Former Member

09-05-2009
Identity Management - Plug and Play

Provisioning, Managing and Revoking Access

Organizations have a complex task in transitioning employees to new roles and responsibilities with minimal overhead and cost. This applies to new hires as well as to tenured employees. One of the key challenges in such transitions is Provisioning, Managing and Revoking Access to the various Business Applications with an audit-proof trail. Identity Management - Plug and Play helps you address these risks and achieve the desired level of security with the least overhead.

Business Process Evaluation
The best exercise to begin with is to spend quality time with the Business Process Owners to understand the various Roles the employees play, and at what stage of each Business Process. For instance, it could be a Survey conducted by the Human Resource Department about a Trainer, taken by the employees trained by that Trainer. So for this Business Process we need a Trainer, the concerned Human Resource Department Personnel, the trainees, and the Supervisor of the Trainer with whom the results of the Survey are shared. In this manner all the Business Processes which need to be covered under the Identity Management Process can be evaluated for the required inputs. Depending on the complexity and maturity of the process, the time taken for collating the inputs would vary. A sample template to collate the inputs for the Business Process is shown below in Table 1.1.

| Business Process | Business Sub Process | Functionality | Actor/Business User Type | Activity Performed | Identification of Business User | Tenure/Business Event |
|---|---|---|---|---|---|---|
| Survey | Trainer Evaluation | Initiation of Survey | Human Resource Personnel | Identifying the Trainer who needs to be Evaluated | Human Resource Personnel mapped to the Trainer | As long as the HR Personnel is mapped to the Trainer; Assignment of the HR Personnel to the Trainer |

Table 1.1 - Sample Template to Collate Business Process Evaluation

 

(This evaluation can be more elaborate and could also be an opportunity for Business Process Re-engineering.)

Business Process to Application specific Access Mapping

The next activity is mapping the Business Process wise evaluation done above to specific access in the Application(s) on which the Business Process is executed. This requires an exact one-to-one translation of the Business Functionality, broken down into Application specific activities/features. Continuing with the Business Scenario discussed in Table 1.1, Initiation of Survey could mean access to the Survey Application, provision to see the relevant Trainers for Evaluation, access to Trainer related information to make an informed choice, choosing the duration of the survey, and so on. Refer to Table 2.1 to see more.

| Business Sub Process | Activity Performed | Application Specific Activities | Elaboration | Remarks |
|---|---|---|---|---|
| Trainer Evaluation | Identifying the Trainer who needs to be Evaluated | 1. Access to Survey Application | HR Personnel to have access to the Portal where the Survey Application is hosted | This could be a part of the Enterprise Portal accessed by all employees or a stand-alone Portal. |
| | | 2. Choose the Trainer | Based on the Mapping of the Trainer to HR Personnel, only those Trainers should be available for initiating the Survey | This can either be brought under the Identity Management purview or be taken care of at the Application level |
| | | 3. View the Details of the Trainer | HR Personnel to have access to the relevant records of the Trainer like Date of Joining, Course Details, Years of Experience, Previous Survey Ratings etc. | However, not all details, like Salary and other confidential details of the Trainer, are to be accessible at the time of Initiation of the Survey |

Table 2.1 Mapping Business Process to Application specific Access

 

The elaboration can be done at a more detailed level to collate the Technical details like the specific Tables/Clusters/Infotypes/Transactions/Reports/Views/Methods/Classes etc. to which the access needs to be granted, and with what validity.

Strategy for Grouping

Now that the mapping of the Business Process steps to the Application is done, we need to create Roles and Profiles. However, we need to use the right strategy for Grouping these Roles. One option is to create all Roles and Profiles without any Grouping. This would allow us to change and manage any further enhancements easily at a Sub Process level. However, the drawback is the volume and the maintenance overhead. Hence, depending on the inputs collated from the above activities, the grouping proposed below can be used to Group the Roles and Profiles. The need for this grouping is best appreciated from the perspective of managing the Roles and Profiles after the Identity Management has been implemented.

With the above activities done, you would broadly have the following sample possible groupings, as shown in Table 3.1.

 

| Possible Groupings |
|---|
| Business Process |
| Business Sub Process |
| Business User Type |
| Business Activity |
| Access Type |

Table 3.1 Sample Possible Groupings

 

The Roles and Profiles for giving access to Business Applications can be grouped as shown in Table 3.1 above. We will look at each of the Groupings in more detail.

1. Business Process: Each Business Process can be treated as a Group for preparing a mapping of the Roles and Profiles which need to be assigned to the Business Users who need to access the Application. This would mean mapping the Roles and Profiles for a Process to a Business User who needs access. This is based on the assumption that all the Business Users for the Process have the same permissions.
2. Business Sub Process: In case the Access to be provided within a Business Process varies based on the Sub Process, which is usually the case, the Roles and Profiles can be grouped at the Sub Process level. In this case the identification of Business Users for Provisioning, Managing and Revoking would be at the Sub Process level.
3. Business User Type: User type could be Trainer, HR, Manager etc., where each of the user types has a spectrum of permissions to do certain activities. For instance, a Trainer in Alaska or a Trainer in New Jersey would have the same permissions as a Trainer in Ohio. Within that premise it is possible to group all the user types together while creating the Roles and Profiles to be assigned. With this strategy any employee who becomes a Manager would get permission to all the Business Applications which they need to access as a Manager.
4. Business Activity: Activity wise grouping requires all Roles and Profiles for initiations across Business Applications to be grouped together. With this design, if an employee needs to gain access to a certain application for Initiation alone, then for that application the Role created for Initiation needs to be assigned to the user with the validity period.
5. Access Type: This involves aligning the Roles and Profiles based on the access type, like Review Access/Change/Approve/View etc. In this approach the Roles are created with further categories to allow the various types of access as needed by the Application.

 

 

The above mentioned Groupings can also be aligned to the various frameworks which may be applicable for the Organization. This would make the Role Mapping more audit-proof.

 

Alignment to the Business Events

 

The next step would be to align the Business Events which would link the above Role and Profile assignment/revocation/modification for the users. This would ensure a seamless integration between the Business Event and the planned Transition. In other words, by virtue of becoming the HR Personnel for a Trainer, access to the Survey and to the application to initiate a Survey should be provisioned. This aligns the Business Event of the HR Personnel taking charge to trigger the needed assignment of the Roles and Profiles required to execute the tasks.

This is the critical part of the Plug and Play technique where there is a seamless integration between the Business event and the assignment of required Roles and Profiles to perform the needed tasks in various applications automatically.

 

Plug and Play

 

Once the Roles and Profiles are mapped we are ready to use the Plug and Play approach for Identity Management. The Master switch to control the entire Plug and Play is ascertained. These are the steps which the Governance team for Identity Management needs to incorporate to use it effectively.

1. On a new Sub Process being included in the Process, review the additional generic bare minimum access which needs to be given in addition to the existing Roles.
2. Evaluate periodically whether the Business Event alignment to Role assignment is the latest. The Business Process could be changed, and in such an event the mapping of the Business Event to the Role assignment needs to be altered.
3. There could be addition/removal of a Business User from a process; in such an event a re-evaluation needs to be done at all levels.
4. Over the course of time there could be changes to the Business Events, in which case again the re-evaluation needs to be done to ascertain the changes.

 

In all the above scenarios, whenever there is a change, implementing the change is only Plug and Play. You need not redesign the entire set of Mappings and Alignments; only the changes need to be plugged in. The entire machinery of Provisioning, Managing and Revoking Access continues to work seamlessly.
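As an added illustration (not part of the original post), the following Python sketch models the Business Event driven assignment described under "Alignment to the Business Events" together with the Plug and Play change handling above: a table maps a Business Event to the Roles grouped at the Sub Process level, the start of the event provisions them with an open-ended validity, the end of the event revokes them, every action lands in an audit trail, and a new Sub Process is plugged in by registering one more mapping. All event, role and user names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed Business Event -> Roles map, grouped at Sub Process level (Table 2.1); names hypothetical
EVENT_ROLE_MAP = {
    "HR_MAPPED_TO_TRAINER": [
        "SURVEY_PORTAL_ACCESS",  # 1. Access to Survey Application
        "SURVEY_INITIATE",       # 2. Choose the Trainer and start the Survey
        "TRAINER_RECORD_VIEW",   # 3. View non-confidential Trainer details
    ],
}

def register_event(event: str, roles: list) -> None:
    """Plug in a new or changed Business Event mapping; existing mappings are untouched."""
    EVENT_ROLE_MAP[event] = list(roles)

@dataclass
class Assignment:                     # dates are ISO strings (YYYY-MM-DD), which compare correctly
    user: str
    role: str
    valid_from: str
    valid_to: Optional[str] = None    # None: open-ended, bound to the Business Event

class IdentityStore:
    """Provisions and revokes Role assignments purely from Business Events."""
    def __init__(self) -> None:
        self.assignments: list = []
        self.audit: list = []         # audit-proof trail: (date, action, user, role_or_event)

    def on_event(self, event: str, user: str, when: str, ended: bool = False) -> list:
        """Event start provisions its Roles, event end revokes them; returns changed Roles."""
        roles = EVENT_ROLE_MAP.get(event)
        if roles is None:             # unknown event: record it, assign nothing
            self.audit.append((when, "UNMAPPED_EVENT", user, event))
            return []
        changed = []
        for role in roles:
            open_ones = [a for a in self.assignments
                         if a.user == user and a.role == role and a.valid_to is None]
            if ended and open_ones:
                for a in open_ones: a.valid_to = when   # revocation effective on the event date
                self.audit.append((when, "REVOKE", user, role))
                changed.append(role)
            elif not ended and not open_ones:           # idempotent: no duplicate provisioning
                self.assignments.append(Assignment(user, role, when))
                self.audit.append((when, "PROVISION", user, role))
                changed.append(role)
        return changed

    def active_roles(self, user: str, on: str) -> list:   # valid_to is exclusive
        return sorted({a.role for a in self.assignments if a.user == user
                       and a.valid_from <= on and (a.valid_to is None or on < a.valid_to)})
```

A user whose Business Event has ended loses every Role bound to it on the same date, so the revocation leg needs no separate maintenance once the mapping exists.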

 

Conclusion

 

The Plug and Play technique for Identity Management allows the Organization to ensure minimal transitioning time and cost in terms of access and controls. It also allows auto assignments, updates and de-provisioning without any manual interventions. Moreover the centralization and alignment of the entire Business Processes and Events to the Assignment of the Roles and Profiles to the users allows better Governance and Control. Further, it eases Change Management for any of the Processes.