I am a consultant and analyst of role-based projects, and this book lays out the foundations of the RBAC model.
I would like to add:
There are a few ways to start a role-based project. It depends on factors such as the number of users, number of systems, number of security admins, budget, auditors, company needs and more.
Usually, companies try to approach this project using their current resources and do it manually, without any external consultancy, experience, best practices or methodologies.
By taking the manual approach, you can generate a few roles, usually the basic enterprise roles or departmental roles, but then you will find that you need to generate many other roles by analyzing many users, resources and access rights and by working with and interviewing many business managers, a process that can take 24-48 months for an organization with 10k users.
I have managed 10-15 RBAC projects and been involved in about 50 others, in the USA and Europe, and I can share with you the high-level best practices.
1. Map the company's systems and business model.
2. Set the RBAC targets: number of roles, workflows, etc.
3. Import current access rights and perform a mini cleansing project (3-4 weeks).
4. Doing role engineering on very polluted data will produce roles, but very dirty roles.
5. It is better to spend a few weeks on cleansing until you feel that you have cleaned up the major faulty access rights.
6. Use smart audit tools to analyze your current access-rights model and advise you which access rights are suspect.
7. Use compliance and policy check tools (segregation of duties, etc.) to perform the cleansing.
8. Use a workflow for access-rights certification (example: Eurekify/Sage).
9. Use tools that can help you create roles by analyzing your current access rights. There are a few tools in the market, such as Eurekify/Sage.
10. Run all the techniques that the tool provides and analyze the results.
11. Use a tool that has a built-in workflow for role approval.
12. Audit your roles and make sure that the roles are normalized; it is highly recommended to use automated solutions to audit your roles.
13. Build compliance rules to validate the roles.
14. Ensure that you will be able to modify and alter the roles easily.
15. Build or use a solution that will help you manage and maintain the roles; keep in mind that roles are dynamic and will change.
16. Role certification / re-certification: make sure that you have a workflow to certify / recertify roles.
17. Record and archive all the changes.
18. Build reports that will help you manage and control your roles and results.
Hope it helps
Director - Eurekify
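The cleansing, segregation-of-duties check and role-mining steps the review lists, shown as an added Python example that is not from the review nor from Eurekify/Sage; the users, departments, entitlement names and SoD rules are constructed for illustration, and mining roles from identical entitlement sets is one deliberately simple technique among several such tools offer.

```python
from collections import defaultdict

# Constructed sample data: user -> (department, granted entitlements).
# Names and entitlement identifiers are invented for illustration.
USERS = {
    "alice": ("AP", {"ERP:vendor_create", "ERP:invoice_entry"}),
    "bob":   ("AP", {"ERP:vendor_create", "ERP:invoice_entry"}),
    "carol": ("AP", {"ERP:vendor_create", "ERP:invoice_entry", "ERP:payment_release"}),
    "dave":  ("AP", {"ERP:invoice_entry", "ERP:vendor_create"}),
    "erin":  ("TREAS", {"ERP:payment_release", "BANK:wire_approve"}),
    "frank": ("TREAS", {"ERP:payment_release", "BANK:wire_approve"}),
}

# Constructed segregation-of-duties rules: entitlement pairs one person must not hold together.
SOD_RULES = [("ERP:vendor_create", "ERP:payment_release"),
             ("ERP:invoice_entry", "ERP:payment_release")]

def sod_violations(users=USERS, rules=SOD_RULES):
    """Compliance check (step 7): users holding both halves of an SoD rule."""
    found = []
    for user, (_, ents) in users.items():
        for a, b in rules:
            if a in ents and b in ents:
                found.append((user, a, b))
    return sorted(found)

def suspect_rights(users=USERS, threshold=0.5):
    """Audit step (step 6): an entitlement held by fewer than `threshold` of a
    department's members is flagged as suspect and queued for manager review."""
    by_dept = defaultdict(list)
    for user, (dept, ents) in users.items():
        by_dept[dept].append((user, ents))
    flagged = []
    for dept, members in by_dept.items():
        for user, ents in members:
            for ent in ents:
                share = sum(ent in m_ents for _, m_ents in members) / len(members)
                if share < threshold:
                    flagged.append((dept, user, ent))
    return sorted(flagged)

def mine_roles(users=USERS):
    """Role engineering (step 9): users with identical entitlement sets become one
    candidate role. Returns {frozenset(entitlements): sorted member list}. Run on
    polluted data (carol's extra right) it yields an extra singleton 'dirty' role."""
    roles = defaultdict(list)
    for user, (_, ents) in users.items():
        roles[frozenset(ents)].append(user)
    return {ents: sorted(members) for ents, members in roles.items()}
```

Running the cleansing checks first and removing the flagged right before mining collapses the candidate roles from three to two, which is the "cleanse before role engineering" point of steps 4 and 5.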