Roles for the Real World
Novell Identity Manager 4 Takes a Giant Step Toward Practical Role-Based Resource Management with Role Mapping Administrator
Written by Bill Tobey
Many claims have been made in these pages regarding the beneficial impacts that role-based resource management will inevitably have on the efficiency, agility and cost of IT operations. Among these have been promises that widespread adoption of roles would lead to:
- Reduced administrative workloads and costs through automated resource provisioning
- Increased user productivity through faster access delivery
- Tighter security through improved provisioning accuracy and real-time re-provisioning response to changes in work assignments and employment status
- Simpler, less onerous, more reliable compliance.
Getting There Can Be More Than Half the Work
At this point in time, however, the reality is that widespread adoption of roles as a resource management strategy has been held up by the real and perceived demands of practical implementation. And it’s true that most roll-outs must negotiate two significant cost and manpower hurdles: the upfront development of an enterprise role model, and the subsequent definition and lifecycle maintenance of role-resource relationships.
Before roles can be used to manage entitlements they must first be created in an identity management system such as Novell Identity Manager. A role is a construct that represents a group of users with a common set of functions and resource requirements, and it usually maps to an actual organizational role. Identifying the important roles that comprise an enterprise role model can be a significant front-end workload. It typically involves a combination of top-down analysis based on observation and description, and bottom-up statistical analysis to assess patterns in the existing distribution of access permissions. Tools like Role Lifecycle Manager (part of the Novell Access Governance Suite) can automate much of this analysis, but the process is inherently labor intensive and demands specialized skills that are often outsourced. Fortunately, once created, an organizational role model is relatively stable; so start-up labor and expenses are front loaded and largely non-recurring.
A second major focus of effort and expense is the process of assigning appropriate resource authorizations to each role. Because these requirements change as the organizational structure, business conditions and IT environment evolve, defining and maintaining these assignments is an ongoing process. Changes often require custom programming, and the burden of nearly continuous change management weighs on high-level personnel across the security, compliance and business operations domains. Over time, managing role-resource assignments often becomes a major drain on productivity and budgets, not to mention a real compliance headache. It’s often cited as a delaying factor in the launch of new business initiatives, and as a serious competitive disadvantage.
At least that used to be the case, before the release of Novell Identity Manager 4 Advanced Edition with Role Mapping Administrator.
Introducing Role Mapping Administrator
Role Mapping Administrator is a breakthrough innovation in access management, a visual tool that lets line-of-business analysts make and modify resource assignments for existing roles quickly, easily and directly, without IT support. It can reduce the time required to provision resources for a new initiative from as much as five days to less than five minutes, with proportional increases in productivity and reductions in IT operating expense.
Role Mapping Administrator puts all the information required to manage resource access permissions on a single screen. It automatically discovers the roles that have been defined in Identity Manager, the resources assigned to those roles, and the authorizations that are available to be granted on systems and services throughout your IT environment. Creating a new role-resource association requires only a drag-and-drop gesture that replaces complex back-end coding with point and click simplicity, reducing the time, labor and cost requirements by an order of magnitude. Role Mapping Administrator provides a sustainable access compliance solution for all the IT systems and applications that integrate with Novell Identity Manager, a long list that now includes SAP and Microsoft SharePoint.
Using Role Mapping Administrator
In the Role Mapping Administrator interface, the left pane displays all the roles that have been defined for this organization in Novell Identity Manager. (See Figure 1.) In this view we see a resource assignment change in progress. Because the Accounting role has been selected, the center pane displays all the resources currently provisioned to this role, and the right-hand pane displays the resources available for assignment. Here the right-hand pane shows the authorizations available within an instance of Active Directory. The current user—a finance manager responsible for a new acquisition merger—has selected a workgroup mailing list for the merger team, and is dragging it onto the center pane, adding it to the resource assignments for the Accounting role.
Before the change is applied, Role Mapping Administrator provides a confirmation prompt, and offers the user an opportunity to annotate the change. (See Figure 2.) Once this assignment is confirmed, all members of the Accounting role will automatically be added to the mailing list.
Access to applications can be assigned just as simply. Role Mapping Administrator can call up and display the available authorizations for any IT system for which there is an Identity Manager connector. (See Figure 3.)
With the available application authorizations now loaded and displayed in the right-hand column, our finance manager now selects an authorization to access the merger accounts in Oracle Financials. (See Figure 4.) She is about to map that permission to the Accounting role, and it currently appears as a pending assignment in the center pane.
When this change is confirmed, Novell Identity Manager 4 Advanced Edition will automatically create the required user accounts behind the scenes. The mailing list and the accounting application will be added to the resource set that is automatically provisioned to anyone joining the Accounting role and automatically de-provisioned from anyone transitioning out of the Accounting function.
Three months from now when the merger project has been completed, removing these authorizations from the Accounting role will be just as quick and easy. The finance manager will simply sign in to Role Mapping Administrator, select the Accounting role, highlight the resources to be de-provisioned in the center column, click Remove, and then Apply. Novell Identity Manager 4 Advanced Edition will do the rest.
Role Mapping Administrator also makes it easy to track which authorizations are currently in use and by which roles. Selecting an application in the right pane and clicking View References in the menu above displays a list of all the roles to which that application has been provisioned. (See Figure 5.)
Provisioning Power to the Business People
With most of the role-based resource management solutions in use today, changes like the ones described above still require custom code development, excessive expense and frustrating delay. The entire process of defining the necessary changes, documenting requirements, outsourcing development, then testing and validating the resulting code often delays essential new resource authorizations by days, weeks, a month or more.
With Role Mapping Administrator the entire process can be completed by a line-of-business analyst in a matter of minutes, using a simple, intuitive visual tool. It’s a powerful innovation that can reduce the labor, time and cost requirements of role-based resource management by an order of magnitude. More importantly, it puts the power to quickly and efficiently provision IT resources to important new business initiatives exactly where it belongs—in the hands of business-side managers.
To learn more about Novell Identity Manager 4 Advanced Edition and Role Mapping Administrator, visit the product site at www.novell.com/products/identitymanager/. You’ll find a Flash version of the demo above at www.novell.com/media/content/idm4-role-mapping-administrator.html.