Role Up-Role Up

Last week I attended the SunLive event in London, my main role was to support our colleagues in Wipro. Wipro had built a really powerful demonstrator showing the integration between RBACx and Sun’s IdentityManager. Unfourtunately I found the event pretty slow, the audience seemed to be more concerned about virtualisation, Java and Sun’s hardware, all intresting subjects in their own rights, just not my thing.

The one thing that caught my interest was a presentation by Drew Wagar from KPMG on the “Perils and Pitfalls of Identity Management”. The presentation was well informed honest and open, there was very little on the normal best practises around deployment. Drew adopted a refreshing approach and concentrated on the selection process, how in many cases projects are set to fail, due to poor vendor selection or lack of knowledge and lack of clearly defined requirements on the customer side.

The most salient point that Drew made (IMHO) was regarding the ITT process. He concluded that the process is fundamentally flawed, all vendors will state that their products meet all the requirements of any questions posed in an ITT.  On occasions, Drew suggested that vendors may bend the truth to receive ticks in the boxes on a scoring matrix, his comments naturally raised a few smiles. The net effect is that on paper all offerings are the same.

Drew laid out a sensible framework towards vendor selection, his presentation that outlines the approach can be found here. One of the best bits of advice offered to organisations looking for an IAM solution was to try and cut down on the ITT process, the suggestion here was to carry out a mini PoC’s with the same success criteria for each vendor, this approach would self select vendors, as those bending the truth would quickly be exposed.

From my own point of view, it was reassuring to hear one of KPMG’s advisors talking about law and regulatory compliance as a strong driver for procuring and deploying IAM, also the fact that roles, role modeling and role mining need to be considered factors in the selection criteria.  Fourtunatley Vaau have these 2 areas expertly covered within the “Identity Compliance Manager” and “Roles Manager” modules.  

In all it was a great presentation, with a bucket load of free advice from a KPMG advisor.

Prior to starting at Vaau I had a pre-conceived idea about a role. I thought a single role would be all encompassing and would be used for role based access control (RBAC) or by a provisioning engine to simplify the leaver, mover process.

Well thats part of the story, and a single role is achievable. Most organisations embarking on role management projects have a strategic vision and aim for a single set of enterprice level roles. This may be more of a panacea, a vision to aim for. At the coal face things are slightly more complex.

Fortunatly the Vaau product set is very flexible and offers configuration options to accomodate various types of roles and combination of roles. Further to this, organisations can facilitate a program of certification against these roles, ensuring the right users have the right role allocation, helping to increase security and drive compliance standards.

As they say a picture paints a thousand words, my colleague Hemen Vimadalal built this schematic frame work to help illustrate things. The diffrent role types are clearly visable in light yellow, and a rough guide to the information that may be contained within these role types in blue. (NB it’s not exhaustive)

Worth a look :- roles.pdf

The good thing being that all roads lead to Rome, in the roles case, Rome is enterprise level roles. Regardless of the start point a true role management tool, should be able to integrate in to an organisations IT estate and rapidly deliver business benefits, without the need for an exhaustive change management program.