1 Introduction
Managing access to corporate resources remains an underestimated challenge for many businesses. Traditional approaches leverage the concept of roles and role hierarchy. Alternative access management concepts rely on the interpretation of attributes for assigning access rights (like group memberships or individual entitlements) at admin time or for making access decisions within the individual applications at run time.
A majority of organizations still opt for an enterprise-wide role design that breaks down existing complexity into manageable roles. Although role lifecycle management has proven to be a complex set of tasks with many obstacles and a high potential for failure, this approach can serve both for efficient security management and as a tool for organizational processes. The definition, implementation and maintenance of an enterprise role model demands mature business processes and strong tool support. Providing these processes as user-friendly, easily modifiable and traceable workflows is becoming increasingly important.
KuppingerCole considers Enterprise Role Management (ERM) to be a possible strategic approach to structuring complex companies, in addition to well-defined policy management, which can simultaneously serve to improve administrative efficiency and compliance with legal, regulatory and internal requirements. This goes far beyond a one-off approach to identifying initial role definitions, the point at which many initial role projects stop. Defining or reviewing the appropriate role portfolio, with each role containing the right set of underlying individual entitlements for the required set of systems, infrastructures and applications, must not be a one-time exercise. Instead, ERM aims to define and implement a sustainable, continuous set of clearly defined role management processes. This usually has to be an ongoing process, continuously adapting the defined set of roles:
- by adjusting the contained access rights;
- by adding newly required roles;
- by onboarding new applications and their newly defined entitlements; and
- by retiring or disabling obsolete roles.
These serve as a framework for the administration, maintenance and ongoing refinement of role definitions and for the assignment of the associated individual authorizations to particular identities.
Regulatory and legal requirements, as well as corporate guidelines and security frameworks, represent a variety of demands: the least privilege principle requires that only minimal access rights be granted, while the requirements for Segregation of Duties (SoD) require that a single user not hold access rights that allow performing more than one contradictory step within a single business transaction or process flow.
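The two demands just named (least privilege and SoD) are exactly the checks an ERM process has to run against the role model, both at design time (are two roles, or one role on its own, a toxic combination?) and at assignment time (does this user now hold two contradictory steps?). The following is an added illustration written for this section; it is not code from KuppingerCole or from Nexis Controle, and the roles, entitlements, SoD rules, user assignments and usage evidence are all constructed sample data. It goes slightly beyond the paragraph by also listing granted-but-never-exercised entitlements, which is the raw material a least-privilege review works from.

```python
"""Segregation-of-duties and least-privilege checks over a small role model.

All data below is constructed for illustration; the role, entitlement and
user names are hypothetical and not taken from any product or deployment.
"""
from itertools import combinations

# Role -> entitlements it grants (constructed)
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "treasury": {"payment.release"},
    "auditor": {"ledger.read"},
}

# SoD rules: pairs of entitlements one identity must never hold together,
# because they are contradictory steps of the same business process (constructed)
SOD_RULES = [
    ("vendor.create", "payment.release"),   # create a vendor and pay it
    ("invoice.enter", "invoice.approve"),   # enter an invoice and approve it
]

# User -> assigned roles (constructed)
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},
    "carol": {"treasury", "auditor"},
    "dave": {"ap_clerk", "treasury"},
}

# Entitlements each user actually exercised in the review period (constructed
# usage evidence, e.g. aggregated from application audit logs)
USAGE = {
    "alice": {"invoice.enter"},
    "bob": {"invoice.enter", "invoice.approve"},
    "carol": {"payment.release", "ledger.read"},
    "dave": {"invoice.enter"},
}


def effective_entitlements(user_roles, roles=ROLES):
    """Union of the entitlements granted by all of a user's roles."""
    ents = set()
    for role in user_roles:
        ents |= roles[role]
    return ents


def _breaches(ents, rules):
    """The SoD rules whose both ends are contained in a set of entitlements."""
    return [rule for rule in rules if rule[0] in ents and rule[1] in ents]


def toxic_roles(roles=ROLES, rules=SOD_RULES):
    """Design-time check: single roles that already violate a rule on their own."""
    return sorted(name for name, ents in roles.items() if _breaches(ents, rules))


def conflicting_role_pairs(roles=ROLES, rules=SOD_RULES):
    """Design-time check: role pairs that must not be assigned to the same person."""
    pairs = []
    for (a, ents_a), (b, ents_b) in combinations(sorted(roles.items()), 2):
        if _breaches(ents_a | ents_b, rules):
            pairs.append((a, b))
    return pairs


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Assignment-time check: {user: [violated rules]} for every user who
    currently holds a contradictory combination through their roles."""
    result = {}
    for user, user_roles in assignments.items():
        hits = _breaches(effective_entitlements(user_roles, roles), rules)
        if hits:
            result[user] = hits
    return result


def unused_entitlements(assignments=ASSIGNMENTS, usage=USAGE, roles=ROLES):
    """Least-privilege review input: entitlements granted but never exercised.
    Each entry is a candidate for removal, or for splitting the granting role."""
    result = {}
    for user, user_roles in assignments.items():
        unused = effective_entitlements(user_roles, roles) - usage.get(user, set())
        if unused:
            result[user] = sorted(unused)
    return result


if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    print("conflicting role pairs:", conflicting_role_pairs())
    print("SoD violations:", sod_violations())
    print("unused entitlements:", unused_entitlements())
```

The design-time checks are the cheaper ones: if `conflicting_role_pairs` is fed into the request workflow, a request for the second role of a conflicting pair can be routed to an exception approval before the toxic combination ever exists, rather than being discovered in a later recertification. The usage-based report is deliberately kept as a review input rather than an automatic revocation, since an entitlement that is unused in one period may still be legitimately needed (year-end tasks, deputy arrangements).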
ERM requires the expertise of various organizational stakeholders, brought together in an enterprise-wide process framework. It calls for the involvement of many kinds of subject matter experts from different types of organizational units, for clearly defined and efficient administrative processes and for appropriate tool support.
Basic mechanisms for modeling tasks in role management are built into common IAM (Identity and Access Management) and IGA (Identity Governance and Administration) products and suites. For comprehensive analysis and modeling of roles, and also for providing all the workflows needed to implement role lifecycle management in companies, a small, highly specialized market segment exists as a complementary offering to traditional IAM systems. Nexis Controle 3.4 is a mature representative of this second group, designed to run stand-alone or to interact with existing Identity and Access Management systems while adding what the vendor refers to as Identity and Access Intelligence.