IAM Granular Access Control

By Sidsel Loyche - 1 May, 2025

One of the core functions of any Identity and Access Management solution is access control. This provides the organisation with the means to specify and enforce users’ access to its resources. This ensures that users only have access to the resources that they need, preventing unnecessary or unauthorised access that could potentially create serious issues for the organisation. 

However, managing these controls at scale is hard: many users and many services create a very large number of possible user-to-resource permutations. This led to Role-Based Access Control (RBAC), in which a user's access privileges are derived from a role that reflects what they need to do their job. This makes configuring access control much easier in organisations where many users have similar roles. 

However, there can be access needs that don’t easily conform to RBAC. For example, a user may need temporary, elevated access to a resource if their manager is away. Or a user may only be permitted this elevated access when they’re physically located within a certain jurisdiction. RBAC does not easily accommodate these edge cases, which can result in costly and error-prone manual administration. Often, these edge cases are more common than expected. 

So how does Able+, New Era’s IAM solution, address the challenge of these edge cases? The answer is RBAC combined with Granular Access Control (GAC). 

Resource-level entitlements

The first of these controls is resource-level entitlements. This simply enables a user (or group) to be assigned an entitlement to a specific resource that is unconnected with their role. These entitlements can be added and removed administratively. Alternatively, a user can request access from a designated approver, such as their manager or the resource owner. The screenshot below shows an administrator manually assigning new entitlements. 

The ability to assign entitlements manually (either by an administrator or designated approver) is helpful but not always scalable with large numbers of users and/or resources. To address this, bespoke workflows can be used to automatically determine the appropriate entitlements for a user, aligned with the organisation’s policies. The screenshot below shows a bespoke approval workflow for access requests managed by the IT helpdesk. 

Identity attributes

Identity attributes are items of information about users that are associated with their identities within the IAM solution. Often these attributes are generic (“Department”) but Able+ allows organisations to add organisation-specific attributes, such as an employee identifier or type of contract. 

These identity attributes can be used by workflows to automatically assign entitlements. If these attributes change, the workflow can respond immediately, changing the user’s entitlements if necessary. 

The screenshot below shows an extract from an Able+ workflow that determines some of the user’s access entitlements based on the value of an identity attribute. 

Time and location

Often, the time of day and the user's location play a role in determining access. For example, physical access to premises or rooms might not be permitted during specific hours, or elevated access might only be allowed from a particular jurisdiction. Able+ can use this information, evaluated at the time of the request, to determine access. 

AuthX workflows

Finally, Able+ workflows can also be used to authorise access. As well as allowing complex logic, a workflow can determine the user's entitlement at the instant of the request, rather than relying only on entitlements assigned in advance. This means the decision reflects the user's current attributes, the current time and their current location, so a temporary elevation that has expired or a request from outside the permitted jurisdiction is refused without an administrator having to revoke anything. 
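As an added illustration of how the controls described above combine, the Python below is an example written for this article, not Able+ code or any New Era product logic. It evaluates, at request time, a role-based grant (the RBAC backbone), permissions derived from identity attributes, and resource-level entitlements that carry an expiry (temporary elevation while a manager is away) and a location condition. Every user, role, permission, attribute and policy entry in it is constructed for the example.

```python
"""
Added example (not Able+ code): request-time access decision combining
RBAC, attribute-derived permissions and granular entitlements.
All roles, permissions, attributes and users below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

# RBAC backbone: static role -> permission mapping (constructed data).
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger:read"},
    "finance-manager": {"ledger:read", "ledger:approve"},
    "helpdesk": {"tickets:read", "tickets:write"},
}

# Attribute rules: (attribute, value) -> permissions granted automatically.
# A workflow would re-evaluate these whenever the attribute changes.
ATTRIBUTE_RULES = {
    ("contract_type", "permanent"): {"payroll:self-service"},
    ("department", "Finance"): {"ledger:read"},
}


@dataclass
class Entitlement:
    """A resource-level grant outside the role model, e.g. approved by a manager."""
    permission: str
    expires_at: Optional[datetime] = None          # temporary elevation ends here
    allowed_countries: frozenset = frozenset()      # empty set = no location restriction


@dataclass
class Identity:
    user: str
    roles: set
    attributes: dict
    entitlements: list = field(default_factory=list)


@dataclass
class Request:
    permission: str
    now: datetime      # evaluated at the instant of the request
    country: str       # location asserted by the access point at request time


def attribute_permissions(identity: Identity) -> set:
    """Permissions the identity holds purely because of its attribute values."""
    granted = set()
    for (attr, value), perms in ATTRIBUTE_RULES.items():
        if identity.attributes.get(attr) == value:
            granted |= perms
    return granted


def is_authorised(identity: Identity, request: Request) -> tuple:
    """Default-deny decision; returns (allowed, reason) so the path is auditable."""
    # 1. RBAC: any role that carries the permission is sufficient.
    for role in identity.roles:
        if request.permission in ROLE_PERMISSIONS.get(role, set()):
            return True, f"role:{role}"
    # 2. Attribute-derived permissions.
    if request.permission in attribute_permissions(identity):
        return True, "attribute-rule"
    # 3. Granular entitlements, each checked against time and location now.
    for ent in identity.entitlements:
        if ent.permission != request.permission:
            continue
        if ent.expires_at is not None and request.now >= ent.expires_at:
            continue   # expired elevation: skip rather than fall through to allow
        if ent.allowed_countries and request.country not in ent.allowed_countries:
            continue   # outside the permitted jurisdiction
        return True, "entitlement"
    return False, "no-matching-grant"


def decide(identity: Identity, permission: str, when_iso: str, country: str) -> tuple:
    """Convenience wrapper: 'when_iso' is an ISO-8601 timestamp with offset."""
    return is_authorised(identity, Request(permission, datetime.fromisoformat(when_iso), country))


# Constructed sample: a Finance analyst given temporary approval rights while
# their manager is away, valid until 2 May 2025 18:00 UTC and only from GB.
ANALYST = Identity(
    user="a.jones",
    roles={"finance-analyst"},
    attributes={"department": "Finance", "contract_type": "permanent"},
    entitlements=[
        Entitlement(
            "ledger:approve",
            expires_at=datetime(2025, 5, 2, 18, 0, tzinfo=UTC),
            allowed_countries=frozenset({"GB"}),
        )
    ],
)

if __name__ == "__main__":
    for perm, when, where in [
        ("ledger:approve", "2025-05-01T09:00:00+00:00", "GB"),   # inside window, in GB
        ("ledger:approve", "2025-05-01T09:00:00+00:00", "US"),   # wrong location
        ("ledger:approve", "2025-05-03T09:00:00+00:00", "GB"),   # elevation expired
        ("tickets:write", "2025-05-01T09:00:00+00:00", "GB"),    # never granted
    ]:
        print(perm, when, where, "->", decide(ANALYST, perm, when, where))
```

The point of the example is the ordering and the default deny: the role grant answers the common case cheaply, the attribute rule covers entitlements that should track HR data automatically, and the entitlement check is where the edge cases live. Because the expiry and location are tested against the request's own time and place, the temporary elevation simply stops working after the manager returns and never works from the wrong jurisdiction, with no clean-up task for an administrator.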

Summary

While RBAC will continue to form the backbone of any IAM solution, it has limitations that can result in costly and error-prone manual effort to manage the “edge cases”. Able+ addresses these challenges with tools that provide Granular Access Control. These complement RBAC, enabling full automation of an organisation’s IAM solution. 


© 2025 New Era Technology