Introducing Core Role Designer - Michael Marks Product Manager - Identity, Core Security

CONNECT 2017 CORE ROLE DESIGNER

Transcript of Introducing Core Role Designer - Michael Marks Product Manager - Identity, Core Security



Michael Marks, Product Manager, Core Security

Alessandro Colantonio, Data Scientist, Core Security

AGENDA

• What is Core Role Designer?
• How does it work?
• Demo
• What's coming in future releases?
• Q&A

What is Core Role Designer?

Discover → Interpret → Communicate

Identity Governance and analytics are merging.

Today's analytics fail to communicate effectively.

Analytics + Visualizations

RBAC can lead to greater business enablement

Current Role Mining Solutions Make the Wrong Choice

Black Box → Role A, Role B, Role C

Issues with this approach:

• Are these roles even right?

• How do you know you haven't over- or under-provisioned?

• Are the people getting these roles similar enough?

Core Role Designer works with ANY target system or provisioning platform

How does it work?

Everything is an integer…
§ Entities can be represented with ordinal numbers
• Users: 0=Alice, 1=Bob, 2=Carl, 3=Daniel, …
• Entitlements: 0=SU01, 1=FB03, 2=F-91, 3=MIGO, …
§ Subsets of entities are represented by integer sets
• A role made up of transactions FB03 and MIGO assigned to Bob and Carl is represented by the sets {1, 3} and {1, 2}

Set  operations

Union

Symmetric  Difference

Intersection

Difference

What is the best algorithm for set intersection?

A = 5 7 10 34 35 51 76
B = 7 34 51 76 90 97

A ∩ B, walking both sorted arrays with one cursor each (the slide animates this step by step):

5 = 7 ? no, advance A
7 = 7 ? yes, emit 7, advance both
10 = 34 ? no, advance A
… (continue the same way for 34, 35, 51, 76)

A ∩ B = 7 34 51 76

• It is "optimal" because you iterate (at most) over all elements of the two sets only once

• BUT ONLY FROM A THEORETICAL POINT OF VIEW!

Compressed bitmaps
§ Bit arrays (bitmaps) significantly speed up integer set operations
• Exploit bit-level parallelism in hardware to speed up operations (bits are written most-significant first below)
• {3, 7, 8, 15} = 1000000110001000
• {0, 7, 8, 10} = 0000010110000001
• {3, 7, 8, 15} ∩ {0, 7, 8, 10} = 1000000110001000 AND 0000010110000001 = 0000000110000000 = {7, 8}
§ However, bitmaps usually use a large storage space.
• CONCISE is a bitmap compression algorithm that trades some space to allow for fast bitwise operations without decompressing bitmaps
• Colantonio, A., Di Pietro, R. (2010). CONCISE: COmpressed 'N' Composable Integer SEt. Information Processing Letters, 110(16), 644-650.

How CONCISE works

How to perform set intersection?

Each set is a list of (offset, 32-bit word) pairs:

A: 32: 00100001000101010010101010000101   128: 00000000000000011111111111111111
B: 128: 00100001000101010010101010000101   160: 00100001000101010010101010000101

A ∩ B = 128: 00000000000000010010101010000101

§ It is a mix of the two approaches:
• Use sorted-array intersection to identify two words with the same offset
• Use bitwise AND to intersect bits in the words
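A runnable version of the two strategies described on these slides, added here as an illustration (it is not code from the talk, from Sonar, or from the CONCISE library): the sorted-array merge from the walk-through above, and a simplified sparse bitmap stored as (offset, 32-bit word) pairs that merges on offsets and ANDs the matching words. The (offset, word) layout and the 32-bit word size are assumptions for this example, not the CONCISE encoding.

```python
from typing import Dict, List, Tuple

WORD_BITS = 32  # assumed word size, matching the 32-bit words in the slide's walk-through

def sorted_intersection(a: List[int], b: List[int]) -> List[int]:
    """Merge-style intersection of two sorted integer arrays: the slide's
    '5 = 7?', '7 = 7?' walk-through. Each element is inspected at most once."""
    i = j = 0
    out: List[int] = []
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            out.append(a[i])
            i, j = i + 1, j + 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return out

def to_words(s: List[int]) -> List[Tuple[int, int]]:
    """Sparse bitmap (constructed layout, not CONCISE): sorted (offset, word) pairs where
    bit k of the word means offset + k is in the set. All-zero words are simply absent."""
    words: Dict[int, int] = {}
    for x in s:
        off = (x // WORD_BITS) * WORD_BITS
        words[off] = words.get(off, 0) | (1 << (x % WORD_BITS))
    return sorted(words.items())

def words_intersection(wa: List[Tuple[int, int]], wb: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """The mixed approach: merge on offsets exactly like sorted_intersection, and where both
    sets hold a word at the same offset, AND the two words in one hardware operation.
    Words present in only one set, and words whose AND is zero, never reach the result."""
    i = j = 0
    out: List[Tuple[int, int]] = []
    while i < len(wa) and j < len(wb):
        if wa[i][0] == wb[j][0]:
            w = wa[i][1] & wb[j][1]
            if w:
                out.append((wa[i][0], w))
            i, j = i + 1, j + 1
        elif wa[i][0] < wb[j][0]:
            i += 1
        else:
            j += 1
    return out

def from_words(words: List[Tuple[int, int]]) -> List[int]:
    """Decode a sparse bitmap back to a sorted integer list."""
    return [off + k for off, w in words for k in range(WORD_BITS) if (w >> k) & 1]
```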

Memory footprint
§ Close to the best approaches, based on data density (self-adaptive!)

Computational complexity
§ Intersection of pairs of 10k random integers
§ AGAIN, self-adaptive!

Main algorithms in Sonar
§ Most of the data mining algorithms are based on set operations → you can boost the performance of all of them
§ Algorithms implemented in Sonar that benefit from CONCISE:
• Role mining (pattern enumeration + optimal set)
• Matrix visualization
• Segregation of Duties
• Missing & Outlier detection
• Role Matching
• Minability index
• Category Marginality/Variance
• Overlapping and role refactoring
• AHP (Analytic Hierarchy Process)

Binary matrices
§ Relationships between entities can be represented by binary matrices
§ A binary matrix can be seen as a set of rows, each row represented by a compressed bitmap
§ Only non-zero rows need to be represented
§ Matrix operations (e.g., multiplication) can be easily reduced to a sequence of set operations (mainly intersections) on the compressed representations of rows
§ Most matrix operations can be naturally parallelized by "distributing rows" across all the available cores

Multiplication of BMs = indirect relationships

Rows × Roles (rows are the five unlabelled entities on the slide; columns: Basic User, Full Professor, External Teacher):

1 0 0
1 1 0
1 1 0
1 0 1
1 0 1

Roles × Permissions (columns: internet, email, spend >$500, teach students, supervise thesis):

1 1 0 0 0
0 0 0 1 1
0 0 1 1 0

Product = Rows × Permissions (same five permission columns):

1 1 0 0 0
1 1 0 1 1
1 1 0 1 1
1 1 1 1 0
1 1 1 1 0

Back to authorization models…

Entities: OrgUnit, Profiles, Accounts, Groups, Resources. The slide shows one binary matrix per relationship: Parent OrgUnit × Child OrgUnit, OrgUnit × Profile, Profile × Account, Account × Group, Parent Group × Child Group, Group × Resource, Account × Resource (the slide's matrix cells are placeholder values).

Resources assigned to users belonging to each OU…

Multiplying along the chain gives three OrgUnit × Resource matrices:

• OrgUnit × Profile × Account × Group × Resource: OrgUnits which contain profiles that have resources assigned to their accounts through groups

• OrgUnit × Profile × Account × Resource: OrgUnits which contain profiles that have resources directly assigned to their accounts

• the sum (union) of the two: OrgUnits which contain profiles that have resources assigned to their accounts, directly or indirectly through groups
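Added example (not Sonar's or Core Role Designer's code) of the binary-matrix idea from the last three slides: rows are held as bitmaps, the boolean product is one row-by-column intersection per entry, and the OrgUnit → Resource chains are just repeated products. The users × roles and roles × permissions matrices are read off the multiplication slide; the OrgUnit chain function takes the relationship matrices as arguments, since the slides show no real OrgUnit data.

```python
from typing import List, Tuple

# Boolean matrices as lists of row bitmaps (Python ints): bit j of row i is set iff
# M[i][j] == 1. Added illustration, not Sonar's or Core Role Designer's code.

def rows_from_lists(m: List[List[int]]) -> List[int]:
    """Encode a 0/1 matrix as row bitmaps (column j -> bit j)."""
    return [sum(1 << j for j, v in enumerate(row) if v) for row in m]

def to_lists(rows: List[int], ncols: int) -> List[List[int]]:
    """Decode row bitmaps back to a 0/1 matrix, for display and checking."""
    return [[(r >> j) & 1 for j in range(ncols)] for r in rows]

def transpose(rows: List[int]) -> List[int]:
    """Column bitmaps of a row-bitmap matrix (column j becomes bitmap j)."""
    ncols = max((r.bit_length() for r in rows), default=0)
    return [sum(1 << i for i, r in enumerate(rows) if (r >> j) & 1) for j in range(ncols)]

def bool_matmul(a: List[int], b: List[int]) -> List[int]:
    """Boolean product A x B: C[i][j] = 1 iff row i of A intersects column j of B,
    so each entry is one bitmap intersection (AND) followed by a non-empty test.
    All-zero rows of A are skipped, matching 'only non-zero rows need representing'."""
    bt = transpose(b)
    return [0 if ra == 0 else sum(1 << j for j, cb in enumerate(bt) if ra & cb)
            for ra in a]

# Data read off the slide: rows x roles (Basic User, Full Professor, External Teacher)
# and roles x permissions (internet, email, spend >$500, teach students, supervise thesis).
USER_ROLE = rows_from_lists([[1, 0, 0], [1, 1, 0], [1, 1, 0], [1, 0, 1], [1, 0, 1]])
ROLE_PERM = rows_from_lists([[1, 1, 0, 0, 0], [0, 0, 0, 1, 1], [0, 0, 1, 1, 0]])
N_PERM = 5

def user_permissions() -> List[List[int]]:
    """The slide's indirect row -> permission relationship, USER_ROLE x ROLE_PERM."""
    return to_lists(bool_matmul(USER_ROLE, ROLE_PERM), N_PERM)

def ou_resources(ou_prof: List[int], prof_acc: List[int], acc_grp: List[int],
                 grp_res: List[int], acc_res: List[int]) -> Tuple[List[int], List[int], List[int]]:
    """Resources reachable from each OrgUnit along the authorization model:
    directly (OU -> Profile -> Account -> Resource), through groups
    (... -> Account -> Group -> Resource), and the union of both paths."""
    ou_acc = bool_matmul(ou_prof, prof_acc)
    direct = bool_matmul(ou_acc, acc_res)
    via_groups = bool_matmul(ou_acc, bool_matmul(acc_grp, grp_res))
    combined = [d | v for d, v in zip(direct, via_groups)]
    return direct, via_groups, combined
```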

OData API
§ Open Data Protocol (OData) enables the creation and consumption of REST APIs
• allows resources, identified by URLs and defined in a data model, to be published
• uses simple HTTP messages
§ producers are services that expose their data using the OData protocol
§ consumers are simply applications that consume data exposed using the OData protocol
§ More info:
• http://www.odata.org/getting-started/understand-odata-in-6-steps/
• http://www.odata.org/getting-started/basic-tutorial/

Example: requesting an entity
§ GET http://ODATA_SERVICE/Roles
§ Response:

    {
      …
      'value': [
        {
          '@odata.id': 'http://ODATA_SERVICE/Roles(‘rid1’)',
          '@odata.etag': 'etag_rid1',
          …
          'ID': 'rid1',
          'property1': 'value11',
          'property2': 'value12',
          …
        },
        {
          '@odata.id': 'http://ODATA_SERVICE/Roles(‘rid2’)',
          '@odata.etag': 'etag_rid2',
          …
          'ID': 'rid2',
          'property1': 'value21',
          'property2': 'value22',
          …
        },
        …
      ]
    }

Demo

What's coming in future releases?

Core Role Designer Tactical Roadmap

Timeline: Jul 2017 – 2018 (Q3 2017, Q4 2017, Q1 2018, Q2 2018)
Milestones: Initial Launch; SaaS; SOD; Multi-level Entitlement

Core Role Designer Strategic Roadmap

Core Role Designer → Core Role Lifecycle Manager

Q & A

THANK  YOU