SlideShare una empresa de Scribd logo

Role-Based Access Control

E
EmpowerID

Overview of the Dot Net Workflow and EmpowerID RBAC model

Tecnología
1 de 25
Role-Based Access Control Overview
EmpowerID Capabilities EmpowerID’s Role-Based Identity and Entitlement Management answers the question, “who should have access to which IT resources based on their job function and location, and for how long?” and then enforcesthe results across all enterprise systems. With EmpowerID's Business Process Management (BPM) platform, organizations visually design business processes as workflows to automate the lifecycle of enterprise identities, roles, and resources. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 2
Security Challenges Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 3 It should be easier to get access to the IT resources I need to work I want to delegate management but not lose control How can we report on who has access to what across all our systems
The “Make Like Bob” ProblemSecurity Based On a Moving Target Protected Resources Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Year N Year 2 Day 1 New Access Granted New Access Granted ? Multiple sites and roles SharePoint Who are you? ? ? ? PO Approver ? AD User: CMH OU X ? Custom Applications CRM LDAP User Send As Bob Sales Executive” ? ? Payroll & Unix User Person ? Full Access ? ? Sales Share Conference Room 5401 New Hire: Jim “Sales Executive” New Hire: Sarah “Sales Executive”
The Challenge with an AD Groups-only Approach? Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Access Granted Protected Resources ? Groups Multiple sites and roles John’s User Accounts ? What can you access, when, and why? Who are you? SharePoint ? ? PO Approver Helpdesk Manager ? ? No Reportable or Auditable Link ? Custom Applications Mailbox Helpdesk I Send As John ? ? Person Full Access Shared Mailbox ? ? ? Conference Room 5401
Protected ResourcesEmpowerID enforces security across systems Custom Application Windows Servers SAP Microsoft SharePoint Web Types of Protected Resources Active Directory Group Groups Web Resources Microsoft Exchange Mailbox EmpowerID is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called “Resource Systems”. EmpowerID inventories Resource Systems and enforces permissions. Permissions Management = Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com
Resource Rights and OperationsRights and EmpowerID Operations Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Operations Rights EmpowerID Operations are specific tasks a user may perform or approve within an EmpowerID workflow or custom application. Granting EmpowerID Operations does not grant the user any capabilities within the native system. Rights are native permissions used by the application or operating system which manages security for the resource type in question. Granting these rights enables capabilities for users outside of EmpowerID in that system. Rights are continually monitored and enforced by EmpowerID. Example: Exchange Mailbox Example Mailbox Operations ,[object Object]
Decrease Quota
Edit SMTP
Enable OWA
Enable Calendar Auto-Accept
Edit Forwarding
Grant Send As
Grant Send On BehalfExample Mailbox Rights ,[object Object]
Send As
Send On Behalf
Full Access7
Resource RolesLogical Bundles of Rights and Operations Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Operations Resource Role Definition Rights ,[object Object]
Decrease Quota
Edit SMTP
NoneRecipient Admin I ,[object Object]
Decrease Quota
Edit SMTP
Enable OWA
Enable Calendar Auto-Accept

Recomendados

Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
Role Based Access Control - Overview
Role Based Access Control - OverviewRole Based Access Control - Overview
Role Based Access Control - Overview
Hitachi ID Systems, Inc.
 
Rbac
RbacRbac
Rbac
أحلام انصارى
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - Portfolio
IBM Sverige
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 

Recomendados

Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
Role Based Access Control - Overview
Role Based Access Control - OverviewRole Based Access Control - Overview
Role Based Access Control - Overview
Hitachi ID Systems, Inc.
 
Rbac
RbacRbac
Rbac
أحلام انصارى
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - Portfolio
IBM Sverige
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
Amazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
Amazon Web Services
 
OneIdentity - A Future-Ready Approach to IAM
OneIdentity - A Future-Ready Approach to IAMOneIdentity - A Future-Ready Approach to IAM
OneIdentity - A Future-Ready Approach to IAM
Adrian Dumitrescu
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
Amazon Web Services
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)
Prof. Jacques Folon (Ph.D)
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
Bryant Poush
 
Applications Performance Monitoring with Applications Manager part 1
Applications Performance Monitoring with Applications Manager part 1Applications Performance Monitoring with Applications Manager part 1
Applications Performance Monitoring with Applications Manager part 1
ManageEngine, Zoho Corporation
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
Amazon Web Services
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
 
Iam presentation
Iam presentationIam presentation
Iam presentation
AWS UG PK
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Amazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
Amazon Web Services
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?
LunchBadger
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS Organizations
Amazon Web Services
 
Authorization Services
Authorization ServicesAuthorization Services
Authorization Services
EmpowerID
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
Aidy Tificate
 

Más contenido relacionado

La actualidad más candente

Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

La actualidad más candente (20)

The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
OneIdentity - A Future-Ready Approach to IAM
OneIdentity - A Future-Ready Approach to IAMOneIdentity - A Future-Ready Approach to IAM
OneIdentity - A Future-Ready Approach to IAM
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
Identity Access Management (IAM)
Identity Access Management (IAM)Identity Access Management (IAM)
Identity Access Management (IAM)
 
OAuth
OAuthOAuth
OAuth
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
 
Applications Performance Monitoring with Applications Manager part 1
Applications Performance Monitoring with Applications Manager part 1Applications Performance Monitoring with Applications Manager part 1
Applications Performance Monitoring with Applications Manager part 1
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
Iam presentation
Iam presentationIam presentation
Iam presentation
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS Organizations
 

Similar a Role-Based Access Control

Interview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRMInterview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRM
Kumari Warsha Goel
 
Resouce management system1
Resouce management system1Resouce management system1
Resouce management system1
Guni Sonow
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
thebigredhemi
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
Kiran Kumar
 

Similar a Role-Based Access Control (20)

Authorization Services
Authorization ServicesAuthorization Services
Authorization Services
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
 
Short Overview
Short OverviewShort Overview
Short Overview
 
User Manager
User ManagerUser Manager
User Manager
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBAC
 
Oracle Identity Manager Basics
Oracle Identity Manager BasicsOracle Identity Manager Basics
Oracle Identity Manager Basics
 
TDNF Seminar
TDNF SeminarTDNF Seminar
TDNF Seminar
 
Interview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRMInterview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRM
 
2004 10 21 Rbac At Mazda Horst Walther
2004 10 21 Rbac At Mazda Horst Walther2004 10 21 Rbac At Mazda Horst Walther
2004 10 21 Rbac At Mazda Horst Walther
 
Short Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDShort Sales Overview of EmpowerID
Short Sales Overview of EmpowerID
 
Automating Security Management in PBCS!
Automating Security Management in PBCS!Automating Security Management in PBCS!
Automating Security Management in PBCS!
 
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conferenceSIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
 
Saipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_VitaeSaipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_Vitae
 
Oracle Open World S308250  Securing Your People Soft Application Via Idm
Oracle Open World S308250  Securing Your People Soft Application Via IdmOracle Open World S308250  Securing Your People Soft Application Via Idm
Oracle Open World S308250  Securing Your People Soft Application Via Idm
 
ODTUG Learn from Home S E R I E S-Automating Security Management in PBCS!
ODTUG Learn from Home S E R I E S-Automating Security Management in PBCS!ODTUG Learn from Home S E R I E S-Automating Security Management in PBCS!
ODTUG Learn from Home S E R I E S-Automating Security Management in PBCS!
 
Resouce management system1
Resouce management system1Resouce management system1
Resouce management system1
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
 
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
 
IRJET- Research Paper on Active Directory
IRJET- Research Paper on Active DirectoryIRJET- Research Paper on Active Directory
IRJET- Research Paper on Active Directory
 

Más de EmpowerID

Más de EmpowerID (12)

SSO Manager
SSO ManagerSSO Manager
SSO Manager
 
Active Directory Self-Service Suite Overview
Active Directory Self-Service Suite OverviewActive Directory Self-Service Suite Overview
Active Directory Self-Service Suite Overview
 
Products
ProductsProducts
Products
 
Exchange Manager
Exchange ManagerExchange Manager
Exchange Manager
 
Workflow Studio
Workflow StudioWorkflow Studio
Workflow Studio
 
Workflow Services
Workflow ServicesWorkflow Services
Workflow Services
 
User Experience
User ExperienceUser Experience
User Experience
 
Federation Services
Federation ServicesFederation Services
Federation Services
 
Connector Framework
Connector FrameworkConnector Framework
Connector Framework
 
Solutions
SolutionsSolutions
Solutions
 
Group Manager
Group ManagerGroup Manager
Group Manager
 
Password Manager
Password ManagerPassword Manager
Password Manager
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Role-Based Access Control

  • 2. EmpowerID Capabilities EmpowerID’s Role-Based Identity and Entitlement Management answers the question, “who should have access to which IT resources based on their job function and location, and for how long?” and then enforcesthe results across all enterprise systems. With EmpowerID's Business Process Management (BPM) platform, organizations visually design business processes as workflows to automate the lifecycle of enterprise identities, roles, and resources. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 2
  • 3. Security Challenges Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 3 It should be easier to get access to the IT resources I need to work I want to delegate management but not lose control How can we report on who has access to what across all our systems
  • 4. The “Make Like Bob” ProblemSecurity Based On a Moving Target Protected Resources Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Year N Year 2 Day 1 New Access Granted New Access Granted ? Multiple sites and roles SharePoint Who are you? ? ? ? PO Approver ? AD User: CMH OU X ? Custom Applications CRM LDAP User Send As Bob Sales Executive” ? ? Payroll & Unix User Person ? Full Access ? ? Sales Share Conference Room 5401 New Hire: Jim “Sales Executive” New Hire: Sarah “Sales Executive”
  • 5. The Challenge with an AD Groups-only Approach? Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com Access Granted Protected Resources ? Groups Multiple sites and roles John’s User Accounts ? What can you access, when, and why? Who are you? SharePoint ? ? PO Approver Helpdesk Manager ? ? No Reportable or Auditable Link ? Custom Applications Mailbox Helpdesk I Send As John ? ? Person Full Access Shared Mailbox ? ? ? Conference Room 5401
  • 6. Protected ResourcesEmpowerID enforces security across systems Custom Application Windows Servers SAP Microsoft SharePoint Web Types of Protected Resources Active Directory Group Groups Web Resources Microsoft Exchange Mailbox EmpowerID is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called “Resource Systems”. EmpowerID inventories Resource Systems and enforces permissions. Permissions Management = Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com
  • 7.
  • 14.
  • 18.
  • 21.
  • 28.
  • 29. None
  • 30. Full AccessMailbox Supervisor Resource Roles are convenient bundles of Rights and Operations specific for a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows). 8
  • 31. Access In EmpowerIDAll assignments types result in matching a Person to a Resource Role Resource: Mailbox Send On Behalf Assigned To Resource Role Send As Person Full Access All permissions management in EmpowerID occurs by some time of assignment that results in a Person being granted a Resource Role for a Resource.
  • 32.
  • 33. Viewer: Distribution Group @ %SpecifyLocation%
  • 35.
  • 39.
  • 40. Membership Manager: Distribution Group @ %SpecifyLocation%
  • 41. Administrator: User Accounts @ %SpecifyLocation%
  • 42. Administrator: Computers @ %SpecifyLocation%
  • 44.
  • 48. Membership Manager: All Employees Group
  • 52. …IT Helpdesk Management Roles are job or responsibility-based bundles of Resource Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities. 10
  • 53.
  • 54. Viewer: Distribution Group @ NA Location and below
  • 56.
  • 57. Member: All NA Employees Group
  • 59.
  • 60. Membership Manager: Distribution Group @ NA Location and below
  • 61. Administrator: User Accounts @ NA Location and below
  • 62. Administrator: Computers @ NA Location and below
  • 64.
  • 65. Member: All NA Employees Group
  • 66. Membership Manager: All NA Employees Group
  • 70. …IT Helpdesk (North America) Management Roles are job or responsibility-based bundles of Resource Roles and Resource Type Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities. 11
  • 71. Management Role InheritanceManagement Roles inherit Resource Roles assigned to their definitions IT Helpdesk Management Role Definition IT Helpdesk (North America) Management Roles (Children) IT Helpdesk (Asia) IT Helpdesk (Europe) Management Roles inherit Resource Role assignments from their definition and then include any assignments to the Management Role itself. The inheritance can only be 1 level deep from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than 1 parent.
  • 72. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitions
  • 73. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitions Management Role Definition IT Helpdesk (North America) IT Helpdesk (Asia) IT Helpdesk (Europe)
  • 74. LocationsRepresent Logical and Actual Directory Hierarchies Physical “Mapped” Trees Logical Trees Inheritance of Delegations Location of a Resource EmpowerID supports both Logical and Physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.
  • 75. Resource Role AssignmentsResource Role assignments are “scoped” by resource Location Assignment Scope Resource Role Assignee Recipient Admin I Delegations Recipient Admin II John Smith Resource Role assignments are limited or “scoped” by assigning the Resource Role only for Resources in or below a specific EmpowerID Location.
  • 76. Assignees and ScopesResource Roles Assignees and Scope Options Assignment Scope Resource Role Assignee Conference Room1 Mailbox Supervisor Single Resource John Smith Recipient Admin II Domain A: “Helpdesk Admins” group Location showing inheritance Recipient Admin II EmpowerID Business Role: Helpdesk Employees in Sydney Resource Role Assignments can be made to specific People, to Groups, or to EmpowerID Business Role / Locations. In each case, any Person matching the criteria will receive the delegations specified by the Resource Role for all resources within the scope of the delegation.
  • 77. Polyarchical RBACFlexible Business Roles scoped By Location Primary Business Role: Contractor in Sydney Secondary Business Role: IT Admin in Sydney John Smith An EmpowerID Person can have any number of dynamically or manually assigned Business Roles each scoped by Location. The Person will receive the cumulative RBAC assignments and policies directly assigned or via inheritance. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com
  • 78. RBAC MappingMap Physical Directory Locations to Logical Locations 19 Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com EmpowerID Business Role and Location mappings allows existing physical directory Locations and roles to be mapped to a logical management structure. e.g. Multiple AD or LDAP directory containers for “London” can be visually mapped to a single logical EmpowerID “London” Location for unified management and delegation.
  • 79. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 20 Resource EntitlementsRole-Based Resource Provisioning and Deprovisioning Resource Entitlements for Contractors in New York EmpowerID Resource Entitlements are policies that automate provisioning, moving, disabling, and deprovisioning resources automatically based upon user Role and Location changes. These automate the initial provisioning of resources when a new Person is created as well as their ongoing management. Resource Entitlements for Standard Employees in Sydney
  • 80. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 21 Policy-Based Attribute ValuesRole-Based Attribute Assignment Policy-Based Attributes for Contractors in New York EmpowerID policy-based attribute values are policies that automate the maintenance of any directory values that can be defined by Role and Location. Any attribute value of a Person can be assigned by policy and maintained automatically when Role or Location changes. Attribute values will update connected directories based upon attribute flow rules. Policy-Based Attributes for Standard Employees in Sydney
  • 81. A New Breed Of Identity ManagementFrom Code to Visual Process Management EmpowerID WF Process Traditional Identity Management Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com
  • 82. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com 23 Secure Business Processes DesignWorkflow Studio: Visual Process Designer EmpowerID BPM Studio is a drag and drop design environment for secure process automation. What You See Is What You Get user interface designers generate code free user interfaces.
  • 83.
  • 84.