How Many Roles Should I Build?
The answer is in your data, but there are bounds.
This is the second most common question I'm asked, and a close relative of "What Roles Should I Build?". Sometimes it comes with contextual information like "If I had 10,000 employees" or "We just want birthrights" (which is a wildly overloaded term worthy of its own post). The motivation is clear: the desire to know in advance how much a thing will cost, what it will take to maintain it and what value it will return is all tied up in this surprisingly simple question.
The short, and likely infuriating, answer is: "Build as many roles as add value to your organization." The reason this question is infuriating is that you do not know how many that is. If you did, you would not be asking the first question. Do not be alarmed by this; it is not a question for intuition and you have not been taught how to determine it. The answer, which will surprise no one who's been following along, is in your data. A formal mathematical evaluation of the relationship between your identities and their access needs to be conducted to determine which potential roles could add value to your organization. Those are the roles, from those with the greatest potential value to the least, that should be created.
Potential roles that do not add value, because they have too few people or too little access in common, should not be built. Failing to make this determination prior to role creation is the source of the dreaded "Role Explosion", a term meaning an overabundance of roles that aren't adding any value to the organization. This might seem like a trite observation, but the way you avoid building too many roles that don't add value is by not building them. In many cases the automated role creation tools that come with IAM solutions will happily create those value-less roles. They should not be used without making your own evaluation first.
The answers above are still unlikely to satisfy; without your Identity and Access data the best I can do is set some boundaries on the problem space and describe the effort required, which is driven by the number of roles.
The boundaries on the number are simple; the lower bound is zero. There are organizations that will not benefit from a roles program. If there is no discernible relationship between a population's access and their jobs, then there's nothing useful to build a role on. This is a rare edge case, but I've seen it in two instances. The first was a company that was clearly in crisis: it had never formally captured its organizational hierarchy beyond reporting, no divisions, no departments, etc. While the situation was salvageable, it first required an organization generation effort (it would be too generous to call it a re-org, since it had never org'd in the first place) to delineate responsibilities and reporting structures beyond simply "who manages who". The second example was an organization that was so young, effectively a startup, that everyone wore multiple hats, meaning there was no relationship between any identity attributes and the access a person had, typically because everyone had access to nearly everything.
The upper boundary on role creation is only slightly more complex, and it's based on a pretty simple calculation: it is an order of magnitude more effort to create and maintain a role than it is to request and review access for a person. Since roles that cost more than reviewing a person's access don't add value, they should not be created. The maximum number of roles that should exist within an organization should therefore be at least an order of magnitude less than the number of identities under management. If you have a hundred people, you should have no more than ten roles. Most organizations' ideal role models are significantly smaller than that.
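To make the evaluation described above concrete (the value test from the earlier paragraphs and the identities/10 cap from this one), here is a small added example in Python; it is not Thornton Data Solutions' analysis and the data is constructed. It assumes a simple cost model: a role costs ten person-reviews to build and maintain, and its value is the number of individual grants it replaces. Candidate roles are derived from a department attribute, which is one of several possible groupings.

```python
from collections import defaultdict
from statistics import mean

# Assumed cost model (not from the post): a role costs an order of magnitude
# more to build and maintain than requesting and reviewing one person's access.
ROLE_COST_MULTIPLIER = 10


def build_identities():
    """Constructed sample data: identity -> (department, set of entitlements)."""
    ids = {}
    for i in range(14):  # finance: many people, rich common access
        extra = {"gl-post"} if i % 2 else {"ap-approve"}
        ids[f"fin{i}"] = ("finance", {"erp", "vpn", "mail", "expense"} | extra)
    for i in range(12):  # engineering: many people, rich common access
        extra = {"prod-ssh"} if i % 3 == 0 else set()
        ids[f"eng{i}"] = ("eng", {"git", "vpn", "mail", "ci"} | extra)
    for i in range(3):   # legal: too few people to justify a role
        ids[f"leg{i}"] = ("legal", {"vpn", "mail", "contracts", "dms"})
    for i in range(8):   # ops: everyone wears multiple hats, little in common
        ids[f"ops{i}"] = ("ops", {"vpn", f"tool{i}", f"tool{i + 1}"})
    return ids


def candidate_roles(identities):
    """Group identities by department; the role grants what all members share."""
    members = defaultdict(list)
    for name, (dept, _) in identities.items():
        members[dept].append(name)
    return {dept: (names, set.intersection(*(identities[n][1] for n in names)))
            for dept, names in members.items()}


def score_roles(identities, roles):
    """Net value in grant units: grants the role replaces minus the role's cost."""
    person_review = mean(len(ents) for _, ents in identities.values())
    role_cost = ROLE_COST_MULTIPLIER * person_review
    scored = [(dept, len(names), sorted(common), len(names) * len(common) - role_cost)
              for dept, (names, common) in roles.items()]
    return sorted(scored, key=lambda r: r[3], reverse=True)


def roles_to_build(identities):
    """Keep only value-adding roles, best first, capped at identities / 10."""
    cap = len(identities) // 10
    ranked = score_roles(identities, candidate_roles(identities))
    return [r for r in ranked if r[3] > 0][:cap]


if __name__ == "__main__":
    for dept, size, common, net in roles_to_build(build_identities()):
        print(f"{dept}: {size} members, grants {common}, net value {net:.1f}")
```

On this data, legal is rejected for having too few people and ops for having only `vpn` in common, so only the finance and engineering roles survive, well under the cap of three.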
The final hard numerical answer to the question of "How many roles should I build?" can only come as a result of a detailed Role Model Analysis of your organization. This is what we do at Thornton Data Solutions. If your organization is wondering "How many roles should I build?" along with "Which ones?" and "In What Order?" reach out and we'll help you get started reducing the cost of your IAM operations with an Access Consolidation Program.