What Roles Should I Build?

One of the most contentious questions in an Access Consolidation Project is what Roles (or other Access Consolidation Items) an organization should build. The two most common answers to this question "Job Title Based" and "Department Based" have been argued by their champions and their detractors for years now. These approaches have champions because they have been seen to work by different people, but how can two very different approaches to role creation both be right?

Because they're right for the organizations they were built for. Different companies have different relationships between their Identity Data and their Access Data because they have different growth stories. Even within the same industry vertical (e.g. two banks, two manufacturers or two hospitals) the optimum structure of roles may be very different because the history, structure and access between the organizations will differ. Different people, in different places, at different times, make different decisions, and they all impact the value of role structures. What works for one company will not necessarily work for another.

The key to optimizing a role structure is to look at the underlying data and make an informed decision based on which potential role structure will produce the greatest value for the organization. Any Identity attributes that could have a predictive relationship to granted access should be considered for inclusion in a potential role model. If you're going to dig through "Job Title" and "Department", you might as well dig through everything else as well, "Company" (if you're a conglomerate), "Division" and "Team" (if you have a multi-tiered organizational structure), "Location", "Store" or "Warehouse" (if you have geographically distributed operations) should all be considered. Given the quantity of potential roles that may need to be considered I strongly suggest using automated statistical analyses to filter out candidates that have no chance of adding value to an organization. If it finds for example that there's no relationship between "Location" and the work that a person is doing, as might be the case if an organization was entirely remote, or entirely co-located, there's no reason to further consider building that role.

The short answer to "What Roles Should I Build?" is "Your Data Will Tell You", but you have to be willing to look at the data, and potentially sift through the noise of messy Identity and Access Data (for more on that read here) to see what your options are before coming to an agreement as an IAM organization on what the best Role Model is for you. Your organization may have perfectly valid reasons to reject seemingly valid mathematically superior choices as well, for example, potential roles may depend on corporate structures that may soon cease to be relevant due to divestment.

There is no simple answer to the question "What Roles Should I build?" but the questions and analysis that need to be done to answer it are known. If your organization is considering an Access Consolidation program and wants to make sure that it performs the necessary analysis correctly and chooses the optimum Role Structure. Reach out to us and ask about how Thornton Data Solutions can help them perform a Role Model Analysis. We can't tell you right now which roles you should build, but we can absolutely work with you to figure it out!