Authorization Services
Claims and Role-Based Access Control for Enterprise Wide Security
Copyright © 2010. Dot Net Workflow is a trademark of The Dot Net Factory, LLC. | www.TheDotNetFactory.com

Security Challenges
"It should be easier to get access to the IT resources I need to work."
"I want to delegate management but not lose control."
"How can we report on who has access to what across all our systems?"

The "Make Like Bob" Problem: Security Based On a Moving Target
[Diagram: Bob, "Sales Executive", accumulates access over time (Day 1, Year 2, Year N: "New Access Granted") across protected resources: SharePoint (multiple sites and roles), PO Approver, AD user in OU X (CMH), custom applications, CRM, LDAP user, Send As Bob, Payroll and Unix user, Full Access to the Sales Share, Conference Room 5401. Each link is marked "?": Who are you? New Hire: Jim, "Sales Executive"; New Hire: Sarah, "Sales Executive".]

The Challenge with an AD Groups-only Approach
[Diagram: John's user accounts are placed in groups, and the groups grant access to protected resources: SharePoint (multiple sites and roles), PO Approver, Helpdesk Manager, custom applications, the Helpdesk mailbox, Send As John, Full Access to a shared mailbox, Conference Room 5401. Between the person and the access granted there is "No Reportable or Auditable Link": Who are you? What can you access, when, and why?]

Protected Resource Types: EmpowerID Is an Open Box System Supporting an Unlimited Number of Resource Types
[Diagram: types of protected resources, e.g. Custom Applications, Windows Servers, SAP, Microsoft SharePoint, Groups, Web Resources, Mailboxes.]
Dot Net Workflow is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called "Resource Systems". EmpowerID modules inventory Resource Systems and enforce permissions.

Protected Resource Objects: Each Resource Type Is a Rich, Strongly Typed Object That Flows in Processes
Dot Net Workflow leverages strongly typed objects to enable drag-and-drop process design, where objects can be passed between workflow steps and processes in a code-free manner and bound to forms as live data.

Resource Types Define Rights and Operations: Rights Are External Permissions and Operations Are EmpowerID Actions
Operations are specific tasks a user may perform or approve within an EmpowerID workflow or custom application. Granting EmpowerID Operations does not grant the user any capabilities within the native system.
Rights are native permissions used by the application or operating system owning the resource. Granting Rights enables capabilities in that system. Rights are continually monitored and enforced by EmpowerID.
Example: Exchange Mailbox
Example Mailbox Operations:
Decrease Quota
Edit SMTP
Enable OWA
Enable Calendar Auto-Accept
Edit Forwarding
Grant Send As
Grant Send On Behalf
Example Mailbox Rights:
Send As
Send On Behalf
Full Access

Resource Roles (Application Roles): Logical Bundles of Rights and Operations
[Diagram: Rights and Operations combined into a Resource Role Definition.]

[Diagram, continued: example mailbox Resource Role labels "Send As" and "Outlook Full Control".]
Resource Roles are convenient bundles of Rights and Operations specific to a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).

The Bottom Line: Access = Person → Resource Role
All Assignment Types Result in Matching a Person to a Resource Role
[Diagram: Person "Steve Smith" is matched, via any possible assignment path, to a Resource Role (Editor, Administrator, Outlook Full Control) for the Resource "John Doe's Mailbox".]
All permissions management in EmpowerID occurs by some type of assignment that results in a Person being granted a Resource Role for a Resource.

The Measure of an RBAC System Is Its Flexibility in Obtaining Collections of People and Collections of Resources
[Diagram: Left Side = People; Right Side = Resources; a Resource Role links the two.]
The key is how to assign the proper people to the proper Resource Roles without creating and managing large numbers of static assignments.

Right Side: Collections of Resources
Resource Roles Are Assigned to Single Resources or By Location
[Diagram: an Actor (any actor type) holds a Resource Role (Editor, Administrator) either directly for a single Resource or by Location with inheritance; the covered collection of resources is the "Scope".]
Resource Role assignments are limited or "scoped" by assigning the Resource Role only for a single Resource or for all Resources in or below a specific EmpowerID Location.

Locations Represent Logical and Actual Resource System Hierarchies
[Diagram: physical "Resource System" trees and logical trees; the Location of a Resource; inheritance of delegations down the tree.]
The Dot Net Workflow metadirectory supports both Logical and Physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.

RBAC Mapping: Map Physical Directory Locations to Logical Locations
Business Role and Location mappings allow existing physical directory Locations and roles to be mapped to a logical management structure. For example, multiple AD or LDAP directory containers for "London" can be visually mapped to a single virtual "London" Location for unified management and delegation.

Management Role Inheritance: Management Roles Inherit Resource Roles Assigned to Their Definitions
[Diagram: the "IT Helpdesk" Management Role Definition has child Management Roles "IT Helpdesk (North America)", "IT Helpdesk (Asia)" and "IT Helpdesk (Europe)".]
Management Roles inherit Resource Role assignments from their definition and then include any assignments to the Management Role itself. The inheritance can only be 1 level deep, from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than 1 parent.

Management Role Definition: IT Helpdesk
Viewer: Distribution Group @ %SpecifyLocation%
Membership Manager: Distribution Group @ %SpecifyLocation%
Administrator: User Accounts @ %SpecifyLocation%
Administrator: Computers @ %SpecifyLocation%
Membership Manager: All Employees Group
…
Management Roles are job- or responsibility-based bundles of Resource Roles to allow quick and consistent delegation of the IT access needed to perform job responsibilities.

Management Role: IT Helpdesk (North America)
Viewer: Distribution Group @ NA Location and below
Member: All NA Employees Group
Membership Manager: Distribution Group @ NA Location and below
Administrator: User Accounts @ NA Location and below
Administrator: Computers @ NA Location and below
Member: All NA Employees Group
Membership Manager: All NA Employees Group
…
Management Roles are job- or responsibility-based bundles of Resource Roles and Resource Type Roles to allow quick and consistent delegation of the IT access needed to perform job responsibilities.
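A toy implementation of the assignment model the deck describes: Resource Roles bundle native Rights and EmpowerID Operations, assignments are scoped to one resource or to a Location and everything below it, a Management Role definition with %SpecifyLocation% is instantiated for "NA" one level deep, and every Person to Resource Role to Resource path is reportable. This is an added example in Python, not EmpowerID or Dot Net Workflow code; the Location tree, the distribution group operations, and the people and resources are constructed sample data, while the mailbox Rights and Operations and the role names are taken from the deck.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed sample Location tree (child -> parent); "NA Location and below" as in the deck
LOCATIONS = {"Global": None, "NA": "Global", "Boston": "NA", "Europe": "Global", "London": "Europe"}
SPECIFY = "%SpecifyLocation%"  # placeholder used in the deck's Management Role definition

def location_chain(loc: str):
    """Yield loc, then each parent up to the root; a role scoped at any of them covers loc."""
    while loc is not None:
        yield loc
        loc = LOCATIONS[loc]

@dataclass(frozen=True)
class Resource:
    name: str
    rtype: str     # Resource Type ("Mailbox", "Distribution Group", ...)
    location: str  # physical Location the resource belongs to

# rights: native permissions enforced in the owning system; operations: EmpowerID workflow
# actions that grant nothing natively. Mailbox entries follow the deck; group ones are constructed.
ResourceRole = namedtuple("ResourceRole", "rtype rights operations")
RESOURCE_ROLES = {
    "Editor: Mailbox": ResourceRole("Mailbox", frozenset({"Send On Behalf"}),
                                    frozenset({"Edit Forwarding", "Enable OWA"})),
    "Membership Manager: Distribution Group": ResourceRole("Distribution Group", frozenset(),
                                                           frozenset({"Add Member", "Remove Member"})),
}

@dataclass(frozen=True)
class Assignment:
    """A Resource Role scoped to exactly one resource or to a Location subtree."""
    role: str
    resource: Optional[str] = None
    location: Optional[str] = None

    def covers(self, res: Resource) -> bool:
        if RESOURCE_ROLES[self.role].rtype != res.rtype:  # Resource Roles are type-specific
            return False
        if self.resource is not None:
            return self.resource == res.name
        return self.location in location_chain(res.location)

def instantiate(definition: list, location: str, own: list) -> list:
    """Child Management Role = definition with %SpecifyLocation% bound + its own assignments.
    The child is a flat list and is never itself a definition: inheritance is one level deep."""
    bound = [Assignment(a.role, a.resource, location if a.location == SPECIFY else a.location)
             for a in definition]
    return bound + list(own)

IT_HELPDESK_DEFINITION = [Assignment("Membership Manager: Distribution Group", location=SPECIFY)]
MANAGEMENT_ROLES = {"IT Helpdesk (North America)": instantiate(
    IT_HELPDESK_DEFINITION, "NA",
    own=[Assignment("Membership Manager: Distribution Group", resource="All NA Employees Group")])}
# Person -> (direct Resource Role assignments, Management Role memberships); constructed sample
PEOPLE = {"Steve Smith": ([Assignment("Editor: Mailbox", resource="John Doe's Mailbox")],
                          ["IT Helpdesk (North America)"])}

def access_paths(person: str, res: Resource) -> list:
    """Every (Resource Role, path) by which person reaches res: the reportable, auditable link."""
    direct, mgmt_roles = PEOPLE[person]
    paths = [(a.role, f"direct @ {a.resource or a.location}") for a in direct if a.covers(res)]
    for mr in mgmt_roles:
        paths += [(a.role, f"{mr} @ {a.resource or a.location}")
                  for a in MANAGEMENT_ROLES[mr] if a.covers(res)]
    return paths

def effective_permissions(person: str, res: Resource) -> tuple:
    """Union of native Rights and EmpowerID Operations over every matching Resource Role."""
    rights, ops = set(), set()
    for role, _ in access_paths(person, res):
        rights |= RESOURCE_ROLES[role].rights
        ops |= RESOURCE_ROLES[role].operations
    return rights, ops
```

Calling access_paths("Steve Smith", Resource("Sales DL", "Distribution Group", "Boston")) answers the deck's "who has access to what, and why" question with the path through the NA helpdesk Management Role, and a resource in London yields no path because NA is not in its Location chain.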