(Posted by Praveen Vedula)
It's a bright Monday morning and today is the first day at your new job. You are excited as you are shown to your desk. After filling in all the mandatory forms, you try to get down to business... only to realize that you have to raise a multitude of requests just to get access to the necessary applications. Most of you have been there, done that already and can understand what a harrowing experience it can be.
Now consider this: it is possible to reorient this entire process in a way that is user friendly and in accordance with IT requirements; all it requires is a careful analysis of the access product life cycle and how it overlaps with the service catalogue from an ITSM point of view.
There is a thin line between role management and entitlement management. Role management deals with the administrative nature of roles, while entitlement management deals with the functional aspect of access, though both fall under the umbrella of identity access management (IAM).
Control, accountability and transparency are the central tenets of identity access management. So, how do we control or detect access violations? Most organizations depend on IT service management to have a seamless process of ordering products through a service catalogue. However, managing the user access lifecycle remains a challenge: the sheer number and structure of the authorizations involved make it hard to keep under control. There are several products in the market, such as Axiomatics and Securent (acquired by Cisco), which manage authorizations. However, it will be a while before we have an end-to-end entitlement management product, as pointed out by Earl Perkins of Gartner Research in his blog.
Having said that, there are three key issues which need to be addressed while managing access roles and entitlements:
- How do we present the access roles as orderable items in service catalog?
- How do we enforce the policies and rules for the access roles while ordering them?
- How do we update CMDB with relevant entitlement data to drive IT service management?
One of the most important aspects of a service catalog is the ease with which it can be accessed and browsed. The key challenge here is to transform an access product into an orderable item that can be seen and ordered only by users who have the requisite rights as determined by their roles. Given the flexibility of cloud-based ITSM tools, it is quite possible to manage the search parameters on the front end while a compliance check is run by authorization tools in the back end. The governing rules of the access products can be centrally defined and managed at the application layer, making it simpler to manage them in one go. In order to make life easy for business users, the orderable access items can also be grouped based on job level, job description or any other parameter derived from the organizational structure.
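To make the three questions above concrete, here is a small Python model of the pattern this paragraph describes: access products as orderable catalogue items, a front end that lists only the items a user's role is eligible for, a back-end policy check (eligibility plus a separation-of-duties rule) run before anything is granted, and a CMDB record written for every decision. This is an added example, not the author's code or any vendor's product; the SKUs, role names, entitlement strings, the conflict rule and the CMDB record shape are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessProduct:
    """An orderable catalogue item: a bundle of entitlements plus who may order it."""
    sku: str
    name: str
    entitlements: frozenset
    eligible_roles: frozenset


# Constructed catalogue (hypothetical SKUs, names and entitlement identifiers).
CATALOG: Dict[str, AccessProduct] = {
    p.sku: p for p in (
        AccessProduct("AP-CLERK", "AP clerk access",
                      frozenset({"erp:login", "ap:create_invoice"}),
                      frozenset({"ap_clerk", "ap_manager"})),
        AccessProduct("AP-APPROVER", "AP approver access",
                      frozenset({"erp:login", "ap:approve_invoice"}),
                      frozenset({"ap_manager"})),
        AccessProduct("WIKI-READ", "Intranet wiki (read)",
                      frozenset({"wiki:read"}),
                      frozenset({"ap_clerk", "ap_manager", "engineer"})),
        AccessProduct("PROD-DEPLOY", "Production deploy rights",
                      frozenset({"ci:deploy_prod"}),
                      frozenset({"engineer"})),
    )
}

# Constructed separation-of-duties policy, defined once at the application layer:
# entitlement pairs that a single person must never hold at the same time.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"ap:create_invoice", "ap:approve_invoice"}),
}


@dataclass
class User:
    uid: str
    role: str
    entitlements: Set[str] = field(default_factory=set)


def orderable_items(user: User) -> List[str]:
    """Front-end view: only SKUs this user's role is eligible for are presented."""
    return sorted(sku for sku, p in CATALOG.items() if user.role in p.eligible_roles)


def check_order(user: User, sku: str) -> Tuple[bool, str]:
    """Back-end compliance check, run before any entitlement is granted."""
    product = CATALOG.get(sku)
    if product is None:
        return False, f"unknown product {sku}"
    if user.role not in product.eligible_roles:
        return False, f"role {user.role} is not eligible for {sku}"
    if product.entitlements <= user.entitlements:
        return False, f"{user.uid} already holds everything in {sku}"
    # Evaluate the SoD rule against what the user WOULD hold after the grant.
    prospective = user.entitlements | product.entitlements
    for conflict in SOD_CONFLICTS:
        if conflict <= prospective:
            return False, "separation-of-duties conflict: " + " + ".join(sorted(conflict))
    return True, "ok"


def place_order(user: User, sku: str, cmdb: List[dict]) -> Tuple[bool, str]:
    """Enforce policy, grant on success, and record every decision in the CMDB."""
    ok, reason = check_order(user, sku)
    record = {"type": "access_request", "user": user.uid, "sku": sku}
    if ok:
        user.entitlements |= CATALOG[sku].entitlements
        record.update(status="granted", entitlements=sorted(CATALOG[sku].entitlements))
    else:
        record.update(status="denied", reason=reason)
    cmdb.append(record)
    return ok, reason


if __name__ == "__main__":
    cmdb: List[dict] = []
    bob = User("bob", "ap_manager")
    print("bob can order:", orderable_items(bob))
    print(place_order(bob, "AP-CLERK", cmdb))      # granted
    print(place_order(bob, "AP-APPROVER", cmdb))   # denied: SoD conflict
    for rec in cmdb:
        print(rec)
```

The eligibility filter in `orderable_items` shapes what the catalogue shows, but it is `check_order` that actually enforces policy: it is evaluated against the user's prospective entitlement set, so a manager who is eligible for both AP products still cannot accumulate the conflicting pair by ordering them one at a time. Writing the denied requests to the CMDB as well as the grants is what gives an auditor the accountability and transparency the post calls for.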
So, going back to the first example, a new employee has to simply select the access products required from the service catalog. This has been a success story at a large reinsurance firm in Europe that was recognized by the European Identity & Cloud awards 2013 for its project on access management using cloud and authorization tools.
Based on his or her role identity, it will be easy to assign the right levels of access to a given user. In one shot, a pleasant user experience and adherence to IT policies can be achieved.