These days “role management” or “identity and access governance” has taken the limelight in anything related to Identity and Access Management projects. IT organizations are eager to understand what these technologies provide, and want to ensure that these functions are covered in any of their identity management project bids. Role management is really only a portion of Identity and Access Governance, but its underlying benefits are clear and compelling: better handling of the growing demand for access assignments, easier compliance efforts, and simpler access assignment operations. However, there are misconceptions about how and when to approach these projects. In the rush to realize the benefits of the latest role management technology, many practical concerns are overlooked, and IT organizations gravitate towards role modeling and mining as a panacea. In the following paragraphs we discuss a more pragmatic approach to role management that puts ROI at the forefront by treating role management as a cycle rather than a monolithic function.
First, some IT organizations put too much emphasis on role discovery, modeling, mining, and lifecycle management. These processes are important, but they should be addressed in the context of the current identity and access management implementation, with sights set on getting the best immediate benefit. Role discovery and lifecycle management are only part of a complete cycle of role management functions; the other stages include access data cleanup, access validation, RBAC access provisioning, SOD (segregation of duties) checks, and compliance reporting. Those other stages should be addressed first, either because they provide quicker ROI or because they are the necessary base for the stages that follow.
Second, the results of a role modeling exercise are only as good as the data used as input; the rule of “garbage in, garbage out” applies squarely here. To model roles, whether bottom-up (mining roles from existing entitlements) or top-down (deriving them from business functions), it is essential to use clean and validated user and access data. Many sources of access data in IT resources carry out-of-date or wrong attributes, contain accounts that are not tied to a unique person, and include vestiges of access that is no longer valid. It is therefore critical to start role modeling only after a thorough cleanup and validation stage for the user and access data. These cleanup and recertification projects can take more than six months on their own. Fortunately, the benefit is not only readiness for role modeling, but also a clear understanding of, and control over, what access is provided to each user, which is a key measure for successful audits.
Third, many IT organizations believe that a successful identity management deployment must start with a sound and complete role structure. In practice, role discovery, modeling, and lifecycle management are more art than science, even with automation tools, and these projects take a long time and a lot of internal political negotiation before they bear fruit. In the meantime, operations and audits go on, generating cost, risk, and effort if not addressed effectively. It therefore makes more sense to address the compliance and operational cost concerns first, before embarking on a restructuring of the role and access structure. Implementing a sound, repeatable access data cleanup and validation effort first pays back in quick compliance success. Following with an automated user provisioning project built on a basic RBAC structure (for example, birthright roles derived from department or job code) ensures that the IT organization eliminates undue risk and reduces operational cost on an ongoing basis. The role modeling project can be done afterwards to fine-tune the efficiency of the identity management system.
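To make the ordering argued above concrete, here is an added example (not part of the original post, and not any vendor's product code) that runs the first three stages of the cycle in the sequence this article recommends: clean up and validate the access extract against the HR feed, reconcile what each active person holds against a basic department-based RBAC model, and flag segregation-of-duties conflicts. The HR feed, access extract, role names, entitlement names and the single SOD rule are constructed sample data; the department-to-role mapping and the rule that an account with no owner in HR is an orphan are assumptions for the illustration.

```python
from collections import defaultdict

# --- Constructed sample inputs (not from any real system) ---
# The HR feed is the authoritative identity source: who exists and whether
# they are active. Keyed by a unique person identifier.
HR_FEED = {
    "P001": {"name": "Ana M.", "status": "active", "department": "Finance"},
    "P002": {"name": "Ben K.", "status": "active", "department": "Finance"},
    "P003": {"name": "Cy T.", "status": "terminated", "department": "Sales"},
}

# Access extract as it typically comes out of target systems: one row per
# (system, account, entitlement). The owner link is often missing or stale,
# which is exactly what the cleanup stage has to surface.
ACCESS_EXTRACT = [
    {"system": "erp", "account": "ana.m", "entitlement": "AP_INVOICE_ENTRY", "person_id": "P001"},
    {"system": "erp", "account": "ana.m", "entitlement": "AP_PAYMENT_APPROVE", "person_id": "P001"},
    {"system": "erp", "account": "ben.k", "entitlement": "AP_INVOICE_ENTRY", "person_id": "P002"},
    {"system": "erp", "account": "ben.k", "entitlement": "GL_POST", "person_id": "P002"},
    {"system": "erp", "account": "svc_batch", "entitlement": "AP_PAYMENT_APPROVE", "person_id": None},
    {"system": "crm", "account": "cy.t", "entitlement": "CRM_READ", "person_id": "P003"},
    {"system": "crm", "account": "old_admin", "entitlement": "CRM_ADMIN", "person_id": "P999"},
]

# Basic RBAC: one birthright role per department (hypothetical role contents).
ROLES = {
    "Finance": {"AP_INVOICE_ENTRY", "GL_VIEW"},
    "Sales": {"CRM_READ"},
}

# Toxic combinations a single person must never hold at once (hypothetical rule).
SOD_RULES = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"})]


def clean_access(hr_feed, extract):
    """Stage 1: split the raw extract into rows that can be trusted and rows
    that need a cleanup action before any role modeling is attempted."""
    report = {"orphaned": [], "terminated": [], "valid": []}
    for row in extract:
        pid = row["person_id"]
        if pid is None or pid not in hr_feed:
            report["orphaned"].append(row)       # account not tied to a unique person
        elif hr_feed[pid]["status"] != "active":
            report["terminated"].append(row)     # leaver still holding access
        else:
            report["valid"].append(row)
    return report


def entitlements_by_person(rows):
    """Aggregate what each person actually holds across all accounts and systems."""
    held = defaultdict(set)
    for row in rows:
        held[row["person_id"]].add(row["entitlement"])
    return held


def reconcile_rbac(hr_feed, valid_rows, roles):
    """Stage 2: compare actual access with what the basic role model says each
    active person should have. 'missing' drives provisioning; 'excess' drives
    revocation or an explicitly approved exception."""
    held = entitlements_by_person(valid_rows)
    plan = {}
    for pid, person in hr_feed.items():
        if person["status"] != "active":
            continue
        expected = roles.get(person["department"], set())
        actual = held.get(pid, set())
        plan[pid] = {"missing": sorted(expected - actual), "excess": sorted(actual - expected)}
    return plan


def sod_violations(valid_rows, rules):
    """Stage 3: flag any person whose aggregated access contains a toxic pair."""
    held = entitlements_by_person(valid_rows)
    return sorted((pid, tuple(sorted(pair)))
                  for pid, ents in held.items()
                  for pair in rules if pair <= ents)


if __name__ == "__main__":
    cleaned = clean_access(HR_FEED, ACCESS_EXTRACT)
    for bucket in ("orphaned", "terminated"):
        for row in cleaned[bucket]:
            print(f"{bucket:10} {row['system']}/{row['account']} {row['entitlement']}")
    for pid, diff in reconcile_rbac(HR_FEED, cleaned["valid"], ROLES).items():
        print(f"{pid}: provision {diff['missing']}, revoke or review {diff['excess']}")
    for pid, pair in sod_violations(cleaned["valid"], SOD_RULES):
        print(f"SOD conflict: {pid} holds {pair}")
```

Two design choices reflect the argument of the article. The reconciliation and SOD stages only ever see the `valid` bucket, so an orphaned service account or a terminated user's leftover access can never be mined into a role. And the SOD check aggregates entitlements per person across every account and system, because a conflict split across two accounts owned by the same person is still a conflict; an extract that cannot tie accounts to a unique person (the orphan rows above) cannot be checked for SOD at all, which is one more reason the cleanup has to come first.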
IT organizations should consider their identity management readiness and needs when determining the right approach to identity and access governance. Role management is not a monolithic endeavor; it involves many stages. Addressing user access data cleanup and validation first, followed by a basic RBAC user provisioning project, is a more practical and effective way to obtain fast ROI. Role modeling, mining, and lifecycle management can be the final stage, used to fine-tune an access structure that is already under control.