Today's governance and compliance mandates have amplified the importance of user access control. Organizations are now required to verify and provide evidence that user access privileges conform to regulatory and corporate guidelines. Many companies require business and IT managers to periodically certify that user access rights are correct based on the user's job function or role, and to ensure that access rights do not violate business policies, such as separation-of-duty rules.
Role management is a hot topic in identity management circles these days, but the concept is not new. The National Institute of Standards and Technology (NIST) introduced the concept of role-based access control (RBAC) in the early 1990's. The RBAC concept promised to simplify and reduce administrative costs by enabling organizations to assign users to logical collections of access rights called roles. Because users are not assigned access rights directly, but only acquire them through their roles, in theory user administration is greatly simplified with RBAC.
In practice, role management has proved to be a rocky road, especially at the enterprise-level. Many role engineering projects are abandoned or cancelled after significant effort and expense, most often due to inability to meet real-world requirements. Many businesses find it difficult to package up their unique business requirements into a standardized role model, and those that attempt to do so frequently never make it past the role definition phase. Organizations that do manage to complete an enterprise role model often find that the model cannot keep pace with organizational changes and is not practicable in the long run.
Obviously, role management is not for the faint of heart. But there are success stories that demonstrate that organizations can achieve positive results with role management projects. To ensure that your company does not become a casualty on the role management highway, here are some recommended best practices.
Understand your use case
Role management is a means to an end, so it's important to begin with the end in mind. All project stakeholders should explicitly agree on business goals up front. The two most common business drivers for role management are 1) to gain operational efficiencies around user administration and 2) to better address governance and compliance requirements around user access control. Tackling both these goals at once increases project complexity and scope, so it's wise to pick a primary use case or stage projects sequentially to avoid diluting or confusing your focus.
Role management can improve operational efficiency by mapping a large population of users into a smaller number of well-defined roles. By using roles to assign user access, organizations can reduce complexity and speed the process of user administration (for example, on-boarding and off-boarding employees in a more efficient manner). If operational efficiency is your primary business goal, then it makes sense to target those systems and applications with the highest number of users and those with the highest “churn” (the greatest number of changes). Typically, these resources include email applications, enterprise directories, and other widely used applications. It also makes sense to target large, well-understood populations of users with similar access requirements, such as call center representatives or bank tellers. Not coincidentally, these represent the applications and systems usually targeted for automated provisioning.
Governance and compliance
Role management is now recognized as a best practice for meeting governance and compliance requirements. By grouping lower-level access privileges into business roles, role management provides much needed business context to the managers reviewing user access during quarterly or semi-annual access certifications. Roles can also improve the efficiency of corporate oversight by reducing the number of items under review – instead of verifying dozens of access privileges per user, certifiers verify a much smaller number of business roles. When governance and compliance are the primary drivers for role management, organizations should focus on the applications and data that are the focal point of security and privacy mandates. Typically, these resources include all financial systems, IT infrastructure that supports financial systems, and any systems that store sensitive data, such as credit card, personal information, intellectual property assets, or healthcare information.
Incorporate the right people into the process
To ensure the success of either efficiency-based or governance-based role projects, you must get the right people involved during all phases of the project. Collaboration is required across many organizational stakeholders, both business and technical. Role creation requires substantial knowledge about enterprise organizations and business processes; financial, legal, and corporate policies; and systems and application security. Neither efficiency-based nor governance-based projects will succeed without the right groups contributing knowledge and effort to the project.
It is important to communicate the value of role management to all stakeholders. Business users will benefit from the translation of technical IT-oriented data into business-level language when they perform periodic access certifications for governance. They will also benefit by being able to define separation-of-duty policy in business terms. Technical staff will benefit by better understanding the business principles guiding access policy and by spending less time translating IT data for business users. Additional incentives may also come from internal and external auditors, who are increasingly recognizing the value of roles in enforcing user access policy.
Carefully scope projects to show rapid results
Regardless of the ultimate goal, taking an incremental approach to role management is one key to success. It's a common mistake to undertake enterprise-scale role projects that require every department manager and associated IT manager to define a role for every job code as a starting point. Best results are achieved by taking a stepwise approach where the project focus is limited to applications or job functions that are high priorities from an operational efficiency or regulatory compliance perspective.
Organizations should begin by identifying the most critical applications, users, and project tasks based on business drivers, such as support for a provisioning rollout or data privacy or security. This type of scoping will limit the number and type of personnel that need to be involved in the role definition phases of the project, cutting initial definition phases from months to days or weeks. This approach also makes it possible to demonstrate rapid payoff from the role definition work done upfront. For example, defining roles for a set of compliance-relevant applications can speed and simplify quarterly certifications dramatically, in many cases reducing the time spent on the certification process by 50 percent. Performing certifications at the role level also improves the accuracy and reliability of reviewer decisions by making it easier to assess the appropriateness of user access.
Develop a plan to accommodate change
Maintaining a role model over time is as challenging as creating the model in the first place. Employee transfers or promotions, departmental reorganizations, mergers and acquisitions – all represent changes that impact role models. Without a way to accommodate change, the quality and reliability of the role model will deteriorate to the point where role management can no longer accurately support business goals, creating overhead that defeats the original goal of the project.
By consciously scoping role management projects based on prioritized use cases (see point #2 above), organizations can minimize the scale of the change management challenge and grow capabilities and value achieved over time. In some large organizations, there are hundreds of changes made per week to users and their roles. The amount of churn is easier to accommodate if your project is focused on a well-defined subset of the organization. Whatever the scope of the project, it is critically important to review the accuracy of roles on a periodic basis so that you have a process to refine and adapt roles as the business changes. This process can exist in parallel with the access certification process which is designed to audit and verify the appropriateness of access rights and business roles assigned to individual users.
What to look for in role management software
Role management solutions available on the market today can help organizations to incorporate many of the best practices mentioned above into their role deployments. If you're shopping for role management software, here are some important qualities to look for:
- You need choices in how roles get created – look for products that provide multiple ways to capture and define roles. This aspect of the project tends to be one of the most onerous, so ease-of-use and flexibility will help you achieve the desired results.
- You need business-friendly software, so beware of tools that require an IT administrator's skills to use. Both business and technical users will be involved in defining, approving, and certifying roles. Choose solutions that make it easy for the business side of the house to contribute to, and support, the project.
- Tools for change management are critical to a role management project's success. You will need workflow tools that make it easy to approve roles as they are created and to review and verify roles on a periodic basis. Without change management and regular oversight, role proliferation (where the number of roles exceeds the number of users) will be a big problem.
- Look for solutions that make it easy to connect to your IT environment, including identity management products. Packaged integration to provisioning products, for instance, will speed and simplify deployments by providing out-of-box role-to-entitlement mapping, remediation, and policy checking capabilities.
- Rich reporting and analytics are critical to meet audit and compliance requirements. The right product will give you rich capabilities to filter and search identity data, with built-in reports to deliver detailed analyses of users, roles, applications, entitlements and compliance status.