Wednesday, October 7, 2009
This post is the fifth in a series of eleven posts I am writing about trends in the Identity Management industry.
The use of roles for identity provisioning and audit compliance has seen growing acceptance in production systems. Enterprises are getting more value in both operational efficiency and streamlining compliance efforts by leveraging business roles. Role management can support compliance efforts even if full automated provisioning is not in place.
Experience has shown that using a fairly modest number of roles relative to the size of the user population is most effective, rather than engineering and trying to maintain a large number of roles to take care of all circumstances. A blend of role- and rule-based provisioning appears to strike the right balance.
As roles are implemented, good governance methods are essential to oversee the entire role management life cycle, just as governance over the complete Identity management life cycle is needed. The governance structure over both life cycles should be closely integrated.
Some companies are finding a broader use of roles than realized at first. Roles may have been first engineered to drive role-based access control and compliance enforcement, but can also be used for such things as evaluating organization and infrastructure effectiveness.
Attribute-based access control (ABAC) is emerging as a possible alternative to role-based access control (RBAC), particularly for large, complex organizations such as government entities. This has led some people to predict that ABAC will replace RBAC. However, if we consider that roles are really a form of attributes attached to Identities, we could predict that the two methods will converge – with the best approach being a balance that leverages roles where appropriate, and attribute-driven rules where that approach makes sense.
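The three ideas above (a modest role catalog blended with attribute-driven rules, role management used for compliance even without automated provisioning, and roles treated as just another attribute of an identity) are easier to see in working code. The following is an added example written for this post, not code from the original post or from any product it mentions; the role catalog, the rules, the identities and the snapshot of actual access are all constructed sample data.

```python
"""Added example: compute expected entitlements from a small role catalog
plus attribute rules, then reconcile against actual access to surface
audit exceptions. Every catalog, rule and identity here is constructed
sample data, not taken from the original post."""

# A modest set of business roles, each mapped to the entitlements it grants.
ROLE_ENTITLEMENTS = {
    "employee": {"email", "intranet"},
    "finance-analyst": {"gl-read", "expense-approve"},
    "sysadmin": {"server-login", "backup-restore"},
}

# Attribute rules complement the roles. Each rule is (action, predicate over
# the identity's attributes, entitlements). Because roles live in the same
# attribute dictionary, a rule can reason about roles and other attributes alike.
RULES = [
    # Finance staff with clearance 2 or higher get ledger export without a new role.
    ("grant", lambda a: a.get("department") == "Finance" and a.get("clearance", 0) >= 2,
     {"gl-export"}),
    # Identities located in the EU need the regional privacy tooling.
    ("grant", lambda a: a.get("location") == "EU", {"privacy-tools"}),
    # Contractors never hold backup-restore, even when the sysadmin role grants it.
    ("revoke", lambda a: a.get("employment") == "contractor", {"backup-restore"}),
]


def expected_entitlements(attrs):
    """What an identity should hold: role grants first, then rule grants,
    then rule revokes, so a rule can narrow what a role granted."""
    expected = set()
    for role in attrs.get("roles", ()):
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    for action, predicate, entitlements in RULES:
        if action == "grant" and predicate(attrs):
            expected |= entitlements
    for action, predicate, entitlements in RULES:
        if action == "revoke" and predicate(attrs):
            expected -= entitlements
    return expected


def reconcile(attrs, actual):
    """Compare modelled access with actual access. 'excess' is out-of-model
    access that belongs in a certification campaign; 'missing' is a
    provisioning gap. This is a pure audit step: it needs no connector that
    writes to target systems, so it works before provisioning is automated."""
    expected = expected_entitlements(attrs)
    return {"missing": sorted(expected - actual), "excess": sorted(actual - expected)}


def run_audit(identities, actual_access):
    """Return only the identities that have exceptions, keyed by name."""
    report = {}
    for name, attrs in identities.items():
        result = reconcile(attrs, actual_access.get(name, set()))
        if result["missing"] or result["excess"]:
            report[name] = result
    return report


# Constructed identities: roles are one attribute alongside the others.
IDENTITIES = {
    "alice": {"roles": {"employee", "finance-analyst"}, "department": "Finance",
              "clearance": 3, "location": "US", "employment": "staff"},
    "bob": {"roles": {"employee", "sysadmin"}, "department": "IT",
            "location": "EU", "employment": "contractor"},
    "carol": {"roles": {"employee"}, "department": "HR",
              "location": "US", "employment": "staff"},
}

# Constructed snapshot of what the target systems actually hold today.
ACTUAL_ACCESS = {
    "alice": {"email", "intranet", "gl-read", "expense-approve", "gl-export"},
    "bob": {"email", "intranet", "server-login", "backup-restore", "privacy-tools"},
    "carol": {"email", "intranet", "gl-read"},
}

if __name__ == "__main__":
    # Only bob (contractor still holding backup-restore) and carol (HR holding
    # gl-read with no role or rule to justify it) should appear.
    for name, exceptions in run_audit(IDENTITIES, ACTUAL_ACCESS).items():
        print(name, exceptions)
```

The design choice worth noting is that nothing distinguishes a role from any other attribute at evaluation time: the role catalog is simply one source of grants, and a rule may test role membership, department, location or employment status in the same predicate. That is the convergence the paragraph above describes, and it also keeps the role count small, since a one-off condition becomes a rule rather than yet another role.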
Consider questions such as the following:
- Where can roles be leveraged to improve the effectiveness of your Identity provisioning and compliance system?
- What is the right balance for your organization in the number of roles and the rules that complement the roles?
- How can you effectively govern both the Identity life cycle and role life cycle in your organization?
- Are there ways you can leverage the role infrastructure you have adopted in other ways besides RBAC and compliance?
- Can emerging methods such as ABAC bring further efficiencies to your operation?
By the way, the stack of hats shown above served to represent different roles or personae a person may possess in a tongue-in-cheek blog post I posted earlier this year: Have a Token: ID Hats and Personae. I liked Dave Kearns' perceptive comment to that blog: “Good analogy Mark, but I’m afraid that those of us who understand the phrase ‘to wear different hats’ are getting grayer, plumper and more forgetful every day! People just don’t wear a good homburg, Stetson or Panama any more….”