Decision Modeling

Technical Series: Authentication and Access Control


A key benefit of using a Decision Management System is to allow the life-cycle of automated decisions to be fully managed by the enterprise.

When the decision logic remains in the application code, it becomes difficult to separate access to decision logic code from the rest. For example, reading through pages of commit comments to find the ones relevant to the decision is close to impossible. And so is ensuring that only resources with the right roles can modify the logic.
Clearly, this leads to the same situation you would be in if your business data were totally immersed in the application code. You would not do that for your business data, and you should not do that for your business decision logic, for exactly the same reasons.

Decision Management Systems separate the decision logic from the rest of the code. Thus, you get the immense benefit of being able to update the decision logic according to the business needs. But the real benefit comes when you combine that with authentication and access control:

  • you can control who has access to what decision logic asset, and for what purpose
  • and you can trace who did what to which asset, when and why

Of course, a lot of what is written here applies to other systems than Decision Management Systems. But this is particularly important in this case.

Roles and access control

The very first thing to consider is how to control who has access to what in the DMS. This is access control — but note that we also use authorization as an equivalent term.
In general, one thinks of access control in terms of roles and assets. Roles characterize how a person interacts with the assets in the system.
And the challenge is that there are many roles involved in interacting with your automated decision logic. The same physical person may fill many roles, but those are different roles: they use the decision management system in different ways. In other words, these different roles have access to different operations on different sets of decision logic assets.

Base roles and access control needs

Typically, and this is of course not the only way of splitting them, you will have roles such as the following:

  • Administrator
    The administrator role administers the system but rarely is involved in anything else. In general, IT or operations resources are those with this role.

  • Decision definer
    The decision definer role is a main user role: this role is responsible for managing the requirements for the automated decision and its expected business performance. Typically, business owners and business analysts are assigned this role.

  • Decision implementer
    The decision implementer role is the other main user role: this role designs, implements, tests and optimizes decisions. Generally, business analysts, data analysts or scientists, decision owners, and sometimes business-savvy IT resources are given this role.

  • Decision tester
    The decision tester role is involved in business testing of the decisions: validating they really do fit what the business needs. Usually, business analysts, data analysts and business owners fill this role.

  • Life-cycle manager
    The life-cycle manager role is responsible for ensuring that enterprise-compliant processes are followed as the decision logic assets go from requirements to implementation to deployment and retirement.

More advanced needs

There may be many other roles, and the key is to realize that how the enterprise does business impacts what these roles may be. For example, our company has a number of enterprise customers who have two types of decision implementer roles:

  • General decision implementer: designs, implements the structure of the decision and many parts of it, tests and optimizes it
  • Restricted decision implementer: designs and implements only parts of the decision — groups of rules, or models

The details on what the second role can design and implement may vary from project to project, etc.

Many other such roles may be defined: those who can modify anything but the contract between the automated decision and the application that invokes it, etc.

It gets more complicated: you may also need to account for the fact that only specific roles can manage certain specific assets. For example, you may have a decision that incorporates a rate computation table that only a few resources can see, although it is part of what the system manages and executes.

Requirements for the Decision Management System

Given all this, the expectation is that the DMS support directly, or through an integration with the enterprise systems, the following:

  • Role-based access control to the decision logic asset
  • And ability to define custom roles to fit the needs of the enterprise and how it conducts its business
  • And ability to have roles that control access to specific operations on specific decision logic assets

This can be achieved in a few ways. In general:

  • If all decision assets are in a system which is also managed by the enterprise authentication and access control system: you can directly leverage it
  • And if that is not the case: you delegate authentication and basic access control to the enterprise authentication and access control system, and manage the finer-grained access control in the DMS, tied to the external authentication
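The second arrangement, sketched as an added example (not Sparkling Logic code): the identity arrives from the enterprise authentication system, and the DMS decides per operation and per asset, with custom roles and a restricted asset such as the rate computation table. All role names, subjects and asset paths are hypothetical.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Grant:
    operations: frozenset      # operations permitted, e.g. {"read", "edit"}
    asset_pattern: str         # glob over asset paths, e.g. "pricing/rules/*"

@dataclass
class Policy:
    roles: dict                # role name -> tuple of Grant (custom roles go here)
    assignments: dict          # externally authenticated subject -> set of role names
    restricted: dict = field(default_factory=dict)  # asset pattern -> roles that may touch it

    def is_allowed(self, subject, operation, asset):
        """Deny by default. `subject` must come from the enterprise
        authentication system, never from client-supplied input."""
        held = set(self.assignments.get(subject, ()))
        # On a restricted asset only the explicitly listed roles count, so a
        # broad grant held through another role cannot reach it.
        for pattern, allowed_roles in self.restricted.items():
            if fnmatchcase(asset, pattern):
                held &= set(allowed_roles)
        return any(
            operation in grant.operations and fnmatchcase(asset, grant.asset_pattern)
            for role in held
            for grant in self.roles.get(role, ())
        )

def sample_policy():
    """Constructed sample: every role, subject and asset path is hypothetical."""
    g = lambda ops, pattern: Grant(frozenset(ops), pattern)
    return Policy(
        roles={
            "general_implementer": (g({"read", "edit", "test"}, "pricing/*"),),
            "restricted_implementer": (
                g({"read"}, "pricing/*"),
                g({"edit"}, "pricing/rules/eligibility/*"),
            ),
            "rate_table_owner": (g({"read", "edit"}, "pricing/tables/rate_computation"),),
            "life_cycle_manager": (g({"read", "deploy"}, "pricing/*"),),
        },
        assignments={
            "alice@example.com": {"general_implementer"},
            "bob@example.com": {"restricted_implementer"},
            "carol@example.com": {"general_implementer", "rate_table_owner"},
            "dave@example.com": {"life_cycle_manager"},
        },
        restricted={"pricing/tables/rate_computation": {"rate_table_owner"}},
    )

if __name__ == "__main__":
    policy = sample_policy()
    for who, op, asset in [
        ("alice@example.com", "edit", "pricing/flows/main"),
        ("alice@example.com", "read", "pricing/tables/rate_computation"),
        ("bob@example.com", "edit", "pricing/rules/eligibility/age_check"),
        ("carol@example.com", "edit", "pricing/tables/rate_computation"),
    ]:
        print(who, op, asset, "->", policy.is_allowed(who, op, asset))
```

Note that carol's general implementer grants do not apply to the restricted table: only what the rate table owner role itself grants is usable there.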

Authentication

Of course, roles are attached to a user, and in order to guarantee that the user is the right one, you will be using an authentication system. There is a vast number of such systems in the enterprise, and they play a central role in securing the assets the enterprise deals with.

Principles

The principle is that for each user that needs to have access to your enterprise systems, you will have an entry in your authentication system. Thus, the authentication system will ensure the user is who the user claims, and apply all the policies the enterprise wants to apply: two-factor authentication, challenges, password changes, etc. Furthermore, it will also control when the user has access to the systems.

This means that all systems need to make sure a central system carries out all authentications. And this includes the Decision Management System, of course. For example:

  • The DMS is only accessible through another application that does the proper authentication
  • Or it delegates the authentication to the enterprise authentication system

The second approach is more common in a services world with low coupling.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Delegate its authentication to the enterprise authentication and access control systems
  • Or use the authentication information provided by an encapsulating service

Vendors in this space have the challenge that in the enterprise world there are many authentication systems, each with potentially more than one protocol. Just in terms of protocols, enterprises use:

  • LDAP
  • WS-Federation
  • OAuth2
  • OpenID Connect
  • and more

Trace

Additionally, enterprises are interested in keeping a close trace of who does what and when in the Decision Management System. Of course, using authentication and the fact that users will always operate within the context of an authenticated session largely enables them to do so.
But this is not just a question of change log: you also want to know who has been active, who has exported and imported assets, who has generated reports, who has triggered long simulations, etc.

Furthermore, there are three types of usages for these traces:

  • Situational awareness: you want to know what has been done recently and why
  • Exception handling: you want to be alerted if a certain role or user carries out a certain operation. For example, when somebody updates a decision in production.
  • Forensics: you are looking for a particular set of operations and want to know when, who and why. For example, for compliance verification reasons.

A persisted and queryable activity stream provides support for the first type of usage. An integration with the enterprise log management and communication management systems supports the other types of usage.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Provide an activity stream users can browse through and query
  • And support an integration with the enterprise systems that log activity
  • And provide an integration with the enterprise systems that communicate alerts
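The three usages of the trace, as an added example (not Sparkling Logic code): one append-only stream that is queried for recent activity and forensics, and that evaluates an alert rule when somebody edits a decision in production. Event fields, the rule name and all sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Event:
    when: datetime
    subject: str        # identity from the authenticated session
    role: str
    operation: str      # "edit", "export", "simulate", "deploy", ...
    asset: str
    environment: str    # "authoring" or "production"
    reason: str         # the "why": comment supplied with the operation

class ActivityStream:
    def __init__(self, alert_rules, notify):
        self.events = []                 # append-only; a real system persists this
        self.alert_rules = alert_rules   # list of (rule name, predicate over Event)
        self.notify = notify             # hook into the enterprise alerting system

    def record(self, event):
        """Store the event, then evaluate alert rules (exception handling)."""
        self.events.append(event)
        for name, matches in self.alert_rules:
            if matches(event):
                self.notify(name, event)

    def query(self, since=None, until=None, **equals):
        """Filter by time window and exact field values; serves both recent
        activity review and forensic searches."""
        return [
            e for e in self.events
            if (since is None or e.when >= since)
            and (until is None or e.when < until)
            and all(getattr(e, k) == v for k, v in equals.items())
        ]

def utc(day, hour, minute=0):
    return datetime(2019, 3, day, hour, minute, tzinfo=timezone.utc)

def build_demo():
    """Constructed sample events; all subjects and assets are hypothetical."""
    alerts = []
    rules = [("production-update",
              lambda e: e.environment == "production" and e.operation == "edit")]
    stream = ActivityStream(rules, lambda name, e: alerts.append((name, e)))
    for args in [
        (utc(4, 9), "alice@example.com", "decision_implementer", "edit",
         "pricing/rules/eligibility", "authoring", "tighten age rule"),
        (utc(4, 10, 30), "bob@example.com", "decision_tester", "simulate",
         "pricing/flows/main", "authoring", "regression run"),
        (utc(5, 14, 15), "carol@example.com", "life_cycle_manager", "deploy",
         "pricing/releases/R12", "production", "scheduled release"),
        (utc(6, 8, 5), "alice@example.com", "decision_implementer", "export",
         "pricing/tables/rate_computation", "authoring", "offline review"),
        (utc(6, 23, 40), "alice@example.com", "decision_implementer", "edit",
         "pricing/rules/eligibility", "production", "hotfix"),
    ]:
        stream.record(Event(*args))
    return stream, alerts
```

Calling `stream.query(since=utc(6, 0))` gives the situational-awareness view, while `stream.query(operation="export")` is the kind of forensic search a compliance review would run.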

There are many more details related to these authentication, access control and trace integrations. Also, one interesting trend is the move towards taking all of these into account from the beginning as the IT infrastructure moves to the models common in the cloud, even when on-premise.

This blog is part of the Technical Series, stay tuned for more!

[Image Designed by security from Flaticon]

DMN and Pencil


Back in my early product management days, I looked at several tools for requirement capture. I found quite a few good solutions for product requirements, but nothing I really liked for capturing source rules. When working on business rules or decision management projects, I leaned towards spreadsheets and Word documents. And then, DMN was created!

With the DMN standard (Decision Model and Notation), we finally have a notation that works with a powerful underlying methodology. I really like that the notation forces you, the business analyst, into thinking about the ultimate decision(s) in a structured way. Instead of thinking exhaustively about all the rules that exist in your business, the methodology encourages you to decompose your big decision into smaller sub-decisions. This iterative process is very friendly, and very easy to share with your colleagues.

In our upcoming webinar, on April 11, we will introduce the DMN methodology. We will illustrate actual use cases using our Pencil Decision Modeler.

Join us on 4/11 at 9am PT / noon ET!

Best Practices Series: Manage your decisions in Production


Our Best Practices Series has focused, so far, on authoring and lifecycle management aspects of managing decisions. This post will start introducing what you should consider when promoting your decision applications to Production.

Make sure you always use release management for your decision

Carole-Ann has already covered why you should always package your decisions in releases when you have reached important milestones in the lifecycle of your decisions: see Best practices: Use Release Management. This is so important that I will repeat her key points here stressing its importance in the production phase.

You want to be 100% certain that what you have in production is exactly what you tested, and that it will not change by side effect. This happens more frequently than you would think: a user may decide to test variations of the decision logic in what she or he thinks is a sandbox and that may in fact be the production environment.
You also want to have complete traceability, and at any point in time, total visibility on what the state of the decision logic was for any decision rendered you may need to review.

Everything that contributes to the decision logic should be part of the release: flows, rules, predictive and lookup models, etc. If your decision logic also includes assets the decision management system does not manage, you open the door to potential execution and traceability issues. We, of course, recommend managing your decision logic fully within the decision management system.

Only use Decision Management Systems that allow you to manage releases, and always deploy decisions that are part of a release.

Make sure the decision application fits your technical environments and requirements

Now that you have the decision you will use in production in the form of a release, you still have a number of considerations to take into account.

It must fit into the overall architecture

Typically, you will encounter one or more of the following situations:
• The decision application is provided as a SaaS and invoked through REST or similar protocols (loose coupling)
• The environment is message or event driven (loose coupling)
• It relies mostly on micro-services, using an orchestration tool and a loose coupling invocation mechanism.
• It requires tight coupling between one (or more) application components at the programmatic API level

Your decision application will need to simply fit within these architectural choices with a very low architectural impact.

One additional thing to be careful about is that organizations and applications evolve. We’ve seen many customers deploy the same decision application in multiple such environments, typically interactive and batch. You need to be able to do multi-environment deployments at low cost.

It must account for availability and scalability requirements

In a loosely coupled environment, your decision application service or micro-service will need to cope with your high availability and scalability requirements. In general, this means configuring micro-services in such a way that:
• There is no single point of failure
  ○ replicate your repositories
  ○ have more than one instance available for invocation transparently
• Scaling up and down is easy

Ideally, the Decision Management System product you use has support for this directly out of the box.

It must account for security requirements

Your decision application may need to be protected. This includes:
• protection against unwanted access to the decision application in production (man-in-the-middle (MIM) attacks, etc.)
• protection against unwanted access to the artifacts used by the decision application in production (typically repository access)

Make sure the decision applications are deployed the most appropriate way given the technical environment and the corresponding requirements. Ideally you have strong support from your Decision Management System for achieving this.

Leverage the invocation mechanisms that make sense for your use case

You will need to figure out how your code invokes the decision application once in production. Typically, you may invoke the decision application
• separately for each “transaction” (interactive)
• for a group of “transactions” (batch)
• for a stream of “transactions” (streaming or batch)

Choosing the right invocation mechanism for your case can have a significant impact on the performance of your decision application.

Manage the update of your decision application in production according to the requirements of the business

One key value of Decision Management Systems is that with them business analysts can implement, test and optimize the decision logic directly.

Ideally, this expands into the deployment of decision updates to production. As the business analysts have updated, tested and optimized the decision, they will frequently request that it be deployed “immediately”.

Traditional products require going through IT phases, code conversion, code generation and uploads. With them, you deal with delays and the potential for new problems. Modern systems such as SMARTS do provide support for this kind of deployment.

There are some key aspects to take into account when dealing with old and new versions of the decision logic:
• updating should be a one-click atomic operation, and a one-API call atomic operation
• updating should be safe (if the newer one fails to work satisfactorily, it should not enter production or should be easily rolled back)
• the system should allow you to run old and new versions of the decision concurrently

In all cases, this remains an area where you want to strike the right balance between the business requirements and the IT constraints.
For example, it is possible that all changes are batched in one deployment a day because they are coordinated with other IT-centric system changes.

Make sure that you can update the decisions in Production in the most diligent way to satisfy the business requirement.

Track the business performance of your decision in production

Once you have your process to put decisions in the form of releases in production following the guidelines above, you still need to monitor its business performance.

Products like SMARTS let you characterize, analyze and optimize the business performance of the decision before it is put in production. It will be important that you continue with the same analysis once the decision is in production. Conditions may change. Your decisions, while effective when they were first deployed, may no longer be as effective after the changes. By tracking the business performance of the decisions in production you can identify this situation early, analyze the reasons and adjust the decision.

In a later installment in this series, we’ll tackle how to approach the issue of decision execution performance as opposed to decision business performance.

James Taylor’s Recent Update on Sparkling Logic


James Taylor, one of the leading experts on decision management, recently wrote an update on his blog featuring Sparkling Logic’s products. James is the CEO and a Principal Consultant of Decision Management Solutions. He is a well-known author and speaker on using decision modeling, business rules, and analytics to improve decision making to enable a more agile, analytic, and adaptive business.

In his recent blog post on Sparkling Logic, James does a great job of summarizing the key features of PENCIL Decision Modeler and the more recent features we’ve added to SMARTS Decision Manager since he last published an update on us. He highlights key features of PENCIL including the DMN decision diagram and glossary, and the ability to generate a project in SMARTS for execution, testing, simulation and deployment.

For SMARTS, he covers features we’ve added since his last update in 2013 including:

  • Cascading or inherited decisions
  • Native PMML support
  • Lookup models
  • Champion/Challenger testing
  • Lifecycle management and task automation

Most of these are unique SMARTS features not found in other decision management products. **Spoiler Alert** He also mentions a feature in our upcoming release, Quebec, which supports graphical investigation of rules fired for a specific transaction.

James’ “First Look” product updates are a great source to learn details about product offerings in the decision management space and we appreciate the recent update on our products. His blog and the Decision Management Solutions website are great resources to learn more about decision modeling and management.

Business Rules and Decisions for Any Industry from Bloor


We recently had the pleasure of meeting with Simon Halloway from Bloor to give him an update on our decision management and business rule products. Bloor is an independent analyst and research company based in the UK and Simon is their Practice Leader on Process Management and Sensory Devices.

Simon’s focus area includes the intelligent automation of processes using sensors, so he was particularly interested to learn about how some of our customers use SMARTS to analyze sensor data to drive automated decisions.

We were happy to see that he wrote a report following our meeting. In the report, called “Sparkling Logic brings SMARTS to Decisions”, Simon covers how PENCIL Decision Modeler and SMARTS Decision Manager work together. He explains that decision models created in PENCIL can be executed and tested with data in SMARTS. PENCIL lets business analysts capture and document business rules and decisions using the Decision Model and Notation (DMN) standard and the decision model can be tested and validated in SMARTS.

The report also highlights some of the unique features in SMARTS:

  • The SMARTS workbench provides a complete context for business analysts to define, test, simulate and deploy decisions. Environments like this previously had to be set up by IT using an inconvenient assortment of tools.
  • It’s easy for business analysts to write business rules using SMARTS’ visual rule representations.
  • Decisions involving risk or opportunity are becoming increasingly important. SMARTS lets you directly create or use your existing predictive models.
  • SMARTS’ decision analytics keeps you focused on the goal of better decisions with metrics and dashboard reports.

He concludes, “Sparkling Logic’s SMARTS is definitely a solution in Bloor’s view that should be considered if an organization is looking at decision management automation across any sector, whilst still providing all the necessary support for business rules management”.

    Thanks Simon, we couldn’t agree more! Get a copy of the report here.

    Understanding the evolution of your decision models


    In What is Lifecycle Management for a Business Rule, Carole-Ann touched upon the usefulness of rule versioning for traceability or backtracking. She also mentioned the power of a release, which basically represents the version of multiple rules (or any kind of item) at a given point in time, effectively giving the ability to travel back in time.

    Such capabilities are essential during the implementation and deployment of decision logic; but they can also be extremely useful during decision modeling time, as we will see here.


    Make your decision models more personal


    The Decision Model and Notation (DMN) provides a number of ways to supply specific content to a model, i.e. some kind of information that is not directly related to the modeling or the decision implementation, but which can be relevant in your context nonetheless:

    • All diagram elements (input data, decision, business knowledge model, knowledge source) can have a description
    • Decisions have additional information such as a question that may characterize them and allowed answers, objectives, performance indicators, decision makers, decision owners, BPMN processes and BPMN tasks
    • Knowledge sources also have additional information such as a location for the source of knowledge, and the type of that source of knowledge, as well as an owner

    Pencil Decision Modeler adds more information to the mix, such as the volume of a decision (how frequently the decision is made), its frequency (how frequently it changes) and its latency (how much time is allowed to make and deploy changes). Finally, glossary categories and entries can also have a description.

    While this is great, this may not be sufficient for your own needs: you may need more information to be provided either in the DMN diagram itself, or in decision logic.


    Why Decision Logic Elicitation Matters


    We were awarded yet another patent on Decision Logic Elicitation. This is awesome!

    As much as it is an ego boost to receive these acknowledgements, I would like to explain why we have been investing continuously on elicitation.  After all, most of the research happened in the 1980’s and we are part of a very small group that has continued exploring new ways to simplify this task



     © 2019 SparklingLogic. All Rights Reserved.