost of administration in an evolving IT environment, but there are still challenges achieving this goal.
Figure: Foundational manual processes. Face to Face Collect; Consult; Face to face Approvals (Reject, Certify); Written Report; Manual Data Collect; Spreadsheet Evaluation; Written Reports; Manual Enforcement.
After foundational processes are implemented, and RBAC is in place, these processes can be leveraged and integrated with RBAC Management Processes.