RoleCourier® Role Management
Automates the creation and management of enterprise roles, fully integrated with provisioning and access compliance management, as part of an Access Governance strategy.
- Ensure alignment of business operations with user roles
- Enable efficient, consistent user account provisioning
- Streamline access compliance and certification
- Enable the ability to respond to dynamic business changes
- Enforce security policies, including cross- or multi-role segregation of duties (SoD)
Role Lifecycle Management
RoleCourier, Courion's role management solution, automates the process of creating and managing enterprise roles, which are sets of IT accounts and access rights associated with a specific business function.
Courion, a leading provider of Access Risk Management products, was the first major vendor to deliver role management integrated with a provisioning, access management, and compliance reporting suite. RoleCourier enables organizations to optimize access control policy enforcement by aligning business operations with user roles. It automates the often cumbersome and inefficient process of role-based access control and provides a flexible framework that adapts to constantly changing business environments.
Automating Role Creation
Organizations wishing to create an enterprise role-based access control infrastructure often find that initial role creation can be extremely complex. Even in small and medium-sized companies, the number of users, accounts, systems, locations, lines of business, and other attributes that map into roles can be daunting. Many organizations start from the “bottom up” by collecting user access data from multiple systems and using common attributes to identify potential roles on a user-by-user basis. Other organizations use a “top down” approach to define roles based on organizational hierarchies which may not be accurately aligned with IT accounts and entitlements and often require creating complex management frameworks.
What is needed is a combination of the two approaches that can automate and simplify the data collection and analysis aspects of role creation, create a capability for ongoing role management, and integrate it into a comprehensive access management lifecycle.
Courion's Hybrid Approach
Courion’s RoleCourier role management software streamlines role creation using a hybrid approach. A “bottom up” role mining capability starts with existing accounts. Candidate accounts are dynamically checked for common access attributes, and thresholds are applied to determine attributes for inclusion or exclusion. Candidate roles are checked against the user security policy for exceptions, policy conflicts, and least privilege violations. Then, these results are correlated with a “top down” role discovery process based on the businesses organization model, to align IT accounts and attributes with business roles and functions.
The result is a role template that can be applied across the enterprise and accommodates all types of roles, including enterprise, IT, business, or application-specific roles. The hybrid role creation model optimizes the number of roles, reduces role proliferation, and eases the role management and governance burden on customers.
RoleCourier's “what if” role modeling examines a set of roles against the access control security policy to see if the superset of access rights across all the roles would create a policy violation or attribute-level conflicts across multiple roles. This is particularly helpful for uncovering potential segregation of duties (SoD) violations. Identifying SoD violations is much easier with "what if" modeling, particularly in situations where users perform multiple roles or where role assignments change on a frequent basis.
RoleCourier is fully integrated with Courion's user access provisioning solution. Managers can quickly and easily provision a new hire using a pre-defined role, streamlining the provisioning process, reducing potential over-provisioning, and enabling them to concentrate on running the business. Organizations that implement a "lights-out" provisioning process can do so with the assurance that new users have access rights that are appropriate for their position. In either scenario, integrated provisioning ensures that security policies regarding access rights are automatically enforced, while at the same time, overhead costs are reduced and the onboarding process is accelerated.
Comprehensive Role Lifecycle Management
In addition to role creation and SoD checking, enterprises require lifecycle management capabilities that can adjust as business conditions change over time. This includes the ability to add, modify or delete role attributes, to enable or disable roles, and track the history of changes associated with roles. Role history analysis is a particularly important capability for compliance analysis and reporting.
Another key role management capability is role comparison and consolidation. This enables organizations to iteratively examine their role definitions and determine opportunities for merging similar roles, thereby simplifying management and administration of security policy.
Compliance and Attestation
In today's increasingly regulated business environment, the ability to verify that user access rights are consistent with policy, industry requirements and government regulations, is essential. RoleCourier's role definitions are fully integrated with Courion's ComplianceCourier product which enables managers to quickly and efficiently review and validate that the user accounts and access rights within their business unit are in compliance with policy.
- Comprehensive role lifecycle management adapts to changing business requirements
- Combines "top down" and "bottom up" approaches to align business and IT functions
- Enforces security policies, including cross- or multi-role segregation of duties (SoD)
- Comprehensive integration with provisioning, access management and compliance
- More robust policy enforcement
- Simplifies user administration complexity
- Provides more efficient and consistent user access provisioning
- Enables compliance auditing using role assignments and role history
- Streamlines the process of creating and modifying user access rights, saving time and cost