Putting Context to Roles

  • TYPE: Combined Session DATE: Thursday, May 07, 2009 TIME: 11:30-12:30 LOCATION: GALAXIS

Managing the Complexity of Entitlements

The idea of using business roles to manage the entitlements of IT users is appealing and widely accepted. The ANSI/INCITS standard for RBAC (role-based access control) provides a reference model for grouping entitlements into roles and assigning roles to users. The challenge for role engineering is to maximize role usability while minimizing the number of roles, so that users do not receive more entitlements than they need. The goal is to end up with substantially fewer roles than users. Experience from typical IT environments shows, however, that the number of existing entitlements is orders of magnitude higher than the number of users, and that the number of roles is not much lower than the number of users. How can the complexity of entitlements be managed while the number of roles is kept to a minimum? Standard RBAC does not provide adequate means to achieve this goal.

The solution is to define generic business roles that are shaped by additional context information. Examples of such generic roles are employee, account manager, project member and project lead. Employees work in different departments and locations, and their entitlements may differ for that reason. Therefore, the department and the location can be used as context information to tag the entitlements in the role definition. When the generic employee role is assigned to Ms Moneypenny, for instance, it is dynamically shaped into a London-MI5-employee role carrying only the relevant entitlements.

Putting context to roles helps to reduce the number of roles and thus makes user management easier. It pays off in higher security, increased efficiency and reduced administration costs.
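The following is an added illustration of the context-shaped generic role described above; it is example code written for this page, not code from the session, from CrossIdeas or from Aveksa. The entitlement names, departments and locations are constructed sample data, and `shape_role` and `effective_entitlements` are assumed names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Context attributes of a user, e.g. {"department": "MI5", "location": "London"}.
Context = Dict[str, str]

@dataclass(frozen=True)
class Entitlement:
    name: str
    # Context tags that must all match for the entitlement to be granted.
    # An empty tag set means the entitlement applies to every holder of the role.
    tags: FrozenSet[Tuple[str, str]] = frozenset()

@dataclass(frozen=True)
class GenericRole:
    name: str
    entitlements: Tuple[Entitlement, ...]

def entitlement_applies(ent: Entitlement, ctx: Context) -> bool:
    # Every tag on the entitlement must be satisfied by the user's context.
    return all(ctx.get(key) == value for key, value in ent.tags)

def shape_role(role: GenericRole, ctx: Context) -> FrozenSet[str]:
    """Dynamically shape one generic role for one user's context.

    Only entitlements whose tags match the context are returned, so a user
    never receives entitlements meant for another department or location.
    """
    return frozenset(e.name for e in role.entitlements if entitlement_applies(e, ctx))

def effective_entitlements(roles: List[GenericRole], ctx: Context) -> FrozenSet[str]:
    """Union of the context-shaped entitlements of all roles assigned to a user."""
    result: set = set()
    for role in roles:
        result |= shape_role(role, ctx)
    return frozenset(result)

# Constructed sample: one generic "employee" role covers every department/location
# combination; without context tags this would need a static role per pair.
EMPLOYEE = GenericRole("employee", (
    Entitlement("email"),
    Entitlement("badge-london", frozenset({("location", "London")})),
    Entitlement("badge-berlin", frozenset({("location", "Berlin")})),
    Entitlement("case-files", frozenset({("department", "MI5")})),
    Entitlement("ledger", frozenset({("department", "Finance")})),
    Entitlement("london-mi5-vault", frozenset({("department", "MI5"), ("location", "London")})),
))

if __name__ == "__main__":
    moneypenny = {"department": "MI5", "location": "London"}
    print(sorted(effective_entitlements([EMPLOYEE], moneypenny)))
```

A user whose context lacks an attribute simply gets none of the entitlements tagged on it, which is the least-privilege default this approach relies on.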


Alberto Ocello is a CrossIdeas founder and Chief Executive Officer. He was formerly the General Manager at Engiweb Security where he designed and led the product innovation of the IDEAS platform. Prior to Engiweb, Alberto served as Chief Architect on application security and military security...

Deepak Taneja is the Founder and CTO of Aveksa, a security compliance software company. Prior to founding Aveksa, he was CTO and VP of Engineering at Netegrity. In this role, he was instrumental in growing the company into the market leader in Identity and Access Management. Previously he...



European Identity Conference 2009

  • May 05 - 08, 2009 Munich