The Do’s and Do Not’s of Role Management & Mining with Aveksa
My last blog post about Role Based Access Control (RBAC) had to do with Role Mining specifically around techniques used in larger firms.
Recently, I’ve been working with Aveksa Compliance Manager (ACM) to develop roles for an up-coming certification and I have a few thoughts to share:
Have a good understanding of your data, or find somebody that does. ACM gives you so much flexibility that unless you have a firm grasp on your data, you will not chose the right path.
ACM breaks down roles into three distinct categories
DRAW out how you want these to be used first (see recommendations below).
Configure ACM to work within the constraints developed in Step #2. (Roles -> Configuration). This interface will allow you to configure Global, Business and Technical Roles and their membership constraints.
Now that you have made sense of your data and configured ACM to work within the boundaries of your Role Model, you can start creating or generating roles!
As I indicated above, I have some recommendations for you (not in any particular order):
Group collected entitlements into Technical Roles. DO NOT add members to your Technical Roles.
Create a Technical Role for any entitlement that you want to manage separately. In other words, if you want to create a Technical Role for Active
Directory Administrators, great, but if you want to manage Schema Admins and Domain Admins separately then these should be in different Roles.
Users will request access using the Business Role Name, so create Business Roles using names that make sense to Business users.
Along those same lines, don’t rely on your glossary to make up for your cryptic naming conventions.
Create a customer User View (Requests -> Configuration -> User Views)which lists all Business Roles when users request access.
When role mining, DO NOT create roles based on an attribute (say Department) for a large set of data without testing with a few departments first as roles can only be deleted one at a time!
Backup your database before you do any of this (this applies to all vendor tools btw, you will thank me for this later).
There’s probably 50 other things that I have learned in my RBAC travels; I’d love to share them with you and ensure that your ACM project is successful.