
Technical Series: Authentication and Access Control

A key benefit of using a Decision Management System is to allow the life-cycle of automated decisions to be fully managed by the enterprise.

When the decision logic remains in the application code, it becomes difficult to separate access to the decision logic from access to the rest of the code. For example, reading through pages of commit comments to find the ones relevant to the decision is close to impossible. So is ensuring that only resources with the right roles can modify the logic.
Clearly, this leads to the same situation you would be in if your business data were totally immersed in the application code. You would not do that for your business data, you should not do that for your business decision logic for exactly the same reasons.

Decision Management Systems separate the decision logic from the rest of the code. Thus, you get the immense benefit of being able to update the decision logic according to the business needs. But the real benefit comes when you combine that with authentication and access control:

  • you can control who has access to what decision logic asset, and for what purpose
  • and you can trace who did what to which asset, when and why

Of course, a lot of what is written here applies to other systems than Decision Management Systems. But this is particularly important in this case.

Roles and access control

The very first thing to consider is how to control who has access to what in the DMS. This is access control — but note that we also use authorization as an equivalent term.
In general, one thinks of access control in terms of roles and assets. Roles characterize how a person interacts with the assets in the system.
And the challenge is that there are many roles involved in interacting with your automated decision logic. The same physical person may fill many roles, but those are different roles: they use the decision management system in different ways. In other words, these different roles have access to different operations on different sets of decision logic assets.

Base roles and access control needs

Typically, and this is of course not the only way of splitting them, you will have roles such as the following:

  • Administrator
    The administrator role administers the system but rarely is involved in anything else. In general, IT or operations resources are those with this role.

  • Decision definer
    The decision definer role is a main user role: this role is responsible for managing the requirements for the automated decision and its expected business performance. Typically, business owners and business analysts are assigned this role.

  • Decision implementer
    The decision implementer role is the other main user role: this role designs, implements, tests and optimizes decisions. Generally, business analysts, data analysts or scientists, decision owners, and sometimes business-savvy IT resources are given this role.

  • Decision tester
    The decision tester role is involved in business testing of the decisions: validating they really do fit what the business needs. Usually, business analysts, data analysts and business owners fill this role.

  • Life-cycle manager
    The life-cycle manager role is responsible for ensuring that enterprise-compliant processes are followed as the decision logic assets go from requirements to implementation to deployment and retirement.

More advanced needs

There may be many other roles, and the key is to realize that how the enterprise does business impacts what these roles may be. For example, our company has a number of enterprise customers who have two types of decision implementer roles:

  • General decision implementer: designs, implements the structure of the decision and many parts of it, tests and optimizes it
  • Restricted decision implementer: designs and implements only parts of the decision — groups of rules, or models

The details of what the second role can design and implement may vary from project to project.

Many other such roles may be defined, for example one that can modify anything except the contract between the automated decision and the application that invokes it.

It gets more complicated: you may also need to account for the fact that only specific roles can manage certain specific assets. For example, you may have a decision that incorporates a rate computation table that only a few resources can see, although it is part of what the system manages and executes.

Requirements for the Decision Management System

Given all this, the expectation is that the DMS supports directly, or through an integration with the enterprise systems, the following:

  • Role-based access control to the decision logic assets
  • And ability to define custom roles to fit the needs of the enterprise and how it conducts its business
  • And ability to have roles that control access to specific operations on specific decision logic assets

This can be achieved in a few ways. In general:

  • If all decision assets are in a system which is also managed by the enterprise authentication and access control system: you can directly leverage it
  • And if that is not the case: you delegate authentication and basic access control to the enterprise authentication and access control system, and manage the finer-grained access control in the DMS, tied to the external authentication
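The following is an added example (not Sparkling Logic's or any DMS vendor's code) of the finer-grained access control described above: the base roles from this post, a restricted implementer role, a custom role defined on the fly, and an asset (a rate table) that only a few roles may see or touch even though the system manages and executes it. The asset paths, operation names and permissions are assumed for illustration; the external authentication that supplies the role list is taken as given here.

```python
# Added illustration of role-based access control over decision logic assets.
# Example code, not Sparkling Logic's. Role names follow the post; asset paths,
# operations and the permissions attached to each role are assumed.
from dataclasses import dataclass
from fnmatch import fnmatchcase

READ, EDIT, TEST, DEPLOY, ADMIN = "read", "edit", "test", "deploy", "admin"


@dataclass(frozen=True)
class Permission:
    operation: str      # one of the operations above; ADMIN implies all of them
    asset_pattern: str  # glob over hypothetical asset paths such as "loan/rules/*"


# Registry of roles: name -> permissions. Deny by default: anything not listed is refused.
ROLES: dict = {}


def define_role(name: str, *permissions: Permission) -> None:
    """Register a base or custom role (custom roles are a stated requirement)."""
    ROLES[name] = frozenset(permissions)


# Base roles from the post, with hypothetical permissions.
define_role("administrator", Permission(ADMIN, "*"))
define_role("decision_definer", Permission(READ, "loan/*"), Permission(EDIT, "loan/requirements/*"))
define_role("decision_implementer", Permission(READ, "loan/*"), Permission(EDIT, "loan/*"),
            Permission(TEST, "loan/*"))
define_role("decision_tester", Permission(READ, "loan/*"), Permission(TEST, "loan/*"))
define_role("lifecycle_manager", Permission(READ, "loan/*"), Permission(DEPLOY, "loan/*"))
# Restricted implementer: may change rule groups and models, but not the
# decision structure or the contract with the calling application.
define_role("restricted_implementer",
            Permission(READ, "loan/*"), Permission(TEST, "loan/*"),
            Permission(EDIT, "loan/rules/*"), Permission(EDIT, "loan/models/*"))

# Asset-specific restriction: the rate table is executed like any other asset,
# but only these roles may see or touch it. This gate sits on top of the role
# permissions, so holding EDIT on "loan/*" is not enough by itself.
RESTRICTED_ASSETS = {
    "loan/tables/rate_table": frozenset({"administrator", "decision_definer"}),
}


def is_allowed(user_roles, operation: str, asset: str) -> bool:
    """True only if a held role grants the operation on the asset AND any
    asset-specific restriction admits one of the held roles."""
    held = set(user_roles)
    gate = RESTRICTED_ASSETS.get(asset)
    if gate is not None and not (held & gate):
        return False
    for role_name in held:
        for perm in ROLES.get(role_name, ()):  # unknown roles grant nothing
            if perm.operation in (operation, ADMIN) and fnmatchcase(asset, perm.asset_pattern):
                return True
    return False


def explain(user_roles, operation: str, asset: str) -> str:
    """One-line decision record, suitable for the activity trace."""
    verdict = "ALLOW" if is_allowed(user_roles, operation, asset) else "DENY"
    return f"{verdict} {operation} on {asset} for roles {sorted(set(user_roles))}"
```

Two design points worth keeping when adapting this: the restricted-asset gate is evaluated before role permissions, so a broad pattern such as `loan/*` can never leak a restricted asset, and an unknown role name (for example, a group from the directory that has no mapping) grants nothing rather than failing open.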


Of course, roles are attached to a user, and in order to guarantee that the user is the right one, you will be using an authentication system. There is a vast number of such systems in the enterprise, and they play a central role in securing the assets the enterprise deals with.


The principle is that for each user that needs to have access to your enterprise systems, you will have an entry in your authentication system. Thus, the authentication system will ensure the user is who the user claims, and apply all the policies the enterprise wants to apply: two-factor authentication, challenges, password changes, etc. Furthermore, it will also control when the user has access to the systems.

This means that all systems need to make sure a central system carries out all authentications. And this includes the Decision Management System, of course. For example:

  • The DMS is only accessible through another application that does the proper authentication
  • Or it delegates the authentication to the enterprise authentication system

The second approach is more common in a services world with low coupling.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Delegate its authentication to the enterprise authentication and access control systems
  • Or use the authentication information provided by an encapsulating service

Vendors in this space have the challenge that in the enterprise world there are many authentication systems, each with potentially more than one protocol. Just in terms of protocols, enterprises use:

  • LDAP (typically a bind against Active Directory or another directory)
  • WS-Federation
  • OAuth2 (an authorization framework rather than an authentication protocol on its own)
  • OpenID Connect (the identity layer on top of OAuth2 that supplies verifiable identity tokens)
  • and more
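As an added example of the second requirement above (using the authentication information provided by an encapsulating service), here is what the DMS side of that hand-off should check before trusting anything. This is illustration code, not Sparkling Logic's. It assumes the gateway or identity provider issues a JWT signed with a shared HS256 secret (many deployments use RS256 with published keys instead; the checks are the same, only the signature step differs), and that a `groups` claim carries the directory groups from which DMS roles are derived. The issuer, audience, group names and secret are constructed for the example.

```python
# Added example: a DMS validating an identity assertion from the enterprise IdP
# or an encapsulating gateway, then deriving DMS roles from directory groups.
# Example code, not Sparkling Logic's. HS256 shared secret, issuer, audience
# and the group-to-role mapping are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import time


class TokenError(ValueError):
    """Raised for any assertion the DMS must refuse."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """The IdP/gateway side, included only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate algorithm, signature, issuer, audience and time window.
    Claims are returned only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("undecodable token") from exc
    # Pin the algorithm: the token must never choose how it is verified ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    # Parse claims only after the signature is known good.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("undecodable claims") from exc
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def is_rejected(token: str, secret: bytes, issuer: str, audience: str, now=None) -> bool:
    """Convenience check: True if the DMS would refuse this assertion."""
    try:
        verify_token(token, secret, issuer, audience, now)
    except TokenError:
        return True
    return False


# Assumed mapping from directory groups to the DMS roles described in the post.
GROUP_TO_ROLE = {
    "dms-admins": "administrator",
    "loan-business-owners": "decision_definer",
    "loan-analysts": "decision_implementer",
    "loan-qa": "decision_tester",
    "release-managers": "lifecycle_manager",
}


def roles_from_claims(claims: dict) -> list:
    """Derive DMS roles from group membership; unmapped groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged payload never influences the role list, and the audience check prevents a token minted for another enterprise application from being replayed against the DMS.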


Additionally, enterprises are interested in keeping a close trace of who does what and when in the Decision Management System. Of course, using authentication and the fact that users will always operate within the context of an authenticated session largely enables them to do so.
But this is not just a question of change log: you also want to know who has been active, who has exported and imported assets, who has generated reports, who has triggered long simulations, etc.

Furthermore, there are three types of usages for these traces:

  • Situational awareness: you want to know what has been done recently and why
  • Exception handling: you want to be alerted if a certain role or user carries out a certain operation. For example, when somebody updates a decision in production.
  • Forensics: you are looking for a particular set of operations and want to know when, who and why. For example, for compliance verification reasons.

A persisted and query-able activity stream provides support for the first type of usage. Integrations with the enterprise log management and communication (alerting) systems support the other two.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Provide an activity stream users can browse through and query
  • And support an integration with the enterprise systems that log activity
  • And provide an integration with the enterprise systems that communicate alerts
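The following added example (not Sparkling Logic's code) shows the three usages on a minimal activity stream: an append-only record of who did what to which asset, when, in which role and why; a situational-awareness view of recent activity; alert rules for exceptions such as an update to a decision in production; and a forensics query over fields and a time window. Each event is also emitted as one JSON line to a pluggable sink standing in for the enterprise log management system. The field names, rule names and sample events are constructed for the example.

```python
# Added example of a persisted, query-able activity stream with alerting.
# Example code, not Sparkling Logic's; event fields, alert rules and the sample
# events are constructed for illustration.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional
import json


@dataclass(frozen=True)
class Activity:
    ts: str            # ISO-8601 UTC timestamp
    actor: str         # authenticated user, taken from the session
    role: str          # role in which the operation was performed
    operation: str     # e.g. "edit", "deploy", "export", "simulate", "report"
    asset: str         # decision logic asset touched
    environment: str   # e.g. "dev", "test", "production"
    reason: str        # the "why": change request or ticket reference


@dataclass(frozen=True)
class AlertRule:
    name: str
    matches: Callable[[Activity], bool]


class ActivityStream:
    """Append-only stream. A real deployment persists it and forwards every
    event to the enterprise log management system through `sink`."""

    def __init__(self, rules=(), sink: Optional[Callable[[str], None]] = None):
        self._events: List[Activity] = []
        self._rules = list(rules)
        self._sink = sink

    def record(self, actor, role, operation, asset, environment, reason, ts=None) -> List[str]:
        """Append one event; returns the names of alert rules it trips, which
        the caller routes to the enterprise alerting/communication system."""
        ts = ts or datetime.now(timezone.utc).isoformat()
        event = Activity(ts, actor, role, operation, asset, environment, reason)
        self._events.append(event)
        if self._sink is not None:
            self._sink(json.dumps(asdict(event)))  # one JSON line per event
        return [rule.name for rule in self._rules if rule.matches(event)]

    def recent(self, limit: int = 10) -> List[Activity]:
        """Situational awareness: newest first."""
        return list(reversed(self._events[-limit:]))

    def query(self, since=None, until=None, **fields) -> List[Activity]:
        """Forensics: exact-match filters on any field plus an optional time window."""
        out = []
        for e in self._events:
            if since and e.ts < since:
                continue
            if until and e.ts > until:
                continue
            if all(getattr(e, k) == v for k, v in fields.items()):
                out.append(e)
        return out


# Exception handling: the post's own example (an update to a decision in
# production) plus one assumed rule for exports outside the life-cycle role.
DEFAULT_RULES = [
    AlertRule("update-in-production",
              lambda e: e.environment == "production" and e.operation in {"edit", "deploy"}),
    AlertRule("export-by-non-lifecycle-role",
              lambda e: e.operation == "export" and e.role != "lifecycle_manager"),
]


def build_sample_stream(sink=None) -> ActivityStream:
    """Constructed sample events (not real data) exercising the three usages."""
    s = ActivityStream(DEFAULT_RULES, sink)
    s.record("alice", "decision_implementer", "edit", "loan/rules/credit_score", "dev", "CR-101",
             ts="2022-03-01T09:00:00+00:00")
    s.record("bob", "lifecycle_manager", "deploy", "loan/decision", "production", "CR-101",
             ts="2022-03-01T10:00:00+00:00")
    s.record("carol", "decision_implementer", "export", "loan/decision", "dev", "backup",
             ts="2022-03-02T08:30:00+00:00")
    s.record("dave", "administrator", "edit", "loan/tables/rate_table", "production", "hotfix",
             ts="2022-03-02T11:15:00+00:00")
    s.record("alice", "decision_tester", "simulate", "loan/decision", "test", "CR-102",
             ts="2022-03-03T14:00:00+00:00")
    return s
```

Note that the same person (alice) appears in two roles; recording the role in which an operation was performed, not just the user, is what makes the forensics question "who did this, and in what capacity" answerable later.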

There are many more details related to these authentication, access control and trace integrations. One interesting trend is to take all of them into account from the beginning, as the IT infrastructure moves to the models common in the cloud, even when on-premise.

This blog is part of the Technical Series, stay tuned for more!


Technical Series: Decision Management Platform Integrations

Decision Management and Business Rules Management platforms cater to the needs of business oriented roles (business analysts, business owners, etc.) involved in operational decisions. But they also need to take into account the constraints of the enterprise and its technology environment.

Among those constraints are the ones that involve integrations. This is the first series of posts exploring the requirements, approaches and trade-offs for decision management platform integrations with the enterprise eco-system.

Why integrate?

Operational decisions do not exist in a vacuum. They

  • are embedded in other systems, applications or business processes
  • provide operational decisions that other systems carry out
  • are core contributors to the business performance of automated systems
  • are critical contributors to the business operations and must be under tight control
  • must remain compliant, traced and observed
  • yet must remain flexible for business-oriented roles to make frequent changes to them

Each and every one of these aspects involves more than just the decision management platform. Furthermore, more than one enterprise system provides across-application support for these. Enterprises want to use such systems because they reduce the cost and risk involved in managing applications.
For example, authentication across multiple applications is generally centralized to allow a single point of control over who has access to them. Otherwise, each application implements its own, and management costs and risk skyrocket.

In particular, decision management platforms end up being a core part of the enterprise applications, frequently as core as databases. It may be easy and acceptable to use disconnected tools to generate reports, or write documents; but it is rarely acceptable to leave part of a core system unmanaged. In effect, there is little point in offering capabilities which cannot cleanly fit into the management processes of the enterprise; the gain made by giving business roles control of the logic is negated by the cost and risk in operating the platform.

In our customer base, most do pay attention to integrations. Which integrations are involved, and with which intensity, depends on the customer. However, it is important to realize that the success of a decision management platform for an enterprise also hinges on the quality of its integrations to its systems.

Which integrations matter?

We can group the usual integrations for decision management platforms in the following groups:

  • Authentication and Access Control
  • Implementation Support
  • Management Audit
  • Life-cycle management
  • Execution
  • Execution Audit
  • Business Performance Tracking

Authentication and access control integrations are about managing which user has access to the platform, and, beyond that, to which functionality within the platform.
Implementation support integrations are those that facilitate the identification, implementation, testing and optimization of decisions within the platform: import/export, access to data, etc.
Management audit integrations enable enterprise systems to track who has carried out which operations and when within the platform.
Life-cycle management integrations are those that support the automated or manual transitioning of decisions through their cycles: from inception to implementation and up to production and retirement.

Similarly, execution integrations enable the deployment of executable decisions within the context of the enterprise operational systems: business process platforms, micro-services platforms, event systems, etc. Frequently, these integrations also involve logging or audit systems.
Finally, performance tracking integrations are about using the enterprise reporting environment to get a business-level view of how well the decisions perform.

Typically, different types of integrations interest different roles within the enterprise. The security and risk management groups will worry about authentication, access control and audit. The IT organization will pay attention to life-cycle management and execution. Business groups will mostly focus on implementation support and performance tracking.

The upcoming series of blog posts will focus on these various integrations: their requirements, their scope, their challenges and how to approach them.

In the meantime, you can read the relevant posts in the “Best Practices” series:

Make your decision models more personal

The Decision Model and Notation (DMN) provides a number of ways to supply specific content to a model, i.e. some kind of information that is not directly related to the modeling or the decision implementation, but which can be relevant in your context nonetheless:

  • All diagram elements (input data, decision, business knowledge model, knowledge source) can have a description
  • Decisions have additional information such as a question that may characterize them and allowed answers, objectives, performance indicators, decision makers, decision owners, BPMN processes and BPMN tasks
  • Knowledge sources also have additional information such as a location for the source of knowledge, and the type of that source of knowledge, as well as an owner

Pencil Decision Modeler adds more information to the mix, such as the volume of a decision (how frequently the decision is made), its frequency (how frequently it changes) and its latency (how much time is allowed to make and deploy changes). Finally, glossary categories and entries can also have a description.

While this is great, this may not be sufficient for your own needs: you may need more information to be provided either in the DMN diagram itself, or in decision logic.


Talking about decisions (part 2)

In part 1, we talked about a number of ways to formalize knowledge, one being the Decision Model and Notation (brought to us by the OMG). Here we will look at some of the concepts used in DMN, and how they can be used to collaborate around the decisions of an organization.

Talking about decisions (part 1)

Every IT project has a number of stakeholders that need to collaborate to make the project a reality. This is of course also true of projects that have a Decision component, or of projects that are strictly Decision-based. And like any project they risk, depending on the organization, falling into the silo effect, where each group of stakeholders lives in its own little island, and very little communication takes place between the silos. This spells almost certain doom for the success of the project…

Shaping Serendipity on the Job

The announcement of the acquisition of SocialCast by VMware caught my eye last week.  This is not surprising since we have been very interested in the dynamics of Social and Collaboration for over a year as you know.  Let me point you to a very good blog post by Mike Fauscette from IDC that describes the value-add of SocialCast to VMware’s portfolio and I will then share my own thoughts on the subject.

I view Social as several waves of capabilities that are gradually penetrating the Enterprise with increasing value.

Social = Communication

The early Enterprise 2.0 companies / capabilities have focused primarily on the social updates to keep the user’s entourage aware of his / her status.  Facebook excels at sharing, tagging and commenting on pictures between friends.  Twitter allows small pieces of news to travel the world in record time.

Applying those technologies to the Enterprise required some thinking.  When I visited the Enterprise 2.0 conference last year, I was only partially surprised that large companies were still struggling to find the right use case for this technology.

The obvious first step was to leverage it with the current users, the “consumers”, for marketing or public relations.  The success stories we kept hearing about back then was about Comcast trying to turn around its image by servicing its customers via Twitter — looking out for angry and loud customers and proactively giving them red carpet treatment –, or Dell creating a new sales channel for refurbished equipment.  I must admit that the early mover and creative thinking here gave them extra credits and (more importantly) exposure.  It is refreshing to see marketing dollars routed to a value-added service rather than pure advertisement.

Product Management / Marketing also started creating some inbound traffic by allowing their customers to express themselves in their communities and share ideas on what they like / dislike in the current offerings as well as ideas on how to make them better.  With voting capabilities, you can filter a lot of the noise that could be generated on mass market products.

Social = Serendipity

The next move with the likes of Moxie or Jive has been to shape serendipity.  I do not recall who coined this expression but I love it.  By communicating at large to an available audience, you can increase your odds of coming across the right information at the right time.  In our Encounter with Geoffrey Moore post, he amusingly referred to “the serendipity of the guy with chocolate running into the guy with peanut butter”.

The typical Salesforce example is for Sales automation of course.  As a sales guy (or gal), you may be looking for nuggets of information in your ecosystem at the time you need it — which is inevitably minutes before a sales call.  You certainly do not care to know about every single call into tech support in real-time, but when you meet this important customer, it is invaluable to know that he/she has a dozen open tickets including 2 critical ones that have been pending for over a week now with very little activity, possibly some angry language was exchanged.  If you do not have the time and energy to look for it, you may want to post a quick note asking if anyone has anything to report on that very important customer.  The answer, happy or not, may come from tech support or fulfillment or training or professional services or legal or marketing, etc.  The beauty of the social platform is that only those who are available will look into it and feel compelled to share what they know and think is relevant.  Company-wide emails were the old way of doing it, but they tend to be pooh-pooh’d if not ignored by most of the employees.

Social software allows employees to connect and get those conversations going.  Employee communication is for me a much greater animal than the Voice-of-the-Customer initiatives I referenced earlier.  Having a Product Management background, and a relatively niche market (B2B), I feel quite comfortable about getting the meat of what my customers want.  Corporate efficiency is a real challenge though.  Optimizing one division is hard enough but breaking the silos between those divisions is extremely complicated.  Whatever can be done to improve that situation has the potential to reach very high ROIs with little effort given where we are starting from.

At Enterprise 2.0, a large insurance company asked a great question though.  How do you make those tools effective?  Having the ability to engage others is great but you still need some guidance to drive conversations with more value-add than comments on the cafeteria food…

Social = Serendipity on the Job

Granted, you can post tweets to let your ecosystem know that your plane is late and serendipitously discover that you are stranded with an old buddy and meet up for a drink, but you would get great value-add, at least in the corporate sense, if you could marry the social “icing” to the corporate “cake”.  Michael Fauscette points out that the ability to bring those activity streams and collaboration tools in the context of actual applications is critical to the enterprise adoption.  This is what we call “serendipity on the job” and I agree that those capabilities will enable Social software to soar throughout the enterprise bringing tremendous value.

The raw capability of exchanging information puts the burden on the users to self-organize and find a sense of purpose.  When those capabilities are intrinsically integrated with day-to-day tasks, they have the opportunity to be used without excessive thinking or learning curve by the stakeholders.

When Salesforce released Chatter in the context of the Sales Automation application, it unlocked something big: the ability to work collaboratively, to leverage the collective in the context of day-to-day activities.  As the Sales exec, I can look at my portfolio of customers and post information that is targeted to a captive audience.  Only service reps in charge of my account or for some other reason interested in this account will subscribe to the status updates and will be notified.  This reduces the chatter (no pun intended) that goes around in company-wide emails.  It also captures the thoughts and contribution of the involved stakeholders on the spot — eliminating unnecessary follow-up discussions as well as capturing tacit knowledge.

Do not underestimate the value of being in the context of your application.  I love Twitter but I don’t have the time to read all the tweets from my friends.  Nobody does.  It serves a purpose of communication and trend-watching.  Integrated Social / Collaborative capabilities serve a different purpose of connecting “doers” for a well-defined purpose.

It is not rare to hear about the “intangible” value of Social Software.  I would argue that, when it is clearly applied for a given purpose, its value is much more obvious and measurable in terms of productivity and eventually bottom-line results.

I believe that this acquisition is a brilliant move from VMware and we shall hear about more Social Software acquisitions from the platform players that are building the “next generation”.

Crowdsourcing Predictions

Remember a decade ago when we were running SETI@home on our computers all night?  I was guilty of lending my off-hours CPU time for this fun Berkeley experiment.  My husband and I would join forces to help detect little anomalies…  We did not take it seriously of course but we enjoyed being part of the program!  It was also technically intriguing as the first large-scale grid deployment we participated in…

Time has passed since then.

Grid architecture turned into Cloud deployments for elasticity.  The idea to join forces grew stronger though, manifesting itself in various ways.  Collaboration and Social capabilities are revolutionizing the way people can work together.  Some success stories involve better teamwork within the enterprise; others are about customer ideation.  In this post, I will focus on those crowdsourcing initiatives that push the innovation outside of the enterprise, not for feedback but for actual work.

The Netflix Prize

We have all heard of the Netflix Prize but let me remind you of the premise.  Netflix launched a competition in 2006 with an appealing $1M prize for the best predictor.  Being a movie rental business, they differentiate from the established brick-and-mortar players by offering the service over the mail as a subscription rather than a per-day rental.  The business model was a great way to break into the space quickly but they needed increased differentiation since all players could (and did) adapt to the new way of renting movies.  Consumers want to watch movies but they do not necessarily know what is out there…  Have you ever stared at the wall of movies at Blockbusters without a clue as to what you will bring home?  With a powerful Recommendation Engine, Netflix can predict the list of movies that you are the most likely to love, based on your previous ratings.  Improving the precision of this recommendation engine increases Netflix’s value-add and therefore competitiveness.

On September 21, 2009, the $1M Grand Prize was awarded to a team that could improve by more than 10% the accuracy of the incumbent Cinematch.

Academics have had opportunities to research algorithms forever of course but, in this case, Netflix made data freely available to the participants.  This enabled a pragmatic effort to take place rather than just theoretical.  The business objective was clearly stated in the rules: improve the prediction by 10% or more on the provided quiz sample.

This 3-year journey involved a lot of hard work from many teams around the world.  It was impressive to see how close the race got, with another submission reaching the stated goal arriving just 24 minutes after the winning project.  What was most impressive was the collaboration that took place.  The leading teams realized that they could achieve more by working jointly rather than competing.  At that point in time, dramatic improvements were achieved.  This is a beautiful lesson learned that testifies to the value of collaboration!

The secret sauce for both BellKor’s Pragmatic Chaos and The Ensemble was collaboration between diverse ideas, and not in some touchy-feely, unquantifiable, “when people work together things are better” sort of way. The top two teams beat the challenge by combining teams and their algorithms into more complex algorithms incorporating everybody’s work. The more people joined, the more the resulting team’s score would increase.
— Eliot Van Buskirk, Wired

This prize was a stroke of genius by Netflix who realized very early on the potential offered by crowdsourcing.  Not only could they achieve an incredible performance improvement to their algorithm, which they may not have been able to come up with ever, but they only spent $1M!  It may seem like a nice price tag but if you consider that a team of 7 people works for 3 years on it, that is ridiculously cheap…  What would have been the odds of hiring the right people, with the right motivation and ideas?  It would have cost a lot more I am sure, and would have led to less tangible results.

More crowdsourced projects for recommendation / prediction engines?

With the success of the Netflix project, some new similar projects have bubbled up.  The chances of FICO outsourcing their FICO score are pretty slim of course.  Companies that use a prediction engine but do not live off of it are more likely to launch those initiatives.

Similar to Netflix, wants to provide better recommendations to their consumers, hoping to increase their sales at the end of the day.  They have just started a new competition with the now “standard” $1M prize.  Following the Netflix footsteps, they also target a 10% improvement or better.

If you are on the lookout for a bigger prize you can also check out this other competition.  Heritage Provider Network is offering a $3M Grand Prize for the best predictive algorithm that can identify patients who will be admitted to the hospital within the next year, using historical claims data.  In that case, data is obviously provided but no hard-and-fast objective is provided.  The team with the best prediction will win the prize at the 2 year mark.

I find this trend very exciting for the Decision Management space.  Collaboration can lead to great results with or without the carrot those companies are offering here.  It may take a little while for companies to embrace collaboration outside of the boundaries of the enterprise for harvesting and fine-tuning Business Rules but I have hope that we are not talking about decades.

Outlook Series: Carole-Ann interviewed by Michael Lippis

Following up on Carlos’s explanation of Social Logic, I had the pleasure to be interviewed by Michael Lippis as part of his Decision Management campaign for the Outlook Series.  Michael drilled me with challenging questions on Social Logic of course.


Decision Management can deliver fantastic ROI but its adoption is limited by a steep learning curve.

Business rules requirements need to be specific, clear and actionable.

By doing so, business rules implementations converge quickly to high quality and accurate business rules, significantly reducing uncertainty and project risk.

Decision Management technologies provide agility; but you can make DM more Performance-Driven by leveraging business data and analytics in context at authoring time.

A wealth of tacit knowledge resides in the heads of Customer Service personnel or Call Center Agents.

The key to gaining a competitive advantage is capturing that tacit knowledge out of the collective.

That tacit knowledge can then support Case Workers making manual decisions, providing insights on the impact of those decisions in real-time.

Furthermore, at decision time, collaboration between skilled workers allows you to crowd-source the most educated decision, keeping track of the reasoning behind that decision for consideration to be eventually automated.

We interview Carole-Ann Matignon to gain Sparkling Logic’s perspective on social logic.

Carole-Ann is CEO and Founder of Sparkling Logic.

