
January 10, 2008

Does acquisition equate to evolution? Enterprise Role Management at a crossroad…

Blogger: Kevin Kampman

It’s stimulating to take a vacation and return to find that you’ve been challenged to weigh in on an issue. Late last year, Sun acquired VAAU, a role management and identity audit vendor. This followed Oracle’s acquisition of Bridgestream, another enterprise role management (ERM) vendor, earlier in the fall.

Ian Glazer posted a blog entry on enterprise role management asserting that these acquisitions would broaden the capabilities of the respective vendors’ identity management (IdM) suites, as well as raise the bar for other IdM vendors in terms of providing ERM capabilities. Since there are fewer ERM acquisition targets than IdM vendors, this promises to be an active area for development in the coming year, particularly as organizations recognize the value that ERM provides. Ian went on to question who in organizations really benefits from role management.

From my perspective, the administrative benefits of role management (efficiency and accountability) are derivative; the real benefits come from realizing new, structural perspectives on the organization. In an interview I participated in this week, I was asked about the return on investment from IdM. While there are tactical advantages to administrative efficiencies, what is more valuable in my mind and what I asserted in the interview is the potential “return on organization”.

The term “organization” can be viewed in two ways. From a static perspective, an organization represents an entity composed of people and their associated responsibilities, assembled to accomplish a purpose or objective. As an actionable term, organization represents alternatives for how people and responsibilities are structured to meet those needs.

While many enterprises follow similar structural patterns, any single enterprise is unique (by accident or design). Enabling that enterprise to understand and to refine its structure in response to changing needs is a longer term benefit of role management. Capturing that perspective in management tools is the immediate challenge, and provides the foundation to analyze and improve organizational structure. A short term benefit is the ability to leverage this knowledge to improve the administration and management of the enterprise.

In answer to Ian’s question, the entire enterprise can benefit from this return on organization. Some of this will be measured strategically, some tactically. The prerequisite for realizing these benefits is to capture and to populate the knowledge base.

With the addition of ERM capabilities, IdM can provide a more strategic and valuable contribution to the organization. The acquisitions by Oracle and Sun represent the impetus for IdM evolution, but only if these solutions are used as business enablers. Otherwise, we’ve just improved our ability to document and maintain the status quo.

September 10, 2007

There’s a Lott to be said… For Oracle’s recent acquisition of Bridgestream

Blogger: Kevin Kampman

When I became involved with the role management industry about four years ago, it was a tiny and highly specialized market, tainted by difficulties and the potential for failure. This was due in part to its focus on access related information, particularly for role mining. In order to improve role management’s probability of success, it was clear that something needed to change. The solution was to associate business responsibilities with access rights.

About this time, I became familiar with Bridgestream and its founder, Ms. Juanita Lott. Unlike its competition, Bridgestream’s product architecture was very HR-oriented and incorporated business structure and responsibilities into the solution. This was a result of her previous HR background with a software development firm. She had a vision to address the shortcomings in organizational management tools, and turned to role management as a viable solution to address the association of resources and responsibilities. Although her involvement in Bridgestream has diminished, her influence is noteworthy.

Today, the playing field is much more level. Role management vendors all acknowledge the requirement to address business responsibilities and their alignment with technical privileges. Additionally, role management is integrally aligned with identity management solutions, a perspective that also evolved as the market became more established. In our research, role management projects are much more likely to succeed as a result of their engagement with the business community.

The potential acquisition of Bridgestream by Oracle has been a rumor since early this year. Acquisitions in the identity management space are common, but unknown for role management, until now. The Bridgestream acquisition underscores the growing importance of roles as part of a comprehensive identity management solution; it is certain that we will see additional attention to and expansion of these capabilities. At this point, it is fitting to recognize the pioneers of role management and their respective organizations. They all had a vision for role management and have seen it through to fruition.

April 09, 2007

Role Management by the Numbers

Whenever I get involved in a discussion of role engineering, I am invariably asked what the appropriate ratio of roles to users ought to be. This is a challenging question and, I believe, difficult to quantify. Some academics cite a ratio of about three percent of the population (1:33), and previous research we’ve conducted ranges from one and one-half percent of the population (1:59) for enterprise applications, to 1:8,000 for generalized roles, to 1:44,000 for customer-facing, e-business environments. These wide ranges make some sense, but leave us with more questions than answers.

Burton Group’s perspective is to distinguish between business responsibilities and IT privileges or resources. We call these Business and IT Roles, reflecting what someone needs to do, and the tools needed to do it. It makes sense to have this point of abstraction when you consider that the people deciding what responsibilities are in play come from the business, while those providing the tools usually come from the information technology community. Questions that make the numbers difficult to discern from this perspective include:

  • Can a person act in more than one business role?
  • Can they access more than one set of IT roles?
  • Can business and IT roles be aggregated or disaggregated?
  • Are these roles consistent for all of the organization, or are they specific to a particular line of business?
  • Can we follow models established for our industry? Other industries?

Given the rapid growth of products designed to manage roles, we’ve stepped back from the problem and consider that the real question is not how many roles, but how many you can manage effectively. It’s fine to set boundaries to make sure that things aren’t out of control. For example, if you have more roles than users, you may or may not have a problem (we hear that this is OK in some educational environments). It is more than likely that 1-3 percent keeps the situation bounded, but there will always be exceptions.

Burton Group is conducting research in Q2-2007 to establish the feasibility and adoption trends of role management in organizations. We are conducting an enterprise survey of organizations having role management programs in development or implementation. If you’d like to get a sense for how you stack up to others, we invite you to participate. Send an email to kkampman@burtongroup.com for your copy of the survey instrument. Let’s decide if the numbers stack up.

[posted by Kevin Kampman]