Oktane truly kept me busy last week, so a few days later than anticipated I’m able to share my first Notes from the Field. Recently a fresh RFP landed in my inbox. An organization was looking to replace their existing legacy identity management solution with a new, more modern identity governance platform. One of their Must Have capabilities immediately raised suspicions. An absolute requirement was a migration of their current roles matrix with all application mappings and assigned roles, without having to do any custom work.
This wasn’t the first time I’ve seen such a requirement, or the requirement to do role mining. From my experience, in almost all cases the only reason an organization asks for this is that it has no control over its authorization model. As a result, permissions have been assigned over the years, culminating in access for identities that is not in line with their role and their additional projects. Why do we know they have lost control over their authorizations? Because if they had control and knew exactly how to map internal job functions to required authorizations, they would just tell us to implement their existing, updated policies and have the authorizations applied dynamically. There might still be a few edge cases and exceptions that require some custom work, but the majority of application assignments and entitlements would be applied automatically.
To validate my suspicions, I looked through my Field Notes for this customer. In the past two years I had spoken with this customer at multiple events, and my initial thoughts were proven correct: during a conversation last year they mentioned they had close to 10,000 different roles for their 6,000 identities. Migrating that to a newer tool only gives you exactly that: a more modern tool in which you are still not in control of your identities and their authorizations. It may look prettier, and your teams might be able to create roles a bit quicker, but it doesn’t improve your organization’s security posture and you will still struggle with the same challenges.
My feedback on the RFP was to rethink the project, take a few steps back and think about the models you want to implement. I love to sell, but I feel it’s more important to help customers achieve their goals than to sell another product. It also got me thinking about RBAC and why so many organizations struggle to keep their RBAC model under control. This is not a dig at RBAC or at structuring your organization in roles. I do think most modern organizations require a more flexible approach (think policy-based access control), but for many organizations an RBAC model can work perfectly. But why is it then so common to speak with organizations that have 2x or 3x as many roles as employees?
I started to think back to the time I was doing this in one of my first IT jobs, at the end of the last century. For many organizations the challenges started during that time. Where roles before then were mostly confined to a single application, with the rise of enterprise directories we started to build out roles touching multiple applications, granting permissions across file servers and allowing very specific permissions within databases. That increased the complexity of managing roles, and instead of following the best practice of creating a new role and deactivating the old one when additional or changed permissions were needed, we started to amend existing roles.
With this the problem grew exponentially. Because no existing role matched the profile of a new joiner exactly, we would just create a new role, typically by copying an old role and making a few changes. Because every identity has a slightly different profile and is unique in its own way, the path to parity between the number of identities and the number of roles was completed quickly. With new hires joining the organization and old roles never being deleted, because you never knew who else would be impacted, the number of roles now outnumbers the number of employees.
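Here is an added example, not code from the original post, of how that copy-and-tweak history shows up in the data once you look for it: a small Python check over a constructed role catalogue that flags near-duplicate roles, roles that are simply another role plus a few extra entitlements, roles no identity holds, and the roles-to-identities ratio the post uses as its warning sign. All role names, entitlement strings and identities are made up for the illustration.

```python
from itertools import combinations

# Constructed sample catalogue (made-up names, not from any real tenant):
# role -> set of entitlements it grants.
ROLES = {
    "finance-analyst": {"erp:read", "erp:report", "fileshare:finance"},
    "finance-analyst-copy": {"erp:read", "erp:report", "fileshare:finance", "bi:view"},
    "finance-analyst-2019": {"erp:read", "erp:report", "fileshare:finance",
                             "bi:view", "db:fin_ro"},
    "hr-generalist": {"hris:read", "hris:write", "fileshare:hr"},
    "hr-generalist-old": {"hris:read", "fileshare:hr"},
    "it-admin": {"ad:admin", "vpn:admin"},
}
# Constructed assignments: identity -> roles it currently holds.
ASSIGNMENTS = {
    "alice": {"finance-analyst-2019"},
    "bob": {"finance-analyst-copy"},
    "carol": {"hr-generalist"},
    "dave": {"it-admin"},
}

def jaccard(a, b):
    """Overlap of two entitlement sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b)

def near_duplicate_roles(roles, threshold=0.75):
    """Role pairs whose entitlements overlap at or above threshold.
    High overlap is the fingerprint of copy-and-tweak role creation."""
    return sorted((r1, r2, round(jaccard(roles[r1], roles[r2]), 2))
                  for r1, r2 in combinations(sorted(roles), 2)
                  if jaccard(roles[r1], roles[r2]) >= threshold)

def superset_roles(roles):
    """(wider, narrower) pairs where one role is another plus extra entitlements:
    typically an old role that was copied and extended instead of replaced."""
    return sorted((big, small) for big in roles for small in roles
                  if big != small and roles[big] > roles[small])

def orphaned_roles(roles, assignments):
    """Roles nobody holds: the 'never deleted, someone might need it' pile."""
    in_use = set().union(*assignments.values()) if assignments else set()
    return sorted(set(roles) - in_use)

def role_to_identity_ratio(roles, assignments):
    """Roles per identity; anything above 1.0 means roles outnumber people."""
    return len(roles) / len(assignments) if assignments else float("inf")
```

On a real export the same three lists (near-duplicates, superset chains, orphans) are the natural starting point for deciding which roles to merge or retire before any migration.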
As a result, it takes a long time to implement new governance solutions and get value from modern technologies, and we’re looking at AI to help us sort out this mess. Is there an easy solution? No, I don’t think so. But in order not to be stuck in the same situation in 3, 5 or even 10 years’ time, the only solution is to go back to basics. Think about a dynamic authorization model that fits your dynamic organization today, not the organization of 5 or 10 years ago. Understand and accept that not all of your employees will keep the same permissions they currently enjoy. Nor do they have to, because their roles and responsibilities have typically also shifted over all those years. Map the critical authorizations and make sure you have a plan to enforce them when the automated deployment of entitlements doesn’t fully cover them. Only by mapping your model again will you set up your organization for success and reach your goals.