
Technical Series: Authentication and Access Control


A key benefit of using a Decision Management System is to allow the life-cycle of automated decisions to be fully managed by the enterprise.

When the decision logic remains in the application code, it becomes difficult to separate access to decision logic code from the rest. For example, reading through pages of commit comments to find the ones relevant to the decision is close to impossible. And so is ensuring that only resources with the right roles can modify the logic.
Clearly, this leads to the same situation you would be in if your business data were totally immersed in the application code. You would not do that for your business data, and you should not do that for your business decision logic, for exactly the same reasons.

Decision Management Systems separate the decision logic from the rest of the code. Thus, you get the immense benefit of being able to update the decision logic according to the business needs. But the real benefit comes when you combine that with authentication and access control:

  • you can control who has access to what decision logic asset, and for what purpose
  • and you can trace who did what to which asset, when and why

Of course, a lot of what is written here applies to other systems than Decision Management Systems. But this is particularly important in this case.

Roles and access control

The very first thing to consider is how to control who has access to what in the DMS. This is access control — but note that we also use authorization as an equivalent term.
In general, one thinks of access control in terms of roles and assets. Roles characterize how a person interacts with the assets in the system.
And the challenge is that there are many roles involved in interacting with your automated decision logic. The same physical person may fill many roles, but those are different roles: they use the decision management system in different ways. In other words, these different roles have access to different operations on different sets of decision logic assets.

Base roles and access control needs

Typically, and this is of course not the only way of splitting them, you will have roles such as the following:

  • Administrator
    The administrator role administers the system but rarely is involved in anything else. In general, IT or operations resources are those with this role.

  • Decision definer
    The decision definer role is a main user role: this role is responsible for managing the requirements for the automated decision and its expected business performance. Typically, business owners and business analysts are assigned this role.

  • Decision implementer
    The decision implementer role is the other main user role: this role designs, implements, tests and optimizes decisions. Generally, business analysts, data analysts or scientists, decision owners, and sometimes business-savvy IT resources are given this role.

  • Decision tester
    The decision tester role is involved in business testing of the decisions: validating they really do fit what the business needs. Usually, business analysts, data analysts and business owners fill this role.

  • Life-cycle manager
    The life-cycle manager role is responsible for ensuring that enterprise-compliant processes are followed as the decision logic assets go from requirements to implementation to deployment and retirement.

More advanced needs

There may be many other roles, and the key is to realize that how the enterprise does business impacts what these roles may be. For example, our company has a number of enterprise customers who have two types of decision implementer roles:

  • General decision implementer: designs, implements the structure of the decision and many parts of it, tests and optimizes it
  • Restricted decision implementer: designs and implements only parts of the decision — groups of rules, or models

The details on what the second role can design and implement may vary from project to project, etc.

Many other such roles may be defined: those who can modify anything but the contract between the automated decision and the application that invokes it, etc.

It gets more complicated: you may also need to account for the fact that only specific roles can manage certain specific assets. For example, you may have a decision that incorporates a rate computation table that only a few resources can see, although it is part of what the system manages and executes.

Requirements for the Decision Management System

Given all this, the expectation is that the DMS support directly, or through an integration with the enterprise systems, the following:

  • Role-based access control to the decision logic asset
  • And ability to define custom roles to fit the needs of the enterprise and how it conducts its business
  • And ability to have roles that control access to specific operations on specific decision logic assets

This can be achieved in a few ways. In general:

  • If all decision assets are in a system which is also managed by the enterprise authentication and access control system: you can directly leverage it
  • And if that is not the case: you delegate authentication and basic access control to the enterprise authentication and access control system, and manage the finer-grained access control in the DMS, tied to the external authentication
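The second option above, sketched as an added example (not code from any DMS product): the enterprise identity system supplies the user's groups, and the DMS maps them to its own custom roles and checks each operation against a specific asset. Group names, role names, asset paths and the grant format are all hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Grant:
    operation: str      # e.g. "read", "edit", "test"
    asset_pattern: str  # glob over asset paths, e.g. "pricing/rules/*"

# Roles are plain data, so custom roles can be added per enterprise (hypothetical names).
ROLES = {
    "decision_implementer": [Grant("read", "*"), Grant("edit", "*")],
    "restricted_implementer": [Grant("read", "*"), Grant("edit", "pricing/rules/*")],
    "decision_tester": [Grant("read", "*"), Grant("test", "*")],
    "rate_table_owner": [Grant("read", "pricing/tables/rates"),
                         Grant("edit", "pricing/tables/rates")],
}

# Assets that only listed roles may touch, even if another role holds a "*" grant.
RESTRICTED_ASSETS = {"pricing/tables/rates": {"rate_table_owner"}}

# Mapping from externally authenticated group membership to DMS roles (constructed).
GROUP_TO_ROLE = {
    "dms-implementers": "decision_implementer",
    "dms-restricted-impl": "restricted_implementer",
    "dms-testers": "decision_tester",
    "dms-rate-owners": "rate_table_owner",
}

def roles_for_groups(groups):
    """Translate groups asserted by the enterprise identity system into DMS roles.
    Unknown groups confer nothing."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}

def is_allowed(user_roles, operation, asset):
    """Deny by default: allow only if some role grants this operation on this asset,
    and, for a restricted asset, only if that role is on the asset's own list."""
    asset_roles = RESTRICTED_ASSETS.get(asset)
    for role in user_roles:
        if asset_roles is not None and role not in asset_roles:
            continue  # wildcard grants do not reach restricted assets
        for grant in ROLES.get(role, []):
            if grant.operation == operation and fnmatchcase(asset, grant.asset_pattern):
                return True
    return False
```
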

Authentication

Of course, roles are attached to a user, and in order to guarantee that the user is the right one, you will be using an authentication system. There is a vast number of such systems in the enterprise, and they play a central role in securing the assets the enterprise deals with.

Principles

The principle is that for each user that needs to have access to your enterprise systems, you will have an entry in your authentication system. Thus, the authentication system will ensure the user is who the user claims, and apply all the policies the enterprise wants to apply: two-factor authentication, challenges, password changes, etc. Furthermore, it will also control when the user has access to the systems.

This means that all systems need to make sure a central system carries out all authentications. And this includes the Decision Management System, of course. For example:

  • The DMS is only accessible through another application that does the proper authentication
  • Or it delegates the authentication to the enterprise authentication system

The second approach is more common in a services world with low coupling.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Delegate its authentication to the enterprise authentication and access control systems
  • Or use the authentication information provided by an encapsulating service

Vendors in this space have the challenge that in the enterprise world there are many authentication systems, each with potentially more than one protocol. Just in terms of protocols, enterprises use:

  • LDAP
  • WS-Federation
  • OAuth2
  • OpenID Connect
  • and more

Trace

Additionally, enterprises are interested in keeping a close trace of who does what and when in the Decision Management System. Of course, using authentication and the fact that users will always operate within the context of an authenticated session largely enables them to do so.
But this is not just a question of change log: you also want to know who has been active, who has exported and imported assets, who has generated reports, who has triggered long simulations, etc.

Furthermore, there are three types of usages for these traces:

  • Situational awareness: you want to know what has been done recently and why
  • Exception handling: you want to be alerted if a certain role or user carries out a certain operation. For example, when somebody updates a decision in production.
  • Forensics: you are looking for a particular set of operations and want to know when, who and why. For example, for compliance verification reasons.

A persisted and query-able activity stream provides support for the first type of usage. And an integration with the enterprise log management and communication management systems supports the other types of usages.

Requirements for the Decision Management System

The expectation is that the DMS will:

  • Provide an activity stream users can browse through and query
  • And support an integration with the enterprise systems that log activity
  • And provide an integration with the enterprise systems that communicate alerts
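The three usages of the trace, sketched as an added example (not code from any DMS product): each recorded activity is kept for browsing and querying, serialized as a JSON line for an enterprise log system, and checked against alert rules such as "a decision was updated in production". Field names, the rule name and the sample events are constructed for illustration.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Activity:
    when: datetime
    user: str
    role: str
    operation: str    # "update", "export", "import", "report", "simulate"
    asset: str
    environment: str  # "dev", "test", "production"
    reason: str

# Exception handling: named predicates evaluated on every recorded activity.
ALERT_RULES = {
    "production-update":
        lambda a: a.operation == "update" and a.environment == "production",
}

class ActivityStream:
    def __init__(self, alert_rules):
        self._events = []
        self._alert_rules = alert_rules

    def record(self, activity):
        """Persist the event; return (JSON log line, names of alert rules that fired)."""
        self._events.append(activity)
        line = json.dumps({**asdict(activity), "when": activity.when.isoformat()},
                          sort_keys=True)
        fired = [name for name, rule in self._alert_rules.items() if rule(activity)]
        return line, fired

    def query(self, since=None, until=None, **fields):
        """Situational awareness and forensics: filter by time window and exact fields."""
        return [e for e in self._events
                if (since is None or e.when >= since)
                and (until is None or e.when < until)
                and all(getattr(e, k) == v for k, v in fields.items())]

T0 = datetime(2019, 3, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed sample data
    Activity(T0, "alice", "decision_implementer", "update",
             "pricing/rules/discount", "test", "Q2 campaign"),
    Activity(T0 + timedelta(hours=1), "carol", "decision_tester", "export",
             "pricing/rules/discount", "test", "offline review"),
    Activity(T0 + timedelta(hours=2), "bob", "life_cycle_manager", "update",
             "pricing/rules/discount", "production", "hotfix"),
    Activity(T0 + timedelta(hours=3), "alice", "decision_implementer", "simulate",
             "pricing/flow", "dev", "what-if run"),
]

def replay(events, rules=ALERT_RULES):
    """Record events in order; return the stream and (user, rule) for each alert."""
    stream, alerts = ActivityStream(rules), []
    for e in events:
        _, fired = stream.record(e)
        alerts.extend((e.user, name) for name in fired)
    return stream, alerts
```
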

There are many more details related to these authentication, access control and trace integrations. Also, one interesting trend is the move towards taking all of these into account from the beginning as the IT infrastructure moves to the models common in the cloud, even when on-premise.

This blog is part of the Technical Series, stay tuned for more!

[Image Designed by security from Flaticon]

Thinking Outside the Cube – Almaden Quicksilver


Fast decisions got executed here

It has been quite a while since Carlos and I blogged about our hikes.  A quick blog on the topic is long overdue. You can’t blame us though for being more passionate about technology!

If you grew up watching lots of westerns like we did, the view of the hanging tree is likely to bring back a lot of memories.  It makes the place a little more dramatic under the hot sun of summer (it was long overdue too).  People used to throw rocks at the tree as a symbol of disgust for the despicable crimes committed.  As a Decision Management person, my mind was contemplating the fast decisions they made here and the lack of process that led to some mistakes for sure.

Over a hundred tunnels and shafts gave access to the minerals

Many tunnels and shafts spring up here and there.  The San Cristobal tunnel is worth stopping by.  You won’t be able to follow the old track very far but that is certainly enough to imagine the boring yet nerve-racking days that constituted the miners’ daily life.  Their version of fun back then was competing on their drilling abilities on the boulder brought there from Sierra Nevada I believe.  It is interesting though that they overcame so much trouble only to have a reliable point of comparison on their mining skills.  Something to inspire us on being Performance-Driven I suppose.

The top of the hill overlooks San Jose.  Back in those days, it was a small downtown next to the Santa Clara mission, surrounded by miles and miles of orchards.  How I wish I could see that Spring panorama of fruit blossoms.  It must have been absolutely gorgeous!

A century ago, miles and miles of orchards surrounded downtown

Thinking Outside the Cube – March 4th 2010


Alum Rock Park

This week, we finally found a park with some elevation. We enjoyed a beautiful day at Alum Rock Park. Weather was gorgeous.  Ideas were sparkling.  View was fantastic.

The first picture was taken from the parking lot.  We started with a hike to the rock up there.  It was a little steep for a change.  Not a stroll around the lake!  It is not as far as it looks though.  It was a quick walk up to a gorgeous view.

Straight ahead we could see downtown San Jose in the valley.  That day was very nice, and hot, but due to rain we have been having this year, it was a bit foggy.

The contrast of the green hills and the blue-ish bay was stunning.  When you look around, you have a hard time believing that you are only minutes away from the legendary  world-wide Technology headquarter.

View of the Bay

We were not alone on the trail.  Besides other hikers and bikers, we met a fair number of ground squirrels and a flock of raptor birds.  I am not sure if they were hawks or vultures.  We only saw them from a distance.  While we walked though, they flew constantly above our heads, closer than I am used to.  The big, wide shadows were quite impressive!

The park is very extensive with loads of trails.  We decided to follow the North Rim Trail to the ancient mineral springs.

Mineral Spring

The geography of the area is conducive to charging water with at least 7 different minerals. As a result some of the springs are salted, carbonated or sulfurous — yes, that would be smelly! I did not study the geology too much but I found it interesting that the park used to be a beach… a long long time ago…

When the park opened in the late 1800’s as a nationally renowned health spa, the 27 naturally enriched springs were used to fill up baths and an indoor pool.

Fancy baths and grottoes were constructed back then using rocks from the park itself.  They make a fancy decor for professional pictures.  The area is absolutely gorgeous.

Rapids in the Creek

If you prefer less “constructed” parks, just keep walking down the path…  The stream may not be as wild as it was after the heavy rain we’ve had recently but when we hiked, it was definitely neat with many rapids along the way.

You can tell that we enjoyed that park a lot.  I will definitely come back with the boys.  For pictures or just to go wild on the playground, they would love it.

Fresh air does wonders on an open-mind.  It is amazing how much work, thinking, analysis you can get done when you get out of your office or, in our case, just out of the house.

I wish they still had those sparkling baths, especially in the baths that were a constant 98 F…  Although, it is said that a Midwesterner visiting the springs in the 1890’s sent a post card home with the message that he was sure he’d experienced a taste of purgatory!



Thinking Outside the Cube – Feb 28th 2010


Emma Prusch Farm

So far, we have had a very mild winter but a lot of rain. This is obviously good for the State that has experienced at least 3 years of drought. Good for the land but not so good for our hikes…

We have had a hard time getting one scheduled that week. We had to plan for an outing over the weekend instead of our traditional weekday. That also meant having one of my sons with us and therefore little real hiking.

So we decided to opt for a local park in San Jose that educates city kids on the basics of a Farm. Kids can feed all kinds of farm animals or learn about compost.

The Emma Prusch Farm park is a surprisingly neat little park on King St, just at the 101 and 280 intersection.

Carlos and I had a lazy hike to say the least but a fun time running after the roosters with Lucas. We strolled in the small animals area and mostly spent time in the playground. It was very crowded with kids and families but quite pleasant.

Roosters

Definitely not the typical Thinking Outside the Cube outing!

Thinking Outside the Cube – Feb 20th 2010


Rancho San Antonio County Park

This week, we opted for the Rancho San Antonio park in Mountain View.  It is quite an amazing park just a couple of turns away from civilization.  The contrast is absolutely stunning.

When we arrived close to the top of the hill, we could see both the Bay on the left of this tormented tree, and the high-rise of downtown San Jose on the right side.  It makes you want to pause and just watch that fantastic landscape.

Many of the big trees there are Bay trees.  Their aromatic leaves make me want to cook…  Many French dishes make use of it.  One of the landmark ingredients of “Bouquet Garni”.  We saw the third biggest tree in that park too.  I forgot its name but Carlos might remember.

The park is quite extended.  We did not go through the entire park unfortunately but we definitely enjoyed the hike up the hill.  This may be so far the most beautiful park we have been to for our Thinking Outside the Cube hikes.  This is another park where bikes are welcome.  This is becoming quite tempting but I am afraid that we would not be able to talk as much while riding…  I might be wrong.  Maybe we should try one of those days.

Hawk

The park is also full of wildlife.  Of course, you will find some more traditional animals in the Deer Hollow farm — hens, ducks, goats, sheep…  We could hear pigs but we did not get to see them though.  The most exciting encounter was with a Hawk.  He was huge and serene.  He did not seem bothered by our presence at all.  What a gorgeous bird, just a few yards from us.  We also met some deer and squirrels.

Near the parking lots, the other type of wildlife — humans — were playing with remote-controlled planes.  I was tempted too by the tennis court, nicely located near that big tree.  What a gorgeous environment to play!

You can find more details on the park there



Thinking Outside the Cube – Feb 5th 2010


Cottonwood Lake

This year has been very rainy so far…  Given the uncertain weather, we opted for a short walk close-by.  We walked along Coyote Creek Trail — the longest creek in Santa Clara county though (over 60 miles).  It would actually have been a good place to ride a bicycle instead but that would have prevented us from having the same level of deep conversations…

Despite the name attributed by Juan Bautista De Anza in 1776 to the creek, “Arroyo Del Coyote”, we did not spot any coyote or bobcat.  There was ample wildlife though, mostly birds and squirrels.  I personally enjoyed the gorgeous Scrub Jays with their blue outfit.

Mimosa

As one might expect the park is full of interesting trees.  I reconnected with my Southern French origins as we walked by Eucalyptus and Mimosa.  I love mimosa!  Those happy little exuberant yellow flowers always seem to taunt the coldest of winter.  How can anyone be immune to their effect?

In February, during the Carnaval in Nice, beautiful young ladies throw flowers at the crowd during the “Bataille des Fleurs” (Flower Parade).  Mimosa blooming in January / February has traditionally been  a landmark for the event.

Coyote Creek is certainly not a breathtaking outing but it is pretty and quiet.  The right combo for our walks.  We do need to spice up the hikes though and start going up a mountain somewhere…  Maybe next week!



Thinking Outside the Cube – Jan 2010


Shoreline Park

Carlos and I decided to take advantage of our time off work to allocate some serious time for pure brainstorm.  Product Management gurus do agree that you cannot force innovation simply by allocating time for it but when juices are already flowing, taking a break to bounce ideas outside of a traditional office — or cubicle! — can help nevertheless.  Et Voila!  our “Thinking Outside the Cube” series is born!

The main idea behind this series of posts is to share the many places we are about to discover or simply re-visit.  It might give you some ideas of nice places for a long walk or a hike in the Bay area.

We would be glad to inspire more people to take some time to get out of the code or the daily routine and think more strategically about your business or your life.  Living in California, we have the amazing opportunity to find beauty around the corner year-round of course but we also assume the duty to spread more Green behavior (not that we have any monopoly on that of course).

Sunset on Shoreline Park

This week, we visited Shoreline Park in Mountain View.  The hike was not at all challenging, except for the mud on the path around the lake and the marshes.  It is a nice place to watch the wildlife, mostly birds.  Very accessible for walking or biking.  Very conducive to productive talks — I will not say more about what we talked about though 😉

Carlos recommends the cafe and the boating club for a little pedalo or small boat ride in the summer.

That was definitely a nice and lazy way to start our 2010 hiking resolution!


 2019 SparklingLogic. All Rights Reserved.