Technology
With an extensive background in data management and business intelligence, Spatiq has developed a methodology and metaphors for data access management that are business oriented and system agnostic. Our unique technology represents a leap in the accessibility of data access management to the enterprise.
Architecture
Repository
At the heart of Spatiq’s architecture is the repository. The repository is a database schema that Spatiq uses to maintain all the data required for the access management process. At the end of the entitlement process, the repository holds a “map” that describes what each role and user has access to in the organization. Supported databases are Oracle, Microsoft SQL Server and DB2.

Contributor Interface Layer
Any application that contributes data or content to the entitlement definition is considered a contributor. The contributor interface layer abstracts the system's access to the contributors. The actual access to the contributors is performed by a number of contributor interfaces. The contributor interfaces are developed for each individual application. A contributor is typically one of the following:
ERP, CRM, HR system – These systems are probed for company structures as well as current access definitions. The structures are acquired by the Spatiq system in real time (with caching capabilities), which ensures that the structures reflected by the product are the current corporate structures.
MDMs, data warehouse – Company structure as well as user information can be acquired from an MDM or a data warehouse.
Directories – Users and groups can be acquired from a directory.

Dependents Interface Layer
The dependents are the target applications for the entitlements. We broadly divide the dependents into three groups
The rule engine
Spatiq’s rule engine uses the “DROOLS” rule engine (an open source rule engine) to provide rule and governance options. The rules are maintained in the repository. The rule engine has two main functions.

Entitlement Generation
The entitlement generation rules are processed periodically and generate the entitlement map for users based on a given set of rules. The entitlement generated by the rule engine can then be overridden by an administrator. An example of such a rule: all the salesmen in the EMEA area cannot access any US data.

Compliance Check
The compliance check rules run over the generated access maps and make sure they comply with the company's rules and regulations. These rules either generate a warning or notification, or they can prevent saving the entitlement altogether. A sample rule: every sales region can have one and only one user defined as a manager. Trying to define a user as a manager for that sales region will trigger the exception.

Workflow engine
The workflow engine allows the organization to define internal workflows for approving entitlements. The entitlement requests can be generated by business administrators and sent for approval to other administrators higher in the organization. Alternatively, there may be a scenario in which the requester is the user (a self-service scenario) and the approver is an administrator. The workflow engine supports workflows with multiple steps as well as rule-based workflows.
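
An added illustration in Python of the rule engine's two functions, using the two sample rules from the text; it is not Spatiq's code and does not use Drools. The data model, the function names, the sample users and the choice to report an administrator override as a warning rather than a block are assumptions.

```python
from collections import defaultdict

class ComplianceError(Exception):
    """A blocking compliance rule rejected the entitlement map."""

def generate_entitlements(users, datasets):
    """Entitlement generation: derive the user -> datasets map from rules."""
    emap = {}
    for user, attrs in users.items():
        allowed = set(datasets)
        # Sample rule from the text: EMEA salesmen cannot access any US data.
        if attrs["job"] == "salesman" and attrs["area"] == "EMEA":
            allowed = {d for d in allowed if datasets[d] != "US"}
        emap[user] = allowed
    return emap

def compliance_findings(emap, users, datasets, managers, regions):
    """Compliance check over the map; returns (severity, message) pairs."""
    findings = []
    per_region = defaultdict(list)
    for region, user in managers:
        per_region[region].append(user)
    # Sample rule from the text: one and only one manager per sales region.
    for region in regions:
        if len(per_region[region]) != 1:
            names = sorted(per_region[region])
            findings.append(("block", f"{region}: managers={names}, need exactly 1"))
    # Re-check the generation rule, since an administrator may override the map.
    for user, allowed in sorted(emap.items()):
        attrs = users[user]
        if attrs["job"] == "salesman" and attrs["area"] == "EMEA":
            for d in sorted(d for d in allowed if datasets[d] == "US"):
                findings.append(("warn", f"{user}: override grants US dataset {d}"))
    return findings

def save_entitlements(emap, findings, repository):
    """Persist the map unless a blocking finding exists; return the warnings."""
    blocking = [msg for severity, msg in findings if severity == "block"]
    if blocking:
        raise ComplianceError("; ".join(blocking))
    repository.update(emap)
    return [msg for severity, msg in findings if severity == "warn"]

# Constructed sample data, not taken from any Spatiq deployment.
USERS = {"alice": {"job": "salesman", "area": "EMEA"},
         "bob": {"job": "salesman", "area": "US"}}
DATASETS = {"emea_sales": "EMEA", "us_sales": "US"}
```

Running the compliance check again at save time matters because the generated map can be changed by hand afterwards; a map that was compliant when generated may not be compliant when stored.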