Once all of the roles are defined, itâ€™s time to document them and obtain approval for their use. Weâ€™re now past the point where the distinction between enterprise and IT roles matters, so in this segment I go back to the generic term, â€œrole.â€
Documentation and approval
Once testing is complete, the final roles should be clearly documented. This defines which permissions apply to which IT roles, and which IT roles apply to which enterprise roles. It is important to make sure the documentation is clear and detailed, leaving no question as to what is or isnâ€™t included in a given role, all the way down to the granular permission level. Documenting roles in visual ways such as matrices is encouraged. In the case of rules, consider documenting the decision process as a flowchart.
Initially, roles may be captured in a spreadsheet, but that spreadsheet may quickly get very large and unwieldy. In the absence of a role management system, consider setting up a simple database to store the information.
This is where normalization becomes important.
Itâ€™s best to define IT roles as the lowest common denominator, and build out from there. For example, there might be two levels of accounts payable clerk â€“ junior and senior. The junior level gets the basic access needed for that job function. The senior level gets the junior access plus some extra. This reduces role maintenance over time because if there is a change in the basic level access permissions, it only has to be changed in one role instead of two. This also explains why some enterprise roles will have more than one IT role on a given system.
When the documentation is complete, it is important to circle back and get approval of the roles from the appropriate parties â€“ the department head(s) and/or the system owner(s). Consider this part of the running dialogue and relationship building that is essential to success of this process. This can be used as pre-approval when applying the access to new users in the future â€“ since the access was already approved for the job function, as long as the correct role(s) are applied to the user, re-approval from the department head or system owner for each individual userâ€™s request is not needed, shortening the delivery time for obtaining access, and also saving approvers time ongoing. Conveniently, this practice is also acceptable to auditors.
In the final segment, weâ€™ll wrap up the monthâ€™s activity with implementing the roles and doing a cleanup of extraneous access.