05 May Entitlement Management: Identity Governance that makes business sense
An application access is generally expressed as a business function/permission on a set of resources/assets/datasets. Each application has its own access control model (ACLs, RBAC, Discretionary/Mandatory access control etc.). To simplify administration, these fine grained authorization policies are published as a set of “entitlements”.
Application delegates authentication/authorization enforcement to specialized set of security platforms like enterprise repositories (LDAP/Active Directory), access management/SSO (reverse proxies), entitlement servers (RACF, OES etc.). These security platforms manage application entitlements and their assignment to users. To access a business application, user needs to be assigned to multiple entitlements across different platforms ex. AD group membership (course grained) and an application entitlement (fine grained).
Identity governance processes in practice are generally applied to entitlements and their assignments but have minimal or no information about underlying entitlement definitions. This over-simplification makes Identity governance less business friendly.
- What access a user has on an application?
- How can requester/approver/certifier comprehend that an entitlement assignment, presented individually, correspond to a single business function?
- How to model an “entitlement” when entitlement definitions are resource-centric ex. user’s access to business application function should be restricted to a region/locality/specific datasets. Have as many entitlements as protected application resources? Number of entitlements = Business functions * Number of protected resources
- As application resources are added/removed/modified, how to entitle/de-entitle access to user.
- What if application administrator change application security configuration intentionally/unintentionally and maps sensitive resources/business function to a “low risk” entitlement?
Entitlement Definition Management should be one of the key component of Identity Governance processes.
Confluxsys Identity Analytics solution enables business users to manage entitlement definitions in a self-service manner, govern rogue changes to entitlement definitions & assignments, provides additional context information to requester/approver/certifier for effective identity governance, and integrates with application’s resource life cycle.
One of the biggest challenge is the integration given each application have their own access control model. Organization can implement Entitlement Definition in a phased approach:Phase 1: Present context. Provide additional context information about entitlement to requester/approver/certifier: solution supports collection of entitlement definition “as it exists” on the business application. Data is then transformed, validated, co-related within the framework. Information is made available to the users in form of restful webservice and integrated to Identity Governance interfaces.
Phase 2: Govern entitlement definitions. Reconciliation & Certification. Solution reconciles entitlements into the certification engine for periodic/event based access reviews. In certification, certifier manage business application function, resources/datasets association with the entitlement.
Phase 3: Entitlement definition management. Solution provides an interface to manage entitlement definitions in a business friendly whereby:
- Instead of listing specific set of resource/dataset, business user chooses business metadata of the resource or a “resource profile“. Ex. For an insurance company, all datasets that relates to a specific region, division.
- Operation/Permissions are expressed as business functions.
Phase 4: Application Resource lifecycle management. As resources are added/de-commissioned/modified, system automatically entitles/de-entitles user access based on the entitlement definition provided by the business users.