Next Generation Authorization and Entitlements Services

Challenge

Businesses have complex organizations and a wealth of information assets to protect and share in order to conduct operations in an agile, performant and secure manner.

Authorization to access and operate on the information assets is currently managed by a tangled nest of isolated systems and individual applications which inhibit an enterprise’s ability to perform simple operations that span the business in an effective manner. It also presents challenges to the business’s ability to comprehend how and when the information assets are shared and accessed by users or systems required to execute effective security, regulatory compliance and risk management audits.

An idealized conceptual model of the Enterprise Authorization domain may be represented like this:

The Party, Identity, Application and Resource entities (along with the multiple intersections between them) must be modeled and managed carefully in order to effectively enforce a business’s authorization policies.

Authorization Master Data

The desired state is for Authorization Data to be managed in a cohesive way across the Organization as Enterprise Master Data. This will provide both the enterprise and users a consistent and uniform data set that can be harvested, cleansed, and back-propagated to source applications to enforce authorization. This process is known as Master Data Management or MDM.  

Master Data Management is typically approached as a relational problem resulting in managed data tables with cleansed properties, managed primary keys and possibly foreign key references to other data tables. Master Data governance is performed by a data management team responsible for the curation of the data sets managed. In many cases, a data manager will be responsible for curation of a single data set or unrelated datasets. This approach is appropriate for lists of Customers, Products, Part Lists, Applications, Identities, Roles and Assets. Explicit relationships between data entities can be managed and enforced using foreign key relationships. Recursive and many-many relationships can be easily defined and queried in a relational MDM system. However, the SQL queries required are complex, error prone and generally not performant, often resulting in use of data denormalization views and materialized snapshots to deliver manageable interfaces and meet performance requirements.

Managing master data in a relational manner has been a critical enabler for companies to maintain consistent representations of master data across the applications used by the business to conduct operations. The relational solution isn’t ideal because it introduces unnecessary complexities into the master data model for managing complex relationships that can be represented succinctly using a graph model.

Business Requirements

• Enable management of Authorization master data and relationships in proper business context
• Enable self-service administration
• Enable rapid staff on/off boarding and organizational changes
• Enable self-service provisioning
• Enable self-service authorization management and approvals by the data owner or assigned delegates
• Support for administering fined-grained access control policies (row, cell)
• Provide contextual search by property
• Approvers have visual and analytic context for what they are approving rather than entries in an IT ticketing and workflow system
• Realtime policy compliance can be tested and enforced at the time of assignment or authorization
• Provide an integrated and unified 360° view of the authorization domain suitable for analytics, risk management, audit and compliance. This view may expose unexpected and novel uses of your data resources that you want to encourage or eliminate.
• Unintended authorization patterns can be identified in data and addressed before they become an issue
• Utilize the diverse semantic relationships used by the business to describe the interactions between these entities to enforce authorization policies
• Globally accessible
• High Availability/Fault tolerant
• Scalable
• Performant
• Replicated
  

Solution

A graph model implemented using a graph database is ideally suited for managing, enforcing and navigating the rich semantic relationships required for Authorization Master Data in a concise way that is familiar to business stakeholders and is difficult to accomplish with relational model mapping. A graph model also supports managing semantic relationship changes in real time cadence to business needs not possible with a relational model.

Graph Model

A simplistic graph model for the Authorization domain

Graph Databases

There are several graph databases on the market to consider:

‍

Benefits

This approach has many benefits:

• A graph database allows us to effectively model the complex and networked relationships inherent between organizations, individuals, identities, applications, roles, resources, resource groups and permissions. It is the relationships (edges) and associated properties between the entities which impart authorization rather than the properties of particular domain entity (vertex).
  

• A graph database provides a comprehensive 360° view of the authorization domain suitable for analytics, risk management, audit and compliance.

• Graph query languages such as Gremlin, Cypher, GSQL. SPARQL are designed to be highly performant in traversing highly connected networked and recursive relationships.
  

• Graph visualization provides tools for the approver to understand the context of an approval by providing a 360° view of the authorization in context.

• Data managed in the graph database can be used in several ways to enforce authorization each with differing degrees of integrity between the master authorization data and the enforcing system.
  

• Transactionally - The graph can be traversed transactionally to answer authorization requests on demand. One can expect to achieve transactional performance of less than 50ms under operational load for most authorization requests in our experience. You also have the ability to scale the graph cluster based the data scale and operational load.
  

• Cached - Authorization traversals can be executed pre-emptively and results cached if the transactional performance is insufficient for the application use case.
  

• Projection of authorization metadata into downstream systems enforcing access can be automated and applied transactionally, in batch or in the worst case as instructions that are manually provisioned by IT personnel in the target system.  Minimal latencies can be achieved between the authorization master and the enforcing system if the downstream system has a defined API or data store for managing authorization data.

Implementation

In a recent engagement we had the opportunity to implement a property graph database solution for authorization for an enterprise desiring to accomplish these goals. The system supports authorization to access and manage owned assets by the customer or on behalf of the customer where assets may be owned by more than one customer.

The property graph database selected for this engagement was one of those listed earlier. Containerized microservices were designed and built using the Command Query Response Segregation pattern as Java Spring Boot applications.  

One of the challenges that we had was meeting or beating a performance requirement currently being achieved querying a write-once in memory cache used for authorization. The performance requirement was that 95% of the authorization requests had to complete in 50 milliseconds or less.

We used Gatling to simulate observed load characteristics and access patterns derived from log data metrics produced and gathered from the current production system. The Gatling tests were executed against the REST authorization APIs.

The performance testing and logging exposed issues with our test data, graph traversals, serialization and other code hot spots that could be tuned. The tuned system exceeded our expectations. We were able to meet the performance requirement at 10x the operational load specified.

Outcome

The resultant solution has significantly better availability characteristics to the prior memory cached relational solution it is replacing and it can successfully deliver the business requirements outlined above for Authorization management.

The new graph based Authorization system is scheduled to be integrated with all customer facing applications of the business which will allow the final decommissioning of several legacy systems that were expensive to license, difficult to extend and support.

The fully integrated graph will serve as an analytical platform to the business used to enable Customer 360° insights, audit and fraud detection not possible in the legacy system.