Putting Context to Roles

  • TYPE: Combined Session DATE: Thursday, May 07, 2009 TIME: 11:30-12:30 LOCATION: GALAXIS
Speakers:

Markus Groh joined Deutsche Bank in 1991 and has been working in the IT security domain since 2001, with a focus on IT security architecture and security governance. In 2008 he joined the project Gatekeeper, Deutsche Bank's global initiative for recertification of user accounts and user access...

André Kudra is project manager of Deutsche Bank's project "Gatekeeper", a global initiative that coordinates the user account and access rights recertification of more than 500 business-critical applications. Since 2006, he has been supporting Deutsche Bank in different project...


The idea of using business roles to manage the entitlements of IT users is appealing and widely accepted. The ANSI/INCITS standard for RBAC (role-based access control) provides a reference model for grouping entitlements into roles and assigning roles to users. The challenge for role engineering is to maximize role usability while minimizing the number of roles, so that users do not receive more entitlements than they need. The goal is to end up with substantially fewer roles than users. Experience from typical IT environments shows, however, that the number of existing entitlements is orders of magnitude higher than the number of users, and that the number of roles ends up not much lower than the number of users. How can the complexity of entitlements be managed while keeping the number of roles to a minimum? Standard RBAC does not provide adequate means to achieve this goal.

The solution is to define generic business roles that are shaped by additional context information. Examples of such generic roles are employee, account manager, project member and project lead. Employees work in different departments and locations, and their entitlements may differ for that reason. Therefore, the department and the location can be used as context information to tag the entitlements in the role definition. When the generic employee role is assigned to – for instance – Ms Moneypenny, it is dynamically shaped into a London-MI5-employee role carrying only the relevant entitlements.

Putting context to roles helps to reduce the number of roles and thus makes user management easier. It pays off in higher security, increased efficiency and reduced administration costs.
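An added illustration of the context-shaped role idea described above (example code, not from the session or from Deutsche Bank's Gatekeeper project): each entitlement in a generic role carries optional department/location tags, and a user receives only the entitlements whose tags match their own attributes. Role, entitlement and user names are constructed; the final helper counts how many static roles plain RBAC would need to grant the same users the same entitlements.

```python
from dataclasses import dataclass

# Added example, not code from the session or the Gatekeeper project.
# Role, entitlement and user names below are constructed for illustration.

@dataclass(frozen=True)
class Entitlement:
    """Entitlement plus its context tags: a tuple of (attribute, value) pairs;
    an empty tuple means every holder of the role gets it, whatever their context."""
    name: str
    context: tuple = ()

    def applies_to(self, user_context: dict) -> bool:
        # Every tagged attribute must match the user's attribute value exactly;
        # a missing attribute never matches, so unknown context grants nothing extra.
        return all(user_context.get(attr) == value for attr, value in self.context)

# Generic business roles; the department/location tags shape them per user.
ROLES = {
    "employee": (
        Entitlement("email"),
        Entitlement("intranet"),
        Entitlement("building-access-london", (("location", "London"),)),
        Entitlement("building-access-frankfurt", (("location", "Frankfurt"),)),
        Entitlement("mi5-case-files", (("department", "MI5"),)),
        Entitlement("trading-desk-app", (("department", "Trading"), ("location", "Frankfurt"))),
    ),
    "project_lead": (
        Entitlement("project-approvals"),
        Entitlement("budget-tool", (("department", "MI5"),)),
    ),
}

def effective_entitlements(role_names, user_context):
    """Shape the user's generic roles by their context; return only matching entitlement names."""
    return {ent.name for role in role_names for ent in ROLES[role]
            if ent.applies_to(user_context)}

def static_roles_required(users):
    """Roles plain RBAC would need for these users: one per distinct effective entitlement set."""
    return len({frozenset(effective_entitlements(roles, ctx)) for roles, ctx in users.values()})

if __name__ == "__main__":
    users = {"moneypenny": (["employee", "project_lead"], {"department": "MI5", "location": "London"}),
             "bond": (["employee"], {"department": "MI5", "location": "Frankfurt"}),
             "trader": (["employee"], {"department": "Trading", "location": "Frankfurt"})}
    for name, (roles, ctx) in users.items():
        print(name, sorted(effective_entitlements(roles, ctx)))
    print(len(ROLES), "generic roles vs", static_roles_required(users), "static roles needed")
```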


Speakers:

Alberto Ocello is a CrossIdeas founder and Chief Executive Officer. He was formerly the General Manager at Engiweb Security where he designed and led the product innovation of the IDEAS platform. Prior to Engiweb, Alberto served as Chief Architect on application security and military security...

Deepak Taneja is the Founder and CTO of Aveksa, a security compliance software company. Prior to founding Aveksa, he was CTO and VP of Engineering at Netegrity. In this role, he was instrumental in growing the company into the market leader in Identity and Access Management. Previously he...



European Identity Conference 2009

Language:
English
Registration fee:
€1980.00 $2475.00 S$3168.00
Contact person:

Ms. Bettina Buthmann
+49 211 23 70 77 23
bb@kuppingercole.com
  • May 05 - 08, 2009 Munich
