When it comes to discussing roles, role management, role mining and role-based access control (RBAC) I do tend to start with Bridgestream and Eurikify. They represent two different approaches to defining roles and so eminently qualify as examples. But there are other companies in the space, and I want to talk about one of them today - Vaau.

Vaau isn’t a complete stranger to this newsletter, having been mentioned twice. Once after this year’s Catalyst conference and once after last year’s conference, when I listed it last in a string of role-related vendors. You might expect that it would be chiding me over this, but the ever so polite EMEA Director of Operations, Mel Holloway, wrote in an e-mail: “Please excuse this approach I am not a spammer, I am a fan (that’s stalker talk!!!).” He did catch my attention and reminded me to take a closer look at Vaau.

Vaau’s RBACx is based, says the company, on “role engineering.” This role and rule engineering engine is used for role mining, rule mining, identity correlation, and access clustering. RBACx also uses advanced data mining algorithms to identify user access correlations across key applications, and uses that information to develop and suggest application and enterprise level roles and rules.

Vaau’s approach is to define multiple processes for roles:

* Role mining engine: A hybrid approach to role engineering, looking at a combination of organizational characteristics, user attributes and characteristics and user’s current accounts and entitlements.

* Rule definition: Ability to generate rules from the role mining engine, assigned when new users are created or when accounts and entitlements are imported into RBACx.

* Roles based on template users: Once the accounts and entitlements of user are imported into RBACx, new roles can be created based on the existing access of some template users.

* Import of existing roles from an authoritative source: RBACx has the ability to import roles from any authoritative source, like ERP, mainframe or an existing identity management system. Once imported, the content of these roles can be refined to obtain enterprise roles.

* Role vs. actual analysis: After the roles are defined in RBACx an analysis can run and RBACx can search for exceptions where user’s actual access does not match his/her role based access. This can be used to refine the role content prior to pushing the roles to the provisioning solution.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.