1
Security, Roles and Permissions
Best Practices Security, Roles and Permissions Andrea Allmon Product Management-Sr Director Health Care and Insurance Kevin Harrison FICO Platform February 2010
2
Agenda
- FICO Platform Architecture
- Security (LDAP)/SSO (shared portal)
- Users
- Permissions (IFM - screen level)
- Roles
- Groups
- Organizations

© 2010 Fair Isaac Corporation. Confidential.
3
FICO Platform Architecture
4
FICO Platform Architecture
Business Objectives
- Faster application development
- Faster time-to-value solutions for our clients
- Faster turn-around for upgrades to our clients
Implementation
- Standards-based, Service Oriented Architecture (SOA)
- Integrates with operating systems and middleware: operating system, JEE (Java Platform, Enterprise Edition) application server, database server, LDAP server
- Configurable by application
5
FICO Platform Architecture
[Diagram: Configurations for FICO Applications. Applications (Debt Manager, Fraud Manager, Origination Manager, Insurance Fraud / DM App) sit on the shared FICO Platform. Stack from top to bottom: FICO Application Business Services; FICO Platform (shared strategic differentiators); third-party platform stack: Java Platform, Enterprise Edition (JEE) application server, database server, LDAP server, operating system, hardware.]
6
What is FICO Platform? What functionality does it provide?
- Common Data Model: extensible data entities, encryption, data access layer, audit, logging and history, license management
- Data Acquisition: FICO Network + transformation, bureau + data interfaces
- Decision Management System: characteristic library, model deployment, adaptive control, performance reporting, transaction scoring
- Business Rules Management: Blaze Advisor (RMA)
- Business Intelligence: browser-based reports integration
- Security Framework: role based access control, LDAP integration + federation, single sign-on
- UI Framework: UI Builder (SmartForms), context sensitive help, call scripting
- Internationalized (I18N): double-byte character set (DBCS), locale aware (region + language), date, time, currency and numeric separators, externalized translation configuration
- Case Management: history + notes, evidence locker, workflow
- Document Services: document templates; PDF, email, SMS
7
Security (LDAP)/SSO
8
FICO Platform use of LDAP
What is LDAP and what purpose does it serve?
- LDAP = Lightweight Directory Access Protocol
- FICO clients need LDAP integration for administration and support:
  - Reuse corporate configuration for groups, users, and password policy
  - Centralized and delegated administration
- FICO Platform products:
  - Use standard LDAPv3 integration for directory services
  - Have delegated administration features to write to LDAP
- Use of the LDAP server:
  - Users (with group membership): only attributes in the standard LDAP schema; extended attributes are kept in the FICO database
  - Groups (with hierarchy)
  - Password policy
9
Single Sign On: FICO application roadmap requirements from clients
- Support for Single Sign On environments
- Support for Federated Security integration
  - Requires a centralized authorization server, typically an LDAP server or one integrated with LDAP servers
  - Implemented by an authentication token
  - Federation requires a trusted relationship
- Site-deployed: workstation login establishes the authentication token; no user/password is required to access applications supporting SSO
- ASP/Hosting: one user/password in the portal/extranet for multiple hosted applications; federation allows the trust relationship to auto-provision clients
10
Users
11
Users: Setting up the Users
Creating Users
- Tenants are used when you are hosting more than one customer
- Locales will be used in future releases for localizations (English, Dutch, German)
- Department is a free-form entry for “Primary Group.” In a future release, we will be making this a drop-down selector.
12
Users: User Creation
- Users are created in LDAP
  - Username required; validated to be unique
  - First and last name required for application display
  - Email address required for sending the temporary password
  - A temporary password is generated and an email is sent to the user's address
- Users are also created in Business Objects
User Setup for Additional Details
- Some additional LDAP details are available for reference: employee number, phone, mobile, title
- Remaining details are user details in the database
  - Settings: tenant, locale, time zone
  - Associations: groups, roles, queues
- The user is made a member of groups in LDAP
- User locale and time zone settings are updated in Business Objects
13
Roles
14
Roles: Roles should be configured by job function
- Contain a set of permissions to access a resource
- Typically assigned to a group of users that do that job
  - Eases role administration for a large number of users
  - Ensures a backup resource with 2 or more users in each group
- IFM ships with the following default roles: Full Administrator, Manager, Investigator, Medical Management, Claims Reviewer, Claims Supervisor, Information Only, Triage/Case Administrator
15
[Diagram: Roles hierarchy example]
16
Permissions and Roles
Permissions
- Allow access to system-level features
Roles – Job Function
- A group of access permissions
- Roles hierarchy: lower-level roles contain a subset of the upper-level role's permissions
- Users and work groups may have one or more roles
- Role administration can be delegated by role with role permissions (Add, Manage, Change, Modify); users are limited to their Scope of Authority (their lower-level roles)
- Roles are not bound by organization or operational areas unless defined that way in the hierarchy; this allows shared job functions across the organization and operation, e.g. delegated administration: user administration, group administration
17
Role Based Access Control (RBAC)
Separation of Duties
- Role type: Security Administrator
  - Top-level access control to all security objects and audit logs
  - Defines primary roles and groups
  - Establishes System Administrators and Delegated Administrators
- Role type: System Administrator
  - Manages system configuration options
  - Monitors system function and maintains the operational environment
- Role type: Delegated Administrator
  - Manages business or departmental operations
  - Allows configuration changes to respond quickly to business needs
Best Practice*
- Define top-level roles as a superset for job functions
- Create lower-level child roles as permission subsets
  - Allows sharing some permissions for staff in cross-functional roles
  - It is typical that some users do two jobs or cover tasks of other staff as needed (out-of-office, vacation, sick)
*Best Practice note: limit the use of organization groups and operational groups such as Department, Product, or Team in the Roles hierarchy. Use Work Groups for that instead; otherwise the Roles hierarchy becomes very wide and/or very deep and typically ends up with duplicate roles in different organization or operational groups. Strive to define Roles as job functions that are cross-functional and can be used across the organization and operational groups.
18
Permissions
19
Permissions: IFM permissions are at the detailed functional level
- Permissions are defined as an Action and Resource pair
- Permissions can be assigned to multiple roles
- The authorization service checks the user's roles for permissions
- Permissions can control access to various user interface elements: menus, menu items, screens/pages, screen elements, navigation items (buttons, hyperlinks), controls (textbox, drop-down list, grid, etc.)
Work in Progress
- Renaming permissions to provide better clarity
- Next release includes a permission category, with the ability to filter the list of permissions by category (examples: Users, Groups, Roles, Queues, Menu, Grid, Domain Values)
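As an added illustration (not FICO Platform or IFM code) of the model on the Roles, RBAC and Permissions slides: permissions as Action/Resource pairs, the rule that a child role holds a subset of its parent's permissions, and an authorization check over the roles a user gets directly and through work groups. All role names, permission pairs and group assignments are constructed.

```python
# Added example, not FICO Platform or IFM code. Permissions are (Action, Resource)
# pairs, a child role may only hold a subset of its parent's permissions, and the
# authorization check collects roles assigned directly and via work groups.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    name: str
    permissions: set            # set of (action, resource) tuples
    parent: Optional[str] = None

ROLES: dict = {}        # role name -> Role
GROUP_ROLES: dict = {}  # work group -> role names applied to every member

def define_role(name: str, permissions: set, parent: Optional[str] = None) -> Role:
    """Register a role, enforcing the hierarchy rule: child permissions <= parent's."""
    if parent is not None and not permissions <= ROLES[parent].permissions:
        extra = permissions - ROLES[parent].permissions
        raise ValueError(f"role {name!r} grants beyond parent {parent!r}: {extra}")
    ROLES[name] = Role(name, set(permissions), parent)
    return ROLES[name]

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)        # roles assigned directly
    work_groups: set = field(default_factory=set)  # roles inherited from groups

def effective_permissions(user: User) -> set:
    role_names = set(user.roles)
    for group in user.work_groups:
        role_names |= GROUP_ROLES.get(group, set())
    return set().union(*(ROLES[r].permissions for r in role_names))

def is_authorized(user: User, action: str, resource: str) -> bool:
    """The authorization service check: does any of the user's roles grant the pair?"""
    return (action, resource) in effective_permissions(user)

# Constructed sample hierarchy (not the permission sets of the real IFM default roles).
define_role("Manager", {("View", "Menu:Cases"), ("View", "Screen:ClaimDetail"),
                        ("Edit", "Screen:ClaimDetail"), ("Edit", "Grid:Queues")})
define_role("Investigator", {("View", "Menu:Cases"), ("View", "Screen:ClaimDetail"),
                             ("Edit", "Screen:ClaimDetail")}, parent="Manager")
define_role("Information Only", {("View", "Menu:Cases"),
                                 ("View", "Screen:ClaimDetail")}, parent="Investigator")
GROUP_ROLES["SIU Team A"] = {"Investigator"}
alice = User("alice", work_groups={"SIU Team A"})  # gets Investigator via the group
dana = User("dana", roles={"Information Only"})
```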
20
Groups
21
Groups: Work Groups/Departments
Work Groups
- A set of users that are grouped to represent operational groups or teams
- Work groups simplify administration of a large number of users: roles and queues associated to a group apply to all members of the group
- Administration for lower-level user groups can be delegated to users or user groups associated to upper-level user groups
- Next release changes to the “User Group” nomenclature
  - Common name for a container for a number of users
  - Better represents the alignment with LDAP user groups
  - New attribute in user details for a tenant-specific Primary Group
22
Work Groups are defined by
- Tenant: each tenant may have different users and operational needs
- Users with the appropriate permission in their Roles: create work groups (add), maintain work groups (edit)
- Business managers or supervisors
  - Define the group and team structure for their business operations area
  - Hierarchy (inheritance) to define managers, supervisors, teams
  - Scope of Authority limited to the groups they are in: maintaining users and assignments in “my work groups”, maintaining configuration for lower-level work groups
23
Organization
24
Organization
Coming Soon – Organization lets you have better control of document templates, etc.
- Optional – the Default Organization is used until configured
- Authorization to certain system resources can be based on an organizational hierarchy and RBAC
  - Roles determine whether the user can access the screen and perform actions
  - The organization hierarchy determines what data the user can act upon (which resources are listed as available to act on)
- The organization hierarchy models divisions, departments, and teams
- Work groups are associated to one or more organizations
- Users can also be associated individually to organizations
- Administration for lower-level organizations can be delegated to users or user groups associated to upper-level organizations
25
Organization Example
- A role permission allows the user to update document templates
- The user is a member of one or more organizations
- Certain document templates are associated to organizations
- The document templates available to the user are limited to those that belong to the user's organization(s)
Organization resources
- Document templates
- Business calendars
- Scripts
- Other entities defined by FICO products
- For backward compatibility, these resources are part of the Default Organization, available to All Users and All Groups
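The two-layer check in the organization example, as added example code that is not FICO Platform's own: a role permission decides whether the user may update document templates at all, and organization membership (direct or via work groups) decides which templates are listed, with the Default Organization's templates available to everyone. Organizations, work groups and template names are constructed.

```python
# Added example, not FICO Platform code, of the two-layer check on this slide:
# a role permission decides whether the user may update document templates at all,
# and organization membership (direct or via work groups) decides which templates
# are listed; the Default Organization's templates are available to everyone.
# Organizations, groups and template names are constructed sample data.
DEFAULT_ORG = "Default Organization"

TEMPLATES_BY_ORG = {  # organization -> document templates it owns
    DEFAULT_ORG: {"Generic Acknowledgement"},
    "Claims Division": {"Claim Decision Letter"},
    "SIU": {"Fraud Referral Memo", "Interview Request"},
}
WORK_GROUP_ORGS = {"SIU Team A": {"SIU"}, "Claims Team 1": {"Claims Division"}}

def user_organizations(direct_orgs: set, work_groups: set) -> set:
    """Organizations the user belongs to, always including the Default Organization."""
    orgs = set(direct_orgs)
    for group in work_groups:
        orgs |= WORK_GROUP_ORGS.get(group, set())
    return orgs | {DEFAULT_ORG}

def available_templates(direct_orgs: set, work_groups: set) -> set:
    """What is listed: only templates belonging to the user's organization(s)."""
    orgs = user_organizations(direct_orgs, work_groups)
    return set().union(*(TEMPLATES_BY_ORG.get(org, set()) for org in orgs))

def can_update_template(permissions: set, direct_orgs: set, work_groups: set,
                        template: str) -> bool:
    """Roles decide the action; the organization decides the data it may touch."""
    if ("Update", "DocumentTemplates") not in permissions:
        return False
    return template in available_templates(direct_orgs, work_groups)
```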
26
Delegated Administration
- Of users, work groups, and roles managed by individual clients, divisions, and departments, such as directors, managers, and supervisors
- The hierarchical structure allows Scope of Authority limits to:
  - Roles they have been associated to and the child roles of those roles
  - Work groups they have been associated to, the child groups of those groups, and the users within those work groups
  - Organizations they have been associated to and the child organizations of those organizations
- Role permissions determine which maintenance has been delegated
  - Users are always limited to their Scope of Authority
  - A user cannot change a hierarchy without permission to act on the resource (Create, Edit, or Delete) for the specific hierarchy (Roles, Work Groups, or Organizations)
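Scope of Authority as described above, as an added example that is not FICO Platform code: an administrator may act on a role, work group or organization only when a role permission delegates that action for that hierarchy and the target is one they are associated to or a descendant of it, and users are in scope when they belong to a work group in scope. The hierarchies, members and names are constructed.

```python
# Added example, not FICO Platform code: Scope of Authority for delegated
# administration. An administrator may act on a role, work group or organization
# only if a role permission delegates that action for that hierarchy AND the target
# is one they are associated to, or a descendant of it; users are in scope when they
# belong to a work group in scope. Hierarchies, members and names are constructed.
HIERARCHIES = {  # hierarchy -> {node: [child nodes]}
    "Roles": {"Manager": ["Investigator", "Claims Supervisor"],
              "Investigator": ["Information Only"]},
    "Work Groups": {"SIU": ["SIU Team A", "SIU Team B"]},
    "Organizations": {"Default Organization": ["Claims Division"],
                      "Claims Division": ["SIU Dept"]},
}
GROUP_MEMBERS = {"SIU": {"carol"}, "SIU Team A": {"alice"}, "SIU Team B": {"bob"}}

def descendants(hierarchy: str, node: str) -> set:
    """The node itself plus every node below it in the named hierarchy."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(HIERARCHIES[hierarchy].get(current, []))
    return seen

def scope_of_authority(admin: dict, hierarchy: str) -> set:
    """Everything the admin is associated to in this hierarchy, plus its children."""
    nodes = admin["associations"].get(hierarchy, set())
    return set().union(*(descendants(hierarchy, n) for n in nodes))

def users_in_scope(admin: dict) -> set:
    """Users the admin may maintain: members of work groups within scope."""
    groups = scope_of_authority(admin, "Work Groups")
    return set().union(*(GROUP_MEMBERS.get(g, set()) for g in groups))

def can_administer(admin: dict, action: str, hierarchy: str, target: str) -> bool:
    """Both checks: the action must be delegated by a role permission, and the
    target must lie inside the admin's Scope of Authority for that hierarchy."""
    if (action, hierarchy) not in admin["permissions"]:
        return False
    return target in scope_of_authority(admin, hierarchy)

# Constructed delegated administrator: a supervisor associated to the SIU work group.
carol = {"permissions": {("Edit", "Work Groups"), ("Edit", "Roles")},
         "associations": {"Roles": {"Investigator"}, "Work Groups": {"SIU"}}}
```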
27
[Diagram: Tenant with Delegated Administration]
28
Open Discussion
- What have you found that works best?
- What don't you like?
- What would you like to see differently?
29
THANK YOU