Identity Management (IDM) is the continuous process covering all the tasks required to create, manage, and delete user identities in an organization. The core objective of an identity management system is “One Identity per Individual”. IDM begins with the creation of the user account and the assignment of appropriate attributes or permissions to that account on IT resources.
In simple terms, a role is a bucket of entitlements that a user might be assigned. Using roles to define a user’s access to IT resources is called Role-Based Access Control (RBAC). A role can be engineered either within the IDM system or outside it, using role mining tools. Users are then granted access to IT resources by assigning them a role rather than individual entitlements. Roles determine what operations a user can and cannot perform, which in turn reduces the burden of system administration.
Implementing RBAC comes with both challenges and benefits. It takes time and effort to determine which permissions each role will be assigned, and a static template for rolling out RBAC cannot be used for all organizations because business needs tend to differ.
On the other hand, separation of duties reduces an organization’s exposure to fraud and conflicts of interest. It also ensures that critical business functions do not rely on a single person. RBAC supports two types of separation of duties: static separation of duties (SSD) and dynamic separation of duties (DSD). SSD defines role memberships that are mutually exclusive. For example, RBAC can ensure that a user cannot be a member of both the purchasing role and the approving role, so that user can either make a purchase or approve one, but not both. DSD allows the same person to be in both the purchasing role and the approving role, but prohibits them from approving their own purchase.
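
The two separation-of-duties modes described above, as an added Python example that is not from the original article or from any IDM product: SSD is checked when a role is assigned, DSD when an approval is attempted on a specific purchase. The class, function and user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

class PolicyViolation(Exception):
    """An assignment or action that breaks a separation-of-duties rule."""

# Role names follow the purchasing/approving example in the text (constructed).
PURCHASER, APPROVER = "purchasing", "approving"

@dataclass
class RoleStore:
    ssd_pairs: set = field(default_factory=set)   # frozensets of mutually exclusive roles
    members: dict = field(default_factory=dict)   # user -> set of role names

    def assign(self, user, role):
        """SSD is enforced here, at assignment time, before any access occurs."""
        held = self.members.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.ssd_pairs:
                raise PolicyViolation(f"SSD: {user} holds {other!r}, cannot add {role!r}")
        held.add(role)

    def has(self, user, role):
        return role in self.members.get(user, set())

@dataclass
class Purchase:
    item: str
    requester: str
    approved_by: Optional[str] = None

def create_purchase(store, user, item):
    if not store.has(user, PURCHASER):
        raise PolicyViolation(f"{user} lacks role {PURCHASER!r}")
    return Purchase(item, user)

def approve_purchase(store, user, purchase):
    """DSD is enforced here, at use time, against the specific purchase."""
    if not store.has(user, APPROVER):
        raise PolicyViolation(f"{user} lacks role {APPROVER!r}")
    if purchase.requester == user:  # both roles held, but not on the same purchase
        raise PolicyViolation(f"DSD: {user} cannot approve their own purchase")
    purchase.approved_by = user
    return purchase
```

A store created with `ssd_pairs={frozenset((PURCHASER, APPROVER))}` rejects the second role outright, while a store with no SSD pairs accepts both roles and relies on the check in `approve_purchase`.
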
Controlling access via RBAC, by provisioning roles to users through IDM rather than granting direct entitlements, has the following advantages:
- Protect key assets & information
- Be compliant
- Improve efficiencies
- Support new business initiatives
It is very challenging for enterprises to solve this puzzle when both the employee headcount and the range of resources are exceptionally large and unwieldy to administer. Organizational security needs and requirements change frequently, so it becomes extremely important to manage identities and roles with a 360-degree approach. A well-planned identity management system will therefore not only help improve performance and productivity for employees, but will also result in decreased help desk costs and improved compliance.
Subhash is a former Happiest Mind and this content was created and published during his tenure.