Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Last month, Thor Technologies announced a partnership with Bridgestream to integrate Thor’s Xellerate with Bridgestream’s SmartRoles business roles automation package. Though I mentioned the news in a previous newsletter, Bridgestream Vice President of Marketing Ed Zou thought I needed a better explanation of SmartRoles - so he gave it to me, and now I’m passing it on to you.
What follows are Zou’s words:
* * *
Role and group management are critical to the success of provisioning projects. Vendors want to punt the role/group management problem, because it gets in the way of their sales cycle. But it's becoming very difficult for them to do so.
To be fair, provisioning systems do bring value to companies without getting into roles or groups. In a typical provisioning project, the first six months are spent on consolidating request workflows. Consolidated workflows bring significant savings to an organization as well as consistency in user/resource provisioning.
At the six-month point, that's when the provisioning system hits the efficiency wall. Workflows become unmanageable. Even the workflows for e-mail provisioning can be difficult, as the approvers can vary based on business units, geographies, cost center, etc. We have a customer in the financial service sector that has over 400 workflows with hard-coded approvers just for e-mail provisioning. Can you imagine what happens when an approver is transferred? How is that information propagated to a provisioning system or administrator? What does it take to keep those workflows updated?
This is when people ask for a better way to manage resources-to-users mapping and a better way to automate ‘automated provisioning.’ This is when Bridgestream comes into play. Bridgestream provides provisioning systems with three key pieces of information to overcome their problem: role/group information, role/group membership information, and finally approver information.
To understand how we do it, here are some important clarifications:
* The problem of roles is that they are misunderstood and poorly defined. Today, roles and groups are used to describe a class of access privilege by IT organizations. They are also used by business units to represent some aspects of organization structure. A role is often defined to encompass both meanings and becomes immediately unmanageable.
* It's not the fault of roles that they are difficult to define and manage; rather, there needs to be a separation of business roles from IT roles and separation of responsibilities and privileges. When business roles are defined to capture only the responsibilities, span of control and other characteristics of business operation, and when IT roles are used to describe only privileges, then both roles become manageable, and both can be managed by people who understand those roles the best. A mapping between those two types of roles determines the access right of users.
* Business roles are not the starting point, but are the outcome of calculations against organization data of relationships between entities within and between organizations. Each individual plays multiple parts and has many relationships within an organization: I am part of the marketing organization; I report to the CEO; I support key sales initiatives at major accounts; I am part of the revenue recognition team; and on, and on. This multiplicity of organizational data is what is difficult for existing applications and directories to capture and manage. None of them have the data schema to do so. Bridgestream has a proprietary repository to capture these complex relationships and a robust engine to calculate roles, approvers and other provisioning attributes based on these relationships.
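The separation described above can be sketched in a few lines. This is an added example, not part of the newsletter and not Bridgestream's SmartRoles engine: business roles are calculated from relationship data, IT roles hold only privileges, a mapping joins the two, and the approver is looked up rather than hard-coded. All user names, role names, privilege strings and functions are hypothetical, and the organization data is constructed.

```python
# Constructed organization data: (subject, relation, object) triples.
RELATIONSHIPS = {
    ("alice", "member_of", "marketing"),
    ("alice", "reports_to", "carol"),
    ("alice", "supports", "major-accounts"),
    ("bob", "member_of", "sales"),
    ("carol", "manages", "marketing"),
    ("dave", "manages", "sales"),
}
# Business roles: defined only by organizational relationships, no privileges.
BUSINESS_ROLE_RULES = {
    "marketing-staff": {("member_of", "marketing")},
    "account-support": {("member_of", "marketing"), ("supports", "major-accounts")},
    "sales-staff": {("member_of", "sales")},
}
# IT roles: defined only by privileges, no organizational meaning.
IT_ROLES = {
    "email-user": {"mail:read", "mail:send"},
    "crm-reader": {"crm:read"},
    "crm-editor": {"crm:read", "crm:write"},
}
# The mapping between the two role types determines access rights.
ROLE_MAPPING = {
    "marketing-staff": {"email-user"},
    "account-support": {"crm-reader"},
    "sales-staff": {"email-user", "crm-editor"},
}

def business_roles(user, rels):
    """Business roles are an outcome: every rule whose facts hold for the user."""
    facts = {(rel, obj) for subj, rel, obj in rels if subj == user}
    return {role for role, needed in BUSINESS_ROLE_RULES.items() if needed <= facts}

def privileges(user, rels):
    """Union of the privileges of every IT role mapped from the user's business roles."""
    privs = set()
    for b_role in business_roles(user, rels):
        for it_role in ROLE_MAPPING[b_role]:
            privs |= IT_ROLES[it_role]
    return privs

def approvers(user, rels):
    """Approver = whoever currently manages a unit the user belongs to."""
    units = {obj for subj, rel, obj in rels if subj == user and rel == "member_of"}
    return sorted(subj for subj, rel, obj in rels if rel == "manages" and obj in units)

def transfer_manager(rels, unit, new_manager):
    """A transfer changes one relationship; no workflow definition is edited."""
    kept = {t for t in rels if not (t[1] == "manages" and t[2] == unit)}
    return kept | {(new_manager, "manages", unit)}
```

Because the approver is computed from the `manages` relationship at request time, transferring a manager changes the result of `approvers` for every affected user without touching any workflow.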
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.