Role-based Access Control in Large Organizations
By Hanno Ekdahl
As organizations grow, accurately and efficiently managing the access their users need to systems and applications becomes increasingly difficult. To offset this complexity, most organizations invest in an identity management (IDM) solution to automate user provisioning and provide a central place to administer users and access. As organizations mature their IDM solutions, they look to enable role-based access control (RBAC) to further automate user access and better support their audit and compliance requirements.
The benefits of role management for user identity include simplified administration, scalability to large user communities, and improved security integrity across the enterprise. Establishing roles sets the foundation for automating additional identity and access management tasks, such as resource provisioning, and simplifies access reviews and compliance tasks. For RBAC to succeed, a complete and correct set of roles must be created, which requires a significant investment of time and resources. The burning question is: are roles realistic in a large company?
A large organization decided to build roles by following both a top-down and a bottom-up role engineering approach. They started by assessing business roles in a top-down fashion based on organizational structures and business functions. The top-down role engineering process focuses on job functions and any other characteristics considered relevant for access control. In addition to job functions, other role sources included information on job responsibilities, organizational position, and authority drawn from HRIS data (e.g., job family, job code).
The organization went through several iterations of their top-down analysis and found that the most effective method was to bring the system owner into the fold when creating the role and ask: What applications do your employees use? What application roles do your people need to do their jobs? They documented what they learned and then moved on to the next business line.
In order to validate the roles they had identified, they took the following steps:
- They went to the owners of the riskiest applications and showed them the roles used by the department and asked them if it was appropriate for the department to have those roles. Based on the feedback they approved or removed access to those applications. [Application Owner validation]
- Then went to managers in business lines and said, “it’s okay for you to use these applications; however, you as a business owner have to approve their access to these applications and assume some of the risk”. This approach drove a sense of ownership to the business and required them to formally acknowledge and accept the risk. [Business access review/acceptance of risk]
- Last, they cleaned up the application environment: removed departments and users who should never have had access, and eliminated users who should no longer have access. [Final access clean up]
At this point, the organization had not built any roles yet; they had only cleaned up the applications and who has access to them. Business roles (i.e., job responsibilities) simplify the process of determining what users should have access to, based on who they are and what they need to be able to do in their business function. The next step was to initiate the role engineering process by developing a set of roles from existing user-permission assignments, once the top-down analysis and clean up were complete. This bottom-up approach required mining existing user-permission assignments across different access control repositories.
Are Roles Realistic In A Large Company?
Roles have to survive after they are created: mergers, reorganizations, application changes, and the like. This leads to the following open questions:
- What’s the value of these Roles?
- Do they help with compliance? Provisioning?
- Can they be maintained?
Answering these questions changed how the organization created and maintained roles and how it certified access.
The Value of Roles
- Access certifications are much simpler because only access outside the role is the concern
- Coming into compliance and demonstrating compliance to many regulations is easier
- Drastic reduction in the risk associated with accounts. Managers now understand what people should have access to, because they helped define the roles themselves. The system owner and the business managers work together and share a common view.
- Account lifecycle is better controlled across the entire digital identity lifecycle – “joiners, leavers, and movers”
Simplified Compliance and Provisioning with Access Control
RBAC simplifies audit compliance by providing a structured and centralized approach to access control, facilitating auditing and compliance reporting, and helping organizations better manage their access control activities. The certification process is faster because certifications only need to cover access that falls outside the role, so for almost every individual there are only a few items to review. Managers review access outliers: individual application entitlements that are not part of the user's role.
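The bottom-up role mining described earlier (deriving candidate roles from existing user-permission assignments) and the outlier-only certification described in this section can be shown on a small dataset. The following is an added example, not code from the article or from any IDM product. The users, departments, applications and entitlements are constructed, and the mining rule (an entitlement joins a department's candidate role when at least 80% of that department's users already hold it) is an assumption chosen for illustration; real role-mining tools use richer clustering, but the principle is the same.

```python
"""Bottom-up role mining and outlier certification over a constructed dataset.

Added example; not from the original article. All users, departments,
applications and entitlements below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample of existing user-permission assignments, as an IDM
# system might export them after the top-down clean-up:
# (user, department, application, entitlement).
ASSIGNMENTS = [
    ("alice", "AP", "erp",   "ap_clerk"),
    ("alice", "AP", "email", "mailbox"),
    ("bob",   "AP", "erp",   "ap_clerk"),
    ("bob",   "AP", "email", "mailbox"),
    ("carol", "AP", "erp",   "ap_clerk"),
    ("carol", "AP", "email", "mailbox"),
    ("carol", "AP", "erp",   "vendor_admin"),   # not held by AP peers
    ("dave",  "AP", "email", "mailbox"),
    ("dave",  "AP", "erp",   "ap_clerk"),
    ("dave",  "AP", "hr",    "payroll_view"),   # not held by AP peers
    ("gina",  "AP", "erp",   "ap_clerk"),       # lacks the AP mailbox
    ("erin",  "HR", "hr",    "payroll_view"),
    ("erin",  "HR", "email", "mailbox"),
    ("frank", "HR", "hr",    "payroll_view"),
    ("frank", "HR", "email", "mailbox"),
]


def mine_roles(assignments, threshold=0.8):
    """Derive one candidate role per department: every (app, entitlement)
    held by at least `threshold` of that department's users.

    Returns {department: set of (app, entitlement)}. The threshold is an
    assumed tuning knob; 1.0 would only keep entitlements held by everyone.
    """
    members = defaultdict(set)                       # dept -> users
    holders = defaultdict(lambda: defaultdict(set))  # dept -> perm -> users
    for user, dept, app, ent in assignments:
        members[dept].add(user)
        holders[dept][(app, ent)].add(user)
    return {
        dept: {perm for perm, who in holders[dept].items()
               if len(who) >= threshold * len(users)}
        for dept, users in members.items()
    }


def certification_items(assignments, roles):
    """Entitlements a user holds outside their department role.

    These are the only items a manager must review during certification;
    everything inside the role was approved when the role was defined.
    Returns {user: sorted list of (app, entitlement)} for users with outliers.
    """
    outliers = defaultdict(set)
    for user, dept, app, ent in assignments:
        if (app, ent) not in roles.get(dept, set()):
            outliers[user].add((app, ent))
    return {user: sorted(perms) for user, perms in outliers.items()}


def missing_entitlements(assignments, roles):
    """Role entitlements a user does not yet hold: provisioning candidates
    once the role is approved. Returns {user: sorted list of (app, ent)}."""
    held = defaultdict(set)
    dept_of = {}
    for user, dept, app, ent in assignments:
        held[user].add((app, ent))
        dept_of[user] = dept
    gaps = {}
    for user, dept in dept_of.items():
        missing = roles.get(dept, set()) - held[user]
        if missing:
            gaps[user] = sorted(missing)
    return gaps


if __name__ == "__main__":
    roles = mine_roles(ASSIGNMENTS)
    for dept, perms in sorted(roles.items()):
        print(f"candidate role for {dept}: {sorted(perms)}")
    print("certification items:", certification_items(ASSIGNMENTS, roles))
    print("provisioning gaps:", missing_entitlements(ASSIGNMENTS, roles))
```

With this data the AP candidate role is {erp/ap_clerk, email/mailbox} and the HR role is {hr/payroll_view, email/mailbox}; the certification list shrinks to two users (carol's vendor_admin and dave's payroll_view), and gina surfaces as a provisioning gap rather than a certification item. In practice the candidate roles go to the application owner and business manager for the validation steps described above before anything is provisioned from them.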
Maintaining Roles in a Large Organization
- Conduct attestation reviews on the schedule approved during role creation
- Report role attestation status to the governance team
- Update roles based on changes to the organization, permissions/applications, audit requirements or other drivers, and submit a new candidate role for ID Governance to review and approve (this includes retiring the role if appropriate)
- Review IAM organization processes and identify areas to improve leveraging Roles and/or automation
- Review and monitor business and technical role structure/layers
- Monitor and update Role Segregation of Duties
- Conduct formal reviews through ID Governance structure/process and approve or refine
- Deploy updated roles and retire roles that are no longer needed
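Monitoring Segregation of Duties (SoD) across roles, as listed above, is one maintenance task that can be checked mechanically. The following is an added example rather than anything from the article: it takes a constructed set of roles, SoD rules expressed as pairs of entitlements that must not be held together, and user-to-role assignments, and reports both roles that are toxic on their own and users whose combination of roles creates a violation the individual roles do not. The role and rule names are assumptions for illustration.

```python
"""Segregation-of-Duties checks over roles and user role assignments.

Added example; not from the original article. Roles, rules and users are
constructed for illustration.
"""

# Constructed roles: role name -> set of (application, entitlement).
ROLES = {
    "ap_clerk":    {("erp", "create_invoice"), ("erp", "create_vendor")},
    "ap_approver": {("erp", "approve_payment")},
    # A role that bundles creation and approval is toxic on its own.
    "ap_super":    {("erp", "create_vendor"), ("erp", "approve_payment")},
}

# Constructed SoD rules: pairs of entitlements no single identity may hold.
SOD_RULES = [
    (("erp", "create_vendor"), ("erp", "approve_payment")),
    (("erp", "create_invoice"), ("erp", "approve_payment")),
]

# Constructed user -> roles assignments. carol holds two individually
# clean roles whose union violates both rules.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},
    "dave":  {"ap_super"},
}


def violated_rules(entitlements, rules):
    """Return the SoD rules (in rule order) whose both sides are present."""
    return [rule for rule in rules if rule[0] in entitlements and rule[1] in entitlements]


def role_violations(roles, rules):
    """Roles that are toxic by themselves: {role: [violated rules]}."""
    result = {}
    for role, perms in roles.items():
        hits = violated_rules(perms, rules)
        if hits:
            result[role] = hits
    return result


def user_violations(user_roles, roles, rules):
    """Users whose combined role entitlements violate a rule, even when each
    role is clean on its own: {user: [violated rules]}."""
    result = {}
    for user, assigned in user_roles.items():
        effective = set().union(*(roles[r] for r in assigned)) if assigned else set()
        hits = violated_rules(effective, rules)
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    print("toxic roles:", role_violations(ROLES, SOD_RULES))
    print("users in violation:", user_violations(USER_ROLES, ROLES, SOD_RULES))
```

The role-level check belongs in the ID Governance review before a candidate role is approved; the user-level check has to run continuously, because movers accumulate roles and a violation can appear without any role changing.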
Maintaining accurate roles is critical to a successful Role-Based Access Control (RBAC) capability in large organizations. To maintain accurate roles, it is essential to conduct regular reviews of roles and their associated permissions, and to ensure that all changes to roles and permissions are properly documented and communicated to the relevant parties. It is also important to monitor user activity and access to identify anomalies or potential security threats.
Additionally, it is essential to involve stakeholders from various departments to ensure that roles reflect the needs of the organization and are aligned with the overall business objectives. By following these best practices, organizations can maintain a healthy and effective RBAC solution that promotes security, enhances efficiency, and minimizes the risks associated with data breaches and unauthorized access.
You can always contact Idenhaus to see what RBAC can bring to your large organization. Talk to us today!