CA GovernanceMinder implements RBAC standards without affecting an organization's ongoing operations. The product implements the concept of a sandbox to separate product operation from the organization's ongoing security environment (the production server). The assumption is that when working with the product, existing access definitions are first imported into a sandbox. A sandbox is a system where CA GovernanceMinder is installed, and where role discovery and audit activities are performed without affecting the current operations of the organization. All work on discovering new access definitions or refining existing ones is performed in this product environment.
CA GovernanceMinder defines a role as a group of users that have a common set of entitlements. Users are people or functions: employees, customers, suppliers, representatives, and so on. An entitlement is a specific right of access, which may be an operation or an object in formal RBAC terms. Thus, an entitlement can be as specific as a particular access right (Read/Write/Execute) to a specific file in a specific file system on a specific system, and it can also be used to model access to a computer system as a whole (such as membership of a user group on that system). A link is a connection between a user and an entitlement, indicating that this user possesses that specific access right. A role can include a set of users and a set of entitlements, with the semantics that all users in the user set are allowed access to all entitlements in the entitlement set.
Most of the work is performed within a product configuration file that is automatically created when access data is imported into CA GovernanceMinder. A configuration is a data structure that holds a snapshot of the definition of users, entitlements, and roles (if already defined) and the relevant relationships (links) between them.
In a typical implementation, the Role Engineer first imports current access data from the security administration server. Source documents would include a users database file, a resources database file, a roles file (if one exists), and possibly one or more files describing the relationships between these entities (users, resources, roles). Using a direct communications link to the production server, CA GovernanceMinder enables importing data in many formats, including CSV, SQL, and RACF. CA GovernanceMinder creates its own CA GovernanceMinder "configuration" document, which contains the known user, role, and resource information.
The role discovery process enables the discovery of roles that were not explicitly defined in the source data and the refining of existing roles. CA GovernanceMinder's role discovery tools include searching for and proposing basic roles, obvious roles, and roles that are almost perfect matches of other roles, and identifying role hierarchies. These options contain sub-menus that enable fine-tuning CA GovernanceMinder's discovery algorithm to adapt it to the specific configuration being analyzed. The results of running these CA GovernanceMinder options are CA GovernanceMinder's proposals for role definitions. These roles are individually examined to determine their appropriateness and validity for the organization.
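As an added illustration (not CA GovernanceMinder's own code or discovery algorithm), the following Python models a configuration in the terms used above (users, entitlements, links, and roles with their "every user in the role gets every entitlement in the role" semantics) and performs a simplified version of the role discovery steps: grouping users with identical entitlement sets into candidate roles, finding users who nearly match a proposed role, deriving a hierarchy from entitlement-set containment, and listing the links that no proposed role explains. The sample links, user names and entitlement names are constructed, and treating an exact-profile match as a "basic role" is an assumption made for the example.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# A configuration snapshot: user -> set of entitlements. Each (user, entitlement)
# pair is one "link" in the page's terminology.
Config = Dict[str, Set[str]]

# Constructed sample links; the users and entitlement names are invented.
LINKS: List[Tuple[str, str]] = [
    ("alice", "hr_db:read"), ("alice", "hr_db:write"), ("alice", "payroll:run"),
    ("bob", "hr_db:read"), ("bob", "hr_db:write"), ("bob", "payroll:run"),
    ("carol", "hr_db:read"), ("carol", "hr_db:write"), ("carol", "payroll:run"),
    ("carol", "unix:wheel"),
    ("dave", "crm:read"), ("dave", "crm:write"),
    ("erin", "crm:read"), ("erin", "crm:write"),
    ("frank", "crm:read"),
    ("grace", "crm:read"),
]


def build_configuration(links: List[Tuple[str, str]]) -> Config:
    """Turn imported links into the user -> entitlements snapshot."""
    config: Dict[str, Set[str]] = defaultdict(set)
    for user, entitlement in links:
        config[user].add(entitlement)
    return dict(config)


def discover_basic_roles(config: Config, min_users: int = 2) -> List[dict]:
    """Propose one candidate role per entitlement profile shared by >= min_users users.

    Assumption for this example: a 'basic role' is an exact-profile match.
    Roles are numbered in a deterministic (sorted-profile) order.
    """
    by_profile: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for user, entitlements in config.items():
        by_profile[frozenset(entitlements)].add(user)
    roles: List[dict] = []
    for profile, users in sorted(by_profile.items(), key=lambda kv: sorted(kv[0])):
        if len(users) >= min_users:
            roles.append({"name": "role_%d" % (len(roles) + 1),
                          "users": set(users), "entitlements": set(profile)})
    return roles


def near_matches(config: Config, role: dict) -> Set[str]:
    """Users outside the role who already hold all of its entitlements."""
    return {u for u, ents in config.items()
            if u not in role["users"] and role["entitlements"] <= ents}


def role_hierarchy(roles: List[dict]) -> List[Tuple[str, str]]:
    """(senior, junior) pairs: the senior role's entitlements strictly contain the junior's."""
    return [(p["name"], c["name"]) for p in roles for c in roles
            if p is not c and c["entitlements"] < p["entitlements"]]


def implied_links(roles: List[dict]) -> Set[Tuple[str, str]]:
    """Role semantics: every user in the role holds every entitlement in the role."""
    return {(u, e) for r in roles for u in r["users"] for e in r["entitlements"]}


def uncovered_links(config: Config, roles: List[dict]) -> Set[Tuple[str, str]]:
    """Links in the snapshot that no proposed role explains; these need individual review."""
    actual = {(u, e) for u, ents in config.items() for e in ents}
    return actual - implied_links(roles)


if __name__ == "__main__":
    cfg = build_configuration(LINKS)
    proposed = discover_basic_roles(cfg)
    for r in proposed:
        print(r["name"], sorted(r["users"]), sorted(r["entitlements"]),
              "near matches:", sorted(near_matches(cfg, r)))
    print("hierarchy:", role_hierarchy(proposed))
    print("uncovered:", sorted(uncovered_links(cfg, proposed)))
```

On the constructed data this proposes three roles, reports carol as a near match of the HR role (she holds everything it grants plus one extra entitlement), places the full CRM role above the read-only CRM role in the hierarchy, and lists carol's links as the ones no role explains; that last list is what the Role Engineer would examine individually.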
CA GovernanceMinder's basic auditing tools apply CA GovernanceMinder's internal logic and built-in algorithms to an existing configuration to analyze and identify many types of non-conformities or suspicions related to users, roles, and resources. The Role Engineer can apply individual tools to analyze a configuration or can run a comprehensive audit. The output of an audit is the AuditCard, which contains a list of all suspicious records and the type of suspicion involved (currently about 50 different types). The AuditCard also contains a built-in mechanism for tracking progress until resolution is achieved.
The Policy Compliance module is an additional audit tool that enables formulating a unique set of Business Process Rules (BPR) that represent various constraints on privileges. These rules are formulated independently of a specific CA GovernanceMinder configuration and can then be applied to different configurations.
Before uploading a processed CA GovernanceMinder configuration to the organization's production server, the differences between the original source data and the processed CA GovernanceMinder configuration are examined using a built-in CA GovernanceMinder option. After verifying the differences and making any necessary changes, the configuration data is exported directly from the CA GovernanceMinder interface in the production computer's format. The export eliminates cross-platform conversion problems.
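As an added, simplified illustration of the audit, Policy Compliance and pre-export difference steps described above (not the product's code; its roughly 50 suspicion types and its BPR syntax are not reproduced here), the following Python applies a constructed separation-of-duties rule and an over-privilege check to a constructed snapshot, records the findings in an audit-card structure that tracks each finding to resolution, and computes the link-level differences between the original and processed configuration. The users, entitlement names, rule and thresholds are all invented for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Config = Dict[str, Set[str]]

# Constructed snapshot of imported access data; users and entitlement names are invented.
ORIGINAL: Config = {
    "alice": {"ap:create_invoice", "ap:approve_invoice"},
    "bob": {"ap:create_invoice"},
    "carol": {"ap:approve_invoice"},
    "dave": {"ap:create_invoice", "gl:post", "hr:read", "crm:admin", "unix:root"},
}


@dataclass
class BusinessProcessRule:
    """A constraint written once, independently of any particular configuration."""
    name: str
    forbidden_together: Tuple[str, str]  # two entitlements no single user may hold at once


# Constructed separation-of-duties rule (the product's BPR syntax is not reproduced here).
RULES = [BusinessProcessRule("SoD: invoice creation vs approval",
                             ("ap:create_invoice", "ap:approve_invoice"))]


@dataclass
class Suspicion:
    kind: str
    subject: str
    detail: str
    status: str = "open"


@dataclass
class AuditCard:
    """Findings plus the tracking state needed to follow each one to resolution."""
    entries: List[Suspicion] = field(default_factory=list)

    def open_entries(self) -> List[Suspicion]:
        return [e for e in self.entries if e.status == "open"]

    def resolve(self, index: int, note: str) -> None:
        self.entries[index].status = "resolved: " + note


def check_rules(config: Config, rules: List[BusinessProcessRule]) -> List[Suspicion]:
    """Policy compliance: flag every user that holds both halves of a forbidden pair."""
    findings = []
    for user, ents in sorted(config.items()):
        for rule in rules:
            a, b = rule.forbidden_together
            if a in ents and b in ents:
                findings.append(Suspicion("bpr_violation", user, rule.name))
    return findings


def check_collectors(config: Config, threshold: float = 0.5) -> List[Suspicion]:
    """Flag users holding more than `threshold` of all distinct entitlements in the snapshot."""
    universe = set().union(*config.values())
    return [Suspicion("collector", user, "%d of %d entitlements" % (len(ents), len(universe)))
            for user, ents in sorted(config.items())
            if len(ents) / len(universe) > threshold]


def run_audit(config: Config, rules: List[BusinessProcessRule]) -> AuditCard:
    """Comprehensive audit: run every check and collect the results on one card."""
    card = AuditCard()
    card.entries.extend(check_rules(config, rules))
    card.entries.extend(check_collectors(config))
    return card


def diff_configurations(original: Config, processed: Config) -> Dict[str, List[Tuple[str, str]]]:
    """Link-level differences to review before the processed snapshot is exported."""
    before = {(u, e) for u, es in original.items() for e in es}
    after = {(u, e) for u, es in processed.items() for e in es}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    card = run_audit(ORIGINAL, RULES)
    for i, s in enumerate(card.entries):
        print(i, s.kind, s.subject, s.detail)
    processed = {u: set(es) for u, es in ORIGINAL.items()}
    processed["alice"].discard("ap:approve_invoice")  # remediation chosen in the sandbox
    card.resolve(0, "approval right removed from alice")
    print(diff_configurations(ORIGINAL, processed), len(card.open_entries()), "still open")
```

The rule is defined once and applied to whichever snapshot is passed in, mirroring the page's point that BPRs are independent of a specific configuration; the diff output is the list a reviewer would check before export, and the audit card keeps the second finding open until someone acts on it.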
Copyright © 2014 CA.
All rights reserved.