Network World

Making a play for role-based ID management

Role management as reviewed by Eurekify
Security: Identity Management Alert By Dave Kearns, Network World, 09/05/2005

Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.


Last week, I let Bridgestream Vice President of Marketing Ed Zou speak to you directly about the need for roles in an enterprise identity project. More to the point, Zou talked about the need for the business side of the house to delineate and define the roles that are important to the way the enterprise does business. Somehow, I knew when I finished writing that piece that one of the first people to respond to it would be Ron Rymon. Rymon is the founder of Eurekify, often described as a "role mining" company (see "Rules and policies vs. actual practice"). Here's what Rymon had to say:

"First, I totally agree with Ed's words. The identity management scene has transformed in the past year or so, and most sophisticated customers, integrators and vendors now realize that role management is an essential piece of any identity management project. In Eurekify's projects, we also find that Ed's examples are very typical. Many customers start with a 'simple' [identity management project], and then realize that they should have invested more in the planning and preparation phase, and this is especially true in the areas related to role management. To Ed's observations, I would like to add a few more that we have discovered in the 2-3 years that we are working in this new and emerging market."

Rymon went on at great length to elaborate on role mining as a tool to use in conjunction with top-down role definition. The major point he made was that in most organizations it is close to impossible to create roles with only an authoring tool and a business-analysis approach. You also need to "mine" existing privileges in order to arrive at role definitions that reflect your actual business practices. He noted that this bottom-up approach does not replace top-down and business analysis, but he believes the role-engineering project can only succeed if the two are combined.

He added that an investment in role management can quickly pay off in the compliance area, one of today's hotbeds of identity management activity. He noted that if you structure good business roles, you can easily state the business process constraints, such as segregation of duty, access right limitations, etc. In fact, in many cases the same pattern-recognition technology can be used to automate verification of compliance with policies and regulations even before creating and approving the roles (the approval is what usually takes longest if you really want to do it right and in collaboration with the business unit). In the current atmosphere, if your project can help the organizational compliance project (and don't tell them it took you very little time), it will score big with top management and, needless to say, will help you when you need more support during a very hard identity management project.
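The bottom-up mining and pre-approval compliance check described above can be sketched as follows. This is an added example, not code from the column and not Eurekify's algorithm: the users, entitlement names, the segregation-of-duty rule and the intersection-based mining heuristic are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample data: user -> entitlements currently granted.
FINANCE = {"ap_view_ledger", "erp_login"}
USER_PRIVS = {
    "alice": FINANCE | {"ap_create_invoice"},
    "bob":   FINANCE | {"ap_create_invoice"},
    "carol": FINANCE | {"ap_approve_payment"},
    "dave":  FINANCE | {"ap_approve_payment"},
    "erin":  FINANCE | {"ap_create_invoice", "ap_approve_payment"},
    "frank": FINANCE | {"ap_create_invoice", "ap_approve_payment"},
}
# Constructed segregation-of-duty rule: nobody may hold both entitlements.
SOD_RULES = [("ap_create_invoice", "ap_approve_payment")]

def mine_roles(user_privs, min_users=2):
    """Candidate roles are the distinct entitlement sets in use plus their
    pairwise intersections, kept only if at least min_users users hold them."""
    sets = {frozenset(p) for p in user_privs.values()}
    candidates = set(sets)
    for a, b in combinations(sets, 2):
        if a & b:
            candidates.add(a & b)
    roles = {}
    for cand in candidates:
        members = sorted(u for u, p in user_privs.items() if cand <= p)
        if len(members) >= min_users:
            roles[cand] = members
    return roles

def sod_violations(priv_set, rules):
    """Return every rule whose two conflicting entitlements are both present."""
    return [r for r in rules if r[0] in priv_set and r[1] in priv_set]

def review(user_privs, rules, min_users=2):
    """Split mined roles into clean and SoD-violating ones before anyone is
    asked to approve them, and list users whose current access breaks a rule."""
    roles = mine_roles(user_privs, min_users)
    clean = {r: m for r, m in roles.items() if not sod_violations(r, rules)}
    rejected = {r: m for r, m in roles.items() if sod_violations(r, rules)}
    bad_users = sorted(u for u, p in user_privs.items() if sod_violations(p, rules))
    return clean, rejected, bad_users

if __name__ == "__main__":
    clean, rejected, bad_users = review(USER_PRIVS, SOD_RULES)
    for role, members in sorted(clean.items(), key=lambda kv: len(kv[0])):
        print("candidate role", sorted(role), "held by", members)
    for role, members in rejected.items():
        print("rejected (SoD)", sorted(role), "held by", members)
    print("users violating SoD today:", bad_users)
```

The mined candidates still need the top-down step: a business owner has to name each one and confirm it matches a real job function before it becomes a role.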

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
