Oracle Access Governance with Cloud and On-Premises Environments

Ricardo Gutierrez
8 min read · Jul 17, 2023


A general overview with examples, July 2023

Overview

The larger an organization becomes, the higher the chances of losing visibility into its users’ access and privileges with applications, systems, and cloud resources. Furthermore, with hybrid cloud environments becoming a common denominator, spreading disparate systems across the company is inevitable.

Imagine enforcing access privileges in such scenarios or getting insight into who can access a particular application or resource. These are just basic examples of what a security administrator, a manager, or an auditor would ask.

Access Governance, also known as Identity Governance or Identity Governance and Administration (IGA), enables customers to manage user identities and access across the enterprise. It uses policies, tools, and services to tackle unnecessary permissions and enforce appropriate access to resources, and in today’s world, these must include cloud and on-premises environments.

Implementing Access Governance in organizations without proper governance tools could be daunting, so using the right tool is critical to gain substantial benefits. Some of the more relevant features to look for should include:

  • A governance and monitoring model that continuously supervises access entitlements across multiple cloud tenancies, applications, and disparate systems.
  • Detection and response management capabilities that reduce potential attack vectors by identifying and removing unnecessary privileges.
  • Enforcement of the principle of least privilege, granting users only the access they need to perform their job functions.
  • Help in maintaining compliance with regulatory requirements.

Figure 1. Modern Access Governance

Consider the above features augmented with modern analytics assisted by machine learning, powered by an identity data orchestration engine and access control model, which is what Oracle Access Governance (OAG) encompasses, resulting in enhanced capabilities like:

  • Periodic gathering of access privileges and identity data from cloud and on-premises environments, correlating the data to a unique global identity.
  • Evaluation of the data to discover resources and entitlements across multiple environments, giving customers fast and accurate insights.
  • Access reviews that focus on identity and access control policies to help manage access privileges through intelligent insights-driven analytics.
  • Generation of recommendations that guide reviewers to accept automated remediations or to manually review and approve or revoke entitlements.
  • Codeless, machine learning (ML)-aided workflows to enforce approvals and alignment with regulatory compliance.
  • An access control model supporting different authorization methods, including attribute-based access control (ABAC), role-based access control (RBAC), and policy-based access control (PBAC).

Figure 2. Oracle Access Governance

Governance with Cloud Environments

OAG is designed to integrate with several cloud service providers. To understand this better, let’s review its integration with Oracle Cloud Infrastructure (OCI) which includes support for multiple OCI tenancies, regions, and IAM domains.

OCI Policies control access to tenancies and cloud resources, where access is granted at the group and compartment levels. E.g., you can write a policy that gives a group a specific type of access within a particular compartment. Each policy is made up of statements that specify the grantee, the type of access (verb), the resource, and the compartment or tenancy.

E.g., consider the following policy statement:

Allow group Group_ITProjectManager to use buckets in compartment InformationTechnology

When an OCI tenancy is integrated with OAG, an initial full data load gathers all tenancy information: policies, IAM domain objects (users, groups), and existing cloud resources, including SaaS applications like Oracle Analytics Cloud, Oracle Content Management, etc. OAG keeps this information updated through periodic data loads.

One crucial aspect to understand in this integration is that OAG evaluates effective permissions based on existing resources only. Taking the previous policy statement as an example, OAG will consider the use permission for group Group_ITProjectManager only if actual storage buckets exist in compartment InformationTechnology. Otherwise, OAG will ignore the permission, the group, and its members.

This is essential because the OAG and OCI integration builds on this base understanding.

Another essential aspect of the orchestration hub, which supports integration with multiple systems, cloud service providers, and applications, is the correlation of identities' access privileges across all resources, which materializes as a unique global identity in OAG.

Imagine a simple scenario where OAG is integrated with two OCI tenancies holding common user names. On data loads, OAG consolidates similar users from these tenancies and correlates access privileges under a unique OAG user profile or global identity.

This has two consequences to be aware of: first, your billing counter for active users won't increase if OAG determines that users from two or more systems are the same; second, access permissions on cloud resources will be listed by tenancy under the user's global identity.

The following schematic describes our scenario.

Figure 3. Multi-tenancy Enterprise-wide Access

Overall, OAG integration with multiple OCI tenancies provides cross-cloud access correlation of identities’ access privileges.
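The two rules described above, effective permissions counting only where resources actually exist and same-named users consolidating into one global identity, as an added worked example (not OAG's code or API). It assumes a simplified `Allow group ... to <verb> <resource> in compartment ...` statement form and constructed tenancy data.

```python
import re
from collections import defaultdict

POLICY_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$")

def parse_policy(statement):
    """Split one 'Allow group ... in compartment ...' statement into its parts."""
    m = POLICY_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()

def effective_permissions(tenancy):
    """{user: {(verb, resource, compartment)}}: a statement counts only when a
    resource of that type exists in the compartment, as OAG evaluates it."""
    existing = {(r["type"], r["compartment"]) for r in tenancy["resources"]}
    perms = defaultdict(set)
    for statement in tenancy["policies"]:
        p = parse_policy(statement)
        if (p["resource"], p["compartment"]) not in existing:
            continue  # no such resources: permission, group and members ignored
        for user in tenancy["groups"].get(p["group"], []):
            perms[user].add((p["verb"], p["resource"], p["compartment"]))
    return perms

def correlate(tenancies):
    """Merge same-named users into one global identity, permissions listed by tenancy."""
    global_ids = defaultdict(dict)
    for name, tenancy in tenancies.items():
        for user, perms in effective_permissions(tenancy).items():
            global_ids[user][name] = sorted(perms)
    return dict(global_ids)

# Constructed sample: two tenancies sharing the user name "jdoe".
TENANCIES = {
    "tenancy-a": {
        "policies": [
            "Allow group Group_ITProjectManager to use buckets in compartment InformationTechnology",
            "Allow group Group_ITProjectManager to manage instances in compartment Sandbox",
        ],
        "groups": {"Group_ITProjectManager": ["jdoe", "asmith"]},
        "resources": [{"type": "buckets", "compartment": "InformationTechnology"}],
    },
    "tenancy-b": {
        "policies": ["Allow group Analysts to read buckets in compartment Finance"],
        "groups": {"Analysts": ["jdoe"]},
        "resources": [{"type": "buckets", "compartment": "Finance"}],
    },
}
```

Running `correlate(TENANCIES)` yields two global identities (not three), with the Sandbox `manage instances` statement dropped because no instances exist there.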

Governance with On-Premises Environments

OAG can integrate with applications and Identity Management systems deployed in the cloud or on-premises through its identity orchestration hub. Depending on the system or application type, integration can be established through agents or agentless connections.

For instance, the integration with Oracle Identity Governance (OIG) is done through a wizard-based interface that automatically generates a preconfigured, containerized agent. Once the agent is deployed, preferably in the same subnet where the OIG system is running, a secure connection with OAG is established, starting a validation and a full data load.

Taking our previous scenario as an example, let's assume that in addition to OCI resources and SaaS applications, OAG is integrated with Oracle Identity Governance, which has Oracle Unified Directory (LDAP) and Oracle Database as target applications. At the identity level, OAG consolidates permissions under three groups or categories: Application, Cloud resources, and Roles, with each category listing the corresponding access permissions or privileges.

Figure 4. 360-Degree View in Who has Access to What

The previous schematic shows the 360-degree view that OAG offers via the Who Has Access to What feature, giving customers visibility into organizational resources, the identities that can access those resources, and the assigned permissions.

Although this section describes how OAG reconciles access privileges through integration with OIG and its target applications, OAG can also connect directly with applications or systems to perform reconciliation and access provisioning, the latter through a powerful access control model, reviewed in the next section.

Manage Identity Access across the Enterprise

Understanding how OAG manages identities and access controls requires familiarization with its access control model. Let’s review some of its inherent terms like identity collections, access bundles, roles, policies, and approval workflows.

An Identity Collection is a way to group users by their attributes. E.g., users with the same Job Code and Location.

An Access Bundle is the basic unit for representing access in OAG. It contains one or more permissions derived from a single application. Access Bundles can be used to build more elaborate access controls like roles and policies.

A Role is defined by selecting one or more Access Bundles, which allows permissions from multiple applications to be combined.

A Policy is defined by associating one or more Identity Collections with Access Bundles or Roles. Automation is built-in with policies, e.g., imagine a user being transferred from Finance to the Marketing department and consequently having access privileges adjusted automatically.

Codeless Approval Workflows can be used to define approvals for access requests in sequence or parallel, along with escalations and notifications.

From the previous descriptions, we can infer that using Identity Collections is akin to ABAC when it is leveraged by roles and policies to provision access. Similarly, using Roles and Policies to manage access control is analogous to RBAC and PBAC.

Figure 5. OAG Access Control Model
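The model just described (Identity Collections selecting users by attribute, Access Bundles per application, Roles combining bundles, and Policies tying collections to bundles or roles), as an added toy implementation that is not OAG's own code or API. It works through the Finance-to-Marketing transfer mentioned above; all application, bundle and permission names are constructed.

```python
def bundle(name, app, *perms):
    """Access Bundle: one or more permissions from a single application."""
    return {"name": name, "app": app, "perms": frozenset(perms)}

def role(name, *bundles):
    """Role: one or more Access Bundles, possibly spanning applications."""
    return {"name": name, "bundles": bundles}

def collection(name, **match):
    """Identity Collection: users selected by attribute values (ABAC-style)."""
    return {"name": name, "match": match}

def in_collection(user, coll):
    return all(user.get(k) == v for k, v in coll["match"].items())

def entitlements(user, policies):
    """Evaluate policies (collection -> bundles/roles) against the user's
    current attributes; returns {application: {permission}}."""
    out = {}
    for coll, grants in policies:
        if not in_collection(user, coll):
            continue
        for g in grants:
            for b in g.get("bundles", (g,)):  # a role expands to its bundles
                out.setdefault(b["app"], set()).update(b["perms"])
    return out

def transfer(user, new_department, policies):
    """Re-evaluate after a department change and report what the policies
    would revoke and grant automatically. Returns (revoked, granted)."""
    before = entitlements(user, policies)
    after = entitlements({**user, "department": new_department}, policies)
    apps = set(before) | set(after)
    revoked = {a: before.get(a, set()) - after.get(a, set()) for a in apps}
    granted = {a: after.get(a, set()) - before.get(a, set()) for a in apps}
    return ({a: p for a, p in revoked.items() if p},
            {a: p for a, p in granted.items() if p})

# Constructed sample model; application and permission names are invented.
GL_READ = bundle("GL Read", "Oracle Database", "SELECT gl.*")
GL_POST = bundle("GL Post", "Oracle Database", "EXECUTE gl.post")
CAMPAIGN = bundle("Campaign Edit", "Marketing App", "campaign.edit")
DIR_USER = bundle("Directory User", "Oracle Unified Directory", "read ou=people")
FINANCE_ANALYST = role("Finance Analyst", GL_READ, GL_POST)
POLICIES = (
    (collection("All employees", status="active"), (DIR_USER,)),
    (collection("Finance staff", department="Finance"), (FINANCE_ANALYST,)),
    (collection("Marketing staff", department="Marketing"), (CAMPAIGN,)),
)
```

Moving a Finance user to Marketing revokes both database permissions from the Finance Analyst role, grants the campaign permission, and leaves the directory access from the "All employees" collection untouched.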

Along with its access control model, OAG provides a self-service interface where users can participate in approvals, submit and monitor access requests to others or themselves, and view their accounts and privileges across the enterprise.

Assisted Reviews with Machine Learning

As highlighted at the beginning of this article, access governance must rely on a monitoring model to continuously supervise access entitlements across multiple cloud tenancies, enterprise applications, and disparate systems.

Certification campaigns are available through the Access Reviews feature in OAG, offering detection and response management to reduce potential attack vectors. E.g., managers can run access certification campaigns to review user access privileges across cloud resources and enterprise applications and remediate high-risk access accordingly.

Access reviews can be done through identity and access control tasks, the first focusing on permissions, roles, and accounts while the latter on access policies. Intelligent insights-driven analytics offer ways to analyze permissions and policies with suggested recommendations in both cases.

An example of insights-driven analytics is the recommendation for review depicted in Figure 6, where David Walker's permissions align with only one (1) of his seven (7) peers reporting to the same manager.

Figure 6. Intelligent Insights-Driven Analytics
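The peer-alignment check behind that recommendation, as an added example (not OAG's analytics code): for each permission a user holds, count how many peers under the same manager also hold it and flag the outliers. The people, manager and permission names are constructed to reproduce the "1 of 7 peers" case.

```python
from collections import Counter

def peer_alignment(user, users):
    """Count, for each permission the user holds, how many peers (same manager)
    also hold it. Returns (peer_count, {permission: aligned_peers})."""
    peers = [u for u in users
             if u["name"] != user["name"] and u["manager"] == user["manager"]]
    held = Counter(p for u in peers for p in u["permissions"])
    return len(peers), {p: held.get(p, 0) for p in user["permissions"]}

def review_recommendations(users, threshold=0.5):
    """Recommend review of permissions aligned with fewer than `threshold`
    of a user's peers. Returns [(user, permission, aligned_peers, peer_count)]."""
    flagged = []
    for user in users:
        n, alignment = peer_alignment(user, users)
        if n == 0:
            continue  # no peers: nothing to compare against
        for perm, aligned in sorted(alignment.items()):
            if aligned / n < threshold:
                flagged.append((user["name"], perm, aligned, n))
    return flagged

# Constructed sample: eight reports under one manager; "db.admin" is held by
# David Walker and only one of his seven peers, everyone holds "crm.read".
PEOPLE = [{"name": "David Walker", "manager": "M1",
           "permissions": {"crm.read", "db.admin"}}]
PEOPLE += [{"name": f"peer{i}", "manager": "M1", "permissions": {"crm.read"}}
           for i in range(1, 8)]
PEOPLE[3]["permissions"] = {"crm.read", "db.admin"}
```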

OAG also provides Event-Based Access Reviews, which are triggered when one or more predefined event types occur. E.g., consider an event like a Job Code or Location change; the event-based access review feature helps reviewers check, certify, or remediate the impacted user's application roles, permissions, or entitlements.

Across the board, OAG can help enforce the principle of least privilege, granting users only the access they need to perform their job functions while helping meet governance and compliance requirements in the organization.

Conclusion

Customers have an excellent opportunity to regain control of governance across the enterprise with Oracle Access Governance which is determined to become a leading cloud-native IGA solution in the market.

Learn more about OAG at the following link: Oracle Access Governance Documentation

About the Author

Ricardo Gutierrez is a Cyber Intelligence Lead at Oracle with over 15 years of experience in Identity and Access Management and Cloud Security. Ricardo does research and software development using new technologies in his spare time. He is the creator of the E-Business Suite Asserter (EBS Asserter), a component for SSO bundle with Oracle Identity Cloud Service, and the Dynamic Authenticator, an MFA solution for Oracle databases.
