Big Sky Thinking

Thursday, August 06, 2009

Role-Based Access Control – Where to Begin - Part II

In Part I of this series we discussed the benefits of implementing Role-Based Access Control. In order to realize these benefits, we need to understand which applications an organization's employees use to be productive in their jobs.

Question: How does someone go about developing a coherent and consistent definition of Roles across the information systems?

Answer: Application Portfolio Management (APM) and Application Rationalization

Application rationalization can help address the following:
  • Identify users that do not need access to the application
  • Establish a baseline for each position and how it uses the information in applications
  • Identify the types of access required for each job/position
  • Prioritize applications and identify the best candidates for RBAC implementation
Application Rationalization Step 1 - Eliminate the obvious

A good starting point to cleaning up this mess is to reach out to the application owners for the most sensitive/risky applications and show them the departmental positions that use the application and ask if those positions have the appropriate access. The application owners provide the first cut, eliminating those users in positions (and departments) who should never have access to the application.

Application Rationalization Step 2 - Identify the real needs

The next step is to go to the business managers in each respective department and get their approval as to which information and applications are required for each position.
  • Remove users from applications they no longer need access to or use.
  • Align information access with job responsibility/position.
  • Prioritize applications that will benefit the most from RBAC automation.
At the end of this exercise, you will have cleaned up the application environment – having both removed departments and users who are in job functions that should never have access, and having eliminated users who should no longer have access based on their current job responsibilities.

Application Rationalization Step 3 - Final Step
  • Obtain buy-in from stakeholders: managers, application owners and users.
Now all people in the same position will have access to the same applications. Determining the access each position requires makes it much easier to define roles and determine what applications a person should have access to and at what level. And that will be the focus of Part III of our RBAC series.
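The three rationalization steps above, worked through on a constructed entitlement export as an added example (not code from the original post): the owner cut removes departments that should never have access, the manager cut removes access a position does not require, what survives becomes the per-position baseline, and a simple usage count ranks applications for RBAC rollout. The user, department, position and application names are made up.

```python
from collections import defaultdict

# Constructed sample data: one row per (user, department, position, application) entitlement.
ACCESS_RECORDS = [
    ("alice", "Finance", "AP Clerk", "GL"),
    ("heidi", "Finance", "AP Clerk", "GL"),
    ("carol", "Finance", "Controller", "GL"),
    ("carol", "Finance", "Controller", "Payroll"),
    ("dave", "Marketing", "Designer", "GL"),       # Step 1 cut: Marketing never needs GL
    ("dave", "Marketing", "Designer", "CMS"),
    ("erin", "Finance", "AP Clerk", "Payroll"),    # Step 2 cut: AP Clerks do not need Payroll
    ("frank", "HR", "HR Analyst", "Payroll"),
]
# Step 1: application owners name departments that should never have access.
OWNER_EXCLUSIONS = {"GL": {"Marketing"}}
# Step 2: business managers approve the applications each position requires.
MANAGER_APPROVALS = {
    ("Finance", "AP Clerk"): {"GL"},
    ("Finance", "Controller"): {"GL", "Payroll"},
    ("HR", "HR Analyst"): {"Payroll"},
    ("Marketing", "Designer"): {"CMS"},
}

def positions_by_application(records):
    """What to show each application owner: the (department, position) pairs using the app."""
    usage = defaultdict(set)
    for _user, dept, pos, app in records:
        usage[app].add((dept, pos))
    return dict(usage)

def rationalize(records, owner_exclusions, manager_approvals):
    """Apply the owner cut, then the manager cut. Returns (removals, baseline) where
    removals lists (user, app, reason) and baseline maps (dept, position) -> approved apps in use."""
    removals, baseline = [], defaultdict(set)
    for user, dept, pos, app in records:
        if dept in owner_exclusions.get(app, set()):
            removals.append((user, app, "owner: department should never have access"))
        elif app not in manager_approvals.get((dept, pos), set()):
            removals.append((user, app, "manager: not required for this position"))
        else:
            baseline[(dept, pos)].add(app)
    return removals, dict(baseline)

def prioritize(records):
    """Heuristic rollout order: apps with the most users, then the most positions, first."""
    users, positions = defaultdict(set), defaultdict(set)
    for user, dept, pos, app in records:
        users[app].add(user)
        positions[app].add((dept, pos))
    return sorted(users, key=lambda a: (-len(users[a]), -len(positions[a]), a))
```

The removals list is what goes back to the owners and managers for sign-off in Step 3; the baseline is the raw material for the role library in Part III.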

Coming soon: Role Based Access Control – Building your Role Library - Part III


Monday, August 03, 2009

Key Takeaways from The Burton Group’s Catalyst Conference, Part 2.

At first glance, the term “social networking” seems to have no place in the work environment. After all, “social” activities are all those things that take place after the work day has ended, right? Actually, what you’ll find now is that companies are beginning to leverage the power and insight that social network maps provide. Craig Roth and Chris Howard, both from the Burton Group, gave a good presentation on the current uses of social networks in organizations.

If you think about it, a social network just describes the connections between people. Those connections could be shared interests or collaborative relationships. Within an organization, hierarchies such as org charts and reporting chains are built, but networks happen. Networks develop based on friendship, work interests / requirements, tasks, etc. The challenge for organizations is not how to artificially build networks, but how to leverage the organic networks that naturally happen. Some organizations are mapping those social networks using data mining techniques. By doing so, organizations can identify key subject matter experts, individuals who are collaborators, information owners, etc. By having these social maps, organizations can actively improve their operations through the encouragement of positive behaviors and individuals.

For organizations wanting to leverage social networking in the workplace, there are a few recommendations:
  • Deemphasize issues of age or “coolness” – social networks happen regardless of age and aren’t necessarily linked to present technology such as Facebook or Twitter.
  • Don’t dismiss the human dimension of the organizational environment – any organization that consists of people is a social organization. Accept it.
  • Engage early with IT departments – Develop appropriate tools to determine and build the network.
  • Be mindful of issues of privacy and security – Mine only data that is valuable and be transparent with your organization about what you are doing.