Phase 5: Role Based Access Control (RBAC) User Provisioning and IDM (2 days on average)

Role-based Access Control (RBAC) provides an overview of the network resources available to an employee based on the role he or she holds in the organization. UMRA can handle RBAC information in various ways. Populating an RBAC matrix is predominantly an organizational concern. However, populating an RBAC matrix 100% is often not feasible. This will involve a painstaking effort that can take months, if not years. At the start of such an initiative, the RBAC matrix will often contain as many entries as there are employees.

To enable a quick and targeted RBAC implementation, UMRA offers various processing options for an empty, partially or completely populated RBAC matrix.

Empty RBAC matrix

If the RBAC matrix is empty, in many cases privileges and applications will be copied from a template or existing user. One of the drawbacks of this approach is that there is insufficient control over pollution and employees will eventually end up with far too many network privileges. Nevertheless, the objective is often to use the first method copy user or template-during the first phase of the UMRA implementation to ensure a fast implementation as the dependency of an RBAC project can delay IDM implementations for months or years on end. In any case, accounts are created in more uniformly, and a starting point is created for collecting the information required to populate the empty RBAC matrix.

Partially populated RBAC matrix

Although it can be difficult to populate the RBAC matrix completely, it is very simple to populate it partially to the department level. In many cases it is also feasible to populate the matrix easily for a large group of employees. An RBAC matrix populated this way already offers a major advantage in the user management process. After all, for new employees it is possible to assign all groups at the organizational level (login, word processing, email) and departmental level (access to departmental shares and applications) directly. This means new employees can start working immediately. More time is freed up for assigning more specific privileges. If UMRA detects an unpopulated section of the RBAC matrix, the manager of the employee in question will automatically receive email notification and will get an UMRA form asking for the specific privileges and applications required for the employee. The manager's choices will be recorded in UMRA. This information can be used for further definition of empty sections in the RBAC matrix.

Completely populated RBAC matrix

Although it can be difficult to populate an RBAC matrix fully, it will prove to be the ideal tool for assigning and storing the right privileges and applications for every employee. Using the RBAC matrix, UMRA can regulate the assignment of privileges and applications to new employees and handle changes occurring when roles and/or job titles of employees change or employees change departments. More complex scenarios are also supported, e.g. cases where an employee works part-time for two different departments or when employees remain active in their previous department, etc. It is also possible to store RBAC information in UMRA, or to have UMRA retrieve RBAC information from a customized or default third-party software application.

How to implement RBAC within your organization? Read about it in the Tools4ever white paper
‘The what, how and why of Role Based Access Control (RBAC)’.