Role Management and eSSO vendors – a call for action
Part of a successful Identity Management (IdM) project is a successful role discovery and mapping phase. Many organizations, after having mapped and optimized their business processes, turn to role design and management solutions (VAUU RBACx, BHOLD, Oracle’s BridgeStream, and others). While these solutions give a great initial insight into the existing role structure, they are not the only source of role interrelationship information. Role design can build on many other sources: demographics mined from helpdesk tickets from users requesting access, job descriptions, quality management systems (in certain cases this is wishful thinking…), and increasingly from Enterprise or Desktop eSSO solutions (PassLogix, ActivIdentity, CA). eSSO solutions store multiple login credentials for users to multiple applications. As such, extracting account linkage, and mapping and correlating user IDs between user repositories based on access information built up by end-users, is much more reliable than any artificial role mining logic, which is usually based on user repository attributes. This user mapping data could then be used as the starting point of role discovery – maybe even on a periodic basis. There is one technical problem today: smart data interchange between role mining and eSSO products does not exist.
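As an added illustration (not part of the original post, and not any vendor's actual export format), the Python sketch below assumes a hypothetical eSSO export reduced to user/application/account triples with the stored secrets stripped out, and shows the two steps the post describes: correlating per-application account IDs back to the enterprise identity, and using the resulting access sets as a first cut of candidate roles.

```python
from collections import defaultdict

# Constructed sample data: a hypothetical eSSO credential-store export reduced to
# account linkage only. Passwords and other secrets are deliberately absent; an
# interchange format for role mining never needs them.
ESSO_EXPORT = [
    # (enterprise user id, application, application account id)
    ("jdoe",   "SAP",       "DOE_J"),
    ("jdoe",   "Siebel",    "john.doe"),
    ("jdoe",   "AD",        "CORP\\jdoe"),
    ("asmith", "SAP",       "SMITH_A"),
    ("asmith", "Siebel",    "anna.smith"),
    ("asmith", "AD",        "CORP\\asmith"),
    ("bwong",  "SAP",       "WONG_B"),
    ("bwong",  "AD",        "CORP\\bwong"),
    ("bwong",  "Mainframe", "BWONG01"),
    ("cpark",  "AD",        "CORP\\cpark"),
    ("cpark",  "Mainframe", "CPARK02"),
    ("dlee",   "AD",        "CORP\\dlee"),
    ("dlee",   "Mainframe", "DLEE03"),
]


def account_linkage(export):
    """Map each enterprise user to its application accounts: user -> {app: account}."""
    linkage = defaultdict(dict)
    for user, app, account in export:
        linkage[user][app] = account
    return dict(linkage)


def reverse_index(linkage):
    """(app, account) -> enterprise user, so an account seen in an application's own
    user repository can be tied to an identity without attribute-matching guesswork."""
    return {(app, acct): user
            for user, apps in linkage.items() for app, acct in apps.items()}


def candidate_roles(linkage, min_members=2):
    """Group users by their exact set of applications; every group reaching
    min_members is a candidate role for the role-discovery phase to refine."""
    groups = defaultdict(list)
    for user, apps in linkage.items():
        groups[frozenset(apps)].append(user)
    return {apps: sorted(users) for apps, users in groups.items()
            if len(users) >= min_members}


if __name__ == "__main__":
    link = account_linkage(ESSO_EXPORT)
    for apps, users in candidate_roles(link).items():
        print(sorted(apps), "->", users)
```

Re-running this over a fresh export gives the periodic re-discovery the post mentions; singletons that fall below `min_members` are the users worth reviewing by hand.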
This post is a call for action for eSSO and role mining vendors to build these crossroads and help end users’ struggles with defining provisioning roles in large organizations.