Large organizations have many workers, each with different access requirements across multiple systems and applications. Rapid changes in both the organization's needs and the application mix, combined with regulatory and internal control requirements, necessitate rapid provisioning of new access and reliable deactivation of no-longer-needed security rights.
IAM systems are intended to streamline and secure enterprise-wide access administration by consolidating identity lifecycle processes into a shared infrastructure.
Previous approaches to consolidated user administration have focused on constructing and maintaining a formal model of user privileges, including roles and rules, that predicts what accounts and rights should be assigned to any given user, based on user classification and other identity attributes.
In real-world deployments, formal models have not scaled well, because many users are unique and consequently there is no leverage to be gained by grouping them into roles or generalizing their access rights with rules. Indeed, role engineering projects are often abandoned or severely curtailed after significant effort and expense.
This document introduces a strategy for large-scale enterprise user administration. A traditional pre-defined role-based approach can practically be applied only to standard, static roles. The strategy described here is a complementary approach to automated privilege management for unique and/or dynamic roles. It is based on user-issued access requests combined with periodic audits.
Using this approach, new privileges are granted to users in response to user-entered requests, rather than being predicted by an automatic privilege model. Excessive user privileges are periodically identified and cleaned up using a distributed, interactive user rights review and certification process.
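The two mechanisms described above, a static role model for standard rights and request-driven grants cleaned up by periodic certification for everything else, can be sketched in a few dozen lines. The following is an added example, not code from the original document or from any IAM product: the role rules, users, entitlement names, the 90-day certification window and the approver names are all constructed for illustration.

```python
"""Added example (not part of the original document): a toy model of the
complementary strategy. Standard, static roles are expressed as rules that
map identity attributes to entitlements. Anything outside the model is
granted only in response to an explicit, approved request, and must be
re-certified by a reviewer within a fixed window or it is revoked.
All role rules, users and entitlement names are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Static role model (hypothetical): (attribute, value) -> entitlements it implies.
ROLE_RULES = {
    ("department", "finance"): {"erp:ledger-read"},
    ("department", "engineering"): {"git:read", "ci:run"},
    ("employee_type", "staff"): {"email", "vpn"},
}


def modelled_entitlements(attrs):
    """Entitlements the role model predicts from a user's attributes."""
    out = set()
    for (key, value), ents in ROLE_RULES.items():
        if attrs.get(key) == value:
            out |= ents
    return out


@dataclass
class Grant:
    entitlement: str
    approver: str
    granted_on: date
    certified_on: date  # last date a reviewer attested the grant is still needed


@dataclass
class User:
    uid: str
    attrs: dict
    grants: dict = field(default_factory=dict)  # entitlement -> Grant (request-based only)


def effective_entitlements(user):
    """Model-derived rights plus whatever was granted on request."""
    return modelled_entitlements(user.attrs) | set(user.grants)


def request_access(user, entitlement, requester, approver, today):
    """Grant in response to a request. Returns False when the static model already
    covers the right (nothing to grant); refuses self-approval."""
    if approver == requester:
        raise ValueError("requester may not approve their own request")
    if entitlement in modelled_entitlements(user.attrs):
        return False
    user.grants[entitlement] = Grant(entitlement, approver, today, today)
    return True


def certify(user, entitlement, reviewer, today):
    """A reviewer re-attests that a request-based grant is still needed."""
    if reviewer == user.uid:
        raise ValueError("users may not certify their own access")
    user.grants[entitlement].certified_on = today


def review_cycle(users, today, max_age_days=90):
    """Periodic clean-up: revoke request-based grants nobody re-certified within
    max_age_days. Returns {uid: [revoked entitlements]} for the audit record."""
    revoked = {}
    for u in users:
        stale = [e for e, g in u.grants.items()
                 if (today - g.certified_on).days > max_age_days]
        for e in stale:
            del u.grants[e]
        if stale:
            revoked[u.uid] = sorted(stale)
    return revoked


def demo():
    """Walk two constructed users through requests, one certification and a review."""
    day0 = date(2024, 1, 1)
    alice = User("alice", {"department": "finance", "employee_type": "staff"})
    bob = User("bob", {"department": "engineering", "employee_type": "staff"})
    # bob is the "unique" user: rights outside his role, granted only on request.
    bob_requested = [
        request_access(bob, "erp:ledger-read", "bob", "finance-lead", day0),
        request_access(bob, "db:prod-read", "bob", "dba-lead", day0),
    ]
    # alice's role already gives her ledger access, so the request is a no-op.
    alice_covered = request_access(alice, "erp:ledger-read", "alice", "finance-lead", day0)
    # Only the database grant gets re-certified; the ledger grant is left to age out.
    certify(bob, "db:prod-read", "dba-lead", day0 + timedelta(days=100))
    revoked = review_cycle([alice, bob], day0 + timedelta(days=120))
    return {
        "bob_requested": bob_requested,
        "alice_covered": alice_covered,
        "revoked": revoked,
        "bob_final": effective_entitlements(bob),
    }


def self_approval_is_rejected():
    """True when a request approved by its own requester is refused."""
    try:
        request_access(User("carol", {}), "x", "carol", "carol", date(2024, 1, 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The design point is the split in `effective_entitlements`: model-derived rights are recomputed from attributes every time and never accumulate, while request-based grants carry an approver and a certification date and are the only thing `review_cycle` touches. The returned `revoked` map is what a real deployment would write to its audit log.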
The remainder of this document is organized as follows:
An introduction to privilege modeling as a strategy for automated user administration.
Where privilege modeling does work in practical deployments, where it doesn't and why.
A strategy for user administration is introduced, based on user-submitted requests for new and changed privileges. A periodic access certification process is also introduced, to address the problem of privilege accumulation.