Company “A” wishes to use services provided by a cloud service provider. There is a strong need to know what entitlements a user has during the Entitlement Assignment, Provisioning, Access Runtime, and Access Review phases of IAM.
An Entitlements Catalog service returns a list of Business Tasks a user can perform. Entitlements should be portable from one service provider to another.
At any point in time it should be possible to find out what entitlements a user has.
Since Entitlements are to be portable from one CSP to another:
User entitlements should not be system specific but rather be based on Business Tasks as defined by business architects.
User entitlements should be expressed in a standard format that is based on a pre-defined and agreed upon access control vocabulary, one that can express both the syntax and the meaning of an entitlement.
GetEntitlementSyntax – retrieve Entitlement Type Syntax.
GetEntitlementMeaning – retrieve the meaning of the particular entitlement.
An Access Control Vocabulary exists to provide syntax and meaning for each entitlement.
CSPs agree to use the above Access Control Vocabulary to express entitlements in a portable format.
A Business Process Framework is provided as input to the Entitlements Model.
The process flow is as follows:
A company uses the services provided by the Cloud Service Provider.
The Cloud Service Provider exposes various services representing entitlements for the users from the company.
The company calls GetUserEntitlements service to receive a list of entitlements for a particular user.
The company calls GetEntitlementSyntax service to receive the syntax of an entitlement.
The company calls GetEntitlementMeaning service to receive the meaning of a particular entitlement.
1.11 Use Case 4: Segregation of Duties based on Business Process
1.11.1 Description / User Story
A company for whom a CSP is providing services needs to implement corresponding Segregation of Duties Policies. There is a strong need to know what conflicting entitlements a user could be assigned, prevent such assignment, augment the conflicting assignment with runtime controls, and as a last resort detect the use of conflicting entitlements.
1.11.2 Goal or Desired Outcome
Provide a policy-based mechanism to design, implement, test, and access-review both simple and complex Separation of Duties scenarios.
Leverage the XACML standard for expressing the conditional logic of SoD policies. Leverage the Access Control Vocabulary to express the syntax and meaning of the attributes used in SoD Policies.
Business Tasks are to be the core attribute for designing and registering the “Duties” of Segregation of Duties.
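The following is an added illustrative model, not part of this use-case document or of any CSP's service: it expresses entitlements as Business Tasks drawn from a constructed Access Control Vocabulary (with the GetUserEntitlements, GetEntitlementSyntax and GetEntitlementMeaning lookups of Use Case 3 as plain functions) and applies a constructed SoD policy both as a preventive control at assignment time and as a detective control over a constructed access log. The vocabulary entries, conflict pairs, user names and log events are all assumptions made for the example.

```python
# Added illustrative model (not from the use-case document): Business Task entitlements from
# a shared Access Control Vocabulary, plus an SoD policy applied at assignment and at runtime.
from itertools import combinations

# Constructed Access Control Vocabulary: syntax and meaning for each Business Task.
VOCABULARY = {
    "BT:CreateVendor":   {"syntax": "BT:<Verb><Object>", "meaning": "Create a vendor master record"},
    "BT:ApproveInvoice": {"syntax": "BT:<Verb><Object>", "meaning": "Approve a supplier invoice"},
    "BT:ReleasePayment": {"syntax": "BT:<Verb><Object>", "meaning": "Release an approved payment run"},
    "BT:ViewReports":    {"syntax": "BT:<Verb><Object>", "meaning": "Read finance reports"},
}

# Constructed SoD policy: Business Task pairs no single user may hold together.
SOD_CONFLICTS = {
    frozenset({"BT:CreateVendor", "BT:ApproveInvoice"}),
    frozenset({"BT:ApproveInvoice", "BT:ReleasePayment"}),
}

# Constructed entitlement store standing in for the CSP's GetUserEntitlements service.
USER_ENTITLEMENTS = {
    "alice": {"BT:CreateVendor", "BT:ViewReports"},
    "bob": {"BT:ApproveInvoice", "BT:ReleasePayment"},
}

def get_user_entitlements(user):
    return set(USER_ENTITLEMENTS.get(user, set()))

def get_entitlement_syntax(entitlement):
    return VOCABULARY[entitlement]["syntax"]

def get_entitlement_meaning(entitlement):
    return VOCABULARY[entitlement]["meaning"]

def sod_violations(entitlements):
    """Conflicting Business Task pairs present within one set of entitlements."""
    pairs = {frozenset(p) for p in combinations(sorted(entitlements), 2)}
    return pairs & SOD_CONFLICTS

def can_assign(user, new_entitlement):
    """Preventive control: reject an assignment that would create an SoD conflict."""
    if new_entitlement not in VOCABULARY:
        raise ValueError(f"{new_entitlement} is not in the Access Control Vocabulary")
    return not sod_violations(get_user_entitlements(user) | {new_entitlement})

def detect_conflicting_use(access_log):
    """Detective control: users who actually exercised both halves of a conflicting pair."""
    used = {}
    for user, task in access_log:  # access_log: iterable of (user, Business Task) events
        used.setdefault(user, set()).add(task)
    return {u: sod_violations(t) for u, t in used.items() if sod_violations(t)}
```

Because conflicts are defined on Business Tasks rather than on system-specific roles, the same policy and the same check apply unchanged when the entitlements are moved to another CSP.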