KuppingerCole Report
Advisory Note
By Martin Kuppinger, Matthias Reinwarth

Enterprise role management done right

Role-based access control (RBAC) has become an important part of Access Management and Access Governance. However, defining, implementing and maintaining an enterprise role model remains a substantial task and many projects fail. This document describes best practice approaches towards the right data model, efficient processes and an adequate organization for implementing role management as the foundation for achieving administrative efficiency and maintaining regulatory compliance.

1 Management Summary

Managing access to resources within an organization is one of the essential tasks in Identity and Access Management Systems (IAM). Being able to acces ...

Login Get full Access

2 Highlights

  • Enterprise Role Management (ERM) is a strategic approach towards structuring complex organizations, while improving administrative efficiency and co ...
Login Get full Access

3 Why Enterprise Role Management?

Enterprise Role Management is a systematic and strategic approach for understanding an organisational structure and for describing and defining enterp ...

Login Get full Access

3.1 Controlling access

Role-based access control is a method for controlling access to computers, devices, services, infrastructures or network resources, based on the roles ...

Login Get full Access

3.2 Mastering complexity through abstraction

The main idea behind the design of roles is the reduction of complexity in the access management process, in two perspectives. One is relying on entit ...

Login Get full Access

4 Embedding role management into the enterprise

Enterprise Role Management needs to be understood as on organisation-wide challenge and on ongoing process. It requires the expertise of a diverse com ...

Login Get full Access

4.1 The corporate organisation at the core

Designing an appropriate role hierarchy both suitable for a complex organisation and efficient to deploy for RBAC has proven to be one of the most dif ...

Login Get full Access

4.2 Involving the right people

The identification of adequate business roles and thus the structuring of complex enterprise business processes by mapping them to well-defined activi ...

Responsibilities and accountabilities need to be clearly defined, which is typically reflected by the term role ownership. As we will see later in thi ...

Login Get full Access

4.3 Role lifecycle management and role governance

It is obvious that an enterprise role design defined at a given point in time needs to change due to changing requirements and constantly evolving sys ...

Login Get full Access

5 Role Types: From business roles to application level entitlements

Enterprise Role Management highly relies on the abstraction process from on enterprise strategic level down to an operational system-specific layer. I ...

Login Get full Access

5.1 System-level entitlements

The foundation for such a concept is usually the level of basic, typically system-specific permissions or entitlements. This allows to look at individ ...

Login Get full Access

5.2 System roles

When looking at Fig.2 we see a clear dividing line between the upper end of the lower half of the image. With the depicted hierarchy going into more d ...

Login Get full Access

5.3 Business roles

Today's organisations are complex structures. This is true for almost any type of organisations (including educational and governmental organizations) ...

Login Get full Access

5.4 Base roles

In many cases it is useful to design a set of roles, which are not really business roles, but are rather roles that bundle basic entitlements for larg ...

Login Get full Access

6 Approaches towards an enterprise role management process

Both bottom-up and top-down approaches at defining role catalogues are possible, but not similarly successful. Hybrid strategies with a strong focus o ...

Login Get full Access

6.1 Top-Down approach – Actively designing and shaping roles

The main focus for this approach is on the business and organizational view at an enterprise. Business roles are identified and defined based on the t ...

Login Get full Access

6.2 Bottom-Up approach – Mining existing roles

No role concept is built in a green field approach, so there will typically be already existing systems with roles and permissions already in place. S ...

Login Get full Access

6.3 The right way to do it: Top-Down, Bottom-Up, mapping everything in the middle

The two main approaches towards role design, as described in the recent chapter are typically driven by different departments within the organisation. ...

Login Get full Access

7 Dealing with complexity - Hierarchical role designs

Large organisations and enterprises with diverse, specialized and sophisticated business models require adequate role designs at a similarly adequate ...

Login Get full Access

7.1 Requirements for system level roles and entitlements

The overall layout of the lower half of a role design is typically clear: While it is usually indisputable to have system entitlements and derived sys ...

Login Get full Access

7.2 Business roles and their hierarchies

On the business side, however, the questions regarding the overall layout of a role design are more complex as the structure and interdependency of th ...

Login Get full Access

7.3 Data sources for role information

One important factor for looking at potential layers within an enterprise role design is the availability of authoritative role data as it is usually ...

Login Get full Access

7.4 Role information

A crucial aspect for understanding business roles appropriately is the quality of available descriptive information. Providing adequate, accurate and ...

Login Get full Access

7.5 Example: Flat, 2-level role hierarchy

Real-life enterprise role designs typically deploy two or three layers of business roles. While more layers are possible they usually do not provide a ...

In many cases simple, two-layer layout for an enterprise role design are fully sufficient. This is especially the case when there is no authoritative ...

Login Get full Access

7.6 Example: Three-tier design

This second example shows a substantially different approach: In this case there is an authoritative source for enterprise roles available, which form ...

Login Get full Access

8 Common pitfalls

The large number of failed Enterprise Role Management projects across many organizations proves that there are many obstacles and pitfalls that need t ...

Login Get full Access

9 Recommendations and Conclusions

Avoiding the above given issues and pitfalls is a key challenge when planning and executing a successful ERM project.

Login Get full Access

9.1 Key recommendations

The following recommendations aim at achieving a consistent and sustainable role design:

  • Embed ERM in your organisation as an enterprise task

Login Get full Access

9.2 Conclusion

In many organisations ERM and RBAC lay the foundation for sustainable Access Management and Access Governance frameworks. Striving for a well-defined ...

Login Get full Access

10 Appendix A - The underlying concepts: the RBAC standard

Role Based Access Control has been standardized by publishing the American National Standard for Information Technology “Role Based Access Control€...

Login Get full Access

10.1 A.1 RBAC0 – The basic concept

The foundation layer is RBAC0 which defines the core concepts and terms object, operation, permission, user, role and session.

Term Definiti ...
Login Get full Access

10.2 A.2 RBAC1 – Role Hierarchies

The RBAC1 level adds role hierarchies to RBAC0. This allows to derive roles from already existing roles by adding more permissions to the set of alrea ...

Login Get full Access

10.3 A.3 RBAC2 – Constraints, Static and Dynamic Segregation of Duties

To cover the business requirement that functions within the same business process might not be executed by the same user, RBAC2 adds the concept of Se ...

Login Get full Access

10.4 A.4 RBAC3 – 1 plus 2 equals 3

The full standard, entitled RBAC3, combines all features of the underlying layers. This version is usually taken as the basic reference standard, alth ...

Login Get full Access


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.