<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.1" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Role Based Access in the Enterprise</title>
	<link>http://identity-focus.com/2007/10/09/role-based-access-in-the-enterprise/</link>
	<description>Identity Management in the Real World (and other random stuff)</description>
	<pubDate>Mon, 21 May 2012 06:42:19 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>

	<item>
		<title>By: Ron Rymon</title>
		<link>http://identity-focus.com/2007/10/09/role-based-access-in-the-enterprise/#comment-227</link>
		<author>Ron Rymon</author>
		<pubDate>Fri, 25 Jan 2008 13:54:44 +0000</pubDate>
		<guid>http://identity-focus.com/2007/10/09/role-based-access-in-the-enterprise/#comment-227</guid>
		<description>You point to quite a few very important aspects of role modeling, which I obviously agree with.

 I would like to comment on one of your points re 80-20. It is important that the roles cover 80% of the PRIVILEGES, not of the USERS. In every organization, there are many users that get "trivial" access rights. If you ONLY cover them then you have done nothing for provisioning automation. Unfortunately, in our experience, the 10-20 roles are enough to cover 80% of people, but by no means 80% of the access rights.

 I would also like to strengthen your point that there is no one-size-fits-all recipe for roles. Hence, you should indeed be suspicious of any vendor that comes and tells you that they can create the roles for you and in a hurry. Consider this: even if two organizations had exactly the same access rights, it may still be beneficial to create a different role structure for them. This is because an effective role structure depends on the organizational structure, processes, practices, and even culture.

 Instead, we find it useful to precede role engineering with simulations of 10-20 different combinations of role engineering methodologies. We then see which methods are (a) intuitive to the organization, and (b) result in good coverage of the privileges. Such simulation, supported by our pattern recognition technology, provides us with very important intelligence that tells us which role engineering approach is likely to be successful for this company.

 Enjoy...

Dr. Ron Rymon
Founder
Eurekify - Privileges, Roles, and Policies
http://www.eurekify.com</description>
		<content:encoded><![CDATA[<p>You point to quite a few very important aspects of role modeling, which I obviously agree with.</p>
<p> I would like to comment on one of your points re 80-20. It is important that the roles cover 80% of the PRIVILEGES, not of the USERS. In every organization, there are many users that get &#8220;trivial&#8221; access rights. If you ONLY cover them then you have done nothing for provisioning automation. Unfortunately, in our experience, the 10-20 roles are enough to cover 80% of people, but by no means 80% of the access rights.</p>
<p> I would also like to strengthen your point that there is no one-size-fits-all recipe for roles. Hence, you should indeed be suspicious of any vendor that comes and tells you that they can create the roles for you and in a hurry. Consider this: even if two organizations had exactly the same access rights, it may still be beneficial to create a different role structure for them. This is because an effective role structure depends on the organizational structure, processes, practices, and even culture.</p>
<p> Instead, we find it useful to precede role engineering with simulations of 10-20 different combinations of role engineering methodologies. We then see which methods are (a) intuitive to the organization, and (b) result in good coverage of the privileges. Such simulation, supported by our pattern recognition technology, provides us with very important intelligence that tells us which role engineering approach is likely to be successful for this company.</p>
<p> Enjoy&#8230;</p>
<p>Dr. Ron Rymon<br />
Founder<br />
Eurekify - Privileges, Roles, and Policies<br />
<a href="http://www.eurekify.com" rel="nofollow">http://www.eurekify.com</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>

