Role Based Provisioning

Large organizations employ thousands of people with ever changing needs to access devices, applications and information. Most of the access requirements are driven by an individual’s roles and responsibilities, which keep changing overtime due to promotions, shifts in geography and attrition. The need of the hour is for organizations to provision systems securely and efficiently and also de-activate them based on requirements.

Role based provisioning aims at providing a user access to specific data and applications based on his role. It is an automated selective process with varying levels of access provisions based on how senior or powerful the person’s role in the organization is.

Why is Role Based Provisioning Important?

Consistent access to data, applications and enterprise resources is a key lever for all employees to execute their job responsibilities properly. However, as an organization grows, the systems, processes, applications and interfaces also grow exponentially. So does the information that is generated and shared across various levels. It becomes extremely important to control and monitor what application and information is accessed by people across the organization. The risks of un-authorized access are immense, ranging from theft of important corporate data or consumer data to deliberated attacks on the IT infrastructure of the organization by unscrupulous elements. The damages caused by such attacks are serious, many of them leading to loss of revenue and reputation. It might also lead to breach of security compliance issues creating a regulatory nightmare for the enterprise. In some cases, it can very well lead to legal suits filed by angry customers whose confidential data might have been leaked or stolen from the organization’s databases. The downside is endless.

On the other hand, if users are not provisioned effectively, lack of access to critical resources essential for work can lead to a huge loss of productivity. If they are not de-provisioned properly after the employees leave the organization, there is a risk of unauthorized access to important data and resources which can be a serious risk to IT security.

What are the Components for a Role Based Provisioning to Succeed

For any role based provisioning to succeed, its essential that applications protocols do not just capture the details of people and their designation, but also their business role, and details about what kind of applications, data or information he must be able to access. It is essential to know the business context of the user.

An effective role based provisioning platform should have the following components

• Provisioning platform(Pp) – It fetches data from the source system( usually the HR system) and automatically creates accounts on a target system. The Pp keeps verifying the target system accounts against the source and whenever there are changes to the source system in case of users leaving or change of role etc. ,this system automatically removes the user access privileges.
• Role management platform – It organizes the rights of access for users on the basis of similar responsibilities in other departments across the enterprise. This is done on the basis of the company’s own process where roles might have formalized job codes with specific system access rights and security levels. The users access permissions keep changing with his roles.
• Access management platform – It allows the enterprise wide single sign in for access to resources
• Portal – Portals make use of the access management platform for the authentication and authorization of users and create personalized interface for the user which displays only the data and application that the user can access.

How Effective is Role Based Provision for Identity Management

Role based provisioning is an integral part of identity managemen . It is the first stage in the 5 stages that constitutes the Identity and access management life cycle – Provision/ De-provision, Enforce, Report and audit, Review and certify, and reconcile, which completes the process of granting access after a request has been received. It makes the whole process of identity and access management very effective by streamlining one of the most dynamic areas in the process, keeping track of the continuously changing roles and user profiles in an enterprise.