1. Technical Field
This disclosure relates generally to computer-implemented techniques for designing, configuring and managing security policies within an organization.
2. Background of the Related Art
Managing security policies within an organization is often a difficult task. Many organizations have some understanding of their employees' roles within their organization and the information technology (IT) functions a user in a given role needs to access to conduct his or her daily job. Translating these access requirements to security policies within a given security framework, however, can be tedious and complicated.
More specifically, the existing processes and techniques for designing and configuring security policies often suffer from the following problems. First, the security administrator must have in-depth knowledge of the technology for which policy will be configured. For example, if one is to implement a security policy within a known system, one needs to understand how to use access control lists, object policies and authorization rules, and to understand the full application scope at issue. Acquiring such knowledge can be very time-consuming and costly. Second, translating a business security requirement for access control to a technology-specific design is often an inexact activity, especially in cases where the available security framework cannot represent that requirement precisely.
While there are known solutions (such as IBM® Tivoli® Security Policy Manager) that attempt to address these problems by separating a business security view from IT systems implementation, they still require the security administrator to understand various policy configuration items even if vendor-neutral or standards-based.
There remains a need to provide a security framework that can translate role-based access requirements directly to security policies.