them a new one. The administrators are also the only ones who can unlock a
user's account after it has been locked out because of a number of incorrect
login attempts. It's assumed that they will have already verified the user's
bona fides out of band before unlocking the account.
Fine-grained authorisation:
In the LIMA model, we delegate fine-grained authorisation to the respective
business applications themselves because these rules are best defined close
to where they are used. The rate of change of such detailed information also
militates against their management at an enterprise level.
However, we do have some options to make an administrator's life easier.
We can loosely couple the administration screens of IAM and the business
applications, so that when the administrator is finished creating a user on
IAM, they can follow a hyperlink to the business application's own user
administration screen and continue the fine-grained provisioning from there.
Since the business application is protected by IAM's SSO regime, and since
the administrator has a suitable role within the application that gives them
access to this screen, the navigation will be seamless, uninterrupted by any
login screen or other access challenge. There may be a change in the look-
and-feel of the two applications, but this is cosmetic rather than functional.
To be truly loosely-coupled, each user must store their own browser
bookmarks to the different user provisioning screens, but to sweeten the pill
of having to cross application boundaries to perform this function, it may be
desired to provide hyperlinks to the business applications' user admin
screens from within the IAM user admin screen. Since it's not expected that
the URIs of these admin screens will change frequently, it may not be a bad
compromise.
Role Type, Application-Role and User-Application-Role associations:
Arguably the most important part of user administration is the grant and
revocation of access rights to applications. Keeping in mind that IAM only
manages coarse-grained authorisation, you will need screens to define
generic enterprise roles, associations between generic roles and applications
to create application-specific roles (coarse-grained, of course), and finally
the mapping of users to these application-specific roles.
All grants and revocations should be two-phase (request/authorise), and
they must be logged.
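As an added illustration (not code from the book or from LIMA itself), the following Python sketch models the three associations just described together with the two-phase grant/revoke flow and its audit log; it assumes, as a separation-of-duties rule the text does not spell out, that the authorising administrator must differ from the requesting one. The class and method names are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class RoleStore:
    # Coarse-grained model only: fine-grained rules stay in the applications.
    role_types: set = field(default_factory=set)       # generic enterprise roles
    app_roles: set = field(default_factory=set)        # (app, role_type) associations
    user_app_roles: set = field(default_factory=set)   # (user, app, role_type) mappings
    pending: dict = field(default_factory=dict)        # request id -> request tuple
    audit: list = field(default_factory=list)          # every phase is logged here
    next_id: int = 1

    def define_role_type(self, role):
        self.role_types.add(role)

    def associate(self, app, role):
        # An application-specific role is a generic role bound to one application.
        if role not in self.role_types:
            raise ValueError(f"unknown role type {role!r}")
        self.app_roles.add((app, role))

    def request(self, requester, action, user, app, role):
        # Phase 1: record the request; nothing changes until it is authorised.
        if action not in ("grant", "revoke") or (app, role) not in self.app_roles:
            raise ValueError(f"invalid request: {action} {app}/{role}")
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = (requester, action, user, app, role)
        self._log("requested", requester, rid, action, user, app, role)
        return rid

    def authorise(self, approver, rid):
        # Phase 2: a second administrator approves; self-approval is refused (assumption).
        requester, action, user, app, role = self.pending[rid]
        if approver == requester:
            self._log("refused", approver, rid, action, user, app, role)
            raise PermissionError("requester may not authorise their own request")
        del self.pending[rid]
        if action == "grant":
            self.user_app_roles.add((user, app, role))
        else:
            self.user_app_roles.discard((user, app, role))
        self._log("authorised", approver, rid, action, user, app, role)

    def has_role(self, user, app, role):
        return (user, app, role) in self.user_app_roles

    def _log(self, event, actor, rid, action, user, app, role):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, event, actor, rid, action, user, app, role))
```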