Role Models in IGA
Role models come in all shapes and sizes. They can be parents, teachers, managers, athletes, musicians and more. Just about everyone has role models they look to that act as guideposts for desired successes, behaviors, achievements, or accolades. In identity security, a proper role model is similarly an aspirational tool.
Role modeling is an integral part of the best practices that keep identities in conformance with 'least privilege': each identity holds only the access it needs to perform its job. When done properly, a role-based approach makes granting access repeatable and establishes a role governance process; if the role model is not sufficiently developed, the entire Identity Governance & Administration (IGA) project will be delayed. While role models can be difficult to define and maintain, they are critical to an organization's ability to oversee who has what access, and why, not to mention the efficiency gains from automatically granting and revoking default access rights for joiners, movers and leavers. Here's how to get buy-in and kickstart an efficient and effective role model.
What is a Role
First, a role is an aggregate of policies, entitlements and business contexts that coalesce into a named function grouping similar types of identities. Ideally, roles relate to certifiable traits like job titles or organizational responsibilities, but it isn't always this simple: a role that is not defined properly can range from abstract to completely opaque to the people who have to approve and certify it. In either case, roles are easier to manage than individual access rights, because similar identities can be assigned the same role according to what they need to perform their daily functions. In practice this means bundling application-specific entitlements, such as LDAP group memberships, mailbox access, or privileges inside a business application, under one name.
The most common role types tend to be application roles that grant access to a single application or system, technical roles for people that need to perform administrative tasks, and business roles that relate to one’s position or work responsibility. While these do seem like easy buckets to characterize role modeling, roles are challenging to design, harder yet to maintain, and hardest to delete. This is due to the complex web of entitlements that are woven throughout every organization.
Role modeling is a constant exercise that requires an iterative approach supporting the introduction of new roles, the modification of existing roles, and the decommissioning of obsolete ones, all of which vary in complexity. However, before getting into the weeds, the first checkpoint in any project is to determine the goals and scope. Typical questions include: what are we trying to accomplish from a compliance, security and efficiency perspective? Which applications, identities and contexts are in scope? And plenty more.
Then comes the big question of 'what does good enough look like?' Ideally the ratio of identities to roles is as far from 1:1 as possible, so that each role serves many identities and no identity ends up as its own role. Roles should include baseline access rights (sometimes referred to as 'birthright') as well as other commonly required access, but the more bespoke a role becomes, the fewer identities it fits and the harder it is to scale. Any good role model will need to fit growing and evolving business needs.
After defining the initiatives, set guidelines for how the role model will take form: its principles, role types, model hierarchy, and use cases (such as request and approval scenarios). Then, before diving into the design of the roles themselves, verify the role model by identifying the stakeholders and getting their buy-in. Typical stakeholders that should be included are application owners, data owners, IT administrators, auditors, and security team leads, among others. Now that the groundwork and project plan have been laid, we can look at how to create the roles and the role model.
Creating, Modifying, and Decommissioning Roles
In this phase, we look at designing role management processes, including how to create a new role, change or revise roles, delete old ones and continuously evaluate role quality. In producing new roles, organizations are encouraged to both mine and design roles. Mining tools, run on live production entitlement data, analyze which entitlements cluster together and propose roles that fit each organization's own hierarchy. Please note, however, that you cannot just plug in a mining tool and suddenly have role modeling complete: a mined role inherits whatever excess access the sampled population already held, so mining must be married with processes that fit the business needs of your organization, including how a role meets the various compliance measures and why certain entitlements are aligned with specific jobs. The data gathering can be based on identity types, templates, organizational attributes and more to help craft the role. After these roles have been created, they are validated by the appropriate stakeholders and listed with their candidate assignment policies.
After roles have been defined and vetted, we can integrate them into access management processes. These include access requests and approvals (i.e. a business user raises their hand to request access and the request is automatically routed to their manager for approval), risk mitigation, and other business descriptions that help fit roles to more and more identities. Having processes in place to audit roles, and to recertify that the roles assigned are actually being used, is critical to maintaining good role model quality. They also help flag compliance exceptions: toxic combinations of access rights (separation-of-duties conflicts) that should not coexist in one role or one identity. Role modeling also reduces the number of questions asked in a recertification, simply by bundling entitlements into a role so that a reviewer certifies one role assignment instead of each entitlement in it.
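The passages above on the identity-to-role ratio and birthright access, on mining candidate roles from production entitlement data, and on flagging toxic combinations and cutting recertification questions all come together in one small worked example below. This is an added illustration, not Omada's code or any product's mining algorithm; the identities, entitlements, department and title attributes, the 80% membership threshold and the separation-of-duties pair are all constructed for the example.

```python
"""Added example: a minimal role-mining pass over constructed
identity-to-entitlement data (not from any real system)."""
from collections import defaultdict

# Constructed sample: identity id -> (department, job title, entitlements held).
IDENTITIES = {
    "u01": ("Finance", "AP Clerk",   {"mail", "ldap", "erp.ap.enter", "erp.ap.view"}),
    "u02": ("Finance", "AP Clerk",   {"mail", "ldap", "erp.ap.enter", "erp.ap.view"}),
    "u03": ("Finance", "AP Clerk",   {"mail", "ldap", "erp.ap.enter", "erp.ap.view", "vpn"}),
    "u04": ("Finance", "Controller", {"mail", "ldap", "erp.ap.view", "erp.ap.approve", "erp.gl.close"}),
    "u05": ("Finance", "Controller", {"mail", "ldap", "erp.ap.view", "erp.ap.approve", "erp.gl.close",
                                      "erp.ap.enter"}),
    "u06": ("Eng",     "Developer",  {"mail", "ldap", "vpn", "git.push", "ci.run"}),
    "u07": ("Eng",     "Developer",  {"mail", "ldap", "vpn", "git.push", "ci.run"}),
    "u08": ("Eng",     "SRE",        {"mail", "ldap", "vpn", "git.push", "ci.run", "prod.ssh", "prod.sudo"}),
}

# Hypothetical separation-of-duties rule: entering and approving payables
# must never sit with one person, nor inside one role.
SOD_PAIRS = [frozenset({"erp.ap.enter", "erp.ap.approve"})]


def birthright(identities):
    """Entitlements every identity holds: the baseline 'birthright' role."""
    ent_sets = [ents for _, _, ents in identities.values()]
    return frozenset(set.intersection(*ent_sets))


def mine_roles(identities, threshold=0.8):
    """Group identities by (department, title) and propose one role per group.

    An entitlement joins the role if at least `threshold` of the group holds
    it. Birthright entitlements are factored out into their own role so job
    roles carry only job-specific access.
    """
    base = birthright(identities)
    groups = defaultdict(list)
    for dept, title, ents in identities.values():
        groups[(dept, title)].append(ents - base)
    roles = {"Birthright": base}
    for (dept, title), members in groups.items():
        counts = defaultdict(int)
        for ents in members:
            for e in ents:
                counts[e] += 1
        common = {e for e, n in counts.items() if n / len(members) >= threshold}
        roles[f"{dept}/{title}"] = frozenset(common)
    return roles


def assign(identities, roles):
    """Map each identity to its roles plus the residual (direct) entitlements.

    Residuals are rights no role explains; they stay as individually
    certified exceptions (or signal that the role model needs revision).
    """
    result = {}
    for uid, (dept, title, ents) in identities.items():
        granted = ["Birthright", f"{dept}/{title}"]
        covered = set().union(*(roles[r] for r in granted))
        result[uid] = (granted, frozenset(ents - covered))
    return result


def identity_role_ratio(identities, roles):
    """How many identities each role serves on average; 1.0 means one role per person."""
    return len(identities) / len(roles)


def certification_items(identities, assignments):
    """Line items a recertifier must answer: per entitlement vs. per role (+ residuals)."""
    per_entitlement = sum(len(ents) for _, _, ents in identities.values())
    per_role = sum(len(r) + len(res) for r, res in assignments.values())
    return per_entitlement, per_role


def sod_violations(identities, roles, sod_pairs=SOD_PAIRS):
    """Flag roles and identities that combine a toxic pair of entitlements."""
    hits = []
    for name, ents in roles.items():
        for pair in sod_pairs:
            if pair <= ents:
                hits.append(("role", name, tuple(sorted(pair))))
    for uid, (_, _, ents) in identities.items():
        for pair in sod_pairs:
            if pair <= ents:
                hits.append(("identity", uid, tuple(sorted(pair))))
    return hits


if __name__ == "__main__":
    roles = mine_roles(IDENTITIES)
    assignments = assign(IDENTITIES, roles)
    for name, ents in roles.items():
        print(f"{name:20s} {sorted(ents)}")
    print("identity:role ratio", identity_role_ratio(IDENTITIES, roles))
    print("residuals", {u: sorted(r) for u, (_, r) in assignments.items() if r})
    print("cert items (per entitlement, per role)", certification_items(IDENTITIES, assignments))
    print("SoD", sod_violations(IDENTITIES, roles))
```

Three things worth noticing when you run it. The single-member Eng/SRE group yields a role identical to one identity, which is exactly the 1:1 case to avoid; a real mining run would set a minimum group size or fold such identities into a broader role. The residuals (u03's VPN access, u05's AP entry right) are the items that still need an individual decision, and u05's residual is also what trips the separation-of-duties check, since the mined Controller role itself is clean. Finally, bundling drops the recertification workload from 41 per-entitlement questions to 18 role-plus-residual questions on this sample.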
An effective role modeling approach should also support assigning and unassigning roles automatically (for example on join, move or leave events), manually, or based on rules. The goal is a role model that makes sense for each organization, where business users keep their productivity and IT teams keep governance and visibility into who has access to what, and why. Most roles should be assigned through the access request process, so that as access requirements come up, requesters can choose from a list of roles that are easy to comprehend and approvers can sign off on a role rather than on a pile of individual entitlements. Each business has its own ways of maintaining productivity, and the role model has to meet those needs.
Omada is a market leader in modern IGA and has been helping organizations implement foundational role modelling principles to help enhance efficiency, meet compliance mandates, and increase security.