The roles revolution
As the number of users increased, it became harder for system administrators
to manage each user's individual permissions. One day, someone had a bright idea:
what if we gave salespeople access to the system based on their job rather than
on their user name? It would be far easier to manage access through a limited
number of roles than through every individual user. Role-based access control
was a major step forward, organizing and streamlining access to computer
systems.
The equation changed: a thousand users hold 50 distinct jobs, so 50 roles, each
with its associated permissions, cover them all.
That looks pretty good, right? Much more manageable and auditable. And if a
user changes jobs — or takes over someone else’s duties — they could be
assigned more than one role, but we still only need 50 roles.
How Access Control Got Messy
In theory, at least, roles were a huge step forward. But like many good ideas,
this one is tricky to maintain, and today, at many companies, there are once
again almost as many roles as there are users.
How did access control get messy again? There are at least five contributing
factors:
Every user is different
Virtual things are hard to track
IT and business don’t speak the same language
Exceptional circumstances dictate exceptional access
Large scale increases complexity
In the next few sections, we look at each of these factors in more detail.
Every user is different
Going from 1000 users to 50 roles sounded pretty good. But then, as life would
have it, one salesperson needed a little more access than another. And one
accounts payable clerk needed slightly different access from another. Over
time, the number of roles crept up to close to 900 roles for 1000 users, and a
lot of those roles were similar, but not exactly the same. Now in walks the auditor,
and the job of seeing whether duties are properly segregated just got a whole
118 Part II: Diving into GRC
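As an added illustration (example code, not from this book), here is a small
Python model of the situation described in "The roles revolution" and "Every
user is different": users hold one or more roles, roles grant permissions, and
an auditor checks segregation of duties against the union of every role a user
holds, not against any single role. The company, users, roles, permission names
and the two segregation-of-duties rules are all constructed for the example. It
also shows the cheap check a practitioner runs to spot role drift: measuring how
much near-identical roles overlap.

```python
"""Toy RBAC model with a segregation-of-duties audit and a role-drift check.

All roles, users, permission names and SoD rules below are constructed for
this example (a hypothetical company); they are not from the book.
"""
from itertools import combinations

# Role -> permissions. "ap_clerk_plus" and "sales_rep_discount" are the kind of
# near-duplicate roles that appear when one person "needs a little more access".
ROLE_PERMS = {
    "sales_rep": {"crm:read", "crm:write_opportunity", "quote:create"},
    "sales_rep_discount": {"crm:read", "crm:write_opportunity", "quote:create",
                           "quote:discount_approve"},
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_clerk_plus": {"vendor:create", "invoice:enter", "payment:release"},
    "ap_approver": {"invoice:approve", "payment:release"},
    "auditor": {"ledger:read"},
}

# User -> roles. A user may hold several roles (e.g. after taking over duties).
USER_ROLES = {
    "alice": {"sales_rep"},
    "bob": {"sales_rep_discount"},
    "carol": {"ap_clerk"},
    "dave": {"ap_clerk_plus"},            # one role quietly grants both sides of a toxic pair
    "erin": {"ap_clerk", "ap_approver"},  # two individually harmless roles, toxic together
    "frank": {"auditor"},
}

# Segregation-of-duties rules: no single person may hold both permissions of a pair.
SOD_RULES = [
    ("vendor:create", "payment:release"),   # create a fake vendor and pay it
    ("invoice:enter", "invoice:approve"),   # enter an invoice and approve it yourself
]


def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMS[role]
    return perms


def sod_violations(user):
    """SoD rules the user breaks, judged on effective (combined) permissions."""
    perms = effective_permissions(user)
    return [rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms]


def audit_sod():
    """Map of user -> violated rules, for users with at least one violation."""
    report = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            report[user] = violations
    return report


def near_duplicate_roles(threshold=0.6):
    """Pairs of roles whose permission sets overlap by Jaccard similarity >= threshold.

    High overlap is the signature of role drift: roles cloned and tweaked for
    one user instead of modelling the job once.
    """
    pairs = []
    for a, b in combinations(sorted(ROLE_PERMS), 2):
        pa, pb = ROLE_PERMS[a], ROLE_PERMS[b]
        jaccard = len(pa & pb) / len(pa | pb)
        if jaccard >= threshold:
            pairs.append((a, b, round(jaccard, 2)))
    return pairs


if __name__ == "__main__":
    print("roles per user:", round(len(ROLE_PERMS) / len(USER_ROLES), 2))
    print("SoD violations:", audit_sod())
    print("near-duplicate roles:", near_duplicate_roles())
```

Two things in the output matter to an auditor. Dave violates a rule through a
single drifted role, so reviewing roles one at a time would still catch him;
Erin violates both rules only through the combination of two roles that are
each clean on their own, which is why the audit must run on effective
permissions. The near-duplicate report is the starting point for cleanup:
collapse each pair back into one role and grant the extra permission as a
separately reviewed entitlement rather than a cloned role.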