Most companies on the verge of an identity and access management project face the challenge of mining roles to determine appropriate access for their workers. Even if an organization is not planning to implement a complete role-based access control (RBAC) model, it should still identify some set of core birthright entitlements that can be assigned to a new hire. In many situations, this at least means finding entitlements that apply to every user, or common entitlements at a division level.
Role mining, however, is not a simple task to undertake if it is attempted via manual processes. The sheer number of entitlements and volume of unique positions makes a manual role mining effort almost impossible. Analyzing this type of data in spreadsheets would take a considerable amount of time and is prone to errors. The only efficient way to have a successful role mining initiative is to leverage software that analyzes the data for you to determine the roles and corresponding access entitlements.
Regardless of whether you are using sophisticated software or manual role mining approaches, it is important to think logically throughout the process. Making assumptions about HR, directory and entitlement data can truly derail your efforts. Some key things to think about include:
- Based on your HR and/or directory data, determine what data points actually constitute a role. In some organizations, this could simply be the "Title" field of the identity. However, in many other organizations an additional attribute may need to be applied to define the role. Location is one example that is fairly common. For instance, an Accountant in Chicago may have different access rights than an Accountant based in San Francisco. In this scenario, you would need to account for both Location and Title during the role mining efforts.
- Never assume current entitlement assignments are accurate. When you start looking at existing user access entitlements, do not assume that their current access is actually appropriate access. If workers have been at an organization for years, they may have accumulated excess rights that are no longer needed. Your role mining effort, therefore, needs to incorporate analytics to identify similarities of access rights within roles as well as identify excessive access rights of certain users within those roles.
- If your HR organization processes are immature, you might want to take a step back and focus on solving underlying data problems with the HR data first. In order to "mine" user and entitlement data, there must be some standards in place around the identity data you are mining. For instance, if every Sales Rep in your organization has a completely different title in both HR and in the user directories, you either need to have a mapping system in place to correlate different titles into a single role or the source data needs to be corrected. Spend time up front to understand whether your directory and HR data is in a suitable state to even allow you to pursue role mining analytics.
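The three points above describe one procedure: build a role key from HR attributes (Title plus Location where needed), normalize inconsistent titles through a mapping, find the entitlements shared by members of each role, and flag rights that individual members hold beyond that core. The following Python is an added example of that procedure, not code from the article or from any Avatier product; the HR records, entitlement sets, title mapping and threshold values are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample HR feed (not from the article): one record per worker.
HR = [
    {"user": "alice", "title": "Accountant", "location": "Chicago", "division": "Finance"},
    {"user": "bob",   "title": "Accountant", "location": "Chicago", "division": "Finance"},
    {"user": "carol", "title": "Accountant", "location": "San Francisco", "division": "Finance"},
    {"user": "dave",  "title": "Accountant", "location": "San Francisco", "division": "Finance"},
    {"user": "erin",  "title": "Sales Rep", "location": "Chicago", "division": "Sales"},
    {"user": "frank", "title": "Sales Representative", "location": "Chicago", "division": "Sales"},
    {"user": "grace", "title": "Account Executive", "location": "Chicago", "division": "Sales"},
]

# Constructed current entitlement assignments, including two accumulated rights
# (bob's payroll-admin, grace's gl-read) that the mining should surface as excess.
ENTITLEMENTS = {
    "alice": {"email", "vpn", "gl-read", "ap-approve", "chi-badge"},
    "bob":   {"email", "vpn", "gl-read", "ap-approve", "chi-badge", "payroll-admin"},
    "carol": {"email", "vpn", "gl-read", "sf-badge"},
    "dave":  {"email", "vpn", "gl-read", "sf-badge"},
    "erin":  {"email", "vpn", "crm-edit", "chi-badge"},
    "frank": {"email", "vpn", "crm-edit", "chi-badge"},
    "grace": {"email", "vpn", "crm-edit", "chi-badge", "gl-read"},
}

# Assumed title mapping: the "mapping system" that correlates differing HR titles
# into a single canonical role name.
TITLE_MAP = {
    "Sales Rep": "Sales Rep",
    "Sales Representative": "Sales Rep",
    "Account Executive": "Sales Rep",
}


def canonical_title(title):
    """Return the canonical role title, or the title unchanged if unmapped."""
    return TITLE_MAP.get(title, title)


def role_key(record, attrs=("title", "location")):
    """Build the role key from the chosen HR attributes, normalizing the title."""
    return tuple(canonical_title(record[a]) if a == "title" else record[a] for a in attrs)


def group_by_role(hr, attrs=("title", "location")):
    """Map each role key to the list of users that share it."""
    groups = defaultdict(list)
    for rec in hr:
        groups[role_key(rec, attrs)].append(rec["user"])
    return dict(groups)


def common_entitlements(users, entitlements, threshold=1.0):
    """Entitlements held by at least `threshold` (fraction) of the given users."""
    counts = Counter()
    for u in users:
        counts.update(entitlements.get(u, set()))
    needed = threshold * len(users)
    return {e for e, c in counts.items() if c >= needed}


def mine_roles(hr, entitlements, attrs=("title", "location"), threshold=0.8, min_members=2):
    """Return (birthright, role_entitlements, excess).

    birthright: entitlements every worker holds (global birthright candidates).
    role_entitlements: per role key, entitlements held by >= threshold of its members,
                       with birthright removed so each role lists only what it adds.
    excess: per user, rights outside both the birthright set and their role's core,
            i.e. candidates for review rather than automatic removal.
    Roles with fewer than min_members are skipped: a one-person "role" would simply
    copy that person's current access, excess included.
    """
    all_users = [r["user"] for r in hr]
    birthright = common_entitlements(all_users, entitlements, 1.0)
    role_ents, excess = {}, {}
    for key, users in group_by_role(hr, attrs).items():
        if len(users) < min_members:
            continue
        core = common_entitlements(users, entitlements, threshold)
        role_ents[key] = core - birthright
        for u in users:
            extra = entitlements.get(u, set()) - core - birthright
            if extra:
                excess[u] = extra
    return birthright, role_ents, excess


if __name__ == "__main__":
    birthright, roles, excess = mine_roles(HR, ENTITLEMENTS)
    print("birthright:", sorted(birthright))
    for key, ents in roles.items():
        print("role", key, "->", sorted(ents))
    print("excess for review:", excess)
```

Running the block groups the three differently-titled sales workers into one role, identifies email and VPN as global birthright, derives Chicago and San Francisco accountant roles that differ only in their badge entitlement, and flags bob's payroll-admin and grace's gl-read as rights outside their roles. Passing `attrs=("division",)` instead of the default repeats the analysis at division level, which is the coarser cut the opening paragraph describes. The threshold below 1.0 keeps one worker's missing entitlement from dropping a right out of the role; the flagged excess is a review queue, since some of it may be legitimately approved exceptions.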
Addressing the items above is important, but utilizing software tools such as Avatier’s Role Mining software can make the entire effort much less painful and more accurate. Would you rather sift through and compare the entitlement data of 20 different Financial Analysts via spreadsheets, or simply choose Financial Analysts from a drop-down list and click submit to get your answers? Utilizing software and services from an identity and access management leader ultimately saves time and money.