SaaS Authorization Management
    • 23 Dec 2024

    SaaS Authorization Management Overview

    SaaS Authorization Management provides out-of-the-box support for leading SaaS vendors. It enables the Platform to integrate with SaaS vendors to provide standardized, centralized authorization management while supporting distributed deployment across the organization’s technology stack.

    Integration with the vendors is accomplished through Policy Orchestration. This service discovers, maps, and manages the authorization policies of SaaS vendors, using each vendor's native capabilities through its available APIs.


    1. PlainID’s Policy Administration Point connects to the SaaS Application and discovers existing policies.
    2. Administrators manage and create access control Policies within PlainID’s dashboard.
    3. New and updated Policies are then pushed back to the SaaS application.

    Policy Orchestration ensures that different authorization and access policies are implemented, enforced, and coordinated effectively to achieve the desired security controls while maintaining consistency and avoiding conflicts.

    Once vendor objects and policies are discovered and represented in the Platform, they can be viewed, like all other policies in the Platform, either as code in structured Rego or visually in the Policy Map.

    SaaS Authorization Management Process

    A high-level overview of the SaaS Authorization Management process includes:

    • Discovery of Policies from the target platform
    • Display of Policies in a unified language
    • Management of Policies from the platform
    • Monitoring of changes in Policies

    The solution helps streamline the process of policy creation, enforcement, and updates, making it easier to maintain a secure and compliant environment:

    • Automate and Streamline: By centralizing policy management and automation, organizations can reduce the manual effort required to enforce policies across various systems.
    • Ensure Consistency: Policy orchestration ensures that policies are consistently applied across different parts of the organization, preventing discrepancies and security gaps.
    • Compliance and Governance: Helps organizations adhere to regulatory requirements and internal governance standards by automating the enforcement of relevant policies.
    • Visibility and Monitoring: Provides monitoring and reporting, allowing organizations to track policy enforcement and identify potential issues or violations.
    • Adaptability: Facilitates quick updates and adjustments to policies in response to changing business needs, security threats, or regulatory changes.
    • Risk Management: By consistently enforcing security and compliance policies, organizations can better manage and mitigate risks related to data breaches, unauthorized access, and other threats.

    Learn Mode vs Manage Mode

    In PlainID's Orchestration flows, Learn Mode and Manage Mode serve distinct purposes for the gradual onboarding and management of new Policy Orchestration Points (POPs) to the Platform. This section outlines the workflows, key differences, and the impact of both modes.

    Discovery Flows

    The diagram below depicts the interaction between the Authorization Workspace, Orchestration Workspace, and the Vendor Tenant in both Learn and Manage Mode:

    [Diagram: Orchestration flows]

    • Learn Mode:

      • Comprehensive Visibility: Provides full visibility into the Policies, Assets, and Identity setup available in the vendor Tenant.
      • Native Representation: Captures data in its original vendor language within the Orchestration Workspace.
      • Standardized Translation: Translates this data into standardized PlainID representation, such as Policy maps and structured language.
      • Consistency: Ensures a clear, consistent view of Policies, Templates, and values across different Environments.
    • Manage Mode:

      • Policy Management: Enables Policies to be managed and deployed from PlainID to the vendor Tenant, ensuring streamlined Policy enforcement.
      • Policy Reconciliation: Supports side-by-side comparisons of Policies to identify discrepancies and ensure alignment between PlainID and the vendor Tenant.
      • Ongoing Maintenance: Focuses specifically on maintaining policies to ensure they remain up-to-date, accurate, and consistent across Environments.

    Learn Mode vs Manage Mode: Detailed Comparison

    The table below shows how changes in the vendor Tenant are reflected in PlainID's Orchestration and Authorization Workspaces:

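                          | Orchestration Workspace Learn Mode | Orchestration Workspace Manage Mode | Authorization Workspace Learn Mode | Authorization Workspace Manage Mode
    Asset Template/Assets | ✓                                  | ✓                                   | ✓                                  | ✓
    Identity Template     | ✓                                  | ✓                                   | ✓                                  | ✓
    Values                | ✓                                  | ✓                                   | ✓                                  | ✓
    Policies              | ✓                                  | ✓                                   | ✓                                  | X

    (✓ = synchronized from the vendor Tenant, X = not synchronized)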

    Difference Summary

    • Identity Templates, Asset Templates, and Values: Fully synchronized in both Learn and Manage Mode across all Workspaces since they are not managed in PlainID.

    • Policies:

      • Learn Mode: Full synchronization across the Authorization Workspace (WS) and the Orchestration Workspace (WS).
      • Manage Mode: Policies are synchronized only in the Orchestration WS, for visibility and reconciliation. Policies in the Authorization WS are not overwritten, so control over them stays in PlainID. The Policy panel in the Orchestration WS allows side-by-side comparisons with the vendor Tenant to highlight differences for reconciliation.
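
    The synchronization rules above, modelled as an added Python example (not PlainID code and not its API): it shows how a change made directly in the vendor Tenant surfaces as a reconciliation difference in Manage Mode instead of overwriting the managed Policy. The `Workspace` class, the function names, and the policy strings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Workspace:
    # (kind, name) -> definition; kinds: asset_template, identity_template, value, policy
    objects: dict = field(default_factory=dict)

def discover(vendor, orchestration, authorization, mode):
    """One discovery run from the vendor Tenant, applying the sync rules above."""
    if mode not in ("learn", "manage"):
        raise ValueError(f"unknown mode: {mode}")
    for key, definition in vendor.items():
        orchestration.objects[key] = definition  # always mirrored for visibility
        if key[0] == "policy" and mode == "manage":
            continue  # Manage Mode: Authorization WS policies are not overwritten
        authorization.objects[key] = definition

def reconcile(orchestration, authorization):
    """Return {policy name: (vendor_side, plainid_side)} for every policy that differs."""
    names = {k[1] for ws in (orchestration, authorization)
             for k in ws.objects if k[0] == "policy"}
    diff = {}
    for name in sorted(names):
        vendor_side = orchestration.objects.get(("policy", name))
        plainid_side = authorization.objects.get(("policy", name))
        if vendor_side != plainid_side:
            diff[name] = (vendor_side, plainid_side)
    return diff

def demo():
    # Constructed sample tenant state, not real vendor data.
    vendor = {("policy", "finance-read"): "analyst: read",
              ("value", "region"): "EU"}
    orch, authz = Workspace(), Workspace()
    discover(vendor, orch, authz, "learn")    # onboarding: everything mirrored
    assert reconcile(orch, authz) == {}
    # Out-of-band change made directly in the vendor Tenant after onboarding.
    vendor[("policy", "finance-read")] = "analyst: read, export"
    vendor[("value", "region")] = "EU, US"
    discover(vendor, orch, authz, "manage")
    return authz, reconcile(orch, authz)

if __name__ == "__main__":
    authz, drift = demo()
    print(drift)
```

    In the demo, the changed Value reaches both Workspaces, while the widened Policy appears only as a difference to review.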

    By distinguishing between Learn Mode and Manage Mode, PlainID's Orchestration flows enable seamless onboarding and long-term management of POPs. The ability to discover, compare, and reconcile Policies ensures that organizations can maintain alignment and precision as their Environments evolve.

    Current Authorizers that support SaaS Authorization Management include:

    Refer to the relevant documentation or contact PlainID for information on these Authorizers.

