Every organization uses some model to manage access to its resources and assets, and RBAC is the most widely known and most widely adopted model for this. RBAC, i.e. Role Based Access Control, simplifies the management of access to resources and assets. In the RBAC model, all permissions/access are tied to roles. Controlling access through roles reduces the administrative burden on security practitioners. Here are a few key benefits of the RBAC model:
Key Benefits:
- Reduces the number of access requests and approvals
- Improves end user experience
- Enhances security
- Very helpful in implementing Birth Right Access
- Improves productivity
- Simplifies User Access Re-validation (Certification)
- Builds the foundation for implementing Separation of Duties
It can be difficult to implement RBAC in large organizations, as every organization has its own set of resources, permissions, job functions, policies and controls. Identifying the right roles for an organization is a big and important task, and this task is known as Role Engineering. Role Engineering is also known as Role Mining or Role Discovery. Role Engineering is the process of discovering relationships between access permissions and users or job functions that can be grouped together to form a role.
There are three types of approaches used for Role Engineering:
- Top-Down Approach: roles are defined based on the organization's business.
- Bottom-Up Approach: roles are defined to meet specific application or system access needs.
- Hybrid Approach: roles are defined using a combination of the above two approaches.
Earlier, Role Engineering was a manual process: data owners exported the access data to an Excel sheet to analyze it and define the roles. Nowadays most organizations have implemented IDM products like Oracle Identity Analytics, SailPoint IdentityIQ, CA IDM etc. Because organizations are using these IDM products, the products hold the up-to-date access data that is a must-have for the Role Mining process. These IDM products come with OOTB (out-of-the-box) Role Mining capabilities, but custom algorithms can be implemented based on organization needs. Here is the process these products use for defining roles in an organization:
- Set the Role Engineering attributes
- Create and run the Role Engineering process
- Analyze the Role Engineering results
- Configure and save the role definitions
- Set the metadata for the roles
Of the above steps, setting the Role Engineering attributes is the key step, because it sets the base and builds the logic for the entire Role Mining process. If we want to perform Role Mining for an application, first we need the access data for that application. Second, we need to define parameters like Job Title, Job Function, Department, User Type, Manager, Job Level etc. against which the relationships are discovered. Once steps 1 and 2 are done, the IDM product executes the Role Mining task and shares the results.
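As an added illustration (not code from the original article or from any IDM product), here is a minimal bottom-up Role Mining pass in Python over a constructed access export: users are grouped by the Role Engineering attributes chosen in step 1 (Department and Job Title here), each group yields one candidate role, and any entitlement a member holds outside the candidate role is flagged as an outlier for the re-validation step. All user names, departments and entitlement names are made up for the example; the `birthright` helper also shows how entitlements held by everyone surface as Birth Right Access candidates.

```python
from collections import defaultdict

# Constructed sample data (not a real export). Role Engineering attributes per
# user, as the text describes (Job Title, Department), plus current entitlements.
USERS = {
    "alice": {"title": "Analyst",  "dept": "Finance"},
    "bob":   {"title": "Analyst",  "dept": "Finance"},
    "carol": {"title": "Analyst",  "dept": "Finance"},
    "dave":  {"title": "Manager",  "dept": "Finance"},
    "erin":  {"title": "Engineer", "dept": "IT"},
    "frank": {"title": "Engineer", "dept": "IT"},
}
ENTITLEMENTS = {
    "alice": {"GL_READ", "AP_INVOICE", "EMAIL"},
    "bob":   {"GL_READ", "AP_INVOICE", "EMAIL", "VPN"},
    "carol": {"GL_READ", "AP_INVOICE", "EMAIL"},
    "dave":  {"GL_READ", "AP_APPROVE", "EMAIL"},
    "erin":  {"PROD_SSH", "EMAIL", "VPN"},
    "frank": {"PROD_SSH", "EMAIL", "VPN", "AP_INVOICE"},
}

def mine_roles(users, entitlements, attributes, min_coverage=1.0, min_members=2):
    """Bottom-up role mining: group users by `attributes`; each group with at
    least `min_members` users becomes one candidate role holding every
    entitlement that a `min_coverage` fraction of the group has. Members'
    entitlements outside that set are returned as outliers for re-validation."""
    groups = defaultdict(list)
    for user, attrs in users.items():
        groups[tuple(attrs[a] for a in attributes)].append(user)
    roles = {}
    for key, members in groups.items():
        if len(members) < min_members:
            continue  # too few users to generalize into a role
        counts = defaultdict(int)
        for member in members:
            for ent in entitlements[member]:
                counts[ent] += 1
        core = {e for e, c in counts.items() if c / len(members) >= min_coverage}
        outliers = {m: entitlements[m] - core for m in members if entitlements[m] - core}
        roles[key] = {"members": sorted(members), "entitlements": core, "outliers": outliers}
    return roles

def birthright(entitlements):
    """Entitlements held by every user: candidates for a Birth Right Access role."""
    return set.intersection(*entitlements.values())
```

Lowering `min_coverage` (e.g. to 0.75) or mining on Department alone produces broader, less precise roles, which is exactly the trade-off the analysis step in step 3 has to weigh.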
Role Engineering is not a one-time task; rather, it is an ongoing activity that helps organizations maintain better control over their resources and assets. It has also been shown that defining only high-level roles with basic access/permissions does not deliver the expected business benefits. Role Engineering, with any approach (Top-Down, Bottom-Up or Hybrid), is a key cornerstone.