Capability-Centric Governance - Redefining Access Control

Moderate severity: notable industry update or emerging trend
In short: the model improves access control for legacy systems by governing the business actions users can actually perform, not the permission sets they happen to hold.
A proposed governance model for legacy systems defines access in terms of capabilities rather than entitlements. The shift makes approvals understandable, turns segregation of duties into a runtime check on sequences of actions, and replaces inference with usage evidence, which addresses the standing-privilege risk these systems accumulate.
What Happened
Access governance on legacy platforms such as z/OS and IBM i has faced persistent difficulty. Traditional entitlement-centric models, built around the platforms' native profiles and object authorities, rarely reflect the business actions users actually perform, so there is a mismatch between how access is granted and how the systems are operated day to day. A new approach, capability-centric governance, proposes to redefine access control around concrete business actions rather than abstract permissions.
Why It Matters
Legacy systems still carry sensitive financial and operational processing for many organizations, and the way their access is governed creates real risk. When approvers certify entitlements whose effect they do not understand, the result is defensive approval (sign off rather than risk breaking something) and standing privileges that survive from one review to the next, until the exposure is simply accepted as normal. The capability-centric model aims to give approvers the clarity and context they need to decide.
The Flaw
Entitlement-centric models assume that permissions can be grouped meaningfully and that segregation of duties (SoD) can be evaluated statically. This assumption breaks down in legacy environments, where risks often emerge from sequences of legitimate actions over time. For example, a user might enter payroll exceptions and later approve them, creating a conflict that static role analysis fails to capture.
Defining Access as Capability
The capability-centric model asks what access actually lets a user do. A capability is a specific business action (enter an invoice, release a payroll exception) mapped to the native authorizations that enforce it on the platform, so the mapping stays checkable against what is really granted. Approvers then certify an understandable action rather than an opaque bundle of permissions.
Segregation of Duties as Behavior
Rather than treating a SoD violation as a static condition on a user's entitlements, the model treats it as behaviour that emerges over time: a user who submitted payroll for an entity in a given cycle may not release exceptions for that entity in the same cycle. Evaluating each request at runtime, against what the same user has already done, catches conflicts that static role analysis cannot see.
A Thin Overlay for Context and Control
The capability model does not replace the platform's own enforcement. It adds a thin policy overlay that evaluates context on each request, enforces sequence-based controls, and enables just-in-time, time-bounded elevation for rare tasks, all without modifying application code. The overlay should fail closed: if it cannot reach the action history it depends on, the request is denied, and the native authorizations continue to deny anything the overlay never granted.
Evidence from Native Telemetry
Legacy platforms already produce detailed telemetry (SMF records on z/OS, the audit journal on IBM i) showing which users exercised which authorities, when, and with what outcome. Condensing that data into concise per-user usage summaries lets certification move from inference ("this person probably still needs it") to evidence ("this capability has not been used in the review period"). That improves accountability and removes ambiguity from the decision.
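One way to build such usage summaries and turn them into a certification sheet, as an added example (this is not the article's code or any vendor's tooling; the audit line format, users, capability names and 90-day review window are constructed assumptions, not any platform's real record layout):

```python
"""Turn native audit telemetry into per-capability usage evidence for access
certification. Added example; the log format, users and capability names are
constructed, not any platform's real record layout."""
import re
from datetime import datetime, timedelta

# Constructed audit lines: timestamp then key=value fields, one event per line.
AUDIT_LOG = """\
2024-01-15T08:02:11Z user=alice action=ap.invoice.enter entity=INV-0900 result=success
2024-02-20T10:41:03Z user=alice action=ap.invoice.enter entity=INV-0977 result=success
2024-03-04T09:12:51Z user=bob action=ap.invoice.approve entity=INV-0977 amount=4200.00 result=success
2024-03-04T09:13:20Z user=bob action=ap.invoice.approve entity=INV-0981 amount=25000.00 result=denied
2023-11-02T14:00:00Z user=alice action=payroll.submit entity=ENT-7 result=success
"""

# Capability -> the business actions it covers; standing grants per user (constructed).
CAPS = {"ap.enter": {"ap.invoice.enter"}, "ap.approve.small": {"ap.invoice.approve"},
        "payroll.submit": {"payroll.submit"}, "payroll.release": {"payroll.exception.release"}}
GRANTS = {"alice": {"ap.enter", "payroll.submit", "payroll.release"}, "bob": {"ap.approve.small"}}

def parse_line(line):
    """One audit line -> dict, or None for lines that do not fit the format."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    rec.update(re.findall(r"(\w+)=(\S+)", parts[1]))
    return rec

def summarize(log_text):
    """(user, action) -> counts of successful and denied uses, first and last seen."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "user" not in rec or "action" not in rec:
            continue
        s = out.setdefault((rec["user"], rec["action"]),
                           {"success": 0, "denied": 0, "first": rec["ts"], "last": rec["ts"]})
        s["success" if rec.get("result") == "success" else "denied"] += 1
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
    return out

def certification_sheet(grants, caps, summaries, now, window=timedelta(days=90)):
    """Per (user, capability): evidence of use inside the review window plus a recommendation."""
    cutoff, sheet = now - window, {}
    for user, cap_names in grants.items():
        for cap in sorted(cap_names):
            succ = den = 0
            last = None
            for action in caps[cap]:
                s = summaries.get((user, action))
                if not s:
                    continue
                succ, den = succ + s["success"], den + s["denied"]
                last = s["last"] if last is None else max(last, s["last"])
            if succ == 0:
                rec = "revoke-candidate: never used" if last is None else "revoke-candidate: only denied attempts"
            elif last < cutoff:
                rec = "revoke-candidate: unused for %d days" % (now - last).days
            else:
                rec = "certify"
            sheet[(user, cap)] = {"success": succ, "denied": den, "last_used": last, "recommendation": rec}
    return sheet

def demo_sheet(now=datetime(2024, 3, 31)):
    """Run the constructed log through the pipeline as of a fixed review date."""
    return certification_sheet(GRANTS, CAPS, summarize(AUDIT_LOG), now)
```

The sheet is keyed by the same (user, capability) pairs an approver is asked to certify, so each line carries its own evidence: how often the capability was exercised, whether attempts were denied (an over-limit approval attempt is itself worth a look), and when it was last used. Denied attempts never count as use, so a capability that only ever produced denials is flagged as a revocation candidate rather than silently recertified.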
Practical Illustrations
Organizations can adopt the model by defining capabilities for their critical processes. In accounts payable, for example, instead of granting broad transaction access, one capability allows approval of invoices below a dollar threshold, larger amounts are handled through just-in-time elevation, and a sequence rule ensures that nobody can approve an invoice they entered themselves.
Conclusion
The transition to capability-centric governance is not just about adopting new tools; it requires a fundamental shift in thinking. By focusing on what users can actually do within legacy systems, organizations can regain control over access governance, enhance security, and align technical controls with business intent. This approach not only clarifies access but also restores accountability in the governance process.
Pro insight: Adopting capability-centric governance can significantly reduce standing privileges and improve compliance in legacy systems by aligning access with actual business actions.