Overview
Role Management for Enterprises (RME) is a continuous process. Role definition is best accomplished incrementally, with feedback from staff in charge of all business entities. Facets of a well-defined role lifecycle are:
- Reduced time-to-service
- Audit, regulatory compliance and reporting capabilities
- Greater business involvement
Engiweb Security offers its customers RME tools and methodologies based on a structured role lifecycle. Our approach builds on the well-known PDCA model (Plan-Do-Check-Act; typically used in quality control) leading to what we call the IDEAS Role Lifecycle. It is an iterative four-step problem-solving process, as depicted in the previous figure.
The “plan” phase: define a role framework
In this phase, Engiweb Security helps establish objectives and identify the business processes necessary to deliver results according to RME project requirements. The first step is to assess the state of the organization and decide which “role model” to adopt. At this point in the project it is vital to define various factors such as role granularity, the minimum number of users justifying introduction of a new role, policies affecting role assignment, responsibilities (who is in charge of what), etc.
Roles can be rationalized over the whole organization or specialized per line of business; alternatively, a hybrid approach can be used. Once lines of business and business processes are identified, two kinds of roles can be designed:
- Enterprise roles related to user function. Such roles represent shared access permissions among all users for a given function. This is particularly useful for coarse-grained authorization.
- Functional roles related to access permissions involving a given application, location, task, etc.
The “do” phase: build and manage roles
This phase represents the implementation portion of a role management project. Using the IDEAS suite as an RME tool, it is possible to minimize the time to tangible results. IDEAS tools and methodologies help provide meaningful value early in the implementation process. For example, it is possible to define roles and implement user provisioning at the same time.
An important RME aspect concerns role building, a process in which the IDEAS Role Constructor offers great advantages. It helps address coarse-grained authorizations through role definition. A mixture of top-down and bottom-up role engineering approaches is supported. The IDEAS Role Constructor suggests candidate role sets based on the permissions actually assigned to users. This information is integrated with other higher-level data obtained either from the top-down analysis or derived from business requirements. The tool then proposes candidate roles based on user access and authorization information collected from a variety of sources.
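The bottom-up side of that process, as an added illustration written for this page rather than Engiweb's code (the page does not describe the Role Constructor's actual algorithm): starting from the permissions each account really holds on the target systems, every permission set shared in full by at least the minimum number of users fixed in the plan phase becomes a candidate role. The user names, permission strings and the `min_users` threshold are constructed sample values.

```python
from itertools import combinations

# Constructed sample input (hypothetical accounts and permission names):
# the permissions each account actually holds on the target systems.
USER_PERMISSIONS = {
    "alice": {"erp:read", "erp:post_invoice", "crm:read"},
    "bob":   {"erp:read", "erp:post_invoice", "crm:read"},
    "carol": {"erp:read", "erp:post_invoice"},
    "dave":  {"erp:read", "erp:approve_payment"},
    "erin":  {"erp:read", "erp:approve_payment"},
    "frank": {"hr:read"},
}


def mine_candidate_roles(user_permissions, min_users=2):
    """Bottom-up role mining.

    Every permission set held in full by at least `min_users` accounts becomes
    a candidate role; `min_users` is the "minimum number of users justifying a
    new role" threshold decided in the plan phase. Returns a list of
    (permissions, holders) pairs, most widely shared first.
    """
    users = sorted(user_permissions)
    # Candidate permission sets: each account's full set, plus whatever any two
    # accounts have in common, so partially overlapping accounts still yield a role.
    candidates = {frozenset(user_permissions[u]) for u in users}
    for a, b in combinations(users, 2):
        common = user_permissions[a] & user_permissions[b]
        if common:
            candidates.add(frozenset(common))
    # Support: an account holds a candidate if the candidate is a subset of its permissions.
    supported = {}
    for perms in candidates:
        holders = frozenset(u for u in users if perms <= user_permissions[u])
        if len(holders) >= min_users:
            supported[perms] = holders
    # Drop a candidate when a strictly larger permission set has exactly the same
    # holders: the larger set describes those accounts more completely.
    result = []
    for perms, holders in supported.items():
        redundant = any(perms < other and holders == supported[other] for other in supported)
        if not redundant:
            result.append((set(perms), set(holders)))
    result.sort(key=lambda r: (-len(r[1]), sorted(r[0])))
    return result


def summarize(user_permissions, min_users=2):
    """Print the proposed roles the way an analyst would review them."""
    for i, (perms, holders) in enumerate(mine_candidate_roles(user_permissions, min_users), 1):
        print(f"candidate_role_{i}: {sorted(perms)} held by {sorted(holders)}")


if __name__ == "__main__":
    summarize(USER_PERMISSIONS)
```

On the sample, the single-permission set `erp:read` is proposed first because all five ERP users hold it, while `frank`'s lone `hr:read` never reaches the threshold; raising `min_users` to 3 is the granularity decision of the plan phase made visible, and it prunes the two-user candidates. The candidates are input to the top-down review, not finished roles: the analyst still names them and reconciles them with business requirements.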
Fine-grained authorizations are provided through the IDEAS Profile Manager. This module enables the implementation of policies, rules, role attributes and user attributes. The SoD Engine prevents a user from acting in two incompatible roles at the same time. The IDEAS Profile Manager implements the candidate roles provided by the IDEAS Role Constructor. It maps roles to the purpose and structure of the organization while offering mechanisms to effectively articulate these characteristics and relationships. Thus, from an IT standpoint, a general mapping of roles to resources is realized.
Finally, roles are assigned to users through IDEAS Profile Provisioning. This module offers many RME-oriented user provisioning functions and is the natural complement to the IDEAS Profile Manager module.
A data-cleansing tool completes Engiweb Security's RME offering. It assists in the initial deployment of the IAM system in organizations, and it is essential for periodic auditing, particularly for finding inconsistencies between the data in the IDEAS identity repository and the actual authorizations scattered over all target systems.
Role management software, however, is not a panacea. The bigger challenge in a role management project is understanding the importance of business aspects and management involvement. In this sense, Engiweb Security can draw on its broad experience and tailored industry solutions to meet specific customer needs.
The “check” phase: conduct periodic audits and verify regulatory compliance
Fundamental to the RME process is monitoring and evaluating the role lifecycle process. Reporting the findings allows comparison of the results against established objectives and specifications. Periodic audits must be conducted in order to understand how privileges, owners, policies, exceptions and authorization workflows change. The IDEAS DataMart, IDEAS ALA and IDEAS Profile Manager provide various reports which simplify administration duties such as management review and attestation, regulatory compliance, SoD violations, least-privilege constraint analysis, etc. Typical reports identify:
- Who is granted what
- Who has approved an access request
- SoD violations
- Complete lists of all system administrators and user managers
- Lists of all unassigned roles
- …
Audit frequency must be based on company and, most of all, regulatory needs.
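The check-phase reports above, together with the data-cleansing reconciliation described in the “do” phase, as one added example written for this page (not IDEAS' data model or report code, which the page does not show). It assumes a repository that records role definitions and role-to-user assignments, a list of incompatible role pairs for the SoD check, and an export of what the target systems actually grant; all names and permissions are constructed sample values, and `bob`, `carol`, `dave` and `erin` are seeded with the kinds of findings an audit should surface.

```python
# Constructed sample data (hypothetical shapes, roles, users and permissions).
ROLES = {                      # role definitions: role -> permissions it grants
    "AP_Clerk":    {"erp:read", "erp:post_invoice"},
    "AP_Approver": {"erp:read", "erp:approve_payment"},
    "CRM_Viewer":  {"crm:read"},
    "HR_Viewer":   {"hr:read"},
}
ASSIGNMENTS = {                # identity repository: user -> assigned roles
    "alice": {"AP_Clerk", "CRM_Viewer"},
    "bob":   {"AP_Clerk", "AP_Approver"},   # constructed SoD conflict
    "carol": {"AP_Clerk"},
    "dave":  {"AP_Approver"},
}
SOD_RULES = [("AP_Clerk", "AP_Approver")]  # roles one person must never hold together
TARGET_AUTHZ = {               # what the target systems actually grant (export)
    "alice": {"erp:read", "erp:post_invoice", "crm:read"},
    "bob":   {"erp:read", "erp:post_invoice", "erp:approve_payment"},
    "carol": {"erp:read", "erp:post_invoice", "erp:delete_invoice"},  # granted outside any role
    "dave":  {"erp:read"},                                            # role not fully provisioned
    "erin":  {"hr:read"},                                             # account unknown to repository
}


def expected_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """'Who is granted what': permissions a user should hold, derived from roles."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def sod_violations(assignments=ASSIGNMENTS, rules=SOD_RULES):
    """Users holding both halves of an incompatible role pair."""
    return sorted(
        (user, a, b)
        for user, held in assignments.items()
        for a, b in rules
        if a in held and b in held
    )


def unassigned_roles(assignments=ASSIGNMENTS, roles=ROLES):
    """Defined roles no user holds: candidates for retirement in the act phase."""
    used = set().union(*assignments.values())
    return sorted(set(roles) - used)


def reconcile(assignments=ASSIGNMENTS, roles=ROLES, target=TARGET_AUTHZ):
    """Data-cleansing view: repository-derived permissions versus target-system reality.

    Returns (user, kind, detail) tuples: 'excess' for a permission granted on the
    target but explained by no role, 'missing' for a role-granted permission the
    target lacks, 'orphan_account' for a target account absent from the repository.
    """
    findings = []
    for user in sorted(set(assignments) | set(target)):
        if user not in assignments:
            findings.append((user, "orphan_account", frozenset(target[user])))
            continue
        expected = expected_permissions(user, assignments, roles)
        actual = target.get(user, set())
        findings.extend((user, "excess", p) for p in sorted(actual - expected))
        findings.extend((user, "missing", p) for p in sorted(expected - actual))
    return findings


if __name__ == "__main__":
    for user in sorted(ASSIGNMENTS):
        print(f"{user}: {sorted(expected_permissions(user))}")
    print("SoD violations:", sod_violations())
    print("Unassigned roles:", unassigned_roles())
    for finding in reconcile():
        print("Inconsistency:", finding)
```

Each finding maps to an act-phase action the text lists: the SoD violation on `bob` needs one role removed or an approved exception recorded, `carol`'s `erp:delete_invoice` is either a direct grant to revoke or a gap in the role model, `dave`'s missing permission is a provisioning failure, `erin` is an account to reconcile or disable, and `HR_Viewer` is an unused role to review. Running the same comparison after each provisioning cycle is what makes the audit frequency decision above concrete.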
The “act” phase: improve the system
As we previously said, role definition is best accomplished incrementally. Therefore, the necessary action is taken in response to the objective evidence gathered in the check phase. This requires reviewing all steps (“plan”, “do”, “check”, “act”) and improving the process before its next iteration. Role maintenance, new role definition and efficiency analysis of existing roles are supported by the IDEAS Role Constructor. The IDEAS DataMart, IDEAS ALA and IDEAS Profile Manager provide reports indicating what should be modified (e.g. SoD violations to be corrected, inconsistencies to be resolved, unused roles, etc.).