Authorization management is one of the unsolved problems of IT security. The problem is not a lack of access management capabilities for authorizations; on the contrary, there are too many. No unifying standard or tool has materialized, because the technologies differ and so do the underlying authorization concepts. A central identity management system can help with administering users and their access rights, including provisioning them across a heterogeneous landscape. But the fact remains that one has to create the different authorizations for the different backend systems, keep them up to date and explain to key-users what rights they grant an assigned end-user.
The authorization concepts vary. Role-based access control (RBAC) contains authorizations in roles that are assigned to users. Access control lists (ACLs) grant access based on the actions performed (read, write, change, delete etc.) on an object (the data). LDAP directories work with groups. And some products have outsourced their authorization checks via XACML.
Changes to authorizations happen regularly for various reasons. New features and products get implemented. Organizational structures change, which influences access to data and makes position-based security hard to implement if your company re-organizes often. Users request more access. Sometimes this would only be needed temporarily, but why give up what one has? So role inflation sets in.
So far no-one has developed a tool that allows central administration of authorizations for a heterogeneous landscape and translates and provisions them to your various backend systems. This would make authorization administration a lot easier and keep it consistent.
What does this mean for companies trying to implement a thorough authorization concept?
First and foremost I recommend that you start by analyzing what users access on a regular basis. You might have thousands of web applications and hundreds of SAP systems, but you will be surprised how little functionality and how few different applications they access on a regular basis.
This means you further have to analyze whether there are authorizations that every user has to have, which could be grouped into a larger container for “Everyone”, so to speak, and which access rights can be grouped by job family. To do this properly you have to find out which role concepts are supported and which grouping mechanisms exist, usually referred to as business roles or composite roles.
You also have to train your security administrators in most, if not all, of the above-mentioned authorization concepts to be able to cover security holistically.
You have to have key-users who set up the authorizations for each application. These are a unique set of employees who know the applications as well as the authorization mechanisms within an application. Knowledge of the application is key, because it is the combination of functionality and organizational data that goes into an authorization. This is usually not known by security administrators.
To avoid segregation of duties (SoD) conflicts, implementing a governance, risk and compliance (GRC) product will help. It absolutely should come with a pre-defined set of SoD rules. Make sure to ask for industry-specific content, but be prepared to add your own unique SoD rules. Every company has a set of home-grown reports containing data that only this specific company deems business critical.
Workflow support helps share the responsibility for access rights, but you have to make sure that all workflow participants are trained in authorizations so that they know what they are deciding on.
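The two preceding paragraphs describe an SoD rule set with both vendor-supplied and home-grown rules, and a request workflow whose participants must judge access requests. The following added example (written for this page, not code from any GRC product) shows what those checks look like in practice: it flattens role assignments into effective authorizations, reports which rules a user violates and which assigned roles cause the conflict, offers a preventive check a workflow could run before a role is granted, and lists role pairs that are harmless alone but toxic together. All roles, users, authorization codes and rule ids are constructed for the illustration; SOD-CUST-01 stands in for the company-specific rule the text says you will have to add yourself.

```python
"""Segregation-of-duties (SoD) checks over role assignments.

Constructed example data, not taken from any real system: roles grant
authorizations (action codes), users hold roles, and SoD rules name pairs
of authorizations that one person must never hold together.
"""
from itertools import combinations

# Constructed role catalogue: role name -> authorizations it grants.
ROLES = {
    "EVERYONE":      {"LOGON", "PRINT"},
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_POST"},
    "AP_PAYMENTS":   {"PAYMENT_RUN"},
    "HR_ADMIN":      {"EMPLOYEE_MAINTAIN", "PAYROLL_RUN"},  # conflicts with itself
    "REPORT_VIEWER": {"REPORT_FINANCE_RUN", "REPORT_MARGIN_RUN"},
}

# Constructed user -> assigned roles.
ASSIGNMENTS = {
    "alice": {"EVERYONE", "AP_CLERK", "AP_PAYMENTS"},
    "bob":   {"EVERYONE", "AP_CLERK"},
    "carol": {"EVERYONE", "HR_ADMIN", "REPORT_VIEWER"},
}

# SoD rules: (rule id, pair of conflicting authorizations, description).
SOD_RULES = [
    ("SOD-001", frozenset({"VENDOR_CREATE", "PAYMENT_RUN"}), "create a vendor and pay it"),
    ("SOD-002", frozenset({"INVOICE_POST", "PAYMENT_RUN"}), "post an invoice and pay it"),
    ("SOD-003", frozenset({"EMPLOYEE_MAINTAIN", "PAYROLL_RUN"}), "maintain employees and run payroll"),
    # Hypothetical company-specific rule around a home-grown margin report.
    ("SOD-CUST-01", frozenset({"REPORT_MARGIN_RUN", "VENDOR_CREATE"}), "see margins and create vendors"),
]


def effective_authorizations(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Flatten a user's roles into the authorizations they actually grant."""
    return set().union(*(roles.get(r, set()) for r in assignments.get(user, ())))


def sod_violations(user, assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """[(rule id, roles contributing to the conflict)] for each violated rule.

    Listing the contributing roles tells the reviewer which assignment to
    remove; a single role in the list means the role itself is toxic.
    """
    auths = effective_authorizations(user, assignments, roles)
    found = []
    for rule_id, pair, _desc in rules:
        if pair <= auths:
            contributing = sorted(
                r for r in assignments.get(user, ()) if roles.get(r, set()) & pair
            )
            found.append((rule_id, contributing))
    return found


def would_violate(user, new_role, assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Preventive check for a request workflow: rules newly broken if new_role is granted."""
    before = {rid for rid, _ in sod_violations(user, assignments, roles, rules)}
    trial = dict(assignments)
    trial[user] = set(assignments.get(user, ())) | {new_role}
    after = {rid for rid, _ in sod_violations(user, trial, roles, rules)}
    return sorted(after - before)


def toxic_role_combinations(roles=ROLES, rules=SOD_RULES):
    """Role pairs that break a rule together although neither breaks it alone."""
    out = set()
    for a, b in combinations(sorted(roles), 2):
        merged = roles[a] | roles[b]
        for rule_id, pair, _desc in rules:
            if pair <= merged and not (pair <= roles[a] or pair <= roles[b]):
                out.add((a, b, rule_id))
    return sorted(out)


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, sod_violations(user))
    print("bob + AP_PAYMENTS would break:", would_violate("bob", "AP_PAYMENTS"))
    print("toxic role pairs:", toxic_role_combinations())
```

Two design points worth noting: the check works on effective authorizations rather than on role names, so a rule keeps working when a role is copied under a new name, and the preventive check reports only rules that are newly broken by the request, which is what a workflow approver needs to decide on.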
Lastly, to keep role inflation at bay, regular access re-certification is key. Otherwise users will simply accumulate far too many authorizations over time.
It might be worthwhile exploring security intelligence products to help analyze your user and role landscape and reduce role inflation. You might be surprised how many users never log on and could be locked right away, or how many roles are identical, which makes them ideal candidates for cleansing. Roles without any content are also common and are clear candidates for immediate deletion. Users without any role assignment are a puzzle too: if they don’t have any authorizations, why do they need to be in the system? You have to check users with far too many authorizations. Is this really necessary, and if so, why? Role mining might help with creating roles from users with similar tasks.
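The analyses listed in the paragraph above, together with the earlier recommendation to derive an “Everyone” container and job-family groupings, are simple set operations over three inputs: the role catalogue, the user-to-role assignments and last-logon dates. The following added example (written for this page, not taken from any security intelligence product) runs each of them over a constructed landscape: dormant and never-logged-on users, identical roles, empty roles, users without roles, users with far more authorizations than their peers, the authorization set every user shares (the “Everyone” candidate), and a basic form of role mining that proposes a business role per job family. All role names, users, job families and dates are constructed; the dormancy cutoff and the over-privilege factor are assumed thresholds you would tune to your environment.

```python
"""Role-hygiene analytics of the kind a security intelligence product runs.

All data below is constructed for illustration; roles, users and dates are
not from any real system.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed role catalogue: role name -> set of authorizations it grants.
ROLES = {
    "BASIC_ACCESS":   {"LOGON", "PRINT", "MAIL"},
    "SALES_ORDER":    {"ORDER_CREATE", "ORDER_CHANGE", "ORDER_DISPLAY"},
    "SALES_ORDER_V2": {"ORDER_CREATE", "ORDER_CHANGE", "ORDER_DISPLAY"},  # identical copy
    "SALES_REPORTS":  {"REPORT_SALES_RUN"},
    "AP_CLERK":       {"VENDOR_CREATE", "INVOICE_POST"},
    "AP_PAYMENTS":    {"PAYMENT_RUN"},
    "LEGACY_PROJECT": set(),                                               # empty role
    "SUPER_ADMIN":    {"USER_ADMIN", "ROLE_ADMIN", "SYSTEM_CONFIG", "TABLE_EDIT", "DEBUG"},
}

# Constructed users: name -> (job family, last logon or None, assigned roles).
USERS = {
    "alice": ("sales",   date(2024, 5, 20), {"BASIC_ACCESS", "SALES_ORDER", "SALES_REPORTS"}),
    "bob":   ("sales",   date(2024, 5, 18), {"BASIC_ACCESS", "SALES_ORDER_V2", "SALES_REPORTS"}),
    "carol": ("sales",   date(2024, 5, 21), {"BASIC_ACCESS", "SALES_ORDER"}),
    "dave":  ("finance", date(2024, 5, 19), {"BASIC_ACCESS", "AP_CLERK"}),
    "erin":  ("finance", date(2024, 5, 19), {"BASIC_ACCESS", "AP_CLERK", "AP_PAYMENTS",
                                             "SALES_ORDER", "SALES_REPORTS", "SUPER_ADMIN"}),
    "frank": ("finance", date(2023, 11, 2), {"BASIC_ACCESS", "AP_CLERK", "LEGACY_PROJECT"}),
    "grace": ("finance", None,              set()),
}
TODAY = date(2024, 5, 22)  # constructed reference date for the dormancy check


def effective_authorizations(user_roles, roles=ROLES):
    """Union of the authorizations granted by every role a user holds."""
    return set().union(*(roles.get(r, set()) for r in user_roles))


def dormant_users(users=USERS, today=TODAY, max_idle_days=90):
    """Users who never logged on or whose last logon is older than the cutoff."""
    return sorted(name for name, (_fam, last, _r) in users.items()
                  if last is None or (today - last).days > max_idle_days)


def identical_roles(roles=ROLES):
    """Groups of roles granting exactly the same non-empty authorization set."""
    by_content = defaultdict(list)
    for name, auths in roles.items():
        if auths:
            by_content[frozenset(auths)].append(name)
    return sorted(sorted(g) for g in by_content.values() if len(g) > 1)


def empty_roles(roles=ROLES):
    """Roles that grant nothing at all."""
    return sorted(name for name, auths in roles.items() if not auths)


def users_without_roles(users=USERS):
    """Accounts that exist but hold no role."""
    return sorted(name for name, (_f, _l, r) in users.items() if not r)


def overprivileged_users(users=USERS, roles=ROLES, factor=2.0):
    """Users holding more than `factor` times the median number of authorizations."""
    counts = {n: len(effective_authorizations(r, roles)) for n, (_f, _l, r) in users.items()}
    cutoff = factor * median(counts.values())
    return sorted((n, c) for n, c in counts.items() if c > cutoff)


def common_authorizations(users=USERS, roles=ROLES):
    """Authorizations every role-holding user has: the 'Everyone' candidate."""
    sets = [effective_authorizations(r, roles) for _n, (_f, _l, r) in users.items() if r]
    return sorted(set.intersection(*sets)) if sets else []


def mine_roles_by_job_family(users=USERS, roles=ROLES):
    """Per job family, what all its role-holding members share beyond the
    'Everyone' baseline: a candidate business role for that family."""
    baseline = set(common_authorizations(users, roles))
    members = defaultdict(list)
    for _n, (fam, _l, r) in users.items():
        if r:
            members[fam].append(effective_authorizations(r, roles))
    return {fam: sorted(set.intersection(*sets) - baseline) for fam, sets in members.items()}


if __name__ == "__main__":
    print("dormant:", dormant_users())
    print("identical roles:", identical_roles())
    print("empty roles:", empty_roles())
    print("no roles:", users_without_roles())
    print("over-privileged:", overprivileged_users())
    print("everyone candidate:", common_authorizations())
    print("business role candidates:", mine_roles_by_job_family())
```

The over-privilege check compares each user against the median of the whole population; in a real landscape you would compute it per job family so that an administrator is measured against other administrators. The role-mining step is deliberately the simplest form (intersection of what every member already holds), which is why it under-reports when a family member is missing a role, as carol is here; more elaborate mining tolerates such gaps, but the intersection is what a reviewer can still verify by hand.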
However, you have to be prepared to live with many different authorization concepts and with many roles. With the above recommendations, though, it should become manageable.