The architecture is the foundation of the product's features: the software is fail-safe, provides high performance and supports both RBAC and ABAC.
Numerous connectors ensure that ORG can be used across many different platforms.
The many ORG interfaces offer easy connection with existing systems:
Identity management and provisioning interfaces: Novell Identity Manager, IBM Tivoli Directory Integrator, openSPML
Directory servers: Microsoft Active Directory, IBM Tivoli Directory Server, OpenLDAP, Novell eDirectory, Sun ONE Directory Server, ApacheDS, RACF LDAP server and further systems
Other connectors available for: SAP R/3, RACF, INTERFLEX
APIs available for the following platforms: Java (SE & EE), Windows (C), z/OS (COBOL, PL/I, C)
The ORG system is divided into an administrative and a production environment (see illustration: left and right side). This separation ensures high reliability: administration work happens on the admin side, while authorization requests are served from the separate runtime store on the production side.
There are two ways of transporting data from the ORG Server admin database to the production environment.
This architecture allows quick authorization requests and ensures high performance.
The ideal solution is a centralized and standardized user rights administration that automatically provisions access rights to the business applications, regardless of whether these are mainframe, client/server or web applications.
The central administration database of ORG contains all current, future and past permissions of all applications (standard applications and custom developments). ORG therefore provides full auditability and a single point of administration and control.
Previously, an authorization request had to be implemented separately on each system by various system administrators. This process took a long time, was error-prone and led to non-productive time.
The centralized and standardized authorization system ORG was the ideal solution for a large insurance company. Access and user rights are now provisioned automatically to the individual business applications. The central database provides an overview of past, current and future privileges across all platforms at any time. Changes to permissions for organizational reasons, staff turnover etc. are provisioned at the push of a button.
Auditors and accountants appreciate the centralized, enterprise-wide, current, historized and valid record of credentials.
Administration can be Role Based (RBAC - Role Based Access Control) as well as Attribute Based (ABAC - Attribute Based Access Control).
The central component of the administration environment is the ORG server with the ORG administration database. The ORG server runs on z/OS, Unix and Windows. The ORG admin DB (DB2 or Oracle) maps the company's entire implemented permission model. In addition to the currently valid data, the whole history and the planned changes are stored in a tamper-proof and auditable form.
The ORG connector architecture is modular. The interface to the ORG Server and the logic for exchanging information are the same for all target systems; agents for the interfaces of specific target systems are available. The connector architecture allows bi-directional synchronization and quick implementation of new agents.
ORG supports RBAC:
Business applications with proprietary (e.g. SAP) or standard (e.g. LDAP) role-based user rights storage can easily be supported by ORG. The ORG connector pushes the user role information into the application-specific user rights store. The business applications keep using their role-based access control without any changes.
ORG provides three APIs for fine-grained access to privilege information in the runtime databases.
Because the runtime databases use de-normalized tables, these requests are highly performant.
ORG supports ABAC:
Business applications that need fine-grained access right information use the ORG APIs. An ORG access right decision is based on whatever attributes the business application supplies.
The business application itself no longer needs an application-specific access rights store.
The homegrown access control system could not be extended to fine-grained access management, and the functional extensions that Novell IDM would have needed were substantial and expensive.
Novell IDM was retained as the main system for identity and role assignment, while ORG became responsible for the fine-grained authorization checks. Novell IDM and ORG were connected via the SPML interface. The application development department now uses ORG as an EAM (Externalized Authorization Management) system and can define complex rule sets to enable fine-grained access management.
This simplifies application development and guarantees a consistent authorization model for all business applications.
The following table maps the ORG components to the corresponding XACML (eXtensible Access Control Markup Language) components:

| ORG terms | XACML terms |
|---|---|
| ORG Server and administration database | PAP (Policy Administration Point, where access policies and their component rules are defined); PRP (Policy Retrieval Point, the policy store for all applications) |
| ORG runtime database | PRP (Policy Retrieval Point; in ORG the de-normalized policy store for at least one particular application in a particular environment) |
| ORG APIs in connection with the ORG runtime databases | PDP (Policy Decision Point, which evaluates rules to make policy decisions) |
| Central module in applications which calls the ORG API | PEP (Policy Enforcement Point, which enforces policy decisions) |

Note that XACML's PIP (Policy Information Point, the source of the attributes a decision is based on) has no separate ORG component in this mapping: as described above, the attributes used in a decision are supplied by the calling business application, so the PEP side is responsible for passing them completely and correctly.
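The PAP/PRP/PDP/PEP roles in the table, as an added example that is not ORG code: the policy layout, the flattened `user.*` and `resource.*` attribute names and the sample rules are assumptions for illustration. The rule store is flattened per application and role in the way the text describes the runtime database, the PDP evaluates the caller's roles (RBAC) together with the attributes the application supplies (ABAC), and the PEP is a decorator on the business function that treats anything other than Permit as a denial, including the case where the application forgot to supply an attribute a rule needs:

```python
"""Added example of externalized authorization in XACML roles (PAP/PRP -> PDP -> PEP).
Not ORG code; policy format, attribute names and rules are assumptions."""
from __future__ import annotations

import functools
from dataclasses import dataclass
from enum import Enum
from typing import Callable

Attrs = dict[str, object]  # flattened "user.x" / "resource.y" attributes the PEP hands to the PDP


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"   # no policy for this application at all
    INDETERMINATE = "Indeterminate"    # a rule needed an attribute the caller did not supply


@dataclass(frozen=True)
class Rule:
    action: str
    condition: Callable[[Attrs], bool] = lambda attrs: True  # default: role alone suffices (RBAC)
    note: str = ""


# PAP output as stored in the PRP: constructed sample policy for one application,
# de-normalized to one lookup per (application, role) so the PDP needs no joins.
RUNTIME_DB: dict[str, dict[str, list[Rule]]] = {
    "claims": {
        "clerk": [
            Rule("read", note="RBAC: the role alone is sufficient"),
            Rule("approve",
                 lambda a: a["resource.department"] == a["user.department"] and a["resource.amount"] <= 5000,
                 note="ABAC: own department and small amounts only"),
        ],
        "manager": [
            Rule("read"),
            Rule("approve",
                 lambda a: a["resource.department"] == a["user.department"],
                 note="ABAC: own department, any amount"),
        ],
    },
}


def decide(app: str, roles: list[str], action: str, attrs: Attrs) -> Decision:
    """PDP: evaluate the rules for the caller's roles against the supplied attributes.
    Permit-overrides: one satisfied rule is enough. A rule that raises KeyError needed an
    attribute the application did not pass; that yields Indeterminate, never a guess."""
    app_rules = RUNTIME_DB.get(app)
    if app_rules is None:
        return Decision.NOT_APPLICABLE
    matching = [r for role in roles for r in app_rules.get(role, []) if r.action == action]
    indeterminate = False
    for rule in matching:
        try:
            if rule.condition(attrs):
                return Decision.PERMIT
        except KeyError:
            indeterminate = True
    return Decision.INDETERMINATE if indeterminate else Decision.DENY


def enforce(app: str, action: str):
    """PEP: wrap a business function taking (subject, resource) dicts. The PEP flattens both
    into the attribute set, asks the PDP, and fails closed on anything but Permit."""
    def wrap(fn):
        @functools.wraps(fn)
        def guarded(subject: dict, resource: dict):
            attrs: Attrs = {f"user.{k}": v for k, v in subject.items() if k != "roles"}
            attrs.update({f"resource.{k}": v for k, v in resource.items()})
            decision = decide(app, subject.get("roles", []), action, attrs)
            if decision is not Decision.PERMIT:
                raise PermissionError(f"{action} on {app}: {decision.value}")
            return fn(subject, resource)
        return guarded
    return wrap


@enforce("claims", "approve")
def approve_claim(subject: dict, claim: dict) -> str:
    # Business logic only; no application-specific rights store is consulted here.
    return f"claim {claim['id']} approved by {subject['id']}"


# Constructed subjects; in practice these come from the identity system, not the application.
CLERK = {"id": "u100", "roles": ["clerk"], "department": "motor"}
MANAGER = {"id": "u200", "roles": ["manager"], "department": "motor"}


def try_approve(subject: dict, claim: dict) -> str:
    try:
        return approve_claim(subject, claim)
    except PermissionError as exc:
        return f"denied ({exc})"


if __name__ == "__main__":
    print(try_approve(CLERK, {"id": "C1", "department": "motor", "amount": 4000}))
    print(try_approve(CLERK, {"id": "C2", "department": "motor", "amount": 9000}))
    print(try_approve(MANAGER, {"id": "C2", "department": "motor", "amount": 9000}))
    print(try_approve(CLERK, {"id": "C3", "department": "motor"}))  # amount missing
```

The Indeterminate path matters in practice: when an application starts passing fewer attributes than the rules expect (a refactoring, a new client), the PEP must deny rather than let a rule short-circuit to Permit, and the decision log should make that visible so the gap is fixed on the application side.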
In the future, ORG will be enhanced to follow OpenAz, which aims to provide a standardized model for applications and middleware to invoke access control capabilities.
ORG supports a variety of entities. The model supports IT-supported recording of the organizational structure, the construction of a role model and the capture of fine-grained detail rights. ORG calls them
Which of the supported entities are actually used depends on the particular environment of the client. The only mandatory ones are "user" and "role". When fine-grained privileges are used, "competence" and "competence scheme" are also necessary.
The ORG SPML interface is a web service, currently using SPML 1.0. Via the ORG SPML interface, ORG objects (e.g. user, position, role, mappings, etc.) can be created, changed, deleted or read by an upstream system (e.g. SAP HR). Every activity is controlled and historized by ORG. An existing IDM system can be extended with ORG by defining complex technical authorization rules.
Administrative access to the ORG Server is via the web or a fat client. Upstream systems (e.g. SAP HR) can send requests for automated administration to the ORG Server via the SPML web service.
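The SPML exchange described above, as an added example that is not ORG's interface code: an upstream system builds an SPML 1.0 `addRequest` for a user object, and a constructed server stand-in validates it, applies it and records a history entry for every request, successful or not. The SPML 1.0 and DSMLv2 namespaces are taken from the specifications; the identifier type, the `alreadyExists` error code and the history record layout are assumptions made for this example and should be checked against the receiving system.

```python
"""Added example of an SPML 1.0 addRequest/addResponse exchange. Not ORG code;
the server side is a stand-in that records every operation in a history list."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SPML = "urn:oasis:names:tc:SPML:1:0"        # SPML 1.0 core namespace
DSML = "urn:oasis:names:tc:DSML:2:0:core"   # DSMLv2, which SPML 1.0 reuses for attributes
ID_TYPE = f"{SPML}#UserIDAndOrDomainName"   # assumed identifier type; SPML 1.0 defines several
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)


def build_add_request(user_id: str, attrs: dict[str, list[str]], request_id: str) -> bytes:
    """Client side (e.g. an HR system): an addRequest creating one user object."""
    req = ET.Element(f"{{{SPML}}}addRequest", requestID=request_id)
    ident = ET.SubElement(req, f"{{{SPML}}}identifier", type=ID_TYPE)
    ET.SubElement(ident, f"{{{SPML}}}id").text = user_id
    attributes = ET.SubElement(req, f"{{{SPML}}}attributes")
    for name, values in attrs.items():
        attr = ET.SubElement(attributes, f"{{{DSML}}}attr", name=name)
        for value in values:
            ET.SubElement(attr, f"{{{DSML}}}value").text = value
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


class ProvisioningServer:
    """Server-side stand-in. The caller is assumed to be authenticated already (for example by
    TLS client certificate); that step is outside this example. Every request, accepted or
    rejected, produces one history entry."""

    def __init__(self) -> None:
        self.objects: dict[str, dict[str, list[str]]] = {}
        self.history: list[dict] = []

    def handle(self, raw: bytes, caller: str) -> bytes:
        # Production code should parse with defusedxml and enforce a size limit; the
        # standard parser is used here so the example runs without dependencies.
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            return self._finish("failure", "", caller, None, error="malformedRequest")
        request_id = root.get("requestID", "")
        if root.tag != f"{{{SPML}}}addRequest":
            return self._finish("failure", request_id, caller, None, error="unsupportedOperation")
        ident = root.find(f"{{{SPML}}}identifier")
        user_id = ident.findtext(f"{{{SPML}}}id") if ident is not None else None
        if not user_id or ident.get("type") != ID_TYPE:
            return self._finish("failure", request_id, caller, None, error="malformedRequest")
        if user_id in self.objects:
            # assumed error code: SPML 1.0 has no dedicated "already exists" code
            return self._finish("failure", request_id, caller, user_id, error="alreadyExists")
        attrs = {
            attr.get("name", ""): [v.text or "" for v in attr.iterfind(f"{{{DSML}}}value")]
            for attr in root.iterfind(f"{{{SPML}}}attributes/{{{DSML}}}attr")
        }
        self.objects[user_id] = attrs
        return self._finish("success", request_id, caller, user_id)

    def _finish(self, result: str, request_id: str, caller: str,
                user_id: str | None, error: str | None = None) -> bytes:
        """Record the activity (the 'historized' part) and build the addResponse."""
        self.history.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "caller": caller, "requestID": request_id, "operation": "add",
            "user": user_id, "result": error or result,
        })
        resp = ET.Element(f"{{{SPML}}}addResponse", result=f"{SPML}#{result}", requestID=request_id)
        if error:
            resp.set("error", f"{SPML}#{error}")
        if user_id and result == "success":
            ident = ET.SubElement(resp, f"{{{SPML}}}identifier", type=ID_TYPE)
            ET.SubElement(ident, f"{{{SPML}}}id").text = user_id
        return ET.tostring(resp, encoding="utf-8")


def parse_result(raw: bytes) -> str:
    """Client side: reduce the response's result URN to 'success' or 'failure'."""
    return ET.fromstring(raw).get("result", "").rsplit("#", 1)[-1]


if __name__ == "__main__":
    server = ProvisioningServer()
    # constructed sample: HR creates a user with a position and a business role
    req = build_add_request("jdoe", {"objectclass": ["user"], "sn": ["Doe"],
                                     "position": ["P-4711"], "role": ["claims-clerk"]}, "req-1")
    print(req.decode())
    print(server.handle(req, caller="SAP HR").decode())
    print(server.handle(req, caller="SAP HR").decode())   # second attempt is rejected
    print(server.history)
```

The point of `_finish` is that the history entry is written on every exit path, including malformed and duplicate requests; an audit trail that only records successes would hide exactly the activity (retries, probing, a misconfigured upstream system) that an auditor wants to see.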