How Many Roles Would You Like With That?
Is role definition really about roles, access levels, or something else?
When I think about defining roles, I think of what it takes to manage them, and then of what the REAL point of a role is. Is it to help group users in another way, such as access levels? Is it a way to assign trust to a user type (assuming the higher up the food chain you go, the more trust you gain)? Or is it simply a component of identity?
The other questions that followed were: why would anyone ever want to go down the road of defining roles in the first place, especially since users are the most transient component of a company? People come and go all the time, especially contractors. So why would anyone try to define a role unless it was to assign a level of trust and to set up rules for access to networks, infrastructure, or applications?
If roles are about access, then why wouldn’t you define roles for the applications and then maximize your directory group structure, so that you assign roles to a FAR less transient population (you don’t bring dozens of applications up every week, right?), and then define access by user or group, where the groups are where trust is assessed and assigned?
What’s missing here? I am asking the identity community for feedback. If you blog a response, please email the URL back to me at identitystuff @ gmail.com; otherwise, leave one here…