Separation of Duties and Entitlement Analyzer

A set of policy analysis functions for IBM Tivoli Access Manager and IBM Tivoli Identity Manager that supports "separation of duties" and entitlement reporting.


Date Posted: June 5, 2008

Update: October 9, 2008

Version 2.0 adds analysis of Tivoli Identity Manager; log analysis for Tivoli Access Manager; a sample system; minor improvements; bug fixes.

What is Separation of Duties and Entitlement Analyzer?

This technology analyzes separation of duty in role assignments, authorization policies, and log files. Static separation-of-duty constraints can be specified and evaluated on Tivoli® Access Manager for E-Business 6.0 as well as on Tivoli Identity Manager 5.0. Entitlement and accessor reports provide further insight into resource access. Log file analysis evaluates separation-of-duty constraints on Tivoli Access Manager native audit logs. Separation of Duties and Entitlement Analyzer was developed by IBM research teams in Tokyo and Zurich.
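The following added example (not the analyzer's own code or its constraint format) shows a static separation-of-duty check over role assignments next to the same check over audit records. It assumes a constraint is a set of conflicting duties plus a threshold n, in the style of RBAC static separation of duty; every role, user, duty and log record below is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; not Tivoli Access Manager or Identity Manager formats.
ROLE_DUTIES = {
    "ap_clerk": {"create_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"release_payment"},
    "auditor": {"view_ledger"},
}
USER_ROLES = {
    "alice": {"ap_clerk", "auditor"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"ap_manager", "treasury"},
}
# Assumed constraint model: (conflicting duties, n) means no user may hold n or more.
CONSTRAINTS = {
    "invoice-4-eyes": ({"create_invoice", "approve_invoice"}, 2),
    "procure-to-pay": ({"create_invoice", "approve_invoice", "release_payment"}, 2),
}
# Constructed audit records: (user, duty exercised).
AUDIT_LOG = [
    ("alice", "create_invoice"), ("bob", "create_invoice"),
    ("carol", "approve_invoice"), ("bob", "approve_invoice"),
    ("carol", "view_ledger"),
]

def violations(duties_by_user, constraints):
    """Return sorted (constraint, user, conflicting duties held) tuples."""
    found = []
    for name, (conflict, n) in constraints.items():
        for user, duties in duties_by_user.items():
            held = duties & conflict
            if len(held) >= n:
                found.append((name, user, tuple(sorted(held))))
    return sorted(found)

def static_entitlements(user_roles, role_duties):
    """Duties each user could exercise through the roles assigned to them."""
    return {u: set().union(*(role_duties[r] for r in roles))
            for u, roles in user_roles.items()}

def exercised(audit_log):
    """Duties each user actually exercised according to the audit records."""
    seen = defaultdict(set)
    for user, duty in audit_log:
        seen[user].add(duty)
    return dict(seen)

STATIC = violations(static_entitlements(USER_ROLES, ROLE_DUTIES), CONSTRAINTS)
OBSERVED = violations(exercised(AUDIT_LOG), CONSTRAINTS)
```

In this sample the static check flags both bob and carol, while the log check flags only bob: carol is entitled to a conflicting combination but the records show her exercising only one side of it.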

How does it work?

The analyzer is implemented in Java™ and is packaged as a Java Enterprise Edition (JEE) Web application containing the analysis functions, reports, and a Web-based console, which includes an editor for creating basic separation-of-duty constraints. The analyzer can be deployed into any JEE 1.4 container. After deployment, Tivoli Access Manager and Tivoli Identity Manager systems are configured in the console. Note that the analyzer and the target systems can reside on different computers.

The separation-of-duty and entitlement policy analysis operates internally on XACML, the OASIS standard for authorization policy. When an analysis function is performed, policy information is first extracted from Tivoli Access Manager and then translated into XACML. The analysis functions are then performed on the XACML policy.


About the technology author(s):

Christopher Giblin is a software engineer in the Security and Assurance Group at the IBM Zurich Research Laboratory, where he is involved in security and compliance management projects.

Satoshi Hada, Ph.D., is a researcher at the IBM Tokyo Research Laboratory, Japan. At IBM, he has worked on XML security, enterprise privacy, and compliance technologies. He is a contributor to Web Services Security 1.0 and XACML 1.0.

Günter Karjoth, Ph.D., is a researcher at the IBM Zurich Research Laboratory, Switzerland. At IBM, he has worked on enterprise privacy, middleware and mobile agent security, secure electronic commerce, and RFID security and privacy.

Andreas Schade, Ph.D., is a researcher at the IBM Zurich Research Laboratory, Switzerland, where he currently works in the Security and Assurance Group. At IBM he has worked on pervasive computing and e-business systems, as well as distributed systems and applications and their management.

Yukihiko Sohda, Ph.D., is a software engineer at the Tivoli Development of IBM Yamato Software Development Laboratory in Japan. Previously, he was at the IBM Tokyo Research Laboratory and worked on Web service caching, enterprise privacy, compliance technologies, and the Separation of Duties Analyzer.

Els Van Herreweghen, Ph.D., is a research staff member in the Security and Assurance Group at the IBM Zurich Research Laboratory, where she works on research projects related to security and privacy.


Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Tivoli is a trademark of IBM Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.

For platform(s):
Java

For topics:
Administration, analysis, authorization, configuration, J2EE, Java technology, Privacy, security


 
