In Part 1, we discussed the reasons why role management is important as part of IAM, and also discussed why we believe you have to embrace role management, it is already part of your IAM initiative, whether you like it or not. In this piece, we want to provide some suggestions and advice on how to go about managing roles.

Massive and Complex UndertakingSome Unsolicited Advice?

So, how do you go about chipping away at this complex and seemingly massive undertaking of managing roles?

Our belief is this problem should not be made more complex than need be.  So, take a practical approach: Don’t boil the ocean. Divide and conquer.  Define basic principles, execute and iterate – this is a lifecycle, not a one-time pill.

Here are some of our suggestions on how to approach this issue:

  • State your goals – Many role management initiatives lack specific direction due to generalized objectives.  Before you embark on a role management initiative, identify and define what you want to achieve with it, such that you have a stated direction to recalibrate against. Are you undertaking role management to:
    • Provide separation of duties – enforce policies that prevent access to information or processes that, when aggregated, may cause a control violation
    • Improve your audit posture - Provide the ability to answer the question "who has or had access to what information?"
    • Simplify IT access audits - support IT access audit procedures including reporting and certification of access by organization managers
    • Increase IT automation – Automate the enforcement of access policies by applications enforcing or making access control decisions such as provisioning systems, web access control systems, and IT access audit processes.
    Although you might have more than one goal for your initiative, chances are that one of the goals is your primary goal.  Do your best to steer away from generalizing your objectives by putting most of your efforts into detailing your primary goal.
  • Define your process – you will need to have a process in place for how roles are created, how they are assigned to people, and how they are used to grant access into systems and applications. Make sure you have this defined early on.  Role management is a lifecycle process (similar to the identity lifecycle process), so you need to ensure you account for maintenance of roles.  As we explained in a prior blog article, you will need to have a governance model (a role governance model) that allows the organization to continuously derive value from appropriate role definitions over time.
  • Pace yourself – while you will need to spend time mining and analyzing data to define roles (i.e. role engineering) do not make this activity a critical path item.  Do not enter into role engineering paralysis.  Keep role engineering activities off of the critical path by defining an effective permissions management process and limiting role engineering paralysis.
  • Put a safety net – Define an exception process based on access requests to manage access not explicitly granted via roles.
  • It should be manageable – you need to think of roles as an approach to help you simplify your IAM processes, not to complicate them.  Hence, you should think in terms of hierarchies, and ensure at the top, you have a small number of high-level business roles.  What is small? It is relative to the complexity of your access infrastructure, but we tell our clients to aim for the 50-100 business roles range as a benchmark, although you may require more or less.  Kuppinger Cole provides good viewpoints on this topic. Role HierarchyThink of roles as a pyramid, with the more granular definitions at the bottom (often referred to as singular entitlements or permissions), and the business level definitions (i.e. business roles) at the top.
  • Follow the “least privilege” rule – the goal of IT access control, and of role management, is to provide the right access to the right information to the right people at the right time.  The “least privilege” rule advocates your roles should provide the most restrictive set of access rights needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Adopting a Practical Approach to Role Management

So, how do you ensure a balanced approach to role management?

We need a process and a framework that can be reused across the organization to ensure each stakeholder and user of corporate information has the appropriate access to appropriate information in a timely manner.  Furthermore, we want to ensure appropriate and consistent access is granted across various departments, applications, and information types.

Role Management LifecycleSo, you need to establish a Role Management Lifecycle process. Here are the elements of this process we recommend:

Role Governance

  • Define access control goals
  • Define or verify data and process owners
  • Manage and coordinate procedures and policies across applications and departments
  • Analyze and approve proposed role or policy changes or additions

Role Engineering

  • Define a framework with which to organize access control data (i.e., Role Based Access Control model) according to approved policies
  • Define a repeatable process that enables stakeholders to create and modify roles to work within the framework
  • Conduct role mining/discovery activities
  • Define access control policies
  • Assign risk, volume, and other priority scores

Role Management

  • Maintain an information system to catalog the defined roles and their associated policies
  • Define operational processes to create, modify, and disable roles
  • Effect efficient and appropriate assignment of roles to individuals

Access Review & Certification

  • Review role assignments for appropriateness
  • Review roles for adherence to policies
  • Gather and archive management approval for role assignment appropriateness
  • Provide a process for remediating inappropriate access assignments
  • Provide a process for remediating inappropriate role definitions

So there it is, our stance of Role Management in two blog articles; ambitious without a doubt, but hopefully pragmatic and feasible as well.

I would like to thank my friend Steve Curtis for his contribution. His practical knowledge in the topic of role management significantly improved the article, making it that much more valuable.

We recognize this topic is particularly challenging to a lot of organizations, and at the same time, very important, so in response, we have introduced a unique offering that we believe will help provide a great deal of practical insight on role management, in a cost-effective and easy-to-digest way, we call it the Role Management Primer, the first of our recently-announced IAM Primer Series.

We welcome your comments and feedback as always.


IAM Program Data Sheet


Frank Villavicencio

Frank Villavicencio