Best Practice Role Management Methodologies

When developing roles within an organization, it is important to select the proper role management methodology in advance, both for your project and for ongoing operations once your roles are ready to go live.

There are two approaches that can be used when developing access roles for a company or organization:

  • Top down – This approach uses a pre-defined method of organizing user access based upon a known or developed plan. An example of this would be: defining user access based upon job function and the access that job requires as the method of organizing people into roles.
  • Bottom up – With this approach you examine what access people currently have and assign roles based upon the rights those users have. An example of this would be: discovering what rights all people (or a group of people) have and selecting common access rights for the role being developed.

Both of these approaches have merits (+) and drawbacks (–) associated with their use:

Top down

+  Most effective and comprehensive method of role development

+  Aligns access rights and compliance with business goals

–  Requires business and organizational understanding of access rights at the site 

–  Requires significant time in role development before implementation 

–  Often difficult to quantify all role assignments and proper access 

–  Complexity often leads to failed role development or getting “stuck in the weeds”


Bottom up

+  Quick role development

–  Highly difficult to quantify specific access rights for the roles developed 

–  Requires access and mining of specific access data 

–  Difficult to align business objectives and compliance with developed roles

It has been my experience that a hybrid approach using the following methodology will make a role discovery project successful:

  • Top + Bottom Role discovery – This method uses one or more business or organizational top down role methods and follows with a bottom up approach for discovery and verification. An example of this would be: take employees' job codes as the basis for role creation and locate the access rights associated with the job codes. Use manual or campaign determination of proper access rights for the roles developed.
  • 80 / 20 Rule – The goal should not be to develop roles for every person at the company or organization. The goal is to provide the most role value by locating access right combinations that cover the majority of individuals. Implement these effective roles quickly. Address the exception or difficult to quantify roles later (or when possible). For example: CEO is not a role, it is a unique job function or more accurately an “exception role”.
  • Phased approach – It has been my experience that role implementation encompassing the entire organization often fails due to the time and complexity required to complete it. Political and/or procedural roadblocks appear, access endpoints are added, and questions about role function or purpose arise. You should implement roles across focused areas of the company or organization where goals are well understood and attainable.
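
The top + bottom discovery and the 80 / 20 rule described above, as an added example that is not part of the original post: job codes supply the top down grouping, and an access right joins the candidate role only when at least 80% of the people in that job code already hold it. The user records, entitlement names, the 80% threshold and the `min_members` cutoff are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, job code, entitlements currently held).
USERS = [
    ("alice", "AP_CLERK", {"mail", "erp:invoice_read", "erp:invoice_create"}),
    ("bob",   "AP_CLERK", {"mail", "erp:invoice_read", "erp:invoice_create"}),
    ("carol", "AP_CLERK", {"mail", "erp:invoice_read", "erp:invoice_create",
                           "erp:vendor_admin"}),
    ("dave",  "AP_CLERK", {"mail", "erp:invoice_read"}),
    ("heidi", "AP_CLERK", {"mail", "erp:invoice_read", "erp:invoice_create"}),
    ("erin",  "HELPDESK", {"mail", "ticket:write", "ad:reset_password"}),
    ("frank", "HELPDESK", {"mail", "ticket:write", "ad:reset_password",
                           "ad:domain_admin"}),
    ("grace", "CEO",      {"mail", "erp:invoice_read", "board:portal"}),
]

def discover_roles(users, threshold_pct=80, min_members=2):
    """Return (roles, review, exceptions) for a list of user records."""
    # Top down: the job code decides which candidate role a user belongs to.
    groups = defaultdict(dict)
    for name, job_code, entitlements in users:
        groups[job_code][name] = set(entitlements)

    roles, review, exceptions = {}, {}, []
    for job_code, members in groups.items():
        if len(members) < min_members:
            # One-off job functions (the "CEO" case) are exception roles.
            exceptions.extend(sorted(members))
            continue
        # Bottom up: keep rights held by at least threshold_pct of the group.
        held = Counter(e for ents in members.values() for e in ents)
        role = {e for e, n in held.items()
                if n * 100 >= threshold_pct * len(members)}
        roles[job_code] = role
        # Differences go to manual or campaign review, not into the role.
        for name, ents in members.items():
            if ents != role:
                review[name] = {"extra": ents - role, "missing": role - ents}
    return roles, review, exceptions

def coverage_pct(users, exceptions):
    """Share of users placed in a discovered role (the 80 / 20 target)."""
    return 100 * (len(users) - len(exceptions)) / len(users)

if __name__ == "__main__":
    roles, review, exceptions = discover_roles(USERS)
    print(roles, review, exceptions, coverage_pct(USERS, exceptions), sep="\n")
```

Rights that fall below the threshold, such as the single `ad:domain_admin` holder in the sample, stay out of the role and land in the review list for manual or campaign determination.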

