Simplifying Identity Management with Roles

Key Points

  • The speaker proposes a role‑based approach that can shrink identity‑management size, cost, and complexity by orders of magnitude, making security easier because simplicity reduces vulnerabilities.
  • Managing permissions per individual user creates a tangled “spaghetti” of unique entitlements that are hard to track, especially when users leave the organization.
  • Introducing **business roles** (e.g., doctor, nurse, lab technician) groups users by function, while **application roles** group the underlying permissions needed to perform high‑level tasks.
  • Mapping business roles to application roles lets administrators assign one business role and thereby grant every entitlement a task needs, even when those entitlements live in several different applications (admitting a patient, for example), which dramatically simplifies provisioning and de‑provisioning.
  • This layered role model streamlines operations, cuts costs, and improves security by reducing the number of granular permissions that must be administered.
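The two-tier model these points describe, as an added worked example that is not code from the video or from this page: business roles collect users, application roles collect entitlements drawn from several applications, and a business role is mapped to application roles rather than to raw permissions. The hospital data (doctor/nurse/lab_tech, `admit_patient`, the application and permission names, the user names) is constructed for illustration and is an assumption, not any real system's configuration. The block also shows the two practices the transcript adds later: per-user exceptions for the cases a role does not cover, and a bottom-up role-discovery pass that clusters peers with identical entitlement sets.

```python
# Added example: two-tier role model (business roles -> application roles ->
# entitlements). All names below are constructed hospital sample data, not a
# real system's configuration.
from collections import defaultdict
from typing import Dict, FrozenSet, Set, Tuple

Entitlement = Tuple[str, str]  # (application, permission), e.g. ("ehr", "write_note")


class RoleModel:
    """Business roles collect users; application roles collect entitlements.
    A business role maps only to application roles, never straight to an
    entitlement, so either tier can change without touching the other."""

    def __init__(self) -> None:
        self.app_roles: Dict[str, Set[Entitlement]] = defaultdict(set)   # app role -> entitlements
        self.biz_roles: Dict[str, Set[str]] = defaultdict(set)           # business role -> app roles
        self.members: Dict[str, Set[str]] = defaultdict(set)             # business role -> users
        self.exceptions: Dict[str, Set[Entitlement]] = defaultdict(set)  # per-user one-offs (the "20%")

    # --- application-role tier: what a high-level function needs --------------
    def grant_to_app_role(self, app_role: str, *ents: Entitlement) -> None:
        self.app_roles[app_role].update(ents)

    def revoke_from_app_role(self, app_role: str, ent: Entitlement) -> None:
        self.app_roles[app_role].discard(ent)

    # --- business-role tier: which functions a kind of user performs -----------
    def map_roles(self, biz_role: str, *app_roles: str) -> None:
        unknown = [r for r in app_roles if r not in self.app_roles]
        if unknown:  # refuse dangling references; they would silently grant nothing
            raise KeyError(f"undefined application roles: {unknown}")
        self.biz_roles[biz_role].update(app_roles)

    def unmap_role(self, biz_role: str, app_role: str) -> None:
        self.biz_roles[biz_role].discard(app_role)

    def add_member(self, biz_role: str, user: str) -> None:
        if biz_role not in self.biz_roles:
            raise KeyError(f"undefined business role: {biz_role}")
        self.members[biz_role].add(user)

    def offboard(self, user: str) -> None:
        """Leaver: drop every membership and every exception in one step."""
        for users in self.members.values():
            users.discard(user)
        self.exceptions.pop(user, None)

    def grant_exception(self, user: str, ent: Entitlement) -> None:
        self.exceptions[user].add(ent)

    # --- queries used for provisioning and access review -----------------------
    def effective(self, user: str) -> FrozenSet[Entitlement]:
        """Everything the user can do: union over business roles -> app roles ->
        entitlements, plus any explicit per-user exceptions."""
        ents: Set[Entitlement] = set(self.exceptions.get(user, ()))
        for biz_role, users in self.members.items():
            if user in users:
                for app_role in self.biz_roles[biz_role]:
                    ents |= self.app_roles[app_role]
        return frozenset(ents)

    def users_with(self, ent: Entitlement) -> FrozenSet[str]:
        """Reverse lookup for audits: who can reach this entitlement by any path."""
        everyone = {u for users in self.members.values() for u in users} | set(self.exceptions)
        return frozenset(u for u in everyone if ent in self.effective(u))


def discover_roles(observed: Dict[str, Set[Entitlement]]) -> Dict[FrozenSet[Entitlement], FrozenSet[str]]:
    """Bottom-up role discovery: peers holding identical entitlement sets form a candidate role."""
    clusters: Dict[FrozenSet[Entitlement], Set[str]] = defaultdict(set)
    for user, ents in observed.items():
        clusters[frozenset(ents)].add(user)
    return {ents: frozenset(users) for ents, users in clusters.items()}


def build_hospital() -> RoleModel:
    """Constructed sample data mirroring the page's hospital example."""
    m = RoleModel()
    m.grant_to_app_role("admit_patient", ("ehr", "create_encounter"), ("bed_mgmt", "assign_bed"))
    m.grant_to_app_role("discharge_patient", ("ehr", "close_encounter"), ("bed_mgmt", "release_bed"),
                        ("billing", "finalize_claim"))
    m.grant_to_app_role("update_record", ("ehr", "write_note"))
    m.map_roles("doctor", "admit_patient", "discharge_patient", "update_record")
    m.map_roles("nurse", "update_record")
    m.map_roles("lab_tech", "update_record")
    for user in ("alice", "bob"):
        m.add_member("doctor", user)
    m.add_member("nurse", "carol")
    m.add_member("lab_tech", "dave")
    return m


if __name__ == "__main__":
    m = build_hospital()
    print("carol before:", sorted(m.effective("carol")))
    # One change at the application-role tier reaches everyone who can update records.
    m.grant_to_app_role("update_record", ("audit", "append_change_log"))
    print("carol after :", sorted(m.effective("carol")))
    # One change at the business-role tier revokes it for every nurse at once.
    m.unmap_role("nurse", "update_record")
    print("carol now   :", sorted(m.effective("carol")))
    print("who can finalize claims:", sorted(m.users_with(("billing", "finalize_claim"))))
```

The point of `effective` and `users_with` is that an access review never has to read per-user entitlement lists: membership plus the two mapping tables is the whole record, and a leaver is handled by `offboard` rather than by unwinding one-off grants. `discover_roles` is the naive form of role mining; real identity-governance tools also tolerate near-matches, but the exact-match version is enough to see where roles already exist implicitly.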

Full Transcript

# Simplifying Identity Management with Roles

**Source:** [https://www.youtube.com/watch?v=5v4v-MPoEOs](https://www.youtube.com/watch?v=5v4v-MPoEOs)
**Duration:** 00:09:00

## Sections

- [00:00:00](https://www.youtube.com/watch?v=5v4v-MPoEOs&t=0s) **Simplifying Identity Management with Roles** - The speaker explains how adopting role‑based access control dramatically cuts the size, cost, and security risks of managing individual user permissions by replacing a tangled per‑user setup with a streamlined, reusable role structure.

## Full Transcript
[0:00] What if I could show you a way that would reduce the size and complexity of managing user identities by two or even three orders of magnitude? It would cut down on cost, it would make the operation more efficient, and it would make it more secure because it was more simple. And as I mentioned in other videos, complexity is the enemy of security.

[0:20] So let's think about managing these identities without user roles and then with user roles, and I'll show you the advantages of using roles. So what we think about first is we've got a bunch of users here who need access to applications. Simplistically it sounds like this: I'm going to give this guy access here and here, and I give this guy this access, and that's all they really need. That's what it seems like, but in fact it's more complicated than that.

[0:51] What happens is, inside of these applications there may be individual permissions that are necessary. For instance, it could be an administrator access, it could be read-only access, it could be read-write access. There could be a lot of different underlying permissions that need to be granted. So in fact, instead of this gross level of permissions that I'm giving, what I really need to do is give this guy these access rights, and this guy needs these, and this guy needs these, and it continues. Before long you end up with a spaghetti mess that you've got to manage. Every user is a one-off, every user is unique, every user is complex. And when I have to unroll all of these access rights when the user leaves the organization, it gets even more complicated and more costly and more difficult to accomplish.

[1:49] So let's look at a different approach, where instead of doing individual user-to-permission or entitlement accesses, I'm doing those mappings. I'm going to introduce another concept. We are now in the middle: I'm going to have this idea of user roles. So I'm going to create a set of roles at a business. I'll call these business roles. For instance, there's a role... let's say this is a hospital, so we have a doctor, we might have a nurse, we might have a lab technician. Those are the business roles. So business roles are a collection of users.

[2:27] I'm also going to create a second abstraction of application roles, and in this case these are going to be high-level functions that need to be performed. So maybe the high-level function is admit a patient, or discharge a patient, or update a patient record. So those are high-level things. In fact, those high-level features might involve multiple underlying permissions in different applications. So now you see it gets a lot more complicated, but what I'm trying to do is reduce that complexity.

[3:02] So once I've created these two different tiers of roles (a business role is a collection of users, an application role is a collection of entitlements or access rights), then all I have to do is come back and say, okay, to admit a patient, what do I need to be able to do? Well, I need to be able to have access to these two features, along with this one, which is actually in a different application. Imagine in a complex organization there might be six or seven applications that need to be involved in performing a high-level function. So to discharge a patient maybe I need these, and to update a patient record I need these.

[3:42] Now I've mapped out the application entitlements up here. All I need to do is say which ones are... these people are doctors. Okay, here are my doctors, here are my nurses, and here's my lab tech. Now I've created the collection of business roles and those users, the collection of application entitlements, and all I have to do is connect the dots. I'm just going to say doctors can admit patients, discharge patients, and update patient records. Nurses cannot admit and discharge, but they can update records. And lab techs, when they get in the lab results, can update patient records. That's all I have to do.

[4:21] The beauty of this then is the flexibility that happens over time. Let's say later I need to add in a new entitlement here, and this now is required anytime I update a patient record. Then all I have to do is add in this, and the update capability now involves that entitlement, and all the people who have the update capability (in this case it's all of these users) now have this new capability. And if later I decide for whatever reason I'm not going to allow nurses to perform a particular function, I just take that function out of the nurse role and all the nurses now lose that capability. Or add something in: all of those users instantly gain that capability.

[5:15] By separating these two different layers, I don't end up with a spaghetti. I end up with something that is much simpler to manage, and it feels like now, instead of managing what might be 5,000 users, it feels like I'm managing three users if I've got three roles. So I've taken the magnitude of the problem and reduced it dramatically.

[5:38] So let's think about what are some of the best practices then in role management if we want to carry this through, and there's a number of things you can do here. For instance, don't make the mistake of letting the perfect become the enemy of the good. In doing so, I've seen organizations that try to define this in a perfect way that will meet all the needs for all time, and the fact of the matter is we don't need to do that. It needs to be flexible; it will change over time. One organization I worked with took a year to define their roles. That was a delay on the process because they were letting the perfect become the enemy of the good.

[6:13] The second best practice is related to that first: aim for more like an 80/20 split. Try to cover your role entitlements and accesses with about eighty percent of the cases with something like this, and then let the other 20 be exceptions, and we can handle them as one-offs, more like this. But I've still reduced the problem space dramatically.

[6:37] Other things I can look at is role design or role engineering, where I sit down, as I've done here, kind of as a tabletop exercise, and envisioned how these roles should be. I can envision that these are the different types of users, these are the different access rights, and we do that kind of an exercise. This is more of a top-down approach. The bottom-up approach is more of a role discovery process, and there are tools that will allow you to go out and see all of the entitlements that a user has and what function they perform. And then you can go through and see all of these users who are peers seem to have the same access rights, so let's create a role around that. And therefore we're essentially discovering the roles that already exist in the organization that just have not been explicitly stated.

[7:26] I would actually recommend using both of those, the top-down and the bottom-up, the design and the engineering, and let them meet in the middle, and then we apply some of these other principles that I've talked about. In addition to these, we also should use good tools that allow us to do this discovery, and there are enterprise-class identity governance tools that will allow you to do this, allow you to manage it, and manage this over time. As these roles need to change, we'll need to make those kind of changes.

[7:59] And then finally the thing that I've illustrated here, and that is: use multiple tiers of roles, because if we try to use a single role structure we'll overload it. Here I separated out the groups of users from their entitlements. That way I have more separation: I can change the entitlements without changing the users; I can change the organization of users without having to change their underlying entitlements. That gives me the maximum level of flexibility, and it keeps me from that sort of analysis paralysis that I mentioned the other organization I talked about hit. So you can see, I hope, with this that I can take a very complex space and reduce it to a much more manageable space. Therefore, with this more manageable space, it's cheaper, it's more efficient, and I'll argue even more secure, because complexity is the enemy of security and this is simpler.

[8:51] Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.