Role management refers to the set of activities required to develop roles initially and to maintain role definitions over time:
- Defining new roles and their associated assignment rules.
- Changing role definitions and assignment rules.
- Periodically reviewing and updating the set of security entitlements.
- Periodically reviewing and updating the list of users assigned each role.
- Analyzing existing data about users, identity attributes and security entitlements to assist in the development and maintenance of roles.
- Deprecating or retiring old, no-longer-required roles.
Developing a role model that effectively encapsulates the privileges needed by a majority of users can be difficult. Hitachi ID Systems does not require that customers pursue a purely role-based approach, but does provide analytics capabilities in our products to assist in identifying groups of same-identity-attribute or same-entitlement users, to help develop a role model.
Once a role model has been developed, Hitachi ID Identity Manager includes enforcement technology to periodically (typically every 24 hours) compare actual user rights to those predicted by the role model, less approved exceptions. Any deviations can either be automatically corrected or sent to human authorizers to approve (i.e., convert to an approved exception) or deny (i.e., correct on the target systems).
The same enforcement is integrated with the workflow requests system, to prevent users from requesting access rights that would violate the model.