The concept of automated role- or attribute-based provisioning of user accounts and permissions is nothing new in Identity Governance and Administration (IGA). Customers evaluating Identity Governance solutions such as One Identity Manager see the value in dynamic business logic that assigns permissions to people's accounts, whether for governance reasons such as periodic attestation or simply to make provisioning more efficient; both are valid.
In today's market it is a given that an IGA solution will assign role membership automatically from "birthright" attributes, the attributes that originate in the human resources system. One Identity Manager can drive both role-based (RBAC) and attribute-based (ABAC) assignments from this source data.
What is often overlooked in IGA projects, however, is the quality of the data that drives that business logic. In my years in the IGA space I have found it imperative to take a defensive position toward the "wild west" of heterogeneous systems and data in a customer's IT landscape. There is no such thing as a "safe" system, and "garbage in, garbage out" was never so true as in the case of access controls.
For instance, some IGA projects immediately follow a migration such as an Active Directory domain consolidation or a Lotus Notes to Office 365 mail migration. During these projects the question of data integrity naturally arises, and it invariably takes the form "should we migrate this account or mailbox?" My answer is unequivocal: if we cannot identify an owner or validate the veracity of the data, then no. If the data is validated and migrated, the next question becomes "how do we keep the data landscape clean going forward?" We have proven the value of One Identity Manager in exactly this scenario, using automated controls and policies defined within the solution.
Beyond the migration scenario, a common surprise for our customers is the lack of data integrity that shows up once we reconcile entitlements from the key systems that master the relevant attributes into the repository. I have seen it all: missing values, values outside their constraint boundaries, duplicate records, mismatched data types and so on. Business logic that drives role membership (or ABAC provisioning; it makes no difference) from "dirty" incoming attributes or inaccurate target-system account memberships can (read: will) produce inaccurate role membership in the IGA tool and non-compliant provisioning downstream. In the governance case of access review (attestation or recertification), dirty data means people are reviewed against wrong information and audit reports carry inconsistent content, which leads to additional attestation iterations, wasted resources and dollars, and possibly an expensive audit finding.
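To make the point concrete, here is an added example (not One Identity Manager code, and not from the original post) of what a defensive gate in front of birthright-driven assignment looks like: validate each HR record against the constraints its attributes are supposed to satisfy, quarantine the record with a reason if it fails, evaluate the role rules only over records that pass, and flag target-system accounts whose owner cannot be resolved to a validated identity, which is the migration question from above. The HR feed, the account list, the attribute names, the allowed-location set and the rule table are all constructed for the example and are assumptions, not a real schema.

```python
"""Gate birthright-driven role assignment on HR data quality.

Added example; not One Identity Manager code. All data below is constructed.
"""
from collections import Counter

# Constructed HR feed. Records 1004 onward carry the defects discussed in the text:
# missing value, value outside constraint, wrong type, dangling reference, duplicate key.
HR_FEED = [
    {"emp_id": "1001", "dept": "Finance", "location": "LON", "manager_id": None,   "status": "A"},
    {"emp_id": "1002", "dept": "Finance", "location": "LON", "manager_id": "1001", "status": "A"},
    {"emp_id": "1003", "dept": "Sales",   "location": "NYC", "manager_id": "1001", "status": "A"},
    {"emp_id": "1004", "dept": "",        "location": "NYC", "manager_id": "1001", "status": "A"},  # missing dept
    {"emp_id": "1005", "dept": "Finance", "location": "XX",  "manager_id": "1001", "status": "A"},  # bad location
    {"emp_id": 1006,   "dept": "Finance", "location": "LON", "manager_id": "1001", "status": "A"},  # emp_id is int
    {"emp_id": "1007", "dept": "Sales",   "location": "LON", "manager_id": "9999", "status": "A"},  # no such manager
    {"emp_id": "1008", "dept": "Sales",   "location": "LON", "manager_id": "1001", "status": "A"},  # duplicated below
    {"emp_id": "1008", "dept": "Sales",   "location": "LON", "manager_id": "1001", "status": "A"},
]

# Constructed target-system (e.g. AD) accounts, linked to HR by emp_id.
AD_ACCOUNTS = [
    {"sam": "jsmith",  "emp_id": "1001"},
    {"sam": "adoe",    "emp_id": "1002"},
    {"sam": "svc_old", "emp_id": None},    # no owner recorded at all
    {"sam": "bgone",   "emp_id": "2222"},  # owner never existed in HR
    {"sam": "cray",    "emp_id": "1007"},  # owner exists but failed validation
]

ALLOWED_LOCATIONS = {"LON", "NYC", "FRA"}          # assumed constraint boundary
REQUIRED = ("emp_id", "dept", "location", "status")

# Constructed ABAC-style birthright rules: every predicate must match to grant the role.
RULES = [
    ("Finance-Base",    {"dept": "Finance"}),
    ("Sales-Base",      {"dept": "Sales"}),
    ("London-Building", {"location": "LON"}),
]


def validate_feed(feed):
    """Split the feed into (clean_records, rejects); rejects are (record, reasons) pairs."""
    id_counts = Counter(r.get("emp_id") for r in feed)
    known_ids = {r["emp_id"] for r in feed if isinstance(r.get("emp_id"), str)}
    clean, rejects = [], []
    for rec in feed:
        reasons = []
        for f in REQUIRED:                                # missing values
            if rec.get(f) in (None, ""):
                reasons.append(f"missing {f}")
        if not isinstance(rec.get("emp_id"), str):        # mismatched type
            reasons.append("emp_id not a string")
        elif id_counts[rec["emp_id"]] > 1:                # duplicate key: reject every copy,
            reasons.append("duplicate emp_id")            # since we cannot tell which is right
        loc = rec.get("location")
        if loc and loc not in ALLOWED_LOCATIONS:          # outside constraint boundary
            reasons.append(f"location {loc!r} outside allowed set")
        mgr = rec.get("manager_id")
        if mgr is not None and mgr not in known_ids:      # dangling reference
            reasons.append(f"manager_id {mgr!r} does not resolve")
        if reasons:
            rejects.append((rec, reasons))
        else:
            clean.append(rec)
    return clean, rejects


def assign_roles(records):
    """Evaluate the birthright rules, but only over records that passed validation."""
    return {
        rec["emp_id"]: sorted(role for role, pred in RULES
                              if all(rec.get(k) == v for k, v in pred.items()))
        for rec in records
    }


def orphan_accounts(accounts, clean_records):
    """Accounts whose owner is not a validated HR identity: do not migrate, do not provision."""
    owners = {r["emp_id"] for r in clean_records}
    return [a["sam"] for a in accounts if a.get("emp_id") not in owners]


if __name__ == "__main__":
    clean, rejects = validate_feed(HR_FEED)
    for rec, reasons in rejects:
        print("QUARANTINE", rec.get("emp_id"), "|", "; ".join(reasons))
    for emp, roles in assign_roles(clean).items():
        print("ASSIGN", emp, roles)
    print("NO VALID OWNER", orphan_accounts(AD_ACCOUNTS, clean))
```

The gate rejects both copies of a duplicated key rather than picking one, and an account whose owner exists in HR but failed validation is treated exactly like an account with no owner; both choices follow the "if we can't validate it, then no" rule rather than guessing.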
Continuing the theme of dirty data and its influence, consider the creation of business roles. Customers often ask about role mining as a technique to jump-start an RBAC initiative. The same caution applies: garbage in will result in garbage out. This is where opening your Identity Governance program with a round of access review (attestation) helps. Performing the attestation review with One Identity Manager gives you a level of certainty about the data quality in your target systems. Involving the business owners in this review is critical, and presenting the line of business with an easy-to-understand, business-friendly experience for attesting to a person's access underpins the whole process. If you are starting from scratch, the initial access review will be more involved than the follow-up reviews. One Identity Manager can create realistically sized work buckets for business owners using many different techniques: risk-based, system-based, by job description, reporting manager, location, cost center and more. And because the provisioning and governance engines are built natively into the same solution (no after-market acquisition integration here), any inaccuracies the business owners find during the review can be corrected quickly once final approval has been granted.
So there you have it: an initial access review of the key user populations for the strategically important target systems has been performed. The line of business has given its blessing, and activities such as role mining can take place with confidence that the candidate business roles are derived from a reviewed data set.
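As an added example (not the product's role-mining feature, and not code from the original post), the following mines one candidate role per department from reviewed entitlement data and contrasts it with the same mining run over raw, unreviewed membership, to show why the review comes first. The review records, the decision values ("approved", "denied", "pending") and the coverage threshold are constructed assumptions.

```python
"""Mine candidate business roles from attested entitlements only.

Added example; not One Identity Manager's role mining. All data below is constructed.
"""
from collections import defaultdict

# Constructed attestation results: (user, department, entitlement, reviewer decision).
# u1 and u2 carry a stale admin right that the business owner denied; u3 has one
# entitlement the reviewer has not decided yet.
REVIEWED = [
    ("u1", "Finance", "SAP_FI_Display",       "approved"),
    ("u1", "Finance", "SAP_FI_Post",          "approved"),
    ("u1", "Finance", "Share_FinanceReports", "approved"),
    ("u1", "Finance", "DomainAdmins",         "denied"),
    ("u2", "Finance", "SAP_FI_Display",       "approved"),
    ("u2", "Finance", "SAP_FI_Post",          "approved"),
    ("u2", "Finance", "Share_FinanceReports", "approved"),
    ("u2", "Finance", "DomainAdmins",         "denied"),
    ("u3", "Finance", "SAP_FI_Display",       "approved"),
    ("u3", "Finance", "Share_FinanceReports", "approved"),
    ("u3", "Finance", "SAP_FI_Post",          "pending"),
    ("u4", "Sales",   "CRM_User",             "approved"),
    ("u5", "Sales",   "CRM_User",             "approved"),
    ("u5", "Sales",   "SAP_FI_Display",       "denied"),
]


def entitlements_by_user(reviewed, trust_review=True):
    """Map user -> (dept, set of entitlements).

    With trust_review, only rows the reviewer approved count as held; pending and
    denied rows are excluded. Without it, raw target-system membership is taken as-is,
    which is what mining straight from a dirty reconciliation amounts to.
    """
    held = {}
    for user, dept, ent, decision in reviewed:
        _, ents = held.setdefault(user, (dept, set()))
        if not trust_review or decision == "approved":
            ents.add(ent)
    return held


def mine_roles(reviewed, trust_review=True, min_users=2, min_coverage=0.66):
    """Candidate role per department: entitlements held by at least min_coverage of the
    department's users and by at least min_users users in absolute terms."""
    by_dept = defaultdict(list)
    for _, (dept, ents) in entitlements_by_user(reviewed, trust_review).items():
        by_dept[dept].append(ents)
    candidates = {}
    for dept, member_sets in by_dept.items():
        n = len(member_sets)
        counts = defaultdict(int)
        for ents in member_sets:
            for e in ents:
                counts[e] += 1
        core = sorted(e for e, c in counts.items()
                      if c >= min_users and c / n >= min_coverage)
        if core:
            candidates[dept] = {"members": n, "entitlements": core}
    return candidates


if __name__ == "__main__":
    print("attested:", mine_roles(REVIEWED))
    print("raw     :", mine_roles(REVIEWED, trust_review=False))
```

Run over the raw membership the Finance candidate role picks up DomainAdmins, because two of three Finance users still hold it in the target system; run over the attested data that entitlement drops out, and the pending row for u3 neither counts for nor against SAP_FI_Post. The threshold is deliberately a parameter: which coverage level turns a shared entitlement into a role is a business decision, not something the data decides on its own.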
One Identity Manager helps mitigate such data quality issues with features such as Company Policies and Attestation. Out of the box, Identity Manager provides policies that monitor data quality within a single system or across many systems. Any exceptions are presented to business or system owners through the IT Shop web interface and can be handled with full auditing and reporting. Just another example of One Identity Manager providing value to customers' IGA initiatives, whether governance or provisioning, RBAC or ABAC... just be wary of the data that's already out there.