The client is a global distributed company with employees, suppliers and customers from different countries. Global distribution of information resources results in necessity to provide entitlements to other applications and information systems. There is a need to evaluate all approved security rules that govern determination of access to data and information systems. These rules include:

• Government laws and regulations.
• Contractual and legal obligations, governing release of intellectual property.
• Administrative policies.
• Internal business requirements.

The Solution:

Luxoft started with the development of Enterprise Authorization Service (EAS) that acts as a common service point for software systems and applications for data access entitlements. The Enterprise Authorization Service is decomposed into three major subsystems to solve three main business objectives: the Authorization Engine subsystem, the Data Management sub-system and the Query-and-Reporting subsystem.

• The Authorization Engine Subsystem (AES) is the primary and most critical subsystem to satisfy the following business objectives: evaluate requests from external information systems for data access decisions, return the corresponding verdicts to calling applications, and to log the verdicts for recordkeeping purposes and audits. Due to the service nature of the subsystem it is subject to advanced performance tuning and performance testing processes.
• The Data Management Subsystem (DMS) is a support subsystem to the AES. It is business objective is to consistently store and make available export authority and intellectual property authority data to the AES subsystem. Data is either entered via a web user interface or loaded directly into the database via batch interface; with both interfaces automatically insure data consistency and integrity. To support audits by client IT or government organizations DMS provides facility for inspecting log entries and performing production diagnostics.
• The Query-and-Reporting Subsystem (QRS) provides facility to extract various advanced reports from EAS (e.g., entitlement reports) for future analysis from both business and IT side. Due to the business requirements and service nature of the system triple automatic failover is implemented with all three sites residing in different geographical locations.