We once heard an anecdote of an access control consultant who would visit
a company and talk to its IT department about roles. He would ask them to
provide six roles that they thought were good and six roles that they thought
were bad. After running a scan with an automated tool, he invariably found
that almost all the “good” roles were bad, too. Consider the impact of these
bad roles: If one role has three SoD violations, and 3,000 users have that role,
that bad role creates 9,000 conflicts.
The sheer number of potential violations that most companies have shocks
them into reality. Where they once believed they didn’t have a problem, they
now know it is time to be tactical, to fix their controls, and clean up their roles.
Starting the conversation
The first step is one of the hardest. You need to bring IT and businesspeople
to the table together, along with internal auditors.
If the roles that exist are causing SoD violations, communication among these
stakeholders has broken down somewhere.
Examining the org chart
Some of the problems may stem from the jobs themselves. Are employees
given conflicting duties? Cleaning up their roles in the system won’t change
the problem if what is needed is a fundamental reorganization that segregates
duties effectively among employees.
Defining auditable roles
Who owns and defines the roles? It’s highly possible that businesspeople
think this is the province of IT. But the people who define the jobs should
define the roles that reflect those jobs. Therefore, ownership should belong
to the business process owners. By taking responsibility for this area, line-of-business
managers accept that good role management is part of their everyday business.
Mapping the business roles to technical roles
Here is where the IT department comes into play. Business roles need to be
mapped to technical roles.
Business process owners can define which permissions make up a role,
document role status, and keep change histories. They can redesign roles
and analyze what would happen if a role changes. (For example, how many
people would still be able to do their jobs, and would new SoD violations
be created?) Business process owners can develop new roles. This kind
of control consciousness will take the discomfort out of company audits.
Companies learn to be proud of their good, clean roles.
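The role analysis described above (SoD violations per role, the role-violations-times-users conflict arithmetic from the opening anecdote, cross-role conflicts that only show up in a user's combined permissions, and a what-if check on a proposed role change), as an added Python example that is not part of the original text. The SoD rules, roles, users and job requirements are constructed, and all names are hypothetical.

```python
"""Role analysis for segregation of duties (SoD): violations per role, user-level
conflicts, and a what-if check for a proposed role change.
Added example with constructed data; rules, roles, users and job needs are hypothetical."""

# Constructed SoD rules: permission pairs one person should never hold together.
SOD_RULES = [frozenset(p) for p in [
    ("create_vendor", "pay_vendor"),
    ("post_journal", "approve_journal"),
    ("create_po", "receive_goods"),
]]

# Constructed technical roles and user-to-role assignments.
ROLES = {
    "ap_clerk": {"create_vendor", "pay_vendor", "post_journal", "approve_journal",
                 "create_po", "receive_goods"},            # the "bad" role
    "buyer": {"create_po"},
    "receiver": {"receive_goods"},
}
USERS = {"alice": {"ap_clerk"}, "bob": {"buyer", "receiver"}, "carol": {"buyer"}}
# Constructed job requirements: what each person must still be able to do.
JOB_NEEDS = {"alice": {"create_vendor", "post_journal"}, "bob": {"create_po"}, "carol": {"create_po"}}


def violations(perms):
    """SoD rules broken by one permission set (a role or a user's effective rights)."""
    return {rule for rule in SOD_RULES if rule <= perms}


def effective_perms(user, roles=ROLES):
    """Union of all permissions a user receives through assigned roles."""
    return set().union(*(roles[r] for r in USERS[user]))


def conflict_report(roles=ROLES):
    """Per-role violation counts, user-level conflicts (role violations times users
    holding the role, the 3 x 3,000 = 9,000 arithmetic from the text), and users
    whose conflicts arise only from combining otherwise clean roles."""
    per_role = {r: len(violations(p)) for r, p in roles.items()}
    role_conflicts = sum(per_role[r] for u in USERS for r in USERS[u])
    cross_role = {u for u in USERS if violations(effective_perms(u, roles))
                  - set().union(*(violations(roles[r]) for r in USERS[u]))}
    return per_role, role_conflicts, cross_role


def what_if(role, new_perms, roles=ROLES):
    """Simulate redesigning one role: who could no longer do their job, and which
    SoD violations would be newly introduced for any user."""
    proposed = {**roles, role: set(new_perms)}
    blocked = {u for u in USERS if not JOB_NEEDS[u] <= effective_perms(u, proposed)}
    new_viol = {u: violations(effective_perms(u, proposed)) - violations(effective_perms(u, roles))
                for u in USERS}
    return blocked, {u: v for u, v in new_viol.items() if v}
```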