myDRE and IAM

Current implementation

Every user will get their own @mydre.org username.

Security - every user is subject to the same policies
  1. No guest accounts
  2. Multi-Factor Authentication (MFA) is required at least every 24 hours
  3. Trusted devices cannot be created, so MFA can never be skipped on a remembered device

Access - to myDRE and to a Workspace is segregated
  1. A @mydre.org username allows access to myDRE
  2. A @mydre.org username allows being invited into a Workspace; without an explicit invitation, Workspaces are not accessible

Authentication - federated per Workspace
  1. An Accountable can invite people with their @mydre.org username in the role Privileged Member/Owner or Member
  2. Privileged Members/Owners can invite and manage, on behalf of the Accountable, other people
  3. In effect, the Accountable and Privileged Members/Owners are empowered to identify and authorize for their Workspaces
    1. In effect, identification and authorization are federated per Workspace: anDREa authenticates the @mydre.org username, and the Workspace's Accountable and Privileged Members/Owners decide who is admitted and in which role
Scope - only myDRE
  1. The @mydre.org username is a username, not an (email) account, and cannot be used beyond myDRE.org
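The two-level access model above (a @mydre.org username opens the portal, a Workspace opens only on explicit invitation issued from inside that Workspace) as an added Python example. This is not anDREa's code: the role names, the `CAN_INVITE` set, the function names and the usernames are my own constructed encoding of the rules on this page.

```python
"""Toy policy model of myDRE access (illustrative; not anDREa's implementation).

Rules encoded:
  * only @mydre.org usernames exist; there are no guest accounts
  * being a myDRE user does not grant access to any Workspace
  * only the Accountable and Privileged Members/Owners of a Workspace can invite
    or remove people, and only into the Member or Privileged Member/Owner role
  * that authority is scoped to the Workspace it was granted in
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ACCOUNTABLE = "Accountable"
    PRIVILEGED = "Privileged Member/Owner"
    MEMBER = "Member"


# Hypothetical encoding of the page's rule: these roles may invite/manage others.
CAN_INVITE = {Role.ACCOUNTABLE, Role.PRIVILEGED}


class AccessError(PermissionError):
    """Raised when an action is not permitted by the Workspace policy."""


@dataclass
class Workspace:
    name: str
    accountable: str
    members: dict = field(default_factory=dict)  # username -> Role

    def __post_init__(self) -> None:
        if not is_mydre_user(self.accountable):
            raise AccessError("the Accountable must be a @mydre.org username")
        self.members[self.accountable] = Role.ACCOUNTABLE


def is_mydre_user(username: str) -> bool:
    """True only for a non-empty local part at the mydre.org domain."""
    local, sep, domain = username.rpartition("@")
    return sep == "@" and local != "" and domain.lower() == "mydre.org"


def invite(ws: Workspace, inviter: str, invitee: str, role: Role) -> None:
    """Add `invitee` to `ws` in `role`, if `inviter` holds invitation authority there."""
    if not is_mydre_user(invitee):
        raise AccessError(f"{invitee!r} is not a @mydre.org username; no guest accounts")
    # Authority is looked up in THIS Workspace only: an Owner elsewhere has none here.
    if ws.members.get(inviter) not in CAN_INVITE:
        raise AccessError(f"{inviter} may not invite into Workspace {ws.name}")
    if role is Role.ACCOUNTABLE:
        raise AccessError("the Accountable is fixed at creation, not assigned by invitation")
    ws.members[invitee] = role


def revoke(ws: Workspace, revoker: str, username: str) -> None:
    """Remove a person from `ws`; the Owners decide 'for how long' someone has access."""
    if ws.members.get(revoker) not in CAN_INVITE:
        raise AccessError(f"{revoker} may not manage members of Workspace {ws.name}")
    if username == ws.accountable:
        raise AccessError("the Accountable cannot be removed from their own Workspace")
    ws.members.pop(username, None)


def can_access(ws: Workspace, username: str) -> bool:
    """Workspace access requires both a myDRE identity and explicit membership."""
    return is_mydre_user(username) and username in ws.members


def demo() -> dict:
    """Walk through the scenarios the page describes; returns the observed outcomes."""
    ws_a = Workspace("A", "alice@mydre.org")
    ws_b = Workspace("B", "bob@mydre.org")
    invite(ws_a, "alice@mydre.org", "carol@mydre.org", Role.PRIVILEGED)
    invite(ws_a, "carol@mydre.org", "dave@mydre.org", Role.MEMBER)  # on Alice's behalf

    def denied(fn, *args) -> bool:
        try:
            fn(*args)
        except AccessError:
            return True
        return False

    return {
        "dave_in_A": can_access(ws_a, "dave@mydre.org"),
        "dave_in_B": can_access(ws_b, "dave@mydre.org"),          # no invitation -> no access
        "member_cannot_invite": denied(invite, ws_a, "dave@mydre.org", "eve@mydre.org", Role.MEMBER),
        "owner_of_A_cannot_invite_into_B": denied(invite, ws_b, "carol@mydre.org", "eve@mydre.org", Role.MEMBER),
        "no_guest_accounts": denied(invite, ws_a, "alice@mydre.org", "someone@gmail.com", Role.MEMBER),
        "dave_after_revoke": (revoke(ws_a, "alice@mydre.org", "dave@mydre.org"), can_access(ws_a, "dave@mydre.org"))[1],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the model is the lookup in `invite`: authority is read from the target Workspace's own member table, never from a global role, which is what makes the delegation "federated per Workspace".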


Explaining why federated access currently is not supported

anDREa uses its own Azure Active Directory (AAD) tenant and security settings to ensure:
  1. A smooth and predictable user experience
    In a previous version we used Microsoft's Azure AD B2B (guest account) solution; however, this resulted in the following issue:
    1. Some organizations mask the UPN, so the B2B solution cannot work with the deeper Microsoft Azure functionalities, leaving users no choice but to use a private email address (Hotmail, Gmail, etc.)
  2. Unburdening HR and IT
    1. To collaborate in a Workspace it is not necessary to have a Tenant account
    2. No lifecycle management is needed on 'guest' accounts with respect to collaborating in a Workspace
  3. Each Workspace is protected with the same level of security with respect to user access
    1. We have found that the security requirements on account access differ greatly; some organizations:
      1. Do not require MFA
      2. Allow the creation of trusted devices

The ability to collaborate is key in what anDREa offers. Having an account on anDREa is a requirement to collaborate. However, it is the Owner(s) of a Workspace who determine who has access to their Workspace, in what role, and for how long.

Future

anDREa is looking into federated solutions like SRAM. When considering solutions like these, anDREa evaluates the ideas/solutions on being:
  1. Sustainable (including dev team commitment)
  2. Affordable
  3. Scalable (organizational implementation/configuration does not impact the working of anDREa services)
  4. Minimally compliant with the Security Policy of anDREa

