Axiomatics
Axiomatics in Brief
Focus on: Entitlement Management, Attribute Based Access Control, Risk Intelligent Access Control
Who should be granted access to which information assets, where, when, how and why, and how is it controlled?
[Figure: access matrix of users (Robert, Susan, Ian, Mary, Keith) against resources (Res1, Res2, Res3), each X marking an individually granted permission]
Grouping Permissions
Grouping permissions to simplify administration
[Figure: the same user/resource matrix after permissions on Res1, Res2 and Res3 have been grouped, so that users are assigned to groups instead of to individual permissions]
An example
[Figure: hype-cycle curve, Visibility plotted against Maturity, with the phases Technology trigger, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; markers for 2005 (?) and 2006]
[Figure: users (1) mapped to Role 1 and Role 2, which in turn map to permissions (2)]
Removing conflicting permissions from Role 1 and/or Role 2 may solve the problem for user group 2 but create new problems for user groups 1 and 3.
[Figure: groups GrA1, GrA2, GrA3, GrB1, GrB2 and GrB3 mapped to Role A1, Role A2, Role B1 and Role B2 (Application B shown); four of the resulting combinations are flagged as SoD violations]
What?
Bottom Up Perspective
Who should have access to transaction XD01?
User Provisioning
Built on the assumption that privileges can be predefined and preconfigured as static mappings between users and their information assets.
[Figure: the RBAC chain User -> Role -> Permissions contrasted with attribute-based control, where Attributes, including the Environment, are evaluated by Policies/Rules]
Examples: A medical doctor wants to open and edit a patient's health record in the hospital's emergency room at 3 p.m. A bank's client wants to withdraw 300 from an account via an ATM machine in X city.
PEP (Policy Enforcement Point)
PDP (Policy Decision Point)
Policy Administration Point (PAP): administration GUI for maintenance of policies
Policy Information Point (PIP): services providing additional information to help resolve an access request from a PEP in cases where complementary data is needed
[Figure: XACML Request/Response flow for User B between PEP and PDP, with AD/LDAP acting as PIP, a Policy Repository, and an Administrator maintaining policies through the PAP]
Attribute values describing Subjects, Resources, Actions and Environment (maintained in day-to-day operations)
[Figure: users (1) assigned to Role 1 and Role 2 (2) with the permission "Approve payment"; the Driver's License is a subject attribute; a BILL from Fake Corp. marks the SoD violation]
Example rule: if action = approve and resource = payment and the subject has a Driver's License, then permit; else deny.
SoD Enforcement
Mitigating controls built into a policy-based authorization system
[Figure: a user with "My manipulated vendors: 1) Company A 2) Company B" wants to approve payments; approval of a BILL from Company A is banned (X), approval of a BILL from Company Z is permitted (OK)]
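A small policy decision point that evaluates the deck's two rules, the Driver's License permit rule and the vendor-based SoD mitigating control, over constructed subject attributes. This is an added illustration, not Axiomatics or XACML code; the user names, the licence directory and the vendor registry are assumed sample data standing in for a PIP such as AD/LDAP.

```python
"""Toy XACML-style PDP for the payment-approval example (added illustration).

Rule 1 is the slide's text: approve payment is permitted only if the subject
holds a Driver's License. Rule 2 is the mitigating control from the SoD
Enforcement slide: a subject may not approve a bill from a vendor they
registered themselves. Combining is deny-overrides, with deny as default.
"""
from dataclasses import dataclass

# Constructed PIP data (assumed, not from the deck): attributes maintained
# for day-to-day operations rather than for authorization.
LICENCE_DIRECTORY = {"robert": True, "susan": False}
VENDORS_REGISTERED_BY = {"robert": {"Company A", "Company B"}, "susan": set()}


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    vendor: str  # resource attribute: which vendor issued the bill


def pip_lookup(subject):
    """Policy Information Point: fetch extra subject attributes on demand."""
    return {"has_drivers_license": LICENCE_DIRECTORY.get(subject, False),
            "registered_vendors": VENDORS_REGISTERED_BY.get(subject, set())}


def rule_drivers_license(req, attrs):
    """Slide rule: approve payment -> permit iff subject has a Driver's License."""
    if req.action == "approve" and req.resource == "payment":
        return "Permit" if attrs["has_drivers_license"] else "Deny"
    return "NotApplicable"


def rule_sod_vendor(req, attrs):
    """Mitigating control: deny approving a bill from a vendor the subject registered."""
    if (req.action == "approve" and req.resource == "payment"
            and req.vendor in attrs["registered_vendors"]):
        return "Deny"
    return "NotApplicable"


def decide(req, rules=(rule_sod_vendor, rule_drivers_license)):
    """Deny-overrides: any Deny wins, otherwise a Permit, otherwise Deny."""
    attrs = pip_lookup(req.subject)
    results = [rule(req, attrs) for rule in rules]
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"


if __name__ == "__main__":
    print(decide(Request("robert", "approve", "payment", "Company Z")))  # Permit
    print(decide(Request("robert", "approve", "payment", "Company A")))  # Deny
```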
[Figure: two applications (Application 2 shown) sharing one policy-based authorization infrastructure: XACML Request/Response between each application and the PDP, XACML Policies held in a Policy Repository, AD/LDAP as PIP, an AMF with Attrib Mgmt over the Data, User A acting as Administrator and User B as end user]
Real-world scenarios
- Customers already have an infrastructure
- Re-using SAP roles to manage access to a document store
- Additional attributes about documents and users are needed
- SAP role management complies with corporate governance rules
[Figure: AMF fed by Other sources and Documents]
Existing, but possibly not trusted, attributes are reused for authorization although they are currently maintained for other purposes.
Questions?
Discussions? For more information, don't hesitate to contact me: finn.frisch@axiomatics.com