RBAC is not designed to support the Real World of huge organizations

[OIBAC]

For about 9 years now, as consultant and expert in Identity and Access Management, I had the opportunity to analyze functional requirements of about 8 huge national and 6 multinational companies.

My customers were CTOs but it was systematically necessary to sell projets to CFOs, COOs and members of the Board.

The requirements of these top level managers were focused on : how is it possible to support the corporate and the operational organization, how to manage key people, merges and sales of enterprises, operational and functional structures, access to corporate systems from all over the world, compliance.

All these aspects were directly or indirectly linked to IAM, or it was necessary to find the right answer to have funds  .

Some of these organizations have now the right level of maturity, due to years of IAM projects. They came to the conclusion that RBAC is not aligned with their Real World  .

Actual ERM solutions that are based on the RBAC model have significant functional limitations on three main aspects :
1) multiple models of structure that coexist in huge organizations  ,
2) multiple workforce models, especially those that do not use "Roles" but "Processes", "Activities", combinations of "Activities and Roles"  ,
3) recurrent change of structures  .

They correspond to the first step toward a full alignement of IAM with the Real World of huge entreprises.

Lovcen 

[Forum Admin]

OIBAC

I wholeheartedly agree that to automatically assume that one model will fit all scenarios is a call for failure.  To be clear, we're talking about ROLE exchange here rather than RBAC exchange.  I don't believe it makes sense to be too focused on the model itself, better to allow for an extensible approach that can be used to capture the model restraints of the 359 standard BUT at the same time, to allow "softer" role model structures to be described, exchanged and operated upon as well. This is obviously very doable within the bounds of a single specification/standard.

I'd love to hear more about your experiences with large role projects and what/which use cases around role exchange you'd see as most valuable.

Regards
Darran

[OIBAC]

The are some facts to consider :
1) there is an "RBAC flavor" all over the Market and in your site itself  ,
2) leading IAM solutions support flat and symmetric RBAC, and Role Exchange should consider this reality,
3) some huge orgs decommissionned IAM solutions after years of projects, to align Business Roles and fine coarse grain permissions that cannot be supported by IAM solutions. That's a second reality.

So, Open Role exchange initiative should :
1) be global and independant from role models, including ANSI INCITS that is one conception among several, and not the most flexible,
2) take in consideration the cooperation of these models.


OIBAC

[OIBAC]

To answer to your last mail about valuable experiences to share, I would talk about 3 huge role management projects.

1) 2002 - Telco operator, 11000 employees, a yearly 20% internal turn over, cross positions and recurrent change of internal structures.
The corner stone of the model that I designed for this customer in 2002, is the couple "employee-employment".
The employment is a micro-representation of the organization, based on all his attributes : organization, work unit, site, active or inactive roles, dates... and relationships to support dynamic change of structures. The questions of the customer were : Who is where in our changing organization ? and Who is granted to What ?
The challenges of this model were :
1) to exchange active roles to IAM platforms by using rules.
2) to externalize complex aspects of management of internal structures.


2) 2004 - investment banking institution. The model was implemented in an in house development integrated to Novell Identity Manager II and demonstrated, in 2005, with IBM Tivoli Identity Manager.

The concept of User was splitted into personal an operational identity with associations of type "1 to many".
Operational identities were designed to support several work force models corresponding to the business culture of european, asian and north american teams.
In this models, formal and unformal roles were used as a gateway to interface RBAC models.
Timescales and status were used to manage dynamic changes of role occupations.

3) 2006 - global financial institution.
There were some interesting aspects around in house development with a workflow engine (W4) :
- The concepts of multiple identities and business / technical roles were encapsulated in multi-model workflows.
- Automatic reconciliation of entitlements were performed with roles and specific demands of out roles entitlements. This exposes interesting questions about SOD.
- eTrust Admin was directly integrated to this workflow instead of the CA's IAM solution.

[yoyohh]

Are you bored of models who state they love aging gracefully and show some gray and yet love wow power leveling themselves, when all you can see is a slim body with tone skin and smooth wow power leveling hair texture, the beautiful face staring at you from a magazine page? You are always left wondering, how do they manage to look that good while you are struggling ironing those creases on your face. Well, it is not impossible to keep wow gold uk looking young and there is absolutely no problem in taking help to maintain your face looking its best.Food and lifestyle habits can make cheapest wow gold a great difference to your anti-aging cycle. The right lifestyle and some good anti-aging products can help you shed off age and even keep it far away. It simply means that now you can turn back time and not feel bad about it.Here are a few anti-aging products and processes that can erase age rapidly and gold for wow make you look years younger.