What's hot and what's not for role management

A look at the current state of role management

Security Identity Management Alert By Dave Kearns, Network World
June 02, 2008 12:04 AM ET

The foundation for security and enterprise management

Roles are not necessary for governance, risk, compliance and entitlement (GRCE) management, just as roads aren't necessary in order to drive cars. And just as it would be foolish to consider driving from, say, San Francisco to New York without using roads, so too would it be foolish to consider implementing GRCE management without roles. I was reminded of this when a press release crossed my desk a couple of weeks ago.

The release touted an agreement for CA to resell Eurikify’s Enterprise Role Manager which, according to the document, was a good thing for CA’s customers because: “One of the most complex and time-consuming aspects of identity management deployments is getting the corporate roles defined within the system. Manually defining hundreds of roles with thousands of users assigned to them is a time-intensive project, and today’s business regulations demand more. Eurikify can help with the role management and role mining needs, while CA delivers a leading identity management solution to automate smart user provisioning and audit duties.” Remove some of the hyperbole, and that’s what I’ve been saying, right?

Eurikify founder Ron Rymon goes even further. At the recent European Identity Conference, he told the audience that you cannot run provisioning, nor GRCE, without clear models and, by models, he meant well-defined (“modeled”) roles. He went so far as to say that roles and compliance are “intertwined” and “you cannot have one without the other.”

He ended his talk by trying to show where we stand vis-à-vis roles at this point in time, listing the things that no longer apply and what should replace them. Sort of a “what’s hot” and “what’s not” for roles in mid-2008. His list includes:

What’s not:
• IAM projects without a clear business case and careful planning.
• Role modeling at “business level” only, based on preconceptions, whether or not they fit.
• Delegation of role modeling to the business through nice interfaces.
• Let’s start with a few roles covering the most obvious 10% of access.
• Delegation of compliance to the business through dumb certification.
• Separate solutions for certification vs. role modeling vs. IT controls vs. privileges cleanup.

What’s hot:
• Quick gap analysis to identify most important needs and easy wins.
• Identify the “right” modeling for each business unit; work in all levels; use data to guide and corroborate.
• Role modeling requires expertise, and cooperation of all stakeholders.
• Quickly create role models that cover 70%-80% of all access rights.
• Automated IT controls + decision supportive certification.
• Cohesive solutions for Privileges, Roles, and Policies.
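Several of the “what’s hot” items (gap analysis, using data to guide modeling, and quickly reaching 70%-80% coverage rather than stopping at the “obvious 10%”) describe bottom-up role mining. The script below is an added illustration, not code from the column, from Eurikify or from CA: it takes a constructed user-to-entitlement table, groups users whose entitlement sets are identical into candidate roles, greedily selects roles until a target share of all user-entitlement assignments is covered, and reports the residual assignments that still need an exception or further modeling. All user names, entitlement names and the coverage target are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): user -> set of directly granted entitlements.
ASSIGNMENTS = {
    "alice": {"crm:read", "crm:write", "mail"},
    "bob":   {"crm:read", "crm:write", "mail"},
    "carol": {"crm:read", "mail"},
    "dave":  {"erp:post", "erp:read", "mail"},
    "erin":  {"erp:post", "erp:read", "mail"},
    "frank": {"erp:read", "mail"},
    "grace": {"crm:read", "crm:write", "mail"},
    "heidi": {"hr:admin", "mail"},
}


def mine_candidate_roles(assignments):
    """Bottom-up role mining in its simplest form: users with an identical
    entitlement set form one candidate role. Returns a list of
    (entitlements, members) pairs, largest number of explained
    user-entitlement assignments first (ties broken by entitlement names)."""
    groups = defaultdict(list)
    for user, entitlements in assignments.items():
        groups[frozenset(entitlements)].append(user)
    roles = [(ents, sorted(members)) for ents, members in groups.items()]
    roles.sort(key=lambda role: (-len(role[0]) * len(role[1]), sorted(role[0])))
    return roles


def coverage_plan(assignments, target=0.8):
    """Greedily pick candidate roles until `target` (a fraction) of all
    user-entitlement assignments is explained by a role. Returns the chosen
    roles and the fraction actually covered."""
    total = sum(len(ents) for ents in assignments.values())
    if total == 0:
        return [], 0.0
    chosen, covered = [], 0
    for ents, members in mine_candidate_roles(assignments):
        if covered / total >= target:
            break
        chosen.append((ents, members))
        covered += len(ents) * len(members)
    return chosen, covered / total


def residual_assignments(assignments, roles):
    """Gap analysis: entitlements a user holds that no chosen role explains.
    These are the direct grants left to certify individually or to model next."""
    explained = defaultdict(set)
    for ents, members in roles:
        for user in members:
            explained[user] |= ents
    residual = {}
    for user, ents in assignments.items():
        leftover = ents - explained[user]
        if leftover:
            residual[user] = leftover
    return residual


if __name__ == "__main__":
    roles, fraction = coverage_plan(ASSIGNMENTS, target=0.8)
    for ents, members in roles:
        print(f"role {sorted(ents)} -> {members}")
    print(f"covered {fraction:.0%} of assignments with {len(roles)} roles")
    for user, leftover in residual_assignments(ASSIGNMENTS, roles).items():
        print(f"residual for {user}: {sorted(leftover)}")
```

Exact-match grouping is deliberately naive; production role mining tools also split and merge sets (for example, peeling the common "mail" entitlement into a base role everyone gets). The point the list makes still shows in the output: two or three data-derived roles already explain most of the assignments, and the residual list is the gap analysis that tells you where the remaining modeling effort belongs.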

I don’t agree 100%, but you won’t be far wrong if you adapt his list. Roles can make the rest of the identity management installation go more smoothly, quickly and efficiently – but only if you choose the right way to model those roles.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
