3. Who are we?
● Lead Architect
● Application Platform (IAM)
● Skeptic
● Good food and cooking (it)
● Fine drinks (craft beer, wine..)
● System Architect
● Access Management
● Eager for new technology
● Sports
● Good food, drinking, having fun
4. Visma | Raet
● Provider of HR and Payroll solutions/services
● Fully SaaS/cloud
● Over 10.000 customers (3 million users)
● Big in the Dutch Public sector
● Focusing on international business
● Acquired by Visma in July 2018
6. Requirements & Use cases
● Centralized Access Management for multiple applications/modules
● Provide access to applications, features and actions
● Provide access to a population of people
8. Example
Policy: All managers can do contract management on their reports
[Diagram nodes: Managers :Group; Pete :User; Mike :User; :Assignment; :Direct Reports; Contract Mgmt :Permission Set]
10. Read optimized architecture
[Diagram: Access Management, with the labels Configuration and Runtime. Components: Event Processor, Command Model, Query Model. Flow labels: Read and change configuration; Retrieve access information; Apply changes; Send events about changes to the configuration]
11. Performance issues
● Query Model - Be fast to give Authorization information
○ The query model store was recalculated for every functional change:
■ New user added to the User Management system
■ Existing user was modified:
● Move user in the Organizational structure: Manager, simple employee, Director …
○ Query model store in SQL Server
■ Synchronization/Permissions recalculation was too costly (ratio Users/Time almost exponential) – Ex. 4000 users / 4 hours ++
12. Why use a Graph?
● Queries instead of permissions recalculation
● When a functional change occurs:
○ Authorization will be applied almost instantaneously
○ The authorization queries will be answered fast through API requests. (under 200ms)
● The Authorization system will be able to scale
○ More big customers are coming
○ The size of the customer won’t be an issue. (#users, #authz)
13. Graph data model
[Diagram]
● Nodes: User, Group, Assignment, Permission Set, Permission, Department, Target Population
● Relationships: IS_MANAGER, BELONG_TO, IS_ACCESS_GROUP, IS_ACCESS_USER, CONTAINS_PERMISSION, HAS_EMPLOYEE, HAS_REPORTS, IS_TARGET (shown twice)
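The "queries instead of permissions recalculation" idea from slide 12, applied to the slide 8 policy with relationship names from slide 13, as an added example that is not code from the presentation. Assumptions: the edge directions, the `GRANTS` edge from an assignment to its permission set, the assignment id `A1`, and the permission name `contract.edit` are constructed, since the slides show only node and relationship names.

```python
from collections import defaultdict

class AuthzGraph:
    """In-memory stand-in for the graph store (hypothetical helper class)."""
    def __init__(self):
        self.out = defaultdict(set)  # (node, relationship) -> neighbour nodes

    def link(self, src, rel, dst):
        self.out[(src, rel)].add(dst)

    def unlink(self, src, rel, dst):
        self.out[(src, rel)].discard(dst)

    def assignments_for(self, user):
        """Assignments that reach the user directly or through a group."""
        groups = self.out[(user, "BELONG_TO")]
        return {a for (a, rel), dsts in list(self.out.items())
                if (rel == "IS_ACCESS_USER" and user in dsts)
                or (rel == "IS_ACCESS_GROUP" and dsts & groups)}

    def can(self, actor, permission, target):
        """Deny by default; allow only if a live path exists right now."""
        for a in self.assignments_for(actor):
            sets = self.out[(a, "GRANTS")]  # assumed edge, not on the slides
            if not any(permission in self.out[(s, "CONTAINS_PERMISSION")]
                       for s in sets):
                continue
            # "DirectReports" is a dynamic population, resolved per actor.
            if ("DirectReports" in self.out[(a, "IS_TARGET")]
                    and target in self.out[(actor, "HAS_REPORTS")]):
                return True
        return False

def build_example():
    """Constructed data: all managers can do contract mgmt on their reports."""
    g = AuthzGraph()
    g.link("Pete", "BELONG_TO", "Managers")
    g.link("Pete", "HAS_REPORTS", "Mike")
    g.link("A1", "IS_ACCESS_GROUP", "Managers")
    g.link("A1", "GRANTS", "ContractMgmt")
    g.link("A1", "IS_TARGET", "DirectReports")
    g.link("ContractMgmt", "CONTAINS_PERMISSION", "contract.edit")
    return g

if __name__ == "__main__":
    g = build_example()
    print(g.can("Pete", "contract.edit", "Mike"))  # manager acting on a report
    print(g.can("Mike", "contract.edit", "Pete"))  # report acting on a manager
    g.unlink("Pete", "BELONG_TO", "Managers")      # functional change
    print(g.can("Pete", "contract.edit", "Mike"))  # evaluated on the new graph
```

Because every decision is a traversal of the current graph, removing Pete from the Managers group revokes his access on the next query, with no precomputed permission table left to go stale.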
16. Current status
● Development largely finished
● Performance testing ongoing
● Targeting release end of Q1 or beginning of Q2
● No clear numbers yet on improvements