IBM's Role-Based Identity Management: Access Control Made Agile

Managing user access rights is a huge challenge with few easy answers

SERVICE MANAGEMENT IN ACTION

One of the most challenging aspects of IT security today is access governance—establishing which employees are authorized to access which resources, and with which privileges, then monitoring and updating those access privileges on an ongoing basis as workers come and go or change job responsibilities. This is a particularly difficult puzzle to solve for enterprise-class organizations, in which both the employee headcount and the range of resources are exceptionally large and unwieldy to administer.

Consider, for instance, the problems of any user-provisioning approach based on direct assignments. Setting access privileges for each of 10,000 employees for a single application would be hard enough. Multiply that by the number of applications in the infrastructure, and the fact that employee job duties are constantly in a state of flux, and you begin to see that a much more efficient solution is called for.

This situation has led to the rise of role-based access control (RBAC) systems, in which access privileges are established not for each individual employee but for the role that employee performs, and for logical groups of such roles, based on models developed from current access data. Managing the privileges of roles and role groups is a much more efficient process, helping to improve accuracy and keep user access rights in close alignment with organizational goals, established security policies, and regulatory compliance needs.

Often, though, even this acceleration isn't enough. This is because tremendous amounts of data about user activities and access rights must be collected, cleaned, and normalized to ensure that models will be accurate…but in the time required to do that, so much may have changed in the organization that often the results turn out to be of limited practical value.

That, in turn, leads to problematic integration of the role models with up-and-running applications and business processes. Instead of the new role structure serving business goals, in other words, it can actually impede them.

IBM Tivoli Identity Manager 5.1: Integrated role modeling, mining, and lifecycle management


For this reason, IBM has developed an innovative new module for its identity management solution IBM Tivoli Identity Manager V5.1. This embedded component, IBM Security Role and Policy Modeler, fulfills the promise of role modeling and mining—easier, faster, and more accurate access definition and control—without introducing unwanted complexity or shortcomings common to other solutions.

Tivoli Identity Manager (the overarching identity management solution of which IBM Security Role and Policy Modeler is only a part) provides a business-centric approach to planning, understanding, and modeling the security roles and separation of duty constraints for securing access to critical resources. Because it is business-oriented and scalable, and because it is already built into Tivoli Identity Manager, Security Role and Policy Modeler is more easily applied to even the largest and most complex organizations, with the highest headcounts. Security Role and Policy Modeler also delivers exceptional power and flexibility through a range of innovative features that were carefully designed to bring business managers into the discussion of user access rights and thus streamline the approval of role structures.

Role management is best understood as only one element of an organization’s overall identity management strategy. Role modeling and planning are part of overall security process integration in an organization. Tivoli Identity Manager provides application services that help the organization plan for role-based access requirements and rollout and the day-to-day maintenance of roles and separation of duty constraints. Organizational security needs and requirements are prioritized, implemented, deployed, enforced, and monitored. As an organization or its requirements change, the security process integration cycle continues planning using the feedback from the process.

With Tivoli Identity Manager, new role structures can be created and sent to managers for approval. Based on the responses, these structures can then be adjusted or redesigned to reflect specific needs. The focus at all times is on acceleration: moving through quick, prioritized, and logical stages to arrive at a practical and accurate role structure that will help improve both security and compliance.

That's obviously no simple task, but Tivoli Identity Manager makes it relatively simple to accomplish. In part, this is because in developing Security Role and Policy Modeler, IBM developed an Analytics Catalog—a library of the most commonly used techniques (best practices) used in role modeling and design. This catalog is backed up with a role-mining tool and simulation engine, which help pull together data from the infrastructure and depict how a candidate role structure will likely perform.

Tivoli Identity Manager leverages visual tools and familiar business intelligence techniques to reduce the time and effort to design, manage, and approve roles and role structures for enterprise IT governance. It provides web-based modeling interfaces and reports for owners of business processes and applications so that they can use role-based access control for their employees.

Furthermore, Tivoli Identity Manager leverages key business process management capabilities drawn from the IBM Business Process Manager to address different use cases in role structuring approval and periodic recertification. In contrast, competing alternatives typically offer only specialized workflows that are difficult to adapt, requiring precious time and delivering reduced value as a result.

A clear, simple design that delivers both exceptional power and flexibility

If you're curious to see how Tivoli Identity Manager might actually be applied in a real-world case, consider its capabilities in the context of three common stages in the role-structure creation process: (1) empowering role analysts with simple-choice role-mining, (2) accelerating role-building via best practices, and finally, (3) developing a satisfactory role structure, including validation, to ensure accuracy.

Simple-choice role-mining essentially draws from cleaned and normalized data to create the structure. Here, the strengths of Security Role and Policy Modeler include a Web-based user interface with a business look and feel, including instant feedback and intuitive search behavior, as well as straightforward choices that also reflect a business perspective. Managers can, with relative ease, make decisions with a business focus rather than a technical one—helping keep the role structure prioritized for business value, rather than tying it artificially to the IT infrastructure per se. As progress is made, the solution maintains a statistical summary that depicts that progress in areas like project definition, scoping, modeling, and mining.

Role-building includes both analytics tools and the analytics catalog—both of which leverage proven best practices—to help managers create roles and role groups that closely reflect the organization's needs, fast. Data can be imported either through a standard CSV file or alternate sources, thanks to the included Tivoli Directory Integrator (which serves as a liaison to those alternate sources). It can also be exported easily to Tivoli Identity Manager for subsequent implementation. The emphasis, as always, is on simplicity and speed, both of which help keep the results in tandem with the fluctuating organization and its diverse, growing IT infrastructure.
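As an added illustration of the role-mining, role-building and validation stages described above (and of the direct-assignment versus role-based comparison earlier on the page), the following Python pass derives candidate roles from a constructed CSV export of direct assignments, counts how many assignments the role structure replaces, and checks both users and mined roles against a separation-of-duty rule. This is example code, not IBM's product or the page's own; the CSV layout, column names, entitlement names and the rule are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, one row per user with ';'-separated entitlements.
# Format, column names and entitlement names are assumptions, not the product's own.
ASSIGNMENTS_CSV = """user,entitlements
alice,ledger.read;ledger.post
bob,ledger.read;ledger.post
erin,ledger.read;ledger.post
frank,ledger.read;ledger.post
carol,ledger.read;ledger.approve
grace,ledger.read;ledger.approve
dave,ledger.read;ledger.post;ledger.approve
heidi,ledger.read;ledger.post;ledger.approve
"""

# Assumed separation-of-duty rule: posting and approving must never be held together.
SOD_RULES = [("ledger.post", "ledger.approve")]

def load_assignments(text=ASSIGNMENTS_CSV):
    """Parse the export into {user: frozenset(entitlements)}."""
    return {row["user"]: frozenset(row["entitlements"].split(";"))
            for row in csv.DictReader(io.StringIO(text))}

def mine_roles(user_perms, min_members=2):
    """Candidate roles: each distinct entitlement set held by >= min_members users, named from its entitlements."""
    by_set = defaultdict(set)
    for user, perms in user_perms.items():
        by_set[perms].add(user)
    return {"+".join(sorted(perms)): {"entitlements": perms, "members": frozenset(users)}
            for perms, users in by_set.items() if len(users) >= min_members}

def sod_violations(user_perms, rules=SOD_RULES):
    """Users whose current direct assignments hold both halves of an SoD rule."""
    return sorted(u for u, p in user_perms.items() for a, b in rules if a in p and b in p)

def role_sod_violations(roles, rules=SOD_RULES):
    """Mined roles that would bake a toxic combination into the role structure."""
    return sorted(name for name, r in roles.items()
                  for a, b in rules if {a, b} <= r["entitlements"])

def assignment_counts(user_perms, roles):
    """Direct assignments vs. role-based ones (role->entitlement plus user->role);
    users not covered by any candidate role keep their direct assignments."""
    covered = set().union(*(r["members"] for r in roles.values()))
    direct = sum(len(p) for p in user_perms.values())
    role_based = sum(len(r["entitlements"]) + len(r["members"]) for r in roles.values())
    role_based += sum(len(p) for u, p in user_perms.items() if u not in covered)
    return direct, role_based
```

Because the roles are mined from current access data, an existing toxic combination (dave and heidi here) is mined straight into a candidate role, which is why the validation stage checks the mined roles and not only the users.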

Finally, utilization of the role structure is just as practical and fast as its development was; it's even automatic, in some cases. To a significant degree, this comes thanks to the fact that IBM offers many related solutions, and has taken pains to make Tivoli Identity Manager interoperable with them to create different forms of value.

For instance, Tivoli Identity Manager's role structure benefits from the previously mentioned business process management technology, to automatically approve the role structure and recertify access rights where appropriate. This delivers improved security while also minimizing the ongoing time and energy access managers will need to spend on such tasks themselves. Similarly, statistical analysis and reporting are based on technology drawn from IBM's Cognos acquisition. And of course, Tivoli Identity Manager is also interoperable with other members of the IBM Tivoli security portfolio, such as IBM Tivoli Federated Identity Manager, IBM Tivoli Access Manager for eBusiness, and IBM Tivoli Security Information and Event Manager.

Tivoli Identity Manager is, in short, a straightforward, elegant, and powerful tool that customers can use to make rapid progress on what had been an exceptionally complicated and time-consuming job: developing, implementing, and managing a role hierarchy structure. And because Tivoli Identity Manager can be tailored to suit the specific contextual requirements of almost any organization, it's not just simpler and faster than the competition—it's also more flexible.

Given accelerated accurate role models, you'll enjoy many business benefits

If that list of capabilities sounds impressive, consider the following business benefits that emerge as a result:

That idea will be pursued to a much greater extent in the near future. As IBM continues to augment its portfolio, and integrate analytics capabilities in new ways, Tivoli Identity Manager will both inform and benefit from that integration. The result will be that IBM's identity and access management portfolio in general will become smarter, more forward-looking, and more efficient than ever, leveraging all identity and access management solutions and data optimally to help drive organizations to a superior business outcome.
