312 lines
8.5 KiB
Org Mode
312 lines
8.5 KiB
Org Mode
:PROPERTIES:
|
||
:ID: 6b389575-42a7-4f0d-a7eb-e9bf6795a718
|
||
:END:
|
||
#+Title: XDR Monetization
|
||
#+Author: Yann Esposito
|
||
#+Date: [2023-07-12]
|
||
|
||
* Intro
|
||
|
||
** What?
|
||
|
||
- *Entitlements*: What the customer is paying for.
|
||
- *Access Rules*: What services should allow, restrict.
|
||
|
||
** Example
|
||
|
||
*** Entitlements:
|
||
|
||
- Tier: Essentials for 1000 /users/ (number of [[https://cisco.sharepoint.com/sites/SecurityPersonas/SitePages/prime-employee.aspx?csf=1&web=1&e=LcTwTp][Lees]]).
|
||
- Extra Data Retention "add-on": 180 /days/
|
||
- Extra Ingest "add-on": 2 /GB/
|
||
|
||
*** Access Rule example:
|
||
|
||
- *Total Ingest*: 4000GB (1000 user × (2GB + 2GB))
|
||
- *Time to Keep Data*: 180 days (yes, *extra* might not mean what we could expect)
|
||
|
||
ref: https://wwwin-github.cisco.com/cisco-sbgidm/docs/blob/master/provisioning/xdr/xdr-ga.md#entitlements
|
||
|
||
** How?
|
||
|
||
Entitlement represent what the customer pays for.
|
||
PIAM creates and updates them.
|
||
|
||
#+begin_src plantuml :file xdr-monetization-piam-entitlements.png
|
||
PIAM -> IROH : enterprise_id,Entitlements
|
||
Any -> IROH : /iroh/profile/entitlements
|
||
IROH -> Any : Entitlements
|
||
PIAM -> IROH : update Entitlements
|
||
Any -> IROH : /iroh/profile/entitlements
|
||
IROH -> Any : Entitlements
|
||
#+end_src
|
||
|
||
#+RESULTS:
|
||
[[file:xdr-monetization-piam-entitlements.png]]
|
||
|
||
** Also Entitlement Summary
|
||
|
||
IROH exposes an API to retrieve an ~EntitlementSummary~.
|
||
A data structure easier to consume than the list of entitlements.
|
||
|
||
#+begin_src plantuml :file xdr-monetization-piam-entitlement-summary.png
|
||
PIAM -> IROH : enterprise_id,Entitlements
|
||
Any -> IROH : /iroh/profile/whoami
|
||
IROH -> Any : enterprise_id,EntitlementSummary
|
||
PIAM -> IROH : update Entitlements
|
||
Any -> IROH : /iroh/profile/whoami
|
||
IROH -> Any : enterprise_id,EntitlementSummary
|
||
#+end_src
|
||
|
||
#+RESULTS:
|
||
[[file:img/piam-entitlement-summary.png]]
|
||
|
||
* Entitlements (technically)
|
||
|
||
Example of a list of ~Entitlements~ sent by PIAM to IROH:
|
||
|
||
** Just the Tier, no add-on:
|
||
|
||
#+begin_src js
|
||
[{"name" "tier",
|
||
"value" "advantage",
|
||
"quantity" {"value" 1000, "unit" "users"},
|
||
"enforce-quantity" true}]
|
||
#+end_src
|
||
|
||
|
||
** Tier with add-ons
|
||
|
||
#+begin_src js
|
||
[{"name":"tier",
|
||
"value":"essentials",
|
||
"quantity":{"value":1000, "unit":"users"},
|
||
"enforce-quantity":true},
|
||
{"name":"extra_ingest",
|
||
"value":"",
|
||
"quantity":{"value":2, "unit":"GB"},
|
||
"enforce-quantity":true},
|
||
{"name":"extra_data_retention",
|
||
"value":"",
|
||
"quantity":{"value":180, "unit":"days"},
|
||
"enforce-quantity":true}]
|
||
#+end_src
|
||
|
||
** PIAM Doc
|
||
|
||
From [[https://wwwin-github.cisco.com/cisco-sbgidm/docs/blob/master/provisioning/xdr/xdr-ga.md#entitlements][Paul Chichonski's doc]]
|
||
|
||
https://wwwin-github.cisco.com/cisco-sbgidm/docs/blob/master/provisioning/product-spec.md#multi-valued-attributes
|
||
|
||
*** Entitlements
|
||
|
||
- ~entitlements~ -- A list of entitlements the tenant is allowed to use. Each item in
|
||
the list is an object with the following fields:
|
||
|
||
#+begin_src js
|
||
[{"name":"tier",
|
||
"value":"essentials",
|
||
"quantity":{"value":1000, "unit":"users"},
|
||
"enforce-quantity":true},
|
||
{"name":"extra_ingest",
|
||
"value":"",
|
||
"quantity":{"value":2, "unit":"GB"},
|
||
"enforce-quantity":true}]
|
||
#+end_src
|
||
|
||
*** name
|
||
|
||
- ~name~ -- The name of the entitlement (defined as part of the entitlement
|
||
controlled vocabulary between PIAM and the product)
|
||
|
||
*** value
|
||
|
||
- ~value~ -- Some entitlements will have a string value that serves to qualify the
|
||
entitlement. For example an entitlement with ~name=tier~ may have three
|
||
different manifestations if there are three different tiers (e.g., ~{"name":
|
||
"tier", "value": "essentials"}~, ~{"name": "tier", "value": "primary"}~,
|
||
~{"name": "tier", "value": "advantage"}~)
|
||
|
||
*** quantity
|
||
|
||
- ~quantity~ -- Some entitlements will have numeric quantity associated with the
|
||
entitlement, this represents the amount of this entitlement the tenant is
|
||
permitted to consume. Each quantity field will contain an object with the
|
||
following values:
|
||
- ~value~ - The number holding the actual quantity.
|
||
- ~unit~ - A string representing what unit to use when interpreting the quantity.
|
||
|
||
*** quantity_enforced
|
||
|
||
- ~quantity_enforced~ -- A boolean field, if ~true~ it means that the product
|
||
should enforce the allocated quantity of the entitlement for this tenant. It
|
||
is up to the product to determine how to do this. Cases where this will be
|
||
~false~ are if the customer purchased via a buying program that supports a
|
||
"pay as you go" pricing model.
|
||
|
||
* Entitlement Summary
|
||
|
||
The Entitlement Summary provides a data-structure easier to consume
|
||
than the entitlements list.
|
||
|
||
- A JSON Object instead of list.
|
||
- Additional technically useful entries.
|
||
|
||
** Structure
|
||
|
||
The main structure of the ~EntitlementSummary~ is:
|
||
|
||
#+begin_src
|
||
{<entitlement-name>: <entitlement-details>}
|
||
#+end_src
|
||
|
||
Where ~<entitlement-details>~ looks like:
|
||
|
||
#+begin_src js
|
||
{"title": "something", // <- optional instead of value:""
|
||
"quantity": Integer,
|
||
"unit": "human-readable-unit",
|
||
"enforce?": Boolean}
|
||
#+end_src
|
||
** Tier-only Entitlement
|
||
|
||
When PIAM send this list of ~Entitlements~:
|
||
|
||
#+begin_src js
|
||
[{"name" : "tier",
|
||
"value" : "advantage",
|
||
"quantity" : {"value" : 32000,
|
||
"unit" : "users"},
|
||
"enforce-quantity" : true}]
|
||
#+end_src
|
||
|
||
** The ~EntitlementSummary~ will look like this:
|
||
|
||
#+begin_src js
|
||
{"tier" : {"title" : "advantage",
|
||
"quantity" : 32000,
|
||
"unit" : "users",
|
||
"enforce?" : true}}
|
||
#+end_src
|
||
|
||
** With Add-ons
|
||
|
||
If PIAM send a list of ~Entitlements~ with add-ons:
|
||
|
||
#+begin_src js
|
||
[ {"name" : "tier",
|
||
"value" : "premier",
|
||
"quantity" : {"value" : 1000, "unit" : "users"},
|
||
"enforce-quantity" : true},
|
||
{"name" : "extra_ingest",
|
||
"value" : "",
|
||
"quantity" : {"value" : 2, "unit" : "GB"},
|
||
"enforce-quantity" : true},
|
||
{"name" : "extra_data_retention",
|
||
"value" : "",
|
||
"quantity" : {"value" : 180, "unit" : "days"},
|
||
"enforce-quantity" : true}]
|
||
#+end_src
|
||
|
||
** The ~EntitlementSummary~ will be:
|
||
|
||
#+begin_src js
|
||
{"tier": {"title": "premier",
|
||
"quantity": 1000,
|
||
"unit": "users",
|
||
"enforce?": true},
|
||
"extra_data_retention": {"quantity": 180,
|
||
"unit": "days",
|
||
"enforce?": true},
|
||
"extra_ingest": {"quantity": 2,
|
||
"unit": "GB",
|
||
"enforce?": true}}
|
||
#+end_src
|
||
|
||
** ~Entitlements~ consumption in js
|
||
|
||
#+begin_src js
|
||
function get_entitlement_tier (entitlements) {
|
||
for (entitlement in org.entitlements) {
|
||
if (entitlement.name == "tier") {
|
||
return entitlement.title;
|
||
}
|
||
}
|
||
}
|
||
let tier = get_entitlement_tier (entitlements);
|
||
#+end_src
|
||
|
||
** EntitlementSummary consumption in js
|
||
|
||
#+begin_src js
|
||
let tier = whoami.org["entitlement-summary"].tier.title;
|
||
#+end_src
|
||
|
||
** More to come
|
||
|
||
*** IROH Internal
|
||
|
||
But we plan to add more technical specific values so it helps every Entitlement consumer.
|
||
That way it would make possible to share between product specific technical values.
|
||
|
||
For example, we plan to add:
|
||
- a list of allowed modules.
|
||
- an optional list of additional scopes
|
||
- rate limits
|
||
|
||
*** XDR global values
|
||
|
||
If you want us to add some information, so we could centralize some logic
|
||
related to entitlement into IROH just ask us to add it.
|
||
Ideally, this should only contain data that could be shared between different modules.
|
||
For example:
|
||
|
||
- allowed workflows, or allowed properties for workflows
|
||
- specific limitations for a specific module (read-only, etc…)
|
||
|
||
*** Example
|
||
|
||
#+begin_src js
|
||
{"tier": {"title": "premier",
|
||
"quantity": 1000,
|
||
"unit": "users",
|
||
"enforce?": true},
|
||
"extra_data_retention": {"quantity": 180,
|
||
"unit": "days",
|
||
"enforce?": true},
|
||
"extra_ingest": {"quantity": 2,
|
||
"unit": "GB",
|
||
"enforce?": true},
|
||
// ---- SUMMARY OF TECHNICAL LIMITS
|
||
"summary" {...}}
|
||
#+end_src
|
||
|
||
*** Summary
|
||
|
||
|
||
#+begin_src js
|
||
{// ---- SUMMARY OF TECHNICAL LIMITS
|
||
"summary" {
|
||
// PIAM Logic
|
||
"data-retention-in-days": 180, // use extra_data_retention + tier
|
||
"data-maximal-size-in-GB": 4000, // use extra_ingest + tier quantity
|
||
// IROH Internal
|
||
"additional-scopes": [ ... ], // depends on the tier
|
||
"allowed-modules": [ ... ], // depends on the tier
|
||
// XDR Shared Global Rules
|
||
"restricted-workflows": [...], // depends on the tier (or something else)
|
||
"rate-limits": // can change depending on the tier
|
||
{"sca": {"queries-per-minutes": "100"},
|
||
"sxo": {"queries-per-minutes": "80"},
|
||
"csc": ...},
|
||
...
|
||
}
|
||
}
|
||
#+end_src
|
||
|
||
* Conclusion
|
||
|
||
- tier? ~GET /iroh/profile/whoami~
|
||
then ~whoami.org["entitlement-summary"].tier.title~
|
||
- Summary only: ~GET /iroh/profile/entitlement-summary~
|
||
- raw entitlements: ~GET /iroh/profile/entitlements~
|