3. Company Overview
Founded in 2002
Headquarters: Cologne
Represented throughout Germany
40 employees
30.10.2013
ORG Product Presentation
3
4. Company Overview: Software & Consulting
Software
Business Consulting
• Access Governance Concepts
• Process Optimization
• Project- / Test Management
IT Consulting & Development
• Software Development
• IT Security
• IT-Project- / Test Management
7. Access Management: Conventional method
Employee: New Entry, Fluctuation, Departmental Change
Several System-Administrators
Systems and the kind of rights each one uses:
• RACF: Group
• SAP HR: SAP-Role
• Indiv. Applications: Groups / Individual Rights
• P&C Administration: Individual Rights
• Partner System: Individual Rights
• Notes/Outlook: Group
• LDAP: e.g. Group Membership
• Databases: Indiv. / Role
Individual Systems often use Individual Rights
8. Solution: ORG
Central administration of user rights
Central, lean Administration
automated provisioning
Employee
- New Entry
- Fluctuation
- Departmental Change
External
- Known customer
- Prospect
- …
User Rights based on:
- Roles/Rights model
- Attributes
Interfaces:
SPML-Systems:
- Novell Identity Manager
- IBM Tivoli Directory Integrator
- openSPML
Directory Systems
- Microsoft AD
- IBM Tivoli Directory Server
- openLDAP
- Novell eDirectory
- SUN one Directory Server
- …
Other systems
- SAP R3
- RACF
- INTERFLEX
APIs
- Java (SE & EE)
- Windows / Unix (C)
- z/OS (Cobol, PL/1, C)
11. Model: Historicizing, life cycle
Time
Status:
future
Create
Status:
current
Edit or delete
Status: historicized
Expired or deleted
No physical deletion: the database entry is marked as "deleted".
Historicizing of all changes of an object or of a relation between objects, including the initiator and the time.
12. SPML Webservice: Architecture
Interface to approval workflow:
• ORG Approve
• Lotus Notes
• SharePoint
• etc.
Interface to higher-level systems:
• HR systems (e.g. SAP HR, …)
• IDM systems (e.g. IBM TIM, Novell IDM, …)
• etc.
13. Approval Workflow (with ORG Approve)
• Self Service
• The permissions that can be requested depend on the owner's role (e.g. a normal employee is not permitted to request an executive's role)
• 4-eyes principle supported (in parallel and sequentially)
• MaRisk AT 7.2 compliant
15. Model: Standard software
Modeling
• User and Role are always available.
• Position, Role group and Organization unit are optional.
Typical use
• Systems that store their own detailed permissions.
• E.g. the system must allow roles or groups to carry authorizations.
Examples
• LDAP directory (e.g. Active Directory)
• SAP
• RACF
Diagram: User, Organization unit, Position, Role group, Role; External system: User, Role or group, Indiv. rights
17. ORG Connector: Attribute mapping
Attribute mappings are freely configurable.
The source in ORG can be:
• An attribute of the user
• Values of a user's competence for any competence scheme
• Composite values built via a formation rule
19. Model: Homegrown software
Modeling
• Users and competence scheme are always available.
• Position, role group, role and OU are optional.
• Competencies can be defined for users, roles or positions.
Typical use
• In-house developments
• Systems that provide an exit for obtaining authorizations.
Diagram: User, Position, Organization unit, Role group, Role, Competence, Competence scheme
20. ORG APIs: Access to runtime db
21. Process logic: Runtime DB access
Application "life" → Functional Authorization capsule → ORG API
• Verify the payout: the application calls isPayoutPermitted(userid, value)
• The capsule calls hasCompetence(userid, "PayoutContract", "Life", value)
• Database consultation
• Result (Yes or No) is returned to the capsule, and from there to the application
The process logic is basically the same for all APIs.
It makes sense to bundle all functional authorizations of an application into one specific Functional Authorization capsule.
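The call chain on this slide, sketched in C as an added example (not ORG's own code or API): a functional authorization capsule exposes isPayoutPermitted and delegates to hasCompetence, which consults a constructed in-memory table standing in for the runtime DB. The row layout, the parameter names, the reading of `value` as an upper limit, and the rule that only entries in status "current" grant anything are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Life-cycle status of an entry (future / current / historicized). */
typedef enum { ST_FUTURE, ST_CURRENT, ST_HISTORICIZED } entry_status;

/* Hypothetical runtime-DB row; field names are assumptions. */
typedef struct {
    const char *userid, *competence, *context;
    long limit;               /* assumed meaning: highest permitted value */
    entry_status status;
} competence_row;

/* Constructed sample data standing in for the runtime DB. */
static const competence_row RUNTIME_DB[] = {
    { "u1001", "PayoutContract", "Life", 5000,  ST_CURRENT },
    { "u1002", "PayoutContract", "Life", 50000, ST_HISTORICIZED },
    { "u1003", "PayoutContract", "Life", 20000, ST_FUTURE },
};

/* Stand-in for the API call named on the slide; semantics are assumed. */
bool hasCompetence(const char *userid, const char *competence,
                   const char *context, long value)
{
    if (!userid || !competence || !context || value < 0)
        return false;                     /* fail closed on bad input */
    for (size_t i = 0; i < sizeof RUNTIME_DB / sizeof RUNTIME_DB[0]; i++) {
        const competence_row *r = &RUNTIME_DB[i];
        if (r->status == ST_CURRENT &&    /* expired or not-yet-valid rows never grant */
            strcmp(r->userid, userid) == 0 &&
            strcmp(r->competence, competence) == 0 &&
            strcmp(r->context, context) == 0 &&
            value <= r->limit)
            return true;
    }
    return false;                         /* no matching row: deny */
}

/* Functional authorization capsule: the application asks a business
   question and never sees competence names or the DB layout. */
bool isPayoutPermitted(const char *userid, long value)
{
    return hasCompetence(userid, "PayoutContract", "Life", value);
}

int main(void) { return isPayoutPermitted("u1001", 4000) ? 0 : 1; }
```

Keeping the competence names inside the capsule means a change to the authorization model touches one module rather than every call site in the application.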
22. Interfaces
SPML systems:
• Novell Identity Manager
• IBM Tivoli Directory Integrator
• openSPML
Directory systems:
• Microsoft Active Directory
• IBM Tivoli Directory Server
• openLDAP
• Novell eDirectory
• SUN one Directory Server
• ApacheDS
• RACF LDAP-Server
• other systems
Other connectors available for:
• SAP R3
• RACF
• SharePoint
• INTERFLEX
APIs available for the following platforms:
• Java (SE & EE)
• Windows / Unix (C)
• z/OS (Cobol, PL/1, C)
23. Summary
• Single Point of Administration and Control
• Reduction of Time, Cost and Complexity
• History management / Revision proof
• Supports RBAC / ABAC
• Integration in company-wide environments is proven
• Integration of organizational structure information
• Distributed and delegated administration (configurable)
• Multi-client capable
• High performance & fail-safe
• Corporate Design applicable