The Top Five Mistakes in Defining Identity Management Roles

The Top Five Mistakes in Defining Identity Management Roles

Identity management bloopers on the rise.

One of the most critical parts of implementing your Identity and Access Management System is to define roles correctly. An identity management system with a poorly designed role structure is like owning a Ferrari, but running it on space-saver spare tires. Therefore, avoid these 5 common mistakes when embarking on identity management role definition when creating identity and access governance rules.

1. Poor planning
Some companies get an IdM system and just start using it for one department without giving it much thought. Then, they try to expand it to company-wide use without further analysis and discover a whole host of issues. In the end, they just throw out all the existing role definitions and start over costing time and money. So even if you are doing a small identity and access governance deployment initially, it is worth spending some time thinking about how to properly define roles and how the structure is going to grow into an enterprise-wide identity and access management system.

2. Manual research of role assignments vs. leveraging software
If you try to manually compile a list of all the needed roles in your organization, you are going to miss many. Meanwhile, your HR system probably has some of that data already in it. A good way to pull data from the HR system and start figuring out what roles you need to consider for your identity and access management system is to use Role Mining tools. Avatier has some role mining utilities built into both Identity Enforcer and Balanced Scorecard to help you with this process.  However, be aware that this is useful input for identity management roles, but not the ideal set of information as we will see in the next two items.

3. Assumption that existing access assignments are accurate
A very common and useful approach to figuring out identity management roles in an organization is to look at the user access provisioning roles that employees currently have. The danger of this is many employees will have excess access that they don’t really need. If you just copy it over to your IdM system, the problem is only going to affect even more users and your security is even weaker than before. Therefore, while implementing roles, it is the perfect time to audit what is the proper access they really need. Then trim down people’s access to the proper levels.

4. Position/title-based roles vs. functional roles
A common but poor way to define identity management roles is by using people’s titles as roles. In most environments today, a job title does not uniquely reflect the access rights required since HR departments are trending to use more generic job titles. In some situations, everybody with the same title may truly need the exact same user access provisioning roles, but this is not typically the case. For example, housekeepers in a hotel chain all most likely need the same access. If you design access certification roles at the functional level, you can successfully address both position and functional access requirements, but you will limit future capabilities if roles are only aligned to job titles. Reorgs and business process changes will routinely break position-based roles.

5. Lack of auditor involvement
Due to Sarbanes-Oxley, the auditors and officers are going to need to certify that your company has proper access and security controls. Related to this, they are going to need to certify that the Separation of Duties between roles is handled correctly. Therefore, it is critical that they agree that the access certification role setup and related reporting is going to give them enough visibility into the process to do this.

If you can avoid the above mistakes when creating identity and access governance roles for your organization, you most likely will end up with a good, functioning, and flexible model of your organization in your IdM system. If you don’t, you are going to eventually need to do much redesign and rework costing potentially hundreds of thousands of dollars while having your organization out of compliance.

Watch the Avatier Identity and Access Management Time to Value Gwinnett Medical Center Customer Testimonial

Get the Top 10 Identity Manager Migration Best Practices Workbook

top 10 identity manager migration best practicesStart your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.

Request the Workbook

Written by Billy Barron