One problem I frequently encounter when managing groups is the "Cartesian Product of Groups" within individual business applications.

A Common Example: Imagine "Business App A" which is built on top of a RACF system. For an end user to perform their job in Business App A, they need both a RACF Group and a RACF Profile assigned to them.

->Today, this situation is reasonably complex for an IAM system to manage. To support access requests or access certifications we either need to:

Abstract with Roles: Ensure that groups and profiles are invisible to end users by building "roles" on top of them. Assigning or removing a role automatically assigns/removes both the required group and profile.
User Education: Educate end users that they need both a RACF Group and a RACF Profile and ensure they always request them together.
IAM Side Scripting: Create a Cartesian product of all possible combinations of groups and profiles in the IAM system, adding metadata to explain each combination. Then, implement logic to ensure that provisioning or de-provisioning assigns/removes the correct group-profile pair.

Honestly, all 3 of these options are ugly. (I would argue Option 1 is best, but it still requires unnecessary leg work by the IAM team to create and define roles with the correct business logic). While I used RACF to illustrate the problem, I have seen this same issue with other on-prem apps and also some SaaS apps.

As part of the IPSIE standard, we should fix this. To achieve IPSIE compliance, applications should provide a clear interface—such as an API endpoint, stored procedure, or similar mechanism—that allows IAM systems to seamlessly manage their internal access models without forcing IAM teams to "hack" solutions.

Discuss/Define: Group Provisioning and Deprovisioning #21

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions