An excellent article on role management was published last week in CSO Online.    Business drivers, benefits and challenges were listed from a Burton Group study:

“In its 2007 survey of 35 organizations, Burton Group found that the number of role management initiatives has grown significantly since 2003, especially in the financial services industry. The top business drivers include:

• Administrative efficiencies for access management
• Ease of audit and compliance
• Improved security controls for access and authorization

“The payoff? In return for your efforts, expect the following benefits:

• Simplified number of managed entities
• Improved visibility into available resources
• Better enforcement of policy
• Improved relationship of IT with the business

“The Burton Group says major challenges for these projects include:

• Establishing the relationship of roles to business and administrative processes
• Setting guidelines for defining and establishing roles
• Determining who should participate and in what capacity
• Determining how to maintain roles over time
• Associating roles with resources
• Determining how to associate business process and policy with roles”

A variety of customers, using several role management software tools, were quoted in the article in support of a good list of recommended Do’s and Don’ts for role mangement projects:

• DON’T select a tool until you’ve defined your process.
• DO take a combined top-down, bottom-up approach.
• DO take a combined top-down, bottom-up approach.
• DO create links between IT roles and business roles.
• DO go beyond access control when communicating business benefits.
• DO look for a tool that mirrors your organizational approach.
• DON’T underestimate the time commitment.
• DO manage scope.
• DO consider getting a quick start with role mining.
• DON’T create too many roles.
• DO look for reporting capabilities and a strong certification process.
• DON’T assume you need a suite to integrate role management with your provisioning system.

Although no vendors were directly quoted, many observations were favorable for the Sun Role Manager product.

I thought it interesting that Kevin Kampman, senior analyst at Burton, recommended the role discovery process directly supported by the Sun product:

“DO take a combined top-down, bottom-up approach. According to Kampman, role management typically combines a top-down (or business responsibility-driven) perspective, and a bottom-up (or system resource-oriented) approach. Top-down reflects the needs of the business, while bottom-up reflects the application privileges and permission sets to satisfy those business responsibilities.”

Craig Cooper, senior project manager at Thrivent Financial for Lutherans, a Vaau/Sun Role Manager customer, offered some interesting practical insights:

“Cooper sees role management as an integral part of enhancing Thrivent’s trusted reputation with customers. ‘We want to be able to demonstrate that we have the controls in place related to access, and this process has allowed us to do that,’ he says.

“The most time-consuming piece, according to Cooper, is the communication, analysis and research required to get business people on board and ensure your initial design is correct. The good news, he says, is that the learning curve drops off, and you can leverage process improvements and reuse definitions. While it took 12 weeks to set up roles for Thrivent’s first business unit, the team is now completing units in six weeks.”

“It’s important to keep the number of roles you create down to keep your management burden low. ‘It’s a lot easier to manage 1,000 roles than 5,000 or 7,000 individual access profiles,’ Cooper agrees. It’s good practice to use an 80/20 rule, he says, where you assign groups of users a base set of access and then use auxiliary roles and exceptions to cover additional access needs.

Technorati Tags: Sun Microsystems, Identity, Identity Management, Digital Identity, Sun Role Manager, Role Management, Burton Group