Slide 4: FICO Platform Architecture

- Business objectives
  - Faster application development
  - Faster time-to-value solutions for our clients
  - Faster turn-around for upgrades to our clients
- Implementation
  - Standards-based, Service Oriented Architecture (SOA)
  - Integrates with operating systems and middleware: Operating System, JEE (Java Platform, Enterprise Edition), Application Server, Database Server, LDAP Server
  - Configurable by application
Slide 5: FICO Platform Architecture: Configurations for FICO Applications

Layered stack, top to bottom (FICO Platform and shared strategic differentiators sit on a third-party platform stack):

- FICO Applications: DebtManager, FraudManager, OriginationManager, InsuranceFraud, DMApp
- FICO Platform: FICO Application Business Services
- Third-party platform stack: Java Platform, Enterprise Edition (JEE); Application Server; Database Server; LDAP Server; Operating System; Hardware
Slide 6: What is FICO Platform? What functionality does it provide?

- Common Data Model: extensible data entities; encryption; data access layer; audit, logging, and history; license management
- Data Acquisition: FICO Network + transformation; bureau + data interfaces
- Decision Management System: characteristic library; model deployment; adaptive control; performance reporting; transaction scoring
- Business Rules Management: Blaze Advisor (RMA)
- Business Intelligence: browser-based reports integration
- Security Framework: Role Based Access Control; LDAP integration + federation; Single Sign-on
- UI Framework: UI Builder (SmartForms); context-sensitive help; call scripting
- Internationalized (I18N): double-byte character set (DBCS); locale aware (region + language); date, time, currency, numeric separators; externalized translation configuration
- Case Management: history + notes; evidence locker; workflow
- Document Services: document templates; PDF, email, SMS
Slide 8: FICO Platform use of LDAP

- What is LDAP and what purpose does it serve? LDAP = Lightweight Directory Access Protocol
- FICO client needs
  - LDAP integration for administration and support
  - Reuse corporate configuration for groups, users, and password policy
  - Centralized and delegated administration
- FICO Platform products
  - Use standard LDAPv3 integration for directory services
  - Have delegated administration features to write to LDAP
- Use of LDAP server
  - Users (with group membership): only attributes in the standard LDAP schema; extended attributes are kept in the FICO database
  - Groups (with hierarchy)
  - Password policy
Slide 9: Single Sign On

- FICO application roadmap requirements from clients
  - Support for Single Sign On environments
  - Support for Federated Security integration
- Requires a centralized authorization server
  - Typically an LDAP server or integrated with LDAP servers
  - Implemented by an authentication token
  - Federation requires a trusted relationship
- Site-deployed
  - Workstation login establishes the authentication token
  - No user/password required to access applications supporting SSO
- ASP/Hosting
  - One user/password in the portal/extranet for multiple hosted applications
  - Federation allows trust to auto-provision clients
Slide 11: Users: Setting up the Users

- Creating Users
  - Tenants are used when you are hosting more than one customer
  - Locales will be used in future releases for localizations (English, Dutch, German)
  - Department is a free-form entry for "Primary Group." In a future release, we will be making this a drop-down selector.
Slide 12: Users: User Creation and User Setup for Additional Details

- User Creation: users are created in LDAP
  - Username required, validated to be unique
  - First and last name required for application display
  - Email address required for sending the temporary password
  - A temporary password is generated and an email is sent to the user's address
  - Users are also created in Business Objects
- User Setup for Additional Details
  - Some additional LDAP details are available for reference: employee #, phone, mobile, title
  - Remaining details are user details in the database
  - Settings: tenant, locale, time zone
  - Associations: groups, roles, queues
  - User is made a member of groups in LDAP
  - User locale and time zone settings are updated in Business Objects
Slide 14: Roles

- Roles should be configured by job function
  - Contain a set of permissions to access a resource
  - Typically assigned to a group of users that do that job
  - Eases role administration for a large number of users
  - Ensure a backup resource with 2 or more users in each group
- IFM ships with the following default roles: Full Administrator, Manager, Investigator, Medical Management, Claims Reviewer, Claims Supervisor, Information Only, Triage/Case Administrator
Slide 16: Permissions and Roles

- Permissions: allow access to system-level features
- Roles (job function): a group of access permissions
  - Roles hierarchy: lower-level roles contain a subset of the upper-level role's permissions
  - Users and Work Groups may have one or more Roles
- Role administration can be delegated
  - By Role, with Role permissions (Add, Manage, Change, Modify)
  - Users are limited to their Scope of Authority (their lower-level Roles)
- Roles are not bound by organization or operational areas, unless defined that way in the hierarchy
  - Allows shared job functions across the organization and operation, e.g. Delegated Administration: User Administration, Group Administration
Slide 17: Role Based Access Control (RBAC): Separation of Duties

- Role type: Security Administrator
  - Top-level access control to all security objects and audit logs
  - Defines primary roles and groups
  - Establishes System Administrators and Delegated Administrators
- Role type: System Administrators
  - Manages system configuration options
  - Monitors system function and maintains the operational environment
- Role type: Delegated Administrators
  - Manages business or departmental operations
  - Allows configuration changes to respond quickly to business needs
- Best Practice*
  - Define top-level roles as a superset for job functions
  - Create lower-level child roles as permission subsets
  - Allows sharing some permissions for staff in cross-functional roles; it is typical that some users do two jobs or cover tasks of other staff as needed (out-of-office, vacation, sick)

* Best Practice note: limit the use of organization groups and operational groups such as Department, Product, or Team in the Roles hierarchy. Use Work Groups for that instead; otherwise the Roles hierarchy becomes very wide and/or very deep and typically ends up with duplicate roles in different organization or operational groups. Strive to define Roles as job functions that are cross-functional and can be used across organization and operational groups.
Slide 19: Permissions

- IFM permissions are at the detailed functional level
  - Permissions are defined as an Action and Resource pair
  - Permissions can be assigned to multiple roles
  - The authorization service checks the user's Roles for the permission
- Permissions can control access to various user interface elements: menus, menu items, screens/pages, screen elements, navigation items (buttons, hyperlinks), controls (textbox, drop-down list, grid, etc.)
- Work in progress
  - Renaming permissions to provide better clarity
  - Next release includes a permission category, with the ability to filter the list of permissions by category (examples: Users, Groups, Roles, Queues, Menu, Grid, Domain Values)
Slide 21: Groups: Work Groups/Departments

- Work Groups: a set of users that are grouped to represent operational groups or teams
- Work groups simplify administration of a large number of users: roles and queues associated to a group apply to all members of the group
- Administration for lower-level user groups can be delegated to users or user groups associated to upper-level user groups
- Next release changes to "User Group" nomenclature
  - Common name for a container of a number of users
  - Better represents the alignment with LDAP user groups
  - New attribute in user details for a tenant-specific Primary Group
Slide 22: Work Groups

- Work Groups are defined by Tenant: each tenant may have different users and operational needs
- A user with the appropriate permission in their Roles can create Work Groups (add) and maintain Work Groups (edit)
- Business managers or supervisors
  - Define the group and team structure for their business operations area
  - Hierarchy (inheritance) to define managers, supervisors, teams
  - Scope of Authority is limited to the groups they are in: maintaining users and assignments in "my work groups", and maintaining configuration for lower-level work groups
Slide 24: Organization

- Coming soon: Organization lets you have better control of Document Templates, etc.
- Optional: the Default organization is used until configured
- Authorization to certain system resources can be based on an organizational hierarchy and RBAC
  - Roles determine whether the user can access the screen and perform actions
  - The organization hierarchy determines what data the user can act upon (which resources are listed as available to act on)
- The organization hierarchy models divisions, departments, and teams
  - Work groups are associated to one or more organizations
  - Users can also be associated individually to organizations
- Administration for lower-level organizations can be delegated to users or user groups associated to upper-level organizations
Slide 25: Organization Example

- A role permission allows the user to update document templates
- The user is a member of one or more organizations
- Certain document templates are associated to organizations
- The document templates available to the user are limited to those that belong to the user's organization(s)
- Organization resources: document templates, business calendars, scripts, other entities defined by FICO products
- For backward compatibility, these resources are part of the Default Organization, which is available to All Users and All Groups
Slide 26: Delegated Administration

- Of Users, Work Groups, and Roles, managed by individual clients, divisions, departments (such as directors, managers, and supervisors)
- The hierarchical structure limits Scope of Authority to
  - Roles they have been associated to and the child roles of those roles
  - Work Groups they have been associated to, the child groups of those groups, and the users within those work groups
  - Organizations they have been associated to and the child organizations of those organizations
- Role permissions determine which maintenance has been delegated
  - Users are always limited to their Scope of Authority
  - A user cannot change a hierarchy without permission to act on the resource (Create, Edit, or Delete) for that specific hierarchy (Roles, Work Groups, or Organizations)
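As an added example (not FICO's own code), this Python model ties together the authorization rules from the Permissions and Roles, RBAC, Organization Example and Delegated Administration slides: permissions as (action, resource) pairs, a role hierarchy whose child roles are permission subsets, organizations that decide which resource instances a user may act on, and the scope-of-authority check for a delegated administrator. The four role names are IFM's shipped defaults; their nesting, their permission sets and the organization names are constructed assumptions.

```python
from dataclasses import dataclass

Permission = tuple[str, str]  # (action, resource) pair, as the slides define a permission
DEFAULT_ORG = "Default"  # its resources stay available to all users and groups (backward compatibility)
# Constructed hierarchies, child -> parent. The four role names are IFM's shipped defaults;
# their nesting, their permission sets and the organization names are assumptions of this example.
ROLE_PARENT = {"Manager": "Full Administrator", "Investigator": "Manager",
               "Information Only": "Investigator"}
ROLE_PERMS: dict[str, set[Permission]] = {
    "Information Only": {("view", "case")},
    "Investigator": {("view", "case"), ("edit", "case")},
    "Manager": {("view", "case"), ("edit", "case"), ("update", "document_template"), ("manage", "role")},
    "Full Administrator": {("view", "case"), ("edit", "case"), ("update", "document_template"),
                           ("manage", "role"), ("manage", "organization")},
}
ORG_PARENT = {"Claims East": "Claims", "Claims West": "Claims"}

@dataclass
class User:
    name: str
    roles: set[str]
    orgs: set[str]

def descendants(parent_of: dict[str, str], node: str) -> set[str]:
    """A node plus everything below it in a child -> parent map."""
    out = {node}
    for child, parent in parent_of.items():
        if parent == node:
            out |= descendants(parent_of, child)
    return out

def hierarchy_is_consistent() -> bool:
    """Slide invariant: each lower-level role holds a subset of its parent role's permissions."""
    return all(ROLE_PERMS[c] <= ROLE_PERMS[p] for c, p in ROLE_PARENT.items())

def permissions(user: User) -> set[Permission]:
    return set().union(*(ROLE_PERMS[r] for r in user.roles))  # users may hold several roles

def in_scope(held: set[str], parent_of: dict[str, str], target: str) -> bool:
    """Scope of authority: the items a user is associated to, plus all of their children."""
    return any(target in descendants(parent_of, h) for h in held)

def may_act_on(user: User, action: str, resource: str, resource_org: str) -> bool:
    """Roles decide whether the action is permitted at all; the organization hierarchy decides
    whether this particular resource instance is listed as available to act on."""
    return (action, resource) in permissions(user) and (
        resource_org == DEFAULT_ORG or in_scope(user.orgs, ORG_PARENT, resource_org))

def may_administer_role(admin: User, target_role: str) -> bool:
    """Delegated administration: needs the manage permission AND a target role within scope."""
    return ("manage", "role") in permissions(admin) and in_scope(admin.roles, ROLE_PARENT, target_role)
```

A Manager in "Claims East" can update that organization's templates and the Default Organization's, but not "Claims West" ones, and can administer Investigator and Information Only but not Full Administrator.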