Part 2: Defining Roles for IAM – From the Bottom Up

July 20, 2015

We believe that a two-pronged approach to roles definition is the key to implementing Role Based Access Control (RBAC) successfully. While there are tools that can automate the ‘bottom up’ approach, the old adage “Garbage In, Garbage Out” applies. If the data that you are basing your role definition on are bad, then a bottom up approach has little chance of success. In our first blog on this topic “Defining Roles for IAM – Begin at the Top!”, we outlined a process to meet with business stakeholders and system owners to review access rights vis-à-vis the user’s job responsibilities. In this process, unnecessary access privileges are removed and the access rights for users in a particular job position are harmonized. By cleaning up users’ access permissions by position first, we can reap the full benefits of a role mining tool.

In contrast to the top-down approach, the bottom-up approach is based on an analysis of all users’ existing permission assignments to formulate roles. Having cleaned up existing permissions first, there are a number of software tools that we can now use to scan our environment to detect patterns based on the user’s position/title and their access rights across these systems. By deriving enterprise roles from these patterns, a role mining tool can quickly build coherent roles which support an organized migration to an RBAC model.

Once the roles are defined and implemented, the IDM system assigns users to roles based on their attributes, such as position, job code, and department. Now, instead of managing access on a user by user and system by system basis, the organization is able to assign the proper access to the user based on their role. The benefits to the organization are:

  • Dramatically reduces manual work to manage user access, which also drives cost savings
  • Updates to a user’s access are automated and remain accurate
  • A high degree of consistency in terms of user access rights across functions
  • Gains in end-user productivity and reduced error rate in security administration
  • Improved regulatory compliance and simplified attestation

More News