Role management software enables the creation and lifecycle management of enterprise job roles, according to Forrester Research. It does this by discovering and logically grouping application-level, fine-grained authorizations and entitlements into enterprise job roles, which can then be assigned to people by rule-based provisioning or request-approval workflows. See Capabilities of a Full-Fledged Role Management System for a description of the feature set and Who's Who in Role Management for a representative vendor list. In its 2007 survey of 35 organizations, Burton Group found that the number of role management initiatives has grown significantly since 2003, especially in the financial services industry. The top business drivers include:
- Administrative efficiencies for access management
- Ease of audit and compliance
- Improved security controls for access and authorization
The payoff? In return for your efforts, expect the following benefits:
- Simplified number of managed entities
- Improved visibility into available resources
- Better enforcement of policy
- Improved relationship of IT with the business
All of this comes at a price, of course. Burton Group warns that role management requires a significant investment in up-front effort. In its survey, it found the average annual budget for these efforts was about $1.2 million. Project funding was widely variable, says Kevin Kampman, senior analyst at Burton, and was sometimes embedded in other initiatives such as ERP or identity management implementations, with investments ranging from nothing (in one case) to between $10 and $1,000 per user. Small and midsize businesses can plan to implement role mining and design projects for $300,000 to $500,000, while large, complex organizations will face $500,000 to $1 million price tags, according to Forrester.
The Burton Group says major challenges for these projects include:
- Establishing the relationship of roles to business and administrative processes
- Setting guidelines for defining and establishing roles
- Determining who should participate and in what capacity
- Determining how to maintain roles over time
- Associating roles with resources
- Determining how to associate business process and policy with roles
In Burton Group's survey, nearly 70 percent of participants indicated this was their first attempt at a role management implementation, while the rest had attempted a previous initiative. Of that population, 40 percent were successful and 60 percent were unsuccessful. The reasons for failure were consistent, Kampman says, including:
- An exclusively technical focus
- Little or no business sponsorship and participation
- Lack of an overall organizational strategy, methodology and deployment approach
Key differentiators of existing systems, according to Forrester, include integration with leading ERP systems' role structures (SAP, Oracle), management of versioning and temporality of roles and integration with provisioning and identity audit products.
Do's and Don'ts
DON'T select a tool until you've defined your process. Implementers warn that the system should support the role management process, not the other way around. That was clear to Martin Kruit, a vice president at ABN Amro, who knew that the wholesale business unit in which he worked needed to improve the way it handled access management. At the time, access requests were sent to whichever administrator had implemented the application. Essentially, Kruit says, "If you needed something you could get it. There was no rationale behind it."
So, in 2004, Kruit and his team worked to create a centralized system that not only streamlined the process but also met the needs of internal auditors to prove employees had access only to needed resources.
The team worked, department by department, to define roles and determine what access people in those roles required. It manually cleaned up the system, including ridding it of "orphaned" accounts of ex-employees. At the time, Kruit says, there was nothing available to automate this process so his team used spreadsheets to record roles and related access needs, but this eventually grew unwieldy. By 2005, Kruit and his team began looking for a role management tool and decided on BHOLD.
Now, when an access request comes in, the system reconciles it against the requestor's role profile and sends an e-mail to an offshore administrator in India to provide access. ABN Amro does not do automated provisioning because it would be too costly to create the customized interfaces with the company's legacy systems, Kruit says.
"We looked for software that fit our philosophy of having a strong process first and then the automation," he says. "The system had to grow with us, and not all companies did that—they just want to sell you a total solution."
Similarly, Energy East spent six months redesigning its process before "throwing software at it," says Steven Harkola, director of support services at the diversified energy delivery provider. His team trained 40 team members in ITIL foundations and worked with a consultancy to form a project management office, eventually deciding to integrate access management with incident and asset management processes to create a Web-based shopping-cart-like front end to the system.
In fact, when Energy East decided on Courion as a vendor, Harkola says, a major factor was the vendor's willingness to perform the integration work necessary to connect the systems together and create a workflow system.
DO take a combined top-down, bottom-up approach. According to Kampman, role management typically combines a top-down (or business responsibility-driven) perspective, and a bottom-up (or system resource-oriented) approach. Top-down reflects the needs of the business, while bottom-up reflects the application privileges and permission sets to satisfy those business responsibilities.
Harkola says it's the bottom-up that's really time consuming because it requires developers to delve into the target applications and pull out the entitlement database to see what everyone has access to. The role templates were much easier to create, he says, thanks to Courion's Role Courier, which analyzes the entitlement data and quickly builds roles, which clients then verify as accurate.
Craig Shumard, CISO at Cigna, says its tool, Aveksa, can automate the bottom-up process. Before purchasing Aveksa, he says, his team worked manually to create roles based on business responsibilities, as well as the entitlements each role should have. However, Aveksa was able to go into the applications and provide a "book of record," he says, or an as-is state of the access people in those roles actually had. This, he says, exposed all the company's "sins of the past" and allowed them to clean up access privileges.
DO create links between IT roles and business roles. It's important to, as Craig Cooper, senior project manager at Thrivent Financial for Lutherans, puts it, "connect the dots" for the business between access entitlements and business definitions. That's why his team mapped each entitlement with a business definition. That way, a business person could ask simply to, say, update a customer record, without having to specify the dozens of access requests they'd need to perform that operation. "It puts it into a business context," he says.
DO go beyond access control when communicating business benefits. Kampman says because role management ensures that authority, responsibilities, resources and communications channels are aligned to meet business objectives, it can have great appeal to C-level execs who need this kind of visibility to achieve a more effective and efficient organization.
For Energy East, Harkola says, communicating business benefits meant ensuring the new processes his group created provided value-add from a service perspective. "You have to think of role management in a broader context, not just, 'I want to solve role management,'" he says.
At ABN Amro, Kruit says, selling role management meant not only emphasizing a speedier access request process but also a safety net against the types of data access scandals that afflicted organizations in the past year. "We had to make the case," he says.
Meanwhile, Cooper sees role management as an integral part of enhancing Thrivent's trusted reputation with customers. "We want to be able to demonstrate that we have the controls in place related to access, and this process has allowed us to do that," he says.
DO look for a tool that mirrors your organizational approach. It's important to ensure that the tool you choose is consistent with your organization's approach to structuring roles. For instance, when Cooper chose Vaau (before it was acquired by Sun), he felt it provided the flexibility he needed to provide not just primary roles but also sub-roles and out-of-role requests for temporary projects.
DON'T underestimate the time commitment. Implementers agree that role management is a multiyear effort. Having started in December 2007, Energy East predicts it will have role templates in place for more than 40 percent of its 6,000 employees by the end of this year. Harkola expects things to speed up with the implementation of Courion's Role Courier.
Cooper says he's spent almost his entire career at Thrivent on role management, with the effort starting in 2006. By the end of this year, he expects to have roles created across the majority of the organization, and 20 percent of the company's application portfolio will be integrated into the system. The most time-consuming piece, according to Cooper, is the communication, analysis and research required to get businesspeople on board and ensure your initial design is correct. The good news, he says, is that the learning curve drops off, and you can leverage process improvements and reuse definitions. While it took 12 weeks to set up roles for Thrivent's first business unit, the team is now completing units in six weeks.
But all in all, "the work effort is probably more than you anticipate, and you need to have a dedicated team," Shumard warns. Particularly thorny areas for Cigna included workflow, communication and getting role managers involved.
DO manage scope. Shumard says it's important to create a road map to best understand your goals, pain points and what you want to address first. And because of the time and cost involved, companies like Thrivent have pared down the number of applications they will include in their role management systems; Thrivent chose to focus first on its financially significant privacy applications, which make up 10 percent of its portfolio. "In a lot of our applications, less than a dozen people have access," Cooper says. "In cases like that, it doesn't make sense to apply $15,000 or $50,000 to integrate that application with the system."
DO consider getting a quick start with role mining. Role mining is becoming more common in full-featured role management systems. It's a feature that looks for established patterns, which users then interpret to define roles, eliminating 25 percent to 40 percent of the legwork that used to exist, according to Perry Carpenter, an analyst at Gartner. In this way, it can be used to show value quickly. Software provider Eurekify is well-known for its role-mining capabilities, and built its system on top of an analytic engine, but even companies that came into the market from an audit or compliance background are doing role mining now.
At the same time, role mining is no magic pill, Cooper warns. When he was evaluating vendors, for instance, it was clear through a proof of concept that Vaau's approach worked well for Thrivent; however, he says, some approaches are more effective than others. "Some might take hours to process, while others take minutes," he says. "It depends on the numbers they need to crunch."
DON'T create too many roles. It's important to keep the number of roles you create down to keep your management burden low. "It's a lot easier to manage 1,000 roles than 5,000 or 7,000 individual access profiles," Cooper agrees. It's good practice to use an 80/20 rule, he says, where you assign groups of users a base set of access and then use auxiliary roles and exceptions to cover additional access needs. Companies use different rules of thumb to determine how many roles to create. Some say you should have one role for every 10 people, Cooper says, while "role proliferation" is considered to be one role for every three to five people. Thrivent aims for one role per 12 to 18 employees.
The key, Harkola says, is working with management to create a template that accommodates the majority of people without a lot of exceptions. He expects to have about 200 roles defined for 6,000 employees.
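As an added illustration of the role-mining and role-count advice above (example code written for this page, not code from the article or from any vendor it names), the Python below mines a base role per business unit from as-is entitlement data using the 80/20 rule, reports exceptions and gaps against that role, grades the users-per-role ratio against the rules of thumb quoted in the text, and produces the "who has access to what" view a certifier would sign off on. The user names, business units, entitlement strings, the 80 percent coverage threshold and the verdict bands are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample (not from the article): user -> (business unit, entitlements as
# pulled from the application entitlement databases, i.e. the bottom-up "as-is" view).
AS_IS = {
    "alice": ("claims", {"crm:read", "crm:update", "billing:view"}),
    "bob":   ("claims", {"crm:read", "crm:update", "billing:view"}),
    "carol": ("claims", {"crm:read", "crm:update", "billing:view", "billing:refund"}),
    "dave":  ("claims", {"crm:read", "crm:update"}),
    "erin":  ("claims", {"crm:read", "crm:update", "billing:view", "payroll:approve"}),
    "frank": ("hr", {"hr:read", "hr:update"}),
    "grace": ("hr", {"hr:read", "hr:update", "payroll:approve"}),
    "heidi": ("hr", {"hr:read"}),
}

def mine_roles(as_is, coverage=0.8):
    """Bottom-up mining with the 80/20 rule: per unit, an entitlement held by at least
    `coverage` of the unit's users joins the base role. Extra entitlements a user holds
    are exceptions to review; base entitlements a user lacks are gaps vs. the as-is."""
    by_unit = defaultdict(dict)
    for user, (unit, ents) in as_is.items():
        by_unit[unit][user] = ents
    roles, exceptions, gaps = {}, {}, {}
    for unit, members in by_unit.items():
        counts = Counter(e for ents in members.values() for e in ents)
        roles[unit] = {e for e, n in counts.items() if n >= coverage * len(members)}
        for user, ents in members.items():
            if ents - roles[unit]:
                exceptions[user] = ents - roles[unit]
            if roles[unit] - ents:
                gaps[user] = roles[unit] - ents
    return roles, exceptions, gaps

def assess_role_count(num_users, num_roles):
    """Rules of thumb quoted in the text: about one role per 10 people is reasonable,
    one role per 3-5 people is 'role proliferation'. Returns (users per role, verdict)."""
    ratio = num_users / num_roles
    if ratio <= 5:
        return ratio, "role proliferation"
    if ratio < 10:
        return ratio, "borderline"
    return ratio, "acceptable"

def access_report(user, as_is, roles, exceptions):
    """'Who has access to what': the unit role the user belongs to plus the
    exceptions outside that role, which is what a business certifier signs off on."""
    unit = as_is[user][0]
    return {"role": unit, "role_entitlements": sorted(roles[unit]),
            "exceptions": sorted(exceptions.get(user, set()))}
```

In the constructed data, dave's missing billing:view shows up as a gap and grace's payroll:approve as an exception, so the mined role exposes exactly the "sins of the past" clean-up the text describes; with 8 users and 2 roles the ratio of 4 lands in the proliferation band, while Harkola's planned 200 roles for 6,000 employees would not.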
DO look for reporting capabilities and a strong certification process. Available systems differ in the way they provide reporting capabilities. Cooper likes how Sun provides a centralized database for reporting. "If I need to know who has access to what, I just run a report, and it gives a list of systems, the roles the employee belongs to and the exceptions outside the role you have," he says. "It's a one-stop-shop report that you can run that can certify that your people have access to the right things."
The tool's certification process can also significantly ease the job of sharing role information with business managers and gives them the responsibility of certifying roles to auditors. Shumard says his company moved from a highly manual, error-prone, spreadsheet-based process to a "very slick" process that business users easily adopted, thanks to Aveksa.
DON'T assume you need a suite to integrate role management with your provisioning system. Carpenter stresses the need to look at the system's ability to integrate tightly with any user provisioning system you have in place, whether it's a stand-alone product that exports a feed or one that's part of a suite. Thrivent took a best-of-breed versus suite approach when it selected Vaau for role management and Oracle for user provisioning. "We knew there was a risk of Vaau being purchased, but they assured us they would maintain integration with Oracle," he says.