Implementing Application-Based Permissions and Centralized Authorization in Zero Trust (Activity 1.2.1)
Zero Trust Activity 1.2.1, “Implement Application-Based Permissions per Enterprise,” marks a big step in shifting from broad network-based access to fine-grained, identity-centric authorization. This activity focuses on standardizing how user attributes are used to control access to specific application functions and data across the entire enterprise. It emphasizes integrating this process with identity lifecycle management, empowering application owners with self-service capabilities for attribute management, and consolidating privileged access activities within a dedicated PAM solution.
Achieving the outcomes of this activity requires a coordinated effort involving people, processes, and technology:
Solutions for Achieving Activity 1.2.1 “Implement App-Based Permissions per Enterprise”:
Establishing Enterprise Roles and Attributes for Authorization (as Policy):
- Define a Standard Attribute Taxonomy – The enterprise must define a standardized set of user attributes and roles relevant to authorization across various applications. This goes beyond basic identity information to include attributes reflecting job functions, departments, security clearances, projects, and other context-specific data points.
- Identify Authoritative Sources – Determine the authoritative source for each attribute (e.g., HR system for department and job function, training system for certifications).
- Implement Attribute Directory Services – Utilize a central identity store or directory service (often part of the ICAM solution) to consolidate and manage these enterprise attributes. This could involve synchronizing data from authoritative sources.
- Attribute-Based Access Control (ABAC) Principles – Design access policies based on combinations of these attributes rather than static roles, allowing for more dynamic and granular access decisions.
Integration with Enterprise Identity Lifecycle Management (ICAM):
- Automated Provisioning and Deprovisioning – Ensure that the enterprise ICAM solution automates the creation, updating, and deletion of user accounts and their associated attributes as users join, move within, or leave the organization. This ensures that authorization attributes are always current.
- Workflow Integration – Integrate attribute updates into identity lifecycle workflows (joiner, mover, leaver) to automatically adjust user permissions based on changes in their roles or status.
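The two sections above describe attributes drawn from authoritative sources, policies written over those attributes rather than static roles, and lifecycle events that keep the attributes current. The following Python block is an added example, not code from the original article or from any ICAM product: it builds a small attribute directory that only accepts each attribute from its authoritative source, evaluates ABAC policies over it, and runs joiner, mover and leaver events to show that permissions follow the attribute changes. The taxonomy, source names, policies and user records are constructed assumptions.

```python
"""Added example: authoritative-source attribute directory, ABAC evaluation,
and joiner/mover/leaver events (all names and policies are assumptions)."""
from dataclasses import dataclass, field
from typing import Callable

# Enterprise attribute taxonomy: each attribute names its authoritative source.
# Constructed for this example; a real enterprise maintains this in its ICAM directory.
TAXONOMY = {
    "department": "hr",
    "job_function": "hr",
    "clearance": "security_office",
    "certifications": "training",
}


@dataclass
class AttributeDirectory:
    """Central attribute store that accepts an attribute only from its authoritative source."""
    users: dict = field(default_factory=dict)

    def sync(self, source: str, user: str, attrs: dict) -> None:
        for name, value in attrs.items():
            if TAXONOMY.get(name) != source:
                raise ValueError(f"{source} is not authoritative for {name}")
            self.users.setdefault(user, {})[name] = value

    def deactivate(self, user: str) -> None:
        # Leaver: removing the record removes every derived permission at once.
        self.users.pop(user, None)


# A policy is a predicate over the user's attributes (ABAC), not a static role lookup.
Policy = Callable[[dict], bool]

POLICIES: dict[str, Policy] = {
    "payroll:read": lambda a: a.get("department") == "finance",
    "payroll:approve": lambda a: a.get("department") == "finance"
    and a.get("job_function") == "manager",
    "vault:export": lambda a: a.get("clearance") == "secret"
    and "export_control" in a.get("certifications", ()),
}


def authorize(directory: AttributeDirectory, user: str, permission: str) -> bool:
    attrs = directory.users.get(user)
    if attrs is None:  # unknown or deprovisioned users are denied by default
        return False
    policy = POLICIES.get(permission)
    return bool(policy and policy(attrs))


def permissions_for(directory: AttributeDirectory, user: str) -> set:
    return {p for p in POLICIES if authorize(directory, user, p)}


# Lifecycle workflow: every event re-syncs from the authoritative source,
# so access decisions change with the person's status rather than a hand-edited ACL.
def joiner(directory, user, hr_record, clearance, certifications):
    directory.sync("hr", user, hr_record)
    directory.sync("security_office", user, {"clearance": clearance})
    directory.sync("training", user, {"certifications": certifications})


def mover(directory, user, hr_record):
    directory.sync("hr", user, hr_record)


def leaver(directory, user):
    directory.deactivate(user)


def lifecycle_demo():
    """Walk one constructed user through join, promotion, transfer and departure."""
    d = AttributeDirectory()
    joiner(d, "alice", {"department": "finance", "job_function": "analyst"},
           "secret", ["export_control"])
    on_join = permissions_for(d, "alice")
    mover(d, "alice", {"department": "finance", "job_function": "manager"})
    promoted = permissions_for(d, "alice")
    mover(d, "alice", {"department": "engineering", "job_function": "manager"})
    transferred = permissions_for(d, "alice")
    leaver(d, "alice")
    departed = permissions_for(d, "alice")
    return on_join, promoted, transferred, departed


if __name__ == "__main__":
    for stage, perms in zip(("join", "promote", "transfer", "leave"), lifecycle_demo()):
        print(f"{stage:9s} -> {sorted(perms)}")
```

The point worth noticing is that no policy is edited during the demo: the promotion grants `payroll:approve`, the transfer out of finance removes both payroll permissions while the clearance-based export right survives, and the leaver event removes everything. The `sync` check also rejects an attribute pushed from a system that is not authoritative for it, which is the control that keeps the taxonomy trustworthy.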
Enabling Self-Service Attribute/Role Registration for Application Owners:
- Delegate Administration Interfaces – Provide application owners with secure, easy-to-use interfaces or portals within the enterprise ICAM solution. These interfaces should allow them to:
  - View and register the specific attributes or roles their applications require for authorization.
  - Map application-specific permissions to standardized enterprise attributes or roles.
  - Request the addition of new enterprise attributes if existing ones don’t meet their application’s needs, subject to a governance process.
- Attribute Governance Workflow – Establish a clear workflow for reviewing and approving requests for new enterprise attributes to maintain the integrity and consistency of the attribute taxonomy.
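To show how delegated registration and the governance workflow fit together, here is an added Python example (not code from the original article or from any ICAM product). An application owner maps application permissions to enterprise attributes; mappings that use only taxonomy attributes take effect immediately, while any attribute outside the taxonomy is held as a governance request and the mapping stays inactive (deny by default) until an approver accepts it. The taxonomy, application, owner and approver names are constructed assumptions.

```python
"""Added example: self-service attribute registration with a governance gate
for attributes outside the enterprise taxonomy (names are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class AttributeRegistry:
    taxonomy: set                                   # approved enterprise attributes
    approvers: set                                  # identities allowed to extend the taxonomy
    pending: dict = field(default_factory=dict)     # attr -> {(app, perm), ...} awaiting approval
    deferred: dict = field(default_factory=dict)    # (app, perm) -> required attrs, not yet active
    app_mappings: dict = field(default_factory=dict)  # app -> {perm: {attr: value}}

    def register(self, app: str, owner: str, mapping: dict) -> dict:
        """Application owner registers permission -> required-attribute mappings.

        Returns what became active and which attributes need governance approval.
        """
        accepted, needs_approval = {}, set()
        for perm, required in mapping.items():
            unknown = [a for a in required if a not in self.taxonomy]
            if unknown:
                # Hold the whole mapping until every unknown attribute is approved.
                self.deferred[(app, perm)] = dict(required)
                for a in unknown:
                    self.pending.setdefault(a, set()).add((app, perm))
                needs_approval.update(unknown)
            else:
                accepted[perm] = dict(required)
        self.app_mappings.setdefault(app, {}).update(accepted)
        return {"owner": owner, "accepted": accepted,
                "needs_approval": sorted(needs_approval)}

    def approve(self, attr: str, approver: str) -> None:
        """Governance step: only an approver may extend the taxonomy."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} may not approve taxonomy changes")
        if attr not in self.pending:
            raise KeyError(f"no pending request for {attr}")
        del self.pending[attr]
        self.taxonomy.add(attr)
        # Activate every deferred mapping whose attributes are now all approved.
        for (app, perm), required in list(self.deferred.items()):
            if set(required) <= self.taxonomy:
                self.app_mappings.setdefault(app, {})[perm] = required
                del self.deferred[(app, perm)]

    def check(self, app: str, perm: str, user_attrs: dict) -> bool:
        """Authorization check: inactive or unregistered mappings deny by default."""
        required = self.app_mappings.get(app, {}).get(perm)
        if required is None:
            return False
        return all(user_attrs.get(k) == v for k, v in required.items())


def registration_demo():
    reg = AttributeRegistry(taxonomy={"department", "job_function"},
                            approvers={"iam-governance"})
    report = reg.register("expense-app", "bob", {
        "expense:submit": {"department": "finance"},
        # 'cost_center_auditor' is outside the taxonomy -> held for approval
        "expense:audit": {"department": "finance", "cost_center_auditor": True},
    })
    auditor = {"department": "finance", "cost_center_auditor": True}
    before = reg.check("expense-app", "expense:audit", auditor)
    reg.approve("cost_center_auditor", "iam-governance")
    after = reg.check("expense-app", "expense:audit", auditor)
    return report, before, after


if __name__ == "__main__":
    report, before, after = registration_demo()
    print(report)
    print("audit before approval:", before, "| after approval:", after)
```

Two design choices carry the governance intent: an application owner can never add an attribute to the taxonomy directly, only request it, and a mapping that references an unapproved attribute is not partially enforced but simply inactive, so the application never grants access on an attribute the enterprise has not agreed to define.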
Migrating Remaining Privileged Activities to a PAM Solution:
- Discover Unmanaged Privileged Accounts – As discussed in the previous activity, identify all privileged accounts not yet under PAM control (local accounts, service accounts, application-specific privileged users).
- Onboard Accounts into PAM – Bring discovered privileged accounts under the management of the enterprise PAM solution for secure storage, access control, and monitoring.
- Implement Just-In-Time (JIT) and Just-Enough-Administration (JEA) – Configure the PAM solution to enforce JIT access and JEA for privileged activities, minimizing the time privileged accounts are active and limiting their permissions to only what is needed for a specific task.
- Session Monitoring and Auditing – Ensure the PAM solution monitors and records privileged sessions for auditing and forensic analysis.
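The JIT, JEA and session-auditing requirements above can be illustrated with a small broker. The following Python block is an added example, not code from the original article or from any PAM product: a privileged account is checked out only for a named task, for a bounded time with a hard ceiling, each task exposes an allow-list of commands rather than full administrative rights, and every grant, execution and denial is written to an audit trail. The task names, command lists and time limits are constructed assumptions, and the broker records commands rather than executing them.

```python
"""Added example: a just-in-time / just-enough-administration broker with an
audit trail (task scopes, accounts and timings are assumptions)."""
import time
from dataclasses import dataclass

# JEA: each task exposes only the commands it needs, never a general shell.
TASK_SCOPES = {
    "restart-web": {"systemctl restart nginx", "systemctl status nginx"},
    "rotate-logs": {"logrotate -f /etc/logrotate.conf"},
}
MAX_TTL_SECONDS = 900  # hard ceiling on any elevation window


@dataclass
class Grant:
    account: str
    task: str
    expires_at: float


class PamBroker:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.grants = {}            # requester -> active Grant
        self.audit = []             # append-only session record

    def request(self, requester: str, account: str, task: str, ttl_seconds: int) -> Grant:
        """JIT: elevate for one task, for a bounded time."""
        if task not in TASK_SCOPES:
            raise ValueError(f"unknown task {task}")
        ttl = min(ttl_seconds, MAX_TTL_SECONDS)
        grant = Grant(account, task, self.clock() + ttl)
        self.grants[requester] = grant
        self.audit.append(("grant", requester, account, task, ttl))
        return grant

    def run(self, requester: str, command: str) -> bool:
        """Mediate one command against the active grant; records, does not execute."""
        grant = self.grants.get(requester)
        if grant is None or self.clock() >= grant.expires_at:
            self.grants.pop(requester, None)  # expired grants are revoked on first use
            self.audit.append(("deny", requester, command, "no active grant"))
            return False
        if command not in TASK_SCOPES[grant.task]:
            self.audit.append(("deny", requester, command, "outside task scope"))
            return False
        self.audit.append(("exec", requester, grant.account, command))
        return True


def jit_demo():
    """Constructed session: one in-scope command, one out-of-scope, one after expiry."""
    now = [1000.0]
    broker = PamBroker(clock=lambda: now[0])
    broker.request("alice", "root@web01", "restart-web", ttl_seconds=600)
    in_scope = broker.run("alice", "systemctl restart nginx")
    out_of_scope = broker.run("alice", "systemctl restart sshd")
    now[0] += 601  # advance past the grant's expiry
    expired = broker.run("alice", "systemctl status nginx")
    return in_scope, out_of_scope, expired, [entry[0] for entry in broker.audit]


if __name__ == "__main__":
    in_scope, out_of_scope, expired, trail = jit_demo()
    print("in scope:", in_scope, "| out of scope:", out_of_scope, "| after expiry:", expired)
    print("audit trail:", trail)
```

The audit list is the artefact a forensic reviewer would want: it shows not only what ran under the privileged account but also which requests were refused and why, and the `MAX_TTL_SECONDS` ceiling prevents a requester from turning a just-in-time grant into a standing one by asking for a very long window.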
FRC Recommends Okta

Okta, as a leading Identity Provider, is a critical component in achieving Activity 1.2.1, particularly concerning centralized identity management and attribute handling. With its dedicated Privileged Access offering, it also directly addresses the PAM migration requirement. However, its capabilities around self-service attribute registration for application owners require careful consideration and potential augmentation.
- Centralized Identity and Attribute Management – Okta serves as a central repository for user identities and a wide range of attributes through its Universal Directory. It can synchronize attributes from various sources (like HR systems or Active Directory) and supports custom attributes. This directly supports the establishment and management of enterprise roles and attributes.
- Attribute-Based Access Control (ABAC) Capabilities – Okta’s policy framework and Expression Language allow for the creation of granular access policies based on user attributes, group memberships, device context, and other factors. This enables the implementation of attribute-based authorization for applications integrated with Okta.
- Identity Lifecycle Management – Okta provides robust Inbound and Outbound Provisioning capabilities, automating the creation, updating, and deactivation of user accounts and their attributes in connected applications based on changes in authoritative sources. This aligns with the need to integrate with enterprise identity lifecycle processes.
- Privileged Access Management (PAM) Capabilities – Okta’s dedicated Okta Privileged Access product directly addresses the requirement to migrate privileged activities to a PAM solution. It offers features for discovering and managing privileged accounts (including local server accounts), enforcing JIT/JEA, securing credentials, and monitoring sessions. This allows organizations to consolidate their PAM efforts within the Okta ecosystem.
- Self-Service Attribute/Role Registration for Application Owners – Administrators can delegate the process to business application owners by specifying a workflow composed of users or groups who can approve and grant access to requested app integrations.
Pillar: User
Capability: 1.2 Conditional User Access
Activity: 1.2.1 Implement Application-Based Permissions Per Enterprise
Phase: Target Level
Predecessor(s): None
Successor(s): None