Large organizations have many workers, each with different access requirements across multiple systems and applications. Rapid changes in both the organization's needs and the application mix, combined with regulatory and internal control requirements, necessitate rapid provisioning of new access and reliable deactivation of no-longer-needed security rights.
IAM systems streamline and secure enterprise-wide access administration by consolidating identity lifecycle processes into a shared infrastructure.
Previous approaches to consolidated user administration have focused on constructing and maintaining a formal model of user privileges, including roles and rules, that predicts what accounts and rights should be assigned to any given user, based on user classification via identity attributes.
In real-world deployments, formal models tend to work well wherever many users have the same access requirements. For small sets of users or for users who have unique requirements, the RBAC approach is typically not economical -- it can take more time to develop and maintain roles and rules than was previously needed to assign and revoke access rights directly to individual users.
Organizations that have many high-value/unique-needs users, who nonetheless attempt to manage all access rights using roles, will typically spend a lot of time and money in role development before either aborting the process or scaling back the exercise to focus only on large groups of users that have uniform needs.
This document introduces a more balanced strategy for large-scale administration of identities (users, accounts) and access rights (entitlements, group memberships). It can support both large sets of users with static, uniform access needs (using roles) and unique, small groups of users or users with rapidly evolving needs (using requests and reviews).
The remainder of this document is organized as follows:
An introduction to entitlement modeling as a strategy for automated user administration.
Explains that, contrary to popular belief, roles are helpful for efficiency and usability rather than for security or internal controls.
Where entitlement modeling does work in practical deployments, where it doesn't and why.
A strategy to managing identities and access rights through user-submitted requests for new entitlements and periodic access certification process to revoke unneeded access.