Role Management Software: Making it Work for You

Role management software enables the creation and lifecycle management of enterprise job roles

By Mary Brandel

At the same time, role mining is no magic pill, Cooper warns. When he was evaluating vendors, for instance, it was clear through a proof of concept that Vaau's approach worked well for Thrivent; however, he says, some approaches are more effective than others. "Some might take hours to process, while others take minutes," he says. "It depends on the numbers they need to crunch."

DON'T create too many roles. Keep the number of roles you create low so that your management burden stays low. "It's a lot easier to manage 1,000 roles than 5,000 or 7,000 individual access profiles," Cooper agrees. It's good practice to use an 80/20 rule, he says, where you assign groups of users a base set of access and then use auxiliary roles and exceptions to cover additional access needs. Companies use different rules of thumb to determine how many roles to create. Some say you should have one role for every 10 people, Cooper says, while "role proliferation" is considered to be one role for every three to five people. Thrivent aims for one role per 12 to 18 employees.

The key, Harkola says, is working with management to create a template that accommodates the majority of people without a lot of exceptions. He expects to have about 200 roles defined for 6,000 employees.

DO look for reporting capabilities and a strong certification process. Available systems differ in the way they provide reporting capabilities. Cooper likes how Sun provides a centralized database for reporting. "If I need to know who has access to what, I just run a report, and it gives a list of systems, the roles the employee belongs to and the exceptions outside the role you have," he says. "It's a one-stop-shop report that you can run that can certify that your people have access to the right things."

The tool's certification process can also significantly ease the job of sharing role information with business managers, and it gives them the responsibility of certifying roles to auditors. Shumard says his company moved from a highly manual, error-prone, spreadsheet-based process to a "very slick" process that business users easily adopted, thanks to Aveksa.

DON'T assume you need a suite to integrate role management with your provisioning system. Carpenter stresses the need to look at the system's ability to integrate tightly with any user provisioning system you have in place, whether it's a stand-alone product that exports a feed or one that's part of a suite. Thrivent took a best-of-breed rather than a suite approach when it selected Vaau for role management and Oracle for user provisioning. "We knew there was a risk of Vaau being purchased, but they assured us they would maintain integration with Oracle," he says.
