Information Security
November 2016
1. Introduction
1.1. Outline:
This document outlines an Access Management system that is capable of supporting a programmatic approach to managing user
access. The future state design leverages several concepts that are not fully developed or mature at State Farm today.
1.2. General Overview:
The design strives to automatically provision pre-defined roles for associates, but also to de-provision those same users if an
associate's job changes or they leave the company. To ensure the RBAC role repository remains accurate, the workflow pulls
together role owners, application stewards and managers to keep roles up to date and systems secure from unauthorized
access.
The concepts of an Entitlement Filter and a Segregation of Duties (SoD) Engine are also incorporated in the design; these
provide the ability to place additional restrictions on granted access. For instance, an associate with access to sales account
data at 3 p.m. may be restricted by the Entitlement Filter from the same data at 3 a.m., and an associate allowed into a
database could be cut off if they tried to download amounts of data that exceeded pre-set thresholds. The SoD Engine uses
both a set of pre-defined SoD rules and AI-based algorithms to identify toxic combinations of user access and provide real-
time enforcement of access control policies.
2. Design Considerations:
2.1. Design Leverages:
The design leverages the following Access Management concepts that are not fully developed or mature at State Farm:
2.1.1. Comprehensive Associate Code - a code which reflects the department and job role an associate is aligned with. The
ultimate solution would accommodate internal, external and agency associates.
2.1.2. Role Based Access Control (RBAC) - a method of regulating access to system resources based on the roles of individual
users within the enterprise.
2.1.3. Separation of Duties (SoD) Engine - an automated SoD analysis tool which interrogates the system access an associate has
and flags existing toxic combinations.
2.1.4. Entitlement Filter - the capability to provide refined restrictions on granted access, such as time of day.
2.1.5. Associate User Access Database - a single repository which documents all user access that an associate is assigned.
2.1.6. Entitlement Catalog - a comprehensive repository of enterprise entitlements.
2.1.7. Access Tracking Report System - tracks and reports access to applications and systems to provide data for audit purposes.
3. Detailed Design
3.1. Data Flow Diagram:
Following is the data flow diagram of the future state:
[Data flow diagram: Associate Code (includes Job Role) -> RBAC System (Assign Access Roles) -> Assigned Access Roles Database -> Entitlement Filter (apply selected restrictions to granted access) -> Filtered Access Role]
3.2. Functioning:
1. The RBAC System determines the appropriate pre-defined access roles to grant to associates.
2. Apply the pre-defined Access Filter if applicable and update the Assigned Access Role Database.
3. The SoD Engine applies SoD rules and evaluates user access combinations for toxic combinations.
4. Associates access the system resources permitted by their assigned access roles.
5. The Access Tracking Report System generates logs which provide an audit trail of access.
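The five steps above, together with the Entitlement Filter scenarios from section 1.2 (the 3 p.m./3 a.m. time-of-day restriction and the download threshold), as an added worked example in Python; this is not code from the design document or from State Farm. The associate codes, role sets, SoD rule pairs, filter thresholds and user ids are constructed assumptions, the SoD Engine is reduced to its pre-defined rules (the AI-based component is not modelled), and the audit trail is an in-memory list standing in for the Access Tracking Report System.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data for this example; none of these codes, roles,
# rules or thresholds come from the design document.
# 2.1.1 Comprehensive Associate Code -> pre-defined RBAC roles (2.1.2)
RBAC_ROLES = {
    "SALES-REP": {"sales_account_read", "crm_user"},
    "SALES-MGR": {"sales_account_read", "sales_account_approve", "crm_user"},
    "AP-CLERK": {"vendor_create", "payment_release"},  # deliberately toxic pair
}

# 2.1.3 pre-defined SoD rules: entitlement pairs one person must not hold together
SOD_RULES = [
    ("vendor_create", "payment_release"),
    ("sales_account_approve", "sales_account_create"),
]

# 2.1.4 Entitlement Filter: refinements layered on top of granted access
ENTITLEMENT_FILTERS = {
    "sales_account_read": {"allowed_hours": range(6, 20), "max_rows": 10_000},
}

# The two moments used in section 1.2's illustration (date is constructed)
THREE_PM = datetime(2016, 11, 1, 15, 0)
THREE_AM = datetime(2016, 11, 1, 3, 0)

AUDIT_LOG = []  # 2.1.7 Access Tracking Report System sink (in-memory here)


def audit(event, **fields):
    """Append one audit-trail record (step 5)."""
    AUDIT_LOG.append({"ts": datetime.now().isoformat(), "event": event, **fields})


@dataclass
class Associate:
    user_id: str
    associate_code: str


@dataclass
class AssignedAccess:
    """One row of the Associate User Access Database (2.1.5)."""
    user_id: str
    roles: set = field(default_factory=set)
    filters: dict = field(default_factory=dict)


def assign_roles(assoc):
    """Steps 1-2: RBAC lookup by associate code, then attach any filters."""
    roles = set(RBAC_ROLES.get(assoc.associate_code, set()))
    filters = {r: ENTITLEMENT_FILTERS[r] for r in roles if r in ENTITLEMENT_FILTERS}
    audit("provision", user=assoc.user_id, code=assoc.associate_code, roles=sorted(roles))
    return AssignedAccess(assoc.user_id, roles, filters)


def sod_violations(access):
    """Step 3: return the pre-defined toxic pairs present in one user's access."""
    found = [pair for pair in SOD_RULES if set(pair) <= access.roles]
    for pair in found:
        audit("sod_violation", user=access.user_id, pair=pair)
    return found


def check_access(access, entitlement, when, rows=0):
    """Step 4: allow only granted access that also passes its Entitlement Filter."""
    reason = None
    if entitlement not in access.roles:
        reason = "not_granted"
    else:
        f = access.filters.get(entitlement)
        if f and when.hour not in f["allowed_hours"]:
            reason = "outside_allowed_hours"
        elif f and rows > f["max_rows"]:
            reason = "download_threshold_exceeded"
    audit("deny" if reason else "allow", user=access.user_id,
          entitlement=entitlement, at=when.isoformat(), rows=rows, reason=reason)
    return reason is None


def reprovision(access, new_code):
    """Job change / leaver: drop everything, then re-run RBAC for the new code
    (an empty code models a leaver and de-provisions the user entirely)."""
    audit("deprovision", user=access.user_id, roles=sorted(access.roles))
    fresh = assign_roles(Associate(access.user_id, new_code))
    access.roles, access.filters = fresh.roles, fresh.filters
    return access


if __name__ == "__main__":
    rep = assign_roles(Associate("u1001", "SALES-REP"))
    print(check_access(rep, "sales_account_read", THREE_PM, rows=500))   # True
    print(check_access(rep, "sales_account_read", THREE_AM, rows=500))   # False
    clerk = assign_roles(Associate("u2002", "AP-CLERK"))
    print(sod_violations(clerk))  # the vendor_create / payment_release pair
    for record in AUDIT_LOG:
        print(record)
```

Running the module provisions a sales rep, shows the same entitlement allowed at 3 p.m. and denied at 3 a.m., flags the toxic vendor_create/payment_release pair held by the clerk, and prints the audit records; in a deployment those records would go to the reporting system rather than a list, and the SoD check would run both at provisioning time and on a schedule so that role changes made outside the workflow are still caught.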