ORG Identity Governance & Administration Suite

Assignment and Control of User Rights

FSP Software & Consulting develops and owns the Identity Governance & Administration Suite ORG. It supports processes for the appropriate assignment of IT authorizations and for the regular recertification of permissions, as demanded for example by the current MaRisk AT 7.2 and MaRisk AT 4.3.1. The IGA lifecycle below shows how.

Identity Governance & Administration (IGA)

Figure: IGA lifecycle

The IGA lifecycle explained

Request

A request to grant, change or withdraw user rights is often initiated by an HR system. Alternatively, the request can be made through the ORG Process Manager, in a configurable framework, as a self-service. Workflow systems a company already uses can be connected via interfaces and used for the request process.

Policy check / approval

As part of the process, the software ensures that managers can review and approve the requested permissions.

The ORG Process Manager organizes the whole process; this includes the authorization assignment, the review and the approval process.

Administration

After completing the approval process, the requested rights are entered automatically into the central access management system ORG.

The ORG database holds attribute- and role-based rights information, which is provisioned in the following step.

Provisioning

Provisioning is the automated distribution of user account information and permissions to all target systems, no matter what technical platform they run on.

Depending on the target environment, either fine-grained attribute-based authorization information, or, in case of role-based target stores, information about the user and their roles is transferred via connector technology.

Audit / Reporting

Regular auditing of the company's entire set of authorization stores (ORG, RACF, LDAP, SAP, individual systems, ...) makes it possible to identify operational risks associated with user permissions. The reports are created using business intelligence principles. Inspection reports are sent to managers, e.g. to verify accounts, authorization rules and personal permissions.

Compliance / Verification

The audit results are verified by the responsible officials regarding timeliness, internal company rules, legal requirements and other compliance requirements.

The audit may in turn give rise to new requests, which closes the cycle.

Secure IAM Launch. Benefits - Step by Step

In the following, we describe how you can launch your access management step by step and tamper-proof.

Every step leads directly to a benefit in process optimization and compliance, quite apart from the increased security of your business applications.

The following chart explains the staged model and shows which components of ORG support the individual steps.

1. Derivation of the authorization model

  • MaRisk AT 7.2: Allocation of necessary IT authorizations
  • MaRisk AT 4.3.1: Segregation of Duties (SoD)
  • BSI Grundschutz M 2.31: Documentation of assigned IT authorizations

2. Tamper-proof assignment workflow

  • BSI Grundschutz M 2.8: Allocation of authorizations
  • MaRisk AT 7.2: Processes for appropriate IT authorization assignment (four-eyes principle)
  • User help desk and self-service option

3. Semi-automated assignment of permissions

  • COBIT DS 5.3: Compliant access rights
  • BDSG §9: Access authorization only for authorized users
  • Reduction of errors through semi-automation

4. Automated assignment of permissions

  • COBIT DS 5.3: Compliant access rights
  • BDSG §9: Access authorization only for authorized users
  • Elimination of errors through automation

5. Regular audits and re-certification

  • MaRisk AT 4.3.1: Regular audits of IT authorizations and segregation of duties (SoD)
  • COBIT DS 5.4: Regular review of all assigned IT authorizations
  • IGA Lifecycle (Identity Governance and Administration)

Once the authorization model and its rules have been derived, the tamper-proof assignment workflow can be designed.

Connecting business applications one by one raises efficiency and removes manual sources of error, since a human administrator is no longer needed to assign user rights.

The highest level is reached when the assigned permissions are checked regularly. With our staged model, your authorization management stays permanently under control.

We would like to assist you with steps 1 to 5 and look forward to your inquiries.

The unique strength of ORG is the sum of its capabilities:

ORG supports RBAC and ABAC across platforms. Performant and fail-safe.

  • Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) on different technical platforms (host, web, client/server) are proven and, very important, performant and fail-safe.
  • Because of its ABAC capability, ORG can be used as an Externalized Access Management system.
  • ORG provisions and de-provisions intelligently into almost every conceivable identity and rights store, no matter what technical platform it runs on.
  • With ORG, authorization rules can be centrally managed and enforced across the enterprise.
  • Governance functions such as historicization, future-dated administration, auditability and re-certification reports cover additional governance requirements.
  • ORG is easy to use, both in request and approval processes and in authorization administration.
  • Because of its comprehensive multi-tenant capability, ORG is readily available as SaaS in the cloud.

Authorization

Hybrid Process

The central objective is to ensure that users, e.g. employees, customers or business partners, have the access rights they need for their work at the right time.

In role mining it is therefore important to define enough distinct roles on the one hand, and not to draw up too many roles on the other. The hybrid process model is a suitable approach.
In the hybrid model, business roles and technical roles are linked. This enables the business departments to control their own permissions.

ORG's role and access management covers the stated requirements fast and reliably. Both fine-grained attribute-based (ABAC) and role-based (RBAC) decisions can be executed. The history concept of ORG allows a validity period for every data record. When a data record expires or is deleted, it is retained in the ORG database and merely marked as deleted.

Administration

ORG makes the Single Point of Administration and Control, the central administration and control of complex access rights, possible. The processes of allocation, monitoring and withdrawal are easy, efficient, comprehensible and tamper-proof. The whole process is monitored and controlled across all applications. Access and user rights are provisioned automatically to all business applications, regardless of platform: mainframe, client/server and web applications.

The connector architecture for the bidirectional exchange of access information with standard software is modular. The interface to the ORG server and the logic for exchanging access information are the same for all connected systems; only the interface-specific part for each connected application system is implemented in so-called agents. This makes connecting further application systems a matter of little effort.

The central administration database of ORG contains the current, future and past authorization information of all connected applications (standard applications and in-house developments). ORG therefore meets the highest auditability requirements.

Multistage role model

Roles are a core component of identity management. Conventional role management defines a role as an administrative bundle of access rights. In the context of Access Governance and Business Intelligence this is no longer sufficient, because the tasks and importance of roles have changed: roles now additionally have to support business features such as request and approval processes. Today's IDM systems consist of role models that reflect the company's perspective; the target-system-specific authorization structures are hidden behind them.

Figure: multistage role model

ORG meets this requirement by dividing roles into business roles and IT roles. IT roles define the technical content of the assigned permissions, business roles define the functional aspect of the user within the organization. ORG's role management provides the link between business roles and IT roles, and a multistage role model is possible (see figure). IT-specific roles are translated into roles that are intelligible to the functional department. This gives the business a view of the underlying IT infrastructure, so that business departments can audit permissions themselves.

Integrated workflow control

ORG can be easily integrated into existing request and approval workflows, so that manual administration is avoided as far as possible. A four-eyes principle can be configured if required. ORG offers a module for integrated workflow management, for the automated submission and approval of authorization requests. This service uses the same web service interfaces that are offered to external workflow systems. Delegated administration and self-service are standard in ORG.
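The two controls named in the lifecycle and in the launch model, a policy check at request time (segregation of duties) and a configurable four-eyes approval, are worth seeing as code. The following is an added example, not ORG or Process Manager code: a minimal request/approval workflow in which an SoD conflict is rejected before anyone approves, the approver must be a different person than requester and subject and must be the subject's line manager, and every step is written to a hash-chained, append-only audit trail so that a silently edited entry is detectable. The sample users, managers and conflict rule are constructed; for the purpose of the example an approved role counts as held from then on.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data (not from the page): line managers, roles held today,
# and role pairs that must never be held by one person (SoD rules).
MANAGER_OF = {"u.bauer": "m.schmidt", "u.keller": "m.schmidt"}
CURRENT_ROLES = {"u.bauer": {"payment_entry"}, "u.keller": set()}
SOD_CONFLICTS = {frozenset({"payment_entry", "payment_release"})}

# Append-only, hash-chained audit trail: each entry commits to the previous one,
# so an edited or dropped entry breaks the chain when it is verified.
AUDIT = []

def audit(event):
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    body = json.dumps(event, sort_keys=True)
    AUDIT.append({"event": event, "prev": prev,
                  "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

def audit_chain_valid():
    """Recompute the chain; False as soon as one entry no longer matches."""
    prev = "0" * 64
    for entry in AUDIT:
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True

class WorkflowError(Exception):
    pass

@dataclass
class Request:
    requester: str              # who filed it (self-service user or HR feed)
    subject: str                # user who would receive the role
    role: str
    state: str = "open"
    approvals: list = field(default_factory=list)

def sod_violations(user, new_role):
    """Roles the user already holds that conflict with new_role."""
    return {r for r in CURRENT_ROLES.get(user, set())
            if frozenset({r, new_role}) in SOD_CONFLICTS}

def submit(requester, subject, role):
    """Policy check at request time: SoD conflicts are rejected before approval."""
    req = Request(requester, subject, role)
    conflicts = sod_violations(subject, role)
    req.state = "rejected_sod" if conflicts else "pending_approval"
    audit({"action": "submit", "requester": requester, "subject": subject,
           "role": role, "state": req.state, "conflicts": sorted(conflicts)})
    return req

def approve(req, approver):
    """Four-eyes approval: someone other than requester and subject, and the
    subject's line manager, must approve before the request goes to administration."""
    if req.state != "pending_approval":
        raise WorkflowError(f"request is {req.state}, not approvable")
    if approver in (req.requester, req.subject):
        raise WorkflowError("four-eyes principle: approver must not be requester or subject")
    if MANAGER_OF.get(req.subject) != approver:
        raise WorkflowError(f"{approver} is not the line manager of {req.subject}")
    req.approvals.append(approver)
    req.state = "approved"            # next step: administration / provisioning
    CURRENT_ROLES.setdefault(req.subject, set()).add(req.role)
    audit({"action": "approve", "approver": approver,
           "subject": req.subject, "role": req.role})
    return req
```

The SoD check deliberately runs against the roles the subject already holds at submission time, not only against the request itself; a second request that would complete a conflicting pair is rejected even though each role on its own is harmless. A real deployment would anchor the audit chain's head in a store the workflow service cannot write to (a WORM log or a signed checkpoint), since a chain verified only against itself can be recomputed by whoever can rewrite the whole table.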

 
 

Audit / Governance

Certification / Recertification

Reports from the ORG Admin DB enable:

  • Time travel at a fingertip
  • Understandability and verifiability for business departments
  • Central and tamper-proof information storage

The ORG component 'Identity GRC' makes it easy and cost-effective to identify and handle all operational risks associated with user privileges across all information systems. Identity GRC analyzes the data of all entitlement stores, e.g. SAP, ORG, Novell, AD.

Identity GRC focuses on the creation of rule-based analyses and reports, applying Business Intelligence principles. Data queries, a rule engine and an analysis engine are combined into a web application for business users with flexible query capabilities and dashboard displays.

An inventory of existing permissions is generated to consolidate user, account and permission information for further processing. Identity GRC delivers value through multi-criteria analysis for data visualization, segregation-of-duties management, anomaly identification and compliance reporting, especially for identity and access events.

Using the intuitive dashboard, the extended role mining, the analysis capabilities and the comprehensive reporting function, operational risks can be analyzed and controlled better.
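What "inventory of existing permissions", "anomaly identification" and a recertification report amount to in practice is a reconciliation between what the central administration database has approved and what the connectors actually read back from each target store. The following is an added example, not Identity GRC code, with constructed sample data (identities, approved assignments, and exports from an AD and an SAP store) and assumed names. It produces the three findings an auditor asks for first: orphan accounts with no identity behind them, entitlements that exist in a target system but were never approved centrally, and approved entitlements that were never provisioned; then it groups the live entitlements per line manager for recertification.

```python
from collections import defaultdict

# Constructed sample data (not from the page).
IDENTITIES = {"u.bauer": "m.schmidt", "u.keller": "m.schmidt", "u.roth": "m.vogel"}  # user -> line manager
ADMIN_DB = {  # (user, target system, entitlement) approved and recorded centrally
    ("u.bauer", "AD", "GRP_FINANCE_RO"),
    ("u.bauer", "SAP", "Z_PAYMENT_ENTRY"),
    ("u.keller", "AD", "GRP_FINANCE_RO"),
    ("u.roth", "AD", "GRP_HR_RW"),
}
TARGET_EXPORTS = {  # what the connectors' agents actually read back from each store
    "AD": {("u.bauer", "GRP_FINANCE_RO"), ("u.keller", "GRP_FINANCE_RO"),
           ("u.keller", "GRP_DOMAIN_ADMINS"), ("svc_old", "GRP_FINANCE_RO")},
    "SAP": {("u.bauer", "Z_PAYMENT_ENTRY")},
}

def inventory():
    """Consolidate every live (user, system, entitlement) across all target stores."""
    return {(user, system, ent)
            for system, rows in TARGET_EXPORTS.items()
            for user, ent in rows}

def analyze():
    """The three classic findings of an entitlement review."""
    live = inventory()
    orphans = {x for x in live if x[0] not in IDENTITIES}          # account without an identity
    drift = {x for x in live - ADMIN_DB if x[0] in IDENTITIES}     # granted locally, never approved
    missing = ADMIN_DB - live                                       # approved but not provisioned
    return {"orphans": orphans, "drift": drift, "missing": missing}

def recertification_report():
    """Per line manager: every live entitlement of their people, flagged for review."""
    findings = analyze()
    report = defaultdict(list)
    for user, system, ent in sorted(inventory()):
        if user not in IDENTITIES:
            continue                       # orphans go to the system owner, not to a manager
        flag = "UNAPPROVED" if (user, system, ent) in findings["drift"] else "approved"
        report[IDENTITIES[user]].append((user, system, ent, flag))
    return dict(report)
```

The drift set is the one that matters for security: a group membership added directly in the target system, bypassing the approval workflow, is invisible to the central database until a connector reads the store back, which is why the bidirectional exchange described under Administration is a control and not just a convenience.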

Product Architecture

The sophisticated architecture is the foundation of the unique features. The software is fail-safe, provides high performance and supports RBAC and ABAC.

Numerous connectors make sure that ORG can be used across many different platforms.

Figure: architecture overview

Architectural Highlights

  • Fail-safe
  • High Performance
  • Single Point of Administration and Control
  • Cross Platform
  • ORG Connector (RBAC)
  • ORG API (RBAC and ABAC)
  • Data Model
  • Links to upstream systems

Interfaces

The many ORG interfaces offer easy connection with existing systems.

SPML systems:
Novell Identity Manager, IBM Tivoli Directory Integrator, openSPML

Directory systems:
Microsoft Active Directory, IBM Tivoli Directory Server, OpenLDAP, Novell eDirectory, Sun ONE Directory Server, ApacheDS, RACF LDAP server and further systems

Other connectors available for:
SAP R/3, RACF, INTERFLEX

APIs available for the following platforms:
Java (SE & EE), Windows (C), z/OS (COBOL, PL/1, C)

Fail-safe

The ORG system is divided into an administrative and a productive environment (illustration: left and right side). This separation ensures high reliability.

High Performance

There are two transport paths from the ORG Server Admin DB to the productive environment:

  1. The ORG runtime data distribution (ORG RDD) de-normalizes the fine-grained rights information the target systems need and pushes it into the ORG runtime databases. The ORG runtime databases can be part (tables) of productive databases. High-performance access is provided through the ORG APIs.
  2. The ORG connector with its specialized agents for target systems transfers user-role information to the specific authorization data stores (e.g. LDAP, RACF, SAP, ...).

This architecture allows fast authorization requests and ensures high performance.

Single Point of Administration & Control

The ideal solution is a centralized and standardized user rights administration which automatically provisions the access rights to the business applications regardless whether these are Mainframe, C/S or Web applications.

The central administration database of ORG contains all current, future and past permissions of all applications (standard applications and custom developments). Therefore, ORG meets the highest auditability and enables the Single Point of Administration and Control.

Use Case: Single Point of Administration and Control / Company-wide Access Governance

Background:
An authorization request had to be implemented separately for each system by various system administrators. This took a long time, was error-prone and led to unproductive waiting times.

Solution:
The centralized and standardized authorization system ORG was the ideal solution for a large insurance company. Access and user rights are now provisioned automatically to the individual business applications. The central database provides an overview of past, current and future privileges across all platforms at any time. Changes to permissions for organizational reasons, staff turnover etc. are provisioned at the push of a button.

Auditors and accountants benefit from centralized, enterprise-wide, current, historicized and valid authorization data.

Administration can be role based (RBAC, Role Based Access Control) as well as attribute based (ABAC, Attribute Based Access Control).

Figure: central administration

Cross Platform

The central component of the administration environment is the ORG server with the ORG administration database. The ORG server runs on z/OS, Unix and Windows. The ORG Admin DB (DB2 or Oracle) maps the company's entire implemented permission model. In addition to the currently valid data, the whole history and the planned future changes are stored tamper-proof and audit-proof.
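The property claimed here and under Hybrid Process and Audit / Governance (a validity period on every record, expired or deleted records retained and only marked, past and planned permissions alongside current ones, "time travel" for auditors) is lost the moment an administration tool issues a physical DELETE. The following is an added example, not ORG code, of one way to implement such an append-only, date-effective store; the class and field names are assumptions, and the sample assignments are constructed. Revocation marks a row rather than removing it, a future-dated assignment is simply a row whose validity has not started, and the same query answers "what did this user hold on any given date".

```python
import dataclasses
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: Optional[date]           # None = open-ended
    deleted_on: Optional[date] = None  # soft delete: the row stays, only marked

class AdminDB:
    """Append-only store: rows are never physically removed, only ended or marked."""

    def __init__(self):
        self.rows = []

    def assign(self, user, role, valid_from, valid_to=None):
        """Record an assignment; a valid_from in the future is a planned change."""
        row = Assignment(user, role, valid_from, valid_to)
        self.rows.append(row)
        return row

    def revoke(self, user, role, on):
        """Withdraw a role: mark every undeleted row for (user, role) as deleted on `on`.
        Returns the number of rows marked; nothing is removed from self.rows."""
        marked = 0
        for i, r in enumerate(self.rows):
            if r.user == user and r.role == role and r.deleted_on is None:
                self.rows[i] = dataclasses.replace(r, deleted_on=on)
                marked += 1
        return marked

    def effective(self, user, on):
        """Time travel: the roles valid for `user` on any past, present or future date."""
        return sorted({r.role for r in self.rows
                       if r.user == user
                       and r.valid_from <= on
                       and (r.valid_to is None or on <= r.valid_to)
                       and (r.deleted_on is None or on < r.deleted_on)})

    def history(self, user):
        """Everything ever recorded for the user, deleted rows included, for auditors."""
        return [r for r in self.rows if r.user == user]
```

Because a revocation only sets `deleted_on`, a query for a date before the revocation still returns the role, which is exactly what an auditor reconstructing who could do what on a past date needs; a store that overwrote or deleted the row could not answer that question.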

 
 

ORG Connector (RBAC)

The ORG connector architecture is modular. The interface to the ORG Server and the logic for the exchange of information are the same for all target systems; agents for specific target system interfaces are available. The ORG connector architecture allows bi-directional synchronization and quick implementation of new agents.

ORG supports RBAC:
Business applications with proprietary (e.g. SAP) or standard (e.g. LDAP) role-based user rights stores are easily supported by ORG. The ORG connector pushes the user-role information into the specific user rights store, and the business applications keep using their role-based access control without any changes.

Figure: ORG connector

ORG API (ABAC)

ORG provides three APIs for fine-grained access to privilege information in the runtime databases:

  1. The Java API can be used in Java EE and Java SE environments.
  2. The z/OS API is available for COBOL and PL/1. It can be used within transaction monitors (IMS or CICS) or batch applications.
  3. The Windows/Unix API is designed for C/C++ development on these operating systems.

Because the runtime databases hold de-normalized tables, requests are highly performant.

ORG supports ABAC:
Business applications that need fine-grained access right information use the ORG APIs. An ORG access right decision is based on whatever attributes the business application supplies, so the business application no longer needs its own application-specific access rights store.

Use Case: Fine grained Access Management / Externalized Access Management

Background:
The homegrown access control system could not be extended to fine-grained access management, and the functional extensions needed in Novell IDM would have been substantial and expensive.

Solution:
Novell IDM was set as the main system for identity and role assignment, and ORG became responsible for the fine-grained authorization checks. Novell IDM and ORG were connected via the SPML interface. The application development department now uses ORG as an EAM system (Externalized Authorization Management) and can define complex rule sets to enable fine-grained access management.

This simplifies application development and guarantees a consistent authorization model for all business applications.

Figure: fine-grained authorization management

ORG - XACML component mapping

The following table maps the ORG components to the corresponding XACML components (XACML = eXtensible Access Control Markup Language):

  • The ORG Server and administration database: PAP (Policy Administration Point, where access policies and their component rules are defined) and PRP (Policy Retrieval Point, the policy store for all applications)
  • ORG runtime database: PRP (Policy Retrieval Point; in ORG the de-normalized policy store for at least one particular application in a particular environment)
  • ORG APIs together with the ORG runtime databases: PDP (Policy Decision Point, which evaluates rules to make policy decisions)
  • Central module in the application which calls the ORG API: PEP (Policy Enforcement Point, which enforces policy decisions)

In the future, ORG will be enhanced to follow the OpenAz standard, in order to provide a standardized model for applications and middleware to invoke access control capabilities.
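The multistage role model, the runtime data distribution described under High Performance, the ABAC decision through the ORG API and the PAP / PRP / PDP / PEP mapping above are four views of one pipeline. The following is an added example, not ORG code, that shows that pipeline end to end with constructed data and assumed names: an administration model in which business roles map to IT roles and IT roles to "competences" with attribute constraints (the competence scheme), a distribution step that flattens the hierarchy once into de-normalized (user, competence) rows, a decision function that does one lookup and evaluates constraints against the attributes the application supplies, and an enforcement point in the application that acts on the verdict. Missing attributes fail closed.

```python
# --- PAP: the administration model (edited by administrators, stored centrally) ---
# business role -> IT roles (the multistage role model: business view on top of IT view)
BUSINESS_ROLES = {
    "claims_handler": ["claims_app_user", "doc_viewer"],
    "claims_auditor": ["claims_audit_north"],
}
# IT role -> (competence, constraints); each constraint names a competence scheme
IT_ROLES = {
    "claims_app_user": [("claim.read", {}), ("claim.approve", {"max_amount": 10000})],
    "doc_viewer": [("doc.read", {})],
    "claims_audit_north": [("claim.read", {"org_unit": "claims-north"})],
}
USERS = {"u.bauer": ["claims_handler"], "u.roth": ["claims_auditor"]}  # user -> business roles

# Competence schemes: how a constraint value is checked against request attributes.
# A missing attribute must fail closed, hence the defaults chosen here.
SCHEMES = {
    "max_amount": lambda attrs, limit: attrs.get("amount", float("inf")) <= limit,
    "org_unit": lambda attrs, unit: attrs.get("org_unit") == unit,
}

def runtime_data_distribution():
    """RDD: walk user -> business role -> IT role -> competence once, at distribution
    time, and emit flat (user, competence) -> [constraints] rows (the de-normalized PRP)."""
    runtime = {}
    for user, business_roles in USERS.items():
        for br in business_roles:
            for it_role in BUSINESS_ROLES[br]:
                for competence, constraints in IT_ROLES[it_role]:
                    runtime.setdefault((user, competence), []).append(constraints)
    return runtime

def decide(runtime, user, competence, attrs):
    """PDP: one dictionary lookup, then constraint evaluation; no role hierarchy at runtime.
    Permit if at least one granting row has all its constraints satisfied, else Deny."""
    for constraints in runtime.get((user, competence), []):
        if all(SCHEMES[name](attrs, value) for name, value in constraints.items()):
            return "Permit"
    return "Deny"

def pep_approve_claim(runtime, user, claim):
    """PEP inside the business application: supplies the attributes and enforces the verdict."""
    verdict = decide(runtime, user, "claim.approve", {"amount": claim["amount"]})
    if verdict != "Permit":
        raise PermissionError(f"{user} may not approve claim {claim['id']}")
    return {"id": claim["id"], "approved_by": user}
```

Two things to check in a real deployment follow from this shape. The flattened rows are only as fresh as the last distribution run, so a revocation in the administration database is not effective at the PEP until the RDD has pushed it; and the PEP is the only place that knows the request attributes, so an application that passes the wrong amount or omits an attribute gets a Deny rather than an accidental Permit only because the schemes were written to fail closed.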

 
 

Data Model

ORG supports a variety of entities.

The model supports IT-based recording of the organizational structure, the construction of a role model and the definition of fine-grained detail rights, which ORG calls "competences".

Which of the supported entities are actually used depends on the client's environment. The only mandatory entities are "user" and "role". When fine-grained privileges are used, "competence" and "competence scheme" are also necessary.

Links to upstream systems

The ORG SPML interface is a Web service, currently using SPML 1.0. Via the ORG SPML interface, ORG objects (e.g. user, position, role, mappings, etc.) can be created, changed, deleted or read by an upstream system (e.g. SAP HR). Every activity is controlled and historicized by ORG. An existing IDM system can be upgraded with ORG by defining complex technical authorization rules.

Administrative access to the ORG Server is via web or fat client. Upstream systems (e.g. SAP HR) can send orders for automated administration to the ORG Server via the SPML web service.
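An added example, not ORG code, of what an upstream SPML request from an HR system looks like and how the receiving side should validate it before acting. It follows the SPML 1.0 addRequest shape (the OASIS SPML 1.0 and DSMLv2 namespaces are real; the exact identifier-type URN, the request layout and the attribute allowlist are assumptions, and the sample user is constructed). The allowlist is the security-relevant part: an HR feed may create and update identity attributes, but a role or group membership must not arrive through this path, because it would bypass the request and approval workflow.

```python
import uuid
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)

# Assumed allowlist: identity attributes an upstream HR feed is permitted to set.
# Entitlement-carrying attributes (group or role membership) are deliberately absent.
ALLOWED_ATTRIBUTES = {"objectclass", "uid", "givenName", "sn", "employeeNumber", "ou"}

def build_add_request(attributes, identifier):
    """Upstream side: serialize an SPML 1.0 addRequest for one object."""
    req = ET.Element(f"{{{SPML}}}addRequest", requestID=str(uuid.uuid4()))
    ident = ET.SubElement(req, f"{{{SPML}}}identifier", type=f"{SPML}#GenericString")
    ET.SubElement(ident, f"{{{SPML}}}id").text = identifier
    container = ET.SubElement(req, f"{{{SPML}}}attributes")
    for name, value in attributes.items():
        attr = ET.SubElement(container, f"{{{DSML}}}attr", name=name)
        ET.SubElement(attr, f"{{{DSML}}}value").text = value
    return ET.tostring(req, encoding="unicode")

def parse_add_request(xml_text):
    """Receiving side: parse and validate before anything is written to the admin DB.
    Rejects wrong message types, missing identifiers and non-allowlisted attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML}}}addRequest":
        raise ValueError("not an SPML 1.0 addRequest")
    ident = root.find(f"{{{SPML}}}identifier/{{{SPML}}}id")
    if ident is None or not ident.text:
        raise ValueError("missing identifier")
    attributes = {}
    for attr in root.findall(f"{{{SPML}}}attributes/{{{DSML}}}attr"):
        name = attr.get("name")
        if name not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"attribute {name!r} may not be set by an upstream system")
        attributes[name] = [v.text or "" for v in attr.findall(f"{{{DSML}}}value")]
    return {"requestID": root.get("requestID"), "id": ident.text, "attributes": attributes}
```

Python's `xml.etree` does not resolve external entities, but for XML from another system it is still advisable to parse with `defusedxml` to rule out entity-expansion attacks; the validation above assumes the transport (TLS with client authentication to the HR system) has already established who sent the message.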


"FSP ORG is one of the products that appear to be a 'hidden secret' in the market."

Martin Kuppinger, KuppingerCole

Kuppinger Cole Report: Executive View

Software Customers of FSP

Abraxas, DAK, Deutsche Börse, ERGO Direkt, Fiducia, Finanz Informatik, GAD, Generali Informatik Services, Gothaer, HanseMerkur, Inter Versicherungsgruppe, ivv, Medicproof, Talanx, Signal Iduna, Zurich

News

  • 18.04.2016  Euro 2016: Your Planner

    Germany is looking forward to the European Championship 2016 - share the fever and download your Planner for the Euro 2016.

  • 16.03.2016  CeBIT 2016: Business Security Forum

    Frank Boehm, CEO of FSP, gave a presentation on digitalization at the CeBIT Business Security Forum on March 15th, explaining why Identity Management is necessary for digitalization.