![](\"https:\/\/media.licdn.com\/mpr\/mpr\/AAEAAQAAAAAAAA10AAAAJDhjYTQwZDk3LTI1ZDctNDZlNC04NjYwLTUzOWU3Y2M1Y2RiYQ.png\")
<\/div>\n- \n
- What access a user has on an application?<\/li>\n
- How can requester\/approver\/certifier comprehend that an entitlement assignment, presented individually, correspond to a single business function?<\/li>\n
- How to model an “entitlement” when entitlement definitions are resource-centric ex. user’s access to business application function should be restricted to a region\/locality\/specific datasets. Have as many entitlements as protected application resources? Number of entitlements = Business functions * Number of protected resources<\/li>\n
- As application resources are added\/removed\/modified, how to entitle\/de-entitle access to user.<\/li>\n
- What if application administrator change application security configuration intentionally\/unintentionally and maps sensitive resources\/business function to a “low risk” entitlement?<\/li>\n<\/ul>\n
Entitlement Definition Management should be one of the key component of Identity Governance processes.<\/p>\n
Confluxsys Identity Analytics<\/strong> solution enables business users to manage entitlement definitions in a self-service manner, govern rogue changes to entitlement definitions & assignments, provides additional context information to requester\/approver\/certifier for effective identity governance, and integrates with application’s resource life cycle.<\/p><\/blockquote>\n
![](\"https:\/\/media.licdn.com\/mpr\/mpr\/AAEAAQAAAAAAAA2BAAAAJGEwMjFkMDVjLWI4YzctNDQxNi1iYjdjLWMyMGZhMmViNjhmNg.png\")
One of the biggest challenge is the integration given each application have their own access control model. Organization can implement Entitlement Definition in a phased approach:<\/div>\nPhase 1<\/strong>: Present context. Provide additional context information about entitlement to requester\/approver\/certifier: solution supports collection of entitlement definition “as it exists<\/em>” on the business application. Data is then transformed, validated, co-related within the framework. Information is made available to the users in form of restful webservice and integrated to Identity Governance interfaces.<\/p>\n
Phase 2<\/strong>: Govern entitlement definitions. Reconciliation & Certification. Solution reconciles entitlements into the certification engine for periodic\/event based access reviews. In certification, certifier manage business application function, resources\/datasets association with the entitlement.<\/p>\n
Phase 3<\/strong>: Entitlement definition management. Solution provides an interface to manage entitlement definitions in a business friendly whereby:<\/p>\n
- \n
- Instead of listing specific set of resource\/dataset, business user chooses business metadata of the resource or a “resource profile<\/em>“. Ex. For an insurance company, all datasets that relates to a specific region, division.<\/li>\n
- Operation\/Permissions are expressed as business functions.<\/li>\n<\/ul>\n
Phase 4<\/strong>: Application Resource lifecycle management. As resources are added\/de-commissioned\/modified, system automatically entitles\/de-entitles user access based on the entitlement definition provided by the business users.<\/p>\n","protected":false},"excerpt":{"rendered":"
An application access is generally expressed as a business function\/permission on a set of resources\/assets\/datasets. Each application has its own access control model (ACLs, RBAC, Discretionary\/Mandatory access control etc.). To simplify administration, these fine grained authorization policies are published as a set of “entitlements”. Application…<\/p>\n","protected":false},"author":1,"featured_media":2822,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-15748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/posts\/15748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/comments?post=15748"}],"version-history":[{"count":1,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/posts\/15748\/revisions"}],"predecessor-version":[{"id":15749,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/posts\/15748\/revisions\/15749"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/media\/2822"}],"wp:attachment":[{"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/media?parent=15748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/categories?post=15748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lastmile.id\/confluxsys\/wp-json\/wp\/v2\/tags?post=15748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Operation\/Permissions are expressed as business functions.<\/li>\n<\/ul>\n
- Instead of listing specific set of resource\/dataset, business user chooses business metadata of the resource or a “resource profile<\/em>“. Ex. For an insurance company, all datasets that relates to a specific region, division.<\/li>\n