Background
As a licensed digital Peer-to-Peer Lending platform in South East Asia, Funding Societies | Modalku Group is subject to several regulatory requirements.
One such requirement relates to the critical security domain of Identity & Access Management (IAM). As per Gartner:

IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Three fundamental IAM principles for protecting information systems (or simply, systems) are:
- Never alone principle: Some system functions and procedures may be so critical and sensitive that they should be carried out by more than one person simultaneously, or performed by one person and checked by another.
- Segregation of duties principle: Responsibilities and duties (such as access control administration; systems design and development; operating systems functions; etc.) should be separated and performed by different groups of employees. Job rotation and cross-training for security administration functions should also be established.
- Access control principle: Access rights and system privileges should be based only on job responsibility and the need for users to have them in order to fulfil their duties, and not based on users’ rank or position.
With these principles in mind, and as a FinTech operating on a controlled budget that must comply with regulatory requirements, our challenge was to come up with a cost-effective solution that lets users access systems only on a need-to-use basis, only for the period during which the access is required, and in an auditable manner.
Our Approach
We were able to address the challenge by firstly coming up with the Identity & Access Request Process flow below, which ensures that two individuals — viz. the user’s line manager and the system owner — have duly authorised and approved a user’s request to access a system:
Depending on how departments / teams are organised, the owner of a system could either be an individual having any of the aforementioned responsibilities for the system, or an individual who holds the owner account for the system (e.g., in the case of a Software as a Service (SaaS) subscription).

The roles and responsibilities of stakeholders in the process are as follows:
Secondly, we leveraged Atlassian’s Jira, which was already being extensively used in the company for issue tracking and project management (hence, no additional cost!), to implement the Identity & Access Request workflows.
Solution Implementation in Jira
A new Jira Software project was set up and configured with a new issue type to capture access requests pertaining to:
- User Account Provisioning, when there is a need to register and grant access rights for new users of a system.
- User Account Modification, when there is a need to change and update existing user access rights in a system.
- User Account De-provisioning, when there is a need to revoke the access rights of users who no longer need access to a system.
Custom fields were created, such as User(s) for whom Access is Required; Type of Access Request; System to which Access is Required; etc., and the create access request screen was defined as per the image below:
In addition to the fields that can be seen above, the access request form also has some additional custom fields for systems that require them, such as the Duration after which the Requested Access can be Automatically Revoked; Roles for which Access is Required; etc.
The System to which Access is Required custom field is the golden source of all systems used in the company.
For each system, the list of primary and delegate system owners, as well as primary and delegate ticket assignees, is maintained using user groups. This allows the delegate system owners / ticket assignees to take the required action on the access request in case the primary system owner / ticket assignee is unavailable.
Upon creation of an access request by a user:
- An integration, which has been developed internally with the company’s HR platform using the Jira REST API, will automatically fetch and populate the user’s line manager details in the access request.
- Automation rules comprising triggers, conditions, and actions, which have been configured in Jira, will automatically assign the access request to the respective system owner & delegate(s) and ticket assignee & delegate(s) as per the image below:
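The HR integration described above, as an added illustration that is not the company's own code: it reads the requester from the new issue, looks the line manager up in an HR directory (a constructed stand-in here), and builds the body of the Jira REST API `PUT /rest/api/2/issue/{key}` call that populates the line-manager user-picker field. The custom field id, the HR directory and the Jira Server-style `{"name": ...}` user reference are assumptions, and the refusal to populate a self-managed user is an added safeguard rather than a detail taken from the post.

```python
import base64
import json
import urllib.request

# Placeholder id of the "Line Manager" user-picker custom field (assumption).
LINE_MANAGER_FIELD = "customfield_10042"

# Constructed stand-in for the HR platform: username -> line manager username.
HR_DIRECTORY = {"alice": "bob", "bob": "carol", "solo": "solo"}


def line_manager_of(username, hr=HR_DIRECTORY):
    """Return the line manager recorded for `username`, or None if unknown."""
    return hr.get(username)


def build_line_manager_update(issue, hr=HR_DIRECTORY):
    """Build the PUT body that fills the line-manager field of a new request.

    Returns None when HR has no manager for the requester or lists the
    requester as their own manager; the field is then left empty, so the
    automation rule that checks for a non-empty line manager will not
    advance the request and nobody can approve their own access.
    """
    requester = issue["fields"]["reporter"]["name"]
    manager = line_manager_of(requester, hr)
    if manager is None or manager == requester:
        return None
    return {"fields": {LINE_MANAGER_FIELD: {"name": manager}}}


def update_issue(base_url, key, body, user, api_token):
    """Send the update to Jira with basic auth (network call, not run offline)."""
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/rest/api/2/issue/{key}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Jira answers 204 No Content on success


# Constructed sample of the issue JSON an issue-created webhook would deliver.
SAMPLE_ISSUE = {"key": "IAR-17", "fields": {"reporter": {"name": "alice"}}}
```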
Next, a workflow using statuses and transitions was created to mirror the Identity & Access Request Process:
1. When a user submits an access request, it gets created in the BACKLOG status.
2. An automation rule checks that the values for the user’s line manager, system owner and ticket assignee are not empty, and automatically transitions the access request to the PENDING LINE MANAGER’S APPROVAL status:

Additionally, another automation rule notifies the user’s line manager that the access request is pending his/her approval by adding a comment in the request itself as well as by sending an email to him/her:
3a. If the user’s line manager decides to reject the access request, it moves to the REJECTED status. (NOTE: A condition has been added to the Reject transition to ensure that only the user’s line manager, and nobody else, can reject the access request.)
3b. If the user’s line manager approves the access request, it moves to the PENDING SYSTEM OWNER’S APPROVAL status. The same condition as in the above step has been added to the Approve transition.

Once the user’s line manager has approved the access request, an automation rule notifies the system owner that the access request is pending his/her approval by adding a comment in the request itself as well as by sending an email to him/her.
4. The Approve and Reject transitions going out from the PENDING SYSTEM OWNER’S APPROVAL status have been configured with a condition that they can be carried out either by the primary or delegate system owner(s) only, and by nobody else:

Condition to ensure that Either the Primary or Delegate System Owner(s) can Execute the Transition in Jira

If the primary or delegate system owner(s) decide to:
- Reject the access request, it moves to the REJECTED status.
- Approve the access request, it moves to the IN PROGRESS status and Jira automatically notifies the primary ticket assignee about the same.
5. Here again, the Done transition going out from the IN PROGRESS status has been configured with a condition that it can be carried out either by the primary or delegate ticket assignee(s) only, and by nobody else. This transition will move the access request into the DONE status.
6. For an access request that is in the REJECTED status, if the user who raised the access request and/or the user(s) for whom the access has been requested would like to resubmit it (perhaps after modifying some information in it), they can execute the REOPEN transition to move the access request back into the BACKLOG status, which kicks off the workflow from the start again.
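The six workflow steps above, modelled as an added example (not the Jira configuration itself) so the transition conditions can be checked: each transition is bound to the role allowed to execute it, the automation-only Start transition refuses a request whose line manager, system owner or assignee field is empty, and every executed transition is recorded as an audit trail. The role names, the `jira-automation` actor and the in-memory model are assumptions; in Jira these conditions live on the transitions and the user groups.

```python
from dataclasses import dataclass, field
from typing import Optional

# (current status, transition name) -> (next status, role allowed to execute it)
TRANSITIONS = {
    ("BACKLOG", "Start"): ("PENDING LINE MANAGER'S APPROVAL", "automation"),
    ("PENDING LINE MANAGER'S APPROVAL", "Approve"): ("PENDING SYSTEM OWNER'S APPROVAL", "line_manager"),
    ("PENDING LINE MANAGER'S APPROVAL", "Reject"): ("REJECTED", "line_manager"),
    ("PENDING SYSTEM OWNER'S APPROVAL", "Approve"): ("IN PROGRESS", "system_owner"),
    ("PENDING SYSTEM OWNER'S APPROVAL", "Reject"): ("REJECTED", "system_owner"),
    ("IN PROGRESS", "Done"): ("DONE", "assignee"),
    ("REJECTED", "Reopen"): ("BACKLOG", "requester"),
}


@dataclass
class AccessRequest:
    requester: str                # user who raised the request
    users: set                    # User(s) for whom Access is Required
    line_manager: Optional[str]   # populated by the HR integration
    system_owners: set            # primary + delegate owners (Jira user group)
    assignees: set                # primary + delegate ticket assignees (user group)
    status: str = "BACKLOG"
    history: list = field(default_factory=list)  # audit trail of transitions

    def allowed_actors(self, role):
        """Users who may execute a transition guarded by the given role."""
        return {
            "automation": {"jira-automation"},
            "line_manager": {self.line_manager},
            "system_owner": set(self.system_owners),
            "assignee": set(self.assignees),
            "requester": {self.requester} | set(self.users),
        }[role] - {None}

    def transition(self, actor, name):
        """Execute transition `name` as `actor`, enforcing the workflow conditions."""
        key = (self.status, name)
        if key not in TRANSITIONS:
            raise ValueError(f"no '{name}' transition from {self.status}")
        to_status, role = TRANSITIONS[key]
        # Step 2: the automation rule only advances a request whose line manager,
        # system owner and ticket assignee values are all non-empty.
        if role == "automation" and not (self.line_manager and self.system_owners and self.assignees):
            raise ValueError("line manager, system owner and assignee must be set")
        if actor not in self.allowed_actors(role):
            raise PermissionError(f"{actor} may not execute '{name}' ({role} only)")
        self.history.append((self.status, name, actor, to_status))
        self.status = to_status
        return self.status
```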
Lastly, a Kanban board was set up, with the columns corresponding to the statuses of access requests, to easily visualise and manage them:

Filters can also be added to the board to easily view a required set of access requests, e.g. the logged-in user’s Requests to Approve as SysOwner or Requests Assigned to him/her:
Summary of Jira Features Utilised
For quick reference, here is a round-up of all the Jira features that have made the Identity & Access Request Workflows possible:
Benefits
Since the Identity & Access Request Workflows were set up in Jira, the process has been diligently followed across the company.
Importantly, we have not only been able to successfully replace other means of access requests that could not be audited / monitored / reported on (such as Slack channels, Google Forms, etc.), but have also been able to achieve wider productivity gains such as:
- Automating all access requests to all systems across the company.
- Saving a lot of productive time for all the stakeholders involved:
  - People who are requesting access
  - People who are approving the access (Line Managers and System Owners)
  - People who are provisioning it (IT Team and/or System Owner/Team)
  - People who are auditing (Security and Compliance teams)
Finally, as it only takes a few minutes to add / modify / remove a system and/or system owner information in Jira, it is very easy to manage and scale the access request system with the needs of the company.
Thank you for reading this post! I hope that this will help you in setting up your Identity & Access Request workflows and/or other such workflows using Jira’s customisable workflow engine with ease. Do let me know your thoughts / suggestions in the Responses section below.
Thanks to Amarnath Ravikumar and Stuart Hammar.