The term «role» stands for the function played by someone or something. In an enterprise context, a «role» is the set of permissions that a user needs to do their job. A well-designed role should map to a category or responsibility (for example, room clerk, hiring manager or archivist) and be named accordingly.
Nevertheless, there is no single way to manage role definition and assignment. These are some typical ways to accomplish this task, and how Soffid IAM helps to get it done.
1-IT department managed:
This is the most common model: IT staff manage employees' roles directly from the administration console. From this console, IT managers can manipulate identities and roles, regardless of each application's technology platform.
With this model, Soffid IAM simplifies role management, and security administrators do not need to care about the technological characteristics of each information system.
Additionally, support teams have a system that shows them the relevant information for each user, such as the validity status of passwords, authorized roles and recently opened sessions.
While these benefits are substantial, most organizations do not stay in this model; rather, they move towards models that allow better alignment with the company's policy and strategy.
2-Human Resources Centralized Model:
In organizations with good human resources management, the straightforward way is to integrate the HR information system with Soffid IAM for the creation, administration and management of identities, roles and procedures for all employees of the company.
Such integration can be fully automatic or semi-automatic, depending on how well the theoretical and actual functions of employees are aligned.
For semi-automatic integrations, Soffid IAM requires the intervention of the operating unit managers to validate or refine the effective authorizations that should be granted to the user, based on the information stored in the human resources system.
Given that Soffid IAM knows all the roles and authorizations and their managers, it can determine in each case which person or group of persons must carry out these semi-automatic tasks, managing their portfolio of pending tasks and notifying them via email.
This way, the company gets to involve the operating units in security functions without taking unnecessary risks. As an immediate outcome, system security increases while operating costs decrease.
In today's organizations, the concepts of user and employee are no longer necessarily bound. IT users may be employees, subcontractors, service providers or even customers.
In these complex structures, the identity management system cannot blindly trust the human resource management system. It requires that business unit managers deal with the identities and roles of their customers and suppliers.
Additionally, there is the possibility of allowing third parties to use Soffid IAM to manage their own workforces, within the scope of the tools and business applications they need.
In this model, Soffid IAM precisely controls which permissions each operating unit manager can assign and which set of users they can act upon. Additionally, Soffid IAM makes it possible to require strong authentication mechanisms or electronic signature, so that allowing external staff to access a critical system does not increase security risk.
4-Separation of duties:
Information security best practice guidelines call for separation of duties enforcement, so that no operation that could potentially damage the company can be carried out by a single person.
Soffid IAM achieves this objective by clearly separating user registration and role assignment tasks. It allows the creation of user registration agents for organizational units and security managers for each affected information system, so that the registration of a new user is done in four steps:
1. Registration staff enter the basic data of the new user, either directly or through the human resource management system.
2. Soffid IAM determines which authorizations should be assigned to the user. It creates the corresponding authorization tasks, assigned to the security officers of each affected information system.
3. Security officers approve, change or refuse the proposed authorizations.
4. Soffid IAM makes the resulting authorizations effective.
There is no single identity management model, but rather a set of good practices that may or may not apply to each organization. Soffid IAM is a very powerful identity management tool that enables the organization to advance towards continuous information security improvement, thanks to its ability to adapt to the different identity management models.
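The four-step workflow above, modeled as a small added Python example (not Soffid's own code); the system names, officer accounts and job-to-role rules are constructed for illustration, and the separation-of-duties check is the point: the registrar who entered the user can never approve the resulting authorizations, and only the officer of the affected system can.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from Soffid): the security officer
# responsible for each information system, the system each role belongs to,
# and the roles an HR job title proposes for a new user.
SYSTEM_OFFICER = {"ERP": "erp_officer", "Mail": "mail_officer", "DMS": "dms_officer"}
ROLE_SYSTEM = {"accountant": "ERP", "mailbox": "Mail", "archive_reader": "DMS"}
JOB_ROLES = {
    "room clerk": ["mailbox"],
    "hiring manager": ["mailbox", "accountant"],
    "archivist": ["mailbox", "archive_reader"],
}

@dataclass
class Registration:
    user: str
    registrar: str            # registration agent who entered the user (step 1)
    tasks: dict = field(default_factory=dict)      # role -> officer who must decide
    decisions: dict = field(default_factory=dict)  # role -> "approved" | "refused"

def register(user: str, registrar: str, job: str) -> Registration:
    """Steps 1-2: record the new user and create one authorization task per
    proposed role, routed to the security officer of the affected system."""
    reg = Registration(user, registrar)
    for role in JOB_ROLES.get(job, []):
        reg.tasks[role] = SYSTEM_OFFICER[ROLE_SYSTEM[role]]
    return reg

def can_decide(reg: Registration, officer: str, role: str) -> bool:
    """Separation of duties: the registrar never approves what they registered,
    and only the officer the task was routed to may decide on that role."""
    return officer != reg.registrar and reg.tasks.get(role) == officer

def decide(reg: Registration, officer: str, role: str, approve: bool) -> None:
    """Step 3: the responsible officer approves or refuses one proposed role."""
    if not can_decide(reg, officer, role):
        raise PermissionError(f"{officer} may not decide on role {role!r}")
    reg.decisions[role] = "approved" if approve else "refused"

def effective_roles(reg: Registration) -> list:
    """Step 4: only approved roles become effective; pending and refused ones
    are never granted."""
    return sorted(r for r, d in reg.decisions.items() if d == "approved")
```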