We can identify the roles using various techniques such as top-down, bottom-up or hybrid. Nowadays there are modern AI-based tools and role mining methods to get recommendations for the role models. However, we have some practical questions, which we are posting here to get different opinions:
Day 0 – PROD:
We will never have PROD-like user access data available in a lower environment to be able to use the automated role mining techniques to come up with the "final" role models.
In such cases, what strategy have you used to identify the role access models?
On-going role management:
How do you handle modifications to existing role definitions? (e.g., handle it on a case-by-case basis by modifying roles to add/remove access profiles?)
Applications which will be onboarded post our role mining phase:
How do you incorporate the entitlements of additional, newly onboarded applications into the existing roles?
Or is it the best strategy to define new IT roles representing the access entitlements of the new applications?
I'll start by saying that there is no one solution that is always valid. Often, we don't have the possibility to have a good copy of the production environment. The only way is talking with the customer to get a preview or an export of the groups, roles and accounts if it's not possible to have a copy or an old backup in the dev/QA environments. In every case, you can prepare as much as you want, but on day 0 there will always be some surprises. The only thing you can do is be ready.
Afterwards, it depends a lot on the management you want to have, the number of roles and the possible changes in roles over time.
The strategy changes if you use exclusively an RBAC model or if you also use requests, or if the customer can assign a role only in IIQ or also on the target system.
A solution with which you can manage a lot of cases and a large number of roles is to create and manage roles through rules. With a rule you can read the managedAttribute of each application and create every single type of role, the structure, the assignment match filter, etc.
Another way is role mining, but the customer's target system could be complex or full of waste, and that can compromise the result.
Also, you can manage roles manually if you have little change over time.
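As an added illustration (not code from this thread, nor from IdentityIQ), a small Python sketch of the bottom-up candidate-role step and of the "new IT roles per newly onboarded application" option raised in the question, run over constructed sample access data; the entitlement naming and role naming are assumptions:

```python
from itertools import combinations

# Constructed sample data (not from a real system): identity -> entitlements,
# each written as "application:entitlement".
ACCESS = {
    "alice": {"hr:view", "hr:edit", "ad:staff"},
    "bob":   {"hr:view", "hr:edit", "ad:staff"},
    "carol": {"hr:view", "ad:staff", "fin:pay"},
    "dave":  {"fin:pay", "fin:approve", "ad:staff"},
    "erin":  {"fin:pay", "fin:approve", "ad:staff"},
}


def members(entitlements, access):
    """Identities holding every entitlement of a candidate role
    (a minimal 'assignment match filter')."""
    return {who for who, held in access.items() if entitlements <= held}


def mine_candidate_roles(access, min_users=2, min_size=2):
    """Bottom-up mining: entitlement sets shared by at least min_users
    identities become candidate roles, mapped to their support count.
    Pairwise intersections are a first-cut approximation of the shared
    sets; single entitlements (size < min_size) are left out, since they
    are better modelled as plain entitlements than as roles."""
    candidates = {}
    for a, b in combinations(access, 2):
        shared = frozenset(access[a] & access[b])
        if len(shared) < min_size or shared in candidates:
            continue
        support = len(members(shared, access))
        if support >= min_users:
            candidates[shared] = support
    return candidates


def onboard_application_roles(access, app):
    """Post-mining onboarding: leave existing roles untouched and create
    one IT role per distinct combination of the new application's
    entitlements that identities actually hold. Returns name -> set."""
    combos = set()
    for held in access.values():
        app_ents = frozenset(e for e in held if e.split(":", 1)[0] == app)
        if app_ents:
            combos.add(app_ents)
    return {f"IT-{app}-{'+'.join(sorted(e.split(':', 1)[1] for e in c))}": c
            for c in combos}
```

Real mining should use closed frequent itemsets and a dirty-data cleanup pass; the pairwise step here only shows the shape of the result, and the support count is what you compare against the customer's expected population for each role.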