We are keeping things random here on the Blog (by design) but we knew at some point this would become a great place to answer some oft-asked questions from our users and even people seeing Visual KPI for the first time.
Today we’ll start off with an easy one: “What do we mean when we mention the Security Inheritance Model?”
In simple terms, it means that Visual KPI conforms to our customers’ security model and requirements without any work on their (or our) part. It just “inherits” the requirements from the host environment at the customer site.
Simple, right? Yes, but we know you want details.
The design team at Transpara makes all kinds of design choices when building and updating the product. Some are feature-oriented, some are focused on usability, and some are there specifically to make the lives of your IT staff easier! OK, in the interest of full disclosure, everything we do to make things easier also makes things easier on us (easier to deploy, easier to maintain and support, etc.). Add this all up and you will see why security inheritance benefits everyone involved.
Here are some basic facts about almost every customer environment:
- They each have their own security requirements
- None of them look the same, and some of them are incredibly sophisticated (even crazy at times)
- They, and only they, really understand who should have access to what applications or data
- This information is usually kept in a directory and most often it is Active Directory
Here’s your worst-case scenario: Often, enterprise-class software applications require you to create and maintain a dedicated “user database” of the people who will have access to the software and which features they are allowed to use. Let’s say you have a CRM system from Vendor A. It needs a list of users and their access rights so the CRM system knows which users can access which pages and functions in the system. Next, you buy an HR system from Vendor B and again you have to create and manage the list of users and their associated permissions for the HR system. This pattern gets old, and it very quickly fails to scale.
Now that we know the facts along with what we don’t want to do, Security Inheritance becomes a system that is quite easy to describe.
1. Visual KPI is an enterprise-class software application and of course needs to know who in your organization is allowed to create, modify, delete and view the various KPIs, scorecards and trends (among other things). This is critical, because so is the data we deliver.
2. By designing Visual KPI as a web server-based application, and specifically using Internet Information Server (IIS) as the platform, we get to leverage the existing authentication and rights-assignment subsystem within the platform, including the directory and all related security policies.
3. Want the tech-heavy version of #2? Here you go (consider yourself warned): Visual KPI is an in-memory IIS application whose component parts all run as part of a virtual directory structure in IIS. One of the many benefits of IIS is that each virtual directory has a set of “permissions” which govern which users may see or execute the functions contained in and managed by that virtual directory. Since each of our feature sets (website, Excel Editor, interfaces) has its own virtual directory, we have complete flexibility and access to the power of Active Directory as our NATIVE user authentication and rights-assignment engine!
Summary: No one gets access to our system until the customer’s existing environment says it’s OK.
Only then do we allow editing and delivering of KPIs, trends, scorecards, etc. to mobile devices, laptops and desktops.
Because of this design, Visual KPI requires NO additional user database and NO additional rights assignment functionality beyond that which is built into the Windows Server operating system. Our users already have a well-defined collection of Active Directory Users & Groups, and we simply “assign” one or more of each to the virtual directories which govern each of our components. It is an elegant and IT-friendly way to leverage all the work a company has put into defining their AD Forest and reduces the added complexity of locking down visibility and editing to near zero.
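One way an administrator could verify that this inheritance actually holds on a given server is sketched below as an added example; it is not Transpara's code. It assumes the "permissions" described above are IIS Windows authentication plus the NTFS ACL on each directory's content folder, and that the components live under a site named `Default Web Site` (a placeholder).

```powershell
# Added example (not vendor code): audit how each IIS application or virtual
# directory under one site authenticates users and who its folder ACL admits.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: the site hosting the application
$authBase = 'system.webServer/security/authentication'
# Identities that admit far more than a named AD group; flagged for review.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users',
         'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\IUSR', 'BUILTIN\Users'

function Get-AuthEnabled {
    param([string]$PSPath, [string]$Scheme)
    # Effective (merged) setting for this node, e.g. anonymousAuthentication.
    (Get-WebConfigurationProperty -PSPath $PSPath `
        -Filter "$authBase/$Scheme" -Name enabled).Value
}

$nodes = Get-ChildItem "IIS:\Sites\$siteName" |
    Where-Object { $_.NodeType -in 'application', 'virtualDirectory' }

$report = foreach ($node in $nodes) {
    $psPath = "IIS:\Sites\$siteName\$($node.Name)"
    $folder = [Environment]::ExpandEnvironmentVariables($node.PhysicalPath)

    # Allow entries on the content folder: the users and groups "assigned" to it.
    $allowed = (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $anonymous = Get-AuthEnabled -PSPath $psPath -Scheme 'anonymousAuthentication'
    $windows   = Get-AuthEnabled -PSPath $psPath -Scheme 'windowsAuthentication'

    [pscustomobject]@{
        Node              = $node.Name
        AnonymousEnabled  = $anonymous
        WindowsEnabled    = $windows
        AllowedIdentities = $allowed -join '; '
        BroadIdentities   = ($allowed | Where-Object { $_ -in $broad }) -join '; '
        # Inheritance holds only if IIS demands a Windows identity for the node.
        InheritsFromAD    = (-not $anonymous) -and $windows
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row with `InheritsFromAD` false, or with entries under `BroadIdentities`, is a directory where access is not being decided by the specific AD users and groups the customer intended.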
We are extremely proud of this architecture and our users have benefitted from it since the day Visual KPI 1.0 shipped in 2006. If you want to speak to one of them, just let us know.