As the number of employees, vendors, contractors, and departments within an organization grows, so too does the complexity associated with managing access to a growing number of applications and systems.
System administrators commonly manage this complexity by preemptively creating more roles for exceptions and edge use cases. And organizations with more limited or older legacy Identity and Access Management (IAM) systems often have no choice but to handle new access requests by assigning new roles to a user.
However, the very concept of roles—and the accompanying practices of role analytics, role mining, and roles engineering—is quickly becoming an outdated and inefficient way to manage access rights when used as the sole mechanism, particularly for edge use cases.
New Roles Are Not Always the Answer
With traditional Role-Based Access Control (RBAC) methods, administrators can find themselves forced into “role nesting,” where new roles are stacked on top of existing ones, to address edge use cases and provide users with deep, granular access to an application.
However, before too long, this can snowball into role creep—the unsupportable and unmanageable situation in which new roles are created inside of existing roles, for every new access need and use case that arises. By digging themselves into an ever deeper “role hole,” organizations set a bad precedent that leads to some unwieldy access management problems down the road.
The Challenges Associated with Role Nesting
When roles are nested, it becomes much more difficult to manage, support, and identify role properties because the role structure is so complex. The task of keeping track of additional roles-within-roles for each user becomes a significant support effort—first for the IT department and then for individual business owners or unit managers who have to oversee access rights to certain applications.
The level of role complexity may also be too much for some business applications and systems to bear. A system originally set up for one basic user and an admin user might slow down or crash as it attempts to interpret requests from a user with more and more roles piled onto his or her profile.
In addition, the largely manual process of handling exception use cases is not particularly efficient, robust, or secure. Consider larger organizations that might have hundreds of exception use cases to manage—no one person can effectively keep track of who has access to which systems or when this access needs to be turned off.
Why Role Mining Doesn’t Solve the Problem
Instead of pausing to rethink their access management approach, many organizations attempt to “solve” their role challenges with expensive role mining, roles engineering, and roles analytics solutions.
Any number of vendors stand ready to sell role mining tools that examine an organization’s structure, review the various business applications and systems in use, and then conduct an analysis designed to optimize the number of roles.
These tools might slightly improve the role assignment issue—cutting the number of roles down by as much as half—but they do not solve the problem outright. They merely allow the organization to operate more effectively, while perpetuating a bad habit. While they might make roles-based access more manageable, these tools do not address the root of the problem.
A Better Approach
Classic roles management techniques and tools definitely have their place and provide value. But when it comes to special use cases, traditional techniques tend to treat exceptions like every other access request—the exception becomes the rule.
We recommend an alternative access-granting solution called Just In Time (JIT) Access—granting access to applications or systems for predetermined periods of time, only when needed.
Just In Time Access provides an innovative way to give users timely access and privileges to organizational resources that are outside their normal, routine work function. Complex and expensive role management processes and tools are not required. And, when JIT Access is combined with RBAC and ABAC policies, organizations can effectively cover virtually all of their access needs.
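The sketch below is an added example, not code from any product described here: it layers time-boxed JIT grants on top of standing RBAC roles, so an exception expires on its own instead of becoming a new nested role. The role names, permission strings, users, the eight-hour policy maximum, and the no-self-approval rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Standing RBAC data (constructed sample): role -> permissions, user -> roles.
ROLE_PERMISSIONS = {
    "accounts_payable": {"erp:invoice:read", "erp:invoice:create"},
    "helpdesk": {"ticketing:ticket:update"},
}
USER_ROLES = {"dana": {"accounts_payable"}}

@dataclass(frozen=True)
class JitGrant:
    user: str
    permission: str
    approver: str
    not_before: datetime
    expires_at: datetime

    def active(self, now):
        # Half-open window: the grant is dead at the instant it expires.
        return self.not_before <= now < self.expires_at

def issue_grant(user, permission, approver, now, duration,
                max_duration=timedelta(hours=8)):
    """Create a time-boxed grant; refuse self-approval and open-ended windows."""
    if approver == user:
        raise ValueError("requester cannot approve their own grant")
    if not timedelta(0) < duration <= max_duration:
        raise ValueError("duration must be positive and within policy maximum")
    return JitGrant(user, permission, approver, now, now + duration)

def decide(user, permission, now, grants):
    """Return (allowed, reason): standing roles first, then unexpired JIT grants."""
    for role in sorted(USER_ROLES.get(user, ())):
        if permission in ROLE_PERMISSIONS.get(role, ()):
            return True, f"rbac:{role}"
    for g in grants:
        if g.user == user and g.permission == permission and g.active(now):
            return True, f"jit:approved_by={g.approver}"
    return False, "deny"

def prune_expired(grants, now):
    """Drop grants whose window has closed, so nothing waits on manual cleanup."""
    return [g for g in grants if now < g.expires_at]
```

The reason string returned by decide() is what an access log would record, which lets a reviewer separate routine role-based access from approved exceptions.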
To learn more about Just In Time Access and how to determine the right access management policies for your organization, we recommend reading the ebook Just in Time Access: A More Secure Approach to Special-Case Access Needs that Fall Outside of RBAC & ABAC Policies.