RoleCourier® - Role Management
RoleCourier, Courion's role management solution, automates the process of creating and managing enterprise roles. Roles are sets of access rights that correspond to a specific business function.
- Provides automated role creation incorporating top-down and bottom-up approaches
- Enforces cross-role segregation of duties (SoD) policies
- Comprehensive role lifecycle management
- Role consolidation management
- Reduction in complexity of user administration
- Efficiency for provisioning of new users
- Enables compliance auditing using role assignments and role history
- Streamlines the process of changing a user's role, saving time and cost
Role-based Access Control, Role Management and Segregation of Duties
For organizations wishing to simplify and optimize their access control security policy enforcement by creating user roles that align with their business functions, Courion offers the RoleCourier® role management solution. RoleCourier enables organizations to automate the often manual, cumbersome, and inefficient process of role creation and ongoing access control management. Unlike third-party role creation tools with limited capabilities that lack true, real-time integration with the user provisioning process, RoleCourier creates a foundation for robust ongoing role lifecycle management that flexibly adapts to the constant changes in today’s business environment.
A role is a representation of a set of access rights to resources/data that corresponds to duties associated with a business function. Roles are desirable to organizations wishing to deploy user provisioning because of their potential to simplify the administration and enforcement of security policy and the segregation of duties, particularly in environments where users access many applications. Roles reduce the complexity of user administration by mapping a large population of users into a smaller number of well-defined roles, each with its own duties. Those roles become the cornerstone of ongoing user access control security policy management.
Organizations wishing to create an enterprise role-based access control infrastructure often find that initial role creation is a major barrier. Even in small and medium-sized companies, the number of users, accounts, systems, locations, lines of business, and other attributes to map into roles is daunting. Lacking a centralized view, many organizations start from the “bottom up” by dumping user access data from multiple systems into databases and manually correlating access on a user-by-user basis. Other organizations use a “top down” approach to create roles based on organizational hierarchies and require creation of complex management frameworks. What is needed is a hybrid of the two approaches. The difficulty is finding tools that can automate and simplify the data collection and analysis aspects of role creation, create a capability for ongoing role management, and integrate it into an automated provisioning process.
Recognizing the barrier that role creation and management represent to successful security policy enforcement, Courion’s RoleCourier solution automates the time-consuming and manually intensive processes associated with roles.
Courion’s RoleCourier access control software provides an automated role creation function which enables organizations to take a “hybrid” approach to role creation. A “bottom up” role building capability starts from existing accounts. Candidate users are dynamically checked for access commonality, and thresholds are applied to determine attributes for inclusion/exclusion. Candidate roles are checked against the user security policy for exceptions, policy conflicts, and least privilege violations. Those results are then correlated with a “top down” business organization model to produce a role template that can be applied across the enterprise. The role creation function is optimized to help minimize the number of required roles, easing the role management and governance burden on customers. It also accommodates all types of roles, including enterprise, IT, business, or application-specific roles.
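The hybrid approach described above can be sketched as follows. This is an added example, not Courion's code or RoleCourier's algorithm; the user data, entitlement names, and the 0.8 threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: user -> (org unit from the top-down model, current entitlements)
USERS = {
    "alice": ("AP", {"erp:invoice_enter", "erp:vendor_view", "mail"}),
    "bob": ("AP", {"erp:invoice_enter", "erp:vendor_view", "mail"}),
    "carol": ("AP", {"erp:invoice_enter", "erp:vendor_view", "mail",
                     "erp:payment_approve"}),
    "dave": ("Treasury", {"erp:payment_approve", "bank:portal", "mail"}),
    "erin": ("Treasury", {"erp:payment_approve", "bank:portal", "mail",
                          "erp:vendor_view"}),
}


def mine_roles(users, threshold=0.8):
    """Bottom-up mining scoped by the top-down org unit.

    Returns (roles, exceptions): roles maps each unit to the entitlements held
    by at least `threshold` of its members; exceptions maps a user to the
    entitlements they hold outside that candidate role (review candidates)."""
    by_unit = defaultdict(dict)
    for user, (unit, ents) in users.items():
        by_unit[unit][user] = ents
    roles, exceptions = {}, {}
    for unit, members in by_unit.items():
        counts = Counter(e for ents in members.values() for e in ents)
        role = {e for e, n in counts.items() if n / len(members) >= threshold}
        roles[unit] = role
        for user, ents in members.items():
            if ents - role:
                exceptions[user] = ents - role
    return roles, exceptions


def extract_common(roles):
    """Factor entitlements shared by every unit role into one enterprise role,
    which keeps the unit roles small and avoids duplicated grants."""
    common = set.intersection(*roles.values()) if roles else set()
    return common, {unit: role - common for unit, role in roles.items()}


if __name__ == "__main__":
    mined, outliers = mine_roles(USERS)
    print(extract_common(mined))
    print(outliers)
```

The outliers it reports (an accounts-payable user who can also approve payments, for instance) are the accounts to review for least-privilege problems before the role template is applied.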
Enforcing Segregation of Duties Policies
An important aspect of role management for compliance purposes is to perform checks for segregation of duties violations. Checking segregation of duties is particularly critical in environments where users perform multiple roles, and where assignments of users to roles change on a frequent basis. To address this need, RoleCourier provides the ability to perform “what if” role modeling. This process examines a set of specified roles against the access control security policy to see if the superset of access rights across all the roles would create a segregation of duties violation. A similar process is used to detect attribute-level conflicts across multiple roles.
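A “what if” check of the kind described above, as an added example (not Courion's code): it takes a proposed set of roles, builds the superset of their access rights, and tests it against SoD rules before anything is assigned. The role names, entitlements, and rules are constructed assumptions.

```python
# Constructed role catalogue: role -> entitlements it grants
ROLES = {
    "AP Clerk": {"erp:invoice_enter", "erp:vendor_view"},
    "Vendor Admin": {"erp:vendor_create", "erp:vendor_view"},
    "Payment Approver": {"erp:payment_approve"},
    "Finance Superuser": {"erp:vendor_create", "erp:payment_approve"},
}

# Constructed SoD policy: pairs of entitlements one person must not hold together
SOD_POLICY = [
    ("erp:vendor_create", "erp:payment_approve", "create vendor + approve payment"),
    ("erp:invoice_enter", "erp:payment_approve", "enter invoice + approve payment"),
]


def what_if(role_names, roles=ROLES, policy=SOD_POLICY):
    """Return the SoD violations a user would have if given all `role_names`.

    Each violation names the rule, the roles contributing each side, and
    whether it only arises from the combination (cross_role) or is already
    present inside a single role."""
    unknown = [name for name in role_names if name not in roles]
    if unknown:
        raise KeyError(f"unknown roles: {unknown}")

    # Superset of access rights, remembering which roles grant each right
    granted_by = {}
    for name in role_names:
        for ent in roles[name]:
            granted_by.setdefault(ent, set()).add(name)

    violations = []
    for left, right, rule in policy:
        if left in granted_by and right in granted_by:
            violations.append({
                "rule": rule,
                "left_roles": sorted(granted_by[left]),
                "right_roles": sorted(granted_by[right]),
                # True when no single role grants both sides by itself
                "cross_role": not (granted_by[left] & granted_by[right]),
            })
    return violations


if __name__ == "__main__":
    for proposal in (["AP Clerk", "Vendor Admin"],
                     ["AP Clerk", "Payment Approver"],
                     ["Finance Superuser"]):
        print(proposal, what_if(proposal))
```

Running the same check over each role on its own separates roles that are toxic by definition from combinations that only become a violation when assigned together.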
Managing Role Lifecycles
In addition to role creation and SoD checking, enterprises deploying roles need lifecycle management capabilities to keep up with changes that occur over time. This includes the ability to modify or delete attributes associated with roles, to enable or disable roles, and to track the history of changes associated with roles. Role history analysis is a particularly important capability for compliance analysis and reporting.
Another key role management capability is role comparison and consolidation. This enables organizations to iteratively examine their role definitions and determine opportunities for merging similar roles, thereby simplifying management and administration of security policy.
Contact Courion for more information on how the Courion Enterprise Provisioning Suite™ solution can deliver results to your business.