Ensuring that customers have properly deployed access controls across the enterprise is a top priority today. Regulatory mandates such as the Sarbanes-Oxley Act in the United States, Combined Code and the Turnbull Report in the United Kingdom, and KonTraG in Germany require organizations to prove that they have strong, effective access and authorization controls in place. In general, access control to an information resource is based on a reference monitor evaluating an access request against a static set of access rights associated to a principle or role. However, context information may also be taken into consideration to decide whether access should or should not be granted. Such context may be the operations a user has already executed in a workflow, the business objects he accessed in the past but also more abstract context like temperature or location. This, however, raises a set of problems that no current system appears to address satisfactorily.
To address this need, vendors offer access control applications for monitoring, testing, and enforcing access and authorization controls across the enterprise. One vendor known as SAP provides these applications as part of the SAP GRC solutions for governance, risk, and compliance (SAP solutions for GRC), include Virsa Compliance Calibrator, Virsa Access Enforcer, Virsa Role Expert, and the Virsa FireFighter application for SAP. These solutions require customers to deploy the software correctly and adjust it to fit the organization's own regulatory and industry-specific needs. The enterprise may have thousands of access rights-related rules and interdependencies across the enterprise application systems.
United States Patent Application 20070203881 to SAP describes an access control system that provides access control to at least one information resource associated with at least one application within a computer network. The system includes a plurality of context sources being relevant for at least one application and providing context information, a constraint specification console providing an interface to specify application specific constraints based on the context sources, a rule engine capable of handling facts and applying inference rules on those facts, an application specific constraint enforcement point configured for receiving access requests, hence querying facts and further being responsible for making access decisions regarding the information resource based on those facts and on application specific constraints and a rule engine adaptor acting as intermediary in communication of the rule engine with the context sources, the constraint specification console and the enforcement point, respectively, so as to allow access control to the at least one information resource based on specified application specific constraints with regard to context information originating from the context sources. However, these capabilities exist in new versions of the software, leaving older versions of the software without the capability to enforce real-time access control due to missing adapter framework/connectivity.