A well-designed roles program can help ensure that employees are granted the access they need to do their jobs – no more, and no less. Well-designed roles also simplify and streamline the administration of access, by grouping sets of access in a logical and intuitive way based on things like department, job function or title, region, or manager level.
Although every organization’s specific needs for roles will vary, some common elements of an effective roles program include:
A structure and naming convention that is user-friendly and intuitive to the business users who will work with roles
A model that is flexible and adaptable to inevitable changes in your organization (such as acquisitions, reorganizations, the onboarding of new systems, et cetera)
An awareness of “role explosion” – that is, the proliferation of very specific, narrowly-defined roles that can overwhelm your users and defeat the purpose of a roles program – as well as a plan to avoid role explosion.
Here are some simple best practices that can help as you create your organization's roles.
Cleanse Your Data Before You Begin
Roles are essentially collections of entitlements. Entitlements are tied to the ability to perform certain tasks (such as the ability to pay a vendor in the Accounting system, or the ability to approve a timesheet in the time tracking system), membership in a group, or access to sensitive applications and data. Users' permissions are determined by the entitlements they are granted by the roles they are assigned.
Before building your roles, ensure that both your entitlement and user data is clean and free of duplicate, incorrect, or stale information.
Tips for cleansing user and account data:
Remove or isolate data for permanently inactivated personnel
Identify and separate system/headless accounts
Remediate orphan accounts
Tips for cleansing entitlement data:
Before aggregating, evaluate your source applications for data that is obsolete, inaccurate, duplicated, or not relevant.
For existing entitlements, review the entitlement catalog for entitlements that are incorrect or obsolete. You can export data from your entitlement catalog to a CSV file for your governance team to review offline in a spreadsheet.
Your technical team can use rules and filters to clean up the entitlement catalog. These forum discussions include sample cleanup logic:
How you name and describe your roles can significantly impact the overall success of your roles program.
If role names and descriptions are not intuitive and meaningful, your users won’t fully understand the access they are asked to make a decision on. Consistent, meaningful names and descriptions help users quickly grasp important information about the roles they are assigning, approving, or reviewing.
Role mining is an IdentityIQ feature that lets you generate roles based on the access current employees already have. You can use role mining for both IT roles and business roles.
If you plan to use this feature, it is a good practice to perform role mining in a separate role mining sandbox environment, especially for large deployments. Performing role mining outside of the production environment ensures stability for your production environment, and reduces impact on day-to-day operations.
You can also discover roles in your organization using Access Modeling, powered by SailPoint Predictive Identity. Access Modeling can be used with both IdentityNow and IdentityIQ. Learn more about discovering roles.
Flag High-Risk Roles
Roles that grant users elevated privileges or access to sensitive data need to be managed more carefully than lower-risk roles. Identifying which roles are high-risk, and flagging this status to business users, helps ensure visibility during request, approval, and review processes.
The tagging feature in Identity Services lets you apply your business's well-known terms to important governance items, providing a simple and user-friendly way to identify high-risk access. Learn more about Tagging in IdentityNow.
IdentityIQ 8.1 includes a classifications feature that provides a simple, lightweight way to flag roles. You can implement your own custom classifications, import them from an outside system, and/or integrate with File Access Manager to use its classifications. You can configure access reviews (as well as access requests and approvals) to flag classified roles with a special icon, so that the users responsible for making access decisions can quickly and easily see which roles allow potentially risky access. Learn more about classifications in IdentityIQ 8.1
With IdentityIQ 8.1, File Access Manager users can integrate IdentityIQ and File Access Manager to aggregate classification data from File Access Manager and associate it with roles and entitlements. Learn more about integrating IdentityIQ with File Access Manager. Learn more about integrating IdentityIQ with File Access Manager.
If you’re using a previous version of IdentityIQ, you can use extended attributes for roles to add custom attributes that track risk level. You can use these attributes for searching and filtering in your certifications and access reviews. Learn more about extended attributes in IdentityIQ.
Identify Entitlements That Don’t Belong in Roles
Not everyone and everything needs a role. It is almost impossible to entirely avoid assigning some entitlements individually, especially when managing highly specialized access in departments such as IT. Don’t assume you have to force all entitlements and all access models into roles; this can quickly lead to role explosion.
Certify Role Composition Before Assigning Roles
Roles should be certified by business experts to validate that they comprise the correct, expected access. Accurate and up-to-date roles lets you be confident that your reviewers are evaluating correct access information in their reviews. In IdentityIQ, you can use the Role Composition certification to verify that your roles include the right permissions and entitlements.Learn how to certify the contents of a role.
