Mayonnaise, roles, and just getting started
November 8th, 2007 by Corbin H. Links

Hello Everyone:

A major topic within our industry is Role Management/Engineering/Modeling/etc. So much has been written on the subject that it can be difficult for true enterprise-grade organizations to separate fact from fiction and find a starting point. What we tend to see all too often is clients who feel they are being compelled down the road to Separation of Duties (SoD), Role Based Access Control (RBAC), Role Based Management Frameworks, et al. by external forces. Coupled with the deluge of available vendor documentation, the process of developing and using a roles framework can seem daunting or outright unachievable. Which model to use? Top down? Bottom up? Hybrid? Automated mining and mapping? In this article, I will attempt to share a few guidelines which may prove useful to organizations struggling to take control of their role infrastructure.
Why Roles?
To answer in the negative, “why not roles”: roles should not be created in response to pressures external to your organization. If an outside auditor has to tell you that you need roles, compliance, and separation of duties, then you have bigger organizational challenges to worry about. On the bright side, organizations do already have roles in place, in some form. The real issue is mapping the relationships between people and roles, roles with other roles, and roles to the organization.
To answer in the positive, use roles to model and understand your business. Use roles to manage appropriateness of access. Use roles to streamline process, reduce time to market, and reduce risk. Use roles to standardize your business. Use roles to manage application entitlements.
What is a role?
A group of tasks that can achieve a consistent result or results. For example, an HR Administrator has a certain set of tasks that she performs every day, which result in people being hired or right-sized. These tasks can be collectively grouped into a role, or role definition which can be assigned to an individual, or a grouping of people. Roles should be thought of as collections of business tasks, irrespective of access control requirements. (We’ll get to that later.)
What is a group?
A group is a collection of people or objects (printers, computers, etc.) that are grouped together for the purpose of host or system-specific permissions controls. Examples include Microsoft Active Directory groups, UNIX groups and group files, and permissions groups in Database Management Systems. Groups, or large collections of groups, are often used to implement quasi-role definitions within host devices, applications, and operating systems. NOTE: Most organizations use large collections of groups to define singular roles.
Types of Roles
Links Business Group LLC recognizes two broad categories of roles:
- Business/HR Roles (May be referred to as functional roles or coarse-grained roles as well)
- Application/Resource Roles (May be referred to as structural roles)
Business/HR Roles are generally defined by classifications from the business HR system, such as SAP or Oracle. Examples might include “Payroll Clerk” or “Investments Analyst.” These roles can be viewed as the “top” in the “Top Down” role modeling approach. “Top Down” is considered strategic.
Application/Resource Roles are generally defined as collections of policies or permissions which determine access to applications or systems. These roles may also be viewed as the “bottom” as in the “Bottom Up” role engineering approach. “Bottom Up” is considered tactical.
Hybrid is used in different ways. In role modeling, it refers to a combination approach toward achieving an enterprise-wide Role Framework. Role information can be extracted from applications, operating systems, and other sources, while HR-based Roles are used as broad categorical definitions. Between the two, a middle ground is achieved.
Hybrid is also used to define individuals who may serve completely disparate roles within an organization. For instance, someone that is a Production Systems Administrator Monday through Thursday, and a QA Administrator Friday through Sunday.
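To make the two role categories and the hybrid individual concrete, here is an added Python example (not code from the original post or from Links Business Group) that models a business/HR role as a collection of application/resource roles, an application/resource role as a collection of host or system groups, and a person as a holder of one or more business roles. It also adds two checks a practitioner would want on top of such a model: a Separation of Duties check against declared conflict pairs, and a reconciliation of a person's actual directory groups against what their roles justify. Every role name, group name and conflict pair below is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRole:
    """Application/resource role: a named collection of host or system groups
    (AD groups, UNIX groups, DBMS permission groups) that implement it."""
    name: str
    groups: frozenset


@dataclass(frozen=True)
class BusinessRole:
    """Business/HR role (coarse-grained), named after an HR classification and
    realised through one or more application/resource roles."""
    name: str
    app_roles: frozenset


# Constructed application/resource roles (bottom of the hierarchy).
VPN = AppRole("remote-access", frozenset({"vpn-users"}))
PAYROLL_PROC = AppRole("sap-payroll-processor", frozenset({"sap_payroll_rw", "hr-fileshare"}))
PAYROLL_APPR = AppRole("sap-payroll-approver", frozenset({"sap_payroll_approve"}))
PROD_ADMIN = AppRole("prod-unix-admin", frozenset({"wheel", "prod-servers"}))
QA_ADMIN = AppRole("qa-unix-admin", frozenset({"qa-servers"}))

# Constructed business/HR roles (top of the hierarchy).
PAYROLL_CLERK = BusinessRole("Payroll Clerk", frozenset({VPN, PAYROLL_PROC}))
PAYROLL_MANAGER = BusinessRole("Payroll Manager", frozenset({VPN, PAYROLL_APPR}))
PROD_SYSADMIN = BusinessRole("Production Systems Administrator", frozenset({VPN, PROD_ADMIN}))
QA_SYSADMIN = BusinessRole("QA Administrator", frozenset({VPN, QA_ADMIN}))

# Constructed SoD policy: a person may not both process and approve payroll.
CONFLICTS = {frozenset({"Payroll Clerk", "Payroll Manager"})}


def expected_groups(business_roles):
    """Walk the hierarchy downwards: business roles -> app roles -> groups."""
    return frozenset(g for br in business_roles for ar in br.app_roles for g in ar.groups)


def sod_violations(business_roles, conflicts):
    """Return the declared conflict pairs that one person would hold at once."""
    held = {br.name for br in business_roles}
    return {pair for pair in conflicts if pair <= held}


def reconcile(actual_groups, business_roles):
    """Compare a person's actual directory groups with what their roles justify.
    'excess' is access nobody's role explains; 'missing' is access the roles
    call for but the directory does not grant."""
    expected = expected_groups(business_roles)
    actual = frozenset(actual_groups)
    return {"excess": actual - expected, "missing": expected - actual}


if __name__ == "__main__":
    # A hybrid individual: production admin four days a week, QA admin the rest.
    print(sorted(expected_groups([PROD_SYSADMIN, QA_SYSADMIN])))
    print(sod_violations([PAYROLL_CLERK, PAYROLL_MANAGER], CONFLICTS))
    print(reconcile({"vpn-users", "sap_payroll_rw", "hr-fileshare", "wheel"}, [PAYROLL_CLERK]))
```

The hybrid Production/QA administrator resolves to the union of both roles' groups and trips no conflict, because the model treats those as legitimately combinable; the payroll clerk who is also a payroll manager does trip one. The reconciliation step is where "appropriateness of access" becomes measurable: a clerk who also sits in `wheel` shows up as excess access that no business role explains.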
Approaches To Role Modeling
The following diagram depicts three primary role discovery and engineering practice models.
In our view, the hybrid model is the best for most situations. It really depends on how far along your organization is in the role discovery and engineering process. If you have clean data to work with, then you can start mining upwards while strategically defining roles downwards. On the other hand, if the process has not yet begun, then you may have to start at the bottom and “mine upwards” for a while to understand the true relationships between people, tasks, systems, and data. (Hint: Links Business Group LLC can help you with this…)
The Good News: You may be farther along than you think
Audit reports can be disheartening, daunting, and discouraging (not to mention extremely time-consuming and expensive). The key is to not let this temporary pain drive you toward more tactical solutions and one-off tool purchases. In general, tactical solutions will only lead you further away from a cohesive role framework, while ensuring that your audit pains will be ongoing. The good news is that most of your role information already exists. It exists in your HR databases and in various sources of identity such as databases and directory servers. Make plans today to go after the data in any way possible, while realizing that it may be necessary to break some existing processes to connect your data stores to one another and begin the extraction. This often results in two separate project threads: one thread to create a role model for today, the other thread to create a role model for tomorrow. You will need both, so plan accordingly.
What Do Enterprises Need to Do?
- Start with the end in mind. With role modeling, the end goal is to understand and improve your business, and how your employees, partners, suppliers, and clients interact with it. (Notice how I did not say “comply with an audit finding”)
- Centralize and clean your data. There are many strategies for this, but the primary thing is to get started and build a repository for understanding roles and role relationships. There are some great tools in the IAM space which can help make shorter work of this task (we can help you there too), but in the end it still must be viewed as a business process exercise, not a technical tools exercise. The data gleaned from this exercise will serve as the input to your future IAM-related projects, such as enterprise business process management (BPM) and centralized directory services.
- Start the top-down portion with your job titles, job codes, or related terms as they pertain to your HR classifications. This helps get you to the “To Be” or desired “Future State.” These coarse-grained roles will help define the finer-grained roles and application entitlements required by your software and computer systems.
- Be strategic when mining from the bottom up. Role mining, mapping, and reporting is a significant endeavor (read: thousands of hours and potentially dozens of resources) for the larger enterprises. Make the effort count, and plan to do it only once, while building in the flexibility to accommodate the constantly changing business climate. There are some great tools which can dramatically reduce the work required for role mining, engineering, and management.
- By all means implement short-term tactical solutions to solve current audit emergencies, but do not build in new reliance on these tools. Remember, most organizations have issues because they have too many role tools, not too few.
- Once the models are discovered, designed, and ready for implementation, stop and understand what your existing IAM infrastructure can provide and what it cannot. The gap between provisioning, auditing, compliance, role mining, integration, and access management tools can be quite significant. Provisioning and Access Management solutions can help spread the mayonnaise (see below), but may not help you to extract and build a solid enterprise role model.
- Design your roles hierarchy into a centralized Directory Service. In most cases, enterprise roles come long after the initial Directory Service has been designed and implemented. Take this opportunity to build a role-centric model into a new enterprise directory service.
- Publish the roles, and make them easily accessible, relevant, and reusable. See the previous point. Publishing roles in the form of Directory Services, databases, and web services (just to name a few) will help ensure longevity of the new model while promoting consistent security frameworks within the organization.
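The top-down and bottom-up steps above are easier to reason about with a small worked example. The following Python is an added example, not code from the original post or from Links Business Group, and all users, groups and job codes in it are constructed. It takes two extracts a real project would pull from the data stores mentioned earlier: a directory extract of user-to-group membership (the "bottom") and an HR extract of user-to-job-code (the "top"). The first function mines candidate roles purely bottom-up by clustering users with identical group sets; the second does the hybrid step, deriving each job code's core entitlement as the groups all its holders share and flagging anything beyond that core as an exception for review.

```python
from collections import defaultdict

# Constructed directory extract: user -> host/system groups. Not real data.
MEMBERSHIP = {
    "alice": {"sap_payroll_rw", "hr-fileshare", "vpn-users"},
    "bob":   {"sap_payroll_rw", "hr-fileshare", "vpn-users"},
    "carol": {"sap_payroll_rw", "hr-fileshare", "vpn-users", "db_prod_admin"},
    "dave":  {"market-data", "invest-fileshare", "vpn-users"},
    "erin":  {"market-data", "invest-fileshare", "vpn-users"},
}

# Constructed HR extract: user -> job code (the coarse-grained, top-down view).
JOB_CODES = {
    "alice": "PAYROLL_CLERK", "bob": "PAYROLL_CLERK", "carol": "PAYROLL_CLERK",
    "dave": "INVEST_ANALYST", "erin": "INVEST_ANALYST",
}


def mine_candidate_roles(membership):
    """Bottom-up mining: users holding exactly the same group set form one
    candidate role. Returns [(groups, sorted members)], ordered by first member."""
    clusters = defaultdict(list)
    for user, groups in membership.items():
        clusters[frozenset(groups)].append(user)
    return sorted(((g, sorted(u)) for g, u in clusters.items()), key=lambda c: c[1][0])


def derive_job_code_roles(membership, job_codes):
    """Hybrid: for each HR job code, the groups every holder has in common are
    the coarse-grained role's core entitlement. Groups a holder has beyond the
    core are reported as exceptions, which is where role engineering (or an
    access review) has to decide whether they belong in a finer-grained role."""
    holders = defaultdict(list)
    for user, code in job_codes.items():
        if user in membership:          # skip HR records with no directory account
            holders[code].append(user)
    result = {}
    for code, users in holders.items():
        core = frozenset.intersection(*(frozenset(membership[u]) for u in users))
        exceptions = {u: frozenset(membership[u]) - core
                      for u in users if set(membership[u]) - core}
        result[code] = {"core": core, "exceptions": exceptions}
    return result


if __name__ == "__main__":
    for groups, members in mine_candidate_roles(MEMBERSHIP):
        print(members, sorted(groups))
    for code, role in derive_job_code_roles(MEMBERSHIP, JOB_CODES).items():
        print(code, sorted(role["core"]), role["exceptions"])
```

Pure bottom-up clustering splits carol into a cluster of her own because her group set differs by one entry, which is exactly how role mining over raw group data produces far too many candidate roles. The hybrid pass instead anchors on the HR classification, recovers the same three-group core for all payroll clerks, and isolates `db_prod_admin` on carol as the one thing that needs a decision. On real extracts the same logic scales to thousands of users, but the data cleaning step the article insists on comes first: inconsistent job codes or stale directory accounts show up here as bogus cores and spurious exceptions.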
But what if I do need to comply with audit findings and enforce Separation of Duties…right now…today…?
The answer: Role Mayonnaise. No…not the food. It is one of the terms we use to describe the approach of putting role management in place by super-imposing (i.e. spreading) a role management framework over the top of your existing systems and applications, while masking the flavor of the existing security and role models. It is similar to the virtual directory approach. Spreading the mayonnaise is where provisioning tools come in. The best provisioning tools out there today can help make (relatively…) short work of spreading role mayonnaise over your existing infrastructure. Remember though: this is only a first tactical step to satisfy very short-term requirements. Longer term, your provisioning tools will become part of the implementation platform for your entire IAM Strategic Framework.
Conclusion
Role discovery/mining, engineering/design, and implementation are critical exercises in the life of your IAM Program. Though this article just scratches the surface, following the time-tested guidelines above can propel your organization far ahead of those that are deep in the trenches and struggling with roles. Strong, useful, auditable, and reusable role frameworks are highly achievable for organizations that are committed to achieving them.
Still have questions or want additional perspective on IAM Success? Please send email, or call us at +1 877 769 8938. Thanks for reading, and until next time: All the Best, of Identity Management Success.
Corbin H. Links, President
Links Business Group LLC
©2003-2007 Links Business Group LLC. All rights reserved.
Posted in Identity and Access Management