Slide 1

Information Classification: Public
Beyond Entitlements for Cloud Native
Scalable Responsibility Management with Spring Boot and Open Policy Agent
Chandra Guntur, Bank of New York Mellon
August 2020

Slide 2

Disclosure
BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. Products and services may be provided under various brand names in various countries by duly authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation. Not all products and services are offered in all countries. BNY Mellon will not be responsible for updating any information contained within this material and opinions and information contained herein are subject to change without notice. BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material. This material may not be reproduced or disseminated in any form without the express prior written permission of BNY Mellon. ©2020 The Bank of New York Mellon Corporation. All rights reserved.

Slide 3

About :: Chandra Guntur
• Technologist in the financial services industry since 2003; programming in Java since 1998.
• Director and Sr. Principal Architect in Java Platform Engineering, BNY Mellon.
• BNY Mellon representative on the Java Community Process (JCP) Executive Committee.
• Java Champion.
• JUG Leader at NYJavaSIG (New York Java Special Interest Group) and NJ Java SIG.
• Frequent speaker at Oracle CodeOne, Oracle Code NY, QCon New York, Devnexus and GIDS India.

Slide 4

Agenda
• Responsibility Management
• Technology Choices: HOCON, Open Policy Agent, Spring Boot, Eclipse Collections
• Architecture
• Code Samples
• OPA Policy Authoring Plugin for IntelliJ IDEA

Slide 5

Responsibility Management for the Enterprise - A Rationale

Slide 6

Responsibility Management System Scenarios

Slides 7-9

Why Responsibility Management – Scenario 1

LDAP Group
• Service A needs to know if a user is a member of an enterprise LDAP Group:
  • Access may be granted based on membership.
  • Access may be denied based on membership.
  • Access may be granted based on lack of membership.
  • Access may be denied based on lack of membership.
Then …
• Service B needs to know if a user is a member of an enterprise LDAP Group.
Questions
• How about Service/Application C, D or E?
• Who manages employees who move/leave/join the department/org/company (Movers/Leavers/Joiners)?

Slides 10-11

Why Responsibility Management – Scenario 2

Email/AD Group
• Service M needs to know if a user is a member of an enterprise Email/AD Group:
  • Access may be granted based on membership.
  • Access may be denied based on membership.
  • Access may be granted based on lack of membership.
  • Access may be denied based on lack of membership.
Then …
• Service N needs to know if a user is a member of an enterprise Email/AD Group.
Questions
• How about Service/Application O, P or Q?
• Who manages employees who move/leave/join the department/org/company (Movers/Leavers/Joiners)?

Slides 12-17

Why Responsibility Management – Scenario 3

More complex evaluations occur as well. Service X needs to check that all of the below are true for a user:
• is a member of LDAP Group 1
• is not a member of LDAP Group 2
• is a member of Email Group 1
• is allowed to request an order of the amount USD 200,000 (order limit ≥ USD 200,000)
• has at least two direct reports

Slide 18

Why Responsibility Management – Scenario 3 - Continued

Questions
• What if each request is for a different set of groups and/or amounts?
• What if other services have similar functional constraints with different values?
• Where are such policies maintained? Are they auditable, and do they follow Config Management guidelines?
• Who manages Mover/Leaver/Joiner employees?

Slides 19-24

Why Responsibility Management – Scenario 4

Service Y needs to check responsibility privileges for a user/subject:
• in a given domain (Infra or Shared - service or tool)
• for a given cost code identifier or org. business unit ($)
• for a given environment (e.g. ‘PROD’, ‘QA’, ‘DEV’ …)
• for a given action (e.g. EDIT, DELETE, CREATE …)
• for a given resource (e.g. org.databases.prod.instance1.schema1)
(Diagram: Domain → organization → environment → action → resource)

Slide 25

Why Responsibility Management – Scenario 4 - Continued

Questions
• What if each request is for a different set of values for the given domain?
• What if other services have similar functional constraints with different values?
• Who manages the Role-Responsibility mappings per domain and the User-Role mappings?
• Who manages Mover/Leaver/Joiner employees?

Slide 26

Responsibility Management System Common Solutions

Slide 27

Responsibility Management – Common Solutions – For Data

DATA - External Services / Persistence
• LDAP/Active Directory is queried by the application/service over direct connections.
• The user's approver/manager is queried via proprietary corporate directory services.
• Role-Responsibility mappings are usually stored in the domain's local persistence.
• User-Role mappings are usually stored in local persistence or in proprietary systems.

Slide 28

Responsibility Management – Common Solutions – For Functions

LOGIC - Calculations / Functions
• Complex functions/calculations are coded into the application/service.
• Newer applications/services may separate them out into an independent microservice.
• Some applications/services use embedded rule engines such as Drools.
• Some applications/services use proprietary entitlement systems for evaluations.

Slide 29

Responsibility Management Service
A solution to manage dynamic privileges and entitlements

Slide 30

Responsibility Management Cycle

Responsibility Management is performed via policies. Policies have a lifecycle:
• Policy Administration (Authoring & Storage)
• Policy Distribution (Dissemination)
• Policy Decision (Evaluation)
• Policy Enforcement (Usage)
• Policy Reconciliation (Maintenance)
More detailed flow: Appendix

Slide 31

Responsibility Management System (RMS) – The Right Solution

A Responsibility Management System that:
• federates the calls to LDAP, Active Directory, and other services as integrated services
• provides appropriate mapping of roles to responsibilities, per domain
• provides user-to-role mapping, per organization per domain
• provides a proper SDLC and audit mechanism for policies per domain, to author and deploy
. . .

Slide 32

Responsibility Management System (RMS) – The Right Solution - Continued

A Responsibility Management System that:
• provides a built-in policy engine to evaluate complex calculations/functions using:
  • data provided as inputs by the service consumer
  • data queried from integrated services
  • policies provided by the domains
• applies mover/leaver/joiner logic to all controlled datasets
• provides horizontal scaling and thus high availability for varying request volumes

Slides 33-34

Before RMS

(Diagram: APP a, APP b, APP m and APP n each embed their own App Logic plus LDAP Client, AD Client and/or User Svc Client, talking directly to LDAP, AD, User Svc, an Entitlement System (URM), a Roles System (RRM), a Custom Service and DROOLS. Four patterns are shown:)
• URM via service, RRM via persistence.
• URM via persistence, RRM via service; custom service for policies.
• URM via persistence, RRM via persistence; batch job to manage users.
• URM via persistence, RRM via persistence; Drools rules for policies.
Legend: RRM = Role Responsibility Mapping, URM = User Role Mapping.
Takeaway: Decentralized policies. Auditing is per-app. Bespoke user management.

Slides 35-36

Post-RMS visualized

(Diagram: APP a, APP b, APP m and APP n keep their App Logic and local DB but call RMS through an RMS Client. RMS fronts LDAP, AD, User Svc, the Entitlement System (URM), the Roles System (RRM), the Custom Service, DROOLS and a Role Service, and holds one Policy per domain.)
Legend: RRM = Role Responsibility Mapping, URM = User Role Mapping.
Takeaway: Centralized policies. Centralized auditing. Centralized user management.

Slide 37

Technologies Used
Technology choices for building the Responsibility Management Service

Slide 38

Payload format: HOCON: Use case

A case for using Human-Optimized Configuration Object Notation
• Intent is to expose GET/POST operations.
• POST operations allow a request body but do not support meaningful caching.
• Policy decisions are queries (non-mutating), thus logically GET operations.
• GET operations do not support a request body.
• GET operations are subject to URL length limits, so large parameter content is not possible.
• JSON and individual query parameters are quite verbose.
• HOCON * trims the parameter verbosity by a significant amount.
* https://github.com/lightbend/config/blob/master/HOCON.md
Caveat: everything in a GET query string is recorded by access logs, proxies and caches along the path, so decision inputs that identify users or resources have to be treated as sensitive wherever those logs land, and any cache key must include every input that influences the decision.

Slide 39

Payload format: HOCON: Benefits

Benefits of using Human-Optimized Configuration Object Notation (https://github.com/lightbend/config/blob/master/HOCON.md)
HOCON:
• syntax is quite simple and has low ambiguity.
• is a superset of JSON; valid JSON is parsed correctly by HOCON parsers.
• allows the use of comments.
• allows multi-line strings.
• allows includes and substitutions.
• has built-in durations (5d or 100ms).

Slide 40

Payload format: HOCON: Features

Human-Optimized Configuration Object Notation - using includes and substitutions (https://github.com/lightbend/config/blob/master/HOCON.md)

generic.conf (substitution: y takes the value of x):
  {x: 10, y: ${x}, z: 5s}

my.conf (inclusion: the included file's keys are nested under a):
  {a : { include "generic.conf" } }

Resolved result:
  a.x = 10
  a.y = 10
  a.z = 5s

Substitutions inside an included file are looked up relative to the included file's own root first, which is why ${x} resolves to a.x rather than to a (non-existent) top-level x.

Slide 41

Payload format: HOCON: Comparing to JSON

Human-Optimized Configuration Object Notation - sample comparisons to JSON

Sample JSON
  {
    "foo": { "bar": { "baz": "myvalue" } },
    "employee": {
      "firstname": "Jane",
      "lastname": "Doe",
      "nested": { "loginTimeoutInMilliSeconds": 5000 },
      "fullname": "Jane Doe"
    },
    "standard-policy": { "developer": "yes", "operator": false }
  }

Sample HOCON
  foo.bar.baz: myvalue
  ---- Or ----
  foo { bar { baz: myvalue } }

  employee {
    firstname: "Jane"
    lastname: "Doe"
    nested { loginTimeout: 5s }
    fullname: ${employee.firstname} ${employee.lastname}
  }

  standard-policy {
    developer: "yes"
    operator: false
  }

Slide 42

Java Collections Library: Eclipse Collections

Key highlights of Eclipse Collections (https://www.eclipse.org/collections/)
• Rich, concise and readable APIs.
• Clear mutable and immutable hierarchies for collection types.
• Memory-efficient containers.
• Optimized eager APIs in addition to lazy ones, where the Java Collections Framework (Streams) offers only lazy evaluation.
• Improved code readability.
• Easy to learn thanks to several Code Katas.

Slide 43

Policy Engine: Open Policy Agent

Key highlights
• Open Policy Agent (OPA, https://www.openpolicyagent.org/) is an open source, general-purpose policy engine.
• Uses Rego (inspired by Datalog) as its declarative native query language.
• Policies are written as rulesets (similar to functions).
• Policies are queried with RESTful POST operations (the query input travels in the request body).
• Data and policies are published with RESTful PUT operations, or pulled by the agent as bundles.
• Can be embedded as a library in a service, launched as an independent daemon, or run as a sidecar.
• Decision in RMS was to use OPA as a sidecar.

Slide 44

Open Policy Agent: Usage Pattern

Service 1 sends Query + Data to the Open Policy Agent sidecar and receives a Decision.

Data (data.json), published at data.domain1.policy1.buckets (e.g. PUT /v1/data/domain1/policy1/buckets):
  [
    { "name": "bucket1",
      "clients": [
        { "name": "client1", "access": ["READ", "WRITE"] },
        { "name": "client2", "access": ["WRITE"] }
      ] },
    { "name": "bucket2",
      "clients": [
        { "name": "client1", "access": ["READ"] }
      ] }
  ]

Policy (policy.rego):
  package domain1.policy1

  import data.domain1.policy1.buckets

  default allow = false

  allow {
    buckets[i].name == input.bucket
    buckets[i].clients[j].name == input.client
    buckets[i].clients[j].access[k] == input.access
  }

Query payload (HOCON form as on the slide):
  { input { bucket: "bucket2", client: "client1", access: "READ" } }
sent to OPA's Data API as JSON, POST http://localhost:8181/v1/data/domain1/policy1/allow:
  { "input": { "bucket": "bucket2", "client": "client1", "access": "READ" } }

Decision: { "result": true } (bucket2 lists client1 with READ). Because of default allow = false, every non-matching combination yields an explicit false rather than an undefined result, which is what a caller should insist on.
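The consumer side of the pattern above, as an added example (not code from the deck): the query is wrapped in OPA's input document, POSTed to the sidecar's Data API, and the answer is read fail-closed, so an undefined rule (an empty {} body), a transport error or a non-boolean result all count as deny. BUCKETS is a constructed copy of the slide's data.json and local_opa_stub is a constructed stand-in that evaluates the slide's Rego rule offline; post_to_opa is the real transport.

```python
"""Query the OPA sidecar for the bucket-access decision from the slide and
treat anything other than an explicit ``true`` as a denial."""
import json
import urllib.request
from typing import Any, Callable, Dict

# Constructed copy of the slide's data.json, as published at data.domain1.policy1.buckets.
BUCKETS = [
    {"name": "bucket1", "clients": [
        {"name": "client1", "access": ["READ", "WRITE"]},
        {"name": "client2", "access": ["WRITE"]},
    ]},
    {"name": "bucket2", "clients": [
        {"name": "client1", "access": ["READ"]},
    ]},
]

# Data API path from the slide: package domain1.policy1, rule allow.
OPA_URL = "http://localhost:8181/v1/data/domain1/policy1/allow"

Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_query(bucket: str, client: str, access: str) -> Dict[str, Any]:
    """OPA expects the caller's attributes wrapped in an ``input`` document."""
    return {"input": {"bucket": bucket, "client": client, "access": access}}


def post_to_opa(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST the query to the sidecar and return its JSON body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=2) as resp:  # sidecar on localhost
        return json.load(resp)


def local_opa_stub(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed offline stand-in that evaluates the slide's Rego rule over
    BUCKETS: allow holds when some bucket matches input.bucket, one of its
    clients matches input.client, and that client's access list holds input.access."""
    inp = body["input"]
    allowed = any(
        bucket["name"] == inp["bucket"]
        and any(
            client["name"] == inp["client"] and inp["access"] in client["access"]
            for client in bucket["clients"]
        )
        for bucket in BUCKETS
    )
    # ``default allow = false`` makes the result an explicit boolean either way.
    return {"result": allowed}


def is_allowed(bucket: str, client: str, access: str,
               transport: Transport = local_opa_stub, url: str = OPA_URL) -> bool:
    """Fail closed: only a body whose ``result`` is exactly ``true`` grants access.
    A rule without a default yields ``{}`` (undefined) instead of ``false``, and a
    transport error or a non-boolean value must never be read as permission."""
    try:
        decision = transport(url, build_query(bucket, client, access))
    except Exception:
        return False
    return decision.get("result") is True


if __name__ == "__main__":
    # Same query as on the slide; pass transport=post_to_opa to hit a real sidecar.
    print(is_allowed("bucket2", "client1", "READ"))   # True
    print(is_allowed("bucket2", "client1", "WRITE"))  # False
```

The `is True` comparison is deliberate: a policy that returns a string, a number or a partially constructed object must not pass, and a missing `result` key (the rule was undefined) is a denial, not an error to retry.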

Slide 45

Architecting the Responsibility Management System
A platform solution for Responsibility Management

Slide 46

Responsibility Management System Architecture (Version 1)
A Federated Responsibility Management Service

Slides 47-51

RMS Architecture - Version 1: Federated

(Diagram, built up over five slides)
• Policy Setup Process: each domain's developers (Domain 1 Dev, Domain 2 Dev, …) commit to SCM; a Build Server packages each policy (Domain x Policy 1 tar.gz) into a central Rule Repository.
• RMS Service (Responsibility Management): a single service embedding one Open Policy Agent, which pulls every domain's policies from the Rule Repository.
• Policy Information Points (PIPs): User Service, LDAP, AD and a Role Service (RRM, URM).
• RMS Service Consumers: Service 1, Service 2 … Service x call the RMS Service for decisions.
Legend: RRM = Role Responsibility Mapping, URM = User Role Mapping.

Slide 52

Federated Architecture: Issues Faced

Key issues
• Segregation and information-barrier needs implied more work: with one shared engine every domain's policies and reference data are loaded into the same OPA, where the data document is global, so preventing one domain's Rego from reading another domain's data is something to build rather than a property of the design.
• A rogue policy script could lead to loss of service for all domains.
• RM Service became the gatekeeper for testing and coverage.
• RM Service had to establish a release-train model to pick up new policies.
• Out-of-band policy changes led to intermittent service unavailability.
• Observation: policy changes were most frequent when a new domain onboarded.

Slide 53

Responsibility Management System Architecture (Version 2)
A Distributed Responsibility Management Service

Slides 54-63

RMS Architecture - Version 2: Distributed

(Diagram, built up over ten slides)
• Policy Setup Process: unchanged; each domain's developers commit to SCM and the Build Server packages Domain x Policy 1 tar.gz into the Rule Repository.
• Policy Administration Service (PAS): receives the published policy (Publish Policy) together with the Role/Resp. (RR) and User/Role (UR) mappings, and enriches it into a Policy Bundle (Policy + RR & UR Mappings) stored in the Policy Bundles Repository.
• Policy Distribution Service (PDS): serves the Policy Bundles (Policy + Reference Data) to the consumers' policy agents.
• RMS Service: still fronts the Policy Information Points (PIPs): User Service, LDAP, AD and the Role Service (RRM, URM).
• RMS Service Consumers: Service 1, Service 2 … Service x each run their own Open Policy Agent as a Sidecar, which pulls that domain's bundle from the PDS and answers decisions locally.
Legend: RRM = Role Responsibility Mapping, URM = User Role Mapping.

Slide 64

Benefits of a Distributed Policy Management Architecture

Comparing Version 1 (federated single policy engine) with Version 2 (distributed policy engines)
• Segregation and Information Barriers: V1 requires additional work; V2 is implicit, no additional work.
• Impact of a rogue policy script: V1 outage for all domains; V2 outage only for the specific domain.
• Gatekeeping for testing and coverage: V1 requires RMS to be the gatekeeper; V2 requires the domain to be the gatekeeper.
• Strategy for new and updated policies: V1 needed a release-train model; V2 lets a domain push policies on demand.
• Impact of ad-hoc policy changes: V1 RMS downtime for all domains; V2 downtime only for the changed domain.
• Implicit RBAC support: V1 not available; V2 available.

Slide 65

Policy Bundles Repository

The policy bundles repository stores enriched policy archives. Enriched policy bundles are archives that contain:
• Policy file(s), specific to the domain.
• Policy static data, specific to the domain.
• Standard RMS OPA policy Rego files, common across all domains.

Slide 66

Policy Bundles Repository

Folder structure in the policy bundles repository:
-
  -
    -
      -
Example:
- domain1
  - policy1
    - 1.0.0
      - enriched-opa-bundle.tar.gz
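How an enriched bundle like the one stored above can be assembled and checked, as an added example rather than the deck's own build tooling. The archive layout (a .manifest with revision and roots, then .rego and data.json files) and the rule that a bundle's contents must lie inside its declared roots are OPA's; the file names, package names, sample policy and data are constructed. Declaring roots is what keeps one domain's bundle from overwriting another domain's policy or data, which is the segregation property Version 2 relies on.

```python
"""Build an enriched OPA bundle (domain policy + domain data + common RMS Rego)
and verify that every file in it lies under the roots the manifest declares."""
import io
import json
import re
import tarfile
from typing import Dict, List

# Constructed contents for domain1/policy1 version 1.0.0.
DOMAIN_FILES: Dict[str, bytes] = {
    # Domain-specific policy; OPA places it by its package clause (data.domain1.policy1).
    "domain1/policy1/policy.rego": (
        b"package domain1.policy1\n\n"
        b"import data.domain1.policy1.buckets\n\n"
        b"default allow = false\n\n"
        b"allow {\n"
        b"  buckets[i].name == input.bucket\n"
        b"  buckets[i].clients[j].name == input.client\n"
        b"  buckets[i].clients[j].access[k] == input.access\n"
        b"}\n"
    ),
    # Domain-specific static data; a data.json is mounted at the path of its directory.
    "domain1/policy1/data.json": json.dumps({
        "buckets": [{"name": "bucket2", "clients": [{"name": "client1", "access": ["READ"]}]}]
    }).encode("utf-8"),
    # Common RMS library shipped in every domain's bundle (constructed placeholder body).
    "rms/rbac/rbac.rego": b"package rms.rbac\n\n# shared RMS helper rules go here\n",
}
ROOTS = ["domain1/policy1", "rms/rbac"]
REVISION = "domain1/policy1/1.0.0"

_PACKAGE = re.compile(r"^\s*package\s+([A-Za-z0-9_.]+)", re.MULTILINE)


def build_bundle(files: Dict[str, bytes], roots: List[str], revision: str) -> bytes:
    """Write a gzip tarball with OPA's .manifest first, then the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = {".manifest": json.dumps({"revision": revision, "roots": roots}).encode("utf-8")}
        entries.update(files)
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_enriched_bundle() -> bytes:
    """The bundle that would be stored as domain1/policy1/1.0.0/enriched-opa-bundle.tar.gz."""
    return build_bundle(DOMAIN_FILES, ROOTS, REVISION)


def read_bundle(bundle: bytes) -> Dict[str, bytes]:
    """Map of member name -> content, with any leading './' normalised away."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                name = member.name[2:] if member.name.startswith("./") else member.name
                out[name] = tar.extractfile(member).read()
    return out


def read_manifest(bundle: bytes) -> dict:
    return json.loads(read_bundle(bundle).get(".manifest", b"{}"))


def _under(path: str, root: str) -> bool:
    return root == "" or path == root or path.startswith(root + "/")


def check_bundle_roots(bundle: bytes) -> List[str]:
    """One message per file OPA would reject for lying outside the declared roots.
    Rego files are placed by package, data.json files by directory, so a domain
    bundle cannot carry a policy or data that lands on another domain's path.
    A manifest without roots owns the whole data document and is flagged too."""
    members = read_bundle(bundle)
    roots = json.loads(members.get(".manifest", b"{}")).get("roots")
    if not roots:
        return ["manifest declares no roots: bundle would own the entire data document"]
    problems: List[str] = []
    for name, payload in members.items():
        if name == ".manifest":
            continue
        if name.endswith(".rego"):
            match = _PACKAGE.search(payload.decode("utf-8"))
            doc_path = match.group(1).replace(".", "/") if match else ""
        elif name.endswith("data.json"):
            doc_path = name.rsplit("/", 1)[0] if "/" in name else ""
        else:
            continue
        if not any(_under(doc_path, root) for root in roots):
            problems.append(f"{name} maps to data.{doc_path.replace('/', '.')} outside roots {roots}")
    return problems
```

Each Version 2 sidecar loads exactly one enriched bundle, so shipping the common rms/rbac library inside every domain's bundle is fine; if several bundles were ever loaded into one OPA (the Version 1 shape), their roots would overlap on rms/rbac and OPA would refuse to activate them.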

Slide 67

Slide 67 text

Information Classification: Public 39 RMS Architecture - Version 2: Distributed RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Policy Distribution Service (PDS) Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR) Mappings Policy Bundles Policy + RR & UR Mappings Service 2 Service x Open Policy Agent Open Policy Agent Open Policy Agent Policy Bundles Policy Reference Data Sidecar Sidecar Sidecar RRM URM Role Service RRM URM Role Responsibility Mapping User Role Mapping

Slide 68

Slide 68 text

RMS Architecture - Version 2: Distributed (diagram; same as the previous slide with the Policy Bundles Repository added)

Slide 69

Slide 69 text

Policy Agent: Setup
• Open Policy Agent (the executable)
• Open Policy Agent – Configuration
• Open Policy Agent – Dockerfile command

Slide 70

Slide 70 text

Policy Agent: Setup: Configuration Files

OPA configuration file (located at ${configPath}):

    services:
      - name: domainPolicies
        url: policyDistributionServiceUrl/
        # disables TLS certificate verification for this service; keep false outside development
        allow_insecure_tls: true

    bundle:
      name: policyDomain/policyName/policyVersion
      service: domainPolicies
      polling:
        min_delay_seconds: minDelaySeconds
        max_delay_seconds: maxDelaySeconds

Slide 71

Slide 71 text

Policy Agent: Setup: Dockerfile Commands

OPA launch command (used in the Dockerfile):

    exec ./opa run --server --log-level=debug -c ${configPath}

Slide 72

Slide 72 text

RBAC Policy Library

rbac.rego (policy library):

    package rbac

    # Holds when userId belongs to a role carrying a responsibility that
    # matches the resource and permits the action. `roles` is the role data
    # (see the excerpts below), assumed to be loaded alongside this package.
    user_has_responsibility(userId, action, resource) {
        role := roles[_]
        responsibility := role.responsibilities[_]
        does_resource_match(resource, responsibility)   # defined elsewhere in the library
        responsibility.actions[_] = action
        is_user_a_member(userId, role)
    }

    is_user_a_member(userId, role) {
        ...   # body elided on the slide
    }

policy.rego (application policy sample):

    package application1

    default allow = false

    allow {
        data.rbac.user_has_responsibility(input.userid, input.action, input.service)
    }

Role data excerpts

data1.json:

    {
      "name": "App User",
      "responsibilities": [
        { "resource": "service.1", "actions": [ "provision" ] },
        { "resource": "service.2", "actions": [ "provision" ] }
      ],
      "members": [ "EVERYONE" ]
    }

data2.json:

    {
      "name": "App Admin",
      "responsibilities": [
        { "resource": "regexp:service\\..*", "actions": [ "create", "update", "delete", "view" ] }
      ],
      "members": [ "org:abc" ]
    }
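The policy above can be exercised offline with a plain reference implementation of the same decision logic. This is an added example, not code from the deck or from OPA: it mirrors rbac.user_has_responsibility and application1.allow over the two role excerpts, and is the kind of oracle one would keep beside the rego to test role data before it is bundled. The slide does not show does_resource_match or is_user_a_member, so their semantics here are assumptions: a "regexp:" prefix on a resource means a full-string regular-expression match, EVERYONE admits all users, and "org:<name>" admits users belonging to that organisation (the user-to-organisation map is constructed).

```python
"""Reference evaluation of the RBAC policy library in plain Python.

Added example, not code from the deck or from OPA. It mirrors the logic of
rbac.user_has_responsibility so the role data excerpts can be exercised
offline. The "regexp:" resource prefix, the EVERYONE member and the "org:"
group prefix are interpreted here as assumptions; the slide does not show
does_resource_match or is_user_a_member.
"""
import re

REGEXP_PREFIX = "regexp:"

# Role data as shown on the slide (data1.json and data2.json), reassembled
# into one list as the `roles` collection used by rbac.rego is assumed to be.
ROLES = [
    {
        "name": "App User",
        "responsibilities": [
            {"resource": "service.1", "actions": ["provision"]},
            {"resource": "service.2", "actions": ["provision"]},
        ],
        "members": ["EVERYONE"],
    },
    {
        "name": "App Admin",
        "responsibilities": [
            {"resource": "regexp:service\\..*",
             "actions": ["create", "update", "delete", "view"]},
        ],
        "members": ["org:abc"],
    },
]

# Constructed user directory (what a PIP such as the User Service would supply):
# user id -> set of organisations the user belongs to.
USER_ORGS = {"alice": {"abc"}, "bob": {"xyz"}}


def does_resource_match(resource, responsibility):
    """Assumed semantics: literal equality, or a full-string match against the
    pattern after a `regexp:` prefix. fullmatch (not search) keeps
    `service\\..*` from also matching `myservice.1`."""
    pattern = responsibility["resource"]
    if pattern.startswith(REGEXP_PREFIX):
        return re.fullmatch(pattern[len(REGEXP_PREFIX):], resource) is not None
    return pattern == resource


def is_user_a_member(user_id, role, user_orgs=USER_ORGS):
    """Assumed semantics: EVERYONE admits all users, org:<name> admits users
    in that organisation, any other entry is a literal user id."""
    for member in role["members"]:
        if member == "EVERYONE":
            return True
        if member.startswith("org:"):
            if member[len("org:"):] in user_orgs.get(user_id, set()):
                return True
        elif member == user_id:
            return True
    return False


def user_has_responsibility(user_id, action, resource, roles=ROLES):
    """Mirror of rbac.user_has_responsibility: true when some role the user is
    a member of carries a responsibility matching the resource and action."""
    return any(
        does_resource_match(resource, resp)
        and action in resp["actions"]
        and is_user_a_member(user_id, role)
        for role in roles
        for resp in role["responsibilities"]
    )


def allow(inp, roles=ROLES):
    """Mirror of application1.allow with `default allow = false`."""
    return user_has_responsibility(inp["userid"], inp["action"], inp["service"], roles)


if __name__ == "__main__":
    for inp in (
        {"userid": "bob", "action": "provision", "service": "service.1"},
        {"userid": "bob", "action": "delete", "service": "service.1"},
        {"userid": "alice", "action": "delete", "service": "service.1"},
        {"userid": "alice", "action": "delete", "service": "myservice.1"},
    ):
        print(inp, "->", allow(inp))
```

The fourth case is the one worth keeping in a test suite: a regular-expression resource pattern that is only searched rather than fully matched would let the App Admin responsibility apply to resources outside the service.* family.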

Slide 73

Slide 73 text

OPA IntelliJ Plugin

A development tool for Open Policy Agent file authoring

Slide 74

Slide 74 text

Open Policy Agent: IntelliJ Plugin
• The OPA IntelliJ Plugin is a functional, work-in-progress policy editor.
• The editor parses and validates OPA policy.
• Relies on the OPA language reference linked * below.
• Can be customized for editor color schemes in IntelliJ.
• Work continues on indentation, run configurations and variable tracking.

* https://www.openpolicyagent.org/docs/latest/language-reference/

Slide 75

Slide 75 text

Open Policy Agent: IntelliJ Plugin: Before and After

Slide 76

Slide 76 text

Open Policy Agent: IntelliJ Plugin: Syntax Validation

Slide 77

Slide 77 text

Open Policy Agent: IntelliJ Plugin: Syntax Validation - Continued

Slide 78

Slide 78 text

Open Policy Agent: IntelliJ Plugin: Settings

Select: Preferences > Editor > Color Scheme > Open Policy Agent

Slide 79

Slide 79 text

Summary
• Responsibility Management as a Service can resolve issues on several fronts.
• Choice of a payload format (HOCON over JSON or XML) can help control verbosity.
• Choice of architecture (federated versus distributed) can help determine resilience.
• Distributed policy engines can alleviate back-pressure and volume demands.
• Distributed policy engines can reduce outages and maintenance-related downtimes.
• Creating a policy editor plugin can help boost productivity.

Slide 80

Slide 80 text

Links
• HOCON: https://github.com/lightbend/config/blob/master/HOCON.md
• Eclipse Collections: https://www.eclipse.org/collections/
• Open Policy Agent: https://www.openpolicyagent.org/

Slide 81

Slide 81 text

?

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

Appendix: Responsibility Management Cycle (diagram)

Diagram labels: Enterprise Roles and Responsibilities; Privileged Business Functions; Policy Authoring; Policy & Static Data; User/App/Service Input Data; Access Review/Certification; Reference Data / Updated Reference Data; Access Fulfillment.

Policy Administration Point
• Policy Authoring
• Policy Storage
• Policy Audit/Report

Policy Distribution Point
• Policy Bundling
• Policy Distribution

Policy Evaluation Point
• Policy Procurement
• Policy Evaluation

Policy Enforcement Point
• Policy Invocation
• Policy Application
• Policy Dynamic Inputs

Policy Information Point
• Policy Reference Data
• Policy Entitlements
• Policy Identities

Access Reconciliation Review & Certification
• Entitlements Discovery
• Access Reconciliation
• Access Certification

Managed Provisioning
• Workflows
• Downstream Fulfillment

Back to referrer slide: Slide 15