
Who is suitable for attesting entitlements?
by Martin Kuppinger
mk@kuppingercole.com

Of course, the range of persons that could be entrusted with this task is wide. There are also various levels on which attesting can be carried out, bearing in mind that not every group of persons is suitable for every type of attesting. When it comes to the defined entitlements of a user group or system role, this is no longer a job for a department manager. What we need is a detailed concept of differentiation with regard to the process levels and the responsible persons.

The following types of entitlement should be discerned, from a more technical to a more business-oriented perspective:

  • assignment of defined access authorizations to groups, roles and other concepts used on system level, for example the ACLs linked to a group in Active Directory, or the SAP transactions used by a profile or a role
  • direct assignment of persons to such groups or roles
  • assignment of system roles to defined business roles and the control of access authorizations linked to these roles
  • assignment of persons to these business roles

For a review to be meaningful, those in charge of attesting the correctness of an assignment must also have the knowledge to do so. On the lowest level, it should be the system or data owners from the business who are suitable for this job. In many cases, these will be persons operating at the interface between IT and business.

The same persons should also be able to handle the assignment of persons to groups, roles and other models as used in Provisioning approaches without supplementary Business Role Management.

As to the assignment of system roles with a sufficiently clear description of their scope to business roles, a typical choice of people in charge of attesting would be those responsible for these business roles, in short, department managers. However, these managers will carry out attesting successfully only if the system and business roles are sufficiently well defined to be understood by non-IT staff.

Finally, the assignment of persons to business roles is clearly the job of the managers mentioned above.
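As an added example, not from the original article: a small Python model that walks one person's entitlements through the four levels above and routes each link to the attester type proposed here (system or data owners for the two technical levels, business-role owners for the two business levels). All systems, roles, persons and owners in it are constructed sample data.

```python
"""Attestation plan per person across the article's four entitlement levels.

Added example, not from the original article. It walks a constructed
entitlement model and routes each link to the attester type the article
proposes: system/data owners for levels 1-2, business-role owners for 3-4.
All identifiers are constructed sample data, not a real environment.
"""

MODEL = {  # constructed sample data
    "system_owners": {"SAP": "sap.owner", "AD": "ad.owner"},
    "system_roles": {
        "SAP:Z_AP_CLERK": {"system": "SAP", "permissions": ["FB60", "FB65"]},
        "AD:GRP_Finance_RW": {"system": "AD", "permissions": ["\\\\fs01\\finance:RW"]},
        "AD:GRP_Legacy_Ops": {"system": "AD", "permissions": ["\\\\fs02\\ops:RW"]},
    },
    "business_roles": {"AP Clerk": {"owner": "fin.manager",
                                    "system_roles": ["SAP:Z_AP_CLERK", "AD:GRP_Finance_RW"]}},
    # jdoe also holds a direct group membership outside any business role (level 2)
    "persons": {"jdoe": {"business_roles": ["AP Clerk"], "direct_groups": ["AD:GRP_Legacy_Ops"]}},
}

def attestation_plan(person, model):
    """Return (level, link, attester) tuples covering a person's access:
    levels 1/2 go to the owning system's owner, levels 3/4 to the role owner."""
    sys_roles, owners = model["system_roles"], model["system_owners"]
    plan = []
    def technical(role):  # level 1: permissions bound to a system role/group
        r = sys_roles[role]
        for perm in r["permissions"]:
            plan.append((1, f"{perm} -> {role}", owners[r["system"]]))
    rec = model["persons"][person]
    for br in rec["business_roles"]:
        brd = model["business_roles"][br]
        plan.append((4, f"{person} -> {br}", brd["owner"]))        # level 4
        for sr in brd["system_roles"]:
            plan.append((3, f"{sr} -> {br}", brd["owner"]))        # level 3
            technical(sr)
    for g in rec["direct_groups"]:                                    # level 2
        plan.append((2, f"{person} -> {g}", owners[sys_roles[g]["system"]]))
        technical(g)
    return sorted(set(plan))  # de-duplicates level-1 links shared by several paths

def by_attester(plan):
    """Group a plan into per-attester worklists: {attester: [(level, link), ...]}."""
    out = {}
    for level, link, who in plan:
        out.setdefault(who, []).append((level, link))
    return out
```

The direct group membership shows the point made earlier about provisioning without Business Role Management: it never reaches the department manager's worklist and falls entirely to the system owner.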

From the above it becomes obvious that in order to achieve comprehensive control, we will have to consider more than one level of attesting. Even if we decided to focus just on the two more technical levels, there would be no guarantee that the persons assigned as attesters actually are familiar with the task in question. In many cases, the persons attesting might know these tasks, for example if the file release process is run per division or project, or with applications used by a small number of users. But in other cases, such as complex applications, they would not. Solving this problem by distributing the job among different persons would not really make the whole thing any easier.

Finally, the attesting issue should make us pay more attention to Business Role Management when it comes to comprehensive control of entitlements, from the business perspective down to the details in the different systems. Whether you tackle the problem “from the bottom” or “from the top”, it is time to put this topic on the agenda, last but not least to improve IT reporting to auditing and company management.

Created: 22.11.07, modified: 04.02.08
