Role management projects are sometimes described as too complex. Yes, there are projects which failed due to their complexity. On the other hand, a recent Kuppinger Cole report based on a survey proves that the average number of business roles is relatively small. In addition, the complexity of role models for specific system environments (even SAP) is manageable. Thus, defining and implementing role models with multiple layers can be done, and it can be lean.
The keys, from my perspective, are the use of multiple clearly defined, separate layers of roles, defined responsibilities for roles within a role lifecycle management approach, and a separation of the overall project into different projects for business roles, IT-functional roles and the role models of different systems. There are some other best practices. In any case, it is obvious that managing a few hundred or, at the system level, in some cases even a few thousand roles is much easier than managing all the single entitlements at the system level we are dealing with today. Role management can be lean. And you can learn more about this in a webinar we will hold tomorrow together with some of the vendors in the role management market.
By the way: the emerging market of vendors with strong role management capabilities underlines that role management isn't too complex. There are many vendors out there that have successfully deployed role management implementations, either as part of specific role management products or as part of their GRC or IAM products.

There are some practical aspects of role manager that I do not see discussed, and I would be interested to hear input regarding how enterprise single sign-on deployments can assist. Once an eSSO deployment has had the time to incubate, we can glean valuable information as to who accessed what, when, how and even where. With this data, organizations can correlate access versus purported role and group access rights to either validate or invalidate authorization to relevant applications and data. Implementing this practice as an ongoing process would give a role management project additional checkpoints.
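
The correlation described in the comment above, as an added example that is not part of the original post or comment: observed eSSO access is compared with the access each user's roles grant, reporting access no role explains and role-granted applications that go unused. The role model, user assignments, log format and 90-day review window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role model: business role -> applications it grants (assumption).
ROLE_APPS = {
    "accounts_payable": {"sap_fi", "invoice_portal"},
    "hr_generalist": {"hr_suite", "payroll"},
}
# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"accounts_payable"},
    "bob": {"hr_generalist"},
    "carol": {"accounts_payable", "hr_generalist"},
}
# Constructed eSSO access log: (user, application, ISO timestamp).
SSO_LOG = [
    ("alice", "sap_fi", "2024-03-01T09:12:00"),
    ("alice", "invoice_portal", "2024-03-02T10:00:00"),
    ("alice", "payroll", "2024-03-05T23:41:00"),
    ("bob", "hr_suite", "2024-03-03T08:30:00"),
    ("bob", "payroll", "2023-11-20T08:30:00"),
    ("carol", "sap_fi", "2024-03-04T14:05:00"),
]

def correlate(log, user_roles, role_apps, as_of, window_days=90):
    """Compare observed SSO access with role-granted access.

    Returns (outside_role, unused): accesses that no assigned role explains,
    and role-granted applications with no access inside the review window.
    """
    cutoff = as_of - timedelta(days=window_days)
    # Effective entitlement per user is the union over all assigned roles.
    granted = {u: set().union(*(role_apps[r] for r in roles))
               for u, roles in user_roles.items()}
    recent = defaultdict(set)
    outside_role = []
    for user, app, ts in log:
        if app not in granted.get(user, set()):
            outside_role.append((user, app, ts))   # candidate invalid authorization
        elif datetime.fromisoformat(ts) >= cutoff:
            recent[user].add(app)                  # entitlement confirmed by use
    unused = {u: sorted(apps - recent[u])
              for u, apps in granted.items() if apps - recent[u]}
    return sorted(outside_role), unused
```

Run on a schedule, the first result feeds access investigation and the second feeds role pruning during recertification.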