FRAMINGHAM (10/03/2003) - In these days of distributed networks, user management is not for the faint of heart, and that is increasing interest in two techniques for streamlining the process.
Roles and rules are two approaches that promise automation and efficiencies in provisioning resources to users, and consistency in granting and revoking access rights. The goal is to replace the error-prone manual process of performing those tasks one user at a time with what amounts to batch processing.
Using roles- and rules-based models can help tighten security of network resources and ensure compliance with federal regulations such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.
Roles are predetermined sets of access privileges that are associated with a group of users on a network. Users are assigned to roles. The National Institute of Standards and Technology (NIST) developed the model, called Role-Based Access Control (RBAC), more than a decade ago. The Massachusetts Institute of Technology, Stanford University, Sun Microsystems Inc. and PricewaterhouseCoopers are among those that have developed their own roles-based models.
In comparison, rules were introduced recently with the advent of provisioning systems. They are more flexible and act as "if/then" expressions that are executed within software when a user attempts to access a network resource. For example, a rule might state "if" the user has the title "sales manager" and works in Division A "then" he is entitled to access System B.
Experts say that a combination of the two might be the best approach in meeting today's requirements for identity management.
"We found that just using roles would not be enough to provision users," says Steve Linstead, directory services architect for Johnson Controls, a Milwaukee supplier of automotive parts and building controls, such as heating/cooling.
Johnson Controls is finishing a pilot project with provisioning software from Netegrity that will be implemented next year. "Roles left too many gaps, and we needed rules to further define the user. We can have a supervisor role, but supervisor of what? The rule then determines how the role operates," Linstead says.
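As an added illustration (not code from the article or from any vendor it names), the following evaluator shows how a provisioning system can derive a user's entitlements from roles and then refine them with if/then rules over user attributes, including the article's own "sales manager in Division A gets System B" rule and a rule that answers "supervisor of what?". Role names, entitlement strings and the user records are constructed for the example.

```python
# Added example: roles grant a base entitlement set; if/then rules, evaluated
# over user attributes, add or scope further entitlements. All role names,
# entitlements and user records below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    title: str
    division: str
    roles: set = field(default_factory=set)


# Role -> entitlements the role grants outright (constructed values).
ROLES = {
    "employee": {"email", "intranet"},
    "supervisor": {"view-team-directory"},
}

# Rules are (condition over the user, grant function) pairs, evaluated in
# software at provisioning time rather than edited by hand per user.
RULES = [
    # The article's example: title "sales manager" in Division A -> System B.
    (lambda u: u.title == "sales manager" and u.division == "A",
     lambda u: {"system-b"}),
    # A rule that scopes a role ("supervisor of what?"): supervisors may only
    # approve timesheets in their own division.
    (lambda u: "supervisor" in u.roles,
     lambda u: {f"approve-timesheets:{u.division}"}),
]


def entitlements(user: User) -> set:
    """Derive the full entitlement set from the user's roles plus the rules."""
    granted = set()
    for role in user.roles:
        granted |= ROLES.get(role, set())
    for condition, grant in RULES:
        if condition(user):
            granted |= grant(user)
    return granted


def is_authorized(user: User, resource: str) -> bool:
    return resource in entitlements(user)


def provision(users: list) -> dict:
    """Batch-style provisioning: one consistent derivation for every user.
    Re-running it after a role or attribute change also revokes whatever
    the old role or attribute had granted."""
    return {u.name: entitlements(u) for u in users}
```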
Interest in roles and rules is accelerating, especially with the number of networked applications growing along with the internal and external users seeking access. Corporate users are seeking options, and vendors such as Beta Systems Software AG, Business Layers, IBM Corp., Microsoft Corp., Netegrity Inc., Novell Inc., OpenNetwork Technologies Inc., RSA Security Inc., Siemens AG and Waveset Technologies Inc. are listening.
"Most companies today are under pressure to do more with roles- and rules-based user management," says Christy Hudgins, president of Hudgins Group, a research firm. "I see differing motivators among different types of businesses. Some retailers are very cost-reduction-driven, while others are most interested in relieving the administrative load on IT staff. Regulatory compliance is a big factor with regulated financial institutions, as well as medical groups. Security tends to be the big driver with retail banks."
Hurdles to clear
However, the road to exploiting efficiencies using roles and rules is paved with scalability problems and complexity in defining roles and rules that align with business processes, such as creating new user accounts.
Experts say users must be cautious when implementing roles and rules, which is most often done through provisioning, access management or directory software.
They say Extensible Markup Language-based policy languages eventually will be combined with roles and rules to manage users across corporate networks that are integrated through Web services.
"If you have thousands of people needing access to your network because of a hiring cycle or contract work, all those accounts are set up with the right level of access, authorization is done once and done consistently, and there is less opportunity for human error," says David Shapiro, assistant director, Americas IT for Ernst & Young LLP. The company has used roles and rules within its provisioning software for the past six years to set up new users with necessities such as network access, telephones, building security badges and business cards. "We don't have people going to each server to set up accounts. What we have is a repeatable business flow, a workflow to support that process."
Experts say defining those processes is key.
"Coming up with role definition is hard work," says Gerry Gebel, an analyst with Burton Group. "Rule definition also has a similar process." But best practices such as limiting the initial scope of the project and getting people involved, from business managers to IT, help immensely.
Once roles are deployed, the work is just beginning, Gebel says. Auditing must be done to keep role and rule definitions up to date, a process that is tougher with rules because they have more data and policy information than roles.
Vendor Eurekify offers tools to help define roles and rules, and to audit them once they are deployed to ensure they are correct.
Refinement is ongoing
NIST is working on improving RBAC, for example by creating dynamic roles that have rule-like characteristics, adding workflow capabilities and integrating it with Web services applications. NIST also has submitted RBAC to the American National Standards Institute for adoption.
Rules have their own sets of challenges, including the need for standardization. Web services protocols such as Extensible Access Control Markup Language and the emerging WS-Policy should begin to erase that limitation.
Still, there are others who say roles and rules need even more help.
"Rules came about when the limitations with roles hit," says Vivek Pabby, vice president of applications development at The Depository Trust & Clearing Corporation (DTCC), the largest financial services post-trade firm in the world. "You have to track and administer rules, but there is no auditing or security associated with rules, and it becomes a maintenance nightmare." Pabby says roles and rules are two-dimensional and that another layer is needed that puts user management into context.
DTCC uses software called Concero from TruLogica Inc. that is billed as context-based user management.
Concero uses three constructs: a service, which defines an application; groups, which are sets of users; and business relationships, which define exactly what parts of an application a user can access.
But it also goes a step further to incorporate approval workflows and policies in the service. Concero also includes the ability to delegate user administration internally and with external partners to allow scalability, an issue that has hampered adoption of RBAC.
Pabby says user registration that used to take up to 10 days now is done in real time or within 24 hours if an approval is needed. Account termination, password reset and audits all happen in real time instead of days or weeks.
"Roles and rules can work for smaller organizations that only operate within their boundaries," Pabby says. "But we have 4,000 external partners, and roles and rules don't meet the requirements for our environment."