Overview#

Roles and Entitlements are hard and complex.

We typically strive to utilize the Access Control Model called Adaptive Policy-based Access Management (APAM).

In this simplified example we put together an Entitlement example that will hopefully help.

Think about the day-to-day business functions. We will use a bank, but the concept is common across all businesses.

"Bank Teller"#

For a "Bank Teller" to do their job, the "Bank Teller", for each branch they work in, needs:
  • Access to the Building they work in
  • Use Coffee Machine
  • Use Teller Machine
Together, these individual Entitlements make up the "Bank Teller" Role.

"Bank Manager"#

Likewise the "Bank Manager" of the Bank Branch needs:
  • Access to the Building they work in.
  • Use Coffee Machine
  • Use Teller Machine
AND
  • Able to lock and unlock Building door
  • Able to Arm and Disarm Security
  • Able to lock and unlock safe
  • Administer Teller Machine
  • Spend <=$500
  • Manage Key Cards for Building
Together, these individual Entitlements make up the "Bank Manager" Role.

The Big Question#

In day-to-day operations we are always trying to answer the question: "Can this user have access to this resource?"

In our Bank Teller example, Alice shows up at the bank's door and the "door system" needs to know: should I let Alice in? (Alice is a Digital Identity.)

The "door system", which in this example is the Policy Enforcement Point (PEP), sends:

  • Alice's UserID
  • building Number
  • door number
to the Policy Decision Point (PDP), asking: can I let Alice in?

The Policy Decision Point (PDP) runs the rule check (Policy) to determine if Alice is allowed to have "Access to the Building they work in" and returns Yes or No.

The Policy Decision Point (PDP) may use any Entitlement parameter values and other data, such as Adaptive Risk data. For example: is Alice actually at the expected geolocation?

In our example above, the Role might be "Bank Teller" or "Bank Manager". Each Role consists of one or more Entitlements which may have Zero or more Entitlement parameter values.

Entitlements typically have Entitlement parameter values. As an example, the entitlement
"Access to the Building they work in" might have a multi-valued attribute that identifies which Buildings the entity "Works In". These values are typically driven from an attribute of the Digital Identity.
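The PEP/PDP exchange above, worked through in code. This is an added example, not part of the original page: the roles and entitlement names come from the Bank Teller and Bank Manager lists above, while the identity store, the `works_in` parameter values, the building/door identifiers and the `geo_matches_building` risk signal are constructed for illustration.

```python
from dataclasses import dataclass

# Role -> Entitlements, using the names from the Bank Teller / Bank Manager lists.
ROLES = {
    "Bank Teller": {"Access to the Building they work in",
                    "Use Coffee Machine", "Use Teller Machine"},
    "Bank Manager": {"Access to the Building they work in",
                     "Use Coffee Machine", "Use Teller Machine",
                     "Able to lock and unlock Building door",
                     "Administer Teller Machine"},
}

@dataclass
class DigitalIdentity:
    user_id: str
    roles: set
    works_in: set  # Entitlement parameter values: buildings the identity works in

# Constructed identity store; a real PDP would read these attributes from a directory.
IDENTITIES = {
    "alice": DigitalIdentity("alice", {"Bank Teller"}, {"B-101"}),
    "bob": DigitalIdentity("bob", {"Bank Manager"}, {"B-101", "B-202"}),
}

def pdp_decide(user_id, building, door, risk):
    """Policy Decision Point: answer 'can I let this user in?' with True/False.
    door is carried in the request but this simple policy does not distinguish doors.
    risk is the Adaptive Risk data the PEP forwards (constructed signal)."""
    identity = IDENTITIES.get(user_id)
    if identity is None:
        return False  # unknown Digital Identity: default deny
    # Collect every Entitlement granted by any of the identity's Roles.
    entitlements = set().union(*(ROLES.get(r, set()) for r in identity.roles))
    if "Access to the Building they work in" not in entitlements:
        return False  # no Role grants the building-access Entitlement
    if building not in identity.works_in:
        return False  # Entitlement parameter values do not cover this building
    if not risk.get("geo_matches_building", False):
        return False  # Adaptive Risk check: requester is not at the building's geolocation
    return True

def door_pep(user_id, building, door, risk):
    """Policy Enforcement Point (the door system): forwards the request and enforces the answer."""
    return "open" if pdp_decide(user_id, building, door, risk) else "stay locked"
```

Note that the PEP never evaluates policy itself; it only forwards the request attributes and acts on the PDP's Yes/No.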

More Information#

There might be more information for this subject on one of the following:

This page (revision-10) was last changed on 16-Jun-2016 19:20 by jim