In these days of distributed networks, user management is not for the faint of heart, and that is increasing interest in two techniques for streamlining the process.
Roles and rules are two approaches that promise automation and efficiencies in provisioning resources to users, and consistency in granting and revoking access rights. The goal is to replace the error-prone manual process of performing those tasks one user at a time with what amounts to batch processing.
Using roles- and rules-based models can help tighten security of network resources and ensure compliance with federal regulations such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.
Roles are predetermined sets of access privileges that are associated with a group of users on a network. Users are assigned to roles. The National Institute of Standards and Technology (NIST) developed the model, called Role-Based Access Control (RBAC), more than a decade ago. The Massachusetts Institute of Technology, Stanford University, Sun and PricewaterhouseCoopers are among those that have developed their own roles-based models.
In comparison, rules were introduced recently with the advent of provisioning systems. They are more flexible and act as "if/then" expressions that are executed within software when a user attempts to access a network resource. For example, a rule might state "if" the user has the title "sales manager" and works in Division A "then" he is entitled to access System B.
Experts say that a combination of the two might be the best approach in meeting today's requirements for identity management.
"We found that just using roles would not be enough to provision users," says Steve Linstead, directory services architect for Johnson Controls, a Milwaukee supplier of automotive parts and building controls, such as heating/cooling.
Johnson Controls is finishing a pilot project with provisioning software from Netegrity that will be implemented next year. "Roles left too many gaps, and we needed rules to further define the user. We can have a supervisor role, but supervisor of what? The rule then determines how the role operates," Linstead says.
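The combination Linstead describes, a role that defines a bundle of privileges and a rule that scopes it ("supervisor of what?"), can be sketched in a few lines. The following is an added illustration written for this article, not code from Johnson Controls, Netegrity or any vendor; the users, divisions, privilege names and "System B" entitlement are constructed, and the if/then rules are the sales-manager and supervisor examples from the text.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    title: str
    division: str
    roles: set = field(default_factory=set)

# Roles: predetermined bundles of privileges; users are assigned to roles (the RBAC part).
ROLE_PRIVILEGES = {
    "employee": {"email", "intranet"},
    "supervisor": {"timesheets:approve"},
}

# Rules: if/then expressions evaluated against the user's attributes (the provisioning part).
# Each entry is (condition, grant): if condition(user) holds, grant(user) yields extra entitlements.
RULES = [
    # "if" title is sales manager and division is A "then" entitle access to System B
    (lambda u: u.title == "sales manager" and u.division == "A",
     lambda u: {"system_b"}),
    # "supervisor of what?" -- the rule scopes the supervisor role to the user's own division
    (lambda u: "supervisor" in u.roles,
     lambda u: {f"division_{u.division}:approve"}),
]

def entitlements_for(user: User) -> set:
    """Union of role-derived and rule-derived entitlements for one user."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PRIVILEGES.get(role, set())
    for condition, grant in RULES:
        if condition(user):
            granted |= grant(user)
    return granted

def has_access(user: User, resource: str) -> bool:
    return resource in entitlements_for(user)

def reconcile(previous: set, user: User) -> tuple:
    """Return (to_grant, to_revoke) after an attribute change, so rights stay consistent."""
    current = entitlements_for(user)
    return current - previous, previous - current

if __name__ == "__main__":
    alice = User("alice", "sales manager", "A", {"employee", "supervisor"})
    before = entitlements_for(alice)
    alice.division = "B"          # constructed event: transfer out of Division A
    print(reconcile(before, alice))
```

The transfer shows the consistency the article is after: the Division A-scoped approval right and the System B entitlement are revoked and the Division B right granted in one pass, without anyone editing the user by hand.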
Interest in roles and rules is accelerating, especially with the number of networked applications growing along with the internal and external users seeking access. Corporate users are seeking options, and vendors such as Beta Systems, Business Layers, IBM, Microsoft, Netegrity, Novell, OpenNetwork Technologies, RSA Security, Siemens and Waveset Technologies are listening.
"Most companies today are under pressure to do more with roles- and rules-based user management," says Christy Hudgins, president of Hudgins Group, a research firm. "I see differing motivators among different types of businesses. Some retailers are very cost-reduction-driven, while others are most interested in relieving the administrative load on IT staff. Regulatory compliance is a big factor with regulated financial institutions, as well as medical groups. Security tends to be the big driver with retail banks."