Capabilities of Full-Fledged Role Management Systems

(For tips on evaluating and implementing role management systems, see Making Role Management Systems Work for You.)

• Role mining and discovery: The ability to collect user access and authorization information from a variety of resources, associate this data with candidate roles and responsibilities, propose alternative roles and leverage decisions made about the data on an ongoing basis.
• Organization and business role modeling: As business roles are developed, they may need to be associated with organizational characteristics, especially reporting and working relationships.
• Business role management: From the business perspective, roles are viewed as a set of responsibilities performed in conjunction with a position in the organization. The system should be able to define, maintain and examine existing roles to determine if they can be repurposed.
• IT role modeling: From the perspective of access management and authorization, resources should be managed at as general a level as possible. This requires the association of users or business roles to specific privileges or permission sets, which the tool should enable. The tool should also enable business and IT roles to be mapped to one another.
• IT role management: Similar to business roles, IT roles need an administrative mechanism to define, maintain and search roles.
• Role reconciliation: The solution should provide a way to identify who is assigned to one or several roles, when and how the assignment was made, and when it should be reviewed. A similar capability should be provided for IT roles.
• Policy definition and management: Roles are frequently associated with policies, particularly from a separation of duties perspective. That is, someone acting in one role may need to be prevented from acting in another role at the same time, in a serial manner, under the direction of someone in a particular role or under some other condition. The system should provide for the definition and management, if not the discovery of policy, as well as the association of policies to roles.
• Role and policy publication: The system may become the authoritative source for publishing role and policy information.
• Role integration with identity, policy, workflow and authorization solutions: Interfaces may be provided directly, or the developer may leverage connectors or agents provided by the application in question.
• Attestation and compliance collection and reporting: The system should enable responsible parties to periodically verify that roles are still effective and in compliance.
• Activity monitoring and correlation: The system should enable monitoring of user interaction with resources to provide information for the development of roles. This also provides visibility into normal and abnormal usage.
• Temporal modeling and state management: The system should keep track of who held a particular role at a particular time, as well as some characteristics of that assignment, for example, who assigned them to that role. The solution should also enable modeling and prediction of the consequence of changes in the role infrastructure and principal assignments.
• Conformance with the ANSI INCITS 359-2004 Role-Based Access Control (RBAC) standard: This standard describes the relationship of users to roles, roles to other roles, and roles to resources in a privilege-management system. It also describes how to establish static and dynamic separation of duties. Note: Conformance is difficult to ascertain, as there is no profile or testing to verify that a solution truly supports the standard.