Part 1: Defining Roles for IAM – Begin at the Top!

Role-based access control is invaluable when implemented correctly. Roles simplify access management for employees, contractors, and external users by encoding the business policies and rules that determine appropriate access, allowing the identity management solution to grant, modify and revoke access automatically. Just as importantly, roles simplify compliance: they make it easier to pass security audits and to demonstrate which systems a user can access and why.

The challenge with roles is defining them properly. This post is the first in a four-part series on helping organizations define roles that reach their 'Target End State', where roles accurately reflect the entitlements and access users should have based on their relationship to the organization. Role-mining tools can help us understand the access users currently hold when defining a role, but the old adage "garbage in, garbage out" applies: mining entitlements that are already wrong (stale access from previous positions, over-provisioned departments) produces roles that bake those mistakes in. To avoid this problem, we recommend beginning with a top-down approach that cleans up user access before applying a mining tool to the user access data.

The process we use to define roles begins with a top-down clean-up of user access:

  1. Begin by reaching out to the system owners to understand the applications, how access is granted, and who should have access.
  2. Meet with managers in each department to understand what applications their people need to do their jobs. This is a greenfield approach: you ask managers to define what access is needed, by job description, for each of their direct reports, without reference to what those people hold today.
  3. Evaluate access to the higher-risk / higher-priority applications first, with the system owner, and review the roles used by each department. The key question to answer is, "Should the department have those roles?" At this point the system owner can remove users who should not have access to their application(s). Following the evaluation:
    1. Remove departments and users who should not have any access.
    2. Remove users from applications they should no longer have access to (e.g., the position they are in now no longer requires access to the application).
  4. Meet with the business line managers and review the approved applications. Business owners will have to approve their users' access to applications going forward.
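The following is an added example, not code from the original post or from any particular identity management product. It shows why the clean-up comes before the mining. The HR feed, entitlement pull and manager-approved access below are constructed and the names are hypothetical. Step 2's greenfield definitions are modelled as an `APPROVED` map from job to entitlements; step 3's system-owner review is the difference between that map and current access, grouped by application; and a naive role miner (entitlements held by a majority of the people in a job) is run on the raw data and again on the cleaned data.

```python
from collections import defaultdict

# Constructed HR feed: user -> (department, job title). Hypothetical names.
USERS = {
    "alice": ("Finance", "Accountant"),
    "bob":   ("Finance", "Accountant"),
    "carol": ("Finance", "Accountant"),
    "dave":  ("Marketing", "Coordinator"),
    "erin":  ("Sales", "Rep"),
}

# Constructed entitlement pull from the applications: (user, app, entitlement).
CURRENT_ACCESS = {
    ("alice", "GL-Ledger", "post_journal"), ("alice", "GL-Ledger", "view"),
    ("bob",   "GL-Ledger", "post_journal"), ("bob",   "GL-Ledger", "view"),
    ("carol", "GL-Ledger", "post_journal"), ("carol", "GL-Ledger", "view"),
    # Stale access alice and bob kept from a previous position in HR.
    ("alice", "HR-System", "view_salary"), ("bob", "HR-System", "view_salary"),
    # A department with no business need for the ledger at all.
    ("dave",  "GL-Ledger", "view"),
    ("erin",  "CRM", "edit_opportunity"),
}

# Greenfield definition from department managers (step 2): what each job needs.
# Jobs absent from this map have no approved access.
APPROVED = {
    ("Finance", "Accountant"): {("GL-Ledger", "post_journal"), ("GL-Ledger", "view")},
    ("Sales", "Rep"): {("CRM", "edit_opportunity")},
}

# Applications reviewed first with their system owners (step 3).
HIGH_RISK_APPS = {"GL-Ledger", "HR-System"}


def excess_access(users, current, approved):
    """Entitlements a user holds that the manager's job definition does not grant."""
    excess = set()
    for user, app, ent in current:
        allowed = approved.get(users.get(user), set())
        if (app, ent) not in allowed:
            excess.add((user, app, ent))
    return excess


def removals_by_app(excess, apps=None):
    """Group excess by application so each system owner gets a removal list."""
    by_app = defaultdict(set)
    for user, app, ent in excess:
        if apps is None or app in apps:
            by_app[app].add((user, ent))
    return dict(by_app)


def mine_roles(users, access, min_support=0.6):
    """Naive role mining: entitlements held by >= min_support of the people in a job."""
    members = defaultdict(set)                        # job -> users in that job
    holders = defaultdict(lambda: defaultdict(set))   # job -> entitlement -> holders
    for user, job in users.items():
        members[job].add(user)
    for user, app, ent in access:
        if user in users:
            holders[users[user]][(app, ent)].add(user)
    roles = {}
    for job, ents in holders.items():
        n = len(members[job])
        role = {e for e, who in ents.items() if len(who) / n >= min_support}
        if role:
            roles[job] = role
    return roles


def clean_then_mine(users, current, approved, min_support=0.6):
    """The top-down approach: remove excess access first, then mine what is left."""
    cleaned = current - excess_access(users, current, approved)
    return mine_roles(users, cleaned, min_support)


if __name__ == "__main__":
    excess = excess_access(USERS, CURRENT_ACCESS, APPROVED)
    for app, items in sorted(removals_by_app(excess, HIGH_RISK_APPS).items()):
        print(f"{app}: remove {sorted(items)}")
    accountant = ("Finance", "Accountant")
    print("mined on raw data:   ", sorted(mine_roles(USERS, CURRENT_ACCESS)[accountant]))
    print("mined after clean-up:", sorted(clean_then_mine(USERS, CURRENT_ACCESS, APPROVED)[accountant]))
```

Run as-is, the raw mining pass puts `HR-System/view_salary` into the Accountant role because two of the three accountants still carry it from their old jobs; the miner has no way to know that is stale. After the system-owner removals the mined Accountant role matches the manager's definition exactly, and the Marketing coordinator, whose only entitlement was removed, gets no role at all. Real role-mining tools use more sophisticated clustering, but they face the same limitation: they can only reflect the access they are given.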
