Enterprise strategy for Identity and Access Management

Author(s): Siva Soundarapandian, Trimble Distinguished Engineer

Last Reviewed: February 2024

Introduction

Identity and Access Management (IAM) is a foundational construct required at the platform level to achieve our goal of connecting customer data and increasing data access transparency and governance. In the realm of Identity and Access Management, relying solely on application-level strategies poses inherent challenges. This document examines the shortcomings associated with implementing an IAM strategy at the application level and underscores the significance of adopting a platform-level enterprise strategy for Identity and Access Management/Authorization. It also delves into the critical aspects that must be addressed to formulate a comprehensive solution for these challenges.

Challenges with Application-Level IAM

At the application level, authentication and authorization focus on specific functionalities or services within an application. Policies are often tailored to the specific features of each application, and access control is managed independently within the application. As users traverse multiple applications within Trimble in a connected workflow, the absence of a shared enterprise context like account and password policies can lead to a fragmented user experience.

This not only introduces inefficiencies but also heightens the risk of errors and security vulnerabilities. Additionally, the lack of centralized coordination makes it challenging to enforce consistent access policies across the entire organizational ecosystem. Users navigating multiple applications encounter inconsistencies in permissions and data access, leading to potential compliance issues and security breaches.

Platform-Level IAM

Platform-level authentication/authorization spans across multiple applications and services within the Trimble ecosystem. Policies at this level govern the overall access control, ensuring consistency and security across all interconnected applications. The key elements that need to be addressed for a successful platform-level IAM are:

Multi-Tenancy

Trimble Identity’s multi-tenancy has so far been non-existent: TID has emphasized an individual subject-centric construct, i.e. one where the user, rather than the Customer Organization, is the center of tenancy. Using the Customer Organization as the fundamental unit for structuring multi-tenancy is essential for enterprises in addressing a range of concerns, including data isolation, access management, and governance.[1] Operating within a multi-tenancy context is also what makes it possible to establish password policies of varying security levels that meet the needs of large customers.

An Organization serves as a container for accounts that hold orders and entitlements, thus functioning as the pivotal link bridging the sales side with the operational side of IAM. Currently, the relationship between the Customer Organization, the sales Account and users is managed separately within distinct applications. Lacking a common Customer Organization context within IAM makes it impossible to establish connections between user workflows across various services and applications.

We will be incorporating the required features into Trimble Identity to support enterprises and to integrate smoothly with the Account experience. This will answer the question a Trimble developer building an application or API faces: how to easily access the shared context of the Authentication Subject, its Tenant and Account, and the permissions associated with the requested resource. That context is crucial for tailoring the data and access granted to the protected resource within a multi-tenanted system, and for providing a seamless connection between different Trimble applications in a workflow.

Prompt: Is the need to link Users to Customer Organizations, and for the platform to provide that context to Trimble’s applications clear and appreciated?

Field User Experience

Trimble Field users rely heavily on mobile-based devices to access critical information and perform essential tasks. It is crucial to provide a secure yet seamless authentication process for field users that supports accessibility, efficiency, easy device handoff, and offline usage. Passwordless authentication was introduced in TID as a core element to support this. The platform team is looking at creating a mobile identity component that abstracts authentication concerns and offline access, balancing security and usability. This can significantly improve the field-to-cloud connectivity.

The implementation of a unified approach that combines device authentication with user authentication within Trimble’s interconnected workflow allows for a more flexible and user-friendly experience. This approach enables us to adopt a more lenient stance on policies and retries for field users, ensuring that individuals operating in dynamic environments can seamlessly access Trimble applications without sacrificing the paramount importance of security.

Prompt: Do you agree that improving Field User Experience is a top priority for the platform IAM strategy to tackle?

Access Management

A holistic approach to authorization sets the foundation for a robust and scalable security framework. Authorization is spread across individual products today within Trimble, which results in a disjointed customer experience. The Trimble Access Management (TAM) appliance was released to perform decentralized shared authorization decisions on the edge based on policies. Authorization through declarative policies offers the advantage of providing a clear, transparent, and easily understandable framework, empowering teams in Trimble to efficiently manage access controls.

Policies are rules, and these rules are applied to data. That data is a blend of globally shared context (the authentication subject: User, Device or Application; the Account the Identity is associated with; the groups the Identity belongs to; its roles and permissions) and information stored locally within individual resource servers; together they form the basis for policy execution. Trimble’s IAM offering will hold this shared global context and work with decentralized authorization.
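To make the "rules applied to data" model concrete, and to show what a resource server gains from the shared Subject/Tenant/Account/permissions context described under Multi-Tenancy, here is an added Python example. It is not Trimble, TID or TAM code: a small decision point evaluates declarative allow/deny rules over a subject context merged with the resource server's own local attributes, enforces tenant isolation before any rule runs, and denies by default. The rule names, subject fields, resource attributes and sample identities are constructed assumptions for illustration.

```python
"""Added example (not Trimble's code): declarative policy evaluation over
shared IAM context plus resource-server-local data, with tenant isolation
enforced first and deny-by-default."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Subject:
    """Globally shared authentication context, as a platform IAM would supply it."""
    kind: str                  # "user", "device" or "application"
    subject_id: str
    tenant_id: str             # the Customer Organization the subject belongs to
    account_id: str
    groups: frozenset
    roles: frozenset
    permissions: frozenset     # "<resource-type>:<action>" strings (assumed format)


@dataclass(frozen=True)
class Resource:
    """What the resource server knows locally about the protected object."""
    resource_id: str
    resource_type: str
    tenant_id: str
    attrs: dict


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                # "allow" or "deny"
    action: str                # concrete action or "*" for any
    condition: Callable[[Subject, Resource, str], bool]

    def matches(self, subject: Subject, resource: Resource, action: str) -> bool:
        return self.action in ("*", action) and self.condition(subject, resource, action)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(subject: Subject, resource: Resource, action: str, rules: Iterable[Rule]) -> Decision:
    # Tenant isolation is checked before any rule: a resource belonging to
    # another Customer Organization is never reachable, whatever the rules say.
    if subject.tenant_id != resource.tenant_id:
        return Decision(False, "tenant-isolation")
    matched = [r for r in rules if r.matches(subject, resource, action)]
    # Any matching deny wins over any allow; no matching allow means deny.
    for r in matched:
        if r.effect == "deny":
            return Decision(False, f"deny:{r.name}")
    for r in matched:
        if r.effect == "allow":
            return Decision(True, f"allow:{r.name}")
    return Decision(False, "no-matching-allow-rule")


# Constructed rule set; names and conditions are illustrative assumptions.
RULES = (
    Rule("locked-resource", "deny", "write",
         lambda s, r, a: bool(r.attrs.get("locked"))),          # local data
    Rule("org-admin", "allow", "*",
         lambda s, r, a: "org_admin" in s.roles),                # shared context
    Rule("explicit-permission", "allow", "*",
         lambda s, r, a: f"{r.resource_type}:{a}" in s.permissions),
    Rule("project-member-read", "allow", "read",
         lambda s, r, a: s.subject_id in r.attrs.get("members", ())),
)


def make_subject(subject_id, tenant_id, roles=(), permissions=(), groups=()):
    return Subject("user", subject_id, tenant_id, f"acct-{tenant_id}",
                   frozenset(groups), frozenset(roles), frozenset(permissions))


# Constructed sample resource held by a hypothetical project service.
PROJECT = Resource("proj-42", "project", "org-a", {"members": ("u-bob",), "locked": True})


def demo() -> dict:
    alice = make_subject("u-alice", "org-a", permissions={"project:read", "project:write"})
    bob = make_subject("u-bob", "org-a")
    carol = make_subject("u-carol", "org-b", roles={"org_admin"})   # admin of another org
    return {
        "alice-read": decide(alice, PROJECT, "read", RULES),
        "alice-write": decide(alice, PROJECT, "write", RULES),
        "bob-read": decide(bob, PROJECT, "read", RULES),
        "bob-write": decide(bob, PROJECT, "write", RULES),
        "carol-read": decide(carol, PROJECT, "read", RULES),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The ordering in `decide` is the security-relevant part: the tenant check is not a rule that a policy author can forget or override, deny rules are evaluated before allow rules, and the default is deny. The decision also carries the name of the rule that produced it, which is what centralized governance needs in order to audit why an edge component granted or refused access.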

Centralized governance and management of platform-level policies are essential to ensure uniformity, consistency, and comprehensive oversight where access control measures align seamlessly with Trimble’s security objectives and standards across the entire spectrum of applications and services. Centralized user management and access policies are key components of platform-level IAM.

Prompt: Is the position in the final paragraph here understood and appreciated? While TAM provides the ability to perform authorization checks, Trimble requires common governance of authorization policies in order to create uniform behaviour and consistency across Trimble’s ecosystem.

Benefits

By adopting a comprehensive platform approach, Trimble can provide:

Connected User Experience: A platform strategy ensures a seamless and connected user experience across Trimble’s applications and services. Customers benefit from a consistent and user-friendly authentication and authorization process, enhancing overall satisfaction.

Efficient User Lifecycle Management: Enterprise-level IAM allows our customers to streamline user onboarding, offboarding, and role changes. This efficiency is critical for a large organization where employees may move between departments or require different levels of access over time.

Reliable Security and Compliance: Centralized control and governance over IAM and Authorization on the platform enable Trimble to uphold rigorous security standards and comply with industry regulations. Customers can trust that their data and operations are protected according to the highest security standards.

Efficient external integration: If Trimble’s platform involves collaboration with external partners or integrates with third-party services, a well-defined IAM strategy facilitates secure and efficient collaboration. Customers can enjoy the benefits of integrated services without compromising on security.

Adaptability to Diverse User Roles: The platform can cater to the diverse roles and responsibilities of Trimble’s customers, ensuring that each user has the appropriate level of access. This adaptability simplifies user management and allows customers to tailor their experience based on their unique needs.

Improved Self-Serviceability: It enhances self-serviceability by empowering customers to independently manage and control their access permissions, promoting efficiency and reducing administrative burden.

Summary

Trimble’s platform strategy for IAM not only simplifies the user experience but also elevates the overall value proposition for customers. It ensures security, compliance, and adaptability, allowing Trimble’s customers to focus on their core operations with confidence in the reliability and efficiency of the platform.

Footnotes

  1. Furthermore, Trimble’s multi-national customers may require finer-grained controls than at the Customer Account level, or will be required to extend the most restrictive cases to all of their users, regardless of geography.