Best way to define a Business Access Model for Customers

Hi all,

We are currently starting new projects and would like to know your recommendations for choosing an appropriate access model.

Our main question would be: what is the best way to design an access model using Roles, Access Profiles and Entitlements?

What would be the advantages/disadvantages of each access item?

What would be the best implementation so that each customer can manage access and keep it up to date across all identities?

Thank you for your answers!

Leo

My recommendations:

  • Roles are mapped to business functions
  • If you have purchased dimensions for Roles, leverage these so that you can simplify the role model (e.g., ‘Senior Analyst’ has dimensions for ‘Chicago’ vs ‘London’ for incremental access needs)
  • Naming convention must be established and followed strictly
  • Access Profiles should contain the application name as part of the naming convention
  • Cluster entitlements in an access profile where that cluster is re-used across Roles, or where you want that to be requestable as part of an Access Application

All three access items will be used. Leverage role auto assignment where possible to minimize the need for manual provisioning. If you want people to hold two business roles of access (e.g., to bridge time during a transition to another role), you can make the roles requestable.

If you have AI, use role insights and recommendations as a starting point to make business decisions on changes.

1 Like

Hi Leo, in our experience, Access Profiles are becoming something like obsolete. Staying with entitlements/roles should be sufficient and clearer to the client.

Entitlement implementation is trivial; they will exist for every access in your connected (and perhaps disconnected) sources.

About roles: even if the client has RBAC implemented, you should go in stages. First Go should implement a basic entitlements kit covering onboarding access. There you can begin your role engineering using ISC.

If the client has RBAC, you can implement roles by areas or departments instead of the whole organization. If the client does not have RBAC, you can make use of ISC tools for discovering roles, and suggest them to the client.

1 Like