Role-Based Access Control – Where to Begin - Part II

In Part I of this series we discussed the benefits of implementing Role-Based Access Control. In order to realize these benefits, we need to understand what applications their employees use to be productive in their jobs.

Question: How does someone go about developing a coherent and consistent definition of Roles across the information systems?

Answer: Application Portfolio Management (APM) and Application Rationalization

Application rationalization can help address the following:

• Identify users that do not need access to the application
• Establish a baseline for each position and how they use the information in applications
• Identifies types of access required for each job/position
• Prioritizes applications and identifies best candidates for RBAC implementation

Application Rationalization Step 1 - Eliminate the obvious

A good starting point to cleaning up this mess is to reach out to the application owners for the most sensitive/risky applications and show them the departmental positions that use the application and ask if those positions have the appropriate access. The application owners provide the first cut, eliminating those users in positions (and departments) who should never have access to the application.

Application Rationalization Step 2 -Identify the real needs

The next step is to go to the business managers in each respective department and get their approval as to which information and applications are required for each position.

• Remove user from applications they no longer need access to or use.
• Align information access with job responsibility/position.
• Prioritize applications that will benefit the most from RBAC automation

At the end of this exercise, you will have cleaned up the application environment – having both removed departments and users who are in job functions that should never have access, and having eliminated users who should no longer have access based on their current job responsibilities.

Application Rationalization Step 3 - Final Step

• Obtain buy-in from stake holders: Managers, Application owners and users.

Now all people in the same position will have access to the same applications. Determining the access each position requires makes it much easier to define roles and determine what applications a person should have access to and at what level. And that will be the focus of Part III of our RBAC series.

Coming soon: Role Based Access Control – Building your Role Library - Part III

Burton Group Catalyst Conference: Roles-Based Access Control Highlights

Today was the first day of the Catalyst Conference general sessions and a number of the sessions that I attended were focused on Identity Management and in particular RBAC. At Big Sky we have always asserted that Identity Management begins with defining the core business processes behind on-boarding and off-boarding users (employees, contractors, etc.) It’s nice to hear from the Catalyst presenters that organizations that have experience in implementing RBAC have a similar point of view; successful implementations start with the process and not by mapping system privileges. Begin at the top and drill down to the details. A summary of the key areas that need to be understood when defining roles:

1. What does each person do in their position? (e.g., DILO study of work processes)
   
2. How do we optimize the processes for that position? (What are the value-added decisions and activities), and then
   
3. Understand what applications that person needs to be effective within that process. (Determine how to best accomplish tasks and share information)

The roles definition will naturally fall out of this exercise and allow the business need to drive the IT implementation. After all, the effectiveness of the roles you define depends on properly matching the right entitlements with the right user in the right position.