Enterprise Roles are Broken: The Challenges of Traditional Roles

by Dan Peterson | Aug 8, 2024

Roles have long been a cornerstone of access management within organizations. However, the landscape of business and technology has evolved, particularly when it comes to the need for applications and the various identities associated with those applications, and it is now evident that there are significant limitations in traditional roles.

As someone who has witnessed the evolution of roles (and their resultant limitations), I thought it was important to delve into the challenges associated with roles, and explain why organizations need a more granular approach. I’ll also share more on the Zilla Security approach to role management in the coming weeks.

Let’s dive into the role framework and why it makes roles difficult to design, build, and maintain.

Roles are Difficult to Define and Build

Organizations have relied on various role model frameworks that are related to the user and their job function to build and deploy roles. These models range from simple job roles like “Engineer” or “Senior Salesperson” to more complex structures such as “Engineering-SeniorDeveloper” or “Salesperson-Boston.” They can also be hierarchical, following a structure like “Company.Division.Department.Title.”

Defining role structure based on organizational attributes and then adding people and permissions to each role container is generally referred to as “top-down” role design. An alternative approach, often referred to as “bottom-up” role design, is based on traditional automated role mining, which discovers roles where groups of users have similar access, and proposes roles based on the discovered access clusters. This method is typically better at discovering application-level technical roles, which may be manually merged with top-down roles, but this strategy is still laden with manual effort and complexity.

While these concepts make sense, the membership lists within these roles present many management nuances that make them difficult to build and update. The lists per role must be initially proposed, scrutinized, and approved, with each user needing to fit into a predefined role. Roles typically span multiple applications, so a comprehensive entitlement matrix must be assessed, designed, and built for each role. This often involves assembling committees to design these matrices, a process that is both time-consuming and prone to human error.

The rise of cloud-based applications has further complicated consensus on role definitions, making it nearly impossible to reach an agreement that satisfies all stakeholders. Additionally, user attribute data must be nearly flawless before implementation, adding another layer of complexity to an already cumbersome process.

The nuances of job functions and users (and the need to govern them for compliance purposes), combined with the rising demand for access to enterprise applications, have made roles increasingly difficult to design and build.

Broad vs. Narrow Roles: An Ineffective Dichotomy

Because of these complexities, and in an attempt to make roles workable as a means of granting access, organizations may choose to use either broad or narrow roles. As explained below, though, each category brings its own challenge.

  • Broad Roles: Roles encompassing a large number of users tend to include fewer entitlements common to all members. For a role to be effective as a means of provisioning and approving access, it should only contain permissions that all members need or may need. This constraint results in fewer roles, but far less effective ones, lacking the permission granularity appropriate to each job.
  • Narrow Roles: Conversely, roles with fewer users have a higher commonality of entitlements among members. However, this results in a proliferation of roles, each with distinct membership requirements. As organizations evolve, these numerous, narrowly scoped roles need constant updates to reflect changes in user assignments and organizational structure. In this case, roles become cumbersome and complex to manage.

Given the limitations of both the broad and the narrow approach, this classification remains problematic.
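The two design strategies described earlier (top-down containers built from organizational attributes, bottom-up role mining over access clusters) and the broad-versus-narrow trade-off above, as an added Python example that is not part of the original post: the users, entitlements and department/title attributes are constructed sample data, and the pairwise-intersection miner and the coverage metric are illustrative choices, not any product's algorithm.

```python
from itertools import combinations

# Constructed sample data (not from the post): user -> entitlements actually held.
USER_ENTITLEMENTS = {
    "alice": {"vpn:access", "jira:edit", "git:push", "ci:run"},
    "bob":   {"vpn:access", "jira:edit", "git:push", "ci:run", "prod:deploy"},
    "carol": {"vpn:access", "jira:edit", "git:push", "ci:run"},
    "dave":  {"vpn:access", "jira:edit", "crm:read", "crm:write"},
    "erin":  {"vpn:access", "crm:read", "crm:write"},
    "frank": {"vpn:access", "jira:edit", "crm:read"},
}

# Constructed organizational attributes for top-down design: user -> (Department, Title).
USER_ATTRIBUTES = {
    "alice": ("Engineering", "Developer"),
    "bob":   ("Engineering", "SeniorDeveloper"),
    "carol": ("Engineering", "Developer"),
    "dave":  ("Sales", "AccountExec"),
    "erin":  ("Sales", "AccountExec"),
    "frank": ("Sales", "SalesOps"),
}


def common_entitlements(members, entitlements):
    """Permissions held by every member: the only ones a shared role can safely grant."""
    sets = [entitlements[u] for u in members]
    return frozenset(set.intersection(*sets)) if sets else frozenset()


def top_down_roles(attributes, entitlements, depth):
    """Top-down design: one role container per distinct prefix of `depth` attribute
    levels (depth 0 = everyone, 1 = Department, 2 = Department.Title), filled with the
    entitlements common to its members. Returns {role_name: (members, entitlements)}."""
    containers = {}
    for user, attrs in attributes.items():
        name = ".".join(attrs[:depth]) or "Everyone"
        containers.setdefault(name, set()).add(user)
    return {name: (frozenset(m), common_entitlements(m, entitlements))
            for name, m in containers.items()}


def mine_roles(entitlements, min_members=2, min_perms=2):
    """Bottom-up role mining (simple illustrative variant): the access shared by any two
    users is a candidate role, and its membership is every user who holds that whole
    set. Candidates shared by too few users, or too small to be worth a role, are
    dropped. Returns {entitlement_set: members}."""
    candidates = set()
    for a, b in combinations(entitlements, 2):
        shared = frozenset(entitlements[a] & entitlements[b])
        if len(shared) >= min_perms:
            candidates.add(shared)
    mined = {}
    for perms in candidates:
        members = frozenset(u for u, held in entitlements.items() if perms <= held)
        if len(members) >= min_members:
            mined[perms] = members
    return mined


def role_coverage(members, perms, entitlements):
    """Share of the members' total entitlements that the role explains; every member
    holds all of `perms` by construction. Whatever is not covered still has to be
    granted and reviewed outside the role."""
    held = sum(len(entitlements[u]) for u in members)
    return len(perms) * len(members) / held if held else 0.0


def compare_breadth(attributes, entitlements):
    """For each design depth: how many roles result and how much access they explain.
    Broad roles (depth 0) are few but explain little; narrow roles (depth 2) explain
    almost everything but multiply."""
    report = {}
    for depth in range(3):
        roles = top_down_roles(attributes, entitlements, depth)
        coverages = [role_coverage(m, p, entitlements) for m, p in roles.values()]
        report[depth] = (len(roles), sum(coverages) / len(coverages))
    return report


if __name__ == "__main__":
    for depth, (n_roles, avg_cov) in compare_breadth(USER_ATTRIBUTES, USER_ENTITLEMENTS).items():
        print(f"depth {depth}: {n_roles} role(s), average coverage {avg_cov:.0%}")
    for perms, members in sorted(mine_roles(USER_ENTITLEMENTS).items(), key=lambda kv: -len(kv[1])):
        print(f"mined role {sorted(perms)} -> {sorted(members)}")
```

On this sample, the single "Everyone" role can only carry `vpn:access` and explains about a quarter of all held access, while splitting by Department.Title produces four roles that explain almost all of it. The miner proposes five overlapping candidates, including a technical "engineering toolchain" cluster that matches the top-down Engineering container and several smaller Sales clusters that would still have to be merged by hand.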

Roles are Rapidly Outdated and Hard to Maintain

Even if an enterprise can accurately define and use roles as an appropriate means of access, roles quickly become outdated, often the day after they are deployed. In dynamic business environments, user roles, applications, and permissions change frequently. Traditional roles struggle to keep pace and are difficult to maintain.

As users move within the organization and new applications are introduced, the constant need to update roles and permissions becomes overwhelming. Maintaining up-to-date lists of current members and permissions across multiple applications requires meticulous attention and frequent communication with business data owners. This verification process is necessary to update entitlement matrices and user membership policies accurately.
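The verification work just described, reduced to the check an access-review tool would run, as an added Python example that is not from the post: a deployed role definition is compared with a later snapshot of what accounts actually hold, and every discrepancy is classified so the role owner knows what to chase. The role, the members and the snapshot are constructed sample data.

```python
# Constructed deployed role definition (not from the post).
DEPLOYED_ROLE = {
    "name": "Engineering.Developer",
    "members": {"alice", "carol", "grace"},
    "entitlements": {"vpn:access", "jira:edit", "git:push", "ci:run"},
}

# Constructed snapshot of what accounts actually hold some weeks after deployment.
CURRENT_ACCESS = {
    "alice": {"vpn:access", "jira:edit", "git:push", "ci:run", "prod:deploy"},
    "carol": {"vpn:access", "jira:edit", "git:push"},            # ci:run was revoked
    "grace": set(),                                               # moved teams, access removed
    "heidi": {"vpn:access", "jira:edit", "git:push", "ci:run"},  # new hire, never added to role
}


def check_role_drift(role, current_access):
    """Compare a deployed role with live access and classify every discrepancy."""
    role_perms = set(role["entitlements"])
    findings = {
        "under_provisioned": {},      # member -> role entitlements they no longer hold
        "out_of_role": {},            # member -> entitlements held beyond the role
        "inactive_members": set(),    # members with no access at all (left or offboarded)
        "unassigned_matches": set(),  # non-members who hold the full role set
    }
    for user in role["members"]:
        held = current_access.get(user, set())
        if not held:
            findings["inactive_members"].add(user)
            continue
        missing = role_perms - held
        extra = held - role_perms
        if missing:
            findings["under_provisioned"][user] = missing
        if extra:
            findings["out_of_role"][user] = extra
    for user, held in current_access.items():
        if user not in role["members"] and role_perms <= held:
            findings["unassigned_matches"].add(user)
    return findings


def needs_review(findings):
    """True when any category is non-empty, i.e. the role no longer matches reality."""
    return any(findings.values())


if __name__ == "__main__":
    result = check_role_drift(DEPLOYED_ROLE, CURRENT_ACCESS)
    print(f"{DEPLOYED_ROLE['name']} needs review: {needs_review(result)}")
    for category, detail in result.items():
        if detail:
            print(f"  {category}: {detail}")
```

Each category maps to a different owner conversation: under-provisioned members need the application owner to re-grant, out-of-role access needs a justification or removal, inactive members should be dropped from the role, and unassigned matches are people already doing the job who were never added. Run against every deployed role on a schedule, this is the "full-time role maintainer" workload made explicit.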

In many cases, the staff who led the initial role deployment effort find themselves locked into a new task: full-time role maintainer and data/application owner chaser. This shift leads to inefficiencies and increased administrative overhead, detracting from other critical business functions.

Conclusion: We Need More than Roles

While organizational roles have provided a foundation for access management, their limitations are increasingly apparent in today’s app-driven and fast-changing business environment. The challenges of designing, building, and maintaining traditional roles highlight the need for more flexible, automated solutions.

As organizations continue to evolve, the inefficiencies and complexities of role-centric systems underscore the importance of exploring alternative access management strategies that can adapt to change and streamline operations. The shift away from traditional roles towards more modern, dynamic approaches is not just a trend but a necessity for maintaining effective and efficient access control in the contemporary business landscape.

Zilla Security has a different approach to roles. In upcoming blogs, we’ll continue to dissect the role dilemma and our solution – stay tuned to learn more, or contact us today to set up a demo.


Author

  • Dan Peterson

    Dan Peterson is a Senior Advisor and Product Strategist at Zilla Security. He has spent more than 30 years successfully developing and delivering software and services.

    Prior to Zilla, Dan was a Founder and VP of Product Management at Aveksa. In this role, he was instrumental in growing the company into the market leader in Identity Security and Access Governance. RSA acquired Aveksa in 2013.

    Previously, he held various senior management roles at organizations including Engage Technologies, Banyan Systems, Hewlett Packard, and IBM. Peterson has a BS from Northeastern University.

