Industry View | Role Management and Risk
Role-based access control is nothing new, but Sarbanes-Oxley and other regulations give it new impetus
By Jackie Gilbert
Role management facilitates business and IT policy alignment by making it easier to translate business process rules into technical IT controls without delving into detailed IT entitlements. Defining access policy at the role level (a higher-level abstraction that maps to technical access privileges) allows business and IT groups to more effectively collaborate on separation-of-duty (SOD) conflicts and other access policy rules. For example, business managers can use business terms to define roles that cannot be held simultaneously by the same user (e.g., the ability to both approve a payment and change payment approval rules). Role management also makes it easier for business managers to align and enforce access policy across diverse application environments by centrally defining and managing the access privileges of all users who have access to critical resources.
Transparency
Transparency strengthens an organization’s internal controls by enabling better visibility into IT data and operations. In the face of regulatory compliance, it’s no longer acceptable for the IT department to be a “black box” to business users and executive management. In order to meet compliance mandates, there must be a level of visibility – in the form of audit data and compliance metrics – that can be understood and approved by business managers and executives.
The need for transparency has amplified the importance of roles and given them new relevance. Roles provide the business context that non-technical compliance and audit personnel need to verify user access policy and to determine whether the actual state of user access matches the desired state defined by compliance and governance policy. With role management, organizations can more effectively audit and report on the effectiveness of controls, including all approvals, authorizations, and certifications, and can identify potential risks such as inappropriate access or policy violations.
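The two ideas above (SOD rules stated at the role level, and checking the actual state of access against the role-derived desired state) can be made concrete in a small audit script. This is an added example, not code from the article or any product; the roles, entitlement names, users, and assignments are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the article): role -> technical entitlements.
ROLES: Dict[str, Set[str]] = {
    "payment_approver": {"ap.approve_payment", "ap.view_invoice"},
    "payment_policy_admin": {"ap.edit_approval_rules", "ap.view_invoice"},
    "ap_clerk": {"ap.enter_invoice", "ap.view_invoice"},
}

# Business-level SOD rules, stated in role terms rather than entitlement terms.
SOD_RULES: List[Tuple[str, str]] = [("payment_approver", "payment_policy_admin")]


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for each user holding both roles of an SOD rule."""
    hits = []
    for user, roles in sorted(assignments.items()):
        for a, b in SOD_RULES:
            if a in roles and b in roles:
                hits.append((user, a, b))
    return hits


def desired_entitlements(roles: Set[str]) -> Set[str]:
    """Desired state: the union of entitlements granted by the user's roles."""
    return set().union(*(ROLES[r] for r in roles))


def access_drift(assignments: Dict[str, Set[str]],
                 actual: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare each user's actual entitlements with the role-derived desired state.
    'excess' = granted outside any role (out-of-band access to review);
    'missing' = a role grants it but the target system does not."""
    report = {}
    for user in sorted(set(assignments) | set(actual)):
        want = desired_entitlements(assignments.get(user, set()))
        have = actual.get(user, set())
        if have != want:
            report[user] = {"excess": have - want, "missing": want - have}
    return report


# Constructed audit inputs: role assignments and entitlements pulled from the apps.
ASSIGNMENTS = {"alice": {"payment_approver", "payment_policy_admin"},
               "bob": {"ap_clerk"}}
ACTUAL = {"alice": {"ap.approve_payment", "ap.edit_approval_rules", "ap.view_invoice"},
          "bob": {"ap.enter_invoice", "ap.view_invoice", "ap.approve_payment"}}

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    print(access_drift(ASSIGNMENTS, ACTUAL))
```

In the sample data, alice violates the SOD rule through her role assignments, while bob's entitlements match no role-level policy at all: his approval right was granted directly in the application, which is exactly the kind of gap a role-based comparison surfaces.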
Role Management in Perspective
As you consider the technologies required to meet your IT governance, risk management, and compliance (GRC) requirements, it’s important to remember that role management is not an end goal in itself, but rather a means to an end. By providing valuable business context and facilitating collaboration between business and technology groups, roles can help your organization move in the direction of stronger accountability, policy alignment, and transparency. However, in and of itself, a role management project will not help you address IT security risk. To effectively manage user access across complex IT environments, role management must work hand-in-glove with automated workflow, policy enforcement, analytics and reporting, and risk management capabilities. This holistic approach helps organizations automate compliance processes, detect and prevent policy violations, remediate and mitigate control weaknesses, and provide auditable evidence of compliance. Think of role management as one key component in the overall compliance solution set you will need to reduce compliance costs, focus controls, and better manage access to critical resources in the context of true business risk.