RBAC Features in Hitachi ID Identity Manager
Identity Manager includes a complete infrastructure for managing user entitlements using role based access control (RBAC).
- Define roles:
Administrators define roles in Identity Manager as collections of:
- Login accounts on specified target systems.
- Membership in groups on target systems.
- Role/entitlement analytics:
Identity Manager includes extensive analytics relating to existing roles, user classes and entitlement assignments. These are intended to support development and ongoing maintenance of a role model:
- Find clusters of users who have shared identity attributes and shared entitlements, as these are potential user classes and roles.
- Identify roles with overlapping entitlements -- should they be merged?
- Identify user classes with materially overlapping user populations -- should they be merged?
- Identify roles with too few users -- perhaps they should be retired.
- Identify roles with too many users -- perhaps they are too coarse-grained.
- Identify users with too many entitlements -- they could cause technical problems on end systems and probably represent high business risk.
- Identify users with too few entitlements -- do they still need access to systems or applications at all?
- Identify entitlements that are included in too many roles -- perhaps they should be attached to a base role, which is then nested into higher level roles.
- Identify entitlements not included in any role -- should they be?
- Identify users not assigned any role -- should they be? Are they members of a large enough community for this to be economical?
- Identify users assigned too many roles -- do they have too many access rights? Do new, higher-level roles have to be defined?
- Do any roles violate SoD policies internally (i.e., entitlements in the role are mutually exclusive)? This can happen when SoD policies are defined after the roles and should be remediated -- illegal combinations should not be so easily requested.
- Which roles have many users that, in turn, have many out-of-role entitlements? How many out-of-role entitlements do users assigned each role have, on average? This suggests either incomplete role definitions (add entitlements) or users that do not fit well into a role model.
- Role hierarchy:
In addition to entitlements on target systems, roles can include other roles. This allows organizations to define:
- Technical roles, consisting of entitlements on target systems.
- Business roles, consisting of other roles.
- Mandatory and optional components:
Roles may contain both mandatory and optional entitlements. Users who are assigned a role will, in general, be assigned all of the mandatory elements in a role. In addition, users who have been assigned a role may request any of its optional components, which will be granted without need for additional approvals.
- Role assignment:
Users can be assigned zero or more roles:
- Some users can be outside the scope of the RBAC infrastructure.
- Other users can be assigned exactly one role, representing their singular job function.
- Still other users can be assigned multiple roles, representing multiple job functions.
- Manual and rule-based assignment:
Roles may be assigned via a request process -- i.e., a requesting user U_q asks that a receiving user U_p be assigned role R_x. Such requests may be subject to policy and human approval before being completed.
Roles can also be assigned automatically, by defining a class of users who should be assigned a given role and associating that class with the role. In this case, both on a batch basis (e.g., every few hours), with a throttle mechanism and as user profiles are altered in a manner that changes their qualification for the user class, roles are automatically assigned or revoked.
- Role-based access requests:
Requests to create new user profiles can specify a role -- either instead of or in addition to other entitlements that the new user should be provisioned.
Requests relating to preexisting users can include role changes. Role changes may cause entitlements to be added, removed or left in place.
- Approved exceptions:
Some users may have a legitimate reason to retain privileges beyond those called for in their assigned roles or may not need all of the privileges in that role. Identity Manager supports users who remain legitimately out of compliance, through approved exceptions to role-based security entitlements.
- Controlled enforcement:
Users can be flagged for role-based access control (RBAC) enforcement. This means that any entitlements they have in violation of their assigned roles -- either too many or too few -- can be detected and automatically remediated.
- Cascading changes to role definitions:
Identity Manager includes an RBAC enforcement engine, which is normally run as batch process every 24 hours. This engine can detect users whose actual security entitlements are out of compliance with the entitlements that their assigned roles predict. This may be because changes were made to their profiles outside of Identity Manager, or because the role's definition has changed.
The RBAC enforcement engine detects non-compliant users and automatically submits workflow change requests to bring users back into compliance.
One of the use cases this supports is cascading role changes: an administrator can change a role's definition and commit the change. On the next automated enforcement run, the RBAC automation engine will automatically submit workflow requests to bring users into compliance with the new role definition. These requests may be auto-approved (depending on Hitachi ID Systems customer policy), which means that they may be applied to target systems immediately.
- Incremental deployment:
It is difficult to enforce RBAC to every user in a large population simultaneously, such that any excess entitlements are automatically removed and any missing entitlements are automatically added. To avoid this, Identity Manager supports gradual activation of users for RBAC enforcement, allowing time to educate users about the new system and troubleshoot errors in the role model for a few users at a time.
- Role-aware access certification:
Identity Manager supports certification of user entitlements at several levels of granularity:
- Fine-grained entitlements assigned to users -- many checkboxes, based on data pulled directly from target systems.
- Roles assigned to users -- fewer checkboxes, representing groups of privileges.
- Approved exceptions to the privileges predicted for a user by policy, where the policy may be role assignment or a segregation of duties rules.
When To Use Roles
It is important to understand that role-based access control (RBAC) is useful for efficient administration and to improve the user friendliness of requests, but is not an effective approach to risk management.
Roles are an excellent way to grant appropriate rights where many users have identical requirements. As one considers users with ever larger scope of authority in an organization, such as executive management, two things happen simultaneously:
- The risk represented by these business users increases. Clearly, the CFO can do much more harm to a company than a sales clerk.
- Users become increasingly unique, which makes the use of roles to govern their access rights less cost effective -- what is the point of defining a role if only one user will be assigned that role?
This means that roles are a useful tool to improve usability of access requests and to automate entitlement assignment and revocation. Roles help manage entitlements that are shared by many users, something that usually happens in low-risk job functions.
Fine-grained roles that are applicable to only a few people are not cost effective, do not help much in managing entitlements and do not lower the access risk posed by the most privileged users.
Other mechanisms -- segregation of duties policy, approvals prior to
granting access, risk scoring and access certification -- are more
appropriate tools for risk management and access governance.