Authorization Center (CA) is a modern, comprehensive and scalable platform for a centralised
management of processes linked with authentication, authorization of operations,
access rights control, digital certificates and PKI services handling.
CA can be applied to control customer access to enterprise services, as well as verify personnel privileges (i.e. Contact Center agents or Back Office operators). It can also manage access of technology components to various services or resources.
In the processes of authentication and athorisation, CA uses the concept of access channels. In general, an access channel is identified with applications (and their user interface) or a location, where we need to proceed with user authentication. As example, the following channels are often available:
Transactional WEB interface
Transactional mobile interface
With support for double-authentication
Mobile advisor application
The list of supported access channels depends on the structure of the organisation and is one of the key elements
of system parameterization. CA allows to apply various authentication and authorization methods for the channel.
In the same way, different channel attributes, such as status or validity are serviced independently.
At the level of channel access, CA audits and controls incidents of unsuccessful authentication or authorization. A set of rules can be parameterized to block access to the given channel after a number of mistakes. It is also possible to block access temporarily, without the need to unlock manually.
The main functionality of CA is to service an authorization account.
The authorization account allows for verification of user
identity, as well as user's access control to various resources and functions.
CA can perform it in two ways:
Basic - 1st level or extended - 2nd level.
Both ways differ by the sort of tools used for authorization. The choice of which one to apply in a given situation stems from business logic and is part of system parameterization.
First level authorization is used mainly to authenticate the user and his identity. Information about authentication is kept during the session and is used to control passive operations, i.e. read information by the user. CA supports following methods for 1st level authorization:
For financial operations authorization, in particular for new beneficiaries or for large transaction amounts, 2nd level mechanism is applied. It involves an additional authorization tool, such as:
CA supports algorithms required to work with authorization devices working in CAP/DPA and Radius standards and manufacturers like Gemalto, VASCO, RSA and others. It also offers life cycle support services for these authorization devices.
Each user, depending on his role, should have a set of specific entitlements.
In case of an individual customer a simple model is satisfactory in most of cases, but in case of a corporate
client we need much more sophisticated and extended one.
CA allows to support these both types of clients due to the mechanism of ACL (Access Control List). ACL allows to define all activities, that can be performed by the client on a given object.
System has also the function to change and adjust parameters, what can also be done by the client himself. In addition to that, it allows to define profiles (groups of access rights) what facilitates management of distinct sets of clients.
Multi-signature is an acceptance mechanism, that requires a set of user approvals to accept a given
operation, as it is defined in a given scheme in CA. Multi-signature is used mostly in
corporate internet banking.
Each operation needs to have named users that have to authorise the operation. Each user of multi-signature uses an appropriate for him authorization tool for the access channel.
Each set of rules referring to the number of required signatures can also have limits for maximum amount of operation. A typical example of such schema would be a use case to sign a bank transfer for 30 000 PLN, which requires only the signature from Chief Accountant, but all transfers with amounts above this limit need a signature of the Board of Management Member, as well as from the Chief Accountant.
Logging-in a user into CA can also be integrated with a session initiation. Using session mechanism, CA can play the SSO (Single Sign-On) role, allowing for an unified process of user's athentication for a group of integrated services or applications. This integration can be done in two ways:
If in a given organisation SSO mechanism is implemented, CA can also be integrated with it, following SSO’s own protocol.
Many logging-in identifiers
Support for work schedule
Access control based
Can be managed by the users themselves
Access and authorization mechanisms described above, can also be applied for internal staff members i.e. authorising access based on IP address or with use of token device or Smart Card.
This can be applied for staff involved in customer service (Call Center agents or Back Office staff) or for all other groups of employees for whom CA can be used as a control mechanism for access to various enterprise resources or to staff dedicated services.
CA makes available a mechanism, that allocates so-called Pass to customers accounts (composed of an identifier + password). This passes enable access to additional systems that operate in the enterprise. We can use such a pass, if a given system’s API requires a dedicated user authentication to call a function.
Passes replace an execution of an operation in an external system, done by „technical account”. As a result, the operations are not anonymous, what enables audit of all operations, executed by each staff member. We can also set up all entitlements in one central point, even if they are related to many different core systems in the enterprise.
CA offers three-level mechanism of employees access rights approval i.e. from the level of the Manager, IT Specialist and Security Officer.
At each stage full auditability is implemented, including also paper based documentation, which often is required by internal enterprise legislation.
CA can also be used for management of access to VPN services. It includes authorization to the service with tools such as token device using challenge-response mechanism or Smart Card.
Employee access to given systems can be defined in directory services supported by Active Directory or LDAP.
CA can be integrated with these platforms and unifies access management process for the company.
In addition to that, CA can also provide stand-alone directory services what gives an opportunity to integrate CA with external systems on as-needed basis.
CA gives you temporary allocation of the role to a given authorization channel by asigning a set of dates (starting and ending access dates). In the same way, you can also delegate access rights, what can be used for temporary employee substitution.
Softax’s Authorization Center provides an Administration Console.
Key management functions include:
PKI (Public Key Infrastructure) is a portfolio of services that in conjunction with procedures can be used to create, keep, verify, use or revoke digital certificates.
CA makes available PKI services including following domains:
Softax solutions in the area of PKI are compliant with the following standards and norms:
CA functions are available as webservices in SOAP standard including WS-Security. It allows other systems and applications for access and use of authorization functions. The scope of functions covers practically all CA available functionality:
CA supports integration with external authorization systems based on protocols such as RADIUS, LDAP, SAML, Active‑Directory. Integrated systems can provide hardware based token generation (i.e. RSA, Vasco, Gemalto). In addition to that, local or network based HSM can be used or HSM services can be emulated within CA.
CA can be put in place with full range of features or just with a subset of its functionality. The way of implementation depends on the context of a given enterprise and client requirements.
An additional solution building block, increasing the level of organisation security, can be fraud detection system, for example Softax IFD. CA has functions allowing integration with IFD, what can be performed by passing information to IFD or collecting it from IFD.