1 Introduction
Managing access to corporate resources remains an underestimated challenge for many businesses. Traditional approaches leverage the concept of roles and role hierarchy as an implementation of Role Based Access Control (RBAC). Alternative access management concepts extend and complement this approach by relying on the interpretation of attributes and context data for assigning access rights (like group memberships or individual entitlements) at admin time or for making access decisions within the individual applications at run time. So, augmenting authorization models like Attribute Based Access Control (ABAC), Policy Based Access Control (PBAC) and Dynamic Authorization Management (DAM) are becoming increasingly important.
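The distinction drawn above, between a role hierarchy evaluated against entitlements granted at admin time and attribute or context rules evaluated inside the application at run time, is easier to see in code. The following is an added illustration written for this introduction; it is not code from the report or from any of the products it discusses. The role names, permission strings, attribute names (cost_center, submitted_by, hour) and the three policy rules are constructed for the example and carry no meaning beyond it.

```python
from dataclasses import dataclass

# --- RBAC part: roles, role hierarchy and admin-time permission grants -------
# Constructed example hierarchy: a senior role inherits the permissions of the
# junior roles listed as its parents (finance_manager > finance_clerk > employee).
ROLE_PARENTS = {
    "finance_manager": ["finance_clerk"],
    "finance_clerk": ["employee"],
    "employee": [],
}

# Constructed example: permissions granted directly to each role.
ROLE_PERMISSIONS = {
    "employee": {"read:directory"},
    "finance_clerk": {"read:invoice"},
    "finance_manager": {"approve:invoice"},
}


def effective_permissions(role):
    """Return the permissions of a role plus everything it inherits transitively."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:          # guards against cycles in a misconfigured hierarchy
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        stack.extend(ROLE_PARENTS.get(current, []))
    return perms


def rbac_allows(user_roles, permission):
    """Coarse-grained check: does any assigned role carry the permission?"""
    return any(permission in effective_permissions(r) for r in user_roles)


# --- ABAC part: attribute and context rules evaluated at run time -------------
@dataclass
class Request:
    subject: dict    # attributes of the identity making the request
    resource: dict   # attributes of the object being accessed
    context: dict    # environmental attributes (time, location, ...)


def rule_same_cost_center(req):
    return req.subject.get("cost_center") == req.resource.get("cost_center")


def rule_business_hours(req):
    return 8 <= req.context.get("hour", -1) < 18


def rule_not_self_approval(req):
    # Segregation of duties: nobody approves what they submitted themselves.
    return req.subject.get("id") != req.resource.get("submitted_by")


# Constructed policy: attribute rules that further constrain a permission.
ABAC_POLICIES = {
    "approve:invoice": [rule_same_cost_center, rule_business_hours, rule_not_self_approval],
}


def abac_allows(permission, req):
    """All attribute rules registered for the permission must hold."""
    rules = ABAC_POLICIES.get(permission, [])
    return all(rule(req) for rule in rules)


def decide(permission, req):
    """Combined decision: the role grant is necessary, the attribute rules refine it."""
    if not rbac_allows(req.subject.get("roles", []), permission):
        return False
    return abac_allows(permission, req)


if __name__ == "__main__":
    req = Request(
        subject={"id": "u1", "roles": ["finance_manager"], "cost_center": "CC-42"},
        resource={"type": "invoice", "cost_center": "CC-42", "submitted_by": "u2"},
        context={"hour": 10},
    )
    print(decide("approve:invoice", req))   # True
```

The role grant is what a role model or entitlement management tool administers and reviews; the attribute rules are what the application consults when the request actually arrives, so the same identity can hold the role yet be refused outside business hours or for an invoice they submitted themselves.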
Most organizations opt for an enterprise-wide role design that breaks down existing complexity into manageable roles. The definition, implementation and maintenance of an enterprise role model demands mature business processes and strong tool support. Providing these processes as user-friendly, easily modifiable, and traceable workflows is becoming increasingly important. At the same time, comprehensive and adaptable administration capabilities that cover all types of authorization management paradigms in a uniform manner are a key requirement in today's enterprises.
Furthermore, to benefit from existing expertise within an organization, it is also becoming more and more important to involve a variety of business stakeholders in the management, verification and maintenance processes of entitlements, their set-up and allocation. As processes become increasingly digitized and employees, teams and their areas of responsibility continue to specialize, the processes required for managing authorizations and identities are also constantly changing. Their proper implementation calls for the involvement of many kinds of subject matter experts in different types of organizational units, for clearly defined and efficient administrative processes, and for appropriate tool support.
Modern IAM environments thus require new management tools that can implement the described aspects of modern and user-friendly authorization management. This is done by providing a variety of capabilities along the lifecycle of both managing and assigning different permissions. The majority of IAM and IGA systems and suites are now equipped with functionalities that can be categorized as delegated administration. The breadth and depth of available functionality varies between the systems of different vendors, and the effort to be spent on implementing the required functionality can sometimes run to months. In general, typical user interfaces for this type of delegated administration are not necessarily aimed at non-technical, business users.
For a comprehensive analysis and modeling of roles, but also for the provision of all workflows needed to implement role lifecycle management in companies, a small, highly specialized market segment exists as a complementary offer to traditional IAM systems. Dedicated entitlement management tools mostly originated as comprehensive role mining and identity analytics tools. Today's leading tools further demonstrate their capabilities by providing a wide range of services and capabilities spanning automation, maintenance processes and governance.
This goes far beyond a one-off approach to identifying initial role definitions, a point at which many initial role projects stop. Defining or reviewing the appropriate role portfolio, with each role containing the right set of underlying individual entitlements for the required set of systems, infrastructures and applications, must not be a one-time exercise. Such tools serve as a framework for the administration, maintenance, and ongoing refinement of role definitions and for the assignment of the associated individual authorizations to identities.