New Post 2/3/2023 9:59 AM
Ged Dunn
3 posts


Role Modelling for an RBAC Project 

I am currently planning an RBAC implementation and in particular want to start designing my approach to engage with the business to gather requirements.

I was planning on using SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov) but would be interested in any community views on driving strong engagement from the business, promoting understanding and ownership and what templates or best practices might be available to capture the data. 

Questions that occur:

1. I can imagine that the natural tendency would be to align roles to current organisation and people: HR Manager/HR User etc. However, I wonder if there can be any more innovative approaches with using a core: Standard User + Standard Manager + HR Overlay type approaches

2. Has anyone any experience with setting up central Active Directory groups representing roles and using that to inherit access to multiple applications. So HR Manager gets you HR privs in Dynamics, and Power BI etc.

Can anyone point me at any alternative perspectives or taxonomies that could help us explore other options?

All observations welcome!

Thanks!

Gerald

 
New Post 4/25/2023 2:31 AM
Stewart F
119 posts


Re: Role Modelling for an RBAC Project 

Hi there Gerald, apologies for not replying sooner, and I hope this is still relevant.

A little bit of background first of all - I have managed BA Teams ranging from 25 people to smaller teams of 4 or 5. I’ve worked on many a Digital project as well as ‘ground up’ new core systems for companies.

Now first of all, I should mention that I am from the United Kingdom, so your first part about “…was planning on using SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)” I know nothing about.

However, if my understanding is correct, we do have a similar protocol here in the UK, and I would imagine other countries do as well.

My initial thought on reading your question was to use Active Directory as an approach – so I read that bit with interest. It’s important to remember that a HR based alignment of roles is basically another version of Active Directory (indeed in some companies it is one and the same).

For those reading this who don’t know what Active Directory is – in its simplest of forms think of it as a train signal box. The signalman (or woman) will let a train go on path/route 1 if that train has permission. Active Directory works in the same way in that for any given system it groups people together who have permission to perform task ‘a’.

For example, I have a CRM system which allows me to create new Customers on the system. Active Directory will have a list of people (called Users) within the Company who have permission to do that. Anyone not in that Directory will not be able to do so.

To answer your question more directly, Gerald, I would say that you can create teams which differ from the HR prescribed teams, but I would make sure that if you do so, any other system (e.g. a HR based system) would still be able to perform as required. There is a bit of impact analysis to carry out. There are other formats of teams other than Standard User + Standard Manager – especially in larger teams. There may be, for example, a ‘Team Lead’ middle manager type role. There may be Junior roles (junior to the Standard role).

One or two things to consider:

  1. Is there a specific reason why you want a different team structure to that used in HR? If there is no good reason, then I would ask what the benefit is. You will be just creating work for yourself.
  2. If you create Active Directories for your system, what about other systems – do they need to accommodate your new roles as well? How will that happen, and will it have a knock-on effect? Will it go against any known policies within the company?
  3. Lastly, but probably the most important of all – someone will need to manage the Active Directory. Who will that be? Are they aware of what you are doing? (They must be a stakeholder, so that they have a say in what you are expecting them to manage).  

So in short, yes you can use Active Directory to set up different team structures, but be wary of doing so as it may have an unexpected knock-on effect. HR should be a stakeholder, as well as whoever is due to manage your Active Directory account. You’ll need their buy-in otherwise you may come up against quite a bit of opposition (at least that was my experience).
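As an added illustration from outside the thread (not code from either poster), the Python model below treats each role as one central AD group, as in Gerald's question 2, resolves what a composition such as Standard User + Standard Manager + HR Overlay unlocks in each application (question 1), and performs the kind of impact analysis Stewart recommends before a role is changed. All role, group, application and user names are constructed.

```python
from collections import defaultdict

# Constructed catalogue: each role is one central AD group (hypothetical names)
# and the entitlements that group is meant to unlock in each application.
ROLES = {
    "Standard User":    {"group": "G-Std-User",
                         "grants": {"Dynamics": {"read"}, "PowerBI": {"view"}}},
    "Standard Manager": {"group": "G-Std-Manager",
                         "grants": {"Dynamics": {"approve"}, "PowerBI": {"view"}}},
    "HR Overlay":       {"group": "G-HR-Overlay",
                         "grants": {"Dynamics": {"hr_records"}, "PowerBI": {"hr_reports"}}},
}

# Constructed user-to-role assignments: "HR Manager" is not a role of its own
# here but the composition Standard User + Standard Manager + HR Overlay.
ASSIGNMENTS = {
    "alice": ["Standard User", "Standard Manager", "HR Overlay"],  # HR manager
    "bob":   ["Standard User", "HR Overlay"],                      # HR user
    "carol": ["Standard User", "Standard Manager"],                # manager outside HR
}


def effective_access(role_names):
    """Resolve composed roles to the union of entitlements per application."""
    access = defaultdict(set)
    for name in role_names:
        for app, perms in ROLES[name]["grants"].items():
            access[app] |= perms
    return dict(access)


def groups_for(role_names):
    """The AD groups a user must belong to in order to hold these roles."""
    return sorted(ROLES[name]["group"] for name in role_names)


def impact_of_change(role_name, assignments=ASSIGNMENTS):
    """Impact analysis before editing a role: who holds it and which
    applications inherit from its group, so each app owner can be consulted."""
    users = sorted(u for u, roles in assignments.items() if role_name in roles)
    return {"users": users, "applications": sorted(ROLES[role_name]["grants"])}


if __name__ == "__main__":
    for user, roles in ASSIGNMENTS.items():
        print(user, groups_for(roles), effective_access(roles))
    print("Changing HR Overlay touches:", impact_of_change("HR Overlay"))
```

Because the overlay is a separate group, the HR-specific entitlements can be reviewed or revoked in one place without touching the standard roles that non-HR managers like carol depend on.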

Copyright 2006-2024 by Modern Analyst Media LLC