
Human Resources have a vital role to play within employee identity and access management

Dale Young, Senior Consultant, Insight Consulting

November 2004 Network Security 5

ACCESS MANAGEMENT

While most organizations view security as ‘keeping the bad guys out’, Identity and Access Management (IAM) approaches security from the opposite direction – focusing on how to securely let business in and control application access to internal employees, external customers and business partners.

Identity Management (IDM) is a broad, administrative area that deals with identifying individuals (identities) and controlling their access to resources, services and systems, whereas Access Management (AM) defines the set of rules required to control and allow individual access to internal or external systems.

Many organizations are implementing IAM solutions for greater security, improved efficiency, reduced costs, maintaining data quality and regulatory compliance. Human Resources (HR) can play a vital role in the enablement of effective employee IAM by utilising existing HR functions to provide tighter application security, rapid user provisioning and de-provisioning and privilege entitlement.

Introducing an HR-led, role-based employee IAM solution can also significantly reduce administration overhead, streamline business processes and help further enforce security policy for IT systems. But is the HR department aware of this?

Life-Cycle Management

HR departments currently face a range of business challenges that include increasing value-added service while reducing costs; streamlining business processes; enhancing service quality; and meeting the changing, increasing demands and expectations of a diverse employee population (e.g. job applicants, new hires, line managers, retirees).

Most HR systems today have built-in life-cycle management capabilities that help businesses support employees through every phase of their service within the organization – from recruitment through training, development, and staff retention.

Some HR systems understand the concept of business roles and associate specific functions to them. A role is typically related to a job or business function within an organization or a business relationship. Examples include Administrator, Sales Manager, Consultant or Engineer.

An employee can then be associated to one, or more than one, business role throughout their employment, e.g. change of business role, moves to different departments, promotion or demotion, etc.

However, most HR systems consider roles as merely a one-to-one mapping to an employee’s job title and never consider the value that roles can introduce to other areas of the business.

HR systems can also distinguish between real employees and contractors (employee-type). This is sometimes represented in an HR field with a value of employee and non-employee.

Life-event changes

Many HR systems have built-in life-event or status values. Each status value means something to the HR team. Examples could be present or active for current, employed personnel and, for those that have left, the value could be removed or inactive.

Picking up on these employee life-event changes, employee types and associated business roles is very useful for a comprehensive IAM solution. But is there a natural linkage between what HR know about an identity/role, and what electronic or asset resources and privileges that identity/role should have?

Life outside HR

A typical scenario we see with many customers is thus: employees enter into the HR system and then a manual process or ‘paper chase’ occurs whereby manual provision of desktop logins, server space, laptops, file systems, etc, begins. Employees eventually get the resources they require to do their jobs.

Figure 1: Current Employee Life-cycle - Access to Accounts

What we are finding, as Figure 1 depicts, is that as more life-event changes occur within HR, employees and non-employees are never losing their electronic privileges (open user accounts, group memberships), assets (mobile phone), etc when they should. In practice, an employee gains more and more privileges throughout their company life and only ever relinquishes them (but not necessarily all) once they have left the organization.

This results in many issues including:

• Open access to privileges that the user may no longer require.
• Orphaned accounts in target systems.
• Administrative overhead in cleaning up systems.
• Assets not returned when the user no longer requires them.
• IT roles and permissions have no relation to HR roles.
• Difficulty in determining a common provisioning policy for employees and contractors.

By introducing an effective IAM solution based upon these HR events and role values, organizations can quickly clear up a lot of the inefficiency in the current hand-off between HR and IT.

HR and IAM solutions fit hand-in-hand

Role-based Access Control (RBAC) is the preferred solution for cross-platform access management. Since many employees need the same, or similar, authorizations to perform their tasks, this considerably reduces administration effort.

RBAC is a reference model for designing access control systems using a role-based approach and which adopts the following concept:

• Users are assigned to roles based on their responsibilities in the organization.
• Roles are mapped to IT system-specific tasks through permissions.
• Permissions comprise access modes and operations to one or more system resources.

Thus, through the chain user–role–permission, the user gains the access rights to system resources that are needed to perform the job function modelled through the role.

The use of roles permits access rights to be administered in business terms rather than in IT terms. Consequently, access management can be performed by people who understand which roles are necessary for a user, e.g. HR personnel, rather than by technical IT staff. The role-based approach to privilege management allows for the separation of user administration and access rights administration.

User administrators only need to know the users’ roles (their job functions); they do not need to know about each role’s permissions and rights on the IT systems in the enterprise. Conversely, role administrators define permissions and IT system rights for each role; they do not need to know which users have which roles.

Because roles evolve from business semantics, they are not limited to specific IT systems, but have a cross-platform meaning that combines users and permissions in many systems.

Using business semantics as the basis for granting access rights allows organizations to abstract away from a particular IT system’s access model. Roles are derived from business processes in a top-down fashion. As they are based on business processes, they are not as likely to change as frequently as users do.

Figure 2: An example Role Hierarchy diagram


Role hierarchy

A role can represent a single task in an enterprise that has specific access rights. However, it is also useful to build roles that correspond to a user’s job description, which can consist of many tasks. Some systems also support the concept of role hierarchies, where roles that correspond to job descriptions in turn can contain roles that correspond to single tasks and aggregate their access rights.

Senior roles with extended rights can be defined on the basis of existing roles. A hierarchy of junior roles and senior roles can be defined where the senior roles aggregate the permissions of their assigned junior roles. In this way, basic roles can be defined and used in more complex roles. This hierarchy helps to maintain clarity in the structure of roles and to simplify role assignment.
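The user–role–permission chain and the role hierarchy described above, as an added example that is not code from the article or from Insight Consulting. It shows the two separated administration duties the article names: a role catalogue (maintained by role administrators) in which senior roles aggregate the permissions of their junior roles, and a user-to-role assignment (maintained by user administrators such as HR) that never mentions IT rights directly. The catalogue contents, user names and resource names are constructed for illustration; only the Manager permissions (application, desktop login, email, sales database) and the Manager / Sales Manager role names come from the article's scenario.

```python
"""
RBAC with a role hierarchy: user -> role -> permission, where senior roles
aggregate the permissions of their assigned junior roles.

Added example, not code from the article or from Insight Consulting.
The role catalogue, users and resource names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str   # target resource, e.g. "sales-db"
    mode: str       # access mode / operation on it, e.g. "read", "write"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)  # granted directly to this role
    juniors: set = field(default_factory=set)      # names of junior roles aggregated


# Role catalogue (constructed). Role administrators define permissions per
# role; they do not need to know which users hold the role.
ROLE_CATALOGUE = {
    "Employee": Role("Employee", {
        Permission("desktop-login", "use"),
        Permission("email", "use"),
    }),
    "Manager": Role("Manager", {
        Permission("application", "use"),
        Permission("sales-db", "read"),
    }, juniors={"Employee"}),
    "Sales Manager": Role("Sales Manager", {
        Permission("sales-db", "write"),
        Permission("sales-reports", "approve"),
    }, juniors={"Manager"}),
}

# User-to-role assignment (constructed). User administrators, e.g. HR, only
# need to know a user's job function, not the IT rights behind it.
USER_ROLES = {
    "steve": {"Manager"},
    "alice": {"Sales Manager"},
    "bob": {"Employee"},
}


def effective_permissions(role_name, catalogue=ROLE_CATALOGUE):
    """Permissions of a role plus everything aggregated from its junior roles.

    Walks the hierarchy iteratively and remembers visited roles, so a
    mis-authored catalogue containing a cycle cannot loop forever.
    """
    resolved = set()
    seen = set()
    todo = [role_name]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        role = catalogue.get(name)
        if role is None:
            raise KeyError(f"role {name!r} not in catalogue")
        resolved |= role.permissions
        todo.extend(role.juniors)
    return resolved


def user_permissions(user, user_roles=USER_ROLES, catalogue=ROLE_CATALOGUE):
    """Follow the chain user -> roles -> permissions for one user."""
    perms = set()
    for role_name in user_roles.get(user, ()):
        perms |= effective_permissions(role_name, catalogue)
    return perms


def can_access(user, resource, mode, **kw):
    """Authorisation decision: does any of the user's roles grant (resource, mode)?"""
    return Permission(resource, mode) in user_permissions(user, **kw)


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted((p.resource, p.mode) for p in user_permissions(u)))
```

The hierarchy is resolved at decision time rather than copied into each senior role, so a change to a junior role (say, adding a permission to Employee) reaches every senior role on the next evaluation, which is the maintenance benefit the article attributes to role hierarchies.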

Typical employee life-cycle scenario

Joiner – Steve joins Company X and is granted the role Manager. Within the role catalogue, the Manager role is allowed the permissions: application, desktop login, email account and access to the sales database. Based on his HR life-event status, e.g. active, Steve will automatically be granted access to the appropriate systems.

Mover – Steve moves from the Manager role to the Sales Manager role. This automatically grants him additional privileges. Based on the role catalogue, Steve could also lose other previously subscribed rights automatically.

Sabbatical – As Steve is on sabbatical for six months, he no longer needs access to resources. These should not be removed, however – simply locked to ensure access security.

Leaver – When Steve leaves the organisation, all accounts owned by Steve are immediately and automatically locked and removed at a later date. This enforces any security policy in place and disallows Steve from maliciously accessing those resources.

The key to map this example scenario to a business is as follows:

• Document and use the employee HR life-cycle as a trigger to create and remove operations within the IAM space.
• Document and use the employee HR life-event as a trigger for locking accounts that should not be open.
• Document and use the employee HR roles within HR to build a role catalogue which can be used to assign and remove privileges (IT and non-IT).

Recommendations

For those currently thinking about implementing an employee IAM solution, the following recommendations (not exhaustive) will allow organizations to leverage existing HR business process to achieve successful project realisation:

• Get HR buy-in from the start of any IAM project – the HR life-cycle process is key to effective employee Identity Management.
• Understand the HR life-cycle model including life-event and hook this into the IAM solution – e.g. simple transparent provisioning can be provided for all employees and approval provisioning for non-employees.
• Look at mapping business roles to IT resources and assets either through role-mining or role-engineering to construct a role catalogue.
• Introduce simple roles to start with, e.g. employee and non-employee, and assign common privileges to these roles.
• Consider what resources may require approval and those that do not and build these into the role catalogue.
• Consider introducing non-IT related resources, e.g. assets, into the role-permission model.

Conclusions

Employee IAM solutions need to identify the authoritative source for identity information; this is typically found within HR. Within HR there is also useful data such as employee types, status values and role information.

By getting HR buy-in at the beginning of the project, and leveraging HR life-cycle and life-events, this can significantly reduce an IAM project life-cycle as the data and structures are already used within the business.

Further introduction of a role-based employee IAM solution can significantly reduce administration overhead, streamline business process and help enforce security policy for IT systems within the IAM project remit.

About the author

Dale Young is a Senior Consultant within Insight Consulting, working within the Identity and Access Management (IAM) team. He has ten years’ experience in delivering complex Directory, Meta Directory and IAM solutions globally.

Figure 3: Role Based Access Management – Access to Accounts