PATECCO | News & Blog

10 Key Steps to Role Based Access Control

Role management provides the framework an enterprise needs for effective access governance over sensitive data, and it is also recognized as the best practice for strict control of the employee lifecycle. The problem arises when people change roles and gain access to additional systems: corporations are good at getting people the access they need, but poor at taking away what is no longer required.

As an IAM company, PATECCO uses several key solutions such as provisioning, governance, multifactor authentication, and user and role management. Together they provide full-featured business process workflow capabilities, easy-to-use and secure self-service for password management, sophisticated role mining, discovery and analysis functionality, true platform independence, and multi-level segregation of duties management and reporting. Throughout that management process, roles are the core component of Identity Management. They now need to support new business-oriented functions, and they are subject to a request and approval procedure.

In that context, we share the 10 key steps to Role Based Access Control that provide successful Access Governance in the enterprise:

  • Step 1: Create an identity warehouse
    – Leverage the purchase with a quick win: password self-service functionality
    – Platform coverage should be a key purchasing decision
    – You will still need to build custom feeds for legacy systems, externally hosted systems and proprietary security systems
    – Move to directory services whenever possible
    – Don’t just buy an IAM suite for “automated provisioning”; focus on role management
  • Step 2: Establish enterprise role management
    – Either design and build, or purchase, a role management product
    – Ensure the product can meet business requirements
    – Include role management, role mining and role attestation as bare-minimum requirements
    – There are plenty of choices on the market now


  • Step 3: Define application roles
    – Create application roles; don’t attempt enterprise roles on day one, and don’t attempt to link roles to HR
    – Map one or more access groups into each application role, leveraging documentation, group comments and group description fields
    – Add entitlements to provide flexibility
    – Combine like entitlements that have been applied on multiple platforms
  • Step 4: Conduct online role attestation
    – Validate the assignments of application functionality to users
    – Must be in business terms: no acronyms, no technical terms, no security-specific terms
    – Provide timely adjustments
  • Step 5: Adjust the request system
    – Change your request system to request via application roles instead of “IT technical lingo”
    – Immediate business value
    – Generate processes to keep role management in sync
    – Show what access is in place, and let requesters add or remove checks
    – My advice: do not make automated provisioning your goal just yet


  • Step 6: Create enterprise roles
    – Go to each line of business with a plan
    – Assign role ownership, usually to the manager
    – Allow for multiple enterprise roles per person
    – Advice: don’t try to align with HR job codes
    – KISS: don’t focus on keeping roles to a minimum; you have role management software to deal with the complexity
    – Adjust your role approval processes
  • Step 7: Transparency: conduct online role attestation
    – Validate the assignments of enterprise roles to users
    – Must be in business terms: no acronyms, no technical terms, no security-specific terms
    – Provide drill-down capabilities to application roles
  • Step 8: Adjust the request system (again)
    – Change your request system to request enterprise roles instead of application roles
    – New request type: grant an enterprise role access to an application role
    – Tremendous business value
    – Generate processes to keep role management in sync
    – Again, show what access is in place, and let requesters add or remove checks
    – Automation of provisioning is best done at this phase
  • Step 9: Segregation of Duties analysis
    – Solicit input from internal audit
    – Solicit input from risk management
    – Define mutually exclusive application roles and do not allow an enterprise role to hold both
  • Step 10: Leverage and measure
    – Extend role management from internal employees to customers, suppliers, business partners, etc.
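The Step 9 rule as an added Python example (not PATECCO's code): it models the hierarchy the steps describe (enterprise roles granting application roles, people holding several enterprise roles) with constructed sample data, checks that no enterprise role contains both halves of a mutually exclusive pair, and goes one step beyond the page by also checking the combined application roles a person reaches through multiple enterprise roles (Step 6). The role names, rules and assignments are all assumptions made for the example.

```python
# Added example, not PATECCO's code. All role names, SoD rules and
# user assignments below are constructed sample data.

# Enterprise role -> application roles it grants (Steps 6 and 8).
ENTERPRISE_ROLES = {
    "Accounts Payable Clerk": {"AP: Create Vendor", "AP: Enter Invoice"},
    "AP Supervisor": {"AP: Approve Payment", "AP: Run Payment Batch"},
    "Purchasing Agent": {"PO: Create Order", "AP: Enter Invoice"},
    "Finance Admin": {"AP: Create Vendor", "AP: Approve Payment"},
}

# Mutually exclusive application-role pairs, normally supplied by internal
# audit and risk management (Step 9). Order within a pair does not matter.
SOD_RULES = [
    ("AP: Create Vendor", "AP: Approve Payment"),
    ("PO: Create Order", "AP: Approve Payment"),
]

# A person may hold several enterprise roles (Step 6).
USER_ROLES = {
    "alice": {"Accounts Payable Clerk"},
    "bob": {"AP Supervisor", "Purchasing Agent"},
    "carol": {"Finance Admin"},
}


def _conflicts(app_roles):
    """Return every SoD pair that is fully contained in a set of application roles."""
    return [pair for pair in SOD_RULES if set(pair) <= app_roles]


def enterprise_role_violations():
    """Step 9 rule: an enterprise role may never hold both halves of a pair."""
    found = {name: _conflicts(apps) for name, apps in ENTERPRISE_ROLES.items()}
    return {name: pairs for name, pairs in found.items() if pairs}


def effective_app_roles(user):
    """Drill-down (Step 7): union of application roles over all of a user's enterprise roles."""
    return set().union(*(ENTERPRISE_ROLES[r] for r in USER_ROLES[user]))


def user_violations():
    """Toxic combinations that only appear once several enterprise roles are combined."""
    found = {u: _conflicts(effective_app_roles(u)) for u in USER_ROLES}
    return {u: pairs for u, pairs in found.items() if pairs}


if __name__ == "__main__":
    print("Enterprise roles violating SoD:", enterprise_role_violations())
    print("Users violating SoD:", user_violations())
```

In the sample data "Finance Admin" fails the Step 9 check on its own, while "bob" is clean per enterprise role but toxic once both of his roles are combined, which is why the second check is worth running alongside the first.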

Author: Dr. Ina Nikolova