Reduce Role Sprawl with Dynamic Access Roles in ISC2400×1354 221 KB

Introduction

Many organizations implement some form of role-based access control for their access model in Identity Security Cloud. Role-based access control (RBAC) has long been an industry standard for managing user access. Users are granted access based on the role or function they perform in the organization. The minimum amount of access that would enable an employee to perform a specific function is bundled into a role according to the principle of least privilege. Roles can be automatically assigned by membership criteria supporting birthright provisioning. The criteria for role membership is usually based on attributes that are known about the employee such as job title, department, or region. For example, a bank teller in a financial institution needs access to three different systems. A role can be created that bundles this access. The membership criteria for the Bank Teller Role could be as simple as jobTitle="Bank Teller". When a new bank teller is hired, the role is automatically assigned, and the bundled access is provisioned. The new bank teller gets access to the required systems on day one without any manual intervention from IT, and everyone is happy.

Challenge

The previous Bank Teller Role example was obviously oversimplified. In the real world, we deal with much more complex scenarios and systems. An actual financial institution could potentially have hundreds or thousands of locations domestically or even internationally. Depending on what access rights a given bank teller at any of those locations requires, a unique role would need to be created. For instance, if there are localized groups in Active Directory for each bank location, a role with those specific entitlements would have to be created. That could amount to thousands of roles, and that’s just for the bank teller position. What about the other positions at the bank like loan officers, personal banking managers, branch managers, assistant branch managers? Thousands of roles would have to be created and maintained. What happens when a new system is onboarded and new entitlements need to be added to all those roles? We can see that maintaining that enormous volume of roles can get overwhelming very quickly. The traditional RBAC model dictates that all identities who meet the role membership criteria receive all the associated access. But this paradigm is exactly what leads to incredible role sprawl for organizations that need a lot of flexibility in role design.

Solution

There has got to be a better way to create and maintain roles that allows for needed flexibility and reduces role proliferation. Well, there is! SailPoint introduced Dynamic Access Roles at Navigate 2024. Dynamic Access Roles is a revolutionary way to implement complex role-based access control by providing the ability to selectively assign access to members of a role based on the evaluation of contextual attribute values, known as dimensions. This allows a single role to replace large numbers of roles by encapsulating the context information and access policies that are needed to assign the right access to the right members of the role. Remember our Bank Teller Role that had to be duplicated for each bank branch location (possibly thousands!)? It can now be collapsed into one Bank Teller Role with a location dimension. Based on the value of an identity’s location attribute, the appropriate location specific entitlements can be assigned to the identity. This model offers incredible flexibility such that some access that all bank tellers need regardless of where they work can be granted to identities where jobTitle="Bank Teller" and specific access can be granted based on the identity’s location. If location=Manhattan, then the AD group ManhattanPrinterAccess can also be assigned, but if location=Brooklyn then the AD group BrooklynPrinterAccess can be assigned. We can add other dimensions like override permissions, wire transfer limit, and cash withdrawal limit so that each bank teller who is assigned the Bank Teller Role is granted unique, specific access. Up to 1500 different dimensions can be defined on a role. We can see how powerful this dimensional role definition paradigm can be for many types of organizations like retail, medical, and higher education. But really any organization, large or small, that has complex and context-sensitive access policies required can benefit greatly from this feature.

Use Case Scenario

Let’s take Dynamic Access Roles for a spin in ISC! Instead of the financial institution example, let’s pivot to a medical institution. Our demo organization will be a Texas hospital network with facilities in Austin, Dallas, and Houston. Instead of building out multiple nurse roles for all the types of nurses who work there like oncology, cardiac, OBGYN, ER, NICU, ICU, and then creating each of these specialized nurse roles for each hospital location, we will create one nurse role with multiple dimensions so that the proper birthright access can be assigned automatically. Depending on seniority level, our nurses will require different access as well. Our nurse role dimensions will be location, specialty, and seniority level.

When creating a new role, we have the option of Standard or Dynamic:

Nurse role1429×896 27.4 KB

We select Dynamic for the Nurse role, and now we need to choose the identity attributes that will serve as our Dimension Attributes:

Screenshot 2024-12-05 1853411413×875 29.3 KB

We choose the Location, Department, and Job Title identity attributes, which correspond to our dimensions of location, specialty and seniority level, respectively:

Choose dimension attributes1424×890 33.7 KB

Now we can define the Dimensions and the access that should be granted based on specific values:

New Dimension1415×943 46.6 KB

We’ll create the Austin Location dimension first:

Austin Location dimension1426×940 22.1 KB

To define Dimension Criteria, we can choose any of the Dimension Attributes that we have already defined: Job Title, Location, or Department:

Austin Location dimension criteria1426×939 31.6 KB

We choose Location because that is our corresponding Dimension Attribute and add our relevant location value, “Austin”:

Austin Location dimension criteria value1422×940 30 KB

Our next step is defining the access that should be granted for the Austin Location dimension:

Austin Location manage access1427×940 46.4 KB

We search for entitlements starting with “Austin”:

Austin Basic Access AD ent1359×943 28.2 KB

We add the Active Directory group Austin-BasicAccess to the Austin Location dimension:

Add Austin-BasicAccess1363×943 23.2 KB

We repeat those equivalent steps for the Dallas and Houston location dimensions:

Location dimensions1552×889 40.4 KB

If we were to enable this role right now, then all identities in the Austin, Dallas, or Houston locations would get the assigned access, but we want to limit role membership to nurses and assign some nurse specific access to all members of this role who are actually nurses. We can achieve this by defining membership criteria and assigning access based on that.

Under Define Assignment we specify that the identity attribute Employee Category must equal “Nurse”:

Define assignment for Nurse role1578×950 48.2 KB

Under Mange Access, we add the Nurse-BasicAccess Active Directory group:

Manage Access1595×947 32.6 KB

After enabling the role and applying changes, all nurses will get the Nurse-BasicAccess entitlement, but only nurses in Austin will get the Austin-BasicAccess entitlement that was defined on the Austin Location dimension.

Florence Jones is a nurse in Austin:

Florence Jones identity1595×610 29.7 KB

She was assigned the Nurse role because the value of her Employee Category identity attribute is “Nurse”:

Florence Jones Roles1600×567 25.2 KB

We see that Florence has been assigned the Nurse-BasicAccess entitlement because she met the Nurse role membership criteria, but she received the Austin-BasicAccess entitlement because her Location identity attribute is “Austin”:

Florence Jones entitlements1599×612 30.5 KB

Let’s add a few more dimensions. First, we create the Seniority dimension that grants the Nurse-AdminAccess entitlement if the Job Title dimension attribute is “Nurse Manager” or “Nurse Charge”:

Seniority dimension criteria1597×945 31.2 KB

Seniority dimension access1594×945 31.1 KB

Then we define the Nurse OBGYN dimension that grants the Nurse-OBGYN entitlement if the Department identity attribute is “Nurse-OBGYN”:

Nurse OBGYN dimension criteria1596×944 31.2 KB

Nurse OBGYN dimension access1591×939 30.8 KB

After applying changes, we look at Margie Fontaine, who is a charge nurse in Dallas and works in the labor and delivery ward:

Margie Fontaine identity1594×613 30.4 KB

Margie has been granted the Nurse-BasicAccess entitlement because she met the Nurse role membership criteria, but she received the Dallas-BasicAccess entitlement because her Location identity attribute is “Dallas.” In addition, she received the Nurse-AdminAccess entitlement because her Job Title identity attribute is “Nurse Charge” and the Nurse-OBGYN entitlement because her Department identity attribute is “Nursing-OBGYN”:

Margie Fontaine entitlements1597×717 35.7 KB

So far we have only defined one criterion for each dimension, but multiple criteria can be defined per dimension. For example, to get the access defined under the Houston ICU Access dimension, a nurse would have to be in the Houston location and part of the Nursing-ICU department:

Houston ICU Access dimension criteria1590×942 36.1 KB

Houston ICU Access access1592×941 31.7 KB

Esther Summerson happens to meet that criteria, and we see that she has been granted the Houston-ICU-Access by the very dynamic Nurse role in addition to the other access granted by that role:

Esther Summerson identity1597×609 30.7 KB

Esther Summerson entitlements1595×690 33.6 KB

Conclusion

We have seen just how powerful the new paradigm of Dynamic Access Roles is for reducing roll sprawl and creating truly dynamic roles. The amount of time and resources this feature will save an organization is astronomical. Creating and maintaining thousands of roles can be a thing of the past. But if you are happy with your current RBAC implementation in ISC, it’s not going away! Dynamic Access Roles are meant to enhance an existing traditional RBAC program, not replace it if that’s not a business goal. This feature is included in ISC Business Plus, and the focus of the initial release was birthright access with limited certification support for Dynamic Access Roles. So much more good stuff is planned, so stayed tuned to the Product News category!

Resources

@christina_gagnon : Lets say an identity has dimension attribute value D1 and gets provisioned AP1.

Later the identity dimension attribute value changes to D2 and gets provisioned AP2 as per the same role.

But AP1 should get deprovisioned correct? I do not see this happening?

@kag11

Yes, that is the expected behavior. Is there any other mechanism by which the identity could have been granted AP1? If not, I recommend that you open a support ticket to investigate.

Is there any way to see the identity membership of the dimension sub-roles? Or, see the dimension sub-role existing on the identity? I could not determine a way to do either after my first glance at this new functionality. I have pretty solid use cases to use this but cannot justify the increased opaqueness from the current iteration.

I just created test access profiles to test the dynamic role itself.

What is observed was that when the dimension attribute changes value, the deprovisioning did not happen.

@kag11 Have you refreshed that identity and applied changes to all roles? If you have taken both those steps, and the access profile has still not been removed, I would open a support ticket.

@dominick-miller That is definitely a welcome enhancement! I am checking with the PM to see when that might be available.

@dominick-miller According to the PM, we are adding search capability so that you will be able to search for all users that have a specified dimension. That is planned for the first 1/2 of 2025. My understanding is that other enhancements to role dimension visibility are coming as well, but I don’t have a timeframe for those.

Thanks for following up! I’ll keep a look out for these changes as it would certainly be nice to use dimension functionality to reduce role sprawl.

We are running into some odd behavior with Dynamic Roles.

We have a role setup that has quite a bit of access in the main part of the Role. We also have a dimension that is setup that checks an Identity Attribute and assigns additional access. We had a new employee get assigned to the Role and received the access in the main part of the Role, but he did not have the Identity Attribute information to get the additional access from the dimension. Everything was working fine until his Identity Attributes change (on purpose) and now the Identity Attribute information was met for the dimension.

Rather than just add the access from the dimension, the full role was removed and re-added but this time included the dimension access too. Many just errored out when they got both an add and remove command. But a few systems processed both, including sending multiple tickets via our Service Desk integration. In some cases the removes were processed but not the adds. It got resolved during the next Identity refresh, but caused lots of issues for this user.

image861×624 86.4 KB

We opened a support ticket, after a week we were told this is expected behavior. We would love to be able to utilize Dynamic roles, but this issue make it hard to commit to moving to Dynamic roles.

@Carlatto I wanted to let you know that I am actively monitoring this issue. From what I understand, the mechanism of updating role assignment is expected behavior, but those errors that you initially encountered are not. It appears that there are some configurations in your tenant that might be a contributing factor. Support has raised this issue with engineering and you should expect them to respond to you on your ticket.