Introduction to administering Microsoft BHOLD Analytics
Updated: August 1, 2013
Applies To: Forefront Identity Manager
A major challenge facing information technology (IT) professionals is the need to design IT systems that express the internal business policies and external legal requirements that an organization must abide by. Role-based access control (RBAC) makes this process easier by providing a mechanism for designing roles that instantiate those policies by controlling access to sensitive applications and data. These roles can then be assigned to users individually or as part of a group, thereby eliminating the need to assign each access control to specific users on an individual basis. Microsoft BHOLD Suite Service Pack 1 (SP1) provides a set of tools that let you design, implement, manage, and audit a normalized role model that represents your organization’s rules.
In all but the smallest organizations, however, such a role model is likely to become as complex as the organization itself. As a result, it can be a significant challenge to be able to verify that the role model effectively enforces the organization’s policies and legal requirements. Microsoft BHOLD Analytics, one of the modules of BHOLD Suite, gives you the ability to analyze your role model by creating rules that instantiate those business constraints and viewing how those rules are actually enforced by the role model. For example, you can create a set of rules that express a requirement for separation of duties (SoD) among employees with financial responsibilities and then examine how those rules are enforced within the role model. If BHOLD Analytics reveals a deficiency in SoD enforcement, you can use the BHOLD Core portal to correct those deficiencies before they can be exploited, whether inadvertently or maliciously. You can also use the results from BHOLD Analytics to design a BHOLD Attestation campaign to determine whether any deviation from your policies can be corrected without impacting users’ ability to perform their duties.
Rules can be grouped into rulesets, making it easier to classify rules according to policy categories. For example, you can create rulesets to combine rules pertaining to financial SoD policies, IT SoD policies, and so on. You can also design a global filter that optionally can be applied to all the rulesets. For example, if you are only interested in how the rulesets apply to a particular class of user, you can create a filter that excludes all other users from the analysis.
As you are designing the rules and rulesets, you can immediately view the impact of those rules (that is, how they are being enforced by the role model) to make it easier to refine those rules or to make ongoing corrections to the role model to mitigate any lapses in enforcement. When you are satisfied that a particular rule or ruleset properly reflects the business policy it represents, you can generate a report that shows the results of applying the rule or ruleset. This report can be saved either as a Microsoft Excel file or as a text file in comma separated–value format.
For more information about the Microsoft BHOLD Suite, see Microsoft BHOLD Suite Concepts Guide. For information about installing the BHOLD Suite SP1, including the BHOLD Analytics module, see Microsoft BHOLD Suite SP1 Installation Guide.