

'Conditions of Life' in Very Large Business Applications

Date of Publication: 30.03.2007

Introduction

The idea of individualization and opportunities for its realization are increasingly discussed. Being originally a topic of social sciences, individualization now catches on in business informatics and in interdisciplinary projects dealing with cognitive technical systems.

The need for individualization appears in different forms and is illustrated by the following use case, which is part of authorization management: a user has to access specific IT resources in order to accomplish a task in a business process, but the required privileges are not assigned to the role the user takes on.

In general, a role is either a formal (business role) or an informal (functional role) organizational item that represents the user's tasks, or a formal technical item (technical role) that corresponds to a user's access privileges.

Two problem areas can be identified within authorization management. On the one hand, there is no end-to-end process for accessing heterogeneous IT resources that is user-driven and technically supported; automatic provisioning of IT resources does exist, e.g., with GRC (Governance, Risk & Compliance) techniques, but only for SAP systems. On the other hand, it is almost impossible to spontaneously meet a user's needs for IT resources when he or she steps out of "his or her role". The idea of individualization is an enhancement of existing formal role concepts by the subjective information demand that results from a particular condition of life (or life situation) of a user. Conventional role concepts, which belong to personalization, grant access to the IT resources that are needed for the accomplishment of tasks, e.g., in a business process.

Figure 1 illustrates the difference between personalization and individualization as it is understood in this work.

Figure 1: Difference between personalization and individualization

Objective

The objective of this dissertation is to develop a concept for an automated synchronization of organizational and technical roles. Two subordinate objectives exist:

  1. Opportunities to automate the application for and the provisioning of IT resources, based on the idea of personalization (via conventional roles).
     -> static role transformation

  2. The opportunity to additionally allow extra-role behavior (via functional roles) for achieving individualization with context-awareness.
     -> dynamic role transformation

Procedure

The foundation for either subordinate objective is the definition of user context and the design of an appropriate UML model. The model represents the context of a user, i.e., the information demand of a user (more precisely, the demand for IT resources), and is complemented by a variety of authorization concepts. By showing the compliance between organizational and technical roles, it is validated that individualization on the IT level can be achieved by applying our definition of 'user context'.

According to the first subordinate objective, further authorization concepts are investigated on the basis of a sample system landscape that consists of the operating system, an ERP system, a content management system, a document management system, a wiki, etc. Finally, the application of domain-specific languages (DSL) for accessing IT resources (possibly) automatically is elaborated, in particular in the context of configuring existing IT systems. Regarding the SAP field, the Blue-Ruby project (SAP Research, Palo Alto and Shanghai) might be a starting point for designing a DSL in order to dynamically access technical roles or create new ones.

Figure 2 shows the procedure for achieving the first subordinate objective, 'Automation of application for and provisioning of IT resources', in the context of authorization.

Figure 2: Procedure for achieving the first subordinate objective

The starting point for the second subordinate objective is literature in the field of GRC and Identity Management, e.g., SAP NetWeaver IdM and the GRC Access Control Suite. Further investigations with respect to extra-role behavior include expert interviews and document analyses in the context of so-called pilot projects. The results shall give information about how many roles and authorization concepts have to be synchronized, to what degree extra-role behavior occurs, and how this is dealt with. The additional introduction of the user context approach shall reveal opportunities for its realization and its potential deltas. Finally, the approach is evaluated.

Authors:

Universität Magdeburg

Prof. Dr. Möslein
(Uni Nürnberg-Erlangen)

Prof. Dr. Schwabe
(Uni Zürich)

Dr. Orestis Terzidis
(SAP Research)

Heino Schrader
(SAP University Alliances)