Skip to end of banner
Go to start of banner

About EmpowerID PBAC

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

In the rapidly evolving landscape of digital security, organizations face increasing challenges in managing access to sensitive data and critical systems. Traditional access control models often lack the flexibility and granularity needed to address complex authorization requirements. EmpowerID addresses these challenges by offering a robust Policy-Based Access Control (PBAC) model that enhances traditional access management approaches. By integrating PBAC with its unified platform for Access Management, Identity Governance and Administration (IGA), and Privileged Access Management (PAM), EmpowerID provides a comprehensive solution for modern access control needs.

Understanding Policy-Based Access Control

What is PBAC?

Policy-Based Access Control (PBAC) is an advanced access control model that determines user permissions based on dynamic policies rather than static roles alone. Unlike Role-Based Access Control (RBAC), which assigns permissions based on predefined roles, PBAC evaluates multiple factors—including user attributes, resource properties, and environmental conditions—to make real-time access decisions. This approach incorporates elements of Attribute-Based Access Control (ABAC), providing a more flexible and precise authorization mechanism.

EmpowerID’s PBAC Model

EmpowerID's PBAC model integrates the structured control of RBAC with the dynamic flexibility of PBAC, enabling organizations to manage access rights efficiently while adapting to complex and changing authorization requirements. By using applications as the central elements of authorization, EmpowerID allows for tailored security configurations specific to each application's needs.

Core Components of EmpowerID PBAC

Applications as Central Elements

In EmpowerID PBAC, applications serve as the core around which authorization is structured. Each application can have its unique security configuration, ranging from simple RBAC implementations to complex PBAC setups that incorporate ABAC-style attributes and policy conditions. This application-centric approach ensures that security settings are finely tuned to the specific requirements of each application.

Authorization Models In EmpowerID

EmpowerID offers several authorization models, allowing administrators to select the appropriate level of complexity and flexibility for each application:

  • Not PBAC and not Azure: The application does not use PBAC features and is not associated with Azure.PBAC App: No App Resources, No Field Types

  • PBAC App: No App Resources, No Field Types: A basic PBAC application without additional resources or attributes.

  • PBAC App: Yes App Resources, No Field Types: A PBAC application with defined resources but without additional attributes.

  • PBAC App: Yes App Resources, Yes Field Types: A PBAC application with resources and ABAC-style attributes for fine-grained control.

  • PBAC App: No App Resources, Yes Field Types: A PBAC application without specific resources but utilizing attributes.

  • Azure App: An application integrated with Azure, utilizing Azure-specific features.

  • Azure Applications with PBAC: An Azure-integrated application that also uses PBAC features.

  • Azure Applications with App Resources and PBAC: A comprehensive model combining Azure integration, resources, and PBAC attributes.

These models define how applications handle rights, roles, and ABAC-style attributes (Field Types), and determine the extent to which they integrate with external systems like Microsoft Entra ID (formerly Azure AD).

The Universal PBAC Data Model

As organizations integrate diverse systems and applications, managing permissions across different platforms becomes increasingly complex. EmpowerID addresses this challenge through its Universal PBAC Data Model, which provides a consistent framework for representing and managing permissions from various systems within the PBAC model.

Integration with Diverse Permission Models

EmpowerID's Universal PBAC Data Model is designed to integrate diverse permission models from both internal and external systems, ensuring coherent cross-application access and risk management. By cataloging roles and rights from different systems, EmpowerID enables administrators to manage permissions in a unified manner.

For example, systems like Microsoft Entra ID and SAP S/4HANA have their own complex permission models. EmpowerID integrates with these systems by representing their permissions within the Universal PBAC Data Model, allowing for consistent management and analysis.

Resource System Types and Modules

Within the Universal PBAC Data Model, EmpowerID utilizes Resource System Types and Resource System Type Modules to represent external systems and their services:

  • Resource System Type: Defines the connector type used for integrating with specific systems. For example, "Azure AD SCIM" is the Resource System Type used for integrating with Microsoft Entra ID.

  • Resource System Type Module: Enumerates the services or modules available within the systems. For Microsoft Entra ID, modules might include "Microsoft Graph," "Power BI Service," or "Microsoft Teams."

By representing external systems and their services within the PBAC model, EmpowerID enables administrators to manage rights and roles from these systems as part of a unified framework. This approach simplifies management and enhances the organization's ability to enforce consistent access control policies.

Rights and Roles

Rights and roles are fundamental components of the PBAC model in EmpowerID, representing the permissions and groupings that determine what actions users can perform within applications.

Rights

Rights represent specific permissions within an application, specifying what actions a user is allowed to perform. They can be categorized into Global Rights and Local Rights.

  • Global Rights: Standardized permissions consistent across all instances of a service or system. For example, a Global Right might be "Manage Users," applicable across multiple applications.

  • Local Rights: Specific to a particular system or application, linked to Global Rights for consistency. This linkage ensures that while rights are tailored to specific contexts, they maintain alignment with organizational standards.

Rights Management in the Universal PBAC Model

In the context of the Universal PBAC Model, rights from external systems are integrated and managed consistently:

  • Integration of External Rights: Rights from systems like Microsoft Entra ID or SAP are inventoried and represented within the PBAC model.

  • Global and Local Rights Mapping: External rights are mapped to EmpowerID's Global Rights and Local Rights, allowing for consistent management and risk analysis.

For example, roles and permissions from SAP S/4HANA are registered under Resource System Types like "SAP-ECC" or "S4/HANA," with modules representing services such as "SAP_UI" or "SAP ABAP."

Roles

Roles are collections of rights that simplify permission assignments by grouping related permissions together. They can be Global Roles or Local Roles, depending on their scope and applicability.

  • Global Roles: Standardized roles consistent across all instances of a service or system, including identical Global Rights.

  • Local Roles: Specific to an application or system and composed of Local Rights.

Field Types

Field Types in EmpowerID represent attributes used in policies to enable fine-grained authorization. They allow for the creation of dynamic policies that consider real-world data and conditions, enhancing the flexibility and precision of access control.

Types of Field Types

Field Types can be associated with different aspects of access control:

  • Assignee Attributes: Attributes related to the user requesting access, such as department, job title, or security clearance level. For example, a policy might grant access to certain financial records only if the user is part of the "Finance" department.

  • Resource Attributes: Attributes that describe characteristics of the resource being accessed, like data classification, region, or project code. A policy might restrict access to documents tagged with "Confidential" unless the user has the appropriate clearance.

  • Environmental Attributes: Contextual factors such as time of day, location, or device type. For instance, access to sensitive systems might be permitted only during business hours or from specific network locations.

Assignment Points and Assignment Point Types

To ensure that permissions are granted appropriately and precisely, EmpowerID uses Assignment Points and Assignment Point Types to define the scope and reach of PBAC assignments.

  • Assignment Points: Exact locations or entities within a system, such as tenants, subscriptions, or resource groups.

  • Assignment Point Types: Categories that define the scope of assignments, such as:

    • Tenant Root: Rights applied globally across a tenant.

    • Management Group: Rights scoped to specific management groups.

    • Subscription: Assignments at the subscription level.

    • Resource Group: Rights limited to specific resource groups.

Examples in External Systems

Microsoft Entra ID Integration

In the context of Microsoft Entra ID, EmpowerID recognizes resources like Tenants, Management Groups, Subscriptions, and Resource Groups as Assignment Points. Rights and roles are scoped appropriately within these environments.

For example, an administrator might assign the "Contributor" role to a user at the Subscription level, granting them permissions within that specific subscription but not at the tenant level.

SAP Systems Integration

In SAP systems, Assignment Points are represented through Field Type Values rather than explicit entities. This allows for granular control based on attributes like company code, cost center, or plant.

By utilizing Assignment Points and Assignment Point Types, EmpowerID provides a flexible and powerful mechanism for scoping permissions across various systems and applications. This ensures that access is granted precisely, enhancing security and compliance.

PBAC Policies

PBAC policies in EmpowerID define the conditions under which access is granted or denied. They combine rights, roles, Field Types, and Assignment Points to create comprehensive authorization rules that are both precise and auditable.

Design of PBAC Policies

EmpowerID's PBAC policies are designed to be clear and manageable, adhering to a specific structure:

  • Single Right or Role Assignment: Each policy assigns one Local Right or Local Role to an assignee. This ensures clarity in what permission is being granted and simplifies auditing and compliance efforts.

  • Single Assignee: The assignee can be any EmpowerID Assignee Type, such as Person, Group, Management Role, Business Role and Location, or Query-Based Collection. This flexibility allows for precise targeting of policies to the appropriate users or groups.

  • Conditions and Constraints: Policies can include conditions based on Field Types and specify Assignment Points and Assignment Point Types to define the scope of the assignment. This enables fine-grained access control.

Incorporating Assignment Points in Policies

When creating PBAC policies, administrators specify Assignment Points and Assignment Point Types to define where the policy applies. This allows for precise control over access rights, ensuring that permissions are granted only within the intended scope.

For example, a policy might grant the "Manage Resources" right to a group of users but limit it to a specific Subscription or Resource Group by specifying the appropriate Assignment Point and Assignment Point Type.

Implementing EmpowerID PBAC

mplementing PBAC within EmpowerID involves several key steps that collectively enable organizations to establish robust and flexible access control mechanisms. To assist you in understanding and executing these steps, we've prepared a comprehensive demo video that walks you through the process of onboarding and managing a PBAC application in EmpowerID.

Demo Video: Onboarding and Managing PBAC Applications in EmpowerID

Before diving into the detailed steps, we recommend watching the following video tutorial. It provides a practical demonstration of the concepts discussed in this section, offering visual guidance and real-world examples.

ResAdminForApplicationOwners.mp4

In this video, you'll learn:

  • How to create or inventory a PBAC application.

  • Configuring rights and roles specific to your application.

  • Applying Field Types for fine-grained access control.

  • Assigning rights and roles to users and groups.

  • Utilizing the Universal PBAC Data Model.

  • Defining Assignment Points and Assignment Point Types.

  • Setting up PBAC approval routing.

  • Navigating the EmpowerID interface for PBAC management.

By watching this tutorial, you'll gain practical insights into the implementation process, which will enhance your understanding and make the subsequent steps smoother to follow.

Onboarding PBAC Applications

When onboarding applications, particularly external systems like Microsoft Entra ID or SAP, administrators utilize the Universal PBAC Data Model to integrate these systems into EmpowerID. This involves defining the appropriate Resource System Types and Modules, ensuring that permissions and resources from these systems are represented accurately within the PBAC model.

Configuring Rights and Roles

Administrators configure rights by mapping permissions from external systems to EmpowerID's Global Rights and Local Rights, using the Universal PBAC Data Model. This allows for consistent management and analysis across different systems.

They also develop roles by grouping related rights, simplifying the assignment process. Roles can be assigned at appropriate scopes using Assignment Points and Assignment Point Types.

Applying Field Types

To enable fine-grained access control, administrators apply Field Types to policies. This involves creating Field Types that represent relevant attributes and adding Field Type values used in policy conditions.

Configuring Field Types for App Rights

Field Types are configured for app rights to enforce policies effectively. Administrators associate Field Types with specific rights, establishing conditions under which the rights are granted. They set properties for each Field Type, such as whether a value is required and the scope of the Field Type (Assignee, Resource, or Environment).

Assigning App Rights and Roles

When assigning rights and roles, administrators specify Assignment Points and Assignment Point Types to define the scope of the assignment. This ensures that permissions are granted within the correct context and do not inadvertently extend beyond the intended scope.

For example, when assigning the "Database Administrator" role to a user, the administrator might specify an Assignment Point of a particular database instance, with an Assignment Point Type of "Resource Group."

Setting Up PBAC Approval Routing

For access requests that require approval, EmpowerID provides mechanisms to configure approval processes. Administrators create Approval policies that define how access requests are routed for approval, incorporating resolver rules that determine approvers based on assigned Approval Rights.

They also define Approval Rights, which are assigned to users responsible for approving specific types of access requests.

Benefits of EmpowerID PBAC

Implementing PBAC through EmpowerID offers significant benefits that enhance an organization's security posture and operational efficiency.

Unified Permission Management

By utilizing the Universal PBAC Data Model, EmpowerID allows organizations to manage permissions from diverse systems within a single framework. This unification simplifies administration, enhances consistency, and improves risk management across the enterprise.

Precise Access Control

The use of Assignment Points and Assignment Point Types provides precise control over where permissions apply, reducing the risk of over-provisioning and ensuring compliance with organizational policies.

Enhanced Security

By evaluating multiple attributes and conditions, PBAC provides precise access control, reducing the risk of unauthorized access. Dynamic policies adapt to changing circumstances, ensuring that access remains appropriate over time.

Flexibility and Scalability

EmpowerID's PBAC model allows organizations to easily adjust policies to meet changing business needs or regulatory requirements. The use of Field Types and dynamic policies enables fine-grained control without the need for extensive role management.

Efficient Administration

User-friendly interfaces, automated workflows, and REST API support reduce administrative overhead. Administrators can efficiently manage access rights, policies, and approvals.

Conclusion

EmpowerID's Policy-Based Access Control (PBAC) model offers a robust and flexible solution for modern access control challenges. By integrating the structured control of RBAC with the dynamic flexibility of PBAC, and incorporating the Universal PBAC Data Model and Assignment Points, EmpowerID enables organizations to implement fine-grained, context-aware access policies that enhance security and compliance.

With applications at the center of the authorization model and the ability to incorporate user, resource, and environmental attributes into policies, EmpowerID's PBAC model provides the precision and adaptability required in today's complex digital environments. The use of Assignment Points and Assignment Point Types ensures that permissions are granted precisely, reducing risks and ensuring compliance.

By leveraging EmpowerID's PBAC model, organizations can achieve a balance between robust security measures and efficient administrative processes. This alignment ensures that access rights are managed effectively, supporting business objectives while maintaining the highest standards of security and compliance.

Next Steps

Configuring PBAC Applications

IN THIS ARTICLE

  • No labels