Product Architecture

The architecture is the foundation of ORG's distinctive features: the software is fail-safe, provides high performance and supports both RBAC and ABAC.

Numerous connectors ensure that ORG can be used across many different platforms.

(Illustration: architecture)

Architectural Highlights

  • Fail-safe
  • High Performance
  • Single Point of Administration and Control
  • Cross Platform
  • ORG Connector (RBAC)
  • ORG API (RBAC and ABAC)
  • Data Model
  • Links to upstream systems

Interfaces

The many ORG interfaces offer easy connection with existing systems.

SPML systems:
Novell Identity Manager, IBM Tivoli Directory Integrator, openSPML

Directory systems:
Microsoft Active Directory, IBM Tivoli Directory Server, OpenLDAP, Novell eDirectory, Sun ONE Directory Server, ApacheDS, RACF LDAP server and other systems

Other connectors available for:
SAP R/3, RACF, INTERFLEX

APIs available for the following platforms:
Java (SE & EE), Windows (C), z/OS (Cobol, PL/1, C)


Fail-safe

The ORG system is divided into an administrative and a productive environment (Illustration: left and right side). This separation ensures high reliability: an outage or change in the administrative environment does not stop authorization checks in the productive environment.


High Performance

There are two ways to transport authorization data from the ORG Server admin database to the productive environment.

  1. The ORG runtime data distribution (ORG RDD) de-normalizes the fine-grained rights information that the target systems need and pushes it into the ORG runtime databases. The ORG runtime databases can be part (tables) of productive databases. High-performance access is ensured using the ORG APIs.
  2. The ORG connector with its specialized agents for target systems transfers user/role information to the specific authorization data stores (e.g. LDAP, RACF, SAP, …).

This architecture allows fast authorization requests and ensures high performance.
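To show what the de-normalization in step 1 buys at request time, here is an added Python example; it is not ORG's own code, and the table names, the sqlite3 in-memory databases standing in for the admin and productive databases, and the sample users, roles and competences are constructed assumptions:

```python
import sqlite3

# Constructed sample of the normalized admin model. Assumption: table and
# column names are illustrative, not ORG's real admin DB schema.
USER_ROLE = [("alice", "claims_clerk"), ("bob", "claims_manager")]
ROLE_COMPETENCE = [
    ("claims_clerk", "claim.read"),
    ("claims_manager", "claim.read"),
    ("claims_manager", "claim.approve"),
]


def build_admin_db():
    """Normalized admin DB: user -> role -> competence across two tables."""
    admin = sqlite3.connect(":memory:")
    admin.executescript("""
        CREATE TABLE user_role(user_id TEXT, role TEXT);
        CREATE TABLE role_competence(role TEXT, competence TEXT);
    """)
    admin.executemany("INSERT INTO user_role VALUES (?, ?)", USER_ROLE)
    admin.executemany("INSERT INTO role_competence VALUES (?, ?)", ROLE_COMPETENCE)
    return admin


def runtime_data_distribution(admin):
    """The RDD step: resolve the user/role/competence join once in the admin
    environment and push the flat result into a runtime table keyed for
    direct lookup (here an in-memory DB stands in for a productive one)."""
    rows = admin.execute("""
        SELECT DISTINCT ur.user_id, rc.competence
        FROM user_role ur JOIN role_competence rc ON rc.role = ur.role
    """).fetchall()
    runtime = sqlite3.connect(":memory:")
    runtime.execute("""CREATE TABLE user_competence(
        user_id TEXT, competence TEXT, PRIMARY KEY (user_id, competence))""")
    runtime.executemany("INSERT INTO user_competence VALUES (?, ?)", rows)
    runtime.commit()
    return runtime


def has_competence(runtime, user_id, competence):
    """Runtime API check: a single primary-key lookup, no joins at request
    time. The runtime copy is derived data, so a change in the admin DB only
    takes effect after the next distribution run."""
    row = runtime.execute(
        "SELECT 1 FROM user_competence WHERE user_id = ? AND competence = ?",
        (user_id, competence),
    ).fetchone()
    return row is not None
```

The operational consequence is visible in the last function: a revoked role is only effective in the productive environment once the RDD has run again, so the distribution schedule is part of the security posture.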

(Illustration: Technical information)

Single Point of Administration & Control

The ideal solution is a centralized and standardized user rights administration that automatically provisions access rights to the business applications, regardless of whether these are mainframe, client/server or web applications.

The central administration database of ORG contains all current, future and past permissions of all applications (standard applications and custom developments). ORG therefore meets the highest auditability requirements and enables the Single Point of Administration and Control.

Use Case: Single Point of Administration and Control / Company-wide Access Governance

Background:
An authorization request had to be implemented separately for each system by various system administrators. This process took a long time, was error-prone and led to non-productive time.

Solution:
The centralized and standardized authorization system ORG was the ideal solution for a large insurance company. Access and user rights are now provisioned automatically to the individual business applications. The central database provides an overview of past, current and future privileges across all platforms at any time. Changes to permissions for organizational reasons, staff turnover etc. are provisioned at the push of a button.

Auditors and accountants appreciate the centralized, enterprise-wide, current, historicized and valid permission records.

Administration can be Role Based (RBAC - Role Based Access Control) as well as Attribute Based (ABAC - Attribute Based Access Control).

(Illustration: central administration)

Cross Platform

The central component of the administration environment is the ORG server with the ORG administration database. The ORG server runs on z/OS, Unix and Windows. The company's entire implemented permission model is mapped in the ORG Admin DB (DB2 or Oracle). In addition to the currently valid data, the whole history and the planned administrative changes are stored tamper-proof and audit-proof.


ORG Connector (RBAC)

The ORG connector architecture is modular. The interface to the ORG Server and the logic for the exchange of information are the same for all target systems; agents for the interfaces of specific target systems are available. The ORG connector architecture allows bi-directional synchronization and quick implementation of new agents.

ORG supports RBAC:
Business applications with proprietary (e.g. SAP) or standard (e.g. LDAP) role based user rights storage can easily be supported by ORG. The ORG connector pushes the user role information into the specific user rights data storage. The business applications still use their role based access control without any changes.

(Illustration: ORG connector)

ORG API (ABAC)

ORG provides three APIs for fine-grained access to privilege information in the runtime databases:

  1. The Java API can be used in Java EE and Java SE environments.
  2. The z/OS API is available for Cobol and PL/1. It can be used within transaction monitors (IMS or CICS) or batch applications.
  3. The Windows/Unix API is designed for C/C++ development on these operating systems.

Thanks to the de-normalized tables of the runtime databases, these requests are highly performant.

ORG supports ABAC:
Business applications that need fine-grained access right information use the ORG APIs. An ORG access right decision is based on whatever attributes the business application supplies. The business application itself no longer needs its own application-specific access rights storage.

(Illustration: ORG supports ABAC)

Use Case: Fine grained Access Management / Externalized Access Management

Background:
The homegrown access control system could not be extended to fine-grained access management. The necessary functional extensions to the Novell IDM would have been substantial and expensive.

Solution:
Novell IDM was kept as the leading system for identity and role assignment, and ORG became responsible for the fine-grained authorization checks. Novell IDM and ORG were connected via the SPML interface. The application development department now uses ORG as an EAM system (Externalized Authorization Management) and can define complex rule sets to enable fine-grained access management.

This simplifies the application development and guarantees a consistent authorization model for all business applications.

(Illustration: Fine-grained authorization management)

ORG - XACML component mapping

The following table maps the ORG components to the corresponding XACML components (XACML = eXtensible Access Control Markup Language):

ORG terms | XACML terms
The ORG Server and administration database | PAP (Policy Administration Point, which is used to define access policies and their component rules) and PRP (Policy Retrieval Point, which is the policy store for all applications)
ORG Runtime database | PRP (Policy Retrieval Point; in ORG it is the de-normalized policy store for at least one particular application in a particular environment)
ORG APIs in connection with the ORG Runtime databases | PDP (Policy Decision Point, which evaluates rules to make policy decisions)
Central module in applications which calls the ORG API | PEP (Policy Enforcement Point, which enforces policy decisions)

In the future, ORG will be enhanced to follow the OpenAz standard in order to provide a standardized model for application and middleware to invoke access control capabilities.
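An added Python sketch of the PRP, PDP and PEP rows of the mapping, which also illustrates the attribute-based decision described under "ORG supports ABAC" above. It is not ORG's code: the rule shape (role, competence, attribute constraints), the attribute names and the sample roles and claims are constructed assumptions.

```python
# Constructed runtime policy store, playing the PRP for one application.
# Assumption: the tuple shape (role, competence, {attribute: (op, bound)})
# is illustrative and not ORG's real runtime schema.
POLICY_STORE = [
    ("claims_clerk", "claim.approve", {"amount": ("<=", 5000),
                                        "region": ("in", {"north"})}),
    ("claims_manager", "claim.approve", {"amount": ("<=", 50000)}),
    ("claims_clerk", "claim.read", {}),
]


def _constraint_holds(op, bound, value):
    """Evaluate one attribute constraint; unknown operators fail closed."""
    if op == "<=":
        return value <= bound
    if op == "in":
        return value in bound
    raise ValueError(f"unknown operator {op!r}")


def pdp_decide(roles, competence, attrs):
    """Policy Decision Point: evaluate the de-normalized rules for the
    caller's roles against the attributes the application supplied.
    Default is Deny, and a rule that references an attribute missing from
    the request cannot match."""
    for role, comp, constraints in POLICY_STORE:
        if role not in roles or comp != competence:
            continue
        if all(name in attrs and _constraint_holds(op, bound, attrs[name])
               for name, (op, bound) in constraints.items()):
            return "Permit"
    return "Deny"


def pep_approve_claim(user_roles, claim):
    """Policy Enforcement Point inside the business application: it builds
    the request from the claim's own data and acts only on an explicit
    Permit, so the application keeps no rights store of its own."""
    attrs = {"amount": claim["amount"], "region": claim["region"]}
    return pdp_decide(set(user_roles), "claim.approve", attrs) == "Permit"
```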


Data Model

ORG supports a variety of entities.

The model supports the IT-based capture of the organizational structure, the construction of a role model and the capture of fine-grained detail rights, which ORG calls "competences".

Which of the supported entities are actually used depends on the particular environment of the client. The only required entities are "user" and "role". When fine-grained privileges are used, "competence" and "competence scheme" are also necessary.


Links to upstream systems

The ORG SPML interface is a web service, currently using SPML 1.0. Via the ORG SPML interface, ORG objects (e.g. user, position, role, mappings, etc.) can be created, changed, deleted or read by an upstream system (e.g. SAP HR). Every activity is controlled and historicized by ORG. An existing IDM system can be extended with ORG by defining complex technical authorization rules.

Administrative access to the ORG Server is via web or fat client. Upstream systems (e.g. SAP HR) are able to send contracts for automated administration to the ORG Server via the SPML web service.