Managing access to corporate resources remains an underestimated challenge in many organizations. Many of them choose to create an enterprise role design breaking down existing complexity into manageable roles as both a tool for organizational processes and to achieve efficient security management. However, defining, implementing, and maintaining an enterprise role model requires mature processes and strong tool support.
KuppingerCole understands Enterprise Role Management (ERM) as a strategic approach to structuring complex organizations, while improving administrative efficiency and compliance with legal, regulatory and internal requirements. This goes far beyond a one-off approach towards identifying initial role definitions. Instead it aims at defining and implementing a sustainable, ongoing set of well-defined role management processes. These serve as a framework for managing, maintaining and constantly refining role definitions as well as for the assignment of associated entitlements to individual identities.
From the business perspective, the requirements are clear and obvious: The role portfolio implemented within an IAM system has to be designed to assign every access right that is required for each individual employee. Regulatory and legal requirements, but also corporate policies and security frameworks, present a very contrary set of demands: The principle of least privilege requires that only the minimum set of access rights are assigned, while Segregation of Duties (SoD) requirements demand that any one user should not have excessive access rights to execute more than one conflicting step within a single business transaction or process flow.
Getting towards true Enterprise Role Management (ERM) is both an organizational and a technical task. ERM requires expertise from various organizational stakeholders combined into a corporate process framework. It demands the involvement of many types of subject matter experts in diverse types of organizational units, well-defined and efficient administrative processes, and adequate tool support.
In the case of an organization just initiating the definition of appropriate business roles, but also in the process of reviewing or justifying existing role compositions, these tools are typically referred to as role mining tools. In the case of roles which are already defined, the family of tools required is typically referred to as role engineering or access analytics tools as part of GRC efforts.
Defining or reviewing the appropriate role portfolio with each role containing the right set of underlying individual entitlements for the required set of systems, infrastructures and applications must not be a one-time exercise. This usually has to be an ongoing process instead, adapting the defined set of roles:
- by adjusting the contained access rights
- by adding newly required roles
- by onboarding new applications and their newly defined entitlements; and
- by retiring or disabling obsolete roles
Currently, there are mainly two different product approaches on the market covering the segments of role management and role mining. Several IAM vendors provide basic support for this kind of task as part of their IAM suites. In parallel, a separate highly specialized market segment has evolved, which is focused on providing efficient role mining functionalities, role engineering facilities, access analytics and clean-up workflows as an add-on to an existing IAM infrastructure system, independent of vendor or design. Nexis Controle 3.0 is a mature representative of the second group, designed to run stand-alone or interact with existing Identity and Access Management systems while adding what the vendor refers to as Identity and Access Intelligence.