How Many Roles Would You Like With That?
As I was loading the dishwasher last night I was thinking about roles and role definitions, the good and the bad, and asked myself a question:
Is role definition really about roles, access levels, or something else?
When I think about defining roles, I think first of what it takes to manage them and then of what the REAL point of a role is. Is it to help group users in yet another way, such as by access level? Is it a way to assign trust to a user type (assuming that the higher up the food chain you go, the more trust you gain)? Or is it simply a component of identity?
The other question that followed was: why would anyone want to go down the road of defining roles in the first place, given that users are the most transient component of a company? People come and go all the time, contractors especially. So why would anyone try to define a role unless it was to assign a level of trust and to set up rules for access to networks, infrastructure, or applications?
If roles are really about access, then why not define roles for the applications instead, and make full use of your directory group structure? That way you assign roles to a FAR less transient population (you don't bring dozens of applications up every week, right?), and then grant access by user or group, with the groups being where trust is assessed and assigned.
What’s missing here? I am asking the identity community for feedback here. If you blog a response, please email the URL back to me at identitystuff @ gmail.com, otherwise leave one here…
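To make the proposed split concrete, here is a small model of it as an added illustration; this is not code from the original post, and the application, group and user names in it are constructed for the example. Applications define their roles (stable), directory groups carry the bindings to those roles, and people (transient) are only ever members of groups. The demo then shows what this buys you: onboarding a new application touches no user record, offboarding a contractor is one operation that revokes access everywhere, and a binding to a role an application no longer defines is reported rather than silently granting anything.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Application:
    """An application and the roles it defines (stable: changes only when the app changes)."""
    name: str
    roles: dict[str, frozenset[str]]  # role name -> permissions that role grants


@dataclass
class Directory:
    """Directory groups hold people (transient) and carry the application role bindings."""
    members: dict[str, set[str]] = field(default_factory=dict)               # group -> users
    bindings: dict[str, set[tuple[str, str]]] = field(default_factory=dict)  # group -> {(app, role)}

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def bind_role(self, group: str, app: str, role: str) -> None:
        self.bindings.setdefault(group, set()).add((app, role))

    def groups_of(self, user: str) -> set[str]:
        return {g for g, users in self.members.items() if user in users}

    def offboard(self, user: str) -> int:
        """Remove a leaver from every group; returns how many memberships were dropped."""
        dropped = 0
        for users in self.members.values():
            if user in users:
                users.discard(user)
                dropped += 1
        return dropped


def effective_permissions(directory: Directory, apps: dict[str, Application],
                          user: str, app_name: str) -> frozenset[str]:
    """Resolve user -> groups -> (app, role) -> permissions for one application."""
    app = apps[app_name]
    perms: set[str] = set()
    for group in directory.groups_of(user):
        for bound_app, role in directory.bindings.get(group, ()):
            if bound_app == app_name:
                # An unknown role grants nothing (fail closed); dangling_bindings() reports it.
                perms |= app.roles.get(role, frozenset())
    return frozenset(perms)


def dangling_bindings(directory: Directory, apps: dict[str, Application]) -> list[tuple[str, str, str]]:
    """Bindings naming an app or role that does not exist: the drift check to run on a schedule."""
    bad = []
    for group, pairs in directory.bindings.items():
        for app_name, role in sorted(pairs):
            if app_name not in apps or role not in apps[app_name].roles:
                bad.append((group, app_name, role))
    return bad


def build_demo() -> tuple[Directory, dict[str, Application]]:
    """Constructed sample data (assumed names): one app, two groups, three people, one a contractor."""
    apps = {
        "ledger": Application("ledger", {
            "viewer": frozenset({"read"}),
            "approver": frozenset({"read", "approve"}),
        }),
    }
    d = Directory()
    d.bind_role("finance-analysts", "ledger", "viewer")
    d.bind_role("finance-managers", "ledger", "approver")
    d.add_member("finance-analysts", "alice")
    d.add_member("finance-analysts", "carol")   # contractor
    d.add_member("finance-managers", "bob")
    return d, apps


def run_demo() -> dict[str, object]:
    d, apps = build_demo()
    out: dict[str, object] = {}
    out["alice_ledger"] = effective_permissions(d, apps, "alice", "ledger")
    out["bob_ledger"] = effective_permissions(d, apps, "bob", "ledger")

    # A new application is onboarded: define its roles, bind them to existing groups.
    # No user record is touched, yet everyone in finance-analysts gets the access.
    apps["payroll"] = Application("payroll", {"reader": frozenset({"read"})})
    d.bind_role("finance-analysts", "payroll", "reader")
    out["alice_payroll"] = effective_permissions(d, apps, "alice", "payroll")

    # The contractor leaves: one operation on the transient object (the person)
    # revokes access to every application at once.
    out["carol_before"] = effective_permissions(d, apps, "carol", "payroll")
    out["carol_dropped"] = d.offboard("carol")
    out["carol_after"] = effective_permissions(d, apps, "carol", "ledger")

    # Drift check: a binding to a role the app never defined is caught, not silently ignored.
    d.bind_role("finance-managers", "ledger", "auditor")
    out["dangling"] = dangling_bindings(d, apps)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the `dangling_bindings` check is that once roles live with the application and bindings live with the group, the two can drift independently, so the thing to audit is the binding, not the user list.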
2 Comments:
Roles are about efficiency. Efficiency in administration, in authorization and security.
You can define "groups" by application, but to refine access to documents and other resources roles work best.
Seems that you are just reversing the object-subject pair.