Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 1
•
2 gefällt mir•1,844 views
As companies globalize and consolidate their SAP systems, they face an increasing need to control access to sensitive data based on fine grained user profiles. Traditionally, companies have managed this access by defining fine grained roles, leading to an explosion of roles that are inconsistent and hard to manage. In this webinar series, attendees will learn: - The key trends driving role explosion - The challenges of role explosion - Example use cases that drive role explosion - How attribute-based access control (ABAC) can alleviate the problem Attendees will also see demonstrations of use cases illustrating how role explosion happens, and how ABAC can help reduce role explosion.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 1
Ähnlich wie Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 1 (20)
Mehr von NextLabs, Inc.
Mehr von NextLabs, Inc. (16)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 1
- 1. © 2005-2013 NextLabs Inc. Managing Role Explosion with Attribute-based Access Control: More Roles than Employees? Sandeep Chopra Director of Product Management NextLabs, Inc.
- 2. © 2005-2013 NextLabs Inc. Slide 2 2-Part Series Part 1 – More Roles than Employees Trends and drivers for role explosion, cost of role management Demonstrations of typical use cases that drive role explosion Part 2 – “Attributes” is the new Role Basics of ABAC and how it can help reduce role explosion Demonstrations of typical use cases and how ABAC works.
- 3. © 2005-2013 NextLabs Inc. Slide 3 Agenda Session1 Access Control Challenges Today Authorization Dimensions Role Based Access Control and Role Explosion Authorization Decision Map Next Week’s Preview Session 2 Attribute Based Access Control and Information Control Policies Demonstration Examples Question and Answers
- 4. © 2005-2013 NextLabs Inc. Slide 4 Information Risk Management Challenge Compliance with Regulations • Global Business Model • External Partners • Distributed Supply Chain Collaboration • Business Process Transformation • Single Application Instance • Shared Services • Compliance with Contractual Obligations (NDAs, PIAs) • Disclosure of Critical IP Intellectual Property Protection • Export Control (ITAR, EAR, UKMOD) • Financial • Health and Privacy Consolidation and Efficiency “How do I control access to information across server, cloud, and client applications in a cost-effective manner?” Information Sharing Information Governance
- 5. © 2005-2013 NextLabs Inc. Slide 5 Business Authorization Dimensions ● Functional Access ● Determine the actions a user can perform ● Data Access ● Determine the data a user can see ● Governance ● Rules for access management Functional Access DataAccess
- 6. © 2005-2013 NextLabs Inc. Slide 6 Authorization Layers
- 7. © 2005-2013 NextLabs Inc. Slide 7 Real need for more controls Finance Engineering Manufacturing Purchasing Suppliers Partners Cost Analysis Engineering Designs Vendor Analysis BOM Structures Demand Forecasts Information
- 8. © 2005-2013 NextLabs Inc. Slide 8 Finance Engineering Manufacturing Purchasing Suppliers Partners Finer grained controls Engineerin g Designs Program Data Export Controlled Proprietary Usage Control
- 9. © 2005-2013 NextLabs Inc. Slide 9 Resources Type Scale Application 100-1,000s Service 1,000s Functions 1,0000s Data Type 10,000-100,000s Documents 1,000,000s-100,000,000s Data 1,000,000,000s+ What type of resources do you need to authorize?
- 10. © 2005-2013 NextLabs Inc. Slide 10 Real life example Attributes Possible Values # Project Membership PR01, PR02.. 10 US Citizen No/Yes 2 Location US, China 5 Export License NR, ITAR, EAR 5 NDA No, NDA-01 5 Usage View, Change, Copy, Send 4 10,000
- 11. © 2005-2013 NextLabs Inc. Slide 11 Challenge – Exploding Access Complexity Companies have multiple access variables • Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA) • Multiple IP Control Agreements (e.g. PIEA, NDA) • Multiple Applications and Systems (e.g. PLM, ERP, SCM) Traditional role based access control (RBAC) explodes based on the number of variables Number of Access Variables RequiredAccessRules
- 12. © 2005-2013 NextLabs Inc. Slide 12 Roles – Numerical Example Scenario Derived Role Enabler Role 50 Functional roles & 5 Subsidiaries 300 total roles: 50 Functional roles 5 derived company code 35 derived Plants 56 roles: 50 Functional roles 1 enabler template – Company code 1 enabler roles for Plant 35 Plants under 5 subsidiaries 1840 Roles 50 x 35 = 1,750 1,750 + 5+ 35 + 50 = 1840 Roles 1802 Roles 50 Functional roles x 35 plants = 1,750 1750 + 50 + 2 = 1802 Benefit Baseline 5% less than Derived roles 1Company 5Subsidiaries 7 Plants/Subsidiary = 35 Plants
- 13. © 2005-2013 NextLabs Inc. Slide 13 Roles across multiple systems RolesAttributes BW Users
- 14. © 2005-2013 NextLabs Inc. Slide 14 Customization & Maintenance Costs $241.01 User Adoption cost per role 56% think there is lack of standardization in roles across different applications and systems. * Reference 2010 Economic Analysis of Role-Based Access Control Guide to Attribute Based Access Control 9 applications per user 17 roles per user across applications 35 Administrative actions per role $40M Life time cost on 10,000 Users
- 15. © 2005-2013 NextLabs Inc. Slide 15 About NextLabs NextLabs Entitlement Manager is an SAP-Endorsed Business Solution Policy-driven, information risk management software for Global 5000 enterprises. Help companies achieve safer and more secure internal and external collaboration Ensure proper access to applications and data Facts Locations HQ: San Mateo, CA Boston, MA Hangzhou, PRC Malaysia Singapore 40+ Patent Portfolio Major go-to-market Partners: IBM, SAP, HCL-AXON, Hitachi Consulting “We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.” - Keng Lim, Chairman and CEO NextLabs Overview
- 16. © 2005-2013 NextLabs Inc. Slide 16 Thank You! Thank you for viewing a preview of Part 1 of our Managing Role Explosion with Attribute-Based Access Control webinar series. To watch our complete recording, CLICK HERE. In the remainder of this webinar, you will see Demonstrations of typical use cases that drive role explosion.
Hinweis der Redaktion
- And whether you are trying to protect data within different teams inside your company or trying to protect the information being shared outside your company, more information shared translates to more information controls.You have multiple functional teams in your company. Every department produces different kind of data in your and shares them across departments and sometime outside your company.Take the example I have above. Finance creates a cost analysis for a project and shares the information with the Purchasing department with approval for the project. Now this information is proprietary and cannot be shared outside the project, department and even company. How do you control the usage of this information once a authorized user accesses the information.Similarly, Engineering design documents and BOM Structures are generally shared across multiple departments. Lets further refine the example for just access controls on Engineering design documents. We understand that your Engineering, Manufacturing, Suppliers and Partners all need access to appropriate transactions in your SAP landscape. But is this just a transactional level access to all departments? Would you imagine providing access to all users in different functional roles to the Engineering Design documents will suffice given the complexity of your growing business?
- And whether you are trying to protect data within different teams inside your company or trying to protect the information being shared outside your company, more information shared translates to more information controls.You have multiple functional teams in your company. Every department produces different kind of data in your and shares them across departments and sometime outside your company.Take the example I have above. Finance creates a cost analysis for a project and shares the information with the Purchasing department with approval for the project. Now this information is proprietary and cannot be shared outside the project, department and even company. How do you control the usage of this information once a authorized user accesses the information.Similarly, Engineering design documents and BOM Structures are generally shared across multiple departments. Lets further refine the example for just access controls on Engineering design documents. We understand that your Engineering, Manufacturing, Suppliers and Partners all need access to appropriate transactions in your SAP landscape. But is this just a transactional level access to all departments? Would you imagine providing access to all users in different functional roles to the Engineering Design documents will suffice given the complexity of your growing business?
- Now lets take this example to a level closer to the complexity in your organization and see how much more complex the role design gets. Imagine your company needs to control access based not just based on functional roles but also based on Project Membership, Citizenship, Location, Export Licenses, NDAs and Usage of data. Imagine Engineers, Partners, Supplier are part of 10 different projects. And the data access is restricted based on 2 possible values of Citizenship. Also, these users are spread across 5 countries and some information like the BOM structures is restricted access for a user in specific country. Also, access to non-us citizens can be extended using some Export Licenses and your company maintains 5 such licenses. In addition to this the usage of data should also be restricted based on details like project, location and functional role. Now with all these access control restrictions, you will have to create 10,000 role combinations for users in these different departments irrespective of their functional roles. And given the fact that these authorizations are not part of your standard authorization model, you will have to design custom authorization models to cater to these needs.
- We can achieve the same level of organizational controls using the attributes such as Company and Department attached to the user and mapping that to the organization attributes of the resource being accessed. With dynamic matching of attributes, we can achieve the same result with just 50 functional role and 1 policy. The policy will match appropriate resource and user attributes to provide access to users for a specific resource.Even if we have to extend the requirements to a finer grained level such as user location and export controlled data, it is just another attribute that needs to be matched in a policy, not create another set of roles for different types of citizens.This results in reducing the number of roles created and managed by a minimum of 97% in the best possible scenario we discussed so far with Roles. That’s a huge reduction in cost and management time with 97% less roles to manage and maintain.
- And when we expand this to an actual landscape with a number of different systems, you are creating multiple roles for users for different systems and application. Whats important to note here is the users who are given access to different systems are the same users with a set of attributes like department, role etc., already attached to them. These attributes define the kind of access they are allowed Irrespective of the role. And even so, users are attached to static roles and everytime these attributes are changed, they are assigned to new roles which reflect the attributes. Wouldn’t it be easy to write permissions by directly using the user attributes?
- What is the current state SAP Users compared to roles?What is the average role assignment per user?What is the average assignment of transaction codes assigned per user?Of the transaction codes assigned, what is the percentage of use?