Enterprise Role Management, any good?
If you follow Identity Management and have been awake recently you'll have seen the buzz around the Vaau "intent to acquire" made by Sun; if not, check here. I had the privilege to work alongside Vaau on a proof of concept recently for a major UK retail financial institution. This particular prospect had requirements for Identity, Access and Role Management and had selected Sun and another vendor.
The requirements were pretty typical these days, I'd guess, and an increasing number of deals are mandating that RBAC be included in their product evaluation criteria:
- User Onboarding using complex rule based provisioning
- Approval based User provisioning
- User Certification
- Audit & Reporting
- Role Mining and Role Management
So what do Role Mining and Role Management actually mean?
In we went with the Vaau RBACx product and Sun Identity Manager version 7.1. First steps were to integrate the two products; Tomcat was selected for ease and speed of installation as the web container for the two products. In little more than a couple of hours we had both RBACx and Identity Manager products up and running on good old :8080.
Integration between the products is simple and effective (most things worth their salt are, aren't they?) using SPML SOAP calls to pass information relating to Users, Roles and Role Membership between RBACx and Identity Manager. Here's a rough stab at the methodology assumptions in place:
- Build an Identity Warehouse containing users and their access to all critical applications (both managed and non-managed systems)
- Launch certification and audit (continuous monitoring)
- Start deployment of IdM solution (unless one exists already)
- Perform Role Engineering in RBACx (using a hybrid approach, both top down and bottom up)
- Require Manager sign-off on candidate Roles
- Assign Role Owners to Roles
- Export roles into the Sun IdM solution
- Perform continuous role management
The sample data set provided by the customer wasn't extremely large and contained pretty well uniquely defined roles, such that, say, the HR extract contained 50 records per business unit and each User within the BU had a distinct job function. This made mining on HR data pretty pointless for the product eval since we'd have ended up with 50 Roles and 50 Users; it was the ability of the product to aggregate the data provided (remember it's just a test and not a complete set of user attributes). So we performed the Role Mining based upon business unit and not solely the HR data. This worked extremely well, identifying the Roles and User Role Memberships, exporting this information into Sun Identity Manager using the SPML protocol and then re-provisioning any Users whose current resource account entitlements differed from what was certified within the Enterprise Role Management tool.
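The mining choice described above, as an added example (not code from RBACx, Sun Identity Manager or the original post): grouping by job function yields one role per user, grouping by business unit yields shared roles, and a drift check lists accounts whose entitlements differ from the certified role. The user records, attribute names and entitlement strings are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (assumption, not the customer's extract): every
# user in a business unit has a distinct job function, as in the post.
USERS = [
    {"id": "u1", "bu": "Retail", "job": "Teller", "ents": {"mail", "crm:read", "till:use"}},
    {"id": "u2", "bu": "Retail", "job": "Branch Manager", "ents": {"mail", "crm:read", "till:use", "till:override"}},
    {"id": "u3", "bu": "Retail", "job": "Cashier", "ents": {"mail", "crm:read", "till:use"}},
    {"id": "u4", "bu": "Finance", "job": "Accountant", "ents": {"mail", "ledger:read", "ledger:post"}},
    {"id": "u5", "bu": "Finance", "job": "Auditor", "ents": {"mail", "ledger:read", "hr:read"}},
]

def mine_roles(users, key, threshold=1.0):
    """Bottom-up mining: group users by `key`; a candidate role keeps the
    entitlements held by at least `threshold` (fraction) of the group."""
    groups = defaultdict(list)
    for user in users:
        groups[user[key]].append(user)
    roles = {}
    for name, members in groups.items():
        counts = Counter(e for m in members for e in m["ents"])
        roles[name] = {
            "members": sorted(m["id"] for m in members),
            "entitlements": {e for e, n in counts.items() if n / len(members) >= threshold},
        }
    return roles

def entitlement_drift(users, roles, key):
    """List accounts whose actual entitlements differ from the certified role."""
    report = {}
    for user in users:
        certified = roles[user[key]]["entitlements"]
        extra, missing = user["ents"] - certified, certified - user["ents"]
        if extra or missing:
            report[user["id"]] = {"extra": sorted(extra), "missing": sorted(missing)}
    return report

if __name__ == "__main__":
    by_job = mine_roles(USERS, "job")   # one role per user: nothing aggregated
    by_bu = mine_roles(USERS, "bu")     # one shared role per business unit
    print(len(by_job), "roles by job function;", len(by_bu), "roles by business unit")
    for uid, delta in entitlement_drift(USERS, by_bu, "bu").items():
        print(uid, delta)
```

Lowering `threshold` below 1.0 admits entitlements held by only part of the group, which is where "missing" entries start to appear in the drift report.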
Both tools worked extremely well together, non-intrusive, easy to configure, both web based and both responsible for their own domain within Identity Management. With the pending acquisition of Vaau and their RBACx product Sun will become well placed to chase the pure-play User & Role Certification opportunities currently out of their reach.
For more information on RBACx and Sun Identity Manager check out this link
Posted at 07:09PM Nov 27, 2007 by Paul Walker in Sun
Try out glassfish! You will be impressed - imho.
Posted by Jim H on November 28, 2007 at 07:46 PM CET
Hi Jim, yes you're right Glassfish is great, problem was that the Vaau RBACx product only deploys (at the moment) on Tomcat...
Posted by Paul Walker on November 28, 2007 at 08:31 PM CET