At what point do you do a Role analysis for an organization? At the beginning of the org or somewhere down the maturity curve? This has been the debate for organizations. At the beginning of an organization, people are expected to play multiple roles, so getting a definition is difficult. Later on, though, there is such a mixture of roles that the task becomes as difficult as getting out of a labyrinth. Either way, Role definition is an expansive and laborious task that will consume a lot of the business's time, and unless it is a compliance requirement, the cost cannot be justified from a profit-benefit perspective. There are several tools out there that can be used for Role analysis. Role analysis will involve the following staff:
- Get an Identity and Access Management (IAM) analyst
- Get a business analyst
- Get business management representative
- Get IT management representative
- Get compliance and audit analyst
- Get HR analyst
What should be done:
- Define what are the different roles in the organization
- Define what are the expected tasks of the different Roles
- Define what tools the different roles will need
- Define who will own the different roles
- Define the approvers for the different roles
- Define what IT resources will be used by the different roles
- Define how the roles will be related to HR data
What I have seen in my experience is that there is very little interest from the business to engage in this analysis, but IT gets flagged by auditors because the resource access method and approval method lack structure, creating an organizational risk. My focus, then, will be on how IT can define a basic Role model that would at least satisfy the auditors. No auditor is looking for a comprehensively laid out Role model; most auditors know that the Role model is such a moving object that it can be obsolete in one quarter depending on business needs and economics. But they want to see some kind of framework, and this is what I hope to show you based on my experience.
We are going to look at environments where I have found role definition to be very different but equally complex. I will be looking at it from a high-level view; I understand that there are several other sub-roles. I am really walking back from the end to the beginning. A lot of people start Role analysis from the beginning, get overwhelmed and abandon the exercise. The end for me is the deployment in the IT systems, and that is where I will walk back to the business roles.
The Corporate environment
The diagram below explains the hierarchy. Let’s talk about the different people in the diagram.
HR: HR will be the creator of these organizational roles. People in the organization are broadly classified as Full-Time employees or Contractors. In many organizations HR is not the driver for Contractors but I added it under HR because it really should be.
Manager: The manager of an employee is the secondary Role driver. The manager defines what would be the tasks of the staff and what resources would be needed. For contractors, the manager in many organizations is the creator or primary driver of that role.
FTE: The Full Time Employee (FTE) is the permanent employee of the organization. There are those who work in the office and those who do not (like factory workers). In the office does not necessarily mean in the corporate office; in this age of the remote worker, it means one who engages in office-related tasks. The resource requirements for these two types of workers are different, so I split them.
Contractor: The contractor is the non-permanent employee of the organization. Like the FTE, there are those that work in the office (IT contractors, admin assistants) and those that do not work in the office (drivers, custodians, factory workers).
Let’s look at another organization-driven role model.
The diagram below shows different attributes from the HR profiles of the user that can be translated to a role. Nothing in the diagram means that all access is removed. This is where role conflict may arise. Suppose someone is a factory manager: they fall under factory, where all access is removed, but also fall under the manager role, where access to email and certain folders is required. And so you need a system to calculate roles and determine effective roles; we will talk about that in section 3 of the Governance series.
The Educational environment
The educational environment has a unique setup because one person can be a member of 4-6 different organizational roles at the same time, so there are other things we need to factor in if we are to maintain a single identity in the directory.
- What will be the priority for each of the different roles?
- What attributes or resource access will be affected by a Role?
- When will role activation begin and end?
We will talk about resolving the conflicts in section 3 of the Governance series.
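Added example (not from the original post) of the effective-role calculation that both the factory-manager conflict above and the three educational questions (role priority, affected resources, activation begin/end) call for. The role catalogue, priority numbers, resource names and HR attribute names are constructed assumptions, not any product's role model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    priority: int            # higher-priority roles are applied last, so they win conflicts
    grants: frozenset        # resources the role adds
    deny_all: bool = False   # role removes all access granted by lower-priority roles (Factory)

@dataclass(frozen=True)
class Membership:
    role: Role
    start: date                  # activation begins
    end: Optional[date] = None   # activation ends; None means open-ended

# Constructed role catalogue for this example; priorities and grants are assumptions.
ROLES = {
    "fte": Role("fte", 10, frozenset({"badge", "payroll_portal"})),
    "contractor": Role("contractor", 10, frozenset({"badge"})),
    "factory": Role("factory", 20, frozenset(), deny_all=True),
    "office": Role("office", 20, frozenset({"email", "shared_folders"})),
    "manager": Role("manager", 30, frozenset({"email", "shared_folders", "approval_queue"})),
    "student": Role("student", 10, frozenset({"lms", "library"})),
    "instructor": Role("instructor", 20, frozenset({"lms", "gradebook"})),
}

def roles_from_hr(profile):
    """Translate HR profile attributes into organizational role names."""
    names = [profile["employee_type"]]
    names.append("factory" if profile["location"] == "Factory" else "office")
    if profile.get("is_manager"):
        names.append("manager")
    return names

def memberships_from_hr(profile, start):
    """Open-ended memberships for every role the HR profile maps to."""
    return [Membership(ROLES[name], start) for name in roles_from_hr(profile)]

def active_memberships(memberships, today):
    """Keep only memberships whose activation window covers today."""
    return [m for m in memberships if m.start <= today and (m.end is None or today <= m.end)]

def effective_access(memberships, today):
    """Resolve conflicts: apply active roles lowest priority first; deny_all wipes what came before."""
    access = set()
    for m in sorted(active_memberships(memberships, today), key=lambda m: (m.role.priority, m.role.name)):
        if m.role.deny_all:
            access.clear()
        access |= m.role.grants
    return access
```

With this ordering a factory manager keeps email, shared folders and the approval queue even though the factory role alone strips everything, and a student whose term has ended loses the student grants while the instructor grants stay.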