Best Practices for Access Management (MuleSoft Meetups Riyadh) - July 2021
- 1. All contents © MuleSoft, LLC
Best Practices For Access Management
(MuleSoft Meetup - Riyadh)
July 2021
Royston Lobo
Senior Customer Success Architect, JAPAC Customer Success Strategy and Architecture.
Bernard Tay
Customer Success Strategy and Architecture Intern, JAPAC Customer Success Strategy and Architecture.
- 3. Agenda
● Why is Access Management important?
● Best Practices
○ Business Groups
○ Audit Logging
○ External Identity Management
○ Teams
- 6. Source: Former Employee Admits Hacking, Damaging Cisco Systems
- 7. Challenges in Access Management
● IT and HR systems aren’t well integrated
● Size introduces complexity
● Audits and reviews are deprioritised
- 9. Business Groups
Business groups are self-contained resource groups that contain Anypoint Platform resources such as applications and APIs. Business groups provide a way to separate and control access to Anypoint Platform resources because users have access only to the business groups in which they have a role.
- 11. Anypoint – Business Groups Hierarchy
Anypoint Organisation (master)
  ● Business Group 1
    ○ Sub Business Group 1.1
      ○ Sub Business Group 1.1.1
    ○ Sub Business Group 1.2
  ● Business Group 2
  ● Business Group 3
Diagram labels: Parent Business Group; Child Business Group (sub-group).
Anypoint Master Org: the hierarchy model is optional. Best practice is to adapt it to your organization’s needs.
- 12. Anypoint – Business Groups Hierarchy (house analogy)
House (master)
  ● Ground floor (Group 1)
    ○ Kitchen (1.1)
      ○ Kitchen store room (1.1.1)
    ○ Guest bedroom (1.2)
  ● Upper level (Group 2)
  ● Garden (Group 3)
Diagram labels: Parent Business Group; Child Business Group (sub-group).
- 13. Anypoint – Business Groups Hierarchy
Each parent business group can be allocated:
• Prod vCores
• Non-Prod vCores
• vDesign Cores
• VPCs
• Static IPs
• Environments
(Hierarchy as on slide 11: Anypoint Organisation (master) → Business Groups 1–3 → Sub Business Groups 1.1, 1.2, 1.1.1.)
Each child business group allows for fine-grained access control.
Note: rights are not inherited from parent business groups.
- 14. Tips
➢ Shared resources should be created in the Master Organisation (root)
○ e.g. VPCs, DLBs
➢ Assets and APIs can be shared between Business Groups
- 17. Audit logging
● Queryable history of actions performed within the Anypoint Platform
● Retention period of 6 years
● Can be accessed via Audit Logging API or downloaded for longer retention
- 20. Introducing Multi-Factor Authentication (MFA)
Enhance security with additional identity verification at login. Available now.
● Secure accounts at login in layers: require users to enter two or more factors of evidence to authenticate, a password plus an additional verification method.
● Balance security and convenience: support for the Salesforce Authenticator mobile app, third-party authenticator apps, and security keys.
- 21. Simple and effective ways to protect your data
Secure your user accounts with multi-factor authentication:
● Something you know: login credentials
● Something you have: MFA
- 22. Visit Access Management in Anypoint to enable MFA
Admins can manage and monitor MFA for users.
Manage:
● Option to require MFA logins for all local Anypoint users
● Easily exclude specific users used for integrations (“service users”)
● Revoke MFA from a user when they lose a device
- 23. External Identity Management
Secure the Anypoint Platform control plane by configuring:
● OpenID Connect: end-user identity verification by an IdP, including SSO
● SAML 2.0: web-based authorization, including cross-domain SSO
OpenID Connect supports: PingFederate, OpenAM, Okta
SAML supports: PingFederate, OpenAM, Okta and many more
- 24. SSO (Single Sign-On) Configuration
Why use SSO?
● IT can define access based on user profile, groups, network, client and consent
● API access can be provisioned as easily as you provision application access
● API dev teams can securely design, develop, test, deploy and operate APIs in hours
- 26. Teams
All about Teams: what you need to know
- 27. Why Teams?
Customer pain points:
● Difficult to manage users and permissions across multiple business groups
● Org admins have to define roles and assign users to roles for each business group
● Not possible to set a global permission
● Unable to share an Exchange asset with a specific team
- 28. What is Teams?
Teams provide a user grouping mechanism in Anypoint Platform that enables collaboration and reuse.
Teams allow an Org Admin to do the following:
● Implement their hierarchical org structure in Anypoint
● Easily assign both global and team-level permissions
● Map SSO groups to Teams
- 30. Set global or team-level permissions
● Set a global permission for everyone in the organization, such as “Exchange Viewer”
● Set a permission for the “Engineering” team, and it will be inherited by its subteams
- 31. Add employees to teams
● Easily add users to teams
- 32. Business Groups vs Teams
Business Groups and Teams work in tandem to give Anypoint Platform users more flexibility in access control management.
Business Group: delegates management and cost allocation within the organization, e.g. number of vCores per LoB, environments, etc.
Teams: groups of organization users that reflect the company structure; allow permission rights to be allocated per segregated group.
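A toy model of the two permission scopes contrasted on this slide and in the notes on slides 13 and 30 (business-group roles stay within the group they are granted on; team permissions are inherited by subteams, and a root-team permission is global). It is an added example, not MuleSoft or Anypoint code, and the groups, teams, users and permission names are constructed:

```python
# Added example, not MuleSoft code: a toy model of the two access scopes the
# deck contrasts. A business-group role applies only to the group it is set on
# (slide 13: not inherited from parent groups); a team permission is inherited
# by subteams, and one on the root team is the global permission (slide 30).
from dataclasses import dataclass, field

@dataclass
class Node:
    """A business group or a team; parent is None at the root."""
    name: str
    parent: "Node | None" = None
    roles: dict = field(default_factory=dict)      # BG: user -> roles here
    members: set = field(default_factory=set)      # team: direct members
    permissions: set = field(default_factory=set)  # team: granted permissions

def business_group_roles(user: str, group: Node) -> set:
    """Only roles granted on this exact group count; ancestors are ignored."""
    return set(group.roles.get(user, ()))

def team_permissions(user: str, teams: list) -> set:
    """Union of the permissions on every team the user belongs to and on each
    ancestor of that team. The root team (no parent) implicitly contains every
    user, which is what makes a permission set there global."""
    effective = set()
    for team in teams:
        if user in team.members or team.parent is None:
            node = team
            while node is not None:  # walk up: subteams inherit downward
                effective |= node.permissions
                node = node.parent
    return effective

def demo() -> dict:
    """Constructed hierarchy mirroring slides 11 and 30; all names made up."""
    org = Node("Anypoint Organisation (master)")
    bg1 = Node("Business Group 1", parent=org, roles={"alice": {"CloudHub Admin"}})
    bg11 = Node("Sub Business Group 1.1", parent=bg1)
    root_team = Node("Organisation", permissions={"Exchange Viewer"})
    eng = Node("Engineering", parent=root_team, permissions={"Exchange Contributor"})
    platform = Node("Platform", parent=eng, members={"bob"})
    teams = [root_team, eng, platform]
    return {
        "alice_in_bg1": business_group_roles("alice", bg1),
        "alice_in_bg11": business_group_roles("alice", bg11),  # set(): not inherited
        "bob": team_permissions("bob", teams),       # Engineering + global
        "carol": team_permissions("carol", teams),   # in no team: global only
    }
```

Run `demo()` to see that alice's role in Business Group 1 does not appear in its sub-group, while bob picks up both the Engineering permission and the global one through his subteam.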
- 34. Summary
● Utilization of SSO
● Using Audit to monitor account activities
● Access Control Management using Teams