The first step in role- and rule-basing is identifying and prioritizing the enterprise roles. This sets the direction for the entire effort, which – make no mistake – will be time consuming. Doing some thoughtful planning up-front is therefore imperative to ensuring that you don’t start out off-track.

Identifying the roles in the organization is like writing an outline for a book and helps with three things:

  • Determining and documenting departments (similar to defining how many chapters in the book)
  • Understanding which departments need to be addressed first (similar to organizing the chapters into a logical sequence)
  • Defining which roles need to be addressed first within the department (similar to detailing the order of points in each chapter)

Prioritizing Departments

Consider that organizations with many departments and diverse access possibilities it may not be feasible to try to list out all of the enterprise roles in one shot. As mentioned in the introduction, an enterprise role may or may not have a one-to-one correlation with an HR job code, so it’s not as easy as asking the HR team to run a report. It begins with HR data, but then requires conversations with department heads to understand the details of their particular department. In many cases, it requires follow-ups, since the initial conversations develop new ideas – and provide an opportunity to make improvements. Remember, this is an iterative process, not a point-in-time activity.

If there are too many departments for a big-bang approach, start with a prioritized list to identify the most important ones – from an identity management perspective, that is. In this case, “important” boils down to three things (in any combination):

  • High turn-over of users
  • Complexity of access (more complex is higher priority because this is where access granting mistakes get made)
  • Sensitivity of access (i.e., anything that’s likely to be audited; higher sensitivity is higher priority)

How many is too many, you ask? That depends on how many people will be working on this task, how long they have, and how complex the access is. The answer will be different for each organization, and it’s up to you to determine how many is too many in your situation.

Identifying Enterprise Roles

The process of identifying enterprise roles for each department begins with an analysis of the HR report: determine what job codes/titles are already stored in the HR system. This is followed by a working session with each department head. Notice I said working session, not meeting or “send an email.” Take this opportunity to build a relationship with each department head, and help them understand what you’re trying to do. Most will welcome the opportunity to set up roles and rules, because this greatly simplifies the process of requesting access for them (and probably receiving access too) – that’s all good.

There may be some resistance in anticipation of implementing the roles. This is normal (most people resist change); a common concern is people not being able to do their jobs in the transition to the new roles. By building the relationship now, it’s possible to understand and alleviate their angst before implementation begins.

This is also a working session because it will take time to educate the department heads and their direct reports on what needs to be identified. It’ll be hard for them to think of roles in terms of access – there will be vocabulary hang-ups with these individuals just like there were with the HR team. This will be very new and foreign to them, so start slow. Spend some time introducing the idea of role-basing, and helping them understand how it works and why it benefits them. Then engage them in the process of reviewing the HR output and filling in the blanks between HR’s reality and their own.

Identifying the roles with the department heads is only half the battle. After working with the department heads, it’s back to the HR system to figure out how those roles can be represented clearly, accurately, and uniquely. Typically, the HR representation of an enterprise role will be some combination of other factors – like job code + location (if you’re trying to distinguish between a clerk at Store A and a clerk at Store B), job code + manager (if you’re trying to distinguish a finance analyst in Accounts Payable and a finance analyst in Accounts Receivable), or job code + pre-defined rules (which get coded into identity management if there isn’t enough information in HR).

Although this information won’t be truly useful until the role management system is in place, starting to figure this out now will ensure that the roles are all built on the proper foundation for easy upload into the role manager.

It’s also important to start now in case the HR system cannot currently provide the information needed to get to an appropriate level of granularity of roles for access. If the HR system cannot provide the needed information, more research will be necessary:

  • Can the information be pulled from some other source, like the recruiting system?
  • Will a workflow be required to have a manager specify the missing information?
  • Can the HR system be modified to contain more information?

Clearly, if system modifications are needed, it could take some time to get it done.

Prioritizing Enterprise Roles

Some departments are very large, and as such contain a large number of roles. But just as not all departments are created equal from an identity management perspective, not all roles are created equal, either. When faced with too many roles and not enough time, prioritize the roles using the same criteria that were used for prioritizing departments.

In the next article we’ll continue by discussing IT roles.

About the Author Ioana Bazavan Justus

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.