Toolbox

Role Management Software: Making it Work for You

Role management software enables the creation and lifecycle management of enterprise job roles

By Mary Brandel

Page 2

Do's and Don'ts
DON'T select a tool until you've defined your process. Implementers warn that the system should support the role management process, not the other way around. That was clear to Martin Kruit, a vice president at ABN Amro, who knew that the wholesale business unit in which he worked needed to improve the way it handled access management. At the time, access requests were sent to whichever administrator had implemented the application. Essentially, Kruit says, "If you needed something you could get it. There was no rationale behind it."

So, in 2004, Kruit and his team worked to create a centralized system that not only streamlined the process but also met the needs of internal auditors to prove employees had access only to needed resources.

The team worked, department by department, to define roles and determine what access people in those roles required. It manually cleaned up the system, including ridding it of "orphaned" accounts of ex-employees. At the time, Kruit says, there was nothing available to automate this process so his team used spreadsheets to record roles and related access needs, but this eventually grew unwieldy. By 2005, Kruit and his team began looking for a role management tool and decided on BHOLD.

Now, when an access request comes in, the system reconciles it against the requester's role profile: a request that falls within the role is sent by e-mail to an offshore administrator in India, who provides the access manually. ABN Amro does not do automated provisioning because it would be too costly to create the customized interfaces to the company's legacy systems, Kruit says.
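The two checks described for ABN Amro, cleaning out orphaned accounts and reconciling each request against the requester's role profile, come down to a few set operations once roles, the HR roster and the per-application account lists are in one place. The following is an added example, not ABN Amro's or BHOLD's code; every user, role, application and entitlement in it is constructed sample data, and the "instruction" it returns stands in for the e-mail to a human administrator, since the article describes no automated provisioning.

```python
"""Added example: reconcile access requests against role profiles and
find orphaned accounts. All names below are constructed sample data,
not taken from ABN Amro or any product."""

# Role profile (top-down): business role -> entitlements the role may hold.
ROLE_PROFILES = {
    "trade-support": {"tradesys:read", "tradesys:book", "reporting:read"},
    "settlements":   {"settle:read", "settle:approve", "reporting:read"},
    "internal-audit": {"tradesys:read", "settle:read", "reporting:read"},
}

# HR roster: active employees and the single business role assigned to each.
HR_ROSTER = {
    "akhan": "trade-support",
    "bvries": "settlements",
    "cjansen": "internal-audit",
}

# Snapshot of accounts as they actually exist on each application
# (constructed; "dold" is an ex-employee whose account was never removed).
APP_ACCOUNTS = {
    "tradesys": {
        "akhan":   {"tradesys:read", "tradesys:book"},
        "cjansen": {"tradesys:read"},
        "dold":    {"tradesys:read", "tradesys:book"},
    },
    "settle": {
        "bvries": {"settle:read", "settle:approve"},
        "akhan":  {"settle:approve"},   # outside the trade-support role
    },
}


def find_orphaned_accounts(roster, app_accounts):
    """Accounts on a system whose owner is no longer on the HR roster."""
    return sorted(
        (app, user)
        for app, accounts in app_accounts.items()
        for user in accounts
        if user not in roster
    )


def find_excess_entitlements(roster, role_profiles, app_accounts):
    """Entitlements a current employee holds beyond their role profile.
    This is the evidence an auditor asks for: who has more than the role allows."""
    excess = {}
    for app, accounts in app_accounts.items():
        for user, held in accounts.items():
            if user not in roster:
                continue  # orphaned accounts are reported separately
            extra = held - role_profiles[roster[user]]
            if extra:
                excess[(app, user)] = sorted(extra)
    return excess


def reconcile_request(user, entitlement, roster, role_profiles):
    """Decide the outcome of one access request.
    Returns ("deny", reason), ("exception", reason) or ("provision", instruction).
    The instruction is what a human administrator would be e-mailed; nothing
    here touches a target system."""
    if user not in roster:
        return ("deny", f"{user} is not an active employee")
    role = roster[user]
    if entitlement not in role_profiles[role]:
        return ("exception",
                f"{entitlement} is outside role {role}; route for exception approval")
    return ("provision", f"grant {entitlement} to {user} (role {role})")


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts(HR_ROSTER, APP_ACCOUNTS))
    print("excess:", find_excess_entitlements(HR_ROSTER, ROLE_PROFILES, APP_ACCOUNTS))
    for u, e in [("akhan", "tradesys:book"), ("akhan", "settle:approve"), ("dold", "tradesys:read")]:
        print(u, e, "->", reconcile_request(u, e, HR_ROSTER, ROLE_PROFILES))
```

Requests outside the role are routed for exception approval rather than denied outright, because a real organisation always has some legitimate out-of-role access; the point is that every such grant is recorded as an exception rather than silently added to the role.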

"We looked for software that fit our philosophy of having a strong process first and then the automation," he says. "The system had to grow with us, and not all companies did that—they just want to sell you a total solution."

Similarly, Energy East spent six months redesigning its process before "throwing software at it," says Steven Harkola, director of support services at the diversified energy delivery provider. His team trained 40 team members in ITIL foundations and worked with a consultancy to form a project management office, eventually deciding to integrate access management with incident and asset management processes to create a Web-based shopping-cart-like front end to the system.

In fact, when Energy East decided on Courion as a vendor, Harkola says, a major factor was the vendor's willingness to perform the integration work necessary to connect the systems together and create a workflow system.

DO take a combined top-down, bottom-up approach. According to Kampman, role management typically combines a top-down (business-responsibility-driven) perspective with a bottom-up (system-resource-oriented) one. Top-down starts from the needs of the business and states what each role should be able to do; bottom-up starts from the application privileges and permission sets that already exist on the systems and groups them into the sets that actually satisfy those business responsibilities. Comparing the two shows where the defined role and the access people really hold have drifted apart.
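The added example below shows the comparison in code. It is not Kampman's method or any vendor's role-mining algorithm; the department, its members, the entitlements and the 75% membership threshold are constructed for illustration. The top-down side is a business definition of the role; the bottom-up side mines the entitlements the department's members actually hold and keeps those held by most of them as the candidate role, reporting everything else as per-user outliers. The two are then diffed in both directions.

```python
"""Added example: top-down role definition versus bottom-up role mining.
Department, users, entitlements and threshold are constructed sample data,
not from the article or any product."""
from collections import Counter

# Top-down: what the business says the role needs.
TOP_DOWN = {
    "trade-support": {"tradesys:read", "tradesys:book", "reporting:read"},
}

# Bottom-up input: entitlements each member of the department actually holds
# (constructed snapshot gathered from the applications).
DEPT_MEMBERS = {
    "trade-support": {
        "akhan": {"tradesys:read", "tradesys:book", "reporting:read", "ftp:upload"},
        "bdijk": {"tradesys:read", "tradesys:book", "ftp:upload"},
        "cmol":  {"tradesys:read", "tradesys:book", "reporting:read", "ftp:upload", "settle:approve"},
        "dvos":  {"tradesys:read", "ftp:upload"},
    },
}


def mine_role(members, threshold=0.75):
    """Bottom-up: entitlements held by at least `threshold` of the members
    form the candidate role; whatever a user holds beyond that is an outlier
    that needs an individual explanation (or removal)."""
    counts = Counter(e for held in members.values() for e in held)
    n = len(members)
    core = {e for e, c in counts.items() if c / n >= threshold}
    outliers = {
        user: sorted(held - core)
        for user, held in members.items()
        if held - core
    }
    return core, outliers


def compare_roles(top_down, mined):
    """Diff the business definition against mined reality, both ways.
    defined_but_rarely_held: the business says it is needed but few have it,
        i.e. a provisioning gap or an obsolete requirement.
    held_but_not_defined: most members have it but the definition omits it,
        i.e. privilege creep or an incomplete definition."""
    return {
        "defined_but_rarely_held": sorted(top_down - mined),
        "held_but_not_defined": sorted(mined - top_down),
    }


def review_role(name, top_down=TOP_DOWN, dept_members=DEPT_MEMBERS, threshold=0.75):
    """Run both directions for one role and return the findings together."""
    core, outliers = mine_role(dept_members[name], threshold)
    return {
        "mined_role": sorted(core),
        "outliers": outliers,
        "diff": compare_roles(top_down[name], core),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_role("trade-support"), indent=2))
```

Each finding maps to a question for the business owner rather than an automatic change: "reporting:read" is in the definition but held by only half the department (is it really required?), "ftp:upload" is held by everyone but defined nowhere (should it join the role, or is it legacy access to be removed?), and "cmol" holding "settle:approve" is an outlier that conflicts with the settlements role and needs its own justification.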
