Putting Context to Roles

Managing the Complexity of Entitlements

Combined Session
Thursday, May 07, 2009 11:30—12:30
Location: GALAXIS

The idea of using business roles to manage the entitlements of IT users is appealing and widely accepted. The ANSI/INCITS standard for RBAC (role-based access control) provides a reference model for grouping entitlements into roles and assigning roles to users. The challenge for role engineering is to maximize role usability while minimizing the number of roles, so that users do not receive more entitlements than they need. The goal is to end up with substantially fewer roles than users. Experience from typical IT environments shows, however, that the number of existing entitlements is orders of magnitude higher than the number of users, and that the number of roles is not much lower than the number of users. How can the complexity of entitlements be managed while the number of roles is kept to a minimum? Standard RBAC does not provide adequate means to achieve this goal.

The solution is to define generic business roles that are shaped by additional context information. Examples of such generic roles are employee, account manager, project member and project lead. Employees work in different departments and locations, and their entitlements might differ for that reason. Therefore, the department and the location can be used as context information to tag the entitlements in the role definition. When the generic employee role is assigned to, for instance, Ms Moneypenny, it is dynamically shaped into a London-MI5-employee role carrying only the relevant entitlements.

Putting context to roles helps to reduce the number of roles and thus makes user management easier. It pays off in higher security, increased efficiency and reduced administration costs.
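As an added illustration, not part of the session abstract and not code from any of the speakers' products, the following Python model shows the mechanism the abstract describes: entitlements inside one generic role are tagged with context constraints, and assigning the role to a user with a given department and location yields only the entitlements whose tags match. The role, entitlement, department and location names are constructed sample data; the Moneypenny example follows the abstract. A helper also materialises the static roles one would otherwise need, to make the reduction in role count visible.

```python
"""Context-shaped generic roles: a toy model (constructed example, not from the page)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Mapping, Tuple


@dataclass(frozen=True)
class Entitlement:
    name: str
    # Context tags: attribute -> required value. An attribute that is absent
    # here means the entitlement applies regardless of that attribute.
    constraints: Tuple[Tuple[str, str], ...] = ()

    def applies_to(self, user_context: Mapping[str, str]) -> bool:
        """True when every tagged attribute matches the user's context.
        A user lacking a tagged attribute does NOT match (fail closed)."""
        return all(user_context.get(attr) == value for attr, value in self.constraints)


@dataclass(frozen=True)
class GenericRole:
    name: str
    entitlements: Tuple[Entitlement, ...]

    def shape(self, user_context: Mapping[str, str]) -> FrozenSet[str]:
        """Shape the generic role for one user: keep only matching entitlements."""
        return frozenset(e.name for e in self.entitlements if e.applies_to(user_context))


def tag(**attrs: str) -> Tuple[Tuple[str, str], ...]:
    """Small helper to write context tags readably (hypothetical, for this example)."""
    return tuple(sorted(attrs.items()))


# Constructed sample: ONE generic 'employee' role whose entitlements are tagged
# with department and/or location where they are context-specific.
EMPLOYEE = GenericRole("employee", (
    Entitlement("email"),                                            # everyone
    Entitlement("intranet"),                                         # everyone
    Entitlement("london-building-badge", tag(location="London")),
    Entitlement("berlin-building-badge", tag(location="Berlin")),
    Entitlement("mi5-case-files", tag(department="MI5")),
    Entitlement("finance-ledger", tag(department="Finance")),
    Entitlement("mi5-london-armoury", tag(department="MI5", location="London")),
))


def effective_entitlements(roles: Iterable[GenericRole],
                           user_context: Mapping[str, str]) -> FrozenSet[str]:
    """Union of all assigned roles, each shaped by the user's context."""
    result: set = set()
    for role in roles:
        result |= role.shape(user_context)
    return frozenset(result)


def explode_static_roles(role: GenericRole, departments: Iterable[str],
                         locations: Iterable[str]) -> Dict[str, FrozenSet[str]]:
    """Materialise the static roles plain RBAC would need instead of one
    generic role: one role per (department, location) combination."""
    static: Dict[str, FrozenSet[str]] = {}
    for dept in departments:
        for loc in locations:
            static[f"{role.name}-{dept}-{loc}"] = role.shape(
                {"department": dept, "location": loc})
    return static


if __name__ == "__main__":
    moneypenny = {"department": "MI5", "location": "London"}
    print("Moneypenny:", sorted(effective_entitlements([EMPLOYEE], moneypenny)))
    static = explode_static_roles(EMPLOYEE, ["MI5", "Finance"], ["London", "Berlin"])
    print(f"1 generic role replaces {len(static)} static roles:")
    for name, ents in static.items():
        print(f"  {name}: {sorted(ents)}")
```

Two design points worth noting for a practitioner: the match fails closed, so a user record missing a tagged attribute (no department set) gets only the untagged entitlements rather than all of them; and the static-role explosion grows with the product of the context dimensions, which is exactly the role count the abstract says standard RBAC cannot keep down.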

Presentation deck: Managing the Complexity of Entitlements
Speakers

Dr. Martin Dehn, KOGIT GmbH
Dr. Martin Dehn serves as Manager Consulting & Professional Services and Senior Solution Architect for KOGIT GmbH. His responsibilities for the Professional Services team include Customers...

Berthold Kerl, Deutsche Bank AG
Berthold studied economics and computer science at the University of Nürnberg and graduated in 1988. Berthold has been with Deutsche Bank AG since 2002 where he performed in different roles:...

Alberto Ocello, CrossIdeas
Alberto Ocello is a CrossIdeas founder and Chief Executive Officer. He was formerly the General Manager at Engiweb Security where he designed and led the product innovation of the IDEAS platform....

Deepak Taneja, Aveksa
Deepak Taneja is the Founder and CTO of Aveksa, a security compliance software company. Prior to founding Aveksa, he was CTO and VP of Engineering at Netegrity. In this role, he was instrumental in...

Rudolf Wildgruber, Siemens IT Solutions and Services GmbH
Rudolf Wildgruber graduated in computer science at the Technical University Munich in 1980 and worked for nearly 10 years for a medium-sized HW/SW manufacturer as systems engineer. From October...