Introduction to Access Risk Controls

The Access Risk Controls (ARC) module enforces segregation of duties (SoD) checks based on an innovative relation established between two different layers: the business activities layer and the role-based access control (RBAC) model.

One of the major difficulties that a real organization encounters when implementing an RBAC-based IAG system is mapping the entities planned within its business model, such as processes, activities, and permissions, to the entities outlined by the RBAC model, such as roles, users, and segregation of duties (SoD) rules.

This problem is particularly evident when transitioning from an existing authorization model, in which authorization profiles have been layered over time with a business-driven vision, to an RBAC model, which requires uniform organizational planning and centralized management of the entire authorization flow.

The Access Risk Controls engine is the tool capable of connecting these two models -- Business and RBAC. More specifically, the ARC module extends features of the RBAC model by introducing the "at-risk activities" concept.

It is always desirable, if not necessary, to prevent a member of the organization from taking on operational privileges that might cause a conflict of interest and possibly have a detrimental effect on the organization.

For example, consider an employee whose task is to analyze the market in search of new products to add to the company's production process.

For obvious reasons, the organization strongly advises that this person should not simultaneously be entrusted with signing product purchase orders.

The general principle is that an individual employee should not be authorized to perform tasks which might damage the organization.

This aspect is one of the main elements that lead to the implementation of an IAG system.

In the RBAC model, this problem is modeled and managed using the segregation of duties (SoD) concept.

SoD imposes constraints so that a user with a certain role cannot take on another role whose nature conflicts with the one already assigned.

ARC embeds the management of SoD aspects into the more general concept of risk.

The ARC module provides a set of functions that enable:

  • Definition of the entire set of activities necessary to complete each specific business process.
  • Tracking the risks associated with a generic set of activities.
  • Aggregation of each activity with the necessary set of authorization entitlements to perform the activity.
  • Tracking the entire set of conflicts among the different authorization entitlements.
  • Tracking a set of at-risk roles registered in the system.
  • Tracking a set of illegal users registered in the system.
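The following is an added example, not code from the ARC module, that models the two-layer relation described above on the market-analysis versus purchase-order case: business activities are backed by the entitlements needed to perform them, risks are pairs of activities one person must not hold together, and RBAC roles and users are checked against those risks. All activity, entitlement, role and user names are constructed for the illustration.

```python
# Constructed model of the two ARC layers: business activities (each backed by
# the entitlements needed to perform it) and the RBAC roles and users that hold
# those entitlements. Names are hypothetical, not the ARC module's own.

# Business layer: activity -> entitlements required to perform it
ACTIVITIES = {
    "MarketAnalysis": {"crm:read", "catalog:propose"},
    "SignPurchaseOrder": {"po:approve", "erp:sign"},
    "ReceiveGoods": {"erp:receipt"},
}

# Risk: a pair of activities one person must not be able to perform together
RISKS = {
    "R1_propose_and_approve": ("MarketAnalysis", "SignPurchaseOrder"),
    "R2_approve_and_receive": ("SignPurchaseOrder", "ReceiveGoods"),
}

# RBAC layer: role -> entitlements granted; user -> roles assigned
ROLES = {
    "Analyst": {"crm:read", "catalog:propose"},
    "Approver": {"po:approve", "erp:sign"},
    "Warehouse": {"erp:receipt"},
    "Procurement": {"crm:read", "catalog:propose", "po:approve", "erp:sign"},
}
USERS = {
    "alice": {"Analyst"},
    "bob": {"Approver", "Warehouse"},
    "carol": {"Warehouse"},
}

def activities_enabled(entitlements):
    """Business activities fully covered by a set of entitlements."""
    return {a for a, need in ACTIVITIES.items() if need <= entitlements}

def risks_for(entitlements):
    """IDs of risks whose two activities are both enabled by the entitlements."""
    acts = activities_enabled(entitlements)
    return sorted(r for r, (a, b) in RISKS.items() if a in acts and b in acts)

def at_risk_roles():
    """Roles that on their own violate an SoD rule (single-role conflict)."""
    return {r: risks_for(ents) for r, ents in ROLES.items() if risks_for(ents)}

def illegal_users():
    """Users whose entitlements aggregated across all their roles violate a rule,
    even when no single role does (cross-role conflict)."""
    combined = {u: set().union(*(ROLES[r] for r in rs)) for u, rs in USERS.items()}
    return {u: risks_for(e) for u, e in combined.items() if risks_for(e)}
```

Note that "bob" holds two individually clean roles whose combination still enables both sides of R2, which is why user-level aggregation is checked separately from role-level conflicts.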