How do I prepare for an RBAC Program?

January 28, 2026

What can I do to prepare for an Access Consolidation Project? (Part 1, The Technical Part)

Professional chefs don’t prepare their ingredients as they cook. They prepare them in advance and then cook. It’s a concept called “Mise En Place”, and it allows them to focus on the task at hand when they’re cooking. You can cook without doing it, but once you’ve done it you won’t go back. It’s easier to add a diced onion when you need it if you’ve already diced it. An Access Consolidation project is no different: you don’t have to do these steps in advance, but if you do you’ll set yourself up for success.


1. Bring as much access data and its provisioning as you can into your IAM system


Automating the provisioning of access is a task that is best performed in an IAM system. Sure, you could leave it up to the legacy scripts and rules built into downstream applications, but your organization will benefit in the long run from having a single tool and a single team to deal with when they need to resolve access issues. If you're in charge of an IAM program, you will be the person that people come to for access issues regardless of whether the access is being managed by you and your team or not. Move it in.

There's also a mathematical reason to move the access into your IAM system: so it can be included in an Access Consolidation Item. The more access you can put into an item, the more work it will eliminate. Your goal for this should be to put as much access into as few items as possible.


2. Bring as much relevant identity data as you can into your IAM system


Access Consolidation requires information about the identities it is providing access for. You can't assign a role for a bank teller, use a doctor-patient relationship for FGA or authorize access for security personnel if you don't have the relevant information about the identities that you're trying to provide the access to. If your IAM system was configured by a third party, there's a good chance they didn't bother to include all relevant identity information. In this case, relevant means any information, almost always from an HR system of record, that describes the work a person does, including how they do it, why they do it and where (both physically and in an organization) they do it. You don't need everything from HR. You will not need identity information that isn't relevant to a person's work (no telephone numbers, social security numbers or emergency contacts), and you're certainly better off not having that information in your IAM system. What you will want are things like Job Title, Work Location, Division, Department or Team. Not every organization has all of those, and there might be more that are relevant. If you're unsure, reach out and I'll happily tell you what's relevant.


3. Clean up that Identity Data as much as you can


There have been a lot of posts on LinkedIn recently bemoaning the fact that Identity teams are downstream of producers of bad identity data. I have some unfortunate news for you: you're going to want to clean up that "bad identity data" (e.g. meaningless job titles, organizational elements that aren't at all organized, personal identifiers that aren't static) as much as possible. It might seem unfair, but you are the only team in your company that can do anything about this, because you're the only team in your company that can see it as an issue. Some of this you can handle within your own organization, such as normalizing job titles within your own tools, assigning unique personal identifiers or deriving an actual organization from a management hierarchy. Do what you can.
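Two of the clean-ups named above, normalizing job titles and deriving an organization from a management hierarchy, as an added example that is not part of the original post. The HR records, the abbreviation table and the choice of "the manager one level below the top" as the org unit are assumptions made for illustration.

```python
import re

# Constructed HR extract: employee id -> (raw job title, manager id or None).
HR = {
    "1001": ("Chief Executive Officer", None),
    "1002": ("VP, Retail Banking", "1001"),
    "1003": ("VP Operations", "1001"),
    "1004": ("Branch Mgr.", "1002"),
    "1005": ("Sr. Teller II", "1004"),
    "1006": ("teller  (PT)", "1004"),
    "1007": ("Ops Analyst", "1003"),
    "1008": ("Contractor", "9999"),  # manager is missing from the extract
}
# Assumed rules; build the real table by reviewing your own HR titles.
ABBREVIATIONS = {"sr": "senior", "mgr": "manager", "ops": "operations",
                 "vp": "vice president"}
GRADES = {"i", "ii", "iii", "iv"}

def normalize_title(raw):
    """Lower-case, drop bracketed notes and a trailing grade, expand abbreviations."""
    words = re.findall(r"[a-z]+", re.sub(r"\(.*?\)", " ", raw.lower()))
    if len(words) > 1 and words[-1] in GRADES:
        words.pop()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def path_from_top(emp_id, hr):
    """Follow manager links upward and return [top, ..., emp_id].
    Returns None if the chain hits a manager absent from the extract or loops."""
    path, current = [], emp_id
    while current is not None:
        if current not in hr or current in path:
            return None
        path.append(current)
        current = hr[current][1]
    return path[::-1]

def derive_org(hr, level=1):
    """Org unit = the manager `level` steps below the top of each person's chain."""
    orgs = {}
    for emp_id in hr:
        path = path_from_top(emp_id, hr)
        orgs[emp_id] = None if path is None else path[min(level, len(path) - 1)]
    return orgs

if __name__ == "__main__":
    orgs = derive_org(HR)
    for emp_id, (title, _) in HR.items():
        print(emp_id, normalize_title(title), orgs[emp_id] or "UNRESOLVED")
```

Records that come back unresolved are the ones to fix at the source or by hand, rather than letting them fall into a default organization.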


4. Make an effort to clean up your access


Access Consolidation depends on statistics based on relationships between Identity Data and Access. The closer your access is to correct within your organization, the more accurate the Access Consolidation calculations will be. Perfection isn't necessary, but ideally your organization will have conducted at least an access certification and removed any obviously unnecessary access prior to attempting RBAC. If you know you have vestigial access remaining in your IAM system from failed application onboarding, decommissioned applications, pieces of your organization that have been divested or, the single most likely candidate, a long-neglected AD system, you'll want to remove as much of it as possible.


5. Make an effort to clean up your access metadata


Your IAM team will have to review your organization's access with other members of the organization. They will need to make decisions about whether or not to include that access in the Access Consolidation Items intended for their people. This will be a lot easier if that access includes a name that's written for a human instead of for a computer. A DN is not human legible. Access owners, security levels and indicators of additional legal scrutiny may all be appropriate for your access. Access Consolidation Item creation will need all of those, and the creation process will go smoother if they are in place prior to kickoff of an Access Consolidation Project.
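A pre-kickoff check covering both the access clean-up and the access metadata steps above, as an added example that is not part of the original post. It assumes the statistic of interest is the share of people with a given job title who hold each entitlement; the post does not specify the calculation, and all identities, entitlements, applications and owners here are constructed.

```python
import re
from collections import Counter

# Constructed sample data; every name below is invented for illustration.
IDENTITIES = {"e1": "teller", "e2": "teller", "e3": "teller", "e4": "teller"}
CATALOG = {  # entitlement id -> metadata as held in the IAM system
    "corebank-teller": {"app": "corebank", "name": "Teller workstation", "owner": "retail-ops"},
    "crm-user": {"app": "oldcrm", "name": "CRM user", "owner": "sales"},
    "grp-0417": {"app": "ad", "name": "CN=GRP_0417,OU=Legacy,DC=corp,DC=example", "owner": None},
}
DECOMMISSIONED = {"oldcrm"}  # applications that no longer exist
ASSIGNMENTS = [("e1", "corebank-teller"), ("e2", "corebank-teller"),
               ("e3", "corebank-teller"), ("e4", "corebank-teller"),
               ("e1", "crm-user"), ("e2", "crm-user"), ("e3", "crm-user"),
               ("e4", "grp-0417")]
DN = re.compile(r"^\s*(cn|ou|dc|uid)=[^,]+(,\s*(cn|ou|dc|uid)=[^,]+)+$", re.I)

def prevalence(identities, assignments):
    """Share of each job title's people who hold each entitlement (assumed statistic)."""
    headcount = Counter(identities.values())
    held = Counter((identities[i], e) for i, e in set(assignments) if i in identities)
    return {key: n / headcount[key[0]] for key, n in held.items()}

def audit(catalog, decommissioned):
    """Return {entitlement: [findings]} for access to fix before kickoff."""
    findings = {}
    for ent, meta in catalog.items():
        issues = []
        if meta["app"] in decommissioned:
            issues.append("vestigial: application decommissioned")
        if DN.match(meta["name"]):
            issues.append("metadata: name is a DN")
        if not meta["owner"]:
            issues.append("metadata: no owner")
        if issues:
            findings[ent] = issues
    return findings

def drop_vestigial(assignments, findings):
    """Remove assignments of entitlements that carry a 'vestigial' finding."""
    stale = {e for e, issues in findings.items()
             if any(i.startswith("vestigial") for i in issues)}
    return [(i, e) for i, e in assignments if e not in stale]

if __name__ == "__main__":
    report = audit(CATALOG, DECOMMISSIONED)
    print(report)
    print(prevalence(IDENTITIES, ASSIGNMENTS))  # crm-user held by 0.75 of tellers
    print(prevalence(IDENTITIES, drop_vestigial(ASSIGNMENTS, report)))
```

In the sample, access to a decommissioned application is still held by three of four tellers, so it would look like a strong candidate for a teller item until it is removed.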


Everything that I have written above is optional. You don't need to do any of it, and I have run successful Access Consolidation Projects with organizations that have done none of them. They all would have been finished a lot sooner, though, if that work had been done in advance. If you're unsure if your organization is ready for an Access Consolidation Project and would like an expert’s opinion on what to do to prepare for one, reach out and we'll be happy to schedule a short, no-cost consultation to figure out what you need to do to get ready for one.

