Tuesday, January 09, 2007

What's this Role Management stuff about?

I read a press release today about a Role Management company called Vaau. Vaau first caught my attention back in March, when Gartner identified them as a "cool vendor". I'm sure the company name helped out, but the main reason for the honor seems to be the ability of their product RBACx to perform attestation at the user level rather than the role level (which seems like an obvious must-have for a role management product, although some "role management" vendors might disagree). Anyhow, today's press release was regarding a strategic partnership they struck with Sun. Seeing that there are more than a few vendors joining this space, I'd like to write a few entries about the field, typical product features, general philosophies/approaches to role management, sushi and some of the vendors (off the top of my head, Eurekify, Bridgestream, Vaau, Courion, BHold, etc.).

The first place to start is what role management is all about. Using the latest technical jargon, a role is a grouping of things that need privileges to do stuff to other things. So it follows that role management is the management of what I just said. The main driver is usually all about access management, hence the term RBAC (role based access control). The idea is that it's easier to manage roles as opposed to individual privileges. (Of course, compliance is a driver as well.) Sometimes that doesn't work out as planned. It's not unheard of for clients to complain that they ended up with more roles than people in their organization, which sort of defeats the purpose, especially if your role memberships are only people.

So the next post: typical product features in a role management app.

10 comments:

Unknown said...

I would like to point to another type of attestation, which is by the "resource".

Most of Eurekify's customers start without roles. Their privileges are still in a mess, irrespective of the fact that they don't have roles. So the first use of Eurekify is to clean up privileges. We do this with our pattern-based detection of exceptions; we do that with our privileges browser; and we also do that with the resource attestation process.

In the resource attestation process, you appoint a person to every group of resources. Resources can be groups on other systems, or they can be files/datasets, transactions, etc. People can be assigned to resources by the platform (i.e. which platform they manage), by the application, by the business unit, etc. There is sometimes more than one approver per resource (although usually not at that stage).

The changes requested by the business managers as part of the resource attestation can often be used to clean up the data. We in Eurekify also believe that it is a good first rehearsal towards role approval processes that will follow later.

So to sum up, ERM provides 3 types of approval: by user, by roles, and by resource. Each is important in different phases of role-based privileges management, addressing different parts of the 5 Cs of role management.

Cheers

-Ron

Dr. Ron Rymon
Founder, Eurekify
http://www.eurekify.com
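The three attestation views Ron describes (by user, by role, by resource), the "exception" cleanup that precedes role definition, and the more-roles-than-people failure mode from the post, as an added Python example. It is not code from the original post or from any vendor named here; every user, role, resource and owner is constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: hypothetical users, roles and resources.
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"payroll_clerk", "ad_admin"}, "carol": set()}
ROLE_PRIVS = {
    "payroll_clerk": {("hr_db", "read"), ("payroll_share", "write")},
    "ad_admin": {("active_directory", "admin")},
}
# Privileges granted directly, outside any role: the pre-role "mess" to be cleaned up.
DIRECT_PRIVS = {"carol": {("payroll_share", "write")}, "bob": {("hr_db", "read")}}
RESOURCE_OWNER = {"hr_db": "hr_manager", "payroll_share": "finance_manager",
                  "active_directory": "it_manager"}
USER_MANAGER = {"alice": "finance_manager", "bob": "it_manager", "carol": "finance_manager"}


def role_privs(user):
    """Privileges the user holds through role membership only."""
    return set().union(*(ROLE_PRIVS[r] for r in USER_ROLES.get(user, ())))


def effective_privs(user):
    """Everything the user can actually do: role-derived plus direct grants."""
    return role_privs(user) | DIRECT_PRIVS.get(user, set())


def user_attestation():
    """By user: each manager certifies the complete privilege set of each report."""
    return {u: (USER_MANAGER[u], sorted(effective_privs(u))) for u in USER_ROLES}


def role_attestation():
    """By role: members and privileges of each role are certified as one unit."""
    return {r: (sorted(u for u, rs in USER_ROLES.items() if r in rs), sorted(p))
            for r, p in ROLE_PRIVS.items()}


def resource_attestation():
    """By resource: the appointed owner reviews everyone who can touch it, and how."""
    who = defaultdict(list)
    for u in USER_ROLES:
        for res, action in effective_privs(u):
            who[res].append((u, action))
    return {res: (owner, sorted(who[res])) for res, owner in RESOURCE_OWNER.items()}


def exceptions():
    """Direct grants no role explains (review candidates) versus direct grants a role
    already covers (redundant, safe to drop during cleanup)."""
    return {u: {"unexplained": sorted(d - role_privs(u)), "redundant": sorted(d & role_privs(u))}
            for u, d in DIRECT_PRIVS.items()}


def role_explosion():
    """The failure mode from the post: more roles than people defeats the purpose."""
    return len(ROLE_PRIVS) > len(USER_ROLES)
```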

Ashraf Motiwala said...

Thanks for the comment, Ron. Thanks for the insightful details on attestation.
