Defining Role Management – Part 3
I received a very interesting observation from Mark MacAuley (http://identitystuff.blogspot.com) in response to my last post about role management.
Another thought here – how does an organization engineer out laziness? In a
former position I was doing implementations of (unnamed) product and
inevitably when the topic of roles came up I saw just about everything from a
10,000 user account with 30,000 roles (literally) to so many authoratative
sources, I recommended that they just start over. In any case, what drives a lof
the dirty data is laziness, in my opinion. It is far easier (in labor and
political capital) to just create a new role than to map to an existing role or
worse take it to committee to get set up.
Mark’s experience points to one of the top reasons why role management projects fail – role proliferation. And what he attributes to laziness, I attribute to the lack of a well defined role management process. This is where the role definition process I brought up in my last post, and the role lifecycle tools become critical.
The role definition process adds discipline to the act of creating roles by making sure that roles are being defined correctly and are being kept up to date. It does this by using the right mix of tools, data and procedure.
A good role mining tool will not only suggest new roles, but also suggest enhancements to existing roles as new business needs are added into the mix. And elements of role lifecycle management bring in additional discipline. Role attestation ensures that appropriate individuals are tasked with making sure that the roles in existence are still relevant and valid. Role re-factoring analysis looks for possible convergence points and synergies across different roles. Good role mappings between enterprise, departmental and application roles allows for the creation of a scalable model that does not push the problem (and numbers) up to a higher level than necessary.
One thing that Mark also points out is the politics involved in roles (an d identity management in general). While a good role architecture that takes the various strata of roles – enterprise, department and application – does help a little, it is ultimately a problem that can only be solved through a combination of teamwork, business rules and corporate standards. And an understanding of the benefits that good role management will bring to all.