Using a Role-Based Approach to Permissions Management

(department and report structures) is defined (although often no up-to-the-minute master source is reliably maintained). The hierarchy is needed mainly to construct approval workflows: who is the supervisor authorized to make approvals for this employee? Roles derived from these structures include “department manager” and “department member.”

• Scope – For example, a “branch manager” role can carry the scope “branch X” because the branch manager is responsible for several branches and needs specific permissions for branch X.

• Cost center – Cost centers do not always map to the official hierarchy, so individuals hold roles such as “cost center manager” and “cost center member.” Budget-related functions and approval workflows depend on these role assignments.

• Geographical location – Location affects many IT resource assignments. This includes not only regional and national characteristics, but also physical factors such as the ideal location for a user’s home directory.

The ideal way to represent all these parameters and the resulting roles is with trees, because trees are free of circular references.

In practice, roles were often constructed as follows: each combination of basic roles (such as “department manager,” “location – Munich” and “project leader for ABC Project”) was defined as one role, to which a specific set of IT permissions, resource permissions and so on was assigned. This method is doomed to failure because the number of possible combinations grows exponentially with the complexity of the organization (not with the number of employees), as illustrated in Figure 1: in theory, every possible combination would have to be defined in advance.

The RBAC method

The ground rules

However, role-based permissions management does not have to result in an unmanageable number of roles.
Along with a definition of the concept of role, NIST’s RBAC standard provides the following ground rules:

• IT resources are “attached” to tree structures – For example, data in SAP systems can be attached to the enterprise’s department hierarchy, so that the entitlements assigned to the “department manager” role grant read access to all SAP data a given department manager needs for his or her job.

• Permissions can be inherited within trees – For example, policies that apply in a given country also apply to each individual location in that country (top-down inheritance), and a project leader can see all the data in the directory set up for his or her project (bottom-up inheritance).

• Inheritance can be cut off at any point – This allows data from a sub-project to be marked as confidential and concealed even from the top-level project leader.

• Role assignment is dynamic – Assignments are calculated by dynamic roles that evaluate certain attributes. For example, a branch manager can receive a class of permissions with specific local characteristics (such as access to the local VPN connection point), or all employees of a particular department can be allowed to use a specific shopping cart.

Figure 2. Role modeling is easy with Identity Manager.

Identity Manager covers the entire lifecycle for each role, from creation and activation through modifications to eventual deletion.

Assigning permissions to employees and ensuring SoD

Company employees are normally present in several of these parallel tree structures. They receive all the permissions linked to their structures in a role-based, cumulative manner. Proper segregation of duties (SoD) can be achieved in two basic ways:

• All areas in the design of the tree structures are separated so cleanly that the inheritance mechanism cannot produce combinations of rights that are not permitted.
The servicing and maintenance effort for this option, in particular for quality assurance, is manageable in small and mid-sized stable organizations but definitely not in complex enterprises with high internal dynamics.

• Before any change is made to company roles or to the assignment of IT resources, the consequences are checked automatically. This can be done with timed workflow processes, such as those in Identity Manager. These processes uncover potential compliance violations and trigger the appropriate corrective measures, such as requesting exception approval or rejecting the access rights.

Approaches to role modeling

When you begin to model roles in your organization, you will likely start from a largely undocumented landscape of individual permission assignments. There are two ways to turn this source material into documented permission assignments based on role membership:

• The top-down method – Business roles and the permissions needed to complete their tasks are defined from the company’s viewpoint. This requires significant preparation: a detailed concept phase that captures your organizational structure, processes and role definitions. From there, you build role hierarchies, assign permissions to roles and identify the individuals to be assigned each role. In its pure form this method regularly fails because the organizational complexity is too high; the bigger the company, the harder the task.

• The bottom-up method (role mining) – Role mining analyzes your existing permission assignments and groups them into roles. One challenge is “garbage in, garbage out”: your current permission assignments may be a mess that must be cleaned up before you can proceed. In addition, this IT-driven method risks concealing the business purpose behind permission assignments.
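The ground rules above (entitlements attached to tree nodes, top-down and bottom-up inheritance, a cut-off for confidential sub-projects, attribute-driven dynamic roles), the automatic segregation-of-duties check before a change is applied, and the role-mining step can all be sketched in a few dozen lines of Python. The block below is an example added to this page; it is not Identity Manager code. Its organizational trees, entitlement names such as sap:create_vendor, the two employees, the single toxic-combination rule and the shopping-cart dynamic role are all invented for illustration.

```python
"""Tree-based RBAC: inheritance, cut-off, dynamic roles, an SoD pre-check and role mining.
Illustrative code added to this page, not Identity Manager's implementation; every node,
entitlement name, employee and rule below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass
class Node:
    """A node in one organisational tree (department, location, project ...)."""
    name: str
    parent: Optional["Node"] = None
    member_perms: Set[str] = field(default_factory=set)  # flow top-down to members
    data: Set[str] = field(default_factory=set)          # flow bottom-up to the manager
    confidential: bool = False                           # cuts bottom-up inheritance here
    children: List["Node"] = field(default_factory=list)

    def add(self, name: str, **kw) -> "Node":
        child = Node(name, parent=self, **kw)
        self.children.append(child)
        return child

@dataclass
class Employee:
    name: str
    memberships: List[Node] = field(default_factory=list)  # "member of" in any tree
    managed: List[Node] = field(default_factory=list)      # "manager/leader of"
    attributes: Dict[str, str] = field(default_factory=dict)

DynamicRule = Callable[[Employee], Set[str]]

def top_down(node: Optional[Node]) -> Set[str]:
    """Members inherit what is attached to the node and to every ancestor (country -> location)."""
    perms: Set[str] = set()
    while node is not None:
        perms |= node.member_perms
        node = node.parent
    return perms

def bottom_up(node: Node) -> Set[str]:
    """A manager reads the data of the node and its subtree, except confidential sub-projects."""
    perms = {f"read:{d}" for d in node.data}
    for child in node.children:
        if not child.confidential:
            perms |= bottom_up(child)
    return perms

def effective_perms(emp: Employee, rules: List[DynamicRule]) -> Set[str]:
    """Cumulative permissions from all parallel trees plus attribute-driven dynamic roles."""
    perms: Set[str] = set()
    for node in emp.memberships:
        perms |= top_down(node)
    for node in emp.managed:
        perms |= top_down(node) | bottom_up(node)
    for rule in rules:
        perms |= rule(emp)
    return perms

# Toxic combination: nobody may both create a vendor and approve payments to it.
SOD_PAIRS: Set[FrozenSet[str]] = {frozenset({"sap:create_vendor", "sap:approve_payment"})}

def sod_violations(perms: Set[str]) -> List[FrozenSet[str]]:
    return sorted((pair for pair in SOD_PAIRS if pair <= perms), key=sorted)

def check_change(emp: Employee, rules: List[DynamicRule], new_node: Node) -> Tuple[str, List[FrozenSet[str]]]:
    """Simulate a new membership before applying it; escalate instead of granting if SoD breaks."""
    trial = Employee(emp.name, emp.memberships + [new_node], list(emp.managed), dict(emp.attributes))
    violations = sod_violations(effective_perms(trial, rules))
    return ("exception_approval_required" if violations else "approved"), violations

def mine_roles(assignments: Dict[str, Set[str]]) -> Tuple[Dict[FrozenSet[str], List[str]], List[str]]:
    """Role mining: identical permission sets become candidate roles; unique sets are
    reported separately as the 'garbage in' to clean up before modelling continues."""
    groups: Dict[FrozenSet[str], List[str]] = {}
    for user, perms in sorted(assignments.items()):
        groups.setdefault(frozenset(perms), []).append(user)
    candidates = {k: v for k, v in groups.items() if len(v) > 1}
    singletons = [v[0] for v in groups.values() if len(v) == 1]
    return candidates, singletons

# Constructed sample: a location tree, two departments and a project tree side by side.
germany = Node("Germany", member_perms={"policy:de-privacy"})
munich = germany.add("Munich", member_perms={"vpn:munich"})
purchasing = Node("Purchasing", member_perms={"sap:create_vendor"})
finance = Node("Finance", member_perms={"sap:approve_payment"})
project = Node("Project ABC", data={"abc/plans"})
sub_a = project.add("ABC/Sub A", data={"abc/sub-a"})
sub_b = project.add("ABC/Sub B", data={"abc/sub-b"}, confidential=True)

def purchasing_cart(emp: Employee) -> Set[str]:
    """Dynamic role: whoever carries the department attribute Purchasing gets the shopping cart."""
    return {"shop:purchasing_cart"} if emp.attributes.get("department") == "Purchasing" else set()

RULES: List[DynamicRule] = [purchasing_cart]
lead = Employee("lead", memberships=[munich], managed=[project])
anna = Employee("anna", memberships=[munich, purchasing], attributes={"department": "Purchasing"})
if __name__ == "__main__":
    print(sorted(effective_perms(lead, RULES)))  # no read:abc/sub-b: cut off as confidential
    print(check_change(anna, RULES, finance))    # create_vendor + approve_payment -> escalated
    print(mine_roles({"u1": {"a", "b"}, "u2": {"a", "b"}, "u3": {"a", "b", "c"}}))
```

Two design points carry over to real deployments. check_change works on a copy of the employee, so a request that would break SoD leaves the live assignments untouched and the decision can be routed to an exception-approval workflow instead of being granted first and cleaned up later. mine_roles reports users whose permission set matches nobody else's rather than silently turning each of them into a one-person role; those are the assignments to review or remove before modeling continues.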
Often, the best option is to combine the two methods.

Role management with Identity Manager

Identity Manager enables you to implement an effective role-based approach for managing your complex permission structures. Its particular strength lies in the transparent manner in which each employee’s business roles are mapped to technical roles. The solution supports the RBAC standard. Business roles can be selectively imported from existing management solutions (such as SAP OM) or maintained in Identity Manager itself. A business role can carry any number of values, such as position within the hierarchy, functional roles and even regional assignments. Various system permissions are gathered into one role; for example, a “department manager” role might include permissions in different SAP systems together with access to certain directories and the corresponding applications. With Identity Manager, your organization can achieve and prove compliance with regulations.

Role modeling

Identity Manager provides hierarchical role development—