Abstract
Identity and, in particular, access control present a range of challenges, especially for larger organisations. The combined complexity of users from various communities accessing multiple systems and applications in the context of business processes can be significant. The US NIST proposed the Role-Based Access Control model in order to manage authorisations effectively and efficiently. While this model certainly has its drawbacks, it gave rise to various interesting software solutions. One particularly relevant one is the Sage tool. This tool builds a model of the actual authorisations across platforms by consolidating and enriching them in its own database. Subsequently, the built-in pattern-matching engine can identify a number of less desirable patterns in the data and can recommend solutions, e.g., for role structuring (role-mining). Furthermore, business constraints can be expressed in so-called business process rules, which can, e.g., reflect segregation of duty requirements.
In the pilot project described here as a case study, we combined both role-mining and compliance verification. The case study organisation is subject to both national competition regulation and the US Sarbanes-Oxley act. It employs approximately 25,000 employees. Analysing existing access controls through a unified approach and applying compliance rules to them has proven to be a quick and reliable way for the organisation to demonstrate compliance (or to identify actions where compliance was not yet achieved). The fact that the control library is available both at the level of principles and at the level of specific business process rules makes the approach transparent, repeatable and affordable. Furthermore, a number of observations were made that allowed undesired authorisations to be removed through data cleaning. As a result of the pilot project, the client decided to implement BPR-based compliance verification for all applications that are subject to Sarbanes-Oxley.
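As an added illustration (not the chapter's own code nor the Sage tool's), the following Python sketch models the approach the abstract describes: per-platform authorisation exports are consolidated into one model, constructed segregation-of-duty business process rules are checked against it, and a naive role-mining pass proposes candidate roles. All platform names, users, entitlements and rules are constructed sample data.

```python
from collections import defaultdict

# Constructed sample exports, one list per platform: (user, entitlement) pairs.
SOURCES = {
    "erp": [("alice", "create_vendor"), ("alice", "approve_payment"),
            ("bob", "create_vendor"), ("bob", "view_invoice"), ("bob", "post_invoice"),
            ("carol", "view_invoice"), ("carol", "post_invoice")],
    "bank": [("alice", "release_transfer"), ("dave", "release_transfer")],
}

# Constructed business process rules: entitlement combinations one user must not hold (SoD).
SOD_RULES = {
    "vendor_and_payment": {"erp:create_vendor", "erp:approve_payment"},
    "payment_and_release": {"erp:approve_payment", "bank:release_transfer"},
}

def consolidate(sources):
    """Merge per-platform exports into one model: user -> set of platform-qualified entitlements."""
    model = defaultdict(set)
    for platform, rows in sources.items():
        for user, entitlement in rows:
            model[user].add(f"{platform}:{entitlement}")
    return dict(model)

def sod_violations(model, rules):
    """Return sorted (user, rule) pairs where the user holds every entitlement of a toxic combination."""
    return sorted((user, rule) for user, held in model.items()
                  for rule, toxic in rules.items() if toxic <= held)

def mine_roles(model, min_users=2, min_entitlements=2):
    """Naive role-mining: entitlements assigned to exactly the same group of >= min_users users
    become one candidate role. Returns {frozenset(users): frozenset(entitlements)}."""
    holders = defaultdict(set)
    for user, held in model.items():
        for entitlement in held:
            holders[entitlement].add(user)
    candidates = defaultdict(set)
    for entitlement, users in holders.items():
        if len(users) >= min_users:
            candidates[frozenset(users)].add(entitlement)
    return {users: frozenset(ents) for users, ents in candidates.items()
            if len(ents) >= min_entitlements}

if __name__ == "__main__":
    model = consolidate(SOURCES)
    for user, rule in sod_violations(model, SOD_RULES):
        print(f"SoD violation: {user} breaks rule {rule}")
    for users, ents in mine_roles(model).items():
        print(f"candidate role {sorted(ents)} for users {sorted(users)}")
```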
Copyright information
© 2006 Friedr. Vieweg & Sohn Verlag | GWV-Fachverlage GmbH, Wiesbaden
Cite this chapter
Sel, M., Van Rompay, B. (2006). Identity and Access Control — Demonstrating Compliance. In: ISSE 2006 — Securing Electronic Business Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9195-2_20
DOI: https://doi.org/10.1007/978-3-8348-9195-2_20
Publisher Name: Vieweg
Print ISBN: 978-3-8348-0213-2
Online ISBN: 978-3-8348-9195-2