Blogger: Kevin Kampman
On Wednesday afternoon at Catalyst, we closed the Identity Management, Role and Entitlement discussion with a panel consisting of enterprise practitioners Robert Amos of NuStar Energy, Paul Rarey of Safeway, and David Laurance of JPMorgan Chase. Also on the panel were Edward Coyne of SAIC, representing both the Veterans Administration and the INCITS CS1.1 committee responsible for Role Based Access Control (RBAC), and Alan O’Connor, Research Economist with RTI International.
The purpose of the panel was to discuss the challenges and opportunities facing Role Management as a discipline, and how industry can influence continuing efforts in the RBAC standards community. In particular, Alan O’Connor was at Catalyst to learn more about enterprise experiences with roles, in order to advise the National Institute of Standards and Technology (NIST) about areas for future investment.
There were several major observations from the panel. First, there was agreement that roles are a business challenge, but, as Paul Rarey observed, “talking to the business about roles is a non-starter.” Instead, the conversation needs to focus on business value. Robert Amos cited success in convincing the business to take ownership of roles; however, the proper infrastructure must be provided to manage the relationship of roles to resources.
Another challenge is understanding what roles are for. David Laurance noted that seven distinct applications of roles had been discussed during the afternoon:
- To identify expertise
- To manage job assignments
- For authorization
- To abstract identities from entitlements
- To enforce policies such as separation of duties
- To enable provisioning, and
- To establish accountability.
NIST and INCITS are interested in addressing implementation issues in organizations; this list represents a good starting point for future activity. It is not just the integration of attributes into applications that needs to be addressed, but also guidance for organizations that want to characterize what people do in a meaningful context.
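Several of the applications in that list (authorization, abstracting identities from entitlements, separation of duties, provisioning) are exactly what the core RBAC model with static separation of duty describes. The following is an added example, not code from the panel or from the INCITS standard: a minimal in-memory implementation loosely modeled on the functional elements of INCITS 359-2004 (user and permission assignment, sessions, access checks, SSD sets). Method names, the accounts-payable roles, and the users “alice” and “bob” are this example’s own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """An (operation, object) pair, as in the RBAC reference model."""
    operation: str
    obj: str


class SsdViolation(Exception):
    """Raised when an assignment would breach a static separation-of-duty set."""


class CoreRbac:
    """Core RBAC plus static separation of duty (SSD). Loosely follows the
    functional elements of INCITS 359-2004; method names are this example's own."""

    def __init__(self):
        self.users, self.roles = set(), set()
        self.ua = {}        # user-role assignment: user -> set of roles
        self.pa = {}        # permission-role assignment: role -> set of Permission
        self.ssd = []       # SSD constraints: (frozenset of roles, cardinality n)
        self.sessions = {}  # session id -> (user, set of activated roles)

    def add_user(self, user):
        self.users.add(user)
        self.ua.setdefault(user, set())

    def add_role(self, role):
        self.roles.add(role)
        self.pa.setdefault(role, set())

    def grant_permission(self, role, perm):
        self.pa[role].add(perm)

    def create_ssd_set(self, roles, n):
        """No user may be assigned n or more roles from `roles`; refuse a set
        that existing assignments already violate."""
        roles = frozenset(roles)
        for user, assigned in self.ua.items():
            if len(assigned & roles) >= n:
                raise SsdViolation(f"{user} already holds {n}+ of {sorted(roles)}")
        self.ssd.append((roles, n))

    def assign_user(self, user, role):
        """Assign a role, rejecting the change if it would breach any SSD set."""
        proposed = self.ua[user] | {role}
        for roles, n in self.ssd:
            if len(proposed & roles) >= n:
                raise SsdViolation(f"{user}: {role} conflicts with {sorted(roles - {role})}")
        self.ua[user] = proposed

    def deassign_user(self, user, role):
        """Remove the assignment and drop the role from the user's live sessions."""
        self.ua[user].discard(role)
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)

    def user_permissions(self, user):
        """Entitlements are derived through roles, never stored per user."""
        return set().union(*(self.pa[r] for r in self.ua[user]))

    def create_session(self, sid, user, active_roles):
        """A session activates only a subset of assigned roles (least privilege)."""
        active_roles = set(active_roles)
        if not active_roles <= self.ua[user]:
            raise PermissionError(f"{user} is not assigned {sorted(active_roles - self.ua[user])}")
        self.sessions[sid] = (user, active_roles)

    def check_access(self, sid, operation, obj):
        _, active = self.sessions[sid]
        return any(Permission(operation, obj) in self.pa[r] for r in active)


def demo():
    """Constructed accounts-payable scenario (example data, not from the page)."""
    rbac = CoreRbac()
    for role in ("ap_clerk", "ap_approver", "auditor"):
        rbac.add_role(role)
    rbac.grant_permission("ap_clerk", Permission("create", "invoice"))
    rbac.grant_permission("ap_approver", Permission("approve", "invoice"))
    rbac.grant_permission("auditor", Permission("read", "invoice"))
    rbac.create_ssd_set({"ap_clerk", "ap_approver"}, 2)  # nobody creates and approves
    for user in ("alice", "bob"):
        rbac.add_user(user)
    rbac.assign_user("alice", "ap_clerk")
    rbac.assign_user("bob", "ap_approver")
    rbac.assign_user("bob", "auditor")
    try:                       # 1. SoD enforced at assignment time
        rbac.assign_user("alice", "ap_approver")
        sod_blocked = False
    except SsdViolation:
        sod_blocked = True
    rbac.grant_permission("ap_clerk", Permission("read", "vendor"))  # 2. change the role, holders follow
    alice_sees_vendors = Permission("read", "vendor") in rbac.user_permissions("alice")
    rbac.create_session("bob-review", "bob", {"auditor"})  # 3. activate only what the task needs
    approve_in_review = rbac.check_access("bob-review", "approve", "invoice")
    read_in_review = rbac.check_access("bob-review", "read", "invoice")
    rbac.deassign_user("bob", "auditor")  # 4. deprovisioning reaches live sessions
    read_after_deassign = rbac.check_access("bob-review", "read", "invoice")
    return {"sod_blocked": sod_blocked, "alice_sees_vendors": alice_sees_vendors,
            "approve_in_review": approve_in_review, "read_in_review": read_in_review,
            "read_after_deassign": read_after_deassign, "alice_roles": sorted(rbac.ua["alice"])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is where the checks live: separation of duties is enforced when the role is assigned, not left to each application; a user’s entitlements are computed from roles rather than stored, so changing a role changes every holder; and a session activates only the roles the task needs, which is what makes a role an instrument of least privilege rather than just a grouping.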
David contributed three challenges for role management:
- Definition
- Analysis and interpretation, and
- Assignment to individuals.
During the afternoon, Robert and Paul provided excellent case studies about how their organizations have accomplished these, while acknowledging that their efforts are ongoing and would benefit from more consistent processes and procedures and from more effective role management applications. Alan observed that NIST needs these recommendations from industry in order to provide direction to its committees, and both Ed and Alan are soliciting participation of this nature.
Organizations wishing to provide input to RTI’s NIST survey can contact Alan O’Connor (oconnor@rti.org). Those interested in investigating revisions to the RBAC standard (INCITS 359-2004) can get more information about participation by contacting Ed Coyne (ed.coyne@va.gov) or Rick Kuhn (kuhn@nist.gov).