Tuesday, March 30, 2010

Cleanup by role modeling of Entitlements

In the past 5 years I have been involved in many deployments of identity management, role and compliance projects.
Also, being part of the sales team, I was exposed to the latest requests of potential customers.

My first observation is that the role management concept has been well absorbed and that customers and security administrators are now focusing on best practices and use cases.

In this post I would like to discuss the cleanup of entitlements.

Once you have imported your data from your systems and added your business HR data, you can start reviewing the data and cleaning up your entitlements.

Cleanup can be a painful process, since we need to review millions of access rights. Therefore, a well-defined process can ease the cleanup project and make it efficient and easier to control.

The first step should be “ALLOCATE REDUNDANT OBJECTS”.

In this step you can easily identify all the objects that are not provisioned to anything, such as:

a. Accounts that are not linked to any resources or group

b. Groups that are not linked to any account

c. If you are handling a role-based system such as RACF, Top Secret, ACF2, SAP, ORACLE etc., you can identify roles that are not linked to any account or resource.

This step is easy and quick and can be accomplished in a few hours per system.



Top Down Role Model for cleanup

In this phase you will use your role modeling tools (automated, I hope) to discover your initial Top Down role model. The purpose of this process is to quickly identify which entitlements fall outside the role model. Those entitlements will be used in the next step, the certification review of entitlements.



In the figure above, you can see the role model for the group of users with Title=Clerk.

The sub-group of users in the red box on the left hand side represents the users that have the resources that are in the red box on the left hand side.

This is the proposed role model (created in minutes or a few hours, using automated role discovery software).

The BLACK arrow represents a link to a resource that is out of the role model.

In this phase, only the links to resources that are outside the RED box should be reviewed.

We assume that the role model makes sense and that whatever is outside the role model should be reviewed and is a candidate for removal.
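The two steps above, "allocate redundant objects" and the Top Down role model, as an added example that is not from the original post: it finds accounts and groups linked to nothing, builds a per-title role from the resources most of that title's users hold (the 75% threshold and the sample accounts, titles and resource names are constructed assumptions), and lists each user's entitlements that fall outside the role, i.e. the candidates for certification.

```python
# Added example: orphan detection plus a simple top-down role model.
# All data below is constructed sample data, not from the original post.
from collections import Counter, defaultdict

# HR data: account -> job title
TITLES = {"alice": "Clerk", "bob": "Clerk", "carol": "Clerk", "dave": "Clerk", "erin": "Analyst"}
# Imported entitlements: account -> granted resources (groups)
GRANTS = {
    "alice": {"LEDGER_RO", "INVOICE_RW", "PRINT"},
    "bob":   {"LEDGER_RO", "INVOICE_RW"},
    "carol": {"LEDGER_RO", "INVOICE_RW", "PAYROLL_ADMIN"},  # PAYROLL_ADMIN: outside the Clerk model
    "dave":  {"LEDGER_RO"},
    "erin":  {"REPORTS"},
    "ghost": set(),                                          # account linked to nothing
}
# Every group defined on the system; OLD_APP is linked to no account
GROUPS = {"LEDGER_RO", "INVOICE_RW", "PRINT", "PAYROLL_ADMIN", "REPORTS", "OLD_APP"}


def redundant_objects(grants, groups):
    """Step 1: accounts with no entitlements, and groups no account is linked to."""
    orphan_accounts = sorted(a for a, res in grants.items() if not res)
    used = set().union(*grants.values())
    orphan_groups = sorted(groups - used)
    return orphan_accounts, orphan_groups


def top_down_model(titles, grants, threshold=0.75):
    """Step 2: per title, a resource joins the role if at least `threshold`
    of the users with that title hold it (the threshold is an assumption)."""
    members = defaultdict(list)
    for acct, title in titles.items():
        if acct in grants:
            members[title].append(acct)
    model = {}
    for title, accts in members.items():
        counts = Counter(r for a in accts for r in grants[a])
        model[title] = {r for r, n in counts.items() if n / len(accts) >= threshold}
    return model


def out_of_model(titles, grants, model):
    """Entitlements outside the user's role: what goes to self/manager certification."""
    result = {}
    for acct, title in titles.items():
        extra = grants.get(acct, set()) - model.get(title, set())
        if extra:
            result[acct] = sorted(extra)
    return result
```

With this data only alice's PRINT and carol's PAYROLL_ADMIN are sent for review; the role itself is left alone.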

Self Certification

In this phase, use a certification portal (if you do not own one, you should, since certifying by email or spreadsheet files is not the way to continue) and send only the entitlements that are OUT of the role model for Self-Certification.

The employees know best which access rights they carry but no longer need, since those rights were used in a previous job function.

Apply all requests to revoke access rights.

Managers Certification

After the “Self Certification” phase, reload a fresh import of the current access rights and send only the entitlements that are OUT of the role model to the managers for certification.



Apply all requests to revoke access rights.

Compliance rules

If you have compliance rules (Segregation of Duty rules) that you want to apply, you can apply them now and use the results for cleanup.

In many cases customers are not ready with SoD rules, and therefore I will discuss this in a separate article.