We've just released RASON V2021 with support for new Organization Accounts. This isn't for every RASON user, but it's quite important for two common use cases:
- A company has a group of modelers, creating multiple analytic models, who may need to collaborate on the same model. Models move from development to testing to deployment for production use.
- A company has a need for "isolation", or it just doesn't like the idea of using a multi-tenant cloud-based system like RASON; they think "maybe we should run a private copy of RASON ourselves".
These concerns are often felt by the IT department, or an "Analytics Center of Excellence" that is seeking to improve the use of analytic methods and modeling throughout the firm.
RASON Without Organization Accounts
Like most cloud-hosted, multi-tenant systems, RASON manages accounts for users from many different organizations in a common Azure Storage Account, isolating each user’s models and data from other users based on their RASON sign-on credentials. Models are solved using Frontline’s Azure virtual CPUs or “App Services”, which Microsoft bills to Frontline Systems. The cluster of CPUs is “auto-scaled” based on demand from all RASON users that varies over time; users don't have to worry about "provisioning" CPU resources, and they benefit from economies of scale.
Each user account is independent of, and isolated from every other user account; this independence is enforced by the RASON Server, which acts as the “master identity” using Azure resources whenever a model is created, updated, solved or deleted. Since user accounts are isolated, users cannot see other user’s models, or collaborate on the same model. A user logs in to RASON.com with an email address and password, or using their “Microsoft account”.
RASON With Organization Accounts
When a company uses a RASON Organization Account, each RASON user within the company “belongs to” the Organization Account; users must login to RASON.com using the Microsoft Identity Platform (they simply click a button to do this) and are authenticated using the company’s own Azure Active Directory, i.e. their “work or school account”.
The RASON Server still provides the virtual CPUs or “App Services” used to solve models and decision flows, which Microsoft bills to Frontline Systems. But the company’s models and data are maintained privately in the company’s own Azure Storage Account, isolated from all other RASON users. Within this Azure Storage Account:
- Each user has a unique “container” for their personal models and data (automatically created by RASON), but the company’s IT staff or central analytics group can create additional Azure containers for models and data that should be shared among users for collaboration purposes, treated as “development” or “production”, etc.
- Further, using standard Azure Role-Based Access Control (RBAC), the company can assign “roles” to different users that give them selective access to these containers and their models and data. Users will then be able to “see” the containers they can access (read-only or read/write) in the RASON Model Editor, and easily create, update or delete models within those containers in accordance with their roles. Roles may be assigned using Azure Portal, Azure Powershell, or even Azure CLI and REST endpoints.
- Role-Based Access Control is enforced every time a RASON model is created, updated, solved or deleted. For example, when models are solved, or results are accessed from a running application, the request includes an Authorization header with an API token, created in RASON.com by a properly authenticated user. On each new REST API request, the RASON Server will access the company's Azure Storage Account, using the Azure identity (and limited access rights) of the user and role used to create the API token.
We frequently see analytic modeling projects started by "line of businesses users" who aren't part of IT or a central analytics group. These users are focused on (and have the business domain knowledge to recognize and solve) their own problem with an analytic model -- but issues such as model versioning and maintenance over time, monitoring model performance, and ensuring information security are often not part of their focus or expertise.
The good news is that if the project uses RASON, all the software support needed to deal with those issues is already present. So if and when IT becomes involved later, they won't have to "do it over": As long as IT is comfortable using Azure, they'll find RASON not only powerful and easy for model creation and testing, but also powerful and easy for model deployment, maintenance, monitoring, and security.
Indeed, for model deployment using "low-code / no-code" tools like Power BI, Power Apps, Power Automate, Teams, and Dynamics 365, we believe RASON is "best in class". Contact us to learn more.