Obviously, Role Based Access Control is all about the roles that people will be assigned to for their system and application access, but there’s so much more involved in a successful RBAC implementation. Oftentimes it seems like we start to lose sight of the main ingredient!
You’ve got a role management system, purchased or custom developed. The application environments are up and available. The software is loaded and operational. You’re receiving access data feeds from all of the system and application teams within your enterprise, or you have built automated connectors to source systems to retrieve that data on your own (the ideal situation). The role management solution is synced up with the HR system for all of your identity information. Provisioning data for every access entitlement is stored and accessible by your provisioning engine. It’s time to fuel up with the main reason for all of this effort and create the roles that people are going to be referencing and using in the business, so that they have the appropriate access they need to do their jobs.
Roles, Roles, Roles...
As much as I’d like to say there is one perfect way to create the functional, or business, roles that the users will be assigned to, I can’t. What I’ve learned is that you have to inspect and adapt (subtle Agile reference…) to the business you’re working with to include as many people in the most efficient roles as possible. Some organizations are already going to have HR roles assigned to people that may or may not translate accordingly into the type of functional roles we want to base access around. Furthermore, employees might be in specific departments or divisions which would seem like good candidates to build roles around, but again, it’s not always meant to be when it comes to access. What am I getting at? Those roles were created for reasons other than giving people the access they need to do their jobs, so you have to approach the creation of functional roles for RBAC as a unique, focused activity.
Top Down Approach - The Overhaul:
If your company is like most, you won’t be able to hitch your functional roles to pre-existing corporate roles; you’ll need to create them on your own. The job title can be a good place to start; however, access for people with the same job title can vary wildly from department to department, so be mindful of that. Some businesses will take a top down approach and decide that there are really x number of job roles being performed, so we’re going to categorize the people and their access into those roles. This is what I’ll call the overhaul method. The pros of this tactic are that it’s faster and easier to implement, since you’ll get your role definitions from one person or committee. Another positive is that the number of roles created will most likely be smaller than with other approaches, so role management will be simplified. The con is that the roles are going to be more generalized for a larger population, meaning that more people are more likely to have more access than they require. Without paying special attention to that, you could be increasing risk instead of decreasing it!
Bottom Up Approach:
Other organizations won’t be able to even begin thinking about doing it that way because their job roles are so differentiated. They will need to follow more of a bottom up approach, where you’ll pick small groups of individuals who are designated as requiring similar access for their jobs and then analyze the access those people already have to form roles. This step will need to be repeated many times as you work your way through the organization. The plus side of this approach is that the roles you create will be specifically tailored to the people assigned to them. The negative side is that it’s more time consuming and requires many points of contact as you move through the business. You’re also likely to create separate roles for different subsets of employees that have very similar access. However, you won’t know it until you get into role management lifecycles and role comparisons, where you’ll want to try to combine those roles if possible.
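As an added illustration (not code from the original post), here is a small Python sketch that contrasts the two approaches on a constructed set of users and entitlements: the overhaul role is the union of a group's current access, the bottom-up role is the intersection, an excess-access check shows where a generalized role hands people more than they hold today, and a role comparison step flags near-duplicate roles as candidates to combine. The user names, entitlement strings and the 0.75 similarity threshold are all assumptions made up for the example.

```python
from itertools import combinations

# Constructed sample data: the entitlements each user currently holds,
# as an access data feed or source-system connector would report them.
USERS = {
    "alice": {"crm.read", "crm.write", "billing.read"},
    "bob":   {"crm.read", "crm.write", "billing.read"},
    "carol": {"crm.read", "billing.read"},
    "dave":  {"crm.read", "crm.write", "billing.read", "billing.refund"},
    "erin":  {"hr.read", "hr.write"},
}


def top_down_role(members):
    """Overhaul method: one generalized role sized to cover everyone's
    current access (the union). Few roles to manage, but every member
    is granted the superset."""
    role = set()
    for user in members:
        role |= USERS[user]
    return role


def bottom_up_role(members):
    """Bottom-up method: only the access every member of the small group
    already shares (the intersection). Tailored, but must be repeated
    group by group across the organization."""
    return set.intersection(*(USERS[user] for user in members))


def excess_access(role, members):
    """Entitlements the role would grant beyond what each member holds
    today: the 'more access than they require' risk of a generalized role."""
    return {user: role - USERS[user] for user in members}


def similar_roles(roles, threshold=0.75):
    """Role comparison step: flag pairs of roles whose Jaccard similarity
    reaches the threshold as candidates to merge during lifecycle review."""
    candidates = []
    for (name_a, ents_a), (name_b, ents_b) in combinations(roles.items(), 2):
        score = len(ents_a & ents_b) / len(ents_a | ents_b)
        if score >= threshold:
            candidates.append((name_a, name_b, round(score, 2)))
    return candidates


if __name__ == "__main__":
    group = ["alice", "bob", "carol", "dave"]
    print("overhaul role:", sorted(top_down_role(group)))
    print("excess access:", excess_access(top_down_role(group), group))
    print("bottom-up role:", sorted(bottom_up_role(group)))
```

Running it shows carol picking up two entitlements she never had under the overhaul role, while the bottom-up role for the same group shrinks to the two entitlements all four actually share.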
To sum it up quickly, there isn’t a silver bullet approach that will magically create your perfect roles fast and easy; you’ll need to explore the business functions within your organization to determine which approach, top down or bottom up, is needed for your functional roles. The good news is that there’s always plenty of time to polish the roles over time and with user feedback!