This document introduces a more balanced strategy for large-scale administration of identities (users, accounts) and access rights (entitlements, group memberships). It can support both large sets of users with static, uniform access needs (using roles) and unique, small groups of users or users with rapidly evolving needs (using requests and reviews).
The remainder of this document is organized as follows:
An introduction to entitlement modeling as a strategy for automated user administration.
An explanation of why, contrary to popular belief, roles are helpful for efficiency and usability rather than for security or internal controls.
Where entitlement modeling works in practical deployments, where it does not, and why.
A strategy for managing identities and access rights through user-submitted requests for new entitlements and a periodic access certification process to revoke access that is no longer needed.