
I guess I should stand in front of the mic over here.

All right, so my name is Adam Fisher. I've been in the security industry now about eight years and have focused a lot on identity and access management, hence the topic that we're going to discuss today. I spent a lot of time in the enterprise space, so I've dealt with a lot of large companies, a lot of Fortune 500, Fortune 150, whatever you want to call it, and I have had an opportunity to work abroad: I lived in England for 18 months, so I not only learned how access control was managed here in the States but also how EMEA and other countries look at it as well.

What I want to cover is going to give us a little background on why access control, the history of what we see, how we got to where we are today and some of the decisions that were made that put us where we're at. We're then going to take a look at where it's going: we have the traditional security model, and what it's going to take for us to really move ahead in the new world of business. We'll look at the difference between roles and attributes, and especially at how security has always taken a "no" answer to things. Right, we're going to secure things, the answer is no, but really we need to have more of a knowledge idea about who our users are and how they're interacting with our organization, with our business.

So one of the key points here, and this is a growing trend that we see in the world of enterprise, in the world of business: security isn't just a tool, it's not just an organization, but it's something that needs to be leveraged to increase the way that businesses interact with their customers and how they're going to protect not only their brand but the data that their customers hold, with the open enterprise that's around us. We're sharing more data now than we ever have, and we still have to be able to control that and secure that. An indication of this is the new reality, some of these numbers that we see in front of us: 79% of organizations are using secure cloud applications, SaaS application services in the cloud; we see the growing social trend; the number of devices, the applications that a business now creates for mobile devices especially; look at APIs (I'm not going to talk about APIs today), but especially how that is increasing the amount of data that we share across the business lines. And it's all going to continue, right? So this is what we're facing, this is the growth here. And with this we've seen a proliferation of solutions like LifeLock and password storage things, whatever, if you use LastPass and things like that, because we have such a prolific digital identity that we need to secure it now.

So why are we here? We're here because there are products that exist like this. Let me get over here, see if I can't swing this. Maybe some of you have seen this, maybe some of you haven't, but because of our digital identity we get products like this. What's this? Oh, we're going to see this right here... oh no, we're not. Give me a sec, somebody's going to get on the internet to show this to you.
So I was almost there.
Yes.
Hmm.
All right.
Come on.
Is there a play there at the top?
All right, you played it.
Oh, I'm trying. I'll jump out to YouTube and show this here in a second.
There we go. All right.
We're getting there. "Marshalls, I don't know if you love them as much as I do, but I found one, it's a new product that I want to share with you. You know, if you have a hard time remembering your online passwords... a lot of people have a lot of different passwords, this is going to solve your problems. 'Online passwords: there's just too many, and who can remember all those tricky combinations? So you stick them on your monitor or you hide them in a drawer. But not anymore! Introducing Password Minder, the personal logbook that takes the hassle out of passwords. Forget about sticky notes or scraps of paper, because Password Minder has been specifically designed to organize and safely store passwords. You'll find them in an instant and never lose a password again, guaranteed. Need to make a password? Just add it to your Password Minder. The alphabetical listing organizes all your usernames and passwords for instant recall and easy reference. I don't have to worry anymore about security or identity theft. I now have all my passwords in one place. It's great! If you have passwords, you need Password Minder. So call now and get your very own Password Minder book for just ten dollars.' That's real. That's real. Wait, you're telling me I can keep all my passwords in one place, in this right here, and it's only ten dollars? For half the price you could write all your passwords on a five dollar bill. This is insane. Does this seem safe, to keep all your passwords in one place, in a place that's labeled 'Internet Password'? I don't think they thought this through fully. I mean, what if someone gets their hands on your Password Minder? So I came up with this: it is Ellen's Internet Password Minder Protector, and what you do, you close it and then it has a built-in combination lock right there, you see, on the side. And I know you're thinking, 'Ellen, what if I forget my combination?' Well, if you order now, you can put it in there: it's the Password Minder Protector Minder. It's the one place to keep your Password Minder Protector combination. And I have one more special offer: if you don't feel like writing down your passwords, send them to me and for ten dollars I'll write them down for you. Don't worry about sending me your credit card information, I'll figure it out."
So what's funny about that is that it's real, okay? That's an actual product that existed, about 2011, 2012, and it's real. So that's the environment that our users, the public, live in, believe it or not, and people buy that kind of crap. Yeah, I'll get one for you, just give me a five dollar bill, I'll write them down for you. So this is where we're at. And moving on, we're looking here at ways to secure our access, to control it in ways better than this. So what are the ways that we're moving forward?

Just to set the stage, we're going to talk a lot about moving forward with an access control model, and this is simply a framework that dictates how users access an object. It's that simple. One of the first ones that we came across was discretionary access control. We see this a lot on Linux, Unix. It's decentralized, owner discretion, so this is where the term "data owner" came from: I own a file, I can then determine who gets access to that file, read, write, control. Access control lists, permission rules, are attached directly to the object. So the pros of this: easy to implement, great flexibility, it's built into nearly every operating system. But the cons, and this is definitely a big one we see at the enterprise level, where they have thousands, two thousand, four thousand... I worked at an organization that had 250,000 Unix servers. That doesn't scale well when everything is assigned on the object across all those servers; there's no central implementation, hence what we have now, the Unix AD integration, Active Directory integration, LDAP, Kerberos, all of that is to centralize those logins. And because there is so much manual work in there, it's not centralized. I mean, I don't know about you, but how many people have changed the permissions across their whole root file structure, or thought they did it in one folder but there went your whole /etc directory? So those types of things are prone to mistakes.

Another thing that came out early on was mandatory access control, MAC, and so we're getting into data classification. This is obviously something that the government uses, the Defense Department uses; we're all familiar with the top secret, secret, classified, unclassified levels of the data. What's good about this is that subjects with clearance the same as or above the object have access to the object. So if I've got top secret level clearance I get everything down below, I can read everything down below, and I can write top secret; but from level 2, unclassified, I can't read above and I can only write unclassified information. That's where the mandatory access control comes in. So it's more secure, it scales easier, but there's limited user functionality, it's expensive to implement, and obviously there's a high administration overhead because you're constantly looking at that data that's classified and updating that classified information.

And now this brings us to where we're at, with role-based access control. Role-based access control came around really whenever directory information came around. So first was DAP, around '89, '90, maybe even earlier than that, which was the Directory Access Protocol, and then LDAP came around, the Lightweight Directory Access Protocol. What that brought into the realm was really the ability for us to start classifying, almost like an intermediary layer, with groups. So groups became very influential in the LDAP infrastructure: we're able to classify users not just by, perhaps, their name, but we're able to classify them by a role, and we were able to centralize this information more easily. Role permissions are enforced as well through an ACL, but the big ticket item here was that the user could be a member of more than one role, more than one group, at a time. So it was easy for us to just add the user to the group, he's got the access, we don't need to think about it further. Another, higher level layer of abstraction.

So we go through here and take a look at this, and when we look to build out a role model we're looking to find patterns between our users. Starting with this type of scale here, we simply have users on the left and the systems on the right, and I've got to get my users over there. If I was to do it without much fanfare, I'd go through: what does he need, what does he need? Perhaps he needs every system, perhaps you need just a few. But if we were to do this normally, through a discretionary model, this is what it would look like, and that doesn't look too pretty, right? We've got some issues there, and so we need another layer of classification. So if you want to do a general employee, bam, we have a general employee model. We hear this referred to in industry as birthright access: I hire a new employee, what basic access does he need? Corporate network access, the directory, email. Bam, that's what he gets. But perhaps you have other classifications of users, and what else are they going to need? So we start looking at the finance role; a few people are specifically in the finance department. Same thing with the sales department. So we can start segregating our users a little bit better, and we can see where this goes: we get to a point where now we have a higher level layer of abstraction.

This worked great for a lot of instances in security, whenever everybody was in-house, whenever everybody pretty much came to the office, sat down, and that's where they accessed the data. There was none of this mobile interaction, none of this partnership federation; I don't have contractors that need my data, I don't have partners that I need their data from. Everything is in our tight little data center, and this is working great. You can see here everything from the role to the right is nice and clean, not a lot of mess over there, it's well defined, I know exactly what access each role is going to give. Over on the left I still have my thousands of users, but that's okay, because once I get into the role everything's clean.

So what does this give us? The pros: scalable to some degree, and the second pro is really nice: great for organizations with high turnover. Gone are the days, at least for us; we move around between companies more frequently, definitely more than my father's generation, and I'm sure yours as well, and so organizations are experiencing more of this turnover. Simply stated, user-to-role membership changes frequently but role-to-object permission does not, and because of that RBAC has taken a big place in organizations and in access control. But on the con side there's a possibility of role explosion. Role explosion is simply the case where we become so dependent on roles that we defeat the purpose: there are too many exceptions to the role rule. So you're part of the finance department... oh, but he's an admin in the finance department. Okay, so now we have a finance admin role. Oh, but we have a finance dev role, now we have a finance test role. I've worked in organizations with five thousand users and ten thousand roles. Wait a second, how does that work? What's the purpose of a role model if that's what we're creating? I've been in organizations where literally they've broken Active Directory. You didn't think it'd be possible, but yes, Active Directory can no longer function because a user has so many group memberships that the Kerberos ticket is too large to pass to the network, and they changed to TCP on port 88 to handle that. That's what we're talking about with role explosion. There's not enough admin oversight, there's not enough planning, but we see that.

And that's exactly why things are going this direction. We're no longer in a traditional security model where we have the bad guys and we build up this big wall: we dig a moat, we put up our castle walls, we have a nice big firewall sitting there, everything is secure. But how does that enable the business? Is that business agility or stagnation? How are we going to work with our customers, how are we going to market, how are we going to partner, how are we going to have any type of influence in the marketplace if that's what we continue to move with? Now this was okay, because coming this way pretty much everybody came down the same path and it was a lot easier to say no: nope, you're not going to have your corporate email on your tablet, on your smartphone, on your BlackBerry. We all went through the BlackBerry stage: people started getting these fancy new BlackBerry devices, they wanted email on them, the wall starts coming down, and that's where we're at now. That wall is down. So how do we secure it now, now that the business is open? How do we secure what's inside, how do we secure our data, how do we protect the company image?

I can tell you right now it doesn't work like this.
And there we go.

"Hey!" "Ah, I just blew it. Do that again." "Intruder in sector 12. Intruder in sector 12." "Hey!" "Can your security software protect your whole business?" "Sector 12 now secure." "Not just pieces. Ours can see it all."

Right, so that's funny, we laugh at it, but it's not the truth, it's not how we look at things. As long as it's outside of the perimeter, as long as it's outside of where I focus, is it still my concern? I guarantee Target probably said that: my perimeter is secure, I don't care about my HVAC vendor, I'm good. But those days are gone. We see what happens when we take that stance, so we have to look beyond just what we control, what our data controls.
we see this happening because where we're at now um and so i really like this graph and i think this uh you know indicates here what we're seeing as far as our digital footprint and what's happening uh and and so really here over the last um couple years there's you know we're up to 93 now of information stored on stored digitally as opposed back to 1988 when information is 0.7 was stored digitally think about everything that we access now is either internet based uh is is you know it's stored on a hard drive somewhere right i mean when was the last i mean at least for me um you know i that that's pretty much exactly how how
everything is going when we see what the healthcare record is now right everything healthcare has got to be stored electronic healthcare information hipaa um that's exactly what we're seeing this spike here in all of this and so with that we need an access control model that isn't focused uh that is more focused on digital information okay what still information digital information is attributes we're looking for information on the digital data that's where the access control needs to reside and so that's why we're here talking now about what's coming next which is an attribute based access control model okay why is this good okay because we're able to apply controls on subjects that are not associated with the organization
okay it's much easier for me to apply an attribute based control an incoming user from external to my organization then for me to look at a role and say oh he's not enrolled he's not going to get access you know i'm not going to expose my active directory group infrastructure to my partners and to my external users to my customers who still might need to get access to parts of my internal applications abac is more expensive i'm sorry more expressive and can support multi-factor decisions physical location and strength of authentication and this is kind of key here as well right it avoids the need to assign explicit authorizations before the access is attempted right so it's more real time when i
access that object i can look at what that you just bringing with him you know the whole by b-o-y id bring your own identity whatever he brings with him whatever system he's coming in with i can then authenticate that user or give him access to whatever he's requesting same thing we see right when we see this web page signing on facebook signing with google it's all that kind of stuff what's he bringing in from google what access is he bringing it allows me to get access to what i'm requesting all right so real time context segregation of duty right now the big cons is disruptive okay we're getting away from this directory we're getting away from this
role-based mindset where i have to have explicit control of what users are coming in and accessing my stuff it's not open enough and then the key thing here though right then it becomes more of i really have to manage the attributes of my users more so than uh perhaps with a group membership and so we kind of look at the abac timeline that's really sort of kicking off around 2009 with the first phi kim road map implementation version 1.0 i'm going to pull a lot of the information that you're going to see on the subsequent slides from version 2.0 that came out in 2011 and this is where abac was recommended as the access control model for
promoting information sharing between diverse and disparate organizations and from there it continues to grow last year there was the nist guide to abac which is very good if you're a identity junkie like me i found it interesting uh but then even now it's gained enough traction in five years since 2009 or three years since 2011 to where gartner is now predicting that by 2020 70 of all businesses will use abac all right and we can see that shift in the amount of digital identity that's stored and how we have to control access to the digital identity uh and same thing from cooping or cole who released the compass report on dynamic authorization is the most exciting area in identity
and access management today so for me that's exciting if you're identity junkie hopefully is exciting for you as well and so let's take a look at some of the hindrances some of the things that ficam brought out that said this is where we're seeing roadblocks okay traditionally access control has been based on the identity of the user requesting execution of a capability to perform an operation on an object either directly or through predefined attribute types such as roles or groups we know that practitioners have noted this that this approach to access control is often cumbersome to manage given the need to associate capabilities directly to users or the roles or groups that's absolutely true absolutely true especially when you have
you know a number of users in a complex environment the complexity of the environment makes the r back process complex as well as where oppose an access control model should make it simple it makes it complex it has also been noted that the qualifiers of identity groups and roles are often insufficient in the expression of real-world access control policies and uh so here right the alternative is to grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object and so here we're talking right right again about it's the attributes of the user and the attributes of the of the of the object that should determine how we gain access
how we access that information and so often this approach is a back and so this is going to be some advantages here of abac then right so access control policies that can be implemented in abac are limited only by the computational language and witness of the available attributes abac enables precise access control it allows for higher number of discrete inputs providing a bigger set of possible combinations of those variables to reflect larger and more definitive set of possible rules to express policies basically it's more scalable okay it's more scalable it allows for the for us to simplify an environment as it gets more complex this flexibility enables the greatest breadth of subjects to access the
greatest breadth of objects without specifying individual relationships we don't have to be so fine-grained and but we still gain that ability to implement fine-grained controls and so i voted this here under abac access decisions can change between requests by simply changing attribute values without the need to change the subject object relationships to find the underlying rule sets and so why is that important because it's a lot easier for me to change an attribute why because that usually comes from an hr system usually comes from a job change right so if i change jobs my department changes immediately my access changes so i don't know about you guys but when i work at a lot of customer sites that's
the biggest thing i see a job change happens and what happens he maintains his last 10 years worth of access because nobody takes him out of the freaking group right now there's no group to change he changes his attribute his access changes it's that simple we don't have to change the rule set that implements this either right the rule set is static we set the rule you're in this department you get this access now my department changes the access is gone it's that simple right and so just because he has another um layer of access inside a department all that is we're going to take a look at this a little bit later another line in the
rule set okay all right and so kind of what brought us here right so now traditional security and we're moving into an attribute based identity security model and why so take a look read these i think these are you know i don't like using dilbert as proof points but these really really relate to what i have to say right so i think they're pretty effective you know and we and we joke about it um but i think it's because we've all experienced this right you know um back in like 0.203 i lived in uh you know i was i was working in an environment like the first one here right people were coming to us
and saying hey we want to get an email on this new blackberry that i got you know i want to i want to be able to access you know this from home i've got a broadband connection it's up all the time i want to access it from home right and now everything's gone mobile you know and and really you know i mean my son right he he goes he's my laptop he's four years old does he reach for the mouse or does he reach to touch the freaking screen on my laptop he looks looks to touch the screen right and that's exactly how we're going so we're in an open business and so now that wall is gone
right so how do we protect it we can't have a big you know a big massive um castle in front of our business anymore we've had too many holes through it to call it a firewall to begin with um and so now that the security has to be on the identity okay and that's and that's what we're talking about attribute security right and the beauty part about about this is even now from an insider threat perspective i'm supposed to have a desk in the office i'm supposed to walk in there and but now you know i don't like you anymore take sony for instance right i don't like it i'm going to screw up your
systems but even from an insider threat perspective from from a perspective of least privilege um this covers the insider threat basis as well okay so we're protecting the shared account passwords we're controlling the privileged identities um where you can record the access and so what this allows us to do is implement least privilege reduce the risk um and improve accountability to our administrators and so forth and that's what we're after here with an identity perspective this brings us to where we find security now where you know less is more that's the common thing we still face the same type of requirements right we still have to enable the business while we protect the business and that's really kind of with
the open enterprise everything we hear about an open business now security's responsibility to enable the business to perform to increase revenue is really taking a different view right it's taking a different um look at security and so we've gone from a situation where we say no to everything or we protect the business no you can't have your blackberry or or you know when iphones came out and everything everybody got an iphone they wanted this and to how are we going to enable our users enable the business in a situation of security okay how are we going to secure the data so that they can use it on their phone so they can be more productive
so we can interface with our partners so we can interface with our contractors and have secure relationships okay and so let's take a look here then a little bit on a fine a fine grain level here of of abac from attribute based control what are the what are the pieces in place to implement an attribute based control system um i'm not going to follow the terms on the left i'll just follow the diagram here the terms are in alphabetical order but first we have a policy enforcement point this is simply an endpoint all right so this is something i'm going to log into that has um you know either an agent a connector or a tie-in to the pdp there's a number of
ways there's no solutions commercial solutions that will implement that but a higher level of pep is simply an endpoint policy enforcement point it's someplace that's implemented abac control whether it's a file server the windows share web server whatever it may be uh the decision point is the rules right so this is what's storing the rules uh that evaluates my access request so it looks for my attributes it looks for the objects attributes and whatever other additional parameters that we've set in the rule we'll take a look at that and so this really then ties back the decision point i mean kind of look at the decision point as a service you're just going to be sitting there running
looking for requests and it's going to process those it's basically a tie and then to a policy repository this is a database or an information point that can that can contain a number of different environment variables polish repository is a database that holds the rules okay in the in the pap the administration point i think it was a web gui that helps me create the rule set okay and so now instead of me going to active directory and saying you know make me a member or a member of or or whatever i would go to the pap and create a new policy rule okay create a new create a new attribute rule uh maybe we do have a
new department coming on we just had an m a activity acquired a new company and a couple new rules we'll create those that's really good to do that now we leave those groups along all right and so coming coming back to this slide now instead that middle really becomes one big box it becomes the policy decision point okay and in there i'm going to have those decisions title equals sales user has an employee id department equals finance it all sits right there i have one place to go to make the change i have one place to go to address the attribute needs of my organization and then that is pushed out to the endpoint systems i go there for the
request the request is granted i'll gain my access okay so the standard that is implementing attribute-based access control is referred to as exactable okay extensible access control markup language at a high level it just defines it defines the the the xml right defines the rule set what format the xml needs to begin to be consumed okay and so to look at here this is a simple access control rule okay you know and there's a key thing here though and it's it's what kind of gets referred to and this is a primary attribute the policy so policy role equals manager action equals view resource type equals a document rule one deny if the document owner is
not this user id so we're saying whoever's user id is specifically that's who can get it rule two is permit um but what's the first line here right roll it was manager that's a common misconception when we say we're moving to an attribute-based access control is that roles are gone obviously we're not going to be deleting groups they became they become what we call a a primary attribute so it may still be easier for me to put you know a group of 10 managers that span over a course of 10 departments into a specific role and then i could say role equals manager right so if i'm in the manager role i can still get there
really i see this going away eventually i don't think roles will be in there um because then what happens well now we have a generic term that refers back to groups okay but for sake of migration purposes and so people that like our back don't get offended we allow them to find a role in there okay and i think that's how we see this uh migration process moving forward by by just leveraging currently what's deciding there by roles okay so what happens uh if there's two or more roles um i wanted to cover this because this is a common thing where you might have you know now instead of roll explosion you have rule explosion
There's always going to be some level of complexity out there, but this is another example here of what we'll refer to as permit overrides, so we can define specific rules that have higher priority than others to implement those. And so that makes it easy to be able to limit the amount of, I guess, rule explosion that we would expect to see. And so a couple of the ABAC implementations currently out there, we see a lot of this coming on board: Microsoft Windows Server 2012 implemented a form of it in claims-based access control, where essentially they're passing around a claim that they refer to as an ACL, which is really an attribute rule. Fedora 3.3, which is nice, you can read up on that implementation as well. And there's lots of third-party companies such as Axiomatics, Avatier that have commercial off-the-shelf type solutions that you can leverage. So with that, open up any questions or comments that we have.
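The slide's rule set and the permit-overrides idea, as an added example that is not part of the talk: a small Python model of a policy decision point that evaluates the policy role=manager / action=view / resource-type=document with rule 1 (deny if the document owner is not the requesting user ID) and rule 2 (permit) under XACML's standard rule-combining algorithms. The flat attribute names and the request shape are assumptions; XACML's actual XML policy syntax is not reproduced here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
@dataclass
class Rule:
    effect: str                                        # "Permit" or "Deny"
    condition: Callable[[Dict[str, str]], bool] = lambda req: True

    def evaluate(self, req: Dict[str, str]) -> str:
        # A rule whose condition is false yields NotApplicable, not the opposite effect.
        return self.effect if self.condition(req) else "NotApplicable"

def deny_overrides(decisions: List[str]) -> str:
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"

def permit_overrides(decisions: List[str]) -> str:
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"

def first_applicable(decisions: List[str]) -> str:
    return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")

COMBINING = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
             "first-applicable": first_applicable}

@dataclass
class Policy:
    target: Dict[str, str]   # primary attributes the policy applies to (role=manager, ...)
    rules: List[Rule]

    def evaluate(self, req: Dict[str, str], combining: str) -> str:
        # A target mismatch makes the whole policy NotApplicable, whatever the rules say.
        if any(req.get(k) != v for k, v in self.target.items()):
            return "NotApplicable"
        return COMBINING[combining]([rule.evaluate(req) for rule in self.rules])

# The slide's rule set (constructed here): rule 1 denies when the document owner
# is not the requesting user id; rule 2 permits.
SLIDE_POLICY = Policy(
    target={"role": "manager", "action": "view", "resource-type": "document"},
    rules=[Rule("Deny", lambda req: req.get("owner") != req.get("user-id")), Rule("Permit")],
)

def decide(user_id: str, role: str, owner: str, combining: str = "deny-overrides") -> str:
    # PDP decision for a "view document" request assembled from the given attributes.
    req = {"user-id": user_id, "role": role, "action": "view",
           "resource-type": "document", "owner": owner}
    return SLIDE_POLICY.evaluate(req, combining)
```

Running `decide("alice", "manager", "bob", "permit-overrides")` returns Permit because rule 2's unconditional permit wins over rule 1's deny, so the combining algorithm is as much a part of the access decision as the rules themselves.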
Right, so not so much with the claim, but what we see here, the policy decision point is going to validate the assertion against what we see from the policy repository. So it has the list, it has the information in the repository that we've defined, sort of what that rule set is, and bases it off of that.
Correct.
Yeah, very good point here. We're not talking about users and passwords here; they can get authenticated somewhere else. This is another step further down on that chain of authorization, and what we refer to this as is almost like fine-grained authorization. So we get very specific on who's accessing what, so you may be authenticated but not authorized.
Yes.
Yeah, very good. So SAML 2.0, via the federation standard we see currently, well, it has those attributes in there; we can put a lot in that assertion. A good point. Other questions?
So, okay, good question, good question. So dynamic authorization is more based because it's coming from me. So from a static perspective, roles are static; I have to manually be added to that role, whereas for me, my attributes change, that can be a dynamic process. As soon as it happens it's already updated on the endpoint, right? My authorization is already updated, so there's no middle step there, I don't have to go to a role. Like, so my attributes can change but my authorization will be the same, right? Somebody has to go to an app, go to a role, and pull me out, remove me from a group.
Is that answering your question?
I mean, most likely not, but possibly. I don't see that happening now, but usually you have a comment on this. Okay, no, so yeah, no, I wouldn't expect a user to initially go in and change their job title to CEO and then have that happen. But it still takes human intervention, right, to make a change. So, you know, I'm the user and I change departments, you know, somebody, an admin, is
dynamic perspective: the way I viewed attribute-based is that once that change happens on my user attributes, there is another change. So from a role perspective, my attributes can change, but then I also have to go and make a change of the role, whereas from an attribute perspective I change my attributes, it's done. There isn't that second step to go to a role and then also make a
We've changed, said, oh, we used to do things here as well that affected... So what we're going to do here, instead of managing 20 groups, we're going to manage 10,000 people, and either, or worse yet, the administrative
So I mean there's still going to be a data owner. We're still going to have access to information that's going to be stored, I would say kind of how it probably currently is. So whatever business process you currently have in place that manages your SharePoint files, that manages your document installation, whoever gets read, write and create access, that's still going to be there. But what this is going to allow us to do is basically have that call-out that says, should I have this access or not? So perhaps we don't leverage the internal mechanisms there and we implement an access model like this. So I mean that's kind of how I see that going forward.
Yeah, I agree with that. So, you know, when we look at it from a manual perspective, you know, if we have somebody sitting there typing on a keyboard that enters in the data, we have to assume a three percent error rate, which is not going to help at all. So from an automation perspective, I mean, I work for a company that has a solution that does this automation for us, so it can manage the attributes that change, it can manage that information. There's lots of, I would say, options out there that provide for the automatic changes of these attributes and so forth.
So I mean there's still going to be a level of human interaction with any system, right? We have to put the data in there; we can't create it magically, right? We have to put in the fields. But there's obviously options; we can make it more static, so somebody's not typing in a manager, they have to select it, right, stuff like that. Okay, so, is... no, no. So SAML is a federation standard, so whenever I want to federate with another company, another partnership, that SAML assertion has my user attributes. XACML is the standard that would facilitate, okay, what are those attributes, and is he allowed, do they match up, do they meet the role that we have here? Yeah, so.
Right, so this is a little higher level; I didn't put the other stuff in there, yeah, but I mean it's similar to this. So there's a good Fedora site that has a good write-up on it.
So in the enterprise space, definitely Axiomatics has been in the forefront of attribute-based access control. They've been around since probably about 2010, and then I would say probably Microsoft with the claims-based access and Fedora around, you know, shortly after that is when they came in. Yeah, but yeah, so I think probably the leader right now is Axiomatics.
Mhm.
So, not getting into the complexity of, you know, the rules that we can configure, it's easier to configure the exceptions, I would say, the XACML way, to handle those than in a role-based scenario. And I think if we come back and look at this slide here, right, even if there is more complexity, there's still one place where we can put that, there's still one location where that can be stored, all in the policy decision point. We're not increasing the number of groups, we're not increasing the number of, you know, objects in our directories to handle the exceptions. I think from any standpoint we usually look at having about an 80 to 20 coverage with any access model, right? But, you know, that being said, for any type of extreme one-offs, right, we just have to do it statically and put it on the actual object. But from what I've seen, definitely this eliminates that incidence of having a role explosion scenario, where we have double the amount of groups that we have users because we've tried to capture all the exceptions.
Yeah, good question. So I mean personally I haven't implemented this per se at any customer site, but I will say that for those organizations, you know, I'm working with a large chip manufacturer in Boise, if you guys are familiar with a company like that in Boise, but I mean that's a common example where they've had a massive overhaul of groups. And why is that? Because lots of companies like this provide to the end user the ability to request a group and have that be created, and so then you have duplicate groups left and right all over the place. And unfortunately you can't just drop a bomb and start over, but that's almost what it takes whenever you get into a really bad role situation, because there's no oversight, there's no management across it at all. Yeah, okay, one last question.
Correct. So really it all depends on the login system, right? So if I'm logging in with, you know, Integrated Windows Authentication, I'm going to bring some attributes with me there, so then maybe that is just an Active Directory attribute change, a directory change, whatever it may be, wherever the attribute is coming from. And that's the other thing: we don't care where it comes from as long as we get it. But from an IT perspective it would either be that we need to change the attribute, so maybe we've added another attribute to the user that determines what system he should get access to, or we set up another rule that catches that. So instead of creating a role, maybe we create a rule. But from what I've seen before, from what I've read, the rule-based scenario allows us to create much more of a static rule, that then we might add an attribute onto the user, you know. And from my perspective there's plenty of attributes that we can add or that we can change on the user to modify it.