tag:blogger.com,1999:blog-12613717012132318952024-03-19T04:42:45.196+01:00GenericIAM.org BLOGThis BLOG is devoted to the work of the GenericIAM community. We aim at carving out generic processes for the discipline of Identity- & Access Management in order to ease life of all forthcoming implementors.Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.comBlogger29125tag:blogger.com,1999:blog-1261371701213231895.post-45582611849669043732023-05-04T22:42:00.000+02:002023-05-04T22:42:07.206+02:00What is your Alumni concept?<div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5mpyL_fZYmfoIfQr5IsNf3msmgeK7KOvVClFTED32Yytu5yzALzpySG-Q4ktC2Eu5iiGR5nLVCavi0qvjAyoVqZOLnwaiCA3ogPOnwHat75IG06nQ_7aEAbAOeZ1hf5P8eE1gehMgqhy7MDH_-Yt9ki-4-jDnGvzeqm9bNHwUrg8omXKGRmWrgw/s903/Francis%20Luis%20Mora,%20Evening%20News,%201914.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="903" data-original-width="673" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5mpyL_fZYmfoIfQr5IsNf3msmgeK7KOvVClFTED32Yytu5yzALzpySG-Q4ktC2Eu5iiGR5nLVCavi0qvjAyoVqZOLnwaiCA3ogPOnwHat75IG06nQ_7aEAbAOeZ1hf5P8eE1gehMgqhy7MDH_-Yt9ki-4-jDnGvzeqm9bNHwUrg8omXKGRmWrgw/w476-h640/Francis%20Luis%20Mora,%20Evening%20News,%201914.png" width="476" /></a> </span></div>
<hr />
<p style="text-align: center;"><i><span style="font-family: inherit;">When employees leave a company, often all contact between the company and them does not end abruptly. Instead, there are often follow-up obligations to be fulfilled by one or both sides. Perhaps there is a conscious desire to maintain and cultivate contact. In short, the ex-employee is managed as an alumnus, not ignored as a stranger. What is known about such alumni concepts? Which companies have implemented it? What precautions in terms of policies, processes and systems does a company have to take if it wants to introduce an alumni concept? </span></i></p>
<hr />
<h2 style="text-align: left;"><span style="font-family: inherit;">Introduction</span></h2>
<p><span style="font-family: inherit;">Alumni programs are increasingly common in companies that recognize the value of maintaining relationships with former employees. These initiatives aim to foster a sense of community, promote networking, and potentially benefit from the knowledge, skills, and connections of former employees. Some well-known companies with alumni programs include McKinsey, Deloitte, PwC, IBM, and Microsoft, among others. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">What has to be done?</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>Which components need to be in place in order for an alumni program to be professionally implemented? </i></span></p>
<p><span style="font-family: inherit;">When introducing an alumni concept, a company should consider the following policies, processes, and systems: </span></p>
<ol>
<li><span style="font-family: inherit;">Define the <b>objectives</b>: Clearly outline the goals of the alumni program, which could include networking, knowledge sharing, recruitment, business development, or maintaining a positive brand image. <br /><br /></span></li>
<li><span style="font-family: inherit;">Establish <b>policies</b>: Develop clear policies on eligibility, communication, and engagement. Determine which former employees can join the alumni network and establish guidelines for how members should interact with the company and each other.<br /><br /></span></li>
<li><span style="font-family: inherit;">Designate a <b>responsible</b> <b>team</b>: Assign a dedicated team or individual to manage the alumni program, ensuring regular communication, organization of events, and maintenance of the network.<br /><br /></span></li>
<li><span style="font-family: inherit;">Develop a <b>communication strategy</b>: Create a strategy for keeping alumni informed about company news, updates, and events. This may involve a mix of email newsletters, social media, or a dedicated alumni portal on the company website.<br /><br /></span></li>
<li><span style="font-family: inherit;">Organize <b>events</b>: Plan and host regular events, both virtual and in-person, to facilitate networking and knowledge sharing among alumni and current employees. These events can include seminars, workshops, social gatherings, or webinars.<br /><br /></span></li>
<li><span style="font-family: inherit;">Offer <b>benefits</b>: Provide incentives for alumni to stay engaged, such as access to exclusive resources, training, or job opportunities within the company. Some companies even offer special alumni discounts on products or services.<br /><br /></span></li>
<li><span style="font-family: inherit;">Integrate with <b>HR</b> and recruitment: Collaborate with HR and recruitment teams to leverage the alumni network for talent acquisition, referrals, or rehiring of former employees with valuable skills.<br /><br /></span></li>
<li><span style="font-family: inherit;">Measure <b>success</b>: Regularly evaluate the effectiveness of the alumni program by tracking key performance indicators (KPIs), such as the number of active members, event attendance, referrals, or business leads generated through the network.<br /><br /></span></li>
<li><span style="font-family: inherit;">Maintain <b>data privacy</b>: Ensure that the company complies with data privacy regulations and respects the privacy preferences of alumni members. This may involve obtaining consent for communication, providing options to opt-out, and securely storing personal data.<br /><br /></span></li>
<li><span style="font-family: inherit;">Encourage a <b>culture of support</b>: Promote a positive and inclusive atmosphere that values the contributions of alumni and encourages current employees to engage with and support the alumni network.</span></li>
</ol>
<p><span style="font-family: inherit;">Implementing an alumni program can be an effective way to strengthen relationships with former employees and potentially benefit from their skills, knowledge, and connections. By taking these precautions in terms of policies, processes, and systems, a company can successfully introduce and manage an alumni concept. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">What are the benefits?</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>Are there tangible benefits for corporations associated with the implementation of an alumni concept? </i></span></p>
<p><span style="font-family: inherit;">There are tangible benefits for corporations associated with the implementation of an alumni concept beyond occasional re-hiring. A well-executed alumni program can have a positive impact on the company's bottom line and even make a strong business case. Here are some key benefits that can contribute to a business case for an alumni program: </span></p>
<ol>
<li><span style="font-family: inherit;"><b>Talent Acquisition and Referrals</b>: Alumni can serve as valuable referral sources for new talent, helping the company identify high-quality candidates who may be a good fit for open positions. This can reduce recruitment costs and time to hire. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Business Development</b>: Former employees who work in other companies or industries can refer new clients or business opportunities to their former employers. This can help drive revenue growth and expand the company's client base. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Brand Ambassadors</b>: Alumni can act as brand ambassadors, promoting the company's reputation and strengthening its employer brand in the talent market. A positive image can attract high-quality candidates and improve overall recruitment efforts. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Knowledge Sharing and Innovation</b>: Alumni networks can facilitate the exchange of ideas, insights, and expertise between former employees and current staff members. This can help foster innovation, improve decision-making, and keep the company informed about industry trends and best practices. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Collaborative Partnerships</b>: Alumni can become strategic partners, offering their skills, expertise, or resources to support the company's projects or initiatives. This can lead to new business opportunities, joint ventures, or collaborations that drive growth and innovation. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Training and Mentorship</b>: Former employees with specialized skills and experience can provide training or mentorship to current employees. This can help develop the skills and capabilities of the workforce, leading to increased productivity and performance. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Alumni Re-hiring</b>: As mentioned earlier, re-hiring former employees can save on recruitment and onboarding costs, and these employees often have shorter ramp-up times due to their familiarity with the company culture and operations. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Community Engagement</b>: A strong alumni program can foster a sense of community and goodwill, leading to increased engagement among current employees, stronger company culture, and improved employee retention. </span></li>
</ol>
<p><span style="font-family: inherit;">To make a business case for an alumni program, companies can quantify the potential benefits in terms of cost savings, revenue growth, and other performance indicators. By demonstrating the tangible benefits and return on investment, organizations can justify the resources needed to implement and maintain a successful alumni program. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">Who benefits?</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>Do some companies benefit more than others? </i></span></p>
<p><span style="font-family: inherit;">There is evidence to suggest that some companies may benefit more from the implementation of an alumni concept than others. The extent of the benefits depends on several factors, including the nature of the industry, company culture, workforce structure, and business objectives. Here are some factors that can influence the success and impact of an alumni program: </span></p>
<ol>
<li><span style="font-family: inherit;"><b>Industry</b>: Companies in industries with a high demand for specialized skills or rapid innovation, such as technology, consulting, or finance, may benefit more from an alumni network as they can tap into a pool of experienced professionals who possess in-demand expertise. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Company Culture</b>: Companies with a strong, positive culture that fosters long-term relationships and values employee contributions are more likely to benefit from an alumni program. Alumni from such organizations may feel a stronger sense of loyalty and connection, which can lead to increased engagement and collaboration. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Workforce Structure</b>: The influence of workforce structure, characterized by skill level, experience, age, and blue-collar vs. white-collar workers, can also impact the effectiveness of an alumni program. Companies with a predominantly white-collar workforce, higher skill levels, and more experienced professionals may benefit more from an alumni network, as these individuals may be better positioned to contribute to knowledge sharing, referrals, and business development. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Turnover Rate</b>: Organizations with high employee turnover may benefit more from an alumni program, as they can maintain relationships with former employees and leverage their expertise, connections, or referrals to fill open positions or address skills gaps. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Size of the Organization</b>: Larger organizations with more employees and a more extensive network of former employees may benefit more from an alumni program due to the broader reach and potential impact of their alumni community. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Business Objectives</b>: Companies that prioritize innovation, collaboration, and talent acquisition may benefit more from an alumni program, as these objectives align with the potential benefits of maintaining relationships with former employees. </span></li>
</ol>
<p><span style="font-family: inherit;">While these factors can influence the success of an alumni program, it's important to note that the program's design, management, and engagement strategies also play a critical role in determining its impact. </span></p>
<p><span style="font-family: inherit;">Companies that invest in creating a well-structured and engaging alumni program tailored to their unique needs and objectives are more likely to realize the potential benefits, regardless of the industry or workforce structure. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">Is there System Support?</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>Are there systems for Alumni support on the market? </i></span></p>
<p><span style="font-family: inherit;">Several companies offer products or services to support corporate alumni programs and processes. These providers typically offer platforms or software solutions that help organizations manage alumni networks, communication, events, and engagement activities. Some of these companies include: </span></p>
<ol>
<li><span style="font-family: inherit;"><b>EnterpriseAlumni</b>: EnterpriseAlumni is a leading alumni management platform that enables organizations to engage with their alumni community, providing tools for communication, event management, content sharing, and reporting. The platform also supports talent acquisition, business development, and collaboration features. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>IntraWorlds</b>: IntraWorlds offers a comprehensive alumni management solution that includes customizable alumni portals, communication tools, event management, and analytics. The platform is designed to help organizations build and maintain relationships with their alumni community, fostering collaboration and driving business outcomes. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Graduway</b>: Graduway is a provider of alumni engagement and mentoring software, helping organizations build and manage their alumni networks. Their platform includes tools for communication, event management, mentoring, and analytics, as well as integrations with popular CRM and HR systems. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Almabase</b>: Almabase is an all-in-one alumni management platform designed to help organizations create and maintain an engaged alumni community. The platform offers features such as alumni directories, event management, email marketing, fundraising, and reporting, along with integrations with various CRM and HR systems. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>360Alumni</b>: 360Alumni offers an alumni engagement platform with features such as alumni directories, event management, email marketing, and fundraising tools. The platform is designed to help organizations build and maintain strong relationships with their alumni community. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Tassl</b>: Tassl is an alumni engagement platform that provides organizations with tools to manage alumni networks, events, communication, and collaboration. The platform supports features such as mentoring, job boards, and community building, as well as integrations with popular CRM and HR systems. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>PeopleGrove</b>: PeopleGrove offers a platform designed to support alumni networks, mentoring programs, and community engagement. Their solution includes features such as personalized portals, communication tools, event management, and analytics, along with integrations with various CRM and HR systems. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Vaave</b>: Vaave is an alumni management platform that helps organizations build and maintain relationships with their alumni community. The platform offers features such as alumni directories, event management, email marketing, fundraising, and reporting, as well as integrations with popular CRM and HR systems. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Alumni Channel</b>: Alumni Channel provides a web-based alumni management solution that helps organizations create, manage, and maintain their alumni networks. Their platform includes tools for communication, event management, directories, and reporting. </span></li>
</ol>
<p><span style="font-family: inherit;">These companies offer products and services that support alumni processes, making it easier for organizations to manage their alumni networks, engage with former employees, and leverage the potential benefits of an alumni program. </span></p>
<p><span style="font-family: inherit;">In addition, Okta, Inc., the San Francisco based identity provider, is known for supporting alumni scenarios through the software it offers. </span></p>
<p><span style="font-family: inherit;">When selecting an alumni management platform, it's essential to consider factors such as features, scalability, integration capabilities, and pricing to ensure the solution meets the organization's specific needs and objectives. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">What signals to watch?</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>Are there signals to watch, leading to the conclusion that an alumni concept might be worth a closer look? </i></span></p>
<p><span style="font-family: inherit;">A closer look at the process of a person leaving the company may already reveal a fine structure that leads to a differentiated treatment of the individual cases. </span></p>
<p><span style="font-family: inherit;">This fan-out of caring options indicates that there might be a status in between being an active employee and having terminated all relationships between both parties, as the example below demonstrates. </span></p>
<p><span style="font-family: inherit;">While all of the following cases are recorded with status “terminated” or “permanently inactive” in the Human Resources department, variants may be maintained that lead to different actions following an employee’s active period. </span></p>
<p><span style="font-family: inherit;">Will there be a relationship maintained between the corporation and the individual, when … </span></p>
<ul>
<li><span style="font-family: inherit;">The person is regularly <b><i>retired</i></b>? ➤ Yes, there might be a pension scheme to follow <br /><br /></span></li>
<li><span style="font-family: inherit;">The contract is <b><i>terminated</i></b> for other reasons? ➤ No, once all legal obligations are fulfilled <br /><br /></span></li>
<li><span style="font-family: inherit;">The person is on <b><i>paid leave</i></b>? ➤ Yes, obviously payments still have to be made <br /><br /></span></li>
<li><span style="font-family: inherit;">The person is reported as a “<b><i>No Show</i></b>”? ➤ No, there is no longer a legal basis to keep any records <br /><br /></span></li>
<li><span style="font-family: inherit;">The person enters <b><i>early retirement</i></b> due to special local ruling? ➤ Yes, similar to regular retirement, but stricter rules apply <br /><br /></span></li>
<li><span style="font-family: inherit;">The person is in the passive phase of a <b><i>partial Retirement</i></b>? ➤ Yes, as some special part-time pension scheme applies here <br /><br /></span></li>
<li><span style="font-family: inherit;">“Persona <b>non grata</b>”? ➤ Well, no, in this case there is no desire to maintain a relationship, due to possibly unpleasant events in the past. <br /><br /></span></li>
<li><span style="font-family: inherit;">Long Term <b>Account</b>? ➤ Yes, in this special case, where working time can be flexibly deposited on a kind of “savings account” and drawn on before retirement, the path finally leads to case #1 (retired). </span></li>
</ul>
<p><span style="font-family: inherit;">Several of these examples already send weak signals that it is justified to consider introducing an intermediate status between being an active member and having terminated all relationships: the status “alumnus”. </span></p>
<p><span style="font-family: inherit;">But there are more reasons for taking the management of a corporation’s alumni into consideration. Several external factors are currently driving corporations towards the implementation of an alumni concept: the changing talent market, the rising cost of personnel fluctuation, digital transformation, and a general cultural shift. </span></p>
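<p><span style="font-family: inherit;">From an IAM point of view the decision table above is a leaver process with three target states instead of two. The following Python is an added example, not code from the original post or from the GenericIAM community: it maps each HR leave reason to either “alumnus” or “terminated”, revokes every internal entitlement before the state flips, and offers an invariant an access review can run. The entitlement names (<code>vpn</code>, <code>mail</code>, <code>alumni-portal</code>, <code>pension-self-service</code>), the <code>ALUMNI_ALLOWED</code> set and the <code>records:*</code> and <code>flag:do-not-contact</code> actions are assumptions made for the example. </span></p>

```python
"""Leaver handling with an explicit "alumnus" identity state.

Maps the HR leave reasons listed in the post to a target identity state and to
the entitlement actions the provisioning layer has to execute. The entitlement
names, the ALUMNI_ALLOWED set and the record-handling and flag actions are
assumptions made for this example, not taken from the post.
"""
from dataclasses import dataclass, field
from enum import Enum


class HrEvent(Enum):
    RETIRED = "retired"
    TERMINATED = "terminated"
    PAID_LEAVE = "paid_leave"
    NO_SHOW = "no_show"
    EARLY_RETIREMENT = "early_retirement"
    PARTIAL_RETIREMENT_PASSIVE = "partial_retirement_passive"
    PERSONA_NON_GRATA = "persona_non_grata"
    LONG_TERM_ACCOUNT = "long_term_account"


class IdentityState(Enum):
    ACTIVE = "active"
    ALUMNUS = "alumnus"        # relationship maintained, no internal access
    TERMINATED = "terminated"  # nothing beyond remaining legal obligations


# Decision table from the post: is a relationship maintained after leaving?
RELATIONSHIP_MAINTAINED = {
    HrEvent.RETIRED: True,
    HrEvent.TERMINATED: False,
    HrEvent.PAID_LEAVE: True,
    HrEvent.NO_SHOW: False,
    HrEvent.EARLY_RETIREMENT: True,
    HrEvent.PARTIAL_RETIREMENT_PASSIVE: True,
    HrEvent.PERSONA_NON_GRATA: False,
    HrEvent.LONG_TERM_ACCOUNT: True,
}

# Assumption: the only entitlements an alumnus may hold. Everything else
# (VPN, mail, repositories, ...) counts as internal and has to be revoked.
ALUMNI_ALLOWED = frozenset({"alumni-portal", "pension-self-service"})


@dataclass
class Identity:
    uid: str
    state: IdentityState = IdentityState.ACTIVE
    entitlements: set = field(default_factory=set)


def process_leaver(identity: Identity, event: HrEvent) -> list:
    """Transition an active identity on an HR leave event.

    Mutates the identity and returns the ordered list of actions for the
    provisioning layer. Revocations come first, so that a crash after them
    can never leave an alumnus with internal access.
    """
    if identity.state is not IdentityState.ACTIVE:
        raise ValueError(f"{identity.uid}: leaver event on non-active identity")

    maintained = RELATIONSHIP_MAINTAINED[event]
    keep = identity.entitlements & ALUMNI_ALLOWED if maintained else set()

    actions = [f"revoke:{e}" for e in sorted(identity.entitlements - keep)]
    identity.entitlements = set(keep)

    if maintained:
        # Alumnus: one scoped entry point to the company, nothing internal.
        if "alumni-portal" not in identity.entitlements:
            actions.append("grant:alumni-portal")
            identity.entitlements.add("alumni-portal")
        actions.append("records:retain")
        identity.state = IdentityState.ALUMNUS
    else:
        # No show: the post states there is no legal basis to keep records.
        # Other terminations: keep records until legal obligations are met.
        actions.append("records:delete" if event is HrEvent.NO_SHOW
                       else "records:retain-until-obligations-met")
        if event is HrEvent.PERSONA_NON_GRATA:
            actions.append("flag:do-not-contact")  # assumed program exclusion
        identity.state = IdentityState.TERMINATED
    return actions


def check_least_privilege(identity: Identity) -> bool:
    """Invariant for access reviews: alumni hold only alumni entitlements,
    terminated identities hold none."""
    if identity.state is IdentityState.ALUMNUS:
        return identity.entitlements <= ALUMNI_ALLOWED
    if identity.state is IdentityState.TERMINATED:
        return not identity.entitlements
    return True


if __name__ == "__main__":
    # Constructed sample identity, not real data.
    sample = Identity("u1", entitlements={"vpn", "mail", "pension-self-service"})
    for action in process_leaver(sample, HrEvent.RETIRED):
        print(action)
    print(sample.state, sorted(sample.entitlements), check_least_privilege(sample))
```

<p><span style="font-family: inherit;">The point of the ordering is that the alumnus state is a reduced identity, not a paused one: internal entitlements are gone before the record is relabelled, and <code>check_least_privilege</code> gives recertification a one-line test that no alumnus has drifted back into internal access. </span></p>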
<ol>
<li><span style="font-family: inherit;">Changing <b>Talent Market</b>: The talent market has become increasingly competitive, with companies vying for the best talent to drive innovation and growth. The alumni concept enables corporations to tap into a pool of skilled and experienced professionals, who are already familiar with the company culture and operations. This can help businesses address skills gaps, reduce the time and cost of recruitment, and secure high-quality referrals. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Rising Cost</b> of Personnel Fluctuation: High employee turnover can be costly for organizations, as they need to invest in recruitment, onboarding, and training for new hires. By implementing an alumni program, companies can maintain relationships with former employees, which may lead to rehiring or referrals of suitable candidates. This can help reduce the costs associated with personnel fluctuation and ensure a smoother transition during periods of change. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Digital Transformation</b>: The rapid pace of digital transformation has increased the demand for employees with specialized skills in areas such as data analysis, artificial intelligence, and cybersecurity. The alumni concept can help organizations stay connected with former employees who have developed these skills and may be interested in returning or collaborating on projects. Additionally, alumni networks can facilitate knowledge sharing and innovation, as former employees contribute their expertise and insights gained from other industries or companies. <br /><br /></span></li>
<li><span style="font-family: inherit;">General <b>Cultural Shift</b>: There has been a cultural shift towards valuing long-term relationships and recognizing the potential benefits of maintaining connections with former employees. Companies are increasingly acknowledging the contributions of alumni and the role they can play in driving business success. This shift is driving the adoption of alumni programs as a way to foster goodwill, promote brand loyalty, and leverage the expertise </span></li>
</ol>
<p><span style="font-family: inherit;">All four of these external factors are likely to be felt in different corporations to a varying degree. However, they would need confirmation through thorough research centered around feedback from those departments of a company that are potentially exposed to these external factors. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">Call to action</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>What should be done next? </i></span></p>
<p><span style="font-family: inherit;">If your company is thriving in an industry sector with a high demand for specialized skills or rapid innovation, if its workforce consists predominantly of white-collar workers with higher skill levels and more experienced professionals, and if it prioritizes innovation, collaboration, and talent acquisition, then it may benefit more substantially from an alumni program than others. </span></p>
<p><span style="font-family: inherit;">The considerations laid out in this paper were triggered by the necessity to find a conceptual foundation for a variety of follow-up activities in case a person leaves a company’s ecosystem. However, the full potential of maintaining an appropriate relationship with former members of the community, whether they were employees, apprentices, contingent workers or even external contributors, will only be unleashed if the full concept is implemented. </span></p>
<p><span style="font-family: inherit;">A good start would be a six-week pre-study resulting in a fully fleshed-out implementation plan. This preliminary study should cover the first four points of the implementation plan outlined below, plus the effort, elapsed time, costs and manpower involved. </span></p>
<h2 style="text-align: left;"><span style="font-family: inherit;">Proposed implementation plan</span></h2>
<p><span style="color: #2b00fe; font-family: inherit;"><i>What could a typical plan for the introduction of an alumni concept look like? </i></span></p>
<p><span style="font-family: inherit;">Introducing an alumni program requires a strategic approach, with a clear plan and timeline to ensure its successful implementation. Here's a typical plan for the introduction of an alumni concept and its maintenance once all processes and systems are up and running (points 10 to 12): </span></p>
<ol>
<li><span style="font-family: inherit;">Conduct a <b>Needs Assessment</b> and set<b> Objectives</b>: Evaluate the potential benefits and goals of the alumni program by identifying the company's needs and priorities. Define clear objectives, such as knowledge sharing, recruitment, business development, or networking. <br /><br /></span></li>
<li><span style="font-family: inherit;">Obtain <b>Management Buy-In</b>: Present the proposed alumni program to key stakeholders and obtain management support. Clearly communicate the benefits and objectives of the program and demonstrate how it aligns with the company's overall strategy. <br /><br /></span></li>
<li><span style="font-family: inherit;">Define <b>Policies and Guidelines</b>: Establish policies and guidelines for the alumni program, addressing issues such as eligibility criteria, data privacy, confidentiality, and the scope of benefits and services provided to alumni. <br /><br /></span></li>
<li><span style="font-family: inherit;">Appoint a <b>Program Manager </b>or<b> Team</b>: Designate a dedicated team or individual(s) to manage the alumni program. This team will be responsible for coordinating communication, events, and other program activities. <br /><br /></span></li>
<li><span style="font-family: inherit;">Develop a <b>Communication Plan</b>: Create a communication plan that outlines the channels and frequency of communication with alumni. This may include newsletters, social media groups, or a dedicated alumni portal. <br /><br /></span></li>
<li><span style="font-family: inherit;">Design the <b>Alumni Engagement Strategy</b>: Develop a strategy for engaging alumni through various activities and opportunities, such as events, webinars, networking sessions, mentorship programs, or training and development resources. <br /><br /></span></li>
<li><span style="font-family: inherit;">Implement <b>Data Privacy </b>and<b> Security Measures</b>: Ensure compliance with relevant data privacy regulations and establish data retention policies. Implement secure systems for storing and managing alumni data. <br /><br /></span></li>
<li><span style="font-family: inherit;">Collaborate with <b>HR</b> and <b>Talent Acquisition</b> Teams: Integrate the alumni program with HR and talent acquisition processes to leverage the alumni network for referrals, rehiring, and mentorship opportunities. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Launch</b> the Alumni Program: Announce the launch of the alumni program to current and former employees. Invite eligible alumni to join the program and provide clear instructions on how to participate. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Execute</b> the Engagement Strategy: Begin implementing the planned engagement activities, such as hosting events, sharing newsletters, and organizing networking sessions. Monitor participation and gather feedback to improve the program. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Track</b> Performance Metrics: Measure the success of the alumni program by tracking key metrics, such as the number of participants, event attendance, referrals, and business partnerships generated through the alumni network. <br /><br /></span></li>
<li><span style="font-family: inherit;"><b>Review</b> and <b>Refine</b> the Program: Regularly review the alumni program to ensure it remains relevant and engaging. Update the program based on feedback, performance metrics, and changing company objectives. </span></li>
</ol>
<p><span style="font-family: inherit;">By following this plan, companies can create a well-structured alumni program that maintains strong relationships with former employees and leverages the potential benefits of their experience, knowledge, and connections. </span></p>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-465242816052863922023-05-03T07:16:00.000+02:002023-05-03T07:16:54.113+02:00On Total Workforce Management (TWM) <p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdd6EXhaWSwlrV0ic58tvWZAUVuP-iUBm0OWNCzFgzON4auvlpjnwHJHv3n3-KrYWGBwORo_N2zrAAWtOIkEylrIYRRKgGXuibU_tBLeS1XybxMasDjxuZQOoGaPxxgUk5yWZydA0okz5X6CuSqBcuItRc7nK1wimTBCuqhwpLFQ-n6FZ8G20KrA/s4408/preview00_large%20(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2950" data-original-width="4408" height="429" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdd6EXhaWSwlrV0ic58tvWZAUVuP-iUBm0OWNCzFgzON4auvlpjnwHJHv3n3-KrYWGBwORo_N2zrAAWtOIkEylrIYRRKgGXuibU_tBLeS1XybxMasDjxuZQOoGaPxxgUk5yWZydA0okz5X6CuSqBcuItRc7nK1wimTBCuqhwpLFQ-n6FZ8G20KrA/w640-h429/preview00_large%20(1).jpg" width="640" /></a></div><br /> <p></p><p class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span class="MsoIntenseEmphasis"><i><span style="color: #2b00fe;">Why the concept of Total
Workforce Management symbiotically complements the Alumni concept.</span></i><o:p></o:p></span></p>
<h1>Introduction</h1>
<p>Total Workforce Management (TWM) is a strategic approach to managing an organization's entire workforce: full-time employees, part-time employees, temporary workers, freelancers and contractors, regardless of whether they work on site or remotely. The main goal of TWM is to optimize workforce productivity, reduce costs, and improve overall business performance by aligning workforce planning with the organization's strategic objectives. TWM takes a <b>holistic view</b> of workforce management, addressing the needs of all worker categories and considering the <b>entire employee lifecycle</b> from hiring to retirement or departure, and, once an alumni concept is in place, beyond it.</p>
<h1>Elements of Total Workforce Management</h1>
<p class="MsoNormal"><i><span style="color: #2b00fe;">What are the characterizing components of Total Workforce Management?</span></i></p>
<p>Key aspects of Total Workforce Management include:</p>
<ol start="1" type="1">
<li><b>Workforce Planning</b>: TWM involves a comprehensive analysis of the organization's current workforce, its future workforce requirements, and potential gaps in skills or resources. This helps organizations identify where they need to recruit, upskill, or reskill employees to meet business objectives.</li>
<li><b>Talent Acquisition</b>: TWM encompasses the process of attracting, recruiting, and hiring the right talent for the organization. This includes strategies for sourcing candidates, employer branding, and efficient selection processes.</li>
<li><b>Talent Management</b>: TWM includes performance management, employee engagement, career development and succession planning, and is eventually complemented by Alumni Management. These elements ensure that employees are well equipped to contribute to the organization's success and have a clear path for career growth.</li>
<li><b>Learning and Development</b>: A crucial aspect of TWM is continuous investment in the development of employees' skills and competencies, which enables the workforce to adapt to changing business needs and remain competitive.</li>
<li><b>Compensation and Benefits</b>: TWM encompasses the development and management of compensation and benefits programs, ensuring they are competitive, fair, and aligned with business objectives.</li>
<li><b>Compliance and Risk Management</b>: TWM involves managing compliance with labour laws, regulations, and industry standards, as well as mitigating workforce-related risks.</li>
<li><b>Workforce Analytics</b>: TWM leverages data and analytics to gain insights into workforce performance, productivity, and trends, enabling organizations to make informed decisions about workforce planning, talent management, and resource allocation.</li>
<li><b>Technology and Automation</b>: TWM incorporates technology and automation tools to streamline workforce management processes, improve efficiency, and reduce costs.</li>
<li><b>Alumni Management</b>: At the crossroads of Talent Acquisition, Talent Management and Reputation Management lies the management of alumni, i.e. former members of the corporate ecosystem. Alumni Management has merits of its own and deserves a separate conceptual treatment.</li>
</ol>
<p>By adopting a Total Workforce Management approach, organizations can optimize their workforce to achieve strategic objectives, increase employee engagement, and maintain a competitive advantage in their target market as well as in the talent market. TWM requires collaboration between HR, general management, and other key stakeholders such as Business Process Management and Identity &amp; Access Management, to ensure that workforce planning and management align with the organization's overall strategy and goals. For Identity &amp; Access Management this has a concrete consequence: every worker category, not only the payroll employees known to the HR system, needs an authoritative source record, so that joiner, mover and leaver events for contractors, temporary staff and alumni trigger provisioning and, above all, timely de-provisioning of access.</p>
<h1>What are the benefits?</h1>
<p class="MsoNormal"><i><span style="color: #2b00fe;">What are the benefits of the TWM approach?</span></i></p>
<p>The Total Workforce Management (TWM) approach offers several benefits to organizations by providing a comprehensive and strategic view of their workforce. Some of the key benefits include:</p>
<ol start="1" type="1">
<li><b>Improved Workforce Optimization</b>: TWM helps organizations optimize their workforce by aligning human resources with business objectives, ensuring that the right people with the right skills are in the right roles at the right time.</li>
<li><b>Cost Savings</b>: By managing the entire workforce more effectively, organizations can identify areas for cost reduction and efficiency improvements, such as optimizing labour costs, reducing employee turnover, and minimizing recruitment expenses.</li>
<li><b>Increased Flexibility and Adaptability</b>: TWM enables organizations to respond quickly to changing business needs, market conditions, and workforce trends. By taking a proactive approach to workforce planning, companies can adapt their workforce to meet new challenges and opportunities.</li>
<li><b>Enhanced Employee Engagement</b>: A TWM approach focuses on employee development, engagement, and satisfaction. By creating a supportive work environment and offering opportunities for growth and development, organizations can improve employee engagement, which in turn can lead to higher productivity and reduced turnover.</li>
<li><b>Better Talent Acquisition and Retention</b>: TWM helps organizations attract and retain top talent by focusing on employer branding, competitive compensation, and benefits packages. This can lead to a stronger talent pool and a more competitive position in the job market.</li>
<li><b>Improved Compliance and Risk Management</b>: TWM encompasses compliance with labour laws, regulations, and industry standards, helping organizations mitigate workforce-related risks and maintain a positive reputation.</li>
<li><b>Data-Driven Decision-Making</b>: By leveraging workforce analytics, TWM enables organizations to make informed, data-driven decisions about workforce planning, talent management, and resource allocation. This can lead to more effective and strategic decision-making. Limitations imposed by local privacy and employee data protection regulation have to be strictly observed, however.</li>
<li><b>Enhanced Collaboration</b>: TWM promotes collaboration between HR, management, and other key stakeholders, ensuring that workforce management aligns with the organization's overall strategy and goals. This can lead to more effective execution of business objectives and improved organizational performance.</li>
</ol>
<p>Overall, adopting a Total Workforce Management approach represents a step up in the process maturity of HR-related management processes. It can hence result in a more efficient, effective, and engaged workforce that is better equipped to meet the organization's strategic objectives and drive business performance.</p>
<h1>What challenges are to be expected?</h1>
<p class="MsoNormal"><i><span style="color: #2b00fe;">Is there, on the other hand, a downside to the introduction of TWM? Which challenges have to be expected during its implementation?</span></i></p>
<p>While Total Workforce Management (TWM) offers numerous benefits, there can be downsides and challenges associated with its implementation. Some of these challenges include:</p>
<ol start="1" type="1">
<li><b>Complexity</b>: Implementing TWM involves integrating multiple workforce management processes and systems, which can be complex and time-consuming. This requires a clear understanding of the organization's workforce structure, existing processes, and future requirements.</li>
<li><b>Organizational Resistance</b>: Changing existing workforce management practices can be met with resistance from employees and managers who are accustomed to current processes. Overcoming this resistance requires effective change management and communication to demonstrate the benefits of TWM and gain buy-in from stakeholders.</li>
<li><b>Resource Constraints</b>: Implementing TWM often requires additional resources, including technology, skilled personnel, and financial investment. Organizations may face challenges in securing the necessary resources and budget to support the implementation of TWM initiatives.</li>
<li><b>Data Quality and Integration</b>: Leveraging workforce analytics is an essential component of TWM, but it requires access to accurate, timely, and comprehensive data. Organizations may face challenges in gathering, integrating, and maintaining high-quality data from multiple sources, particularly for non-employee populations that are often tracked outside the HR system.</li>
<li><b>Technology Adoption</b>: Implementing TWM often involves the adoption of new technology tools and platforms to automate and streamline workforce management processes. This can pose challenges in terms of technology selection, integration with existing systems, and user adoption.</li>
<li><b>Skills Gap</b>: Implementing TWM may reveal skills gaps within the organization, requiring investment in training and development programs to upskill employees. Addressing these gaps can be challenging and may require significant time and resources.</li>
<li><b>Maintaining Consistency and Compliance</b>: Ensuring that TWM practices are consistent across the organization and compliant with labour laws, regulations, and industry standards can be challenging, particularly for large or geographically dispersed organizations.</li>
<li><b>Measuring Success</b>: Defining and measuring the success of TWM initiatives can be difficult, given the broad scope and complexity of the approach. Organizations may struggle to identify appropriate key performance indicators (KPIs) and to assess the impact of TWM on their overall business performance.</li>
</ol>
<p>To address these challenges, organizations should invest in change management, stakeholder engagement, and communication strategies, and allocate sufficient resources for implementation. Additionally, organizations should prioritize data quality and technology adoption, and consider partnering with external consultants or vendors with expertise in TWM to ensure a successful implementation.</p>
<h1>Whom to include?</h1>
<p class="MsoNormal"><i><span style="color: #2b00fe;">What types of employees should Total Workforce Management encompass?</span></i></p>
<p>Total Workforce Management (TWM) is designed to encompass all types of employees and non-employee workers within an organization. This holistic approach ensures that all aspects of workforce management are considered, providing a comprehensive view of the workforce and enabling organizations to optimize their resources. The types of workers that TWM should encompass include:</p>
<ol start="1" type="1">
<li><b>Full-time employees</b>: These are permanent employees who work a standard number of hours per week and receive a full range of employee benefits, such as health insurance, retirement plans, and paid time off.</li>
<li><b>Part-time employees</b>: Part-time employees work fewer hours per week than full-time employees and may have different benefits and entitlements. TWM should consider their unique needs and contributions to the organization.</li>
<li><b>Temporary employees</b>: These employees are hired for a specific period or project and may be employed directly by the organization or through a staffing agency. TWM should account for their short-term nature and specific skill sets.</li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l5 level1 lfo4; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Contract workers</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Contract workers are engaged on a contractual basis for a
specific project, task, or period. They may be self-employed or work for a
third-party contractor. TWM should consider their specialized skills and
the flexibility they provide to the organization.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l5 level1 lfo4; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Freelancers or independent
contractors:</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"> These are self-employed
individuals who provide services to clients, including organizations, on a
project or task basis. TWM should account for their expertise and the
potential cost savings of utilizing their services.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l5 level1 lfo4; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Remote or virtual employees</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: These employees work remotely, either from home or another
location outside of the organization's primary office. TWM should consider
the unique management and engagement strategies needed to support remote
workers effectively.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l5 level1 lfo4; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Interns or apprentices</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Interns and apprentices are typically engaged on a
temporary basis to gain work experience, training, or education in a
specific field. TWM should account for their development and potential
future contributions to the organization.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l5 level1 lfo4; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Contingent workforce:</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"> This category includes any non-employee workers who are
engaged on a temporary or project basis, such as consultants, advisors, or
gig workers. TWM should consider their specific skills, expertise, and the
flexibility they offer to the organization.<o:p></o:p></span></li>
</ol>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">By encompassing all types of workers
within Total Workforce Management, organizations can gain a comprehensive
understanding of their workforce, identify gaps and opportunities, and make
more informed decisions about workforce planning, talent management, and
resource allocation.<o:p></o:p></span></p>
<h1><span style="border: none windowtext 1.0pt; mso-border-alt: none windowtext 0cm; padding: 0cm;">Who did it before?<o:p></o:p></span></h1>
<p class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span class="MsoIntenseEmphasis"><span style="color: #2b00fe;"><i>Are there companies known to
have successfully implemented TWM?</i></span><o:p></o:p></span></p>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">While specific examples of companies
that have successfully implemented Total Workforce Management (TWM) are not
widely publicized, many large organizations have adopted TWM-like approaches to
manage their diverse workforce effectively. Companies that have developed
sophisticated workforce management strategies often share certain
characteristics, such as operating in highly competitive industries, having a
global presence, or managing complex and diverse workforces.<o:p></o:p></span></p>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Some examples of companies known for
their advanced workforce management practices include:<o:p></o:p></span></p>
<ol start="1" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l4 level1 lfo5; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">IBM</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: IBM has implemented a comprehensive workforce management
approach that encompasses various types of workers, including full-time
employees, contractors, and remote workers. They utilize data analytics
and AI-driven tools to optimize workforce planning, talent acquisition,
and employee engagement.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l4 level1 lfo5; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">General Electric (GE)</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: GE has long been recognized for its focus on human capital
management and has adopted a strategic approach to managing its global
workforce. Their workforce management practices include robust talent
acquisition, development, and retention strategies, as well as the use of
advanced analytics to drive decision-making.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l4 level1 lfo5; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Procter &amp; Gamble (P&amp;G)</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: P&amp;G is known for its strong focus on talent management
and has implemented strategic workforce planning practices to ensure they
have the right talent in place to drive business growth. Their approach
includes comprehensive talent acquisition, development, and retention
strategies, as well as a focus on diversity and inclusion.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l4 level1 lfo5; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Accenture</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: As a global consulting and professional services firm,
Accenture places a strong emphasis on managing its diverse workforce,
which includes full-time employees, contractors, and remote workers. They
utilize sophisticated workforce planning, talent management, and analytics
tools to optimize their human capital and drive business performance.<o:p></o:p></span></li>
</ol>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">While these companies may not
explicitly label their approach as "Total Workforce Management,"
their practices and strategies align with the principles of TWM. These examples
demonstrate that companies can successfully implement comprehensive workforce
management strategies to optimize their human capital, drive business growth,
and maintain a competitive edge in the market.<o:p></o:p></span></p>
<h1>Which steps are to be taken?<o:p></o:p></h1>
<p class="MsoNormal" style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span class="MsoIntenseEmphasis"><span style="color: #2b00fe;"><i>If a company intends to
introduce and implement TWM, which steps should be planned for, how long might
it take and which set of skills should be involved?</i></span><o:p></o:p></span></p>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Implementing Total Workforce
Management (TWM) in a global organization like Roehm, which operates in the
base chemicals industry and has 5,000 employees, can be a complex and
time-consuming process. However, by following a structured approach, the
company can successfully adopt TWM to optimize its workforce. Here's a
suggested plan, including steps, timeline, and skills required:<o:p></o:p></span></p>
<ol start="1" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Assess the current state</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Begin by evaluating the existing workforce management
practices, systems, and tools. Identify any gaps or areas for improvement.
This step may take 1-2 months and involve HR professionals, team leads,
and managers.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Define TWM objectives and
strategy:</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"> Align TWM with the company's overall
business objectives and develop a clear strategy that outlines the goals,
scope, and desired outcomes. This step may take 1-2 months and involve
senior management, HR leaders, and key stakeholders from various
departments.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Establish a TWM team</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Form a dedicated TWM team responsible for overseeing the
implementation process. This team should include HR professionals,
workforce planners, talent management experts, data analysts, and IT
specialists.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Develop a TWM framework</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Design a comprehensive TWM framework that encompasses all
aspects of workforce management, including workforce planning, talent
acquisition, talent management, learning and development, compensation and
benefits, compliance and risk management, and workforce analytics. This
step may take 3-6 months and involve HR professionals, subject matter
experts, and IT specialists.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Select and implement technology:</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;"> Identify and invest in appropriate technology tools and
platforms that support TWM processes, such as HRIS, workforce analytics,
and talent management systems. This step may take 3-6 months and involve
IT specialists, HR professionals, and technology vendors.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Develop and implement TWM
policies and processes</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Create standardized policies
and processes for all aspects of TWM, ensuring consistency across
subsidiaries and compliance with local labour laws and regulations. This
step may take 3-6 months and involve HR professionals, legal experts, and
local HR representatives from each subsidiary.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Train and engage stakeholders</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Provide training and support to managers, HR professionals,
and employees to ensure successful adoption of TWM practices. Develop
communication strategies to keep stakeholders informed and engaged
throughout the implementation process. This step may take 1-3 months and
involve HR professionals, trainers, and change management experts.<o:p></o:p></span></li>
<li class="MsoNormal" style="margin-bottom: 6.0pt; margin-top: 6.0pt; mso-list: l3 level1 lfo6; tab-stops: list 36.0pt;"><b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Monitor and evaluate progress</span></b><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">: Continuously monitor the implementation of TWM, track
progress against objectives, and adjust the approach as needed. Utilize
workforce analytics to measure the impact of TWM on workforce performance,
productivity, and overall business outcomes. This step may take 6-12
months and involve data analysts, HR professionals, and senior management.<o:p></o:p></span></li>
</ol>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">Overall, the implementation of TWM in
a large, global organization may take 12-24 months or longer, depending on the
complexity of the existing workforce management practices and the level of
change required. The process should involve a diverse set of skills, including
HR professionals, workforce planners, talent management experts, data analysts,
IT specialists, legal experts, and change management experts.<o:p></o:p></span></p>
<p style="margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 6.0pt;"><span style="mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin;">The results however may justify the
overall effort.<o:p></o:p></span></p>
<p>Horst Walther (http://www.blogger.com/profile/03381708015477095465)</p>
<hr />
<p>2023-03-28T16:17:00.001+02:00 (updated 2023-03-30T08:54:32.444+02:00)</p>
<h1>Role Modelling Guidelines</h1>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr05x7oY6vEtl6FyhbhSQGxZrfXOwGzO2JVjz4__ig3hHQLr1nNPZXStouU9D9-ObLZBT5I5-Rd3Rzkf_TNRRkxonkHZi8kqbawrzmcEY835iGLrsyiyhDlvHW0crhimrOwRP8cYgBJFhVrMb0p5TBHi-WV0-1Hg55QVhkxYAVjm3LtJgephI7aw/s717/people%20observances%20-%20painting.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="478" data-original-width="717" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr05x7oY6vEtl6FyhbhSQGxZrfXOwGzO2JVjz4__ig3hHQLr1nNPZXStouU9D9-ObLZBT5I5-Rd3Rzkf_TNRRkxonkHZi8kqbawrzmcEY835iGLrsyiyhDlvHW0crhimrOwRP8cYgBJFhVrMb0p5TBHi-WV0-1Hg55QVhkxYAVjm3LtJgephI7aw/s320/people%20observances%20-%20painting.jpg" width="320" /></a></div>
<h1>Roles – What we mean by the term</h1>
<p>According to a definition published by NIST
<a href="#_ftn1" name="_ftnref1" title=""> [1]</a>, a role is a job function or employment position to which people or other system entities may be assigned, or a set of named duties or job functions within an organization. </p>
<p>This definition clearly represents a business view. It is therefore a natural approach to define roles in business terms first. Hence the resulting business roles are to be owned by those who own the business itself.</p>
<p>A more technical perspective leads to the definition: A role is a collection of permissions in role-based access control, usually associated with a role or position within an organization. </p>
<p>Permissions are understood here as operations on objects. In the context of information technology, objects means information objects, since ultimately it is the information whose access needs to be controlled. Systems are needed only as a means to achieve that goal.</p>
<p>In order to use executable business roles in automated processes, the business view and the technical view need in the end to be combined, under the responsibility of the business role owner.</p>
<h1>How to design roles</h1>
<h3 style="text-align: left;">1. Start with the information objects</h3><p>The most common justification for access control is to protect sensitive corporate information, e.g. products, customers or contracts, against unsolicited disclosure or manipulation. Hence in these cases the information sensitivity class or information protection class determines the measures to be taken. </p>
<h3 style="text-align: left;">2. Name the operations</h3><p>Information objects are protected by blocking or restricting access to them. There are the basic maintenance operations create, read, update and delete (CRUD) and operations shaped by a business intent, like authorizing up to a certain amount or closing contracts with a certain customer group. These are the most basic business functions to be authorized. These operations on objects are also known as permissions.</p>
<h3 style="text-align: left;">3. Order the operations in a functional taxonomy</h3><p>All permanent business functions are to be ordered in a hierarchical enterprise model, usually called functional taxonomy or domain model. The functional taxonomy not only serves as the foundation for access control but may in addition be used for fine-grained cost controlling or serve as a basis for a digital twin of the corporation.</p>
<h3 style="text-align: left;">4. Package business functions to functional roles</h3><p>Business functions in the functional taxonomy may be referenced and assembled into functional roles according to documented job descriptions and/or common (good) practices used in operation. In case functional roles have to be created from scratch, basic activities taken out of business processes are a good starter, provided they represent an elementary session (one person, one time &amp; one location).</p>
<h3 style="text-align: left;">5. Form business roles by constraining functional roles</h3><p>Functional roles form the basic element of Role Based Access Control (RBAC) as defined by NIST. For practical use, however, they need to be further narrowed down by applying one or more constraints, as they offer too broad a range. Typical static constraints are location, hierarchical level, organisational unit, contract type, sales region, product family or customer group. There may be more static constraints as well as dynamic ones, which change over time, like device, time of the day, location of access (via mobile devices) or work status (on temporary leave or not). The resulting roles represent the central object of role-based access control and are called business roles. Up to here all tasks are defined in business terms and should be carried out by business people. No IT skills are required so far.</p>
<h3 style="text-align: left;">6. Identify the systems enabling the operations on objects</h3><p>As information objects are rarely manipulated directly but rather via systems, access control is done via these systems. But first the relevant information objects need to be linked to the systems which enable their disclosure or manipulation. To do this, sufficient system knowledge is required. </p>
<h3 style="text-align: left;">7. Subdivide the business roles into system roles</h3><p>Once the supporting systems are identified, they can be selected per business role. If there is more than one system supporting the business role, it can be split by system into system roles; otherwise business role and system role collapse, meaning they are simply identical. Often systems contain their own pre-built role model, which needs to be linked to the business role in a bottom-up process. In these cases it is not guaranteed that the business functions assembled and constrained in the business role will completely match the functions offered by the pre-built system roles. Creating system roles requires a joint effort of business people and technical staff.</p>
<h3 style="text-align: left;">8. Link the business functions to technical functions</h3><p>If not already done by assigning pre-built system roles in the previous step, the business functions now need to be assigned to the technical functions offered by the system. This has to be done system by system, resulting in a complete implementation of the business roles’ business functions as technical functions. Obviously this task is to be performed jointly by business people and technical staff as well.</p>
<h1>What types of roles will exist?</h1>
<p>As mentioned in the role design process, there are three major types of roles:</p>
<ol style="text-align: left;"><li>Functional roles,</li><li>Business roles and</li><li>System roles</li></ol>
<p>Functional roles are just a bundle of corporate functions.</p>
<p>Business roles are functional roles further narrowed down by applying constraints of different dimensions. </p>
<p>System Roles are business roles reduced to that part, which applies to just one system.</p>
<p>You might come across more, seemingly different role types, which however can be reduced to the existing ones. E.g. organisational roles are business roles with always the same very general function (e.g. employee or member), where only the two constraints organisational unit and location are varied. </p>
<h1>How to
<a name="_Hlk122100368">maintain a high role quality</a></h1>
<p>The entire role model of an enterprise needs an assigned responsible owner.</p>
<p>It is the owner’s responsibility to …</p>
<p></p><ul style="text-align: left;"><li>Scan for redundancies, detect, discuss and eventually remove them.</li><li>Define health metrics for the role model and keep records of their status.</li><li>Check for adherence to the naming conventions.</li><li>Check whether security breaches, SoD violations, SoD exceptions or business complaints could have been avoided by an improved role model.</li><li>Report the status of the role model on a regular basis.</li></ul><p></p>
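<p>The three role types and two of the health checks listed above, as an added example that is not part of the original post or of the GenericIAM model: functional roles as bundles of functions, business roles as a functional role plus constraints, system roles as the slice of a business role one system implements, and checks for naming-convention violations, redundant business roles and business functions no system role covers. The naming convention, the role and function names and the systems (ERP, Portal) are constructed for illustration.</p>

```python
import re
from dataclasses import dataclass

# Added example (not from the GenericIAM page): the three role types described
# above as small data classes, plus health checks a role-model owner would run.
# Role names, functions, systems and the naming convention are constructed.

# Constructed naming convention: type prefix, then CamelCase words joined by "_".
NAMING_RULE = re.compile(r"^(FR|BR|SR)_[A-Z][A-Za-z0-9]*(_[A-Z][A-Za-z0-9]*)*$")


@dataclass(frozen=True)
class FunctionalRole:
    """Functional role: just a bundle of corporate functions."""
    name: str
    functions: frozenset


@dataclass(frozen=True)
class BusinessRole:
    """Business role: a functional role narrowed down by constraints.
    constraints is a sorted tuple of (dimension, value) pairs, so it is hashable."""
    name: str
    functional_role: FunctionalRole
    constraints: tuple


@dataclass(frozen=True)
class SystemRole:
    """System role: the part of a business role that one system implements.
    covers lists the business functions this system role realises."""
    name: str
    business_role: BusinessRole
    system: str
    covers: frozenset


def naming_violations(roles):
    """Names of roles that do not follow the naming convention."""
    return sorted(r.name for r in roles if not NAMING_RULE.match(r.name))


def redundant_business_roles(business_roles):
    """Groups of business roles with identical content (same functional role,
    same constraints) under different names: candidates to discuss and remove."""
    groups = {}
    for br in business_roles:
        groups.setdefault((br.functional_role.name, br.constraints), []).append(br.name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def uncovered_functions(business_roles, system_roles):
    """Business functions of each business role that no system role implements,
    i.e. where the bottom-up link to (pre-built) system roles is incomplete."""
    covered = {br.name: set() for br in business_roles}
    for sr in system_roles:
        covered[sr.business_role.name].update(sr.covers)
    return {br.name: sorted(br.functional_role.functions - covered[br.name])
            for br in business_roles
            if br.functional_role.functions - covered[br.name]}


def build_sample_model():
    """Constructed sample: one functional role, four business roles, three system roles."""
    fr = FunctionalRole("FR_Payments",
                        frozenset({"create payment", "approve payment", "view account"}))
    de = (("location", "DE"), ("org_unit", "Treasury"))
    uk = (("location", "UK"), ("org_unit", "Treasury"))
    business_roles = [
        BusinessRole("BR_Payments_DE", fr, de),
        BusinessRole("BR_Treasury_Germany", fr, de),   # same content as BR_Payments_DE
        BusinessRole("BR_Payments_UK", fr, uk),
        BusinessRole("payments-uk-temp", fr, uk),      # violates the naming convention
    ]
    system_roles = [
        SystemRole("SR_Payments_DE_ERP", business_roles[0], "ERP",
                   frozenset({"create payment", "approve payment"})),
        SystemRole("SR_Payments_DE_Portal", business_roles[0], "Portal",
                   frozenset({"view account"})),
        SystemRole("SR_Payments_UK_ERP", business_roles[2], "ERP",
                   frozenset({"create payment", "approve payment"})),
    ]
    return business_roles, system_roles


def health_report():
    """The status a role-model owner would report for the sample model."""
    brs, srs = build_sample_model()
    return {
        "naming_violations": naming_violations(brs + srs),
        "redundant": redundant_business_roles(brs),
        "uncovered": uncovered_functions(brs, srs),
    }


if __name__ == "__main__":
    for key, value in health_report().items():
        print(key, value)
```

<p>Running the report on the constructed model flags the badly named role, the two pairs of business roles that only differ by name, and the UK business role whose "view account" function no system role implements; the German role is fully covered by its ERP and Portal system roles.</p>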
<h1>Who is responsible for roles?</h1>
<p>Next to the role model owner, there are role owners, who are typically responsible not just for a single role but for a bunch of roles.</p>
<p>For functional roles and business roles the role owners need to be business people.</p>
<p>For system roles the owners will be located most probably within information technology (IT).</p>
<p>For linking the business view on the roles with the technically offered functionality role owners of both sides need to meet in regular sessions or on demand.</p>
<h1>What other processes are associated with role modelling?</h1>
<p>Generally, there are three layers of processes; as with all business there are operational, managerial and governance processes …</p>
<h3 style="text-align: left;">1. Operational processes</h3>
<p>Assuming a common static role model is in use, the typical operational processes are assigning and revoking roles. For the regular standardised business jobs these processes should run in a fully automated way.</p>
<p>Only additional roles, which are not part of the pre-defined job descriptions, need to be assigned via a request and approval process.</p>
<h3 style="text-align: left;">2. Managerial processes</h3>
<p>The managerial layer encompasses all role maintenance processes including those mentioned in the chapter “How to design roles”. </p>
<p>Special care however has to be applied to role change and role deletion. </p>
<p>As long as roles are in use, any change may cause unwanted side effects. The involved risks may be reduced if role versioning is supported, so that the old version of a role which is subject to change stays unaffected and only new role assignments receive the current role content.</p>
<p>A deletion of roles is only appropriate once no references to the role exist any longer, i.e. it is no longer in use.</p>
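<p>Role versioning and the deletion guard described in the two paragraphs above, as an added example that is not part of the original post: a change to a role in use never alters the version already assigned but appends a new version that only new assignments receive, and deletion is refused while any assignment still references any version of the role. The role, its functions and the users are constructed.</p>

```python
from dataclasses import dataclass

# Added example (not from the GenericIAM page): role versioning and a deletion
# guard. Role names, functions and users are constructed.


@dataclass(frozen=True)
class RoleVersion:
    role: str
    version: int
    functions: frozenset


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    version: int   # pinned at assignment time, never silently moved


class RoleStore:
    def __init__(self):
        self._versions = {}      # role name -> {version number: RoleVersion}
        self.assignments = []

    def define(self, role, functions):
        if role in self._versions:
            raise ValueError(f"role {role} already exists; use change()")
        self._versions[role] = {1: RoleVersion(role, 1, frozenset(functions))}

    def current(self, role):
        versions = self._versions[role]
        return versions[max(versions)]

    def change(self, role, functions):
        """Append a new version; the old one stays untouched for existing assignments."""
        new_no = self.current(role).version + 1
        self._versions[role][new_no] = RoleVersion(role, new_no, frozenset(functions))
        return new_no

    def assign(self, user, role):
        """New assignments always receive the current version."""
        self.assignments.append(Assignment(user, role, self.current(role).version))

    def revoke(self, user, role):
        self.assignments = [a for a in self.assignments
                            if not (a.user == user and a.role == role)]

    def references(self, role):
        """Assignments still pointing at any version of the role."""
        return [a for a in self.assignments if a.role == role]

    def delete(self, role):
        """Deleting is only appropriate once no reference to the role exists."""
        refs = self.references(role)
        if refs:
            users = sorted({a.user for a in refs})
            raise RuntimeError(f"{role} is still in use by {users}; revoke first")
        del self._versions[role]

    def effective_functions(self, user):
        """Union of the functions of the exact versions assigned to the user."""
        out = set()
        for a in self.assignments:
            if a.user == user:
                out |= self._versions[a.role][a.version].functions
        return out


def versioning_demo():
    """Walk-through: assign v1, change the role, assign v2, attempt deletion."""
    store = RoleStore()
    store.define("BR_Payments_DE", {"create payment", "view account"})
    store.assign("alice", "BR_Payments_DE")          # pinned to version 1
    store.change("BR_Payments_DE",
                 {"create payment", "view account", "approve payment"})
    store.assign("bob", "BR_Payments_DE")            # receives version 2
    try:
        store.delete("BR_Payments_DE")
        deletion_blocked = False
    except RuntimeError:
        deletion_blocked = True
    return store, deletion_blocked


if __name__ == "__main__":
    store, blocked = versioning_demo()
    print("alice:", sorted(store.effective_functions("alice")))
    print("bob:  ", sorted(store.effective_functions("bob")))
    print("deletion blocked while in use:", blocked)
```

<p>In the walk-through alice keeps the two functions of version 1 although the role has since gained "approve payment", bob receives all three, and the delete attempt is refused until both assignments are revoked; moving an existing assignment to the new version is therefore an explicit revoke-and-assign, not a side effect of the change.</p>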
<h3 style="text-align: left;">3. Governance processes</h3>
<p>As governance is defined as “direction & oversight”, the mostly informal processes regarding role strategy are located here as well as all audit, re-certification, expiration and quality management processes, like the above-mentioned processes to maintain a high role quality.</p>
<div>
<br clear="all" />
<hr align="left" size="1" width="33%" />
<div id="ftn1">
<p>
<a href="#_ftnref1" name="_ftn1" title="">[1]</a> National Institute of Standards and Technology (NIST),
<a href="https://csrc.nist.gov/glossary/term/role">https://csrc.nist.gov/glossary/term/role</a></p> </div> </div>
<p>Horst Walther, 2018-12-19</p>
<h1>Identity Process Utopia</h1><div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoSubtitle">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-OcwZXOzmjk0/XBq4zxCh6gI/AAAAAAAArzk/TSIx5MVWgqUMZYUQjXY181yqVPG1YTMpQCLcBGAs/s1600/IdM_processes_220x220_t1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="220" data-original-width="220" src="https://4.bp.blogspot.com/-OcwZXOzmjk0/XBq4zxCh6gI/AAAAAAAArzk/TSIx5MVWgqUMZYUQjXY181yqVPG1YTMpQCLcBGAs/s1600/IdM_processes_220x220_t1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<h3 style="text-align: left;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-GB" style="color: #002060; mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">A light-hearted view at some idiosyncrasies
of naming processes in Identity & Access </span></span></i></b></h3>
<br />
<div class="MsoSubtitle">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-GB" style="color: #002060; mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></i></b></div>
<div class="MsoNormal" style="text-align: left;">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">A few of
you may know that process definition in general and Identity & Access
processes in particular are the special object of study for me since several
years already. As a tiny indication how serious I took this self-imposed duty
the formation of the standardisation initiative <a href="http://genericiam.org/">GenericIAM.org</a> may be taken. <o:p></o:p></span></span></div>
<div class="MsoNormal" style="text-align: left;">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">But before
I will impertinently demand of you to confront the insights and results of more
than a decennium of intellectual efforts, a more light-weight menu awaits you
here.</span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><o:p></o:p></span></span><span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">It all
started, when I stumbled across a process designated the “Rejoiner Process”.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">With utter
dismay I already had to experience the surging popularity of the Joiner, Mover
and Leaver Processes during the recent years.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Processes
should be named according to their essential property. This is trivial at first
and easily accepted. Essential business processes transform an initial state
into a target state, a source material into a desired result, maintain (create,
change or eliminate) an object - in computer science an information object.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Consequently,
they should carry exactly that essence in their name: "Achieve target
state", " Create result" or "Maintain object" - i.e. a
verb that characterizes the transformation and a noun that designates the
object to be transformed or which emerges from the transformation. This is how
canonical process designations are created.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Designations
like Joiner, Mover & Leaver more hint at the actors who perform the
activities, than to the activity itself. Moreover, the complete process chain
which encompasses the ‘onboarding’ of an individual to a corporation pertains
to typical traditional HR-processes. While the mere notion of ‘Human Resources’
is so yesterday and an approach addressing a corporation’s total workforce
would be more appropriate, we anyway have to accept that Identity Management
usually starts after <a href="https://www.linkedin.com/pulse/whos-going-wake-up-human-resources-horst-walther/">old-fashioned HR-processes</a> have had their lengthy run. And
Access Processes only start thereafter. So, a closer look anyway reveals a more
complex picture.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Nevertheless,
despite all fruitless complaining, the Joiner, Mover & Leaver found their
way into process reality. I fear, we henceforth have to live with them.
Realising this undeniable truth, I finally found my peace of mind.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">But then
the Rejoiner suddenly popped up in a low profile and low quality conceptual
corporate paper. The rationale behind that game-changing invention was that a
new hire in one of the group’s companies, who had once been employed by (or had some
other relationship with) the same or another of the group’s members, should be
given special treatment to reflect this continuity – as if this pre-employment
/ pre-relationship check shouldn’t be part of the regular onboarding anyway.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Driven by
strong inventive spirit and unlimited creativity the team soon gave birth to a
zoo of more exciting process variants. Yes, they come in all shapes, flavours
and colours. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Among the
artefacts which sprang from the mad scientists’ minds were: the Multiple Joiner,
the first Mover, the final Leaver, the Releaver (or reliever?). Obviously, the
Believer would be welcome. And what about the Rejoicer? In times of mass
layoffs certainly the Remover Process would make ultimate sense.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">In the end
- and after sustainably sobering out - we came to the common conclusion that it
would be best to better hit the undo-button and rollback to the state we were
in prior to the creative explosion and after passing through the ages of the
great process extinction and purge the Identity & Access process Utopia - the
Rejoiner included.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">To
diffidently voice my very personal concern: the spirit may have left the bottle
irreversibly however.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Take this
short story as a hint to stay tuned as more about the results of the
longstanding <a href="https://www.linkedin.com/groups/95319/">GenericIAM</a>-effort will soon be presented here. Unfortunately,
however it will represent heavier stuff than this tiny contribution.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="mso-ansi-language: EN-GB;"><span style="font-family: Verdana, sans-serif;">Meanwhile
all of you may enjoy the coming year end festivities.<o:p></o:p></span></span></div>
<br /></div>
<p>Horst Walther, 2017-08-21</p>
<h1>GDPR & Digital Transformation - What do they have in common?</h1><div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-yGXQT82t0oU/WZF_i6P0PXI/AAAAAAAAnaU/afrGAoqOKB0DoCOncVXOjYA1WPCf5hiPwCLcBGAs/s1600/BK_80x100_1.800_-Umbruch.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1286" data-original-width="1600" height="256" src="https://4.bp.blogspot.com/-yGXQT82t0oU/WZF_i6P0PXI/AAAAAAAAnaU/afrGAoqOKB0DoCOncVXOjYA1WPCf5hiPwCLcBGAs/s320/BK_80x100_1.800_-Umbruch.jpg" width="320" /></a></div>
At first sight nothing – you would say, except perhaps that both of them, the General Data Protection Regulation and the change imperative digital transformation, are currently hot topics in the public professional debate. And I would even agree – at least at first sight.<br />
<br />
When digging a bit deeper into the very nature of both concepts, the necessary preconditions, the resulting effects, we might feel compelled to paint a different picture. There might even be a common layer of overarching or underlying principles both concepts need to follow in order to be successfully implemented.<br />
<br />
<h3 style="text-align: left;">Digital Transformation</h3>
Much has been written about this fashionable term – not least by <a href="https://horst-walther.blogspot.de/2017/07/digital-confusion.html">myself</a>. So I will spare you elaborating at length and in depth about this topic. Let’s just focus on some characteristics to be further discussed in the course of this article.<br />
<br />
Here we define digital transformation being a transformation of a business aiming at a competitive advantage in its market by profoundly making use of latest digital technology.<br />
<br />
By latest technology we mean such, which has sufficiently matured to be seriously considered with acceptable risk as a foundation for the new transformed business.<br />
<br />
Like in the past this approach rarely results in re-inventing the business totally, rather more often than not it boils down to the automation of processes, previously done manually.<br />
<br />
Nevertheless meanwhile some change has occurred, some kind of the often cited transition from quantity to quality:<br />
<ul>
<li>Artificial intelligence, belittled for many years as a lab only technology, has grown up,</li>
<li>Advanced analytics, mature enough now for in-process decision taking,</li>
<li>Connecting ordinary “things” to the internet broadens the range of processes to automate</li>
<li>and some more</li>
</ul>
… have meanwhile evolved into powerful tools.<br />
<br />
By automating most of the operational layer, making most of the management layer obsolete, adding a new breed of change agents instead, and requiring a much more technology aware strategy process, nevertheless the entire corporation may hereby undergo a fundamental transformation.<br />
<br />
<h3 style="text-align: left;">GDPR</h3>
The General Data Protection Regulation (GDPR) apparently is quite a different story. <br />
<br />
The GDPR intends to strengthen and unify data protection for individuals within the European Union. It also addresses the export of personal data outside the EU. Citizens and residents benefit by getting back control over their personal data. For international business the unification of the regulation within the EU is a welcome side effect as it simplifies the regulatory environment.<br />
<br />
The GDPR is driven by some major underlying Principles relating to processing of personal data as expressed in its Article 5: lawfulness, fairness and transparency, purpose limitation, accuracy, storage limitation, integrity and confidentiality, accountability.<br />
<br />
While this sounds fine and most of us might intuitively agree to it, for enterprises there is reason to be concerned, as the regulation opens a new compliance frontier. Some of its requirements represent rather new concepts like 'privacy by design' and 'privacy by default', the right to data portability on request of the data subjects, explicit consent, minimal data, or the right to be forgotten, just to name a few.<br />
<br />
Hence complying with the regulation will require changes and enhancements deep in the practised processes and implemented data structures. In addition, regular risk assessments, called Data Protection Impact Assessments (DPIA) in GDPR, will become mandatory once you deal with ‘high risks’, e.g. sensitive personal data. Doubts are justified that both can be achieved within the few months left. Rather, it may need years of maturing, at least when starting from a low level of process maturity – which can safely be assumed in the majority of cases.<br />
<br />
The volume of the resulting activities may not be negligible either, as a recent Oliver Wyman survey of 1,500 British consumers revealed that as many as half of the respondents said they were already leaning toward reclaiming their information.<br />
<br />
Regarding the requirement to report a data breach to the supervisory authority within 72 hours, a recent <a href="https://www.veritas.com/content/dam/Veritas/docs/reports/gdpr-report-ch2-en.pdf">survey</a> illustrates this statement as it found that only 2% of responding companies actually appeared to be compliant, although almost half (48%) of the respondents reported that they were.<br />
<br />
In most cases this discrepancy is not due to unwillingness but due to severe deficits in the mere underpinnings. Most often no data encryption is applied by default, whether structure-retaining (pseudonymisation or tokenisation) or not. No company-wide and cross-process identity concept is implemented, no role-based or attribute-based access management, no executable security policies are in place.<br />
<br />
From the regulator’s perspective these are all elements of ordinary housekeeping which have to be in place to comply with GDPR. And they are as well a necessary precondition for any digital transformation.<br />
<br />
GDPR may drive digital transformation. Why so? Let’s randomly take one of the requirements as a small however important example: As mentioned above, GDPR obliges companies to report data breaches within 72 hours. If they cannot prove that the data were encrypted and the private keys have been sufficiently protected, they will face a severe fine. As traditionally reliable end-to-end data encryption, whether "at rest" or "in flight", was difficult to achieve and rather costly, new solutions need to be put in place: new processes, new software and most probably even new, specialised hardware. This might further drive the move towards cloud solutions, which in the end will turn out to offer higher security than in-house solutions.<br />
<br />
Thus we here have an example of GDPR paving the way for a further digital transformation, as vulnerabilities due to insufficient IT security measures are the major concerns, withholding the transformation towards truly digital corporations.<br />
<br />
Data portability and the right to be forgotten also are examples where the data architecture has to follow a holistic identity concept. It has to include all kinds of stakeholders like customers, vendors and all parts of the workforce – not just employees, hereby inflating the data volume by several orders of magnitude.<br />
<br />
Additionally, the relationship to planned, on-going and past business activities and to legal obligations must be reflected here, to be able to determine the purpose for which the data are actually held and to effortlessly decide if they can be safely deleted.<br />
<br />
The necessary defragmentation of the underlying data architecture and the explicit expression of relationships, which to date are often only implicitly stated in unrelated documents, can also be welcomed as an enabler for further automation.<br />
<br />
<h3 style="text-align: left;">Conclusion</h3>
With only a few months to go, GDPR seems to be by far more urgent to be taken seriously than any digital transformation. This impression is strongly supported by the looming penalties of up to 4% of annual global turnover or €20 Million (whichever is greater).<br />
<br />
Lagging behind the competition however is not much less of a threat. Market dynamics have increased considerably. While in the recent past it took about 20 years for a company to reach sufficient size for considerable market visibility, today it can well happen after one year. Meanwhile the corporate average life span has shrunk to about 12 years. These numbers might give the impression that missing the train in the realm of digital transformation might come with penalties of a similar order of magnitude.<br />
<br />
There is definitely no time to lose. The good news however is: doing both is not exactly double the work. There are several commonalities and reason to assume substantial synergies when addressing both of them.<br />
<br />
And by the way: Both have to be done anyway.<br /><br />
<h3 style="text-align: left;">Further readings and references …</h3>
<ul>
<li>General Data Protection Regulation: <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679">http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679</a></li>
<li>EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide: <a href="https://www.amazon.com/gp/product/1849288356/">https://www.amazon.com/gp/product/1849288356/</a></li>
<li>Understanding Privacy: <a href="https://www.amazon.com/gp/product/0674027728/">https://www.amazon.com/gp/product/0674027728/</a></li>
<li>NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): <a href="http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf">http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf</a></li>
</ul>
</div>
<p>Horst Walther, 2016-11-25</p>
<h1>Just the compliance issues …</h1><div dir="ltr" style="text-align: left;" trbidi="on">
<div>
During a long professional career a lot is supposed to happen along the intricate windings of our mortal life and hence some folklore piles up to be drawn from when telling our grandchildren our adventures.<br />
<br /></div>
<div>
Once upon a time, for example, there was a large corporation from the financial sector I was working for, for a while. One day the board of directors was confronted with some nasty audit findings, which would prevent them from being compliant with a considerable range of regulations.<br />
<br /></div>
<div>
As most of the findings were more or less related to IT security, the order to get things right immediately at no cost quickly trickled down the long command chain (well, as I told you, it was a large and prestigious corporation) until it finally pounded the desk of the chief information security officer, also known as CISO in the corporate jargon.<br />
<br /></div>
<div>
For those who are not familiar with the tribal rites of large corporations, I would like to reveal a common habit. If new and challenging problems arise on corporate level, which can neither be ignored nor annihilated through a one-time bold & swift strike by top management, but need long and tedious work on several levels of the hierarchy, we tend to assign this task to a new responsibility. By this mechanism special corporate functions like e.g. the Quality Manager (although “quality is everybody’s job”), the Risk Manager (although conscious risk taking is the prime entrepreneurial task of top management) or finally the IT-Security Manager were born. <br />
<br /></div>
<div>
No one – and this even for good reason – dared to bestow the CISO with sufficient power to really mitigate the root causes of the reported security holes: he might bring the business operations to a grinding halt – secured, however. Moreover some responsibilities are loaded on the shoulders of this poor creature which should not necessarily be included in his role. <br />
<br /></div>
<div>
Identity & access is quite a good example. Management of identities certainly is not an IT function and even less an IT-security topic. Rather it must be considered a necessary general organisational infrastructure for any organisation interacting with human (and even non-human) actors. However, a functioning Identity Management is a necessary prerequisite to achieve a sufficient security level (as it is for fine-grained cost control, process automation, digitalisation …). Even the access part is Janus-headed, with one face toward providing access (e.g. for automation) and one face toward preventing access (hence the IT-security part). Like nearly all business tasks, however, its implementation eventually needs heavy IT involvement.<br />
<br /></div>
<h2 style="text-align: left;">
The fatal Todo</h2>
<div>
So after setting the scene for the drama to unfold, let’s continue with the story. The CISO was told to deal with the issues and come back with a detailed plan to be presented at the next board meeting (however with a 1 week notice period for each intermediate management level). As the CISO was an honest man, his proposal was quickly refused by the board as totally unrealistic and amended with the advice to his line manager to straighten out that strange security guy and educate him on how to serve the company interests best.<br />
<br /></div>
<div>
“<i>Ok folks, hear the news. The board is not amused. The situation is serious. It’s not the right time to present your wish list of what you always wanted to address. They are not stupid up there. They have known all these tricks for long. So, no gold plating, don’t try to boil the ocean – just the security issues and nothing else.</i>”<br />
<br /></div>
<div>
Poor CISO, he desperately tried to explain, that IT-security is not an add-on, but that it rather is deeply rooted in the IT processes and even more in the whole organisational framework, which he was not the least mandated to address.<br />
<br /></div>
<div>
<b>Listen to his plea: </b><br />
<br /></div>
<div>
Look, Compliance is just the result of a long-term effort. That’s the bad news. The good news is that after investing all this effort it comes as a by-product. I am tempted to borrow the quote from Philip Crosby: (<a href="http://www.philipcrosby.com/25years/read.html">quality is free</a>) <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-RRTNao09YiA/WDhsV8tWXjI/AAAAAAAAmdI/u5dmtM3wQI8i7wGOXbNn6uaZ1rm1hHtoACLcB/s1600/compliance_pyramid.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="272" src="https://3.bp.blogspot.com/-RRTNao09YiA/WDhsV8tWXjI/AAAAAAAAmdI/u5dmtM3wQI8i7wGOXbNn6uaZ1rm1hHtoACLcB/s320/compliance_pyramid.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The compliance pyramid</td></tr>
</tbody></table>
<br /></div>
<h2 style="text-align: left;">
1. Identity & Access depends on Business</h2>
<div>
Representing an organisational infrastructure layer, Identity & Access processes depend on a sufficient maturity of the underlying business processes which they are meant to support. A major part of these business processes is represented by the workforce management processes (aka Human Resources). <br />
<br /></div>
<h3 style="text-align: left;">
Roles are the business</h3>
<div>
To get a grip on the inherent complexity of a large organisation, it has become commonly accepted practice to express a person’s tasks in roles (if they are to be considered sufficiently static) or business rules (in a more dynamic environment). Jointly with some other dimensions or constraints like location, amount authorisation, contract type, organisational unit and the like, they determine the necessary and hence maximum access to corporate resources. These business roles, as well as business rules, have – the naming gives a strong indication already – to be defined in business terms by business-literate staff. Only after that is done should they be underpinned by low-level permissions (aka entitlements, privileges, access rights, …). Ideally the job description is linked to a set of business roles / rules already.<br />
<br /></div>
<h3 style="text-align: left;">
Workforce Management Policies</h3>
<div>
Moreover, policies should be in place to provide the Identity & Access domain with the necessary guidance. Policies with some influence on Identity & Access may pertain to the scope of the workforce (e.g. contractors, trainees, apprentices, interns, temporary staff included?), automation of time & attendance tracking, automation of employee/manager self-service functions, deputy procedures in case of planned / unplanned absence, formalisation of a flexible, remote and mobile working strategy, retention times for personal information / digital identities, and finally the standardisation of processes & policies itself.<br />
<br /></div>
<div>
When taking digitisation seriously, the Identity & Access processes should be automated in all standard cases – relying however on timely and meaningful triggers fired by the workforce management. <br />
<br /></div>
<div>
So there is a lot of solid ground which can and should be provided by the business side to support a rock-solid Identity & Access layer. If workforce management is however not rigorously enough defined and only loosely coupled to Identity & Access, no one should be surprised if the latter remains shaky and unreliable.<br />
<br /></div>
<h3 style="text-align: left;">
On the other side – the assets</h3>
<div>
Let’s remember. The Access part of Identity & Access is about the relationship of 2 major objects: the digital identity (most often representing a person) and the asset to be protected. So, not surprisingly, not just the person has to be well known and properly embedded in workforce processes – the assets have to be too. So first there must be a registry or repository of all assets. The assets documented therein must be sufficiently characterised. A responsible owner has to be assigned and – most importantly – the asset must be assigned to a sensitivity class after undergoing a thorough sensitivity analysis. <br />
<br /></div>
<h3 style="text-align: left;">
The enterprise model</h3>
<div>
As I mentioned above, roles belong to the business and it is necessary to express a person’s tasks in roles. But where do roles come from? They are not invented on the fly during the recruiting process. Nor do they emerge from thin air. They are to be populated with business functions from an enterprise model, and such a model had better be at hand to do so. Where such models exist, they are most often functional enterprise models, hierarchically structured and named canonically as well as via aliases. Canonical naming is required for methodological rigour and to easily spot commonalities; aliases serve to comfort the business by mirroring the folkloric designations from its business as usual. Functional models are often well suited, as regulations requiring e.g. Segregation of Duties (SoD) are overwhelmingly expressed in functions to be assigned to different actors. Even more helpful would be the use of an object-oriented enterprise model.<br />
<br /></div>
<h2 style="text-align: left;">
2. The Management layer feeds Governance </h2>
<div>
Governance is defined as giving direction to and exerting oversight over the underlying Management processes in the focus area. <br />
<br /></div>
<h3 style="text-align: left;">
Direction</h3>
<div>
We talked about giving direction already. Good governance here has to craft and publish a domain strategy, closely in line with the overall enterprise strategy. Its results should be fed into policies for business as usual, or into actions for the defined change activities. The role of corporate policies can’t be overemphasised here. <br />
<br /></div>
<h3 style="text-align: left;">
Oversight</h3>
<div>
It is obvious that knowing what’s going on in the domain of your responsibility is a key requisite of all governance efforts, and it is just as obviously difficult to achieve. The mechanisms for exerting oversight are already laid out in a bit more detail <a href="http://genericiam.blogspot.de/2016/07/from-oversight-to-algorithm-driven.html">elsewhere</a>. <br />
<br /></div>
<div>
For the sake of clarity, and to provide a good fit to the next layer, the compliance layer, it is advisable to compile a list of control objectives and implement each of them in one or more management controls. Even in the absence of compliance requirements, good guidance abounds in several standardisation or management models like COBIT 5, the ISO 27000 series and more. <br />
<br /></div>
<div>
It should not be concealed here that gaining the necessary overview may require a massive involvement of technology, like advanced analytics or even big data.<br />
<br /></div>
<h2 style="text-align: left;">
3. Governance feeds Compliance</h2>
<div>
As implied by the illustration with its pyramidal appearance, this chapter should be even shorter than the one before, which in turn was shorter than the first one. The major amount of work should indeed have been done in the lower levels, so that the compliance layer becomes a cheap one.<br />
<br /></div>
<div>
This doesn’t mean that no more work is involved. As I mentioned <a href="http://genericiam.blogspot.de/2016/07/challenges-ahead-for-digital.html">here </a>before, Thomson Reuters once counted a mere ~100 minor or major regulatory changes per day to be taken into account, most of them in the financial sector, many of them IT-security related. This sheer number, which is even <a href="http://thomsonreuters.com/en/press-releases/2016/june/thomson-reuters-global-cost-of-compliance-2016-survey.html">expected to rise</a>, justifies assigning the responsibility for watching out for new / changed regulations, assessing their relevance, operationalising them as controls, matching them with existing ones and, if necessary, initiating change activities to get them implemented, to a dedicated function.<br />
<br />
<div class="MsoNormal">
So once we have done all our homework, which are anyway elements of good conduct, compliance does not need to be artfully crafted. Rather it just bubbles up from the layers below – nearly for free.<br />
<br /></div>
</div>
<h2 style="text-align: left;">
But you can’t fool a strong leader</h2>
<div>
Hours later, after patiently waiting and pretending to listen carefully to the CISO’s lengthy, while still not exhausting, elaboration:<br />
<br /></div>
<div>
“<i>Dear colleague, I really don’t understand what you are saying. First you presented a huge bill to us, containing lots of items we all would have to pay for dearly; besides that, you threatened us with a huge effort and a yearlong duration. Now you tell me it comes for free. Isn’t it a bit strange – to say the least? I don’t want to repeat myself. Hopefully you listened carefully to the message from above. I strongly recommend: Just the compliance issues – and just do it!</i>”<br />
<br /></div>
<div>
Having said that, the line manager left in a good mood. Didn’t he just demonstrate strong leadership, after all?<br />
<br /></div>
<div>
Would you like to know how the story ended, whether it had a happy end? Well, I think you may not really want to know that. You most probably can already sense it quite easily ...<br />
<br /></div>
<div>
So this could become one of those often-repeated tales from the past. However, as I am not blessed with grandchildren yet, the public fell victim to my insatiable talkativeness.</div>
<br /></div>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), 2016-08-05: Challenges ahead for a digital transformation agenda<div dir="ltr" style="text-align: left;" trbidi="on">
In last week's contribution (<a href="http://genericiam.blogspot.de/2016/07/from-oversight-to-algorithm-driven.html">From ‘oversight’ to the algorithm-driven company</a>) I contemplated the necessary underpinnings of a digitally transformed corporation, gave some justification why it is so hard to answer the obviously simple question which is at the core of any oversight, “Who has (had) access to which resources?”, and mentioned how oversight is executed according to the state of the art. In this third and final post I will discuss current trends and, with the help of professional analysts, try to look ahead.<br />
<br />
<h2>
What does Pythia foresee for us?</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-L-LNvSYwahQ/V5IcCkuBTzI/AAAAAAAAkjQ/-WLVG3Z1j-YhHLGl8KyAMdA0B0iAM7YTwCLcB/s1600/Delphische%2BSibylle.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://1.bp.blogspot.com/-L-LNvSYwahQ/V5IcCkuBTzI/AAAAAAAAkjQ/-WLVG3Z1j-YhHLGl8KyAMdA0B0iAM7YTwCLcB/s200/Delphische%2BSibylle.jpg" width="156" /></a></div>
Despite Mark Twain's (among others) warning “<i>It is difficult to make predictions, especially about the future.</i>”, in 2015 the modern-day Pythia, the Gartner Group, predicted that “<i>By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.</i>”<br />
<br />
Why do they come up with such a radical opinion and what are the driving forces behind it? Well, unfortunately, after all these years in business I am still not capable of reading the mind of a Gartner analyst. However, there are some evident trends which even I stumbled upon. And so might those augurs have done.<br />
<br />
ABAC stands for Attribute Based Access Control, as opposed to RBAC (Role Based Access Control). It is a policy-based approach, where machine-executable policies (executable business rules) act on certain attributes (well, parameters, as a programmer would say). If invoked at runtime, a highly dynamic and responsive authorisation infrastructure can be created this way.<br />
<br />
And this is exactly the point. Agility is required not only on project level but on corporate level as well. It goes without saying that just the board of directors being agile will not be sufficient. Its rulings need to take immediate effect, without trickling down the organisation over the following years.<br />
<br />
Dealing with compliance, for example, has become more complex and costly than ever before.<br />
<br />
Thomson Reuters once counted a mere ~100 minor or major regulatory changes per day to be taken into account, most of them in the financial sector. You certainly need to be fast in order not to be breathlessly chasing after their implementation only to find them already outdated, but instead to get back into the driver's seat and take advantage of market opportunities.<br />
<br />
A policy-based approach means a centralisation of management with executable policies as its key element. As the totality of interacting policies on all levels can be considered the central governance processing machine, direction & oversight will be executed by running these governance programs.<br />
<br />
Also decision making can be centralised and implemented in a redundancy-free way – decluttered.<br />
<h2>
Combining RBAC and ABAC</h2>
I took both four-letter acronyms RBAC and ABAC as antagonists for the (old) static and the (new) dynamic world of “real-time enterprises”. Well, static is not all bad and the world is not black and white. Static structures will remain, and they will do so for the benefit of the corporations.<br />
<br />
My statement here is: roles are just the result of rules applied to the access space, however most often without being documented. Implement those rules directly and RBAC will appear to you as a special case: static ABAC. This striking similarity has been recognised by the “inventors” of ABAC too. NIST proposes three different ways to take advantage of both worlds by a model extension.<br />
<br />
First of all, roles were already capable of being parametrised. This easily overlooked, little yet powerful feature was initially designed to cope with non-functional attributes and dynamic decisions based on attributes.<br />
<br />
Some attributes however are independent of roles. A combined model was sought therefore. NIST came up with a threefold proposal. Note: all three variants can even be combined and used within one single access model.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-x_C8w4eFJpw/V6RZtcpuJmI/AAAAAAAAkmo/nXBF3cQ8QH431agaFvlorygq75rMlJHhwCLcB/s1600/NIST_alternatives.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://3.bp.blogspot.com/-x_C8w4eFJpw/V6RZtcpuJmI/AAAAAAAAkmo/nXBF3cQ8QH431agaFvlorygq75rMlJHhwCLcB/s320/NIST_alternatives.png" width="320" /></a></div>
<br />
<br />
<h3>
Dynamic roles</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-aemITRqy1dM/V6RW7hmJ_iI/AAAAAAAAkmU/w60S5dBTUUsGewrycPwspCZ5vfAp2FxHwCLcB/s1600/dynamic_roles.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="60" src="https://2.bp.blogspot.com/-aemITRqy1dM/V6RW7hmJ_iI/AAAAAAAAkmU/w60S5dBTUUsGewrycPwspCZ5vfAp2FxHwCLcB/s200/dynamic_roles.png" width="200" /></a></div>
Dynamic attributes like time or date are used to determine the subject's role, hereby retaining a conventional role structure but changing role sets dynamically. For further reading I refer to R. Fernandez, <a href="http://csrc.nist.gov/rbac/EDACv2overview.pdf">Enterprise Dynamic Access Control Version 2 Overview</a>. <br />
<br />
<h3>
Attribute-centric </h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-zlC3Pj71NlU/V6RKy_iRGwI/AAAAAAAAklo/6nQuPnWJi30UvY8YHkaQcohNKQbDSCrpgCLcB/s1600/attribute_centric.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="60" src="https://2.bp.blogspot.com/-zlC3Pj71NlU/V6RKy_iRGwI/AAAAAAAAklo/6nQuPnWJi30UvY8YHkaQcohNKQbDSCrpgCLcB/s200/attribute_centric.png" width="200" /></a></div>
Here a role name is just one of many attributes, without any fine structure. The role is no longer a collection of permissions as in conventional RBAC.<br />
<br />
The main drawback is the rapid loss of RBAC's administrative simplicity as more attributes are added (IEEE Computer, vol. 43, no. 6 (June 2010), pp. 79-81). In this approach you may have problems determining the risk exposure of an employee's position.<br />
<br />
This second scenario could serve as a good approach for a rapid start, generating early results of automatic entitlement assignment, without deep knowledge of the job function.<br />
<br />
<h3>
Role-centric</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-YmZ-4_ZRyXs/V6RZE_2hEOI/AAAAAAAAkmk/BcPhTeubFoUns0YJ9UdfUzt6xxNrkZmOACLcB/s1600/role_centric.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="60" src="https://4.bp.blogspot.com/-YmZ-4_ZRyXs/V6RZE_2hEOI/AAAAAAAAkmk/BcPhTeubFoUns0YJ9UdfUzt6xxNrkZmOACLcB/s200/role_centric.png" width="200" /></a></div>
In the third variant attributes are added to constrain RBAC. Constraints can only reduce the permissions available to the user, not expand them. Some of ABAC's flexibility may get lost because access is still granted via a (constrained) role. On the other hand, the system retains the RBAC capability to statically determine the maximum set of user-obtainable permissions.<br />
<br />
The RBAC model in 1992 was explicitly designed to apply additional constraints to roles. This approach is the one envisioned as the natural <a href="https://www.kuppingercole.com/report/enterprise_role_management_done_right">RBAC approach by KuppingerCole</a>.<br />
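The three NIST variants described above, side by side in code. This is an added example, not from the post and not from NIST: the role names, attributes, rules and constraints are constructed for illustration, and the point it makes is that only the role-centric variant keeps a statically computable upper bound on what a user can obtain.<br />

```python
"""Toy access decision engine showing the three NIST ways of combining RBAC
and ABAC: dynamic roles, attribute-centric and role-centric.  Added example;
the roles, attributes, rules and constraints below are constructed."""
from datetime import time

# Classic RBAC table (constructed): role -> set of permissions.
ROLE_PERMISSIONS = {
    "trader":        {"trade:create", "trade:read"},
    "trader_oncall": {"trade:create", "trade:read", "trade:cancel"},
    "auditor":       {"trade:read", "audit:read"},
}

def perms_of_roles(roles):
    """Union of the static permissions of a set of roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

# --- Variant 1: dynamic roles ---------------------------------------------
# Attributes (here: time of day) select the *role set*; the role structure and
# the permissions per role stay conventional and static.
def dynamic_roles(user, ctx):
    roles = set(user["roles"])
    if "trader" in roles and ctx["time"] >= time(18, 0):
        roles.add("trader_oncall")   # the evening desk picks up the on-call role
    return roles

def permissions_dynamic_roles(user, ctx):
    return perms_of_roles(dynamic_roles(user, ctx))

# --- Variant 2: attribute-centric -----------------------------------------
# The role name is just one attribute among others; rules decide directly on
# attributes and there is no role -> permission table left to inspect.
ATTRIBUTE_RULES = [
    ("trade:read",   lambda u, c: u["department"] == "treasury"),
    ("trade:create", lambda u, c: "trader" in u["roles"] and u["clearance"] >= 2),
    ("trade:cancel", lambda u, c: "trader" in u["roles"] and c["time"] >= time(18, 0)),
    ("audit:read",   lambda u, c: "auditor" in u["roles"]),
]

def permissions_attribute_centric(user, ctx):
    return {perm for perm, rule in ATTRIBUTE_RULES if rule(user, ctx)}

# --- Variant 3: role-centric ----------------------------------------------
# Roles define the maximum permission set; attribute constraints can only take
# permissions away, so the upper bound is still determinable statically.
ROLE_CONSTRAINTS = [
    ("trade:create", lambda u, c: c["device"] != "managed"),  # no trades from unmanaged devices
    ("trade:cancel", lambda u, c: c["time"] < time(18, 0)),   # cancellations only after hours
]

def max_permissions_role_centric(user):
    """Static upper bound: everything the user's roles could ever grant."""
    return perms_of_roles(user["roles"])

def permissions_role_centric(user, ctx):
    perms = set(max_permissions_role_centric(user))
    for perm, constraint in ROLE_CONSTRAINTS:
        if constraint(user, ctx):
            perms.discard(perm)
    return perms

# Constructed sample subject and two contexts.
ALICE     = {"roles": ["trader"], "department": "treasury", "clearance": 2}
CTX_DAY   = {"time": time(10, 0), "device": "managed"}
CTX_NIGHT = {"time": time(20, 0), "device": "byod"}

if __name__ == "__main__":
    for name, fn in [("dynamic roles", permissions_dynamic_roles),
                     ("attribute-centric", permissions_attribute_centric),
                     ("role-centric", permissions_role_centric)]:
        print(f"{name:18} day={sorted(fn(ALICE, CTX_DAY))} night={sorted(fn(ALICE, CTX_NIGHT))}")
```

Running it shows the trade-off the text describes: under dynamic roles and under attribute-centric rules the same trader gains trade:cancel in the evening, whereas under the role-centric variant the night-time BYOD context can only strip trade:create from the static maximum and never adds anything.<br />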
<h2>
Governance in a flexible RBAC & ABAC world</h2>
A question remains to be answered: how to do recertification if there are no static entitlements? We remember that re-certification is one of the traditional key elements within the detective controls of the oversight part of Identity & Access Governance.<br />
<br />
<i><b>First </b></i>of all, don't leave rules unrelated. Provide a traceable deduction from business or regulatory requirements, e.g.:<br />
<br />
<ul style="text-align: left;">
<li>Regulations (external) → Policies
(internal) → Rules (executable, atomic) → Authorisations (operational)</li>
</ul>
<br />
<i><b>Second</b></i>, attributes must be provided on demand at runtime, during invocation of the authorisation sub-system, by calling an attribute server, e.g. an operational data warehouse, which in turn collects them from various corporate or external sources.<br />
<br />
<ul style="text-align: left;">
<li>However, some limitations may remain: in the end there is no static answer to the “who-has-access-to-what” question in a dynamic environment.</li>
</ul>
<br />
<i><b>Third</b></i>, there is no way around the enumeration of the same rules for reporting & audit which are used for the authorisation act as well. And maybe the auditor's questions have to be altered & specified more explicitly too.<br />
<br />
<ul style="text-align: left;">
<li>Re-certification of dynamic entitlements will feel more like debugging JavaScript code than ticking off long entitlement lists twice a year.</li>
</ul>
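The three points above in code: rules that carry their deduction chain (Regulation → Policy → Rule → Authorisation), evaluated once for the authorisation decision and again, over an attribute snapshot, to enumerate “who has access to what” for audit. This is an added example, not from the post; the regulation and policy names, identities and attribute values are constructed placeholders, and the attribute server is simulated by a dict.<br />

```python
"""Executable rules with a traceable deduction chain
Regulation (external) -> Policy (internal) -> Rule (atomic) -> Authorisation,
used once for the runtime decision and again, enumerated over an attribute
snapshot, for reporting and audit.  Added example; regulation and policy
names, identities and attributes are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    policy: str        # internal policy the rule operationalises
    regulation: str    # external requirement the policy derives from
    permission: str
    condition: Callable[[dict], bool]

RULES = [
    Rule("R-01", "POL-Trading-Access", "Regulation-A", "trade:create",
         lambda a: a["role"] == "trader" and a["training_valid"]),
    Rule("R-02", "POL-Trading-Access", "Regulation-A", "trade:approve",
         lambda a: a["role"] == "desk_head"),
    Rule("R-03", "POL-Audit-Readonly", "Regulation-B", "trade:read",
         lambda a: a["department"] in ("treasury", "internal_audit")),
]

def authorise(attrs, permission):
    """Runtime decision: the rules granting `permission` for these attributes
    (an empty list means deny)."""
    return [r for r in RULES if r.permission == permission and r.condition(attrs)]

def enumerate_access(snapshot):
    """Audit view: run the same rules over a snapshot of attribute values (as an
    attribute server would have delivered them) to answer 'who has access to
    what' for that point in time.  Each grant carries the IDs of the rules
    that produced it, so an auditor can follow the chain back."""
    report = {}
    for identity, attrs in snapshot.items():
        grants = {}
        for r in RULES:
            if r.condition(attrs):
                grants.setdefault(r.permission, []).append(r.rule_id)
        report[identity] = grants
    return report

def trace(rule_id):
    """Deduction chain for one rule, for the audit report."""
    r = next(x for x in RULES if x.rule_id == rule_id)
    return f"{r.regulation} -> {r.policy} -> {r.rule_id} -> {r.permission}"

def changed_access(before, after):
    """Differences between two enumerations.  Re-certifying dynamic
    entitlements means reviewing exactly these deltas and the attribute
    changes that caused them."""
    changes = {}
    for identity in set(before) | set(after):
        lost   = set(before.get(identity, {})) - set(after.get(identity, {}))
        gained = set(after.get(identity, {})) - set(before.get(identity, {}))
        if lost or gained:
            changes[identity] = {"lost": lost, "gained": gained}
    return changes

# Constructed attribute snapshots (what an attribute server would return).
SNAPSHOT_Q1 = {
    "alice": {"role": "trader",    "department": "treasury",       "training_valid": True},
    "bob":   {"role": "trader",    "department": "treasury",       "training_valid": False},
    "carol": {"role": "desk_head", "department": "treasury",       "training_valid": True},
    "dave":  {"role": "auditor",   "department": "internal_audit", "training_valid": False},
}
# Q2: alice's mandatory training lapsed; nobody administered anything by hand.
SNAPSHOT_Q2 = {**SNAPSHOT_Q1, "alice": {**SNAPSHOT_Q1["alice"], "training_valid": False}}

if __name__ == "__main__":
    for identity, grants in enumerate_access(SNAPSHOT_Q1).items():
        for perm, rule_ids in grants.items():
            print(identity, perm, "via", "; ".join(trace(i) for i in rule_ids))
    print("Q1 -> Q2:", changed_access(enumerate_access(SNAPSHOT_Q1),
                                      enumerate_access(SNAPSHOT_Q2)))
```

The same `RULES` list serves both `authorise` and `enumerate_access`, which is the third point made above: the audit report is produced by the authorisation logic itself, not by a separately maintained entitlement list. The Q1 to Q2 delta shows why the snapshot matters: alice loses trade:create without any administrative act, purely because an attribute changed.<br />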
<h2>
Requirements to I&A technology</h2>
So what will be the requirements to the supporting technology? As I mentioned, IAM, IAG & IAI are by no means isolated disciplines. They operate on highly fragmented yet massively overlapping information in arbitrary formats, following different retention policies.<br />
<br />
If different tools are used for specific sub-tasks, the underlying data have to be kept in tight sync. Hereby single-duty services, operating in an SOA fashion, are to be preferred over all-encompassing monolithic suites.<br />
<br />
In addition, in attestation runs business line representatives reassess past business decisions. Information hence needs to be expressed and presented to them in business terms.<br />
<br />
Finally, information security demands a holistic approach. Entitlement information and operational access information have to span all relevant layers of the IT stack (applications, middleware, operating systems, hardware and – of course – physical access).<br />
<br />
For forensic investigations, assessments have to be performed back in time. Past entitlement situations hence need to be stored in a normalised structure, reaching sufficiently far back and easy to query in their historic context (aka ‘temporal’ functionality).<br />
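What such ‘temporal’ functionality looks like at its simplest: a normalised entitlement history with validity intervals, queried “as of” a past date. This is an added example, not from the post; it uses an in-memory SQLite database, and the identities, systems, privileges, grantors and dates are constructed.<br />

```python
"""Temporal entitlement store: past entitlement situations kept in a normalised
table with validity intervals, so 'who had access to what, granted by whom'
can be answered as of any past date.  Added example using SQLite; identities,
systems, privileges and dates are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE entitlement_history (
    identity   TEXT NOT NULL,
    resource   TEXT NOT NULL,
    privilege  TEXT NOT NULL,
    granted_by TEXT NOT NULL,   -- person or policy that granted the privilege
    valid_from TEXT NOT NULL,   -- ISO-8601 date, inclusive
    valid_to   TEXT             -- ISO-8601 date, exclusive; NULL = still valid
);
"""

# Constructed history rows.  A revoked privilege is never deleted; its
# interval is closed instead, so the history stays queryable.
SAMPLE_ROWS = [
    ("alice", "ERP", "post_payment",  "POL-Finance-01", "2016-01-10", "2016-05-01"),
    ("alice", "ERP", "view_payment",  "POL-Finance-01", "2016-01-10", None),
    ("bob",   "ERP", "post_payment",  "manager:carol",  "2016-04-15", None),
    ("bob",   "CRM", "read_customer", "POL-Sales-02",   "2015-11-01", "2016-02-01"),
]

def open_store(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO entitlement_history VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def access_as_of(conn, when):
    """Entitlements valid on the ISO date `when`, with their grantor.
    ISO-8601 date strings compare correctly as text."""
    cur = conn.execute(
        """SELECT identity, resource, privilege, granted_by
             FROM entitlement_history
            WHERE valid_from <= ? AND (valid_to IS NULL OR valid_to > ?)
            ORDER BY identity, resource, privilege""", (when, when))
    return cur.fetchall()

def history_of(conn, identity, resource):
    """All intervals ever recorded for one identity on one resource."""
    cur = conn.execute(
        """SELECT privilege, granted_by, valid_from, valid_to
             FROM entitlement_history
            WHERE identity = ? AND resource = ?
            ORDER BY valid_from""", (identity, resource))
    return cur.fetchall()

def revoke(conn, identity, resource, privilege, when):
    """Close the open interval instead of deleting the row; returns the
    number of intervals closed (0 if there was no open grant)."""
    cur = conn.execute(
        """UPDATE entitlement_history SET valid_to = ?
            WHERE identity = ? AND resource = ? AND privilege = ? AND valid_to IS NULL""",
        (when, identity, resource, privilege))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    conn = open_store()
    for day in ("2016-03-01", "2016-04-20"):
        print(day, access_as_of(conn, day))
    revoke(conn, "bob", "ERP", "post_payment", "2016-06-01")
    print("2016-07-01", access_as_of(conn, "2016-07-01"))
    print("bob/ERP history:", history_of(conn, "bob", "ERP"))
```

The as-of query answers the forensic question directly (“who could post payments on 2016-03-01, and who granted that?”) because revocation only closes an interval, never removes a row; a store that overwrites current state cannot answer it at all.<br />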
<br />
Deciding on the implementation of appropriate activities however needs a solid foundation. Data analytics applied to I&A provide the equivalent of switching on the light before cleaning up a mess. The resulting architecture hence should be layered into at least the following:<br />
<ul style="text-align: left;">
<li>A Business Layer</li>
<li>A Technical Layer and </li>
<li>A Data Layer.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-oKsOYYo7E6w/V6RbBrXjpWI/AAAAAAAAkm4/RzaepNkcKPsKFJ9rzohD01euNhiepNMRwCLcB/s1600/IAG_architecture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://2.bp.blogspot.com/-oKsOYYo7E6w/V6RbBrXjpWI/AAAAAAAAkm4/RzaepNkcKPsKFJ9rzohD01euNhiepNMRwCLcB/s320/IAG_architecture.png" width="320" /></a></div>
Each layer itself may be expressed in its own Business-, Technical or Data-architecture.<br />
<br />
Based on a sufficiently rich set of data, the compilation of the most basic I&A health indicators allows for directing effort into the most promising IAM and / or IAG activities. Hence IAI should be the first of the three disciplines to invest in. Identity & Access Governance needs to be built on top of a powerful data warehouse. Discovery & warehousing hence enter centre stage of I&A Governance.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Qt_Yri2ASEg/V6RaZ1HsUhI/AAAAAAAAkmw/eHP1QQfV8uYaV2L6hyQO5K1Qp43aw2bhgCLcB/s1600/IAI_IAM_IAG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://4.bp.blogspot.com/-Qt_Yri2ASEg/V6RaZ1HsUhI/AAAAAAAAkmw/eHP1QQfV8uYaV2L6hyQO5K1Qp43aw2bhgCLcB/s320/IAI_IAM_IAG.png" width="320" /></a></div>
<br />
A caveat should be mentioned however: in addition to I&A knowledge this approach requires sound data analytics skills, usually not found in I&A but rather in marketing or product-Q&A departments.<br />
<h2>
Outlook - dynamics blend into the static approach</h2>
Although a powerful technology needs to be invoked in order to keep the complexity on a manageable level, the transformation may not need to be performed in one revolutionary big-bang step. Rather, an agile, evolutionary approach will lead to faster and better results and a higher degree of user (i.e. management level) acceptance.<br />
<br />
The changes to be expected are …<br />
<table><tbody>
<tr><td width="45%"><ul>
<li>All privilege determining parameters expressed as static roles.</li>
<li>Complex roles</li>
<li>All access expressed as roles<br /><br /></li>
<li>Manual processes<br /><br /></li>
<li>Recertification campaigns<br /><br /></li>
<li>Necessity for management interaction</li>
<li>Easy to re-certify static entitlements</li>
</ul>
</td><td width="10"><div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-nagtwMWrP30/V5IayJPtEWI/AAAAAAAAkjE/HSzxio8B1fcdOQw3hwftXXIuDEJAmNbbQCLcB/s1600/arrow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /><img border="0" height="320" src="https://1.bp.blogspot.com/-nagtwMWrP30/V5IayJPtEWI/AAAAAAAAkjE/HSzxio8B1fcdOQw3hwftXXIuDEJAmNbbQCLcB/s320/arrow.png" width="36" /></a></div>
</td><td width="45%"><ul>
<li>Roles augmented by rules / attributes<br /><br /></li>
<li>Reduced role complexity</li>
<li>Roles complemented by rules / attributes</li>
<li>Automated access assignment and removal</li>
<li>Policy driven entitlement assignment</li>
<li>Risk driven on-demand re-certification</li>
<li>Real-time analytics<br /><br /></li>
</ul>
</td></tr>
</tbody></table>
To summarize all the sections in three (although lengthy) sentences:<br />
<br />
<ol style="text-align: left;">
<li>In essence it thus turns out that after undergoing a digital transformation not only the business <i><b>operations </b></i>will be automated.<br /><br /></li>
<li><i><b>Management </b></i>of these operational processes as well as the overarching <i><b>governance </b></i>will need to follow that automation trend too.<br /><br /></li>
<li>This is certainly still a long way to go.</li>
</ol>
</div>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), 2016-07-29: From ‘oversight’ to the algorithm driven company<div dir="ltr" style="text-align: left;" trbidi="on">
In last week's contribution (<a href="http://genericiam.blogspot.de/2016/07/identity-access-governance-in-age-of.html">Identity & Access Governance in the age of digital transformation</a>) I outlined the general picture, answering the question what Governance is after all and what it means when applied to Identity & Access, emphasising the need to look at Identity and Access separately, and finally breaking ’direction' down, following the downstream path from strategy to executable rules. Today I will deal with how to make policies & guidelines actionable.<br />
<br />
<h2>
About the necessary underpinnings of a digital transformed corporation</h2>
When
considering the quality of everyday management decisions in major
corporations, the well-known Nobel laureate Daniel Kahneman found
himself <a href="http://knowledge.wharton.upenn.edu/article/nobel-winner-daniel-kahnemans-strategy-firm-can-think-smarter/">not exactly awed</a>: “<i>You look at large organizations that are
supposed to be optimal, rational. And the amount of folly in the way
these places are run… is actually fairly troubling</i>.”<br />
<br />
Even more worrying was the insight that this routine making of poor decisions did not correlate with experience, training and other factors usually considered to have a positive effect. Rather, the less encouraging conclusion was that this nearly unavoidable “<i>noise</i>” was the effect of very human nature: the traps and biases we tend to run into during our daily life, whether job or business.<br />
<br />
And the cure? Well, Kahneman's advice is “<i>Algorithms</i>”. Let algorithms run the company? Yes! That's what he meant. As radical as this advice sounds, it is not an entirely new view. We have had them for a long time: policies & guidelines, procedures & standards and specifications & work instructions, representing a layer of abstraction each.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5onRZqvc8KQ/V5IXAirPLWI/AAAAAAAAkiU/nu8qSV9HqdAcBvPJhV7lbaqRAKGILb7UgCLcB/s1600/document_pyramide.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="288" src="https://2.bp.blogspot.com/-5onRZqvc8KQ/V5IXAirPLWI/AAAAAAAAkiU/nu8qSV9HqdAcBvPJhV7lbaqRAKGILb7UgCLcB/s320/document_pyramide.png" width="320" /></a></div>
However
these business rules are meant to be processed by humans – not by
machines. They still need some degree of translation, interpretation and
situational judgement. And even worse, they usually don't provide a
complete set of guidance even for the majority of the “Business As
Usual” cases.<br />
<br />
While it still might take a while until we see governance performed by robots (although in some companies it already might look like that), the operational layer of the traditional corporate pyramid can well be, and quite often already is, run in an automated way. The next target now is the Management layer, where decisions are taken less frequently to keep operations within the pre-defined channel of policies & guidelines. This will be the battlefield where the success of the digital transformation, which many companies lately decided to head for, will be achieved – or not.<br />
Nevertheless, giving “direction” needs to be expressed in a formal way. And it is still a good start for many corporations to fill the voids in the document pyramid, as shown in fig. 1.<br />
<br />
It might be a disturbing idea which Kahneman conveys when he expects systems powered by artificial intelligence (AI) one day to be able to exercise professional judgement even better than humans. For now, however, laying the necessary foundation as the underpinnings for a (more) digitised corporation will already be enough of a task for most of us.<br />
So let's do our homework first.<br />
<br />
<h2>
Oversight starts with a simple question</h2>
Oversight starts with a simple question: Who has (had) access to which Resources?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ykAo0ylvh_Y/V5IXM8rUZ6I/AAAAAAAAkiY/M-2cKm3RPv8qS7NokqlVfxhj_6M7DiSxwCLcB/s1600/Who_has_access_wide.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://2.bp.blogspot.com/-ykAo0ylvh_Y/V5IXM8rUZ6I/AAAAAAAAkiY/M-2cKm3RPv8qS7NokqlVfxhj_6M7DiSxwCLcB/s320/Who_has_access_wide.png" width="320" /></a></div>
Simple question – simple answer? Yes? No! Rather, only few corporations are currently able to provide sufficient evidence of their access situation, as outlined below.<br />
<br />
<h3>
Who</h3>
Let's first look at the ‘who’: usually you may think of (fixed-term) employees. And indeed, providing them with the appropriate access to corporate resources causes enough headaches and keeps hordes of colleagues, consultants, system integrators and auditors busy. However, the subject behind the ’who' needs to be looked at in a more fine-grained way. It can be other staff, like contractors or those with elevated rights like admins. It could be suppliers or customers and even their respective administrators, in case some limited delegated administration is implemented. Increasingly, non-human actors like other systems interact via more or less controlled APIs and need to be included in the access control focus. And finally the IoT age is dawning, bringing new challenges to the table, be it the sheer number, the often external nature or the limited capabilities of those ’things'.<br />
<br />
<h3>
Has (had) </h3>
The innocent word ’has' can be broken down into sufficiently complex cases too. It is not just about listing all resources any digital identity has access to – now. Not just listing them by resource, by digital identity, by system, by content authorisation level, or by context exclusion rule. Also it must be immediately traceable why this privilege exists, who (person or policy) granted it and when it was last checked. For audit purposes or forensic investigations these answers have to be given for any chosen period of time which legal and corporate retention rules permit.<br />
<br />
<h3>
Access to </h3>
What about the ’access'? Is it uniform? What a stupid question. No, it is not. Next to the trivial CRUD access (Create, Read, Update, and Delete), there are risk-mitigating content-based access limitations in place, restricting access according to pre-defined authorisation levels: “<i>You are allowed to close contracts up to 1 million US-Dollars</i>.” Next to content, the context might add to the sensitivity, like: “<i>Well, you might close that contract but not during your vacation, from a nightclub in Shanghai, during (local) night-time, using your private smartphone, which hasn't been updated to the latest security patch level</i>.” The last example could even contain several policy violations. A third restriction is process-based and prevents a digital identity from running a complete business process on his/her own. Also known as Segregation of Duties (SoD), this risk-minimising step can be performed at administration time (static SoD) or at run-time (dynamic SoD). Privileged access, finally, is quite a different breed and should again be handled completely differently, e.g. via granting fully monitored and recorded session-based access.<br />
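The three kinds of restriction just listed, as checks in code: a content-based authorisation limit, a context check, and Segregation of Duties enforced once at administration time (static SoD) and once at run-time on the business object (dynamic SoD). This is an added example, not from the post; the business functions, toxic combinations, limits, contexts and identities are constructed.<br />

```python
"""Content-based limits, context checks and Segregation of Duties at
administration time (static) and at run-time (dynamic).  Added example; the
business functions, toxic pairs, limits and identities are constructed."""
from datetime import time

# --- Content-based limit: authorisation levels per role (constructed). ----
APPROVAL_LIMIT_USD = {"clerk": 10_000, "manager": 1_000_000}

def within_content_limit(role, amount_usd):
    """Unknown roles get a limit of 0, i.e. deny by default."""
    return amount_usd <= APPROVAL_LIMIT_USD.get(role, 0)

# --- Context-based restriction (constructed policy). -----------------------
def context_ok(ctx):
    """Deny during the subject's vacation, at local night-time, or from a
    device that is not at the current patch level."""
    return (not ctx["on_vacation"]
            and time(6, 0) <= ctx["local_time"] < time(22, 0)
            and ctx["device_patched"])

CTX_OFFICE    = {"on_vacation": False, "local_time": time(10, 0), "device_patched": True}
CTX_NIGHTCLUB = {"on_vacation": True,  "local_time": time(1, 30), "device_patched": False}

# --- Static SoD: checked when a business function is assigned. -------------
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
}

def static_sod_violations(functions):
    """Toxic pairs fully contained in one person's assigned functions."""
    return {pair for pair in TOXIC_PAIRS if pair <= set(functions)}

def can_assign(current_functions, new_function):
    """Administration-time gate: refuse an assignment that completes a toxic pair."""
    return not static_sod_violations(set(current_functions) | {new_function})

# --- Dynamic SoD: checked when a function is exercised on a business object.
class DynamicSoD:
    """A person may hold two conflicting functions but must not exercise both
    on the same business object (e.g. enter and approve the same invoice)."""
    def __init__(self):
        self._acted = {}   # object_id -> {function: identity}

    def perform(self, identity, function, object_id):
        done = self._acted.setdefault(object_id, {})
        for other_function, other_identity in done.items():
            if other_identity == identity and frozenset({function, other_function}) in TOXIC_PAIRS:
                return False          # refused; nothing is recorded
        done[function] = identity
        return True

def process_steps(sod, steps):
    """Apply (identity, function, object_id) steps in order; return the outcomes."""
    return [sod.perform(*step) for step in steps]

if __name__ == "__main__":
    print("clerk 5k:", within_content_limit("clerk", 5_000),
          "clerk 50k:", within_content_limit("clerk", 50_000))
    print("office:", context_ok(CTX_OFFICE), "nightclub:", context_ok(CTX_NIGHTCLUB))
    print("assign approve_payment to invoice clerk:", can_assign({"enter_invoice"}, "approve_payment"))
    print(process_steps(DynamicSoD(), [("alice", "enter_invoice", "INV-1"),
                                       ("alice", "approve_payment", "INV-1"),
                                       ("bob", "approve_payment", "INV-1")]))
```

The difference between the two SoD flavours is where the check sits: `can_assign` blocks the combination from ever being held, while `DynamicSoD` tolerates the combination and only blocks alice from approving the very invoice she entered, leaving bob free to approve it.<br />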
<br />
<h3>
Which Resources</h3>
After talking about the subject of the access act, what about the object, the corporate ’resource'? The sensitive corporate resources which need to be protected are not the ERP, CRM or HR systems but the underlying information objects: the employees, customers, contracts, payments, … . They should be well known, classified by their sensitivity, assigned to areas of responsibility and expressed in a formal model. As information objects don't interact on their own and are unable to protect themselves, access to them goes through a whole stack of systems, which are usually the object of access control in lieu of them. This IT stack comprises, but is not limited to, applications as the most obvious part, but also middleware, operating systems, networks, telco systems and physical assets, e.g. premises, as well. There are no logical – only practical – reasons why the entry of humans into buildings is handled by independent PACS (physical access control systems) and not by the access control systems which shield digital resources.<br />
<br />
<h2>
Executing oversight for I&A Governance</h2>
When it comes to the implementation of Governance, usually three types of controls are considered:<br />
<ul>
<li>Preventive controls</li>
<li>Detective controls and</li>
<li>Corrective controls</li>
</ul>
There is no question that it would be optimal to prevent any deviations from our policies and hence fully rely on preventive controls. This however would mean that the ’direction' part of I&A Governance had gained sufficient traction to rely on it. It further means that you have to declutter your architecture, bring your administrative processes to a high level of maturity and, as we learned from the introduction above, automate all administrative processes to a high degree.<br />
As these prerequisites are rarely fulfilled, we have to rely on the second-best set of controls, the detective ones, which belong to the oversight part of I&A Governance.<br />
<br />
A few
standard implementations of detective controls are required by major
regulatory bodies and hence found wide acceptance. Detective controls
therefore dominate the IAG processes. They should be gradually reduced
in favour of preventive controls once the necessary preconditions are
given.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-rd4xH24lOF0/V5IXZdLTYYI/AAAAAAAAkic/YVKPzwKIK68PEJ4nXRDdZEqegVNYUVIjgCLcB/s1600/detective_controls.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="83" src="https://1.bp.blogspot.com/-rd4xH24lOF0/V5IXZdLTYYI/AAAAAAAAkic/YVKPzwKIK68PEJ4nXRDdZEqegVNYUVIjgCLcB/s320/detective_controls.png" width="320" /></a></div>
The three top-level detective controls in use today are:<br />
<ul>
<li><b>Reconciliation</b> - Does the implementation reflect the intended state? <br />
This daily health check is only necessary if the access definition is
done in a different place (the Policy Administration Point or PAP) than
the policy decision (Policy Decision Point or PDP) and the policy
enforcement (Policy Enforcement Point or PEP), and the target systems still
maintain their native administration interfaces, through which accounts and
privileges can be created behind the back of the central store. In an architecture
where there is (at least logically) just a single policy store, there is
no need for this control; in reality, however, it is quite often needed.</li>
<br />
<li><b>Attestation</b> - Is our decision still valid? <br />
Also known as re-certification, this regular (quarterly to biannual)
check on validity just reconfirms the decision once taken during the initial
grant of the privilege in question. This check becomes necessary (and
hence is required by regulatory bodies) because we do not have sufficient
trust in our administrative processes to react properly,
immediately and automatically to change events in the real world
and reflect them in the access structure accordingly.</li>
<br />
<li><b>Expiration</b> - To limit risks in domains outside your own control.<br />
Expiration of once granted privileges is a widely underestimated and thus underutilised detective control. Its use is evident for granting access in the context of limited endeavours like task forces or projects, and in environments outside of direct control, like vendor employees authorised via delegated administration, whose leaving or changing positions would otherwise go undetected. But for regular employees on BAU (Business As Usual) tasks it would be beneficial too and could even replace attestation: a privilege that lapses unless renewed needs no separate campaign to ask whether it is still needed. Prerequisite however is a proper implementation of time-out dates and powerful workflow support.</li>
</ul>
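The three controls above, as an added example that is not part of the original post: a small Python script that runs reconciliation, expiration and attestation over constructed sample data. The intended state (what the PAP recorded), the actual state (what was read back from the targets' native interfaces), the 90-day attestation period and the date of the run are all assumptions chosen for illustration.<br />

```python
"""Three detective IAG controls over constructed sample data.
Added example, not code from the original post. The data model, the
90-day attestation period and the run date are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str
    expires: Optional[date]        # None: open-ended (BAU) grant
    last_attested: Optional[date]  # None: never re-certified

    @property
    def key(self):
        return (self.user, self.system, self.entitlement)


TODAY = date(2024, 4, 15)  # constructed run date

# Constructed intended state, as recorded in the central policy store (PAP).
INTENDED = [
    Grant("alice", "erp", "ap_clerk", None, date(2024, 2, 1)),
    Grant("bob", "erp", "ap_approver", None, date(2023, 9, 1)),
    Grant("carol", "crm", "reader", date(2024, 3, 31), date(2024, 1, 15)),
    Grant("vendor-dave", "vpn", "remote_access", date(2024, 6, 30), None),
]

# Constructed actual state, as read back from each target's native admin
# interface. bob's ap_clerk entitlement was created locally, bypassing the PAP.
ACTUAL = {
    ("alice", "erp", "ap_clerk"),
    ("bob", "erp", "ap_approver"),
    ("bob", "erp", "ap_clerk"),
    ("carol", "crm", "reader"),
    ("vendor-dave", "vpn", "remote_access"),
}


def reconcile(intended, actual):
    """Reconciliation: does the implementation reflect the intended state?
    Returns (missing, rogue): grants never provisioned, and grants present
    in a target that the PAP never authorised."""
    wanted = {g.key for g in intended}
    return sorted(wanted - actual), sorted(actual - wanted)


def expired(intended, today):
    """Expiration: grants whose time-out date has passed."""
    return sorted(g.key for g in intended
                  if g.expires is not None and g.expires < today)


def attestation_due(intended, today, period_days=90):
    """Attestation: open grants not re-certified within the period.
    Grants that have already expired are left to the expiration control."""
    cutoff = today - timedelta(days=period_days)
    return sorted(g.key for g in intended
                  if (g.expires is None or g.expires >= today)
                  and (g.last_attested is None or g.last_attested < cutoff))


def run_controls(intended=INTENDED, actual=ACTUAL, today=TODAY):
    """Run all three controls and return the findings per control."""
    missing, rogue = reconcile(intended, actual)
    return {"missing": missing, "rogue": rogue,
            "expired": expired(intended, today),
            "attestation_due": attestation_due(intended, today)}


if __name__ == "__main__":
    for control, findings in run_controls().items():
        print(f"{control:16s} {findings}")
```

Reconciliation flags bob's locally created ap_clerk entitlement, which never passed the PAP; together with his ap_approver grant it is also a segregation-of-duties conflict that a role model would have caught. The expiration finding for carol's project grant is what a working time-out date gives you for free, and the attestation list is what remains to be put in front of a business owner: the longer the attestation period, the shorter that list, which is exactly why expiry can take over part of its job.<br />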
<div class="MsoNormal">
<span style="mso-ansi-language: EN-GB;">One important point to
mention is that I&A Governance is by no means an IT task. It is purely
organisational. Therefore all decisions must be well understood and taken by
representatives of the business side. As this can only be expected when all
access objects like roles, rules, privileges or information objects are named
and described in business terms, it is only a minor step from here to find and
implement the appropriate business rules (Kahneman calls them
algorithms) to drive the process henceforth.</span></div>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="mso-ansi-language: EN-GB;">In these two postings
I described the current status of what corporations are expected to have
implemented today. In my third and last part next week I will focus on the
challenges lying ahead and what they will mean for us. </span></div>
<br />
</div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-59431526980113332052016-07-22T11:03:00.000+02:002016-08-05T11:26:20.786+02:00Identity & Access Governance in the age of digital transformation<div dir="ltr" style="text-align: left;" trbidi="on">
Identity & Access Governance obviously is a difficult task. Many major corporations struggle to meet their various compliance criteria, which should come as a natural by-product of good governance. But having hardly completed this job, the next one, innocently called “digital transformation”, knocks at the door.<br />
<br />
Will governance thus become even harder? At least that is the question I was asked recently. OK, let me quickly give an introduction to the whole topic, go into a little more detail where it appears appropriate to me and eventually come up with a couple of bold conclusions.<br />
<br />
You might have heard of the new esoteric trend “Declutter your life”. A very similar recipe I would prescribe to the majority of today's companies: “Declutter your infrastructure (before going to digitise it)!” So, quite rightly, you can expect a decluttered contribution too, dear reader. Nevertheless the text has become slightly lengthy. I will therefore publish it in three parts, one per week: <br />
<ol>
<li><a href="http://genericiam.blogspot.de/2016/07/identity-access-governance-in-age-of.html">Governance and Identity & Access</a></li>
<li><a href="http://genericiam.blogspot.de/2016/07/from-oversight-to-algorithm-driven.html">From ‘oversight’ to the algorithm driven company</a></li>
<li><a href="http://genericiam.blogspot.de/2016/07/challenges-ahead-for-digital.html">Challenges ahead for a digital transformation agenda</a></li>
</ol>
<h2>
What is Governance after all?</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-1SZ4nhrVCuE/V5HsGpYeDHI/AAAAAAAAkho/bRfr0DRdHtQyPqyf-x5_5FUnBTJyHf1jgCLcB/s1600/Governance_layers.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="221" src="https://1.bp.blogspot.com/-1SZ4nhrVCuE/V5HsGpYeDHI/AAAAAAAAkho/bRfr0DRdHtQyPqyf-x5_5FUnBTJyHf1jgCLcB/s320/Governance_layers.png" width="320" /></a></div>
The term governance in its present sense was coined and defined during the last years of the previous century. However, before that time too some form of 'governance', i.e. oversight, strategic change & direction, was always expected from high-ranking positions like non-executive directors.<br />
<br />
In the beginning it was all about corporate governance, as senior management first had to be convinced of the usefulness of handling this new discipline explicitly, before it was applied to sub-categories such as Identity & Access. By now it is accepted that a governance layer should reside on top of each management layer.<br />
<br />
In case you want to get an in-depth introduction into Corporate Governance, its Principles, Policies and Practices I recommend the voluminous authoritative guide by the 'father of corporate governance', Bob Tricker, surprisingly named, '<a href="http://www.bobtricker.co.uk/corporate-governance.html">Corporate Governance</a>'.<br />
<br />
<h2>
Identity & Access Governance </h2>
So, how did we discover Governance in the I&A world?<br />
<br />
Historically we started with the attempt to manage Identity & Access, as it became time to do so. This task alone turned out not to be easy going. While back then I expected the corporate world to do its homework within a timeframe of 3 to 5 years, even today it is not achieved to a sufficient degree. And more challenges are looming around the corner, not least the digital transformation.<br />
<br />
But even when companies succeeded with the introduction of I&A Management, the questions arose: Are we doing things right? Are we doing the right things? Therefore, and as any management layer needs a governance layer on top of it to stay healthy, I&A Governance appeared out of the dark.<br />
<br />
But IAG itself turned out not to be an easy task. Sufficiently powerful equipment for data analytics was missing and, more often than not, is still missing today. Thus I&A Intelligence was born: the application of data analytics to the domain of Identity & Access.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-pR5Sb1KRHZM/V5HsP5W_0XI/AAAAAAAAkhs/Rlt-r21Hq_oNDTAqgrkb-BZ7pPDGSK0kACLcB/s1600/The_making_of_IAG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://3.bp.blogspot.com/-pR5Sb1KRHZM/V5HsP5W_0XI/AAAAAAAAkhs/Rlt-r21Hq_oNDTAqgrkb-BZ7pPDGSK0kACLcB/s320/The_making_of_IAG.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h2>
</h2>
<h2>
Separating into Identity and into Access</h2>
While working hard on making Identity & Access Management (IAM) a reality, some finer structure was discovered in what had been somewhat reluctantly lumped together into one discipline. The equation hence became: IAM = Identity Management (IM) + Access Management (AM).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Q8RuW0_BTk4/V5HsWJmcjKI/AAAAAAAAkhw/4BJsLDdp-nAY1wQi8VWVgWq6gmWpLXsWgCLcB/s1600/Identity_and_Access.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://4.bp.blogspot.com/-Q8RuW0_BTk4/V5HsWJmcjKI/AAAAAAAAkhw/4BJsLDdp-nAY1wQi8VWVgWq6gmWpLXsWgCLcB/s320/Identity_and_Access.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Identity Management, being a genuine management discipline in its own right, is the necessary organisational foundation for many corporate necessities like business automation, fine-grained cost controlling, classical disciplines like human resources management and, of course, access management. So access needs identity as a solid foundation, but not the other way round.<br />
<br />
Hence one can imagine six distinct disciplines, as all three layers (operations, management and governance) have to be performed for identity as well as for access.<br />
<br />
<h2>
Direction – we need a strategy</h2>
<a href="https://1.bp.blogspot.com/-j5FRn2HT6R0/V5HscnU-FGI/AAAAAAAAkh0/-rigdZTqXbM-1_YhxVvXUvVxa-UX2aZWACLcB/s1600/strategy_process.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="213" src="https://1.bp.blogspot.com/-j5FRn2HT6R0/V5HscnU-FGI/AAAAAAAAkh0/-rigdZTqXbM-1_YhxVvXUvVxa-UX2aZWACLcB/s320/strategy_process.png" width="320" /></a>
Remembering the definition of governance as 'direction & oversight', let me quickly have a look at the first half of that world: direction. Certainly you have to follow a strategy while directing a whole business towards its future.<br />
<br />
This insight is not entirely new, and so the procedure of defining a strategy is pretty well understood by now. Strategy development is essentially a high-level planning process, leading from the current state to some assumed future state. To do this with sufficient rigour, some prerequisites need to be fulfilled.<br />
<br />
First you need to have a meaningful mission. Just as “Earning tons of money” might not be a good enough driving mission for a corporation, “Securing the business” would not suffice for Identity & Access. The good news is that nearly every company started with a clear mission. Over time it may however need some adjustment or even re-invention, in each case enough to keep top management busy for a while.<br />
<br />
Second you should know your current “<i>As is</i>” status, as ”<i>if you don't know where you are, every direction might be the right one</i>”. As trivial as this “<i>know thyself</i>” sounds, given the complexity of today's major institutions you can easily run into the “<i>analysis paralysis</i>” trap.<br />
<br />
And thirdly you should have an idea of what lurks around the corner: the future drivers, influences, trends and new technologies which may have an impact on your business.<br />
<br />
Hence “<i>Strategy Development</i>” can be understood in a narrow and in a broad sense, depending on whether the necessary foundation is laid already or the entire work still lies ahead.<br />
<br />
<h2>
Strategy development - a cyclic process</h2>
<div class="separator" style="clear: both; text-align: right;">
<a href="https://4.bp.blogspot.com/-1wy8SphTQsA/V5HtA0q4JWI/AAAAAAAAkh8/X1CHlohljC8UpGlTUaBmqnby8291_X-hQCLcB/s1600/strategy_cycle.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="202" src="https://4.bp.blogspot.com/-1wy8SphTQsA/V5HtA0q4JWI/AAAAAAAAkh8/X1CHlohljC8UpGlTUaBmqnby8291_X-hQCLcB/s320/strategy_cycle.png" width="320" /></a></div>
Strategies often bear the stigma of being fuzzy, general, overambitious or even outright unrealistic. At least they are blamed for talking about a distant future in abstract terms. This perception is neither completely wrong nor entirely right. Strategy development follows a cyclic process. As its goal is to transform an organisation from a defined here-and-now state to a specific future state, during this process it deals with abstract and far-off future issues, just to come back to the here-and-now, the cruel dirty world, with change items to be implemented tomorrow.<br />
<br />
<h2>
Expressing it as guidance</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-4ADbWcGjeDk/V5HtV3LEwtI/AAAAAAAAkiA/gv_eJCc6DcYAuLe_-5HOBZi4uxlnEBcrQCLcB/s1600/document_pyramide.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="288" src="https://3.bp.blogspot.com/-4ADbWcGjeDk/V5HtV3LEwtI/AAAAAAAAkiA/gv_eJCc6DcYAuLe_-5HOBZi4uxlnEBcrQCLcB/s320/document_pyramide.png" width="320" /></a></div>
Having perhaps spent 356 words too generously on a well-known corporate discipline like strategy development, I cannot afford the luxury of doing the same for the subsequently necessary change activities. Let's assume however that one fine day the projects will have come to an end, yielding new corporate processes and altered corporate guidance. <br />
The pyramid of corporate regulatory documents traditionally looks like this:<br />
<ol>
<li><h3>
Strategic level: Policies & Guidelines</h3>
<h4>
<br />Policies:</h4>
Policies are binding corporate documents, usually issued by top management. They express goals, principles, focal areas and responsibilities. They represent the top level of the documentation pyramid.<br /><br />
<h4>
Guidelines: </h4>
Guidelines, like policies, are at a high level of abstraction. However, they are not binding.<br /><br />
</li>
<li><h3>
Managerial level: Procedures & Standards</h3>
<h4>
<br />Procedures:</h4>
Procedures lay out all management controls for a defined problem domain on an <a href="http://genericiam.blogspot.de/2010/08/modelling-fundamentals.html">essential</a> level. They contain (static) functions & responsibilities and (dynamic) processes.<br /><br />
<h4>
Standards:</h4>
They state requirements such as generic minimum standards, a choice of good-practice examples or a bandwidth of tolerable quality parameters.<br /><br />
</li>
<li><h3>
Operational level: Specification & work instructions</h3>
<h4>
<br />Specifications:</h4>
The implementation of controls on a physical level is specified in operational specifications and workflows. Techniques, configurations of solutions and organisational processes are documented on this level.<br /><br />
<h4>
Work instructions:</h4>
Based on the defining procedures, work instructions specify the volatile details like configuration parameters or physical techniques.<br /><br />
</li>
</ol>
Traditionally these documents on each level are written as some kind of narrative, to be read and followed by their target group. This group evidently is meant to consist of humans. Automated processors usually are not in scope; however, they increasingly need to be.<br />
<br />
To let process definitions seamlessly translate into executable workflows, to automatically check human and automated activities against corporate policies, and to authorise digital identities (human 'users' or automated processors) dynamically and aware of their context, expressed as rules and attributes (ABAC), much more rigour has to be applied to the definition of regulatory documents.<br />
<br />
As those documents become the central code whose rules are executed unattended, they need to be considered the sensitive core of the entire organisation and hence protected accordingly against failure, inadvertent or malicious alteration and creeping degradation: kept under version control, changed only through a reviewed and approved process, and checked for integrity before a policy decision point loads them.<br />
<br />
OK, that's enough for now. Next week I will outline how to make policies & guidelines actionable. So please stay tuned.</div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-33166791440123658342015-10-27T18:05:00.002+01:002015-10-27T18:44:58.134+01:00RBAC first – ABAC next, or what?<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
Introduction</h1>
Recently, at a customer’s site, I heard an enlightening response to a simple and straightforward question. <br />
<br />
The question was: “<i>Why do we implement our access management system according to the old fashioned RBAC model and don’t follow the modern ABAC approach instead?”</i>
<br />
<br />
The answer came quickly and was as simple: “<i>As we are a large organisation, to go for ABAC would be a step too big for the start. So first let’s implement according to RBAC and later we go on to the ABAC model</i>.”<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSHCNkvjt1sy7QXdFUZVPYbdNR02p3CQycN4f0Qk_w36Z-IVG614r0MzbbE8lPIjw2W5MYymy9bBDukMZ-GHlGzeEYPlMUbLKj90FAdjS9qV2z1Fr8lEyop8cTCRjk_0obIhyVUldOl8Q/s1600/Evolution_of_Access_control.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSHCNkvjt1sy7QXdFUZVPYbdNR02p3CQycN4f0Qk_w36Z-IVG614r0MzbbE8lPIjw2W5MYymy9bBDukMZ-GHlGzeEYPlMUbLKj90FAdjS9qV2z1Fr8lEyop8cTCRjk_0obIhyVUldOl8Q/s320/Evolution_of_Access_control.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br />
<span style="color: #002060; font-size: 8pt;">Figure 1: The (perceived) Evolution of Access control</span></td></tr>
</tbody></table>
The answer left me wondering whether there is a logical sequence in which to implement an access model: first RBAC, then ABAC? Indeed, while researching the literature I found some proposed or perceived evolution paths, like the one illustrated in the graphic above (e.g. <a href="http://securesoftwaredev.com/2012/06/18/xacml-supports-all-major-access-control-models-2/">here</a>, also conveying the promising news that <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#CURRENT">XACML</a> supports all of these models).<br />
<br />
However, why couldn't it be the other way round? Or can't we have both at the same time? Roles are a good idea, but the dynamic access control that often comes in the wake of attributes might be very beneficial as well. What about a blended model, having the best of both worlds?<br />
<h1>
What is RBAC?</h1>
Role based access control (RBAC), as defined in the US standard ANSI/INCITS 359-2004, Information Technology - Role Based Access Control, controls all access through roles assigned to users. Each role assigns a collection of permissions to the users holding it. <br />
<br />
Hereby RBAC assumes that, in most applications, the permissions needed for an organisation's roles change slowly over time, while users may enter, leave and change their roles rapidly. RBAC meanwhile is a mature and widely used model for controlling access to corporate information.<br />
To cope with its early limitations, inheritance mechanisms have been introduced, allowing roles to be structured hierarchically, so that some roles inherit permissions from others.<br />
<br />
Intuitively roles are understood as functions - or bundles thereof - to be performed within a corporation. Not surprisingly they offer a natural approach to express segregation-of-duty requirements, where no single individual may be assigned all functions for critical operations such as expenditure of funds. <br />
<br />
It is evident that roles are global to a given context by their very nature. Proper operation of RBAC hence requires that roles fall under a single administrative domain or have a consistent definition across multiple domains. Employing distributed role definitions, in contrast, can become challenging.<br />
<br />
But not all permission-determining dimensions are functional. What about <i>location</i>, <i>legal entity</i>, <i>customer group</i>, <i>cost centre</i> and the like? Those 'attributes' in conjunction with the job function span a multidimensional vector space. A point in this space defines the package of permissions.<br />
<br />
<table style="border-collapse: collapse; border: 1px solid navy;">
<tbody>
<tr>
<td align="center" style="border: currentColor; padding: 0.5cm;" valign="top"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-c9TqYAYejSo/Vi-nAgRmUQI/AAAAAAAAgOg/-hMbgBs5-6o/s1600/simple_static_role_meta_model.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="172" src="http://4.bp.blogspot.com/-c9TqYAYejSo/Vi-nAgRmUQI/AAAAAAAAgOg/-hMbgBs5-6o/s200/simple_static_role_meta_model.png" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div align="center;" style="color: #002060; text-align: center;">
Figure 2: A simple (static) role meta model</div>
</td></tr>
</tbody></table>
</td>
<td style="border: currentColor; padding: 0.5cm;" valign="top">The separation of functions & constraints pays off even without complex rules. In the (simplest) role meta model …<br />
<ul>
<li>Roles express the function</li>
<li>Parameters are used as constraints</li>
<li>Roles and parameters combine into business roles</li>
<li>Business roles are defined in pure business terms</li>
<li>Business roles must be mapped to entitlements</li>
<li>Entitlements are operations on objects</li>
<li>Business roles may be generated statically</li>
<li>They may also be determined dynamically at run time</li>
</ul>
</td>
</tr>
</tbody></table>
<br />
Of course, if the only tool you have at hand is a hammer, the whole world may look like a nail to you, or a variety of them. And so the inevitable happened: roles, despite their functional nature, were abused for the assignment of any bundle of permissions, quickly leading to the well-known role explosion.<br />
<br />
Also, the static nature of roles is increasingly felt as a severe limitation, at least in some cases. Where does agility enter the game? Well, the context is to blame, and it requires dynamic constraints. To make this cryptic statement a bit clearer, let's take some examples …<br />
<ul>
<li><b><i>Device</i></b><br /> The device in use might limit what someone is allowed to do. <br /> Some devices like tablets or smartphones might be considered less secure than others.</li>
<li><b><i>Location</i></b><br /> The location the identity is at when performing an action. Mobile, remote use might be considered less secure than access from within the headquarters.</li>
<li><b><i>System health status</i></b><br /> The current status of a system based on security scans, update status and other “health” information, reflecting the attack surface and risk.</li>
<li><b><i>Authentication strength</i></b><br /> The strength, reliability and trustworthiness of the authentication. You might require a certain level of authentication strength for an action to be permitted; otherwise you might want to restrict access in a certain way.</li>
<li><b><i>Mandatory absence</i></b> <br /> Traders may not be allowed to trade during their vacation. Mandatory Time Away (MTA) is commonly used as a detective / preventive control for sensitive business tasks.</li>
<li><b><i>Many more</i></b> …</li>
</ul>
It is evident, that static role models cope badly with such dynamic requirements.<br />
<h1>
What is ABAC?</h1>
To avoid 'role explosions' and to provide for higher agility, several attempts have been made. Likewise, recent interest in attribute-based access control (ABAC) suggests that attributes and rules could either replace RBAC or make it simpler and more flexible.<br />
<br />
The attribute-based access control (ABAC) model to date is not a rigorously defined approach. Its central idea is that access can be determined based on various attributes presented by a subject. An account of this line of thought is given by A.H. Karp, H. Haury and M.H. Davis, “From ABAC to ZBAC: the Evolution of Access Control Models”, tech. report HPL-2009-30, HP Labs, 21 Feb. 2009. <br />
<br />
Hereby rules specify the conditions under which access is granted or denied.<br />
<br />
For example, a bank might allow access if the subject is a teller working during the hours from 7:30 am to 5:00 pm, or the subject is a supervisor or auditor working those same hours who also has management authorisation.<br />
<br />
This approach at first sight appears more flexible than RBAC because it does not require separate roles for relevant sets of subject attributes, and rules can be implemented quickly to accommodate changing needs. The trade-off for this flexibility is the complexity introduced by the high number of cases that must be considered: to answer what a given subject can do, every combination of attribute values has to be evaluated. <br />
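The bank rule above as a small attribute-based policy decision point, added here as an example and not part of the original post. The attribute names (subject.role, subject.management_authorised, environment.time, environment.device), the three rules, the sample requests and the two combining algorithms are constructed for illustration; the combining algorithms mirror the deny-overrides and first-applicable algorithms of XACML, but the code is plain Python, not XACML.<br />

```python
"""A minimal attribute-based policy decision point (PDP) for the bank rule.
Added example, not code from the original post. Attribute names, rules,
sample requests and the two combining algorithms are constructed for
illustration; they mirror XACML's deny-overrides and first-applicable,
but this is not XACML."""
from datetime import time

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def in_business_hours(attrs):
    """The 7:30 am to 5:00 pm window of the bank rule; a missing time
    attribute falls outside the window (fail closed)."""
    return time(7, 30) <= attrs.get("environment.time", time(0, 0)) <= time(17, 0)


# Each rule: (name, condition over the request attributes, effect).
# A rule whose condition is false is NotApplicable and stays silent.
RULES = [
    ("teller during business hours",
     lambda a: a.get("subject.role") == "teller" and in_business_hours(a),
     PERMIT),
    ("supervisor or auditor with management authorisation",
     lambda a: a.get("subject.role") in ("supervisor", "auditor")
     and in_business_hours(a)
     and a.get("subject.management_authorised") is True,
     PERMIT),
    ("no access from unmanaged devices",
     lambda a: a.get("environment.device") != "managed",
     DENY),
]


def evaluate(rules, attrs, combining="deny-overrides"):
    """Combine the effects of all applicable rules into one decision."""
    effects = [effect for _name, cond, effect in rules if cond(attrs)]
    if not effects:
        return NOT_APPLICABLE
    if combining == "deny-overrides":        # one Deny wins over any Permit
        return DENY if DENY in effects else PERMIT
    if combining == "first-applicable":      # rule order decides
        return effects[0]
    raise ValueError(f"unknown combining algorithm: {combining}")


def is_permitted(attrs, combining="deny-overrides"):
    """What the PEP does: anything but an explicit Permit is a denial,
    including NotApplicable (deny by default)."""
    return evaluate(RULES, attrs, combining) == PERMIT


def reachable_permits(role, contexts, combining="deny-overrides"):
    """The review problem of pure ABAC: to learn what a role can obtain you
    have to enumerate contexts; there is no static maximum as in RBAC."""
    return [ctx for ctx in contexts
            if is_permitted({"subject.role": role, **ctx}, combining)]


# Constructed sample requests.
OFFICE_HOURS = {"environment.time": time(10, 0), "environment.device": "managed"}
AFTER_HOURS = {"environment.time": time(18, 0), "environment.device": "managed"}
HOME_TABLET = {"environment.time": time(10, 0), "environment.device": "byod"}

if __name__ == "__main__":
    for ctx in (OFFICE_HOURS, AFTER_HOURS, HOME_TABLET):
        print("teller", ctx, is_permitted({"subject.role": "teller", **ctx}))
```

Two things the paragraph alone does not show. A request that matches no rule is NotApplicable, and the enforcement point must treat that as a denial. And the same request, a teller on an unmanaged tablet during business hours, is denied under deny-overrides but permitted under first-applicable, because the permit rule is listed before the device rule; rule order and combining algorithm are therefore part of the policy and need the same review as the rules themselves. reachable_permits makes the review problem visible: to find out what a role can obtain you have to enumerate contexts, whereas a role model gives you a static maximum.<br />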
Providing attributes from various disparate sources adds a further task. Attributes may stem from sources of different reliability, resulting in different degrees of trust we can place in them: a device health claim asserted by the endpoint itself deserves less trust than one reported by the management system, and a rule should state which source it accepts.<br />
<br />
ABAC (sometimes referred to as Policy Based Access Control or PBAC, or Claims Based Access Control or CBAC) was proposed as a solution to these new issues. <br />
<br />
A risk-aware extension of the idea is known as Risk Adaptive Access Control (RAdAC). As the model and its application are still emerging, there is currently no widely accepted ABAC model as there is for DAC, MAC and RBAC. (NIST SP 800-162 of 2014 offers a definition and guidance, but no formal model comparable to the RBAC standard.) Although considerable literature has been published, there is no agreement on what ABAC exactly means.<br />
<br />
It is however safe to state that attributes and policies (made of rules) are used in ABAC to derive access decisions. As those attributes may change during run time, the ability to perform these policy decisions at run time too is assumed.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-fEysJu95IaI/Vi-nXtwFkhI/AAAAAAAAgOo/bf3bxwDE1Fs/s1600/Agility_enters_the_game.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="64" src="http://3.bp.blogspot.com/-fEysJu95IaI/Vi-nXtwFkhI/AAAAAAAAgOo/bf3bxwDE1Fs/s320/Agility_enters_the_game.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3: Agility creeps into the model from the increasingly dynamic corporate context</td></tr>
</tbody></table>
<h1>
RBAC vs. ABAC</h1>
As discussed above, both approaches, RBAC and ABAC, have their specific advantages and disadvantages. RBAC trades up-front role structuring effort for ease of administration and user permission review, while ABAC makes the reverse trade-off: it is easy to set up, but analysing user permissions can be problematic.<br />
<br />
This insight comes as less of a surprise if we start viewing both models as incomplete fragments, just projections of some richer model. And in fact, rarely does any organisation use a pure RBAC or ABAC approach. Typically attributes augment or parameterise roles. They can also be used independently to assign basic resources to digital identities, resources which are not linked to functions performed within the organisation.<br />
<br />
This view supports the strong impression that the discussions of RBAC vs. ABAC tend to search for the right answers to the wrong question. It would rather make sense to ask how much R vs. how much A should go into our xBAC model to best serve our needs.<br />
<h1>
Implementation</h1>
Having come to the above conclusion, it is not surprising to find that the 'inventors' of RBAC themselves came up with three different suggestions for how to combine RBAC and ABAC. <br />
<br />
As D. Richard Kuhn, Edward J. Coyne and Timothy R. Weil present in their article “Adding Attributes to Role-Based Access Control” (IEEE Computer, vol. 43, no. 6, June 2010, pp. 79-81), there are three approaches to handle the relationship between roles and attributes, all retaining some of the administrative and user permission review advantages of RBAC while allowing the access control system to work in a rapidly changing environment:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-QeXJIve-o8k/Vi-nscGZ3lI/AAAAAAAAgOw/8Irwz2FRCQQ/s1600/Combining_RBAC_and_ABAC.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="95" src="http://2.bp.blogspot.com/-QeXJIve-o8k/Vi-nscGZ3lI/AAAAAAAAgOw/8Irwz2FRCQQ/s320/Combining_RBAC_and_ABAC.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4: There are 3 basic models discussed here to combine RBAC and ABAC</td></tr>
</tbody></table>
<ol>
<li><b>Dynamic roles</b>. Attributes such as time of day are used by a front-end module to determine the subject’s role, retaining a conventional role structure but changing role sets dynamically (R. Fernandez, Enterprise Dynamic Access Control Version 2 Overview, US Space and Naval Warfare Systems Centre, 1 Jan. 2006; <a href="http://csrc.nist.gov/rbac/EDACv2overview.pdf">http://csrc.nist.gov/rbac/EDACv2overview.pdf</a>). Some implementations of dynamic roles might let the user’s role be fully determined by the front-end attribute engine, while others might use the front end only to select from among a predetermined set of authorized roles.</li>
<li><b>Attribute-centric</b>. A role name is just one of many attributes. In contrast with conventional RBAC, the role is not a collection of permissions but the name of an attribute called role. This approach's main drawback is the rapid loss of RBAC's administrative simplicity as more attributes are added. It also suffers from the general problem of ABAC when determining the risk exposure of a particular employee position. However, this second scenario could serve as a good approach for a rapid start, generating early results by automating the assignment of all those permissions which can be granted without deeper knowledge of the digital identity's job function.</li>
<li><b>Role-centric</b>. Attributes are added to constrain RBAC. Constraint rules that incorporate attributes can only reduce the permissions available to the user, not expand them. Some of ABAC's flexibility is lost because permission sets are still constrained by role, but the system retains the RBAC capability to determine the maximum set of user-obtainable permissions. As an aside, the formal model for RBAC, introduced in 1992, was explicitly designed to accommodate additional constraints being placed on a role. This approach, by the way, is the one envisioned as the natural approach by <a href="https://www.kuppingercole.com/report/enterprise_role_management_done_right">KuppingerCole</a>. </li>
</ol>
<h1>
Conclusion</h1>
<table style="border-collapse: collapse; border: 1px solid navy;"><tbody>
<tr>
<td style="border: currentColor; padding: 0.5cm;" valign="top"><div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-nR5FSJGnHZA/Vi-pXXSbIHI/AAAAAAAAgPA/zW2KUuAVD3g/s1600/Dynamic_authorisation_by_agility_insertion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="http://1.bp.blogspot.com/-nR5FSJGnHZA/Vi-pXXSbIHI/AAAAAAAAgPA/zW2KUuAVD3g/s200/Dynamic_authorisation_by_agility_insertion.png" width="200" /></a></div>
</td>
<td style="border: currentColor; padding: 0.5cm;" valign="top">In a dynamic role meta model …<br />
<ul>
<li>Roles can be created at runtime</li>
<li>So can constraints</li>
<li>They are rule / attribute pairs</li>
<li>Roles & constraints can be deployed dynamically too.</li>
<li>Dynamicity is propagated from constraints and/or from functional roles to business roles and authorisations</li>
<li>Entitlements and identities remain static at the same time.</li>
</ul>
</td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5: Roles and constraints may be created and / or used dynamically</td>
<td></td></tr>
</tbody>
</table>
<br />
Having said all this, we can safely conclude that sticking with one model in its pure form will limit our expressive power and lead to suboptimal results. The question should be less whether we prefer the A or the R in the respective xBAC model, but rather how much of each to introduce at what point in time. Even a combination of the three approaches mentioned in the chapter above need not lead to model degeneration; it rather has the potential to lead to an optimal model.<br />
<h1>
References</h1>
<ol>
<li>D.F. Ferraiolo and D.R. Kuhn (1992) "<a href="http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf">Role Based Access Control</a>", 15th National Computer Security Conference, October, 1992</li>
<li>M. Blaze, J. Feigenbaum, J. Ioannidis, “<a href="http://www1.cs.columbia.edu/~angelos/Papers/rfc2704.txt">The KeyNote Trust-Management System Version 2</a>”, IETF RFC 2704, September 1999</li>
<li>K. Brown, “<a href="http://msdn.microsoft.com/enus/magazine/cc163366.aspx">Exploring Claims-Based Identity</a>”</li>
<li>A. Pimlott and O. Kiselyov, “<a href="http://okmij.org/ftp/Prolog/Soutei.pdf">Soutei, a Logic-Based Trust-Management System</a>”, FLOPS 2006, 8th International Symposium on Functional and Logic Programming, Fuji-Susono, Japan, April 24-26, 2006. Also in Springer's Lecture Notes in Computer Science 3945/2006, pp. 130-145.</li>
<li>D. Richard Kuhn, Edward J. Coyne, Timothy R. Weil, “<a href="http://csrc.nist.gov/groups/SNS/rbac/documents/kuhn-coyne-weil-10.pdf">Adding Attributes to Role-Based Access Control</a>”, IEEE Computer, vol. 43, no. 6 (June, 2010), pp. 79-81</li>
</ol>
<h1>
More readings</h1>
<ol>
<li>Anderson, A. 2004. <a href="http://docs.oasis-open.org/xacml/cd-xacml-rbac-profile-01.pdf">XACML Profile for Role Based Access Control (RBAC)</a>. </li>
<li>Anderson, R.J. 2001. Security Engineering: A Guide to Building Dependable Distributed Systems. New York: Wiley Computer Publishing.</li>
<li>Barkley, J.F. (no date). “Workflow Management Employing Role-Based Access Control.” U.S. Patent #6,088,679.</li>
<li>Barkley, J.F. 1995a. “<a href="http://www.itl.nist.gov/div897/staff/barkley/proj/paper.pdf">Application Engineering in Health Care</a>.” Second Annual CHIN Summit. Chicago, IL.</li>
<li>Barkley, J.F. 1995b. “Implementing Role-based Access Control Using Object Technology.” First ACM Workshop on Role-Based Access Control.</li>
<li>Barkley, J.F., and A.V. Cincotta. 1998. “Managing Role/Permission Relationships Using Object Access Types.” Third ACM Workshop on Role-Based Access Control, Fairfax, VA.</li>
<li>Barkley, J.F., and A.V. Cincotta. 2001. “Implementation of Role/Group Permission Association Using Object Access Type.” U.S. Patent No. 6,202,066.</li>
<li>Barkley, J.F., A.V. Cincotta, D.F. Ferraiolo, S. Gavrila, and D.R. Kuhn. 1997. “Role-based Access Control for the World Wide Web.” 20th National Computer Security Conference.</li>
<li>Barkley, J.F., D.R. Kuhn, Rosenthal, Skall, and A.V. Cincotta. 1998. “Role-Based Access Control for the Web.” CALS Expo International & 21st Century Commerce 1998: Global Business Solutions for the New Millennium.</li>
<li>Bednarz, J. 2005. “<a href="http://www.networkworld.com/research/2005/020705sox.html">Compliance: Thinking Outside the Sarbox</a>.” Network World. As obtained on 10/31/2008.</li>
<li>Bertino, E. and R. Sandhu. 2005. “Database Security—Concepts, Approaches, and Challenges.” IEEE Transactions on Dependable and Secure Computing 2(1): 2-19.</li>
<li>Bokhari, Z. 2009. Standard & Poor’s Industry Surveys, Computers: Software (April 23) and company Web sites. Accessed February 5, 2009.</li>
<li>U.S. Code 44 (2006). Information Security, § 3532 (b) (1). <a href="http://www.gpoaccess.gov/uscode/index.html">http://www.gpoaccess.gov/uscode/index.html</a>.</li>
<li>Bureau of Economic Analysis. 2009. “<a href="http://www.bea.gov/national/nipaweb/Index.asp">National Income and Product Accounts: Table 5.3.5. Private Fixed Investment by Type</a>.”. Accessed April 14, 2009.</li>
<li>Byrnes, C., Vice-President: Services and Systems Management, The META Group. June 13, 1997. “Security Administration Grows Up.” An analyst report produced for Tivoli, an IBM company.</li>
</ol>
<br /></div>
<h1>Authorisation – what does it mean after all?</h1>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), published 2014-05-21, updated 2014-10-14
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
In the field of Identity- & Access Management, terms like authentication and authorisation are well understood, frequently used, and everyone knows what they mean. Really?</div>
<br />
<div>
Well, Identity Management is about managing identities, e.g. of employees. Access Management consequently deals with access, e.g. to information objects. And it is quite obvious that, before you may access any protected information object, you 1<sup><span style="font-size: x-small;">st</span></sup> have to be authenticated (Are you the one you claim to be?) and 2<sup><span style="font-size: x-small;">nd</span></sup> you need to be authorised (are you allowed to perform that particular activity on a specific information object?).</div>
<br />
<div>
In a contemporary architecture, which may be considered contemporary when it is ‘service oriented’, there would hence be an authentication service taking care of the authentication task, and an authorisation service. Both are run-time activities on an operational level, rather than administrative tasks on a management level.</div>
<br />
<div>
So it’s clear now, isn’t it?</div>
<br />
<div>
But what does authorisation mean? When is a digital identity authorised to access a protected information object in a defined way? Is it done 1) when the privilege is assigned to her / him (logically at administration time) or 2) when this authorisation is enforced (physically at runtime)?</div>
<br />
<div>
Hmmmm.</div>
<br />
<div>
There might even be 2 warring factions – and I have been a member of each of them, one at a time. In the essential world (<a href="http://genericiam.blogspot.de/2010/08/modelling-fundamentals.html"><span style="color: blue; font-family: Calibri;">http://genericiam.blogspot.de/2010/08/modelling-fundamentals.html</span></a>) of course 1) applies, because once the roles / attributes are assigned, nothing more is left to be done (<a href="http://genericiam.blogspot.de/2012/02/apply-approve.html"><span style="color: blue; font-family: Calibri;">http://genericiam.blogspot.de/2012/02/apply-approve.html</span></a>). For the SOA people, who live in the real – physical – world, it might rather be 2), as here you may easily design a single-tasked service, an equivalent to an authentication service.</div>
<div>
<br />
<div>
Hmmmm.</div>
<br />
<div>
It might not appear worthwhile to discuss these topics here. But I encountered this discussion once at one of my customers. The good news however is, we are not the first and only ones to be confronted with this schism.<br />
</div>
And I think the XACML people (<a href="http://xml.coverpages.org/XACML-v30-HierarchicalResourceProfile-WD7.pdf"><span style="color: blue; font-family: Calibri;">http://xml.coverpages.org/XACML-v30-HierarchicalResourceProfile-WD7.pdf</span></a>) have done quite a good job. You may remember that with PRP, PIP, PAP, PDP & PEP they defined five fundamental processors.<br />
<br />
<div>
They perform the following tasks …</div>
<ol>
<li>The PRP does the policy retrieval,</li>
<li>The PIP does the policy information,</li>
<li>The PAP does the policy administration,</li>
<li>The PDP does the policy decision and finally</li>
<li>The PEP does the policy enforcement.</li>
</ol>
<div>
The 2<sup><span style="font-size: x-small;">nd</span></sup> P at the acronym’s end obviously means ‘point’. In process notation the five processors do …</div>
<ol>
<li>Retrieve policy</li>
<li>Inform about policy</li>
<li>Administer policy</li>
<li>Decide policy and</li>
<li>Enforce policy. </li>
</ol>
<div>
All of them may be seen as processes from the authorisation ecosystem.</div>
<br />
<div>
As ‘policy retrieval’ and ‘policy information’ can be matched with the well-known directory service and / or database, where the ingredients for the subsequent activities are stored, these two activities can well be seen as lying outside the core authorisation.</div>
<br />
<div>
‘Administer policy’ however is the type 1) essential activity from above.</div>
<br />
<div>
Perhaps the illustrations created by Axiomatics may help here: <a href="https://www.axiomatics.com/policy-administration-points.html"><span style="color: blue; font-family: Calibri;">https://www.axiomatics.com/policy-administration-points.html</span></a><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-wdWmms2be6o/VDzJYHR2TnI/AAAAAAAAY0w/vF5l8KrlnZM/s1600/ABAC-reference-architecture_Axiomatics.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://1.bp.blogspot.com/-wdWmms2be6o/VDzJYHR2TnI/AAAAAAAAY0w/vF5l8KrlnZM/s1600/ABAC-reference-architecture_Axiomatics.png" height="185" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">see: www.axiomatics.com</td></tr>
</tbody></table>
</div>
<br />
<div>
The remaining two activities ‘decide policy’ and ‘enforce policy’ are performed at run-time and they would be part of the type 2) authorisation activity of the SOA people.</div>
<br />
<div>
The confusion is also related to the role based (RBAC) vs. attribute based (ABAC) access control discussion. </div>
<ul>
<li>In (static) <b style="bidi-font-weight: normal;">RBAC</b> thinking an identity is assigned at least one role (the R in RBAC), and this role comes along with the elementary entitlements dangling from it; on the essential level everything needed to authorise this identity is thereby done. The entity containing this assignment can well be called ‘authorisation’.<br /></li>
<li>In the (dynamic) <b style="bidi-font-weight: normal;">ABAC</b> approach rules operate on attributes (the A in ABAC), which in turn are associated with the identity. In case the attributes used here can be considered static, i.e. they stay unchanged until the next policy administration, on the essential level authorisation would happen – as in the RBAC world – when the rules are put in place. However, as rules might be complicated and are not directly assigned to an identity, this case is less obvious and reveals its truth only after closer examination. </li>
</ul>
<div>
If however attributes (not to talk about rules) may change from one policy decision to the other, policy decision would be the authorisation step.</div>
<br />
<div>
For real-world static RBAC authorisations you would anyway need roles and rules in combination. So swapping the R for an A makes less of a difference than the increase in dynamicity does.</div>
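The five processors and the static-versus-dynamic distinction above, as an added example that is not code from the original post (the class layout, the bookkeeper role, the business-hours rule and the subject names are constructed assumptions):

```python
"""Added example, not the blog's own code: a minimal pipeline with the five
processors named above (PRP, PIP, PAP, PDP, PEP). Roles grant entitlements
at administration time; constraint rules over attributes can only withdraw
them at decision time (the role-centric reading). Names and data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Attributes = Dict[str, object]
Rule = Callable[[Attributes], bool]          # True -> the listed entitlements are withdrawn


@dataclass
class Policy:
    role_entitlements: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    constraints: List[Tuple[Rule, FrozenSet[str]]] = field(default_factory=list)


class PAP:
    """Policy Administration Point: the administration-time side (case 1 above)."""
    def __init__(self) -> None:
        self.policy = Policy()

    def assign_role_entitlements(self, role: str, entitlements) -> None:
        self.policy.role_entitlements[role] = frozenset(entitlements)

    def add_constraint(self, rule: Rule, withdraws) -> None:
        self.policy.constraints.append((rule, frozenset(withdraws)))


class PRP:
    """Policy Retrieval Point: hands the stored policy to the PDP."""
    def __init__(self, pap: PAP) -> None:
        self._pap = pap

    def retrieve(self) -> Policy:
        return self._pap.policy


class PIP:
    """Policy Information Point: supplies subject and environment attributes.
    Role membership is static; the hour is dynamic and comes from an injected
    clock so the example runs deterministically offline."""
    def __init__(self, roles: Dict[str, FrozenSet[str]], clock: Callable[[], int]) -> None:
        self._roles, self._clock = roles, clock

    def attributes(self, subject: str) -> Attributes:
        return {"subject": subject, "roles": self._roles.get(subject, frozenset()),
                "hour": self._clock()}


class PDP:
    """Policy Decision Point: role grants minus whatever the constraints withdraw."""
    def __init__(self, prp: PRP, pip: PIP) -> None:
        self._prp, self._pip = prp, pip

    def effective_entitlements(self, subject: str) -> FrozenSet[str]:
        policy, attrs = self._prp.retrieve(), self._pip.attributes(subject)
        granted = frozenset().union(
            *(policy.role_entitlements.get(r, frozenset()) for r in attrs["roles"]))
        withdrawn = frozenset().union(
            *(ents for rule, ents in policy.constraints if rule(attrs)))
        return granted - withdrawn                # constraints never expand the grant

    def decide(self, subject: str, entitlement: str) -> bool:
        return entitlement in self.effective_entitlements(subject)


class PEP:
    """Policy Enforcement Point: the run-time side (case 2 above)."""
    def __init__(self, pdp: PDP) -> None:
        self._pdp = pdp

    def access(self, subject: str, entitlement: str) -> str:
        return "PERMIT" if self._pdp.decide(subject, entitlement) else "DENY"


def build_demo(hour: int) -> PEP:
    """Constructed sample: a bookkeeper role whose 'payment:release' is withdrawn
    outside business hours; 'ledger:read' has no dynamic constraint at all."""
    pap = PAP()
    pap.assign_role_entitlements("bookkeeper", {"ledger:read", "payment:release"})
    pap.add_constraint(lambda a: not 8 <= a["hour"] < 18, {"payment:release"})
    pip = PIP({"alice": frozenset({"bookkeeper"})}, clock=lambda: hour)
    return PEP(PDP(PRP(pap), pip))


def decisions_by_hour(subject: str, entitlement: str, hours) -> Dict[int, str]:
    """Same policy, same role assignment, different hours of the day."""
    return {h: build_demo(h).access(subject, entitlement) for h in hours}


if __name__ == "__main__":
    # Only static attributes involved: the administration-time assignment settles it.
    print(decisions_by_hour("alice", "ledger:read", [3, 12]))      # {3: 'PERMIT', 12: 'PERMIT'}
    # A dynamic attribute involved: the answer is only known at the policy decision.
    print(decisions_by_hour("alice", "payment:release", [3, 12]))  # {3: 'DENY', 12: 'PERMIT'}
```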
<br />
<div>
I think I will adapt my essential processes to reflect this thinking. And the time has come anyway to amend them with a ‘physical ring’ in order to cover the physical runtime processes as well.
</div>
</div>
</div>
<h1>Changing Roles</h1>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), published 2012-05-02, updated 2014-04-24
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-size: 12pt;">
We saw that maintenance of roles is rather simple (<a href="http://genericiam.blogspot.de/2011/09/how-to-find-roles.html" name="find_roles">How to find roles</a>). Maintenance just consists of the CRUD (create, read, update & delete) operation on the role object. But what if a role is in use somewhere already? In this case obviously the referential integrity has to be maintained. Database people may be familiar with this requirement. But, can it be changed at all? Do we need to renew all approvals we received while assigning this role to an identity? Can it be done within the regular attestation?<br />
<br />
Well, some tough questions. Let's break the case down to the different occasions:</span></div>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
Create:</h3>
<div style="font-family: "Trebuchet MS",sans-serif;">
To my understanding this case is well covered. Roles are an artifact of organizing the business, so creating them is a business responsibility. Let's call this role the <i>Business Architect</i>.<br />
<br />
In order to be able to use these roles for access management purposes they need to be underpinned by permissions to access systems. This can only be done in a joint effort with a technical role. Let's call it the <i>System Architect</i>.<br />
<br />
In some environments - like the SAP universe - we often distinguish between Applications and System(line)s. So there might be even 2 technical roles: an <i>Application Architect</i> and a <i>System Architect</i>.<br />
<br />
All 3 types of architects are bound to a certain business domain, as after all you cannot be a specialist for the whole world. So an overall coordinating <i>Role Model Owner</i> should be appointed to keep the role model clean and lean, comprehensible and free of uncontrolled redundancies.</div>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
Update:</h3>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-CKzeI_yGzFE/T6FiBe2-94I/AAAAAAAAQdE/LRhqcKQIO3w/s1600/Role_Version.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://1.bp.blogspot.com/-CKzeI_yGzFE/T6FiBe2-94I/AAAAAAAAQdE/LRhqcKQIO3w/s200/Role_Version.png" height="186" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">roles are versioned</td></tr>
</tbody></table>
</div>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<span lang="EN-GB" style="font-size: 12pt;">Let's assume for this case that delete is just a special case of update. For purposes of backward traceability and reporting I anyway doubt that we should delete IAM entities which we may be requested to report on later. Rather, I think we should flag them as being out of use and keep them, to be able to sum up all changes into an audit trail.</span><br />
</div>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;" trtempbr="temp_br">
If a role for any reason is not yet in use you may pretty much follow the same procedure.</div>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;" trtempbr="temp_br">
But if the role is or has been in use, it simply cannot be changed anymore. Instead, versioning comes into play: you may create a new version of this role. The old version of this role will then be disabled for any further assignment. Only the new version can be assigned henceforth.</div>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;" trtempbr="temp_br">
However, if the update is not just a convenience change but has an important reason behind it, you may need a special process:</div>
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<ol>
<li><div trtempbr="temp_br">
Create a new role version,</div>
</li>
<li><div trtempbr="temp_br">
disable the old role version, </div>
</li>
<li><div trtempbr="temp_br">
send an application to all affected persons' superiors and </div>
</li>
<li><div trtempbr="temp_br">
let them confirm the withdrawal of the old role version and the assignment of the new role version. </div>
</li>
<li><div trtempbr="temp_br">
Of course you have to inform the affected individual as well.</div>
</li>
</ol>
</div>
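The versioning process of the Update case above, as an added example that is not part of the original post (the repository class, the role and person names and the entitlement strings are constructed assumptions):

```python
"""Added example, not the blog's own code: role versioning as described above.
A role in use is never edited or deleted: a new version is created, the old one is
disabled for further assignment but kept for the audit trail, and for a material
change the superiors of all affected persons receive an application to confirm the
switch. Role, person and entitlement names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class RoleVersion:
    name: str
    version: int
    entitlements: Set[str]
    status: str = "active"        # 'active' or 'disabled'; versions are never deleted


@dataclass
class Assignment:
    identity: str
    superior: str
    role: str
    version: int
    confirmed: bool = True        # False while a superior's confirmation is pending


class RoleRepository:
    def __init__(self) -> None:
        self.versions: Dict[str, List[RoleVersion]] = {}
        self.assignments: List[Assignment] = []
        self.audit_trail: List[str] = []

    def create(self, name: str, entitlements: Set[str]) -> RoleVersion:
        rv = RoleVersion(name, 1, set(entitlements))
        self.versions[name] = [rv]
        self.audit_trail.append(f"create {name} v1")
        return rv

    def current(self, name: str) -> RoleVersion:
        """The single active version is the only one that may still be assigned."""
        return next(v for v in reversed(self.versions[name]) if v.status == "active")

    def in_use(self, name: str, version: int) -> bool:
        return any(a.role == name and a.version == version for a in self.assignments)

    def assign(self, identity: str, superior: str, name: str) -> Assignment:
        rv = self.current(name)
        a = Assignment(identity, superior, name, rv.version)
        self.assignments.append(a)
        self.audit_trail.append(f"assign {name} v{rv.version} to {identity}")
        return a

    def update(self, name: str, entitlements: Set[str], material: bool = False) -> dict:
        """Unused role: change in place. Used role: new version, old one disabled.
        Material change: flag every affected assignment and list whom to ask/inform."""
        old = self.current(name)
        if not self.in_use(name, old.version):
            old.entitlements = set(entitlements)
            self.audit_trail.append(f"update {name} v{old.version} in place")
            return {"version": old.version, "applications": {}, "inform": []}
        new = RoleVersion(name, old.version + 1, set(entitlements))
        old.status = "disabled"   # referential integrity: existing assignments stay valid
        self.versions[name].append(new)
        self.audit_trail.append(f"new version {name} v{new.version}, v{old.version} disabled")
        applications: Dict[str, List[str]] = {}
        inform: List[str] = []
        if material:
            for a in self.assignments:
                if a.role == name and a.version == old.version:
                    a.confirmed = False
                    applications.setdefault(a.superior, []).append(a.identity)
                    inform.append(a.identity)
        return {"version": new.version, "applications": applications, "inform": inform}

    def confirm(self, superior: str, identity: str, name: str) -> None:
        """The superior confirms: old version withdrawn, new version assigned."""
        new = self.current(name)
        for a in self.assignments:
            if (a.identity, a.role, a.superior, a.confirmed) == (identity, name, superior, False):
                a.version, a.confirmed = new.version, True
                self.audit_trail.append(f"{superior} confirmed {identity}: {name} v{new.version}")

    def effective(self, identity: str) -> Set[str]:
        """Entitlements currently held; a pending assignment still carries the old version."""
        ents: Set[str] = set()
        for a in self.assignments:
            if a.identity == identity:
                ents |= next(v for v in self.versions[a.role] if v.version == a.version).entitlements
        return ents


def demo() -> dict:
    """Constructed walk-through of the five-step process above."""
    repo = RoleRepository()
    repo.create("bookkeeper", {"ledger:read", "payment:release"})
    repo.assign("alice", "carol", "bookkeeper")
    repo.assign("bob", "carol", "bookkeeper")
    result = repo.update("bookkeeper", {"ledger:read"}, material=True)   # steps 1-3 and 5
    alice_before = repo.effective("alice")
    repo.confirm("carol", "alice", "bookkeeper")                        # step 4, for alice only
    return {"applications": result["applications"], "inform": result["inform"],
            "alice_before": alice_before, "alice_after": repo.effective("alice"),
            "bob": repo.effective("bob"),
            "versions": [(v.version, v.status) for v in repo.versions["bookkeeper"]]}
```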
<div style="font-family: "Trebuchet MS",sans-serif; text-align: left;" trtempbr="temp_br">
Sometimes things are a bit more complicated in reality than they looked at first sight.</div>
<br />
</div>
<h1>The constraint universe</h1>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), published 2012-03-11, updated 2014-10-14
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-size: 12pt;">
You might remember my simple model of static <a href="http://genericiam.blogspot.com/2011/06/objects-of-corporation-slightly-revised.html">objects of the corporation</a>. Now here comes the complexity. In my nice and lean model of the static IAM objects there was one innocent and less impressive object called <i>constraint</i>.<br />
<br />
I borrowed the term <i>constraint</i> from RBAC <a href="http://www.blogger.com/blogger.g?blogID=1261371701213231895#label1" name="labelref1" title=""><sup>[1]</sup></a>, where various kinds of <i>constraint</i>s can be specified. RBAC knows separation of duty <i>constraint</i>s, prerequisite <i>constraint</i>s, and cardinality <i>constraint</i>s. The <i>constraint</i>s of the RBAC model are expressed using the Object <i>constraint</i> Language (OCL). OCL <i>constraint</i>s, based on first-order logic, are generally perceived as being difficult to understand.<br />
<br />
</span><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-6x6YWkFpQ4k/T10fGGyOCuI/AAAAAAAAPHs/Q50aWkAdzEE/s1600/Dimensionen.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://3.bp.blogspot.com/-6x6YWkFpQ4k/T10fGGyOCuI/AAAAAAAAPHs/Q50aWkAdzEE/s320/Dimensionen.png" height="168" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">There are several privilege determining dimensions</td></tr>
</tbody></table>
<br />
<span lang="EN-GB" style="font-size: 12pt;">
In this BLOG post I don't follow the narrow RBAC view of <i>constraint</i>s. Let's step back first, to get a complete view of the privilege-determining dimensions. If the question goes like this: "What are the dimensions of information which determine the privileges (permissions) to be bundled into one role?", then the answer might come as a list like this …</span><br />
<ul><span lang="EN-GB" style="font-size: 12pt;">
<li>Business function (as defined in a functional enterprise model),</li>
<li>Region,</li>
<li>Organizational unit,</li>
<li>Market, </li>
<li>Authorization amount limit</li>
<li>Project, </li>
<li>Information object</li>
<li>Contract type</li>
<li>…</li>
</span></ul>
<span lang="EN-GB" style="font-size: 12pt;">
The first dimension, which leads to the determination of privileges, is indisputable: that is the function or functional role. The remaining privilege-determining dimensions however are debatable and probably incomplete. This means they depend on the corporation we intend to model, expressing what appears to be important to them for privilege assignment. And as I doubt that we will ever be able to come up with an all-encompassing list of all possible dimensions from which we just have to select the right ones, I simply like to leave the end open, to be completed individually by each modeller.<br />
<br />
Therefore I bundled all other dimensions - except the business function - to the object <i>constraint</i>. But now it is time to unfold them and to name the different dimensions or types of <i>constraint</i>s.<br />
</span><br />
<h2>
<span lang="EN-GB" style="font-size: 12pt;">
The seven commonly used <i>constraint</i> types are:</span></h2>
<ol><span lang="EN-GB" style="font-size: 12pt;">
<li><b>Region</b> - usually the functions to be performed are limited to a region (US, Germany, Brazil, China ...). It may be useful to explicitly state the absence of this restriction by the introduction of a region "world".<br /></li>
<li><b>OU</b> - quite often the areas of responsibility have been separated by the definition of organizational units (OU) already. This applies to markets on the top level such as banking, insurance and leasing as well as to executive secretaries (by business line) or to departmental activities. Again, it may be useful to make the absence of this restriction explicit by the introduction of the OU "group". Projects in this context can also be regarded as (temporary) OUs.<br /></li>
<li><b>Customer group</b> - the segmentation of the market by customer group (wholesale, retail, corporate customers, dealers …) also leads to <i>constraints </i>to the pure function.<br /></li>
<li><b>Authority level</b> - in order to control inherent process risks organizations often set "levels of authority". There may be directly applicable limits, which are expressed in currency units or indirectly applicable ones. In the latter case they are expressed in parameters such as mileage allowances, discounts, discretion in the conditions defining ... which in turn can be converted into monetary upper limits.<br /></li>
<li><b>Project</b> - If projects are not considered as (temporary) OUs, they represent a separate dimension determining information access: project managers and other project functions usually have received their privileges for a particular project and cannot access resources of other projects.<br /></li>
<li><b>Object</b> - Sometimes you may be able to restrict permissions to a defined information object. A tester has to run tests on particular software object (application or system) only; a janitor is responsible just for a particular house.<br /></li>
<li><b>Contract type</b> - Different privileges also arise from the contractual agreement a person has with the corporation. Hence the permissions of permanent employees, interim managers, contractors, consultants and suppliers usually differ considerably.</li>
</span></ol>
<span lang="EN-GB" style="font-size: 12pt;">
<h2>
Other conceivable <i>constraint</i> types are...</h2>
<ol>
<li><b>Cost centre</b> - sometimes cost centres don't match with OUs or projects and for reasons of cost allocation employees are allowed to "move" within their cost centre only.<br /></li>
<li><b>Company Code</b> - To further fine-structure market segmentation within customer groups or for the distribution of workload, sometimes auxiliary structures such as client or company codes are used. Different codes may lead to differing permissions.<br /></li>
<li><b>More</b> to come - ... most probably there are more privilege-determining dimensions in use out there, which haven't been listed here.</li>
</ol>
<h2>
Segregation of duties</h2>
Following the structure used above, segregation of duties (SoD) does not count as a <i>constraint</i>. SoD rules do not further restrict the privileges which are granted via assigned functions, but exclude certain functions from being combined.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-jnFb1WBae2E/T10fikNb8QI/AAAAAAAAPH0/Cg-47irdQ0U/s1600/dimnsions.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="http://2.bp.blogspot.com/-jnFb1WBae2E/T10fikNb8QI/AAAAAAAAPH0/Cg-47irdQ0U/s320/dimnsions.png" height="178" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IM + AM + CM</td></tr>
</tbody></table>
<br />
As a helpful notion, the three disciplines of IAM, IM (identity management), AM (access management) and CM (compliance management) can be clearly separated from each other. Here, the AM resides on top of the IM and the CM on top of the AM. <i>Constraint</i>s hence are part of the AM; SoDs however belong to the CM (which deserves its own BLOG post, or more).<br />
<br />
Checks for the separation of duties are required in two cases:<br />
<ol>
<li>When roles are created / modified to ensure that they are inherently free of SoD conflicts.</li>
<li>When roles are combined, e.g. when assigning them to digital identities (persons) or when they are aggregated into combined types of roles.</li>
</ol>
<h2>
Application</h2>
To determine the necessary permissions for a given job description, you need to determine …<br />
<ol>
<li>Which of the above-mentioned <i>constraint</i> types are actually used to determine privileges,<br /></li>
<li>What possible additional <i>constraint</i> types can be detected by examining existing privilege assignments and<br /></li>
<li>Which values of these <i>constraint</i>s lead to which privilege restriction?</li>
</ol>
Using this information should - if done right - enable us to determine the full set of privileges necessary for a certain job description just on the business level; which is fine as <a href="http://horst-walther.blogspot.com/2010/07/iam-purely-organizational-task.html">IAM is a purely organisational task</a>.<br />
<br />
After having done that, the technicians may add references to the technical permissions, which may be provisioned to target systems or interpreted directly at run time.<br />
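The constraint dimensions, the explicit "world" / "group" values and the two SoD checks described above, as an added example that is not part of the original post (the role names, privileges, authority limit and conflict pairs are constructed assumptions):

```python
"""Added example, not the blog's own code: a functional role narrowed by the
constraint dimensions listed above (region, OU, customer group, authority
level, ...) with the explicit 'no restriction' values 'world' and 'group', plus
the two SoD checks: at role creation and when roles are combined for an identity.
Role names, privileges, limits and conflict pairs are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Values that make the absence of a restriction explicit, as suggested above.
UNRESTRICTED = {"region": "world", "ou": "group", "customer_group": "all"}

# Constructed compliance-management policy: pairs of functions never to be combined.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
}


@dataclass(frozen=True)
class Constraint:
    dimension: str
    value: str                 # e.g. region="Germany"; authority_level is a currency limit


@dataclass(frozen=True)
class Role:
    name: str
    functions: FrozenSet[str]                   # business functions bundled in the role
    constraints: FrozenSet[Constraint]          # the dimensions that narrow them


@dataclass
class Request:
    function: str
    context: Dict[str, object]                  # dimension values of the requested act


def sod_conflicts(functions: FrozenSet[str]) -> List[FrozenSet[str]]:
    """Forbidden pairs fully contained in the given function set."""
    return [c for c in sorted(SOD_CONFLICTS, key=sorted) if c <= functions]


def create_role(name: str, functions, constraints=()) -> Role:
    """Case 1: a role must be inherently free of SoD conflicts."""
    fs = frozenset(functions)
    conflicts = sod_conflicts(fs)
    if conflicts:
        raise ValueError(f"role {name} combines conflicting functions: {conflicts}")
    return Role(name, fs, frozenset(constraints))


def combine_roles(roles: List[Role]) -> FrozenSet[str]:
    """Case 2: roles combined on one identity are checked again."""
    combined = frozenset().union(*(r.functions for r in roles))
    conflicts = sod_conflicts(combined)
    if conflicts:
        raise ValueError(f"combination conflicts: {conflicts}")
    return combined


def constraint_satisfied(c: Constraint, context: Dict[str, object]) -> bool:
    """A restricting value must match the request context; the authority level
    is an upper limit in currency units; an unrestricted value always holds."""
    if c.value == UNRESTRICTED.get(c.dimension):
        return True
    if c.dimension == "authority_level":
        return float(context.get("amount", 0)) <= float(c.value)
    return context.get(c.dimension) == c.value


def permitted(roles: List[Role], req: Request) -> bool:
    """Permitted if some role bundles the function and all its constraints hold."""
    return any(req.function in r.functions
               and all(constraint_satisfied(c, req.context) for c in r.constraints)
               for r in roles)


def demo() -> Dict[str, bool]:
    """Constructed sample: a German AP clerk and a world-wide approver with a limit."""
    clerk = create_role("ap_clerk_de", {"enter_invoice"},
                        [Constraint("region", "Germany"), Constraint("ou", "group")])
    approver = create_role("ap_approver", {"approve_payment"},
                           [Constraint("region", "world"), Constraint("authority_level", "10000")])
    return {
        "clerk_in_region": permitted([clerk], Request("enter_invoice", {"region": "Germany", "ou": "finance"})),
        "clerk_other_region": permitted([clerk], Request("enter_invoice", {"region": "Brazil", "ou": "finance"})),
        "approver_under_limit": permitted([approver], Request("approve_payment", {"region": "Brazil", "amount": 9000})),
        "approver_over_limit": permitted([approver], Request("approve_payment", {"region": "Brazil", "amount": 12000})),
    }
```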
<hr />
<div class="bildtext">
<span style="font-size: x-small;"><a href="http://www.blogger.com/blogger.g?blogID=1261371701213231895#labelref1" name="label1" title="">[1]</a> D.F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and Systems Security, 4(3), August 2001.</span></div>
</span></div>
</div>
<h1>Why IAM-Projects fail</h1>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), published 2012-02-18, updated 2012-03-12
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="font-family: "Trebuchet MS",sans-serif;">
7+1 reasons and more to expect</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
There are several caveats to be aware of up front when starting a major IAM project. These useful hints are driven by experience from projects that went wrong due to some common misconceptions:</div>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://1.bp.blogspot.com/-1Mnd--lppS4/T0Aj7lSCZFI/AAAAAAAAO9E/9j46c4SPD-w/s1600/responsibility.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="http://1.bp.blogspot.com/-1Mnd--lppS4/T0Aj7lSCZFI/AAAAAAAAO9E/9j46c4SPD-w/s320/responsibility.png" width="320" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
1. Sub-optimal assignment of responsibilities</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
Corporate organisation needs a Business Owner.
</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Identity Management is a <b>management</b> task.</li>
<li>Identity Management means <b>organising</b> the enterprise.</li>
<li>HR could be the natural owner - but often <b>refuses</b>.
</li>
<li>IT has the implementation capabilities but is <b>not mandated</b> to change the organisation.</li>
<li>On the business side methodological and technical <b>knowledge</b> is lacking.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Shift the <b>responsibility</b> to the business side.</li>
<li>Create a new <b>cross functional</b> function (group) to do the job.</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://2.bp.blogspot.com/-1BitaYi4gO4/T0AkJcDfbLI/AAAAAAAAO9M/IeCKQ8_hI3E/s1600/Cross-company+character.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://2.bp.blogspot.com/-1BitaYi4gO4/T0AkJcDfbLI/AAAAAAAAO9M/IeCKQ8_hI3E/s320/Cross-company+character.png" width="320" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
2. Cross-company character</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
IAM-Projects touch multiple corporate functions</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Identity-Management Processes are typically <b>cross-company.</b></li>
<li>There are <b>multiple stakeholders</b> from different corporate levels involved in a project.</li>
<li>You need to expect a 3 to 5 times higher <b>communication complexity</b> compared to "normal" IT-projects.</li>
<li>IAM-Projects show characteristics of typical <b>Change</b> Management Processes.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Strengthen the <b>project management</b>.</li>
<li>Add an extra reserve for <b>communication</b>.</li>
<li>Insist on a <b>power sponsor</b> for your project.</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://2.bp.blogspot.com/-HYaoQYc-NfY/T0AkR5cRkNI/AAAAAAAAO9U/Y7MWn2wC2Bg/s1600/Process+maturity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="http://2.bp.blogspot.com/-HYaoQYc-NfY/T0AkR5cRkNI/AAAAAAAAO9U/Y7MWn2wC2Bg/s320/Process+maturity.png" width="320" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
3. Differing Process maturity</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
There are no islands of order in an ocean of chaos.</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>At higher levels of <b>maturity</b> of the management processes (e.g. according to CMMI) the introduction of IAM processes, rules, roles and policies becomes easier.</li>
<li>You can't implement mature IAM-processes in a low maturity <b>process environment</b>.</li>
<li>E.g. the top-down definition of roles needs defined processes.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Only launch IAM-projects corresponding to the <b>maturity level</b> of the environment.</li>
<li>Occasionally just say "<b>no</b>"!</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://4.bp.blogspot.com/-6vW_tyExUe4/T0AkcAltkMI/AAAAAAAAO9c/Wmex8uu6PfM/s1600/Project+scope.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="http://4.bp.blogspot.com/-6vW_tyExUe4/T0AkcAltkMI/AAAAAAAAO9c/Wmex8uu6PfM/s320/Project+scope.png" width="320" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
4. Wrong Project scope</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
An implementation project cannot reorganise the corporation.</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>An implementation project will have a <b>hard job</b> if it has to reorganise the corporation first.</li>
<li>Process- and Role-Definitions require their own <b>definition projects</b> before or in parallel to the Implementation.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Define <b>separate projects</b> for the Definition of Processes and Roles before or in parallel to the Implementation.</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://2.bp.blogspot.com/-G2VUR-_20ZM/T0AlHbVb0CI/AAAAAAAAO9s/dbNxR6t2VQ4/s1600/market+consolidation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-G2VUR-_20ZM/T0AlHbVb0CI/AAAAAAAAO9s/dbNxR6t2VQ4/s320/market+consolidation.png" width="260" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
5. Adverse effects of the market consolidation</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
Acquired components don't necessarily combine into suites</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Mergers & Acquisitions often lead to less compatible <b>product collections</b>.</li>
<li>The software of acquired companies is often not <b>supported sufficiently</b>.</li>
<li>It may <b>take a long while</b> until components fit together as promised.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Only a Pilot installation under <b>real world conditions</b> leads to the necessary evidence for a product selection.</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://2.bp.blogspot.com/-oKmQny-e87Q/T0AlVkJ2ZLI/AAAAAAAAO90/GtMdP858NVA/s1600/domain+specialists.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-oKmQny-e87Q/T0AlVkJ2ZLI/AAAAAAAAO90/GtMdP858NVA/s320/domain+specialists.png" width="260" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
6. Non-availability of domain knowledge specialists</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
persons with business domain knowledge are rare creatures</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>The availability of specialists with <b>domain knowledge</b> often turns out to be the bottleneck in role and process definitions.</li>
<li>Their involvement is essential for the <b>requirements definition</b> and the QA.</li>
<li>Waiting times (for specialists) are driving the overall <b>effort</b>.</li>
<li>During the project they tend to <b>disappear</b>.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Assign the project responsibility to the <b>business departments</b>.</li>
<li>Consider <b>splitting projects</b> into a business definition part and an implementation part.</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://4.bp.blogspot.com/-D438tNraKX0/T0AlhYzznUI/AAAAAAAAO98/DyUcopSshxk/s1600/vertical+integration.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="http://4.bp.blogspot.com/-D438tNraKX0/T0AlhYzznUI/AAAAAAAAO98/DyUcopSshxk/s320/vertical+integration.png" width="320" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
7. Too deep vertical integration</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
don't try to reinvent the wheel</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Only a fraction of the overall IAM-Processes is really enterprise <b>specific</b>.</li>
<li>The <b>adoption</b> of processes and / or Roles from generic Models may speed up projects. </li>
<li>It is not always a good idea to start with a <b>blank sheet</b> of paper.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Ask your integration partner or consultant for <b>consolidated</b> models containing their experience.</li>
<li>Participate in Standardisation initiatives (like GenericIAM.org).</li>
</ul>
<div class="separator" style="clear: both; font-family: "Trebuchet MS",sans-serif; text-align: center;">
<a href="http://3.bp.blogspot.com/-PSZnHVC25zk/T0Alpux4B-I/AAAAAAAAO-E/EBfWi61IjVQ/s1600/Technical+risks+.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-PSZnHVC25zk/T0Alpux4B-I/AAAAAAAAO-E/EBfWi61IjVQ/s320/Technical+risks+.png" width="213" /></a></div>
<h2 style="font-family: "Trebuchet MS",sans-serif;">
8. Technical risks - they still exist</h2>
<div style="font-family: "Trebuchet MS",sans-serif;">
Technology often is more of marketing than reality</div>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Complexity factors</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>IAM-SW-Suites are <b>complex</b> and often not easy to handle.</li>
<li>Without <b>implementation experience</b> in exactly the required environment, the risk of failure is high.</li>
<li>"Minor" changes of the version number sometimes hide complete <b>new developments</b>.</li>
<li>The support matrix of environment <b>components</b> vs. versions is often only sparsely populated.</li>
<li>Forced replacement of infrastructure components leads to higher <b>effort</b>.</li>
</ul>
<h3 style="font-family: "Trebuchet MS",sans-serif;">
Possible countermeasures</h3>
<ul style="font-family: "Trebuchet MS",sans-serif;">
<li>Always test selected software in a <b>pilot run</b> before deployment.</li>
<li>Only choose integration partners with <b>true product experience</b>.</li>
</ul>
<div style="font-family: "Trebuchet MS",sans-serif;">
<br /></div>
</div>Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-51687085425206906902012-02-09T14:31:00.001+01:002014-09-01T17:36:23.561+02:00apply & approve<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
<div style="font-family: "Trebuchet MS",sans-serif;">
<a href="http://1.bp.blogspot.com/-aWq1EIptlg8/UClrP2meScI/AAAAAAAAR7E/U52iKiSaMaY/s1600/authorisation.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/-aWq1EIptlg8/UClrP2meScI/AAAAAAAAR7E/U52iKiSaMaY/s400/authorisation.png" height="317" width="400" /></span></a><span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
Lately - well, it is some four months ago already - I posted a simple model of the AM maintenance processes. Not covered at that time were the processes which lead to an assignment of roles to persons, or rather their digital identities - the mere act of authorization. <br /> <br />
We still view this world on the essential level (see </span><a href="http://genericiam.blogspot.com/2010/08/modelling-fundamentals.html"><span style="font-family: "Trebuchet MS", sans-serif;">Modeling fundamentals</span></a><span style="font-family: "Trebuchet MS", sans-serif;">). So as long as we just model the essence of systems we (still) need not bother with such non-trivial artifacts as provisioning the business decision to the target systems. Those things will inevitably come later when we will be forced to step down from essential heaven to the cruel & dirty physical world.</span></span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h2>
<span style="font-family: "Trebuchet MS", sans-serif;">
Maintenance of "authorization"</span></h2>
<span style="font-family: "Trebuchet MS", sans-serif;"><span lang="EN-GB" style="font-size: 12pt;">
</span>
</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
Apply - approve - grant or revoke can in principle be understood as the maintenance processes (as in <i><a href="http://genericiam.blogspot.com/2011/09/how-to-find-roles.html">how to find roles</a></i>) for the object "authorization". There may be other designations for this object like "assignment" or "essential account". In order to optimize the communication with your in-house or outside clients you may choose a more suitable name, if you like.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h2>
<span style="font-family: "Trebuchet MS", sans-serif;">
"authorization" as a derived object</span></h2>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
Ok, as a maintenance process we would expect the CRUD crowd again: create - read - update & delete. However, "authorization" is not one of the fundamental objects. In fact it is a derived or relationship object and mostly consists of references to its constructing elements: "identity" and "business role". And this is where the necessity for an approval comes in.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h2>
<span style="font-family: "Trebuchet MS", sans-serif;">
Finding approvers</span></h2>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
Why do we need approvals here and not before, when we considered the fundamental objects? The answer is: because the object "authorization" does not own all of its attributes. Instead it references other objects (identity and business role) and their attributes. As a polite object it should ask for permission before doing so.<br /> <br />
So, the rule we like to follow here is: "if one of the attributes of an object represents a reference to another object, that object’s owner has to consent to its use." So on one side the object is the identity: its "owner" is its superior.<br /> <br />
On the other side of the equation there is the <i>business role</i>. Having a closer look at it however reveals that the business role itself represents a relationship. So we have to go even further. The "business role" is the intersection of the privilege determining dimensions. These dimensions are first of all the "functional role" and second all those which are subsumed under "constraints". These depend on the organization in focus, e.g. region, organizational unit, customer group, contract type. As an example we determine the permissions of a contract administrator in the US, in the headquarters, for wholesale customers if he is a fixed term employee. So the "business role" primarily consists of references to the "functional role", the various "constraints" and the assigned "permissions".<br /> <br />
"<i>Every object has an owner</i>" I once (2010-08-17: </span><a href="http://genericiam.blogspot.com/2010/08/objects-subjects-actions.html"><span style="font-family: "Trebuchet MS", sans-serif;">objects, subjects & actions</span></a><span style="font-family: "Trebuchet MS", sans-serif;">) stated in my BLOG. And I went on to say that owners are prime candidates for actors to act on their objects. At least when it comes to the approval of requests to access objects, it is up to the owners to decide (unless they delegate it to clerks).</span></span></div>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-size: 12pt;"><br /><span style="font-family: "Trebuchet MS", sans-serif;">
Who now are the owners to ask for their approval? For the "functional role" as well as for the various "constraints" it should be a "business architect" or - even better - a "process owner". For the set of "permissions" an owner of the "information object" should be defined. Often this position is known as the "data owner".<br /> <br />
So these are the authorities to approve the formation of a business role. As the "business role" per se is neither sensitive nor does it contain much substantial information but rather references to other objects, its use may be pre-approved by policy. The same is true for two of its referenced objects: "functional role" and "constraint".<br /> <br />
But for the "Information objects" things are different. Information objects always need some level of protection. They may be classified according to their level of sensitivity (determined separately in the categories <i>authenticity</i>, <i>availability</i>, <i>confidentiality </i>and <i>integrity</i>) into levels like <i>low</i>, <i>medium</i>, <i>high</i> and <i> very high</i>.<br /> <br />
Whereas in cases of low protection needs access to the resources may be pre-approved via policy, information objects attributed with high protection needs require the case-by-case approval of the owner (or his delegate).<br /> <br />
So at the end of this long story it turns out that there will be two approvers during privilege assignment to a digital identity: the superior and the information owner.</span></span><br />
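<div style="font-family: "Trebuchet MS",sans-serif;">
The approver rule of the preceding paragraphs worked through in code (an added example, not code from the GenericIAM blog): the derived object "authorization" only references an identity and a business role, so its approvers are the identity's superior plus the owner, or named delegate, of every referenced information object whose protection need exceeds what policy pre-approves. The class names, the threshold (only "low" is pre-approved) and the sample contract administrator data are assumptions of this example.</div>

```python
"""Who has to approve an "authorization" (identity x business role)?

Added example, not code from the GenericIAM blog.  The objects, the four
classification categories and the two approvers (superior, information owner)
follow the post; class names, the pre-approval threshold (only "low" is
pre-approved by policy) and all sample data are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protection levels named in the post, weakest to strongest.
LEVELS = {"low": 0, "medium": 1, "high": 2, "very high": 3}
CATEGORIES = ("authenticity", "availability", "confidentiality", "integrity")

# Assumption: policy pre-approves access only to objects with "low" needs.
POLICY_PREAPPROVED_MAX = LEVELS["low"]


@dataclass
class Identity:
    name: str
    superior: str                      # owner of the "identity" object


@dataclass
class InformationObject:
    name: str
    owner: str                         # the "data owner"
    classification: Dict[str, str]     # category -> level
    delegate: Optional[str] = None     # may approve on the owner's behalf

    def protection_need(self) -> int:
        """Highest level over the four categories; missing ones count as low."""
        return max(LEVELS[self.classification.get(c, "low")] for c in CATEGORIES)

    def approver(self) -> str:
        return self.delegate or self.owner


@dataclass
class BusinessRole:
    """Intersection of a functional role and constraints, plus permissions.
    Functional role and constraints are pre-approved by policy in the post,
    so only their names are kept here."""
    name: str
    functional_role: str
    constraints: Tuple[str, ...]
    permissions: Tuple[InformationObject, ...]


@dataclass
class Authorization:
    """Derived object: nothing but references to identity and business role."""
    identity: Identity
    role: BusinessRole


def required_approvers(auth: Authorization) -> dict:
    """Return {"approvers": {person: [reasons]}, "preapproved_by_policy": [...]}.

    The identity's superior always approves.  Each referenced information
    object is pre-approved only up to POLICY_PREAPPROVED_MAX; above that its
    owner, or the delegate if one is named, must approve case by case.
    """
    approvers: Dict[str, List[str]] = {
        auth.identity.superior: ["superior of " + auth.identity.name]}
    preapproved: List[str] = []
    for obj in auth.role.permissions:
        if obj.protection_need() <= POLICY_PREAPPROVED_MAX:
            preapproved.append(obj.name)
        else:
            approvers.setdefault(obj.approver(), []).append("owner of " + obj.name)
    return {"approvers": approvers, "preapproved_by_policy": preapproved}


def sample_authorization() -> Authorization:
    """Constructed sample: the contract administrator from the post."""
    contracts = InformationObject("customer contracts", "c.brown",
                                  {"confidentiality": "high", "integrity": "medium"})
    price_list = InformationObject("public price list", "d.lee",
                                   {"availability": "low"})
    salaries = InformationObject("salary data", "c.brown",
                                 {"confidentiality": "very high"}, delegate="e.wong")
    role = BusinessRole("contract administrator (US, HQ, wholesale, fixed term)",
                        functional_role="contract administrator",
                        constraints=("region=US", "org_unit=HQ",
                                     "customer_group=wholesale",
                                     "contract_type=fixed term"),
                        permissions=(contracts, price_list, salaries))
    return Authorization(Identity("j.doe", superior="a.smith"), role)


if __name__ == "__main__":
    result = required_approvers(sample_authorization())
    for person, reasons in result["approvers"].items():
        print(f"{person}: {', '.join(reasons)}")
    print("pre-approved by policy:", result["preapproved_by_policy"])
```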
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h2>
<span style="font-family: "Trebuchet MS", sans-serif;">
Process variations</span></h2>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
There are several processes for granting authorization found to be in use. <br />
</span><br />
<ol><span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Grant authorization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Withdraw authorization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Deactivate authorization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Reactivate authorization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Instantaneous withdraw authorization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Change of position</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Deploy temporarily</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ol>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
The most common are grant and revoke (withdraw). But as an authorization should be granted with an end-date of its validity set at approval time, the reverse action can be done as well: deactivate an authorization for a given period of time (e.g. planned absence). A reactivation process then handles the case where the deactivation period is meant to end ahead of schedule. Temporary deployments offer more complex cases (enough to fill a BLOG post of their own) as usually no clear cut can be made.<br /> <br />
A process which appears quite often is something like "Instantaneously withdraw authorization". However, in an essential model (remember, we have perfect technology!) it simply collapses into "Withdraw authorization". Only if technical restrictions make it necessary to be a bit faster than in the standard process is a separate (physical) process justified.<br /> <br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;"><a href="http://4.bp.blogspot.com/-dODzTlPmp9k/TzPJhC_WtzI/AAAAAAAAO40/2PLt6-FL3V0/s1600/image002.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://4.bp.blogspot.com/-dODzTlPmp9k/TzPJhC_WtzI/AAAAAAAAO40/2PLt6-FL3V0/s1600/image002.png" /></a></span></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
But what to do if an individual changes position within a corporation? This process is often explained as a combination of a preceding revocation followed by a subsequent assignment of new privileges (grant). But this picture does not seem to reflect reality properly. Quite often there is the necessity of an overlap of privileges of the old position and those for the new position - unless they are in conflict with each other. So the change process still may be a combination of revoke and grant - but rather running in parallel instead of being executed sequentially. However, as an invariant to the parallel execution of both (sub-) processes the integrity (e.g. being free of SoD conflicts) needs to be checked after each step in the out-phasing of the old and in-phasing of the new position’s roles.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h2>
<span style="font-family: "Trebuchet MS", sans-serif;">
Triggering events</span></h2>
</div>
</div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
And what are the triggering events? Well, in general processes are triggered by one of the following events.</span><br />
<ol><span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">created by an subject,</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">triggered by time,</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">fired by embedding business processes,</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">fired by state transitions.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ol>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
The 4<sup>th</sup> one can be debated, as it can be argued, that a state transition only occurs in embedding processes.<br /><br />
</span><br />
<h2>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
Process composition: grant authorization</span></h2>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
"Grant authorization" can be imagined as being composed of the following activities:<br />
</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span lang="EN-GB" style="font-size: 12pt;"><a href="http://4.bp.blogspot.com/-pKw1g3TXJVE/TzPI7ylVWVI/AAAAAAAAO4s/YsOZk_dGbfk/s1600/apply_approve.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-pKw1g3TXJVE/TzPI7ylVWVI/AAAAAAAAO4s/YsOZk_dGbfk/s320/apply_approve.png" height="156" width="320" /></span></a></span></div>
<span lang="EN-GB" style="font-size: 12pt;">
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><ol><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;"><b>apply</b></span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><ol><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;"><i><b>Select identity</b></i><br />Usually either the applicant himself or one of his subordinates.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;"><i><b>Select business role(s)</b></i><br />1<sup>st</sup> the functional roles should be selected, 2<sup>nd </sup>constraints should be assigned (based on rules) and / or selected. Rules may restrict the focus of the selectable roles.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;"><i><b>Check Validity</b></i><br />Validity is an invariant - it should be checked during each change - even when withdrawing roles. If rules are violated the choice could be disabled (strict rules) or an alert could be raised to allow for branching into a resolving (sub-) process. SoD rules for example can be imposed as a strong recommendation ("to be separated <i>in general</i>"), as a mandatory requirement or even with special emphasis ("to be separated up to the C-level"). At least in case of a mandatory SoD conflict a compensating control can be implemented to restore validity. But getting compensating controls approved may be a lengthy process, returning a "go" / "no go" only after some days - during which the application will be pending. When withdrawing roles an implemented compensating control may no longer be necessary. That’s why the validity check should be invoked in this case too. So "check validity" may look innocent. Nevertheless it introduces the bulk of organizational complexity to this activity.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></ol>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><b><span style="font-family: "Trebuchet MS", sans-serif;">approve</span></b></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><ol><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Usually the choice which has been made has to be approved.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">It is possible however to pre-approve it via a policy, if appropriate. </span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Typical approvers are the <i>superior</i> of the identity (for contractors this may be the contracting counterparty) and the <i>information object owner</i>.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">If an unresolvable SoD conflict leads to compensating controls, more approvers can be involved.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Usually a time limit is set after which an escalation is triggered.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The approver has to name a deputy in case he is unable to perform the task himself.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></ol>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></ol>
<span style="font-family: "Trebuchet MS", sans-serif;">
Well, that's certainly not all. It is just one important process. But it is enough for today. More to be seen here soon.</span></span><span style="font-family: "Trebuchet MS", sans-serif;">
</span></div>
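<div style="font-family: "Trebuchet MS",sans-serif;">
The validity invariant from the "Check Validity" activity and the parallel revoke/grant of a change of position, as an added Python example (not code from the GenericIAM blog): SoD rules of the three strengths named above are evaluated after every step, compensating controls cover mandatory conflicts only, and the position change revokes only those old roles that would conflict with an incoming new role. The effect given to each strength, the role names and the rules are assumptions of this example.</div>

```python
"""Validity as an invariant: SoD re-checked after every step of a position change.

Added example, not code from the GenericIAM blog.  The three SoD strengths
(recommendation, mandatory, separated up to the C-level), compensating controls
and the parallel revoke/grant of a position change follow the post; the effect
given to each strength and all sample roles and rules are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Assumed effect of the three strengths named in the post:
#   RECOMMENDATION -> allowed, reported as a warning only
#   MANDATORY      -> violation unless a compensating control covers the pair
#   C_LEVEL        -> violation; no compensating control is accepted
RECOMMENDATION, MANDATORY, C_LEVEL = "recommendation", "mandatory", "c_level"


@dataclass(frozen=True)
class SodRule:
    left: str
    right: str
    strength: str

    def pair(self) -> FrozenSet[str]:
        return frozenset((self.left, self.right))


@dataclass
class Finding:
    pair: FrozenSet[str]
    strength: str
    violation: bool            # False for warnings and compensated conflicts


# Constructed sample rules for a move from accounts payable to treasury.
SAMPLE_RULES = [SodRule("invoice_entry", "payment_release", MANDATORY),
                SodRule("vendor_master", "payment_release", C_LEVEL),
                SodRule("vendor_master", "reporting", RECOMMENDATION)]


def check_validity(roles: Iterable[str], rules: List[SodRule],
                   controls: Set[FrozenSet[str]]) -> List[Finding]:
    """Evaluate every SoD rule against the assigned roles; `controls` holds the
    role pairs for which a compensating control has been approved."""
    assigned, findings = set(roles), []
    for rule in rules:
        if not rule.pair() <= assigned:
            continue
        if rule.strength == RECOMMENDATION:
            findings.append(Finding(rule.pair(), rule.strength, violation=False))
        elif rule.strength == MANDATORY:
            findings.append(Finding(rule.pair(), rule.strength,
                                    violation=rule.pair() not in controls))
        else:
            findings.append(Finding(rule.pair(), rule.strength, violation=True))
    return findings


def is_valid(roles, rules, controls) -> bool:
    return not any(f.violation for f in check_validity(roles, rules, controls))


def obsolete_controls(roles: Iterable[str], controls: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Controls whose role pair is no longer fully assigned (e.g. after a
    withdrawal); the post notes these may no longer be necessary."""
    assigned = set(roles)
    return {c for c in controls if not c <= assigned}


def change_position(current, old_roles, new_roles, rules, controls):
    """Phase the new position in while phasing the old one out.  Old and new
    roles may overlap, except where a pair breaks validity: then the conflicting
    old role is revoked before the new role is granted.  Validity is re-checked
    after every step; a step that would break it raises so the caller can branch
    into a resolving (sub-)process.  Returns (sorted final roles, step log)."""
    roles, log = set(current), []

    def step(action: str, role: str) -> None:
        (roles.add if action == "grant" else roles.discard)(role)
        if not is_valid(roles, rules, controls):
            raise ValueError(f"validity broken after {action} {role}")
        log.append((action, role))

    for new in new_roles:
        if new in roles:
            continue
        for old in old_roles:      # revoke only the old roles conflicting with `new`
            if old in roles and not is_valid({old, new}, rules, controls):
                step("revoke", old)
        step("grant", new)
    for old in old_roles:          # phase out whatever remains of the old position
        if old in roles and old not in new_roles:
            step("revoke", old)
    return sorted(roles), log


def demo():
    """Run the constructed scenario with and without a compensating control."""
    old, new = ["invoice_entry", "vendor_master"], ["payment_release", "reporting"]
    without_control = change_position(old, old, new, SAMPLE_RULES, set())
    control = {frozenset(("invoice_entry", "payment_release"))}
    with_control = change_position(old, old, new, SAMPLE_RULES, control)
    return without_control, with_control, obsolete_controls(with_control[0], control)


if __name__ == "__main__":
    for label, (roles, log) in zip(("no control", "with control"), demo()[:2]):
        print(f"{label}: {log} -> {roles}")
```

Without the control the old roles must be revoked before the conflicting new one is granted; with it the overlap is allowed, and the control itself becomes obsolete once the old role is withdrawn.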
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-19564146968014291682011-09-18T12:05:00.000+02:002014-03-13T14:06:44.858+01:00How to find roles<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span><a href="http://www.blogger.com/blogger.g?blogID=1261371701213231895" name="4591586591300943316"></a><span style="font-family: "Trebuchet MS", sans-serif;">Not, many of you may have read this Blog post before </span><a href="http://www.si-g.de/HTML/2007-06-30_Roles_are_the_organisation.htm"><i><span style="font-family: "Trebuchet MS", sans-serif;">here</span></i></a><span style="font-family: "Trebuchet MS", sans-serif;">, posted at Sat. June 30<sup>th</sup> to the </span><a href="http://genericiam.blogspot.com/"><u><span style="font-family: "Trebuchet MS", sans-serif;">GenericIAM Blog</span></u></a><span style="font-family: "Trebuchet MS", sans-serif;">. Here I made the statement that "<i>Roles are the organization</i>". You may read through this short contribution before you go on listening to me.
<br /><br />
And please always feel free to come up with a different opinion or with some critique as did </span><a href="http://webcache.googleusercontent.com/search?q=cache:39Z8NEjv4skJ:blog.melholloway.com/%3Fp%3D23+mel+holloway+blog+roles+are+the+organisation"><i><span style="font-family: "Trebuchet MS", sans-serif;">one BLOG author</span></i></a><span style="font-family: "Trebuchet MS", sans-serif;"> - who unfortunately did not completely get the point.<br />
<br />
Well, maybe I overstated my point there. More will be necessary to describe how an organization is expressed in roles.</span></span></div>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">What are roles?</span></h3>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">When we talk about roles they are most commonly understood as <b>functional roles</b>. That means bundled corporate functions. So if you have a functional enterprise model (as opposed to an object oriented one) at hand, you may just select the appropriate functions, add them the functional role and give it a meaningful name. Yes, that's all.<br />
<br />
Will it be enough to use these roles for granting access? Remember this is the idea behind Role Based Access Control (RBAC) after all. No, it will not.<br />
<br />
But how do we get there? Ok, let's take a step back and consider the organization and all the objects around there and see what we can collect to finally have all determining information at hand to define privileges.</span></div>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">What is the organization?</span></h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; font-family: "Trebuchet MS",sans-serif; margin-left: 1em; text-align: right;"><tbody>
<tr><td><a href="http://1.bp.blogspot.com/-I6RGMBEvpHQ/TnXKSQoe9YI/AAAAAAAANm0/trynTtYBlhw/s1600/processes.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/-I6RGMBEvpHQ/TnXKSQoe9YI/AAAAAAAANm0/trynTtYBlhw/s320/processes.png" height="320" width="318" /></span></a></td></tr>
<tr><td class="tr-caption"><span style="font-family: "Trebuchet MS", sans-serif;">Figure 1: Roles link process to resources</span></td></tr>
</tbody></table>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Processes - Roles - Rules - they express the abstract Organization. They form a generic template not yet populated with real people and still without individual customers, contracts and obligations. So we are on the class level still - not yet their physical incarnation. As mentioned - it's the abstract organization.<br />
<br />
So let's follow a top-down modelling approach:</span></div>
<ul style="font-family: "Trebuchet MS",sans-serif;"><span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Business processes express the organization's dynamic behavior. Often they are the starting point. They are best understood and perceived as being the essence of the corporation - something to excel or to fail in.<br />
</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Processes themselves are made up of elementary actions which can be understood as some atomic activity - what one <u>person </u>does at a <u>time </u>in one <u>location</u>.<br />
</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">These actions are performed by someone - not yet individual persons but on class level roles instead. So here they come into play - the roles, functional roles still.<br />
</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">To be able to perform the singular actions these functional roles need appropriate access to resources. The functions are bound to resources. They are being "localized".<br />
</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Constraints drive this localization. They further restrict the roles' access to certain subclasses in order to reflect the real world's needs. Those constraints express the privilege-determining information dimensions such as organizational unit, region, contract type, customer group and more. The resulting "business role" finally is the one which can be used for access control, as it defines the intended privileges - still in business terms.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
So processes and roles can't be modeled independently of each other without the model being incomplete. Only by taking constraints into account does the model become sufficiently determined to derive privileges for information object access from functional roles.
<br />
This picture, in my opinion, is more straightforward and easier to comprehend than the so-called Stanford model:<br />
</span></div>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-family: "Trebuchet MS",sans-serif; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="http://2.bp.blogspot.com/-v3P3BKv6UdM/TnXB18o6JXI/AAAAAAAANmo/COh1Ev5ldaI/s1600/stanfordmodel.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-v3P3BKv6UdM/TnXB18o6JXI/AAAAAAAANmo/COh1Ev5ldaI/s320/stanfordmodel.jpg" height="234" width="320" /></span></a></td></tr>
<tr><td class="tr-caption"><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: x-small;">Figure 2: Stanford model enterprise and system abstractions. McRae, R., The Stanford Model for Access Control Administration, Stanford, University, 2000 (unpublished but cited by Ferraiolo, D., and R. Kuhn).</span></td></tr>
</tbody></table>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
Obviously role finding requires good and - even more important - explicitly documented knowledge of the business domain (best expressed in a formal enterprise model), some experience in related business modelling areas and a sound portion of intuition.<br />
<br />
While existing, defined and documented business processes are an excellent starting point for successful role engineering, they still don't represent the most fundamental core objects of a corporation. Even more fundamental to an organization are the essential persistent (non-transient) objects:
<br />
</span></div>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-4YIdJDZuKDA/UCo6SE5cRzI/AAAAAAAAR7U/q-FHwKafCGU/s1600/static_objects.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/-4YIdJDZuKDA/UCo6SE5cRzI/AAAAAAAAR7U/q-FHwKafCGU/s320/static_objects.png" height="256" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The static IAM objects</span></td></tr>
</tbody></table>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">
The static IAM-Objects</span></h3>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">The anchor point is the <i>business role</i> - OK, but let's start at the beginning - always a good idea. In this chapter I might reiterate ideas of earlier postings. However - as insight has progressed - my explanations may get a slightly different flavor than before. In case you feel bored, just skip this chapter. But be warned - as virginal ideas are rare in general - you might encounter the usual suspects.<br />
</span></div>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><table style="font-family: "Trebuchet MS",sans-serif; font-size: 12pt;"><tbody>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-LyfsfYLefi8/UCo6jo7MurI/AAAAAAAAR7c/4OaGxDYDAXM/s1600/identity.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-LyfsfYLefi8/UCo6jo7MurI/AAAAAAAAR7c/4OaGxDYDAXM/s200/identity.png" height="160" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The identity</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Identity</i></b>: the digital identity is the digital representation of the individual which has a defined relationship to the corporation. It is stored and maintained as long as the interest in this relationship lasts and no legal or regulatory requirements restrict its use.</span></td></tr>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-_pELzLCXjFg/UCo612DbbCI/AAAAAAAAR7k/riTKsESo3SM/s1600/functional_role.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-_pELzLCXjFg/UCo612DbbCI/AAAAAAAAR7k/riTKsESo3SM/s200/functional_role.png" height="160" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The functional role</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Functional role</i></b>: a bundle made up of business functions as defined in a functional enterprise model, which represents the tasks that have to be performed. So the functional role just specifies functions to be performed. The <i>functional role</i> can be understood as a projection onto the enterprise model. In case the enterprise model is purely functional (in contrast to object oriented), the <i>functional role</i> just lists corporate functions. It doesn't contain any hints on how to grant access to information objects or applications. Even more, only in special cases will you be able to derive the affected information objects they are acting on from the role's name. Note: This applies if you have a functional enterprise model at hand, which is most commonly the case. The situation might look slightly different if an object oriented (i.e. class based) enterprise model is available.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"> </span></td></tr>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-eY9mJAKRCwc/UCo6-zgs48I/AAAAAAAAR7s/0nDCUVmkEvw/s1600/contraint.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-eY9mJAKRCwc/UCo6-zgs48I/AAAAAAAAR7s/0nDCUVmkEvw/s200/contraint.png" height="160" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The constraint</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Constraint</i></b>: constraints narrow the focus of a <i>functional role</i>. Well known examples are defined <i>authorisation levels</i>, which limit transactions by a maximum value (<i>value authorisation</i>) or limit the scope of activity to certain organisational units or regions (<i>structural authorisation</i>). <i>Value authorisations</i> in turn can be further split into direct and indirect <i>value authorisations</i>. For example the permission to close contracts or to grant discounts up to a certain (direct) limit can be expressed as an amount of money. On the other hand there can also be maximum values defined for parameters (maximal validity period, or maximum mileage - both of a leasing contract) which can be converted to an amount of money only after some form of transformation (indirect). Furthermore it is rather common that the contract type (employee, contractor, interim manager …) leads to further restrictions of a role's full privileges. More types of <i>constraints</i> are possible, of course, and more discussion on this object is necessary, I fear.</span></td></tr>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-RJVUb8bChrI/UCo7THg8wOI/AAAAAAAAR70/jDf7--semYo/s1600/permission.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-RJVUb8bChrI/UCo7THg8wOI/AAAAAAAAR70/jDf7--semYo/s200/permission.png" height="160" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The permission</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Permission</i></b>: The elementary object of access management is the elementary privilege (<i>permission</i>). According to the RBAC standard it is defined as an <i>operation</i> on <i>objects</i>. In case the privileges cannot be defined via access to information objects, privileges can alternatively be defined as access to systems.</span></td></tr>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrxZuaGpFaNfUnJQCwNvraFEth3MExWfKiIHoQLNydxgzjee-7ac8txnY6fsJDFR7eUlacuWvxCeqecr2tROVAR5NOs6O1HofPNyVxWaXE_TZ30pIJNXHFj56WyZoENbkmgTon2AZu7s8/s1600/business_role.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrxZuaGpFaNfUnJQCwNvraFEth3MExWfKiIHoQLNydxgzjee-7ac8txnY6fsJDFR7eUlacuWvxCeqecr2tROVAR5NOs6O1HofPNyVxWaXE_TZ30pIJNXHFj56WyZoENbkmgTon2AZu7s8/s200/business_role.png" height="160" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The business role</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Business role</i></b>: In this model the <i>business role</i> is the central structuring element. <span lang="EN-GB" style="font-size: 12pt;">It expresses all information necessary for the (technical) privilege assignment on business level.</span> But you could also call it the localized role. By the introduction of the <i>business role</i> the purely functionally defined <i>functional roles</i> are finally bound to specific information objects (or alternatively systems). This can be done by linking directly to elementary permissions. (In some cases, when applications or systems already offer some kind of roles, the business role may link to these '<i>system roles</i>'. But their introduction needs its own discussion.) Here the <i>constraints</i> unfold their restricting effect. If you manage to bind the information objects strictly rule-driven to the <i>functional roles</i>, you may not need to store the <i>business roles</i>. In this (lucky) case they can be considered purely virtual (transient) objects. In most - real world - cases however we have to consider them as static (persistent) objects. You may imagine the business role as a triple of keys - and not much more: the key of the functional role it points to, the key of the constraint, if there is any, and finally the key of the permission which is used.</span></td></tr>
<tr><td><span style="font-family: "Trebuchet MS", sans-serif;">
</span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-PtPMHpvUsIk/UCo7rCNAL5I/AAAAAAAAR8E/GEi8NgHHjp8/s1600/authorisation.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://3.bp.blogspot.com/-PtPMHpvUsIk/UCo7rCNAL5I/AAAAAAAAR8E/GEi8NgHHjp8/s200/authorisation.png" height="158" width="200" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">The authorisation</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
</td><td><span style="font-family: "Trebuchet MS", sans-serif;"><b><i>Authorization</i></b>: when the <i>business role</i> is assigned to a digital identity, the <i>object authorization</i> is created. By this assignment the very act of role based privilege assignment is done. In reality the identity is assigned several business roles to define the planned information object use. All access information is stored in one or more <i>authorization</i> objects per identity, representing the total use of all relevant information objects. Note: In this context the object <i>authorization</i> is often called <i>user</i>. But what is meant is not the using person but the relation expressing the use.</span></td></tr>
</tbody></table>
<h3 style="font-family: "Trebuchet MS",sans-serif; text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">
Processes of model maintenance</span></h3>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Those were the fundamental objects (again). But how do we get hold of the strange animals called roles now? Well, if you are asking for processes, I finally have to deliver processes. Let's not forget: this is what GenericIAM is about, generic processes of identity & access management.</span></div>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;"><br />
So which processes do we need at first? Model maintenance means the maintenance of all of its objects. So we obviously may expect …<br />
</span></div>
<ul type="disc"><span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Maintain functional role,</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Maintain constraint,</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Maintain permission and</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Maintain <span lang="EN-GB" style="font-size: 12pt;"><i>business </i></span>role.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">
Maintain functional role:</span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Due to the high overlap with job descriptions, the <i>functional roles</i> can be considered as the natural starting point for a role based privilege assignment.<br />
<br />
If requirements for separations of duties (SoD) are defined, <i>functional roles</i> are the appropriate object to check for violations as separations of duties are defined purely functionally as well. If the SoD conflicts cannot be resolved otherwise the implementation of mitigating actions (aka compensating controls) might become necessary. This SoD check becomes necessary when <i>functional roles</i> are either edited or combined.<br />
<br />
The process of <i>functional role</i> maintenance is triggered by the initial creation of new tasks or change of existing ones, e.g. caused by changes of business processes. In these cases creations or changes of <i>functional roles</i> might become necessary.<br />
<br />
The owner of this process should be some kind of business architect. To model <i>functional roles</i> he clarifies which tasks within a business process are planned. By following along its elementary activities (what <u>a</u> person does in <u>one step</u> at <u>one</u> location) he lists the functions according to the enterprise model that are necessary to run this activity.<br />
<br />
If SoD obligations have to be met, the resulting <i>functional roles</i> have to be checked for segregation of duties conflicts. If present, such conflicts can either be removed by remodeling or their inherent risk reduced by implementing compensating controls.</span><br />
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Maintain constraint:</span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
Constraints are used to further restrict the functions acquired via the assignment of a functional role. The definition of <i>constraints</i> is a risk mitigating measure, which can be implemented in addition or as an alternative to other controls (four eyes principle, separation of duties …) in order to function as a "compensating control".
<br />
The process can be invoked by "<i>maintain functional role</i>" as it narrows that role's focus. It should be owned by the business architect mentioned above as well.
<br />
The necessity for the definition of constraints originates in the business departments, risk management or - if appointed - a business architect. Together they determine the scope limitation or the maximum authorization level.</span><br />
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Maintain business role</span></h3>
<span style="font-family: "Trebuchet MS", sans-serif;"><span lang="EN-GB" style="font-size: 12pt;">
As mentioned above, in this model the <i>business role</i> is the central element of access management. By assigning a <i>business role</i> to a person's <i>digital identity</i> they are granted their privileges. This assignment is stored in the <i>authorization</i> object. The <i>business role</i> is therefore the static projection of the <i>functional role</i> onto certain information objects while applying some <i>constraints</i>.<br />
<br />
In a <strong>1<sup>st</sup> step</strong> a functional role is created as an empty container. It is given a meaningful name expressing the purpose of this role. Alternatively an existing functional role is selected from the enterprise's pool of functional roles.<br />
<br />
In a <strong>2<sup>nd</sup> step</strong> corporate functions taken from a functional enterprise model are assigned to the functional roles. Note: in order to comply with the <b><i>principle of least privilege</i></b> (PoLP) only a minimum set of corporate functions should be selected in this step. Obviously for this purpose the functional enterprise model needs to be sufficiently fine-grained. If necessary at this stage you may want to change functional roles or create new ones (maintain functional role).<br />
<br />
In a <strong>3<sup>rd</sup> step</strong> the constraints are applied to the <i>business roles</i>. This action obviously increases their number. A check for violations of segregation of duties requirements may be appropriate here as well.<br />
<br />
In a <strong>4<sup>th</sup> step</strong> <i>permissions</i> are assigned to the <i>business roles</i>. Obviously here the respective information owners need to get involved. Remember: <i>permissions</i> are defined as <i>operations</i> on information <i>objects</i>. In cases where no information objects are defined but systems or applications are in place instead, you may need to consider <i>permissions</i> as 'operations on applications'. If necessary those permissions need to be changed or created (using the process "maintain <i>permission</i>").<br />
<br />
The <i>business role</i> can still be understood on the business level. Not surprisingly we suggest the business architect again as the appropriate owner. He will not be able to do this job alone. He might need the support of the information object owner / application or system architect.</span></span><br />
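<p>The static objects and the two maintenance processes above, as an added worked example in Python that is not part of the original post and not GenericIAM code: it models the business role as the triple of keys described, runs the SoD check of "maintain functional role" (a documented compensating control is the only way past a conflict), builds business roles per constraint and permission as in steps 3 and 4, and decides a request against the resulting authorisation object. All function names, SoD rules, permissions and constraint values are constructed for illustration; the check on the combined functional roles of one identity generalises the text's remark that SoD applies when functional roles are combined.</p>

```python
"""Toy model of the static IAM objects (identity, functional role, constraint,
permission, business role, authorisation) and of the maintenance processes
"maintain functional role" (SoD check) and "maintain business role" (steps 1-4).
Added example, not GenericIAM code: every function name, SoD rule and
permission below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    """Elementary privilege per the RBAC standard: an operation on an object."""
    operation: str
    obj: str

@dataclass(frozen=True)
class Constraint:
    """Narrows a functional role: structural scope and/or a direct value limit."""
    key: str
    org_unit: Optional[str] = None      # structural authorisation
    max_value: Optional[float] = None   # direct value authorisation

@dataclass(frozen=True)
class FunctionalRole:
    """Bundle of corporate functions from the functional enterprise model."""
    key: str
    functions: frozenset

@dataclass(frozen=True)
class BusinessRole:
    """The triple of keys: functional role, constraint (may be None), permission."""
    functional_role: str
    constraint: Optional[Constraint]
    permission: Permission

# Constructed SoD rules: pairs of functions that one role must not combine.
SOD_RULES = frozenset({
    frozenset({"contract.create", "contract.approve"}),
    frozenset({"payment.enter", "payment.release"}),
})

def sod_conflicts(functions, rules=SOD_RULES):
    """Return the SoD rules that are fully contained in the given function set."""
    functions = frozenset(functions)
    return {rule for rule in rules if rule <= functions}

def maintain_functional_role(key, functions, compensating_controls=frozenset()):
    """Steps 1 and 2: create the container and assign a minimal function set.
    Refuses the role unless every SoD conflict is covered by a documented
    compensating control (given as the set of mitigated SoD rules)."""
    role = FunctionalRole(key, frozenset(functions))
    unmitigated = sod_conflicts(role.functions) - frozenset(compensating_controls)
    if unmitigated:
        raise ValueError(f"{key}: unmitigated SoD conflict(s) "
                         f"{sorted(sorted(r) for r in unmitigated)}")
    return role

def build_business_roles(role, constraints, function_permissions):
    """Steps 3 and 4: localise the functional role by each constraint, then bind
    the permissions the information owners chose per function.  With n
    constraints the number of business roles multiplies by n (by 1 if none)."""
    localisations = list(constraints) or [None]
    return {
        BusinessRole(role.key, c, perm)
        for c in localisations
        for fn in sorted(role.functions)
        for perm in function_permissions.get(fn, ())
    }

def authorise(authorisations, identity, business_roles):
    """Assigning business roles to an identity creates (or extends) its
    authorisation object: identity -> set of business roles."""
    authorisations.setdefault(identity, set()).update(business_roles)
    return authorisations[identity]

def is_permitted(authorisations, identity, operation, obj, org_unit=None, value=None):
    """Decide a request against the identity's authorisation object, honouring
    the constraint carried by each business role (None means unconstrained)."""
    wanted = Permission(operation, obj)
    for br in authorisations.get(identity, ()):
        if br.permission != wanted:
            continue
        c = br.constraint
        if c is None:
            return True
        if c.org_unit is not None and c.org_unit != org_unit:
            continue
        if c.max_value is not None and (value is None or value > c.max_value):
            continue
        return True
    return False

def identity_sod_conflicts(authorisations, identity, roles_by_key):
    """SoD must also hold when functional roles are combined on one identity."""
    held = set()
    for br in authorisations.get(identity, ()):
        held |= roles_by_key[br.functional_role].functions
    return sod_conflicts(held)
```

<p>The constraint is evaluated at decision time rather than baked into the permission, so the permission catalogue offered by the target systems stays untouched while the number of business roles multiplies with the number of localisations, which is exactly the growth step 3 warns about.</p>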
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Maintain permission:
</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">What about the <i>permission</i>? Doesn't it need to be maintained as well? Yes it does. However most often this is done in a different system: in the target systems rather than in a central AM system. While modeling these processes on the essential level, however, we need not deal with these system boundaries.<br />
<br />
Of course, deciding which of the possible permissions are exposed to the business oriented role modelers is a business decision. On the other hand only those permissions can be exposed which are offered by the underlying systems. Clearly this is the domain of the information object owner / application or system architect.<br />
<br />
Moreover, in those cases where the underlying systems offer their own role models, and especially where roles on system level are already in use by an implemented access management, application or system roles can be squeezed in between the permission on the bottom level and the </span></span><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;"><i>business role</i> in the center. As in the essential model there is no reason for the introduction of an application role, some extra discussion will be required in order to find a set of rules for crafting good application roles - but elsewhere.</span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Applying and granting</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
Those were just the (simple) processes of model maintenance. Perhaps I should provide an online tool prototype to demonstrate how it may work in reality. Still missing are the processes which lead to an assignment of roles to persons, or rather to their digital identities. Granting access to information objects by assigning roles to individuals is not trivial, as more often than not it involves some carefully crafted workflow. These processes are not yet covered here. They will follow in my next post. So please stay tuned.
</span></span><span style="font-family: "Trebuchet MS", sans-serif;">
</span><br />
<div style="font-family: "Trebuchet MS",sans-serif;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span></div>
<strong></strong></div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-49417942801268744532011-06-21T10:36:00.013+02:002014-03-13T15:11:09.736+01:00essential IM processes<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">If we restrict our considerations to essential processes (see <a href="http://genericiam.blogspot.com/2010/08/modelling-fundamentals.html"><i>Modelling fundamentals</i></a>) there are mainly the identity maintenance processes to be taken into account. Only when we (later) extend our view to the physical implementation do processes like provisioning, reconfirmation (re-certification), format transformation, reconciliation among different data storages and the like come into play.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">The first and most fundamental object to be considered is of course the <i>digital identity</i> or just <i>identity</i>. Under the assumption that the organisation and an individual's contract relationship with the organisation are modelled elsewhere (outside of IM and AM), just the <i>functional role</i> (<i>business role</i>) and the <i>constraint</i> are left to be taken into account.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-nbcSoucA7SU/TgBe9_Vj5sI/AAAAAAAAMw0/0th3SO1ARd8/s1600/IM-objects.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://1.bp.blogspot.com/-nbcSoucA7SU/TgBe9_Vj5sI/AAAAAAAAMw0/0th3SO1ARd8/s200/IM-objects.png" height="151" width="200" /></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;"><br />
</span><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">There is probably not much left to be said about the digital identity, as I devoted a BLOG post of its own to it here (<a href="http://genericiam.blogspot.com/2010/06/identity.html"><i>http://genericiam.blogspot.com/2010/06/identity.html</i></a>) nearly one year ago.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">But what about the business role? I also called it - perhaps more straightforwardly - the <i>functional role</i>. It just expresses the functions out of the functional (static) business model which are bundled in the functional role. I will probably dedicate a future post to the question of <i>how to find functional roles</i>.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">And then there is the strange remaining object, called <i>constraint</i>. What's that? In this object we collect all additional constraining and determining information like authorisation limits, organisational unit (OU), region, contract type (fixed term employee, interim manager, contractor, …) or the like. This information is certainly necessary. Only whether it is wise to stuff it all into one object and call it constraint is left to the modeller's discretion. For now and for the sake of simplicity I will not split it into its probable components but leave it untouched.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">How to derive processes now? Well, obviously we need some maintenance processes, the CRUD processes (create, read, update & delete). But it all starts with an event. Otherwise there will never be a need to start a process.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">For the creation the triggering event is the very moment when an individual starts a relationship with the organisation. So whenever an individual enters the enterprise ecosystem for the 1<sup>st</sup> time, its <i>digital identity</i> is created.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">This should be done regardless of whether it is a user or not, as being a user represents a class of roles already. </span><br />
<br />
<a href="http://3.bp.blogspot.com/-lrvOPI6Inrc/TgBZKmY35VI/AAAAAAAAMwo/6h0oAH_NDSM/s1600/enterprise_ecosystem.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://3.bp.blogspot.com/-lrvOPI6Inrc/TgBZKmY35VI/AAAAAAAAMwo/6h0oAH_NDSM/s200/enterprise_ecosystem.png" height="200" width="190" /></a><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">As an example the activity <i>employee.create</i> is among the 1<sup>st</sup> steps of an on-boarding process within HR. The equivalent is true for CRM, PRM & IAM.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">The <i>digital identity</i> hereby is the individual's digital sibling. Its lifetime is determined by the lifetime of the enterprise's interest in it and / or by legal or regulatory requirements.</span><br />
<br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">The <i>digital identity</i> is global and unique within the enterprise ecosystem during its life span - or the identities' space-time-continuum, if you prefer science fiction slang. It just carries the minimal necessary set of identifying attributes.</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">So for now, 3 fundamental business process groups remain which are tied to the digital identity:</span><br />
<ul>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">on-boarding,</span></li>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">off-boarding &</span></li>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">change processes</span></li>
</ul>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">They are split up by the type of the digital identity.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-xgWZwc67TSE/TgBfjjI3PbI/AAAAAAAAMw4/x6fsHHl13DA/s1600/IM-processes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-xgWZwc67TSE/TgBfjjI3PbI/AAAAAAAAMw4/x6fsHHl13DA/s640/IM-processes.png" height="179" width="640" /></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">These processes differ slightly by the type of digital identity to reflect the difference in the underlying relationship between the organisation and the individual.</span></div>
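As an added example (not code from the GenericIAM project or from this post), the rules above expressed as a small Python identity registry: the digital identity is created on the 1st contact whether or not the individual is a user, later contacts of the same individual reuse it instead of creating a duplicate, only a minimal set of identifying attributes is stored, and the lifetime is bounded by the enterprise's remaining relationships plus a per-type retention period. The identity types, the retention periods, the choice of identifying attributes and the sample individual in the comments are assumptions made for the example, not values from the post.

```python
"""Digital identity lifecycle registry (added example, not GenericIAM code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import uuid

# Retention obligation after a relationship of this type ends (constructed values,
# standing in for the legal or regulatory requirements the post mentions).
RETENTION_DAYS = {"employee": 10 * 365, "customer": 6 * 365, "partner": 2 * 365}

# The minimal set of identifying attributes the identity carries (an assumption);
# everything else stays in the HR, CRM or PRM record that references the identity.
MINIMAL_KEYS = ("given_name", "family_name", "birth_date")


@dataclass
class DigitalIdentity:
    id: str                                              # global and unique in the ecosystem
    attributes: dict                                     # only MINIMAL_KEYS
    created: date
    relationships: set = field(default_factory=set)      # employee, customer, partner, ...
    state: str = "active"                                # active | retained
    retain_until: Optional[date] = None                  # set once the last relationship ends
    history: list = field(default_factory=list)          # (process, ..., date) records


def _as_date(d):
    """Accept ISO strings or date objects so the example can be driven from plain text."""
    return date.fromisoformat(d) if isinstance(d, str) else d


class IdentityRegistry:
    def __init__(self):
        self._by_id = {}
        self._by_key = {}                                # identifying attributes -> identity id

    @staticmethod
    def _key(attrs):
        return tuple(str(attrs[k]).strip().lower() for k in MINIMAL_KEYS)

    def on_board(self, kind, attrs, today):
        """Create the digital identity on the 1st contact; later contacts reuse it."""
        today = _as_date(today)
        if kind not in RETENTION_DAYS:
            raise ValueError(f"unknown identity type {kind!r}")
        missing = [k for k in MINIMAL_KEYS if k not in attrs]
        if missing:
            raise ValueError(f"missing identifying attributes: {missing}")
        key = self._key(attrs)
        ident = self._by_id.get(self._by_key.get(key))
        if ident is None:
            ident = DigitalIdentity(id=str(uuid.uuid4()),
                                    attributes={k: attrs[k] for k in MINIMAL_KEYS},
                                    created=today)
            ident.history.append(("create", today))
            self._by_id[ident.id] = ident
            self._by_key[key] = ident.id
        ident.relationships.add(kind)
        ident.state, ident.retain_until = "active", None  # renewed interest ends retention
        ident.history.append(("on_board", kind, today))
        return ident

    def off_board(self, ident_id, kind, today):
        """End one relationship; the identity outlives it for the type's retention period."""
        today = _as_date(today)
        ident = self._by_id[ident_id]
        if kind not in ident.relationships:
            raise ValueError(f"{ident_id} has no {kind} relationship")
        ident.relationships.discard(kind)
        hold = today + timedelta(days=RETENTION_DAYS[kind])
        if ident.retain_until is None or hold > ident.retain_until:
            ident.retain_until = hold                    # longest obligation of any ended relationship wins
        if not ident.relationships:
            ident.state = "retained"                     # no enterprise interest left, only obligations
        ident.history.append(("off_board", kind, today))
        return ident

    def change(self, ident_id, today, **updates):
        """Change process: only identifying attributes live on the identity itself."""
        unknown = set(updates) - set(MINIMAL_KEYS)
        if unknown:
            raise ValueError(f"not an identifying attribute: {sorted(unknown)}")
        ident = self._by_id[ident_id]
        del self._by_key[self._key(ident.attributes)]
        ident.attributes.update(updates)
        self._by_key[self._key(ident.attributes)] = ident.id
        ident.history.append(("change", tuple(sorted(updates)), _as_date(today)))
        return ident

    def purge(self, today):
        """End of the identity's lifetime: no relationship left and retention elapsed."""
        today = _as_date(today)
        gone = [i for i in self._by_id.values()
                if i.state == "retained" and i.retain_until <= today]
        for i in gone:
            del self._by_key[self._key(i.attributes)]
            del self._by_id[i.id]
        return [i.id for i in gone]

    def get(self, ident_id):
        return self._by_id.get(ident_id)
```

The registry keys uniqueness on the normalised identifying attributes, so a customer who later becomes an employee gets a second relationship on the same identity rather than a second identity; the type-specific difference between the process groups shows up only in the retention period applied at off-boarding.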
Horst Walther (http://www.blogger.com/profile/03381708015477095465)
Published 2011-06-13, updated 2014-03-13: How to find IAM processes<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Just recently I had an eye-opening experience. While delivering expert advice to a customer in a large IAM project, I was asked if I could confirm that the set of IAM process descriptions delivered by a colleague of mine was correct, complete and compelling.</span><span style="font-family: Trebuchet MS;"><br /></span><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Hmm, my colleague is an experienced practitioner. He had done this job several times before. He knew what he was doing. I trust his expertise. So I asked him how he derived them.</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">"<i>Well, I just know that you need these processes. And taking into account the special situation at this customer's site, this is the most reasonable result</i>", he argued.</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">"<i>But they couldn't have appeared from nowhere. There must be a convincing and compelling way to rigorously derive them from the situation we are in</i>", my customer replied.</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">This was déjà vu. Here it was again - the demand for a generic set of processes for Identity & Access Management. So I felt we should finally come up with an answer. And I tried. It goes like this:</span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">The first step is getting some order into the seemingly unlimited number of possible IAM processes by grouping them. The processes of Identity Management, not surprisingly, may be grouped in several ways. Here I propose the following sequence:</span><br />
<ol start="1" type="1">
<li><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">into Identity Management & Access Management</span></li>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">into operational and managerial processes</span></li>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">into essential and physical processes</span></li>
</ol>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
</span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">1. Separating Identity Management from Access Management</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><div style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-7uzrowCkS4c/TfYYeWenq7I/AAAAAAAAMv4/zQlz7F8Ebcg/s1600/IAM%253DIM%252BAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://3.bp.blogspot.com/-7uzrowCkS4c/TfYYeWenq7I/AAAAAAAAMv4/zQlz7F8Ebcg/s320/IAM%253DIM%252BAM.png" height="161" width="320" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><span style="font-family: "Trebuchet MS", sans-serif;">Identity management has a justification <i>sui generis</i>. It need not be regarded as an appendix of security management or merely as the precondition for Access Management.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">Access management - of course - can be and should be built on top of Identity management.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">The key question however is where to draw the line between IM and AM.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">The digital identity, i.e. the object "identity", clearly is in scope of IM. Out of scope of both IM and AM, on the other hand, are the objects "organisation", "contract type" and "contract". They should be modelled elsewhere in the enterprise model. </span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">But what about the business role? It defines the functions an identity is meant to perform in relation to the organisation. And defining that relationship should still be considered part of IM. In my opinion it is more safely located in IM than in AM.</span></span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">2. Subdividing into operational and managerial processes</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">1<sup>st</sup> rule: keep processes short: "<i>the best way to manage workflow is to avoid it</i>"</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Operational processes tend to follow this rule.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">However, in the back office they tend to grow ever longer.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Regulation, compliance issues and security concerns are the drivers.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">There are just a few operational AM processes: <i>identify</i>, <i>authenticate</i> and <i>authorise</i>.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">IM processes are purely managerial by their nature.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Strategic IAM processes will hardly ever be found.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The bulk of the processes are managerial by their very nature.</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-gqQfpMOs7jk/TfYqZf8cNvI/AAAAAAAAMwE/uU_ic2hla9c/s1600/operational_managerial_strategic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-gqQfpMOs7jk/TfYqZf8cNvI/AAAAAAAAMwE/uU_ic2hla9c/s200/operational_managerial_strategic.png" height="200" width="185" /></span></a></div>
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">3. Order by essential and physical processes</span></h3>
<span style="font-family: "Trebuchet MS", sans-serif;">Follow the rule: essential system 1<sup>st</sup>, physical ring 2<sup>nd</sup>. Meaning you start with the stable essential core of processes, and only once this set is complete do you proceed to the more volatile physical ring.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pSjfY9QF798/TfYqicGZTAI/AAAAAAAAMwI/w4uMD7jGkBM/s1600/essential_physical.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-pSjfY9QF798/TfYqicGZTAI/AAAAAAAAMwI/w4uMD7jGkBM/s200/essential_physical.png" height="200" width="200" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">Hereby essential processes …</span><br />
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">represent the business' intended behaviour.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They can be identified assuming "perfect technology".</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They need not care about transport, translation or audit activities.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They are implementation independent.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They form a durable core of the business.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They only change if the business changes.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">example: administer and use the essential business functionality</span></li>
</ul>
<span style="font-family: "Trebuchet MS", sans-serif;">Whereas physical processes …</span><br />
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">are introduced to deal with the imperfect outside world.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Here transport, translation & audit processes are introduced.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Physical processes are implementation dependent.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">They are more volatile and subject to frequent change.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">When re-implemented, the physical ring will be different while the essential core may stay unchanged.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">example: integrate, transport, transform and "provision" to deal with the "cruel dirty world" outside.</span></li>
</ul>
<span style="font-family: "Trebuchet MS", sans-serif;">In my next post I will follow my own recipe by applying it to the Identity Management (IM) first. This should be the easy part - with harder parts to come.</span><br />
</span></div>
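To make the essential/physical split concrete, here is an added Python example; it is not the GenericIAM community's code nor a process description from this post. The essential core only states the business' intended behaviour: which permissions (operations on information objects) an identity should hold given its business roles, assuming perfect technology. The physical ring does the rest: it translates those permissions into each target system's own entitlements, transports them (here to in-memory stand-ins for a directory and an application), and writes an audit record per reconciliation. Re-implementing a target changes only the ring. The role names, permissions, target systems and their mapping tables are constructed for the example.

```python
"""Essential core vs. physical ring (added example, not GenericIAM code)."""

# ---------- essential core: implementation independent ----------
# A permission is an operation on an information object; business roles bundle them.
ROLE_PERMISSIONS = {                                   # constructed sample
    "clerk":   {("read", "ledger"), ("create", "payment")},
    "auditor": {("read", "ledger"), ("read", "audit-trail")},
}


def essential_authorisations(business_roles, role_permissions=ROLE_PERMISSIONS):
    """The business' intended behaviour: what these roles should be able to do.
    No transport, no translation, no audit: those belong to the physical ring."""
    wanted = set()
    for role in business_roles:
        if role not in role_permissions:
            raise KeyError(f"unknown business role {role!r}")
        wanted |= role_permissions[role]
    return wanted


# ---------- physical ring: implementation dependent ----------
class Connector:
    """One target system. Translation and transport live here, never in the core."""
    name = "abstract"

    def translate(self, permission):
        """Map a (operation, object) permission to this target's entitlement, or None."""
        raise NotImplementedError

    def current(self, identity_id):
        raise NotImplementedError

    def apply(self, identity_id, grant, revoke):
        raise NotImplementedError


class GroupDirectory(Connector):
    """Constructed stand-in for a directory: every permission becomes a group."""
    name = "directory"

    def __init__(self):
        self.groups = {}                               # identity id -> set of group names

    def translate(self, permission):
        op, obj = permission
        return f"grp-{obj}-{op}"

    def current(self, identity_id):
        return set(self.groups.get(identity_id, ()))

    def apply(self, identity_id, grant, revoke):
        g = self.groups.setdefault(identity_id, set())
        g |= grant
        g -= revoke


class AppRoles(Connector):
    """Constructed stand-in for an application with its own coarse role names;
    permissions it cannot express are reported rather than silently dropped."""
    name = "ledger-app"
    MAP = {("read", "ledger"): "LedgerViewer", ("create", "payment"): "PaymentInitiator"}

    def __init__(self):
        self.roles = {}

    def translate(self, permission):
        return self.MAP.get(permission)

    def current(self, identity_id):
        return set(self.roles.get(identity_id, ()))

    def apply(self, identity_id, grant, revoke):
        r = self.roles.setdefault(identity_id, set())
        r |= grant
        r -= revoke


class Provisioner:
    """Reconciles the intended (essential) state with each target's actual state."""

    def __init__(self, connectors):
        self.connectors = connectors
        self.audit = []                                # one record per target per run

    def reconcile(self, identity_id, business_roles):
        desired = essential_authorisations(business_roles)   # the only call into the core
        summary = {}
        for c in self.connectors:
            target, unmapped = set(), []
            for perm in sorted(desired):
                ent = c.translate(perm)                # translation
                if ent is None:
                    unmapped.append(perm)
                else:
                    target.add(ent)
            have = c.current(identity_id)
            grant, revoke = target - have, have - target
            if grant or revoke:
                c.apply(identity_id, grant, revoke)    # transport
            record = {"target": c.name, "identity": identity_id, "grant": sorted(grant),
                      "revoke": sorted(revoke), "unmapped": unmapped}
            self.audit.append(record)                  # audit
            summary[c.name] = (sorted(grant), sorted(revoke), unmapped)
        return summary
```

A second run with unchanged roles produces no grants or revokes, so the reconciliation is idempotent; a role change yields exactly the delta per target, and the unmapped list makes visible where a target cannot represent a permission the business intends.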
Horst Walther (http://www.blogger.com/profile/03381708015477095465)
Published 2011-06-10, updated 2015-03-25: Objects of the corporation - slightly revised<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
Looking back at the </span><a href="http://genericiam.blogspot.com/2010/07/objects-of-corporation.html"><span style="font-family: "Trebuchet MS", sans-serif;">Objects of the corporation</span></a><span style="font-family: "Trebuchet MS", sans-serif;">, which I defined back on 2010-07-05, I felt the need for some minor adaptations in order to comfortably derive from this model the elementary actions for manipulating it.</span></span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-MAIb7ZOZw0k/UCpupxSylaI/AAAAAAAAR8Y/_qp3Lde6bpo/s1600/IAM_non_IAM-objects.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-MAIb7ZOZw0k/UCpupxSylaI/AAAAAAAAR8Y/_qp3Lde6bpo/s640/IAM_non_IAM-objects.png" height="561" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Trebuchet MS", sans-serif;">IAM-objects & non-IAM-objects</span></td></tr>
</tbody></table>
<h2 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Everything starts with an agreement …</span></h2>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">
We only care about the digital identity in the corporate context if it maintains any kind of relationship with the organization or an organizational unit (OU).<br /><br />
Let’s state therefore: the <b><i>identity</i></b> has concluded a <i><b>contract</b></i> with the <b><i>organization</i></b>; not necessarily a legally binding agreement, although it usually is. Although not in the focus of Identity Management, the digital <i><b>identity</b></i>’s lifespan within the corporation starts with an agreement. There may be more than one of them, such as a freelancer contract plus a bank account creating a customer-supplier relationship, or an employment contract plus membership in the workers' council.<br /><br />
To take full advantage of the possibilities to automate role assignment we could later resolve the fine structure of the object <b><i>organization</i></b>. For now however it may be sufficient to deal with a monolithic object.<br /><br />
Contracting is usually done according to a standard <b><i>contract type</i></b> covering at least one standard position, e.g. sales representative or securities trader. Each of these standard job descriptions covers at least one <b><i>functional role</i></b>.<br /><br />
The <b><i>functional role</i></b> just specifies functions to be performed. What is still missing is the <b><i>information object</i></b> to be accessed. Therefore the <i><b>functional role</b></i> needs to be localized by further <i><b>constraints</b></i> in order to bind it to specific <b><i>permissions</i></b>. The result is stored in the <b><i>business role</i></b>. There are of course many more <b><i>business roles</i></b> than <b><i>functional roles</i></b>, accessing different incarnations of the same <i><b>information object</b></i> type.<br /><br />
According to the RBAC definition, a <b><i>permission</i></b> is an <i><b>operation</b></i> on an (<i><b>information</b></i>) <i><b>object</b></i>.</span><br />
<h2 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">… and ends up in an "authorization".</span></h2>
<span style="font-family: "Trebuchet MS", sans-serif;"><span lang="EN-GB" style="font-size: 12pt;">
The <i><b>identity</b>’s</i> access to an <b><i>information object</i></b> - expressing the use of the object - is stored in the <i><b>authorization</b></i> object. There may be one or more <i><b>authorization</b></i> objects per <b><i>identity</i></b>.<br /><br />
<b><i>Constraints</i></b> may be specified in the same agreement as the function or in additional agreements, and are applied to the <i><b>business role</b></i>. For example, the amount of money for which a bank clerk is allowed to sign a credit contract may be limited. Or the authority to purchase material may be limited to a specific organizational unit.<br />
</span>
</span></div>
Horst Walther (http://www.blogger.com/profile/03381708015477095465), Hamburg, Germany (53.556866 9.994622)
Published 2011-03-10, updated 2014-03-13: Incompetence<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal" style="margin: 6pt 0cm;">
<i style="mso-bidi-font-style: normal;"><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">This post will be essentially in German as it deals with some German language idiosyncrasies. Although I have the strong and irrefutable impression that we have this cognitive dissonance in the English-language universe as well, I would like to leave it to a more <b style="mso-bidi-font-weight: normal;">competent</b> person to comment on the confusing use of the word <b style="mso-bidi-font-weight: normal;">competence</b>.</span></i></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh6.googleusercontent.com/-tEnxlU6ryk4/TXlFXoWyA2I/AAAAAAAAMbE/sEDJbFy7Ioc/s1600/conflictmanagement-04a83.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="163" src="https://lh6.googleusercontent.com/-tEnxlU6ryk4/TXlFXoWyA2I/AAAAAAAAMbE/sEDJbFy7Ioc/s200/conflictmanagement-04a83.jpg" width="200" /></a></div>
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">The young discipline of Identity & Access Management (IAM) brings worlds together. No, I am not once again driving at the point that this task, so often pushed onto IT, is of a purely <a href="http://horst-walther.blogspot.com/2010/07/iam-purely-organizational-task.html">organisational nature</a>. Organisation and HR, however, have evidently been living in different worlds as well up to now. This becomes apparent with <b style="mso-bidi-font-weight: normal;">Kompetenz</b> (competence).</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">Before I set about writing these lines, I asked myself whether I am <b style="mso-bidi-font-weight: normal;">competent</b> enough to write about <b style="mso-bidi-font-weight: normal;">competence</b> and its iridescent and confusing use in companies. But if nobody else does it, I will gladly sacrifice myself.</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">Have you ever read job advertisements? Surely only by accident and in passing. A real crack gets approached and does not search through formulaic offers. When technicians are sought, there is always talk that they should please also bring the necessary "<b style="mso-bidi-font-weight: normal;">social competence</b>". This is meant to tell us that they should have the ability to look the opponent in the eye and conduct a more or less civilised debate with him. Other <b style="mso-bidi-font-weight: normal;">competences</b> must not be neglected either, such as the presupposed <b style="mso-bidi-font-weight: normal;">basic competence</b>, <b style="mso-bidi-font-weight: normal;">professional competence</b>, and formal, hierarchical and socio-cultural <b style="mso-bidi-font-weight: normal;">competences</b>.</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">Quite different are the Orgs (no, not Orcs!), that is, the group of people who deal with the organisation of companies, if it really exists: here <b style="mso-bidi-font-weight: normal;">competence</b> means the permissions and duties tied to a particular position. "<i style="mso-bidi-font-style: normal;">Do they even have the <b style="mso-bidi-font-weight: normal;">competence</b> to order an office printer?</i>" or "<i style="mso-bidi-font-style: normal;">Colleague Meier has once again fully exhausted his <b style="mso-bidi-font-weight: normal;">scope of competence</b>!</i>".</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">So while HR speaks of <i style="mso-bidi-font-style: normal;">being able to</i>, the Orgs speak of <i style="mso-bidi-font-style: normal;">being allowed to</i>, and both use one and the same word. How is it, actually, in the rest of the world, out there beyond the office walls? Let us consult the wisdom of the crowds. Wikipedia tells us: "<b style="mso-bidi-font-weight: normal;">Kompetenz</b> (Latin <i>competere</i>: to coincide, to suffice, to be capable of something) stands for:</span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Ability</b>, competence to act (occupational) </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Abilities</b> and skills in general (psychology), </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Abilities</b> and skills (pedagogy) </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Knowledge of a language</b> as opposed to language performance (linguistics), </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Ability</b> of cells to take up DNA present outside the cell (microbiology), </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• the <b>permissions</b> and duties tied to a particular position (organisation), </span></div>
<div class="MsoNormal" style="margin-left: 36pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt; text-indent: -18pt;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">• <b>Jurisdiction</b> of authorities or courts (administration) </span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<br /></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">Everyone agrees; only organisation and administration fall out of line. And that is supposed to go well? Well, up to now people could nicely keep out of each other's way. But IAM now lets grow back together what belongs together. HR and organisation have to talk to each other for the first time and even agree on a common terminology. </span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">And here we get the <i style="mso-bidi-font-style: normal;">clash of cultures</i>. We all know the old conflict about roles and permissions. There is the camp that believes direct assignment of permissions to persons is out. First one has to define the role a person holds in the organisational workflow. The role expresses what the person has to do and consequently must be equipped with the necessary rights. Then one only has to assign the role to the individual, ideally in the employment contract, and everything is hunky-dory.</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">That was well-meant, but only half the truth. Besides the (functional) role, further dimensions (to be understood as quite orthogonal) determine the assignment of rights: region, nation, organisational unit, contract type, mandate and possibly more. These are all restrictions (<i style="mso-bidi-font-style: normal;">constraints</i>) that further narrow the permissions granted via the role. And this is where that ominous <b style="mso-bidi-font-weight: normal;">competence</b> comes into play.</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">What is meant by that? Imagine a credit clerk has the mandate to grant loans up to 500,000 euros. His boss may go up to 2 million, because he heads the whole credit department, and above that the full board has to decide. That is not unrealistic; such things exist. And this discretionary limit is then called <b style="mso-bidi-font-weight: normal;">competence</b>. </span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">If we now want to define the skills of the role credit clerk and prescribe a certain <b style="mso-bidi-font-weight: normal;">professional competence</b> for it, so that the HR department can advertise and fill the position correctly, then we are in a mess. </span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Trebuchet MS"; font-size: 12pt;">Competence</span></b><span style="font-family: "Trebuchet MS"; font-size: 12pt;"> is thus a really silly word, or at least a highly unfortunate choice.</span></div>
<div class="MsoNormal" style="margin: 6pt 0cm;">
<span style="font-family: "Trebuchet MS"; font-size: 12pt;">But what to use instead? After all, apt naming belongs to the <b style="mso-bidi-font-weight: normal;">core competence</b> of a modeller. I am for <b style="mso-bidi-font-weight: normal;">Mandat</b> (mandate), or rather <b>Befugnis</b> (authority)? What do you think?</span></div>
</div>
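The object chain of the post "Objects of the corporation" above (contract, contract type, functional role, constraint, business role, permission, authorization) and the signing limits in the credit clerk example of this post, as one added Python example that is not GenericIAM code: a contract's type yields functional roles, the constraints agreed in the contract localise each functional role to a business role bound to concrete permissions (operation on information object), the business roles are collected in the identity's authorization object, and an access decision checks both the permission and every constraint. The functional role, the information object, the constraint attributes and the three sample contracts are constructed for the example; the 500,000 and 2 million limits follow the credit clerk example above, and a missing request fact fails closed by design.

```python
"""From agreement to authorization with constraints (added example, not GenericIAM code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """RBAC: a permission is an operation on an information object."""
    operation: str
    information_object: str


@dataclass(frozen=True)
class Constraint:
    """Localises a role: "<=" caps a numeric fact of the request, "in" restricts it to a set."""
    attribute: str
    op: str
    value: object

    def allows(self, request: dict) -> bool:
        actual = request.get(self.attribute)
        if actual is None:
            return False                      # the request does not state the fact: fail closed
        if self.op == "<=":
            return actual <= self.value
        if self.op == "in":
            return actual in self.value
        raise ValueError(f"unsupported constraint operator {self.op!r}")


@dataclass(frozen=True)
class FunctionalRole:
    name: str
    functions: frozenset                      # what is performed; the object is still unspecified


@dataclass(frozen=True)
class BusinessRole:
    name: str
    permissions: frozenset                    # Permission bound to a concrete information object
    constraints: tuple


@dataclass(frozen=True)
class ContractType:
    name: str                                 # standard position, e.g. "credit clerk"
    functional_roles: tuple


@dataclass(frozen=True)
class Contract:
    identity: str
    organization: str
    contract_type: ContractType
    constraints: tuple = ()                   # agreed in the same or an additional agreement


@dataclass
class Authorization:
    """One authorization object per identity, holding its business roles."""
    identity: str
    business_roles: list = field(default_factory=list)


def localize(functional_role, information_object, constraints):
    perms = frozenset(Permission(f, information_object) for f in functional_role.functions)
    return BusinessRole(f"{functional_role.name}@{information_object}", perms, tuple(constraints))


def derive_authorization(contract, information_object):
    """Agreement -> contract type -> functional roles -> business roles -> authorization."""
    auth = Authorization(contract.identity)
    for fr in contract.contract_type.functional_roles:
        auth.business_roles.append(localize(fr, information_object, contract.constraints))
    return auth


def decide(auth, operation, information_object, request):
    """Grant if some business role holds the permission and all its constraints hold."""
    wanted = Permission(operation, information_object)
    reasons = []
    for br in auth.business_roles:
        if wanted not in br.permissions:
            continue
        failed = [c for c in br.constraints if not c.allows(request)]
        if not failed:
            return True, f"granted via {br.name}"
        c = failed[0]
        reasons.append(f"{br.name}: {c.attribute} {c.op} {c.value!r} not met")
    return False, "; ".join(reasons) or f"no business role holds {operation} on {information_object}"


# Constructed sample: one functional role, three contract types, limits as in the credit
# clerk example (clerk 500,000, department head 2 million, board unlimited) plus an
# organisational-unit constraint for the clerk.
CREDIT_OFFICER = FunctionalRole("credit officer", frozenset({"read", "sign"}))
SAMPLE_CONTRACTS = {
    "clerk": Contract("id-clerk", "bank", ContractType("credit clerk", (CREDIT_OFFICER,)),
                      (Constraint("amount", "<=", 500_000),
                       Constraint("org_unit", "in", frozenset({"credit"})))),
    "head": Contract("id-head", "bank", ContractType("head of credit department", (CREDIT_OFFICER,)),
                     (Constraint("amount", "<=", 2_000_000),)),
    "board": Contract("id-board", "bank", ContractType("board member", (CREDIT_OFFICER,))),
}


def may_sign_credit(who, amount, org_unit="credit"):
    auth = derive_authorization(SAMPLE_CONTRACTS[who], "credit_contract")
    return decide(auth, "sign", "credit_contract", {"amount": amount, "org_unit": org_unit})
```

The decision returns a reason string alongside the boolean so that a denied request can be traced to the business role and the constraint that blocked it, which is the information an audit or a help-desk query needs.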
Horst Walther (http://www.blogger.com/profile/03381708015477095465)
Published 2010-08-22, updated 2014-03-13: Modelling fundamentals<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;"><a href="http://1.bp.blogspot.com/_q1HPM5zbGnw/THDjrtFMu_I/AAAAAAAAK10/p5BcaAl_TpA/s1600/Essential+Systems+Analysis3.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://1.bp.blogspot.com/_q1HPM5zbGnw/THDjrtFMu_I/AAAAAAAAK10/p5BcaAl_TpA/s320/Essential+Systems+Analysis3.png" height="320" width="226" /></a>I once mentioned that I follow the <b>essential systems modeling</b> (esm) principles. As not everybody will necessarily be aware of what this term is about, I feel obliged to explain it here.<br />
<br />
The <b><i>Essential Systems Modeling Methodology</i></b> was defined and applied by Stephen M. McMenamin and John F. Palmer back in the year 1984. It was published in a book surprisingly called essential systems analysis (<i>McMenamin, S. & Palmer, J., Essential Systems Analysis, Yourdon Press Prentice Hall, Englewood Cliffs, NJ, 1984.</i>).<br />
<br />
McMenamin & Palmer use an <b>event-oriented</b> approach to process modelling. Their purpose is to identify the "essential (elementary or atomic) processes" being performed and their relationships to the events that drive the business. According to Steve McMenamin and John Palmer essential systems can be detected by the following <i>gedankenexperiment</i> …</span><ul>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">"<i>If we had perfect implementation technology (e.g., a computer with infinite speed, unlimited memory, transparent interface, no failures, and no cost), which of the requirements would still need to be stated?</i>"</span></li>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">
<li>Every requirement that is still necessary in spite <b>perfect technology</b> is an essential requirement.</li>
</span></ul>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">The prime purpose of esm is to remove <b>legacy implementation artifacts</b> from the model in order to prevent them from influencing future models. And this ability is exactly my motivation why I want to present this methodology here. In the 1<sup>st</sup> attempt of the GenericIAM community to derive a generic process model from existing implemented physical models turned out to be surprisingly difficult; in fact it terribly failed. Or as I stated earlier: <i>In fact it turned out, that especially the most experienced practitioners faced difficulties in getting to the next layer of abstraction.</i></span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">How to derive the target implementation model in a 4-step Process</span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">McMenamin and Palmer recommend to follow a 4-step specification process:<br />
<ol>
<li>Analysis of the current system</li>
<ul>
<li>build a model of the actual implementation of the current system.</li>
<li>This is the physical system like it is implemented in reality - the <b>current physical</b> system.</li>
</ul>
<li>Analysis of the fundamental concepts of the current system:</li>
<ul>
<li>Deriving of the essence out of the current system.</li>
<li>All implementation specific artifacts are removed in this step.</li>
<li>Using "perfect technology" as the guiding principle.</li>
<li>The result is the <b>current essential</b> system.</li>
<strong>
</strong></ul>
<li>Include new requirements into the essential model:</li>
<ul>
<li>Build the new essential model by adding new requirements.</li>
<li>This model represents all functional requirements.</li>
<li>Ideally it is still free of any design- and implementation consideration.</li>
<li>The result is the <b>new essential</b> system.</li>
</ul>
<li>Design the new physical model:</li>
<ul>
<li>Build the implementation model of the new system.</li>
<li>The result is the <b>new physical</b> system.</li>
</ul>
</ol>
Finding the essence by this modelling cycle removes <b>implementation artifacts</b> leaving us with the pure functional essence.<br />
<br />
The 3rd step of this approach represents the core of the requirements definition. Here the essential business requirements are documented, stating <b>what</b> has to be implemented without defining <b>how</b> it will be done.<br />
<br />
This separation enables us to implement the same, unchanged essential system using different target technologies. Even when using the same technology, maintaining the essential model may turn out to be very helpful: when significant changes are applied to the essential (=functional) model, the optimal new physical model may be implemented by a considerably different design than the current physical model.</span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Avoiding technical "folklore" by assuming "perfect technology</span>"</h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS"; font-size: 12pt;">The assumption of <b>perfect technology</b> leads to the following model characteristics: <br />
<ul class="blueball">
<li><b>Inside the system</b> there are neither errors nor processing or waiting times.</li>
<li>No <b>audit</b>-, <b>translation</b>- or <b>transport</b> processes are necessary.</li>
<li>But the <b>environment</b> of the system is considered as imperfect - <i>as is</i>.</li>
<li>Along the systems boundary a ring of audit-, translation- and transport processes connects to this real world - the <b>physical ring</b>.</li>
</ul>
<br />
Further rules that help us compose the essential systems model are:<br />
<ul class="blueball">
<li>Essential processes may be triggered by an external or a time <b>event</b>.</li>
<li>Fundamental essential processes yield an externally useful <b>result</b>.</li>
<li>Administrative essential processes store their results in an <b>essential store</b> to be used by a fundamental essential process.</li>
<li>Essential processes communicate asynchronously via essential stores - they are <b>time decoupled</b>.</li>
<li>Essential processes may be expanded to form <b>nested essential models</b> on a lower layer; essential models in turn may be collapsed to serve as essential processes on a higher level.</li>
<li>At the lowest level the essential processes represent <b>elementary activities</b>.</li>
<li>The elementary activities can be found by discovering the <b>state transitions</b> of the fundamental (persistent) business objects.</li>
<li>Elementary activities typically bundle all actions that are done by one processor without a <b>necessary interruption</b>.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/THDl5_4eNEI/AAAAAAAAK2Q/FVud1EouuPc/s1600/essential_modelling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/THDl5_4eNEI/AAAAAAAAK2Q/FVud1EouuPc/s400/essential_modelling.png" height="247" width="400" /></a></div>
In order to form business processes, elementary activities are grouped by their inherent business relationship.<br />
<br />
The business relationship is expressed in the value chain and can be taken from there.<br />
<br />
Business processes behave like travelling guests:<br />
<ul class="blueball">
<li>they are created by an <b>event</b>,</li>
<li>they are themselves <b>transient</b> objects,</li>
<li>they undergo several <b>state transitions</b>,</li>
<li>they change their <b>state</b> by elementary activities,</li>
<li>they carry along their <b>local knowledge</b> about triggering events, the acting processor and the affected business objects,</li>
<li>after delivery they <b>terminate</b> their active life but may be archived.</li>
</ul>
Equipped with this methodology and keeping these rules in mind, in my next post I will take my first cautious steps to derive essential <b>IAM processes</b> - which hopefully will turn out to be truly generic.</span><br /></div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-61249985848081047922010-08-17T12:24:00.014+02:002014-03-13T15:31:42.300+01:00objects, subjects & actions<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">As from a purely static picture we will never be able to derive the dynamics, i.e. processes, clearly time has come for some dynamic considerations.<br />
<br />
Remembering the RBAC definition of permissions as ‘actions on objects’, we are clearly still missing the someone who performs these actions: the actors. Hence these special objects, which are able to act, turn into subjects: </span><br />
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">In processes subjects (actors) act on objects.</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/_q1HPM5zbGnw/TGqop4fd_nI/AAAAAAAAK0U/haGy7hdSxcE/s1600/action.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/_q1HPM5zbGnw/TGqop4fd_nI/AAAAAAAAK0U/haGy7hdSxcE/s320/action.png" height="320" width="226" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">Subjects may be users or managers<br />
<br />
Managers are owners or clerks.<br />
</span><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners are responsible</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Clerks act on behalf of owners</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners delegate to clerks</span></li>
</ul>
<br /><span style="font-family: "Trebuchet MS", sans-serif;">
Subjects act or react<br />
</span><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Their activity triggers an event</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Reactions often are decisions (like approvals)</span></li>
</ul>
<div style="margin-left: 18pt;">
<span style="font-family: "Trebuchet MS", sans-serif;">What now is the difference between acting and reacting? Does any subject really act on its own discretion?</span></div>
<br /><span style="font-family: "Trebuchet MS", sans-serif;">
</span><div style="margin-left: 18pt;">
<span style="font-family: "Trebuchet MS", sans-serif;">Keeping in mind that we only regard events triggered by subjects which are confined in the IAM system any action which are triggered by external events can be regarded as actions.</span></div>
<br /><span style="font-family: "Trebuchet MS", sans-serif;">
</span><div style="margin-left: 18pt;">
<span style="font-family: "Trebuchet MS", sans-serif;">Follow-up actions whose events were triggered by preceding actions can be regarded as re-actions.</span></div>
<br /><span style="font-family: "Trebuchet MS", sans-serif;">
Time may act as a (virtual) subject<br />
</span></span><ul style="text-align: left;"><span lang="EN-GB" style="font-size: 12pt;">
<li><span style="font-family: "Trebuchet MS", sans-serif;">Time acts on behalf of the organization</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Time triggers a predefined action</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The action is driven by a policy</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Time-triggered events are common</span></li>
</span></ul>
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">events</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/_q1HPM5zbGnw/TGqpL9mDPvI/AAAAAAAAK0c/5pb7xUFuGng/s1600/events.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://3.bp.blogspot.com/_q1HPM5zbGnw/TGqpL9mDPvI/AAAAAAAAK0c/5pb7xUFuGng/s320/events.png" height="320" width="223" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">I mentioned the term ‘event’. Events trigger the dynamic, the make the system move.<br />
</span><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">actions (and whole processes) are triggered by events.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">There are events …</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">fired by embedding business processes. </span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">created by an subject</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">triggered by time</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">fired by state transitions</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></ul>
</ul>
<span style="font-family: "Trebuchet MS", sans-serif;">Events from outside the IAM system we call business events. Without business events there would be no need for the entire IAM system.</span></span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Request & approval</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">Let’s have a closer look to the action itself. What happens when an individual applies for access to an object? It requests access. In an abstract view a subject requests an object. As done before we can derive an object from this relationship: the ‘request’.</span><div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqrPOsLqfI/AAAAAAAAK0w/hi9zD9p7C_A/s1600/request.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqrPOsLqfI/AAAAAAAAK0w/hi9zD9p7C_A/s320/request.png" height="320" width="242" /></span></a></div>
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The request is a <b>transient</b> object, but it may well be persisted.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">It is the central <b>workflow</b> object found in IAM systems.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">It can be understood as the <b>instantiation</b> of a process type.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The request is created by an <b>event</b>, e.g. …</span>
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">when a <b>subject</b> requests access to an object,</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">when the <b>time</b> has come to re-validate a role / privilege,</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">when the defined response <b>period</b> has passed without any activity (escalation),</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">…</span></li>
</ul></li>
</ul>
<br /><span style="font-family: "Trebuchet MS", sans-serif;">
Who now approves a request? As a general rule the owner of the requested object has to decide whether to approve or to deny.</span><div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqqpx4IlPI/AAAAAAAAK0o/6m-JVwGRFCw/s1600/request_approval.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqqpx4IlPI/AAAAAAAAK0o/6m-JVwGRFCw/s320/request_approval.png" height="320" width="274" /></span></a></div>
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The object’s owner decides on the request.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Hereby he changes its state.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">States are:</span>
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">new</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">approved</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">rejected</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">escalated</span></li>
</ul></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">We can expect as many requests as there are object owners.</span></li>
</ul>
<span style="font-family: "Trebuchet MS", sans-serif;">To make the situation even more complicated - objects owner may delegate the decision to someone else or activate a policy which acts on behalf of him following pre-defined rules.<br />
</span></span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Subjects decide on requests</span></h3>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">Let’s summarize:<br />
</span><div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqzCrJRkaI/AAAAAAAAK1Q/HP058i1nxcI/s1600/decision.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/TGqzCrJRkaI/AAAAAAAAK1Q/HP058i1nxcI/s320/decision.png" height="320" width="320" /></span></a></div>
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">In workflows subjects (actors) act on objects.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The acting subjects may be owners or clerks.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners are responsible.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Clerks act on behalf of owners.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners delegate to clerks.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners may pre-define their decisions by activating policies.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Subjects act or react.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Their activity triggers an event.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Reactions often are approvals.</span></li>
</ul>
</span><h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;"><br /></span> </h3>
<h3 style="text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">Every object has an owner</span></h3>
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">The guiding key concept is the concept of ownership, assigning the responsibility for an object to its owner:<br />
</span><br />
<ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Each object has one <b>owner</b>.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The owner is <b>responsible</b> for the object.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The owner may delegate object management to a <b>custodian</b>.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The owner may temporarily <b>transfer</b> ownership (full responsibility) to a delegate.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">Owners <b>differ</b> considerably from one organization to another.</span></li>
<li><span style="font-family: "Trebuchet MS", sans-serif;">This apparent complexity is a result of <b>customizing</b> a simple model.</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/_q1HPM5zbGnw/TGqyMywdqnI/AAAAAAAAK1E/ywZtlhHgXUY/s1600/owner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/_q1HPM5zbGnw/TGqyMywdqnI/AAAAAAAAK1E/ywZtlhHgXUY/s320/owner.png" height="100" width="320" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">In my next post I should try to identify elementary action which we later may use to compose IAM processes.<br />
<br />
But before doing that I like to insert a few words on the modelling approach we use here: the ‘essential systems modeling’.<br />
<br />
It therefore may be worth to stay tuned.</span></span><span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-1139623435560205952010-07-28T14:33:00.003+02:002014-03-13T16:42:19.618+01:00Business layer<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;"></span><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">Do you remember the company “Business Layers”? It was among the 1st who implemented a user provisioning software, called “day one”. What a perfect name for a company! Expressing their very business purpose - to promote privilege assignment from the technical level one level up to the <i>business layer</i> – in their corporate name. But later they successfully sold to Netegrity who successfully sold to CA who put all into a big melting pot and not much of the original ideas and products remained.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"><span lang="EN-GB" style="font-size: 12pt;">Last Sunday while jogging though the quiet very early morning Ha</span><span lang="EN-GB" style="font-size: 12pt;">mburg this company came into my mind again when I was suddenly missing – well – the <i>business layer</i>.</span></span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">To explain it a bit more in-depth let’s have a look at the NIST original RBAC definition:</span><br />
<span lang="EN-GB" style="font-size: 12pt;"><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="http://2.bp.blogspot.com/_q1HPM5zbGnw/TFAinrZROiI/AAAAAAAAKzk/bQjeF_JtvBE/s320/permission.png" style="margin-left: auto; margin-right: auto;" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Trebuchet MS; font-size: xx-small;">(Source: Ferraiolo, Sandhu, Gavrila: A Proposed Standard for Role-Based Access Control, 2000) </span></td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/_q1HPM5zbGnw/TFAinrZROiI/AAAAAAAAKzk/bQjeF_JtvBE/s1600/permission.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"></span></a><br /></div>
<div style="text-align: right;">
<span style="font-family: "Trebuchet MS", sans-serif; font-size: xx-small;"></span> </div>
<span style="font-family: "Trebuchet MS", sans-serif;">Here the roles are introduced as an abstraction of the users who might be – no, typically are – different individuals whereas the role, which is tied to a list of resources, might stay unchanged. Hereby the role factors out the commonality of the individuals with respect to the permission assignment. As the RABAC concept is widely known and even mostly understood there is no need to further explain, that roles can be assigned temporarily on session basis and can themselves be ordered in a hierarchy. Permissions by RBAC are defined as ‘operations on objects’, equivalent to ‘actions on resources’ and so on.</span><br />
<span style="font-family: Trebuchet MS;"></span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">These resources however are the real physical resources. So they are not ERP-system or ERP-system.general_ledger or or ERP-system.general_ledger.accounts_payable but SAP FI or JD Edwards EnterpriseOne.GL or Microsoft Dynamics NAV.genel.accpay. Whereas the corporation on the <i>business layer</i> simply has defined that this role should have read-/write-access to the accounts payables.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/_q1HPM5zbGnw/TFAiySoKG0I/AAAAAAAAKzs/3e94jNzX2Vk/s1600/generic_permission.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/_q1HPM5zbGnw/TFAiySoKG0I/AAAAAAAAKzs/3e94jNzX2Vk/s320/generic_permission.png" height="173" width="320" /></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;">So at this side of the equation an abstraction is missing too. Like the role abstracts the individual (represented by the digital identity) some ‘generic resource’ should abstract the ‘real physical resource’. By this intermediate layer we could reduce the necessary number of roles and hence reduce overall complexity.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">And allow business people to model roles on the <i>business layer</i>.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<span style="font-family: "Trebuchet MS", sans-serif;">O.K., how now should we call this new object? Generic object, virtual object, abstract object? Hmmm … but what is your opinion? Can you eventually follow and agree to my esoteric thoughts?</span></span><span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
Horst Waltherhttp://www.blogger.com/profile/03381708015477095465noreply@blogger.com0tag:blogger.com,1999:blog-1261371701213231895.post-45915865913009433162010-07-05T13:34:00.018+02:002014-03-13T16:44:45.144+01:00Objects of the corporation<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-voehZyntxAo/UFhhow72JnI/AAAAAAAASEo/VDg7nNIdndE/s1600/role_abstraction.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"></span></a><br /></div>
<h3 class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">1. The User: Identity uses a Resource</span></span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;"><a href="http://4.bp.blogspot.com/-gCwP4Z2ThMs/UFgx4lHj8tI/AAAAAAAASBo/LQ-Bt700zdc/s1600/user.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-gCwP4Z2ThMs/UFgx4lHj8tI/AAAAAAAASBo/LQ-Bt700zdc/s200/user.png" height="123" width="200" /></a></span></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
In many corporations digital identities first pop up as users. This is a short form of expressing that the digital identity is tied to resources: it “uses” resources. It does so by performing activities.
This relation from the digital identity to the resource may carry attributes. It may be perceived as a derived object: the user. </span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">Another a synonym is account. But to be precise in terms of semantics it is more about the use rather than the user. </span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-cmUuLSAwiwc/UFgyWU4wLJI/AAAAAAAASBw/jNqPxn7n9n8/s1600/authorisation.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-cmUuLSAwiwc/UFgyWU4wLJI/AAAAAAAASBw/jNqPxn7n9n8/s200/authorisation.png" height="123" width="200" /></span></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">In terms of the Access Management (AM) however it deems to be more appropriate to name the relationship “is authorized to use” and the resulting derived object “authorization”. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
2. The operation: authorization to operate on the resource</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/--i3wSmF5S3U/UFgyx0zvSLI/AAAAAAAASB4/htPW8DlhW0w/s1600/operation2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/--i3wSmF5S3U/UFgyx0zvSLI/AAAAAAAASB4/htPW8DlhW0w/s200/operation2.png" height="121" width="200" /></span></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
Users may be authorized to operate on resources: In other words: they are performing operations. This relation in turn may carry attributes. Again a derived object can be defined: the operation.</span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">
3. Permission = operations on Resources</span></span></h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-mSGaYOiYj70/UFhhBzndsyI/AAAAAAAASEY/u-HVZJ3hXb0/s1600/permission.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://1.bp.blogspot.com/-mSGaYOiYj70/UFhhBzndsyI/AAAAAAAASEY/u-HVZJ3hXb0/s200/permission.png" height="160" width="200" /></span></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
According to the RBAC framework [Ferraiolo and Kuhn, 1992] operations on resources (objects) may be labeled with permissions.
A permission is an approval of a mode of access to a resource. Sometimes permissions are called “entitlements”.
More generally they are defined as “operations on objects” – just a different wording for “operations on resources”. </span><br />
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">
4. The Identity belongs to an organization</span></span></h3>
<span lang="EN-GB"><a href="http://4.bp.blogspot.com/-u1nHKTK8BMU/UFhhTKdR3uI/AAAAAAAASEg/CPG-0jeBRaY/s1600/role.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-u1nHKTK8BMU/UFhhTKdR3uI/AAAAAAAASEg/CPG-0jeBRaY/s200/role.png" height="123" width="200" /></span></a><span style="font-family: "Trebuchet MS", sans-serif;">Once we have referred to RBAC, the obvious need pops up to define another object: the role.
Digital identities don’t exist in isolation. In fact, if no one were interested in its ID and/or its attributes, it wouldn’t make any sense to care much for a digital identity – unless it has a relationship to an organization: in a way the digital identity belongs to an organization, as it plays a role there.
There might be more than one elementary relationship – usually an agreement or a contract. And there are many possible specializations of this relationship. Again this relationship may carry attributes. And – not surprisingly – it turns into a derived object: the individual role.
It might sound a bit academic, but it is worthwhile to emphasize that a role characterizes a type of relationship:
</span></span><br />
<ul><span lang="EN-GB"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The role is a predefined class of a relationship a digital identity may have to an organization.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">When the role is assigned to a digital identity, parameters are set to form the authorization.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
This type-vs.-instance distinction turns out to be a useful general modeling principle. There are many possible specializations of the relationship class role and of its incarnation, the authorization. Examples are employees' contracts, freelancers' contracts, partner or customer contracts. Obviously more than one such relationship may exist at the same time, which means a digital identity may be assigned several roles.
</span><br />
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">
5. The role</span></span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
</span><span lang="EN-GB"><a href="http://2.bp.blogspot.com/-voehZyntxAo/UFhhow72JnI/AAAAAAAASEo/VDg7nNIdndE/s1600/role_abstraction.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-voehZyntxAo/UFhhow72JnI/AAAAAAAASEo/VDg7nNIdndE/s320/role_abstraction.png" height="160" width="320" /></span></a><span style="font-family: "Trebuchet MS", sans-serif;">Let’s explore the nature of roles a bit deeper. The role type obviously is an abstraction.
It closely resembles the product, which abstracts the contract. Keep in mind that the very justification of a product is to have a chunk of pre-built business that makes it easier to close a contract. Hence the role relates to the authorization as products relate to contracts. And the authorization looks similar to an employee contract.
Let’s summarize:
</span></span><br />
<ul><span lang="EN-GB"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The product generalizes the contract. It is a contract type (aka product).</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The contract in turn instantiates the product (or contract type).</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The role generalizes the authorization.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">The authorization in turn instantiates the concept of a role.</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
Both may in fact be combined into one agreement. They may as well be left separate for ease of handling. Recognizing the close relationship between roles and contracts may help us find appropriate roles by looking at the related contracts. If there is a contract, there might as well be one or more roles to be identified. If there are roles defined, there must be at least one contract – regardless of whether it is documented or not. Hence not only employees but also customers, suppliers or any partners may receive roles.
The role and the contract may well be one agreement (collapse to one). But for practical reasons we could give the contract a fine structure:
</span><br />
<ul><span lang="EN-GB"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">a contract defines the relationship</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">a role defines incarnation details</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">the contract’s details are then expressed by several roles</span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<span style="font-family: "Trebuchet MS", sans-serif;"><span lang="EN-GB">
</span>
</span><br />
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">
6. Role vs. authorization</span></span></h3>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">
At our starting point we took the naïve view that an individual (represented by its digital identity) uses resources, and derived the use as the relationship object that contains the relevant information about that use. For our purpose we called it the authorization.
Next we recognized that there was room for some abstraction. The role now carries all the abstract use. The instantiation of this role – we called it the authorization – then has to keep all the actual information: the link to the digital identity, to the role, start and end dates and the like.
</span><br />
<h3>
<span style="font-family: "Trebuchet MS", sans-serif;">
<span lang="EN-GB">
7. The whole picture</span></span></h3>
<span lang="EN-GB"><span style="font-family: "Trebuchet MS", sans-serif;">
By considering the identity’s relationship to two different objects – namely to the resource and to the organization – we obtained two distinct branches which should belong to one tree.
<br />
</span><table style="width: 100%;"><tbody>
<tr><td><div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-w2HPrlSEsD4/UFiL0EG5b0I/AAAAAAAASE8/50KYguM8sVY/s1600/role_assignment.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://2.bp.blogspot.com/-w2HPrlSEsD4/UFiL0EG5b0I/AAAAAAAASE8/50KYguM8sVY/s200/role_assignment.png" height="135" width="200" /></span></a></div>
</td><td><div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VUjGMTCSxu4/UFiL_68tyDI/AAAAAAAASFE/e1b6m383R1k/s1600/role_authorisation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /><span style="font-family: "Trebuchet MS", sans-serif;"></span></a></div>
<span style="font-family: "Trebuchet MS", sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-nObB-3CwxAI/UFiMOQbBROI/AAAAAAAASFM/bWIzJROu2IY/s1600/direct_authorisation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://3.bp.blogspot.com/-nObB-3CwxAI/UFiMOQbBROI/AAAAAAAASFM/bWIzJROu2IY/s200/direct_authorisation.png" height="168" width="200" /></span></a></div>
</td></tr>
<tr></tr>
</tbody></table>
<span style="font-family: "Trebuchet MS", sans-serif;">
Both have two objects in common: the identity and the authorization. Combining them, however, requires rethinking the reason for doing so. If the role abstracts the authorization, it should also be the role that defines the operations on the corporation’s resources. </span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VUjGMTCSxu4/UFiL_68tyDI/AAAAAAAASFE/e1b6m383R1k/s1600/role_authorisation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/-VUjGMTCSxu4/UFiL_68tyDI/AAAAAAAASFE/e1b6m383R1k/s320/role_authorisation.png" height="222" width="320" /></span></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">Meanwhile the whole picture has grown and become more complex. But it is still far from complete.
It is worth having a closer look at the role, as the way we use this concept here differs a bit from the common use in daily life.
The role as we defined it here is expressed solely in business terms. That’s why some call it a business role.
But in daily life, if we talk about the role someone plays in a corporation, our perception is more one of the function a person has for that particular corporation. So here the function is the role a person plays – so why not call it the functional role?
Following this definition, however, we receive a role which is not information-rich enough to contain all privilege-determining dimensions. If for example your functional role is to be a salesperson, you may be restricted to a certain sales area or to a certain group of products. So there is something beyond the functional role constraining its full potential. Let’s call it the constraint for now – and go into more depth later. So we split up the “organization” into functional roles and constraints. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--6sEOFBDygI/UFiNVB4fKKI/AAAAAAAASFU/p779M1xjGu4/s1600/role_split.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "Trebuchet MS", sans-serif;"><img border="0" src="http://4.bp.blogspot.com/--6sEOFBDygI/UFiNVB4fKKI/AAAAAAAASFU/p779M1xjGu4/s320/role_split.png" height="225" width="320" /></span></a></div>
<span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif;">Moreover, the picture offered here still expresses the static relationships only. It still does not distinguish between objects and subjects (actors). And the concept of ownership still needs to be introduced.
</span></div>
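<p>The model built up in sections 1 to 7 (identity, resource, permission as operation on a resource, role as the abstract “product”, authorization as its dated “contract” instance, plus the constraint that narrows a functional role) can be written down as a small executable model. The following Python is an added example, not code from the post or the GenericIAM community; the object names, the sample roles, identities, resources and dates are constructed for illustration, and the access decision function is one plausible reading of “the role defines the operations on the corporation’s resources”. It goes slightly beyond the text by showing one identity holding several roles at the same time, as section 4 states is possible.</p>

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DigitalIdentity:
    """Fundamental object: the minimal attribute set that identifies a subject."""
    id: str


@dataclass
class Resource:
    """Fundamental object: something operated on. 'kind' is the class of
    resource a permission refers to; attributes are what constraints test."""
    name: str
    kind: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Permission:
    """RBAC permission: an operation on a class of resources."""
    operation: str
    resource_kind: str


@dataclass(frozen=True)
class Role:
    """Business role: the abstract, reusable description of permitted use
    (the 'product' of which the authorization is the 'contract')."""
    name: str
    permissions: FrozenSet[Permission]


@dataclass(frozen=True)
class Constraint:
    """Narrows a functional role to resources whose attribute has an allowed
    value, e.g. a salesperson limited to one sales area."""
    attribute: str
    allowed: FrozenSet[str]

    def satisfied_by(self, resource: Resource) -> bool:
        # a resource lacking the attribute never satisfies the constraint (fail closed)
        return resource.attributes.get(self.attribute) in self.allowed


@dataclass
class Authorization:
    """Derived object: one identity holding one role, carrying the actual data
    the post lists (links, start and end dates) plus constraints."""
    identity: DigitalIdentity
    role: Role
    valid_from: date
    valid_until: Optional[date] = None      # None = open-ended
    constraints: Tuple[Constraint, ...] = ()

    def active_on(self, day: date) -> bool:
        ended = self.valid_until is not None and day > self.valid_until
        return self.valid_from <= day and not ended


def active_roles(auths: Sequence[Authorization], who: DigitalIdentity, day: date) -> List[str]:
    """Names of the roles an identity holds on a given day (may be several)."""
    return sorted(a.role.name for a in auths if a.identity == who and a.active_on(day))


def is_permitted(auths, who, operation, resource, day) -> bool:
    """Access decision: some active authorization of the identity must carry a
    role whose permissions include this operation on this resource kind, and
    every constraint of that authorization must hold for the resource."""
    needed = Permission(operation, resource.kind)
    for auth in auths:
        if auth.identity != who or not auth.active_on(day):
            continue
        if needed not in auth.role.permissions:
            continue
        if all(c.satisfied_by(resource) for c in auth.constraints):
            return True
    return False


# --- constructed sample data (hypothetical, not from the post) --------------
SALES = Role("salesperson", frozenset({Permission("read", "customer"),
                                       Permission("update", "customer")}))
AUDITOR = Role("auditor", frozenset({Permission("read", "customer"),
                                     Permission("read", "ledger")}))
ALICE = DigitalIdentity("alice")
ACME = Resource("acme", "customer", {"region": "EMEA"})
GLOBEX = Resource("globex", "customer", {"region": "APAC"})
LEDGER = Resource("gl-2012", "ledger")

AUTHS = (
    # functional role "salesperson" narrowed by the constraint "sales area EMEA"
    Authorization(ALICE, SALES, date(2012, 1, 1),
                  constraints=(Constraint("region", frozenset({"EMEA"})),)),
    # a second, time-boxed role held by the same identity
    Authorization(ALICE, AUDITOR, date(2012, 6, 1), date(2012, 6, 30)),
)


def demo() -> Dict[str, object]:
    """Evaluate the sample authorizations against a few requests."""
    return {
        "emea_update_ok": is_permitted(AUTHS, ALICE, "update", ACME, date(2012, 3, 1)),
        "apac_update_blocked": is_permitted(AUTHS, ALICE, "update", GLOBEX, date(2012, 3, 1)),
        "apac_read_via_auditor": is_permitted(AUTHS, ALICE, "read", GLOBEX, date(2012, 6, 15)),
        "ledger_after_expiry": is_permitted(AUTHS, ALICE, "read", LEDGER, date(2012, 7, 1)),
        "roles_in_march": active_roles(AUTHS, ALICE, date(2012, 3, 1)),
        "roles_in_june": active_roles(AUTHS, ALICE, date(2012, 6, 15)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

<p>The point worth noticing is where each piece of information lives: the role knows only operations on resource kinds, the authorization knows who, from when until when and under which constraints, and the decision function is the only place where the two branches (identity-to-resource and identity-to-organization) meet. Removing an authorization or letting its end date pass revokes everything the role granted, which is the practical payoff of keeping the static role apart from its dated instance.</p>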
Horst Walther (http://www.blogger.com/profile/03381708015477095465)
the identity (2010-06-30, updated 2014-03-13)
<div dir="ltr" style="text-align: left;" trbidi="on">
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">Summarizing the work done before, I try to identify the fundamental objects involved in IAM processes and the derived objects which describe the relationships between these fundamental objects.<br />
<br />
</span><a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/TCu2LNyWrEI/AAAAAAAAKXE/n44h2NkO_zc/s1600/identity.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><span style="font-family: "Trebuchet MS", sans-serif;"><img alt="" border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/TCu2LNyWrEI/AAAAAAAAKXE/n44h2NkO_zc/s200/identity.png" id="BLOGGER_PHOTO_ID_5488680874676759618" style="cursor: pointer; float: right; height: 146px; margin: 0px 0px 10px 10px; width: 145px;" /></span></a><span style="font-family: "Trebuchet MS", sans-serif;">When we talk about <b>identity management</b> topics, not surprisingly the term <b>identity</b> pops up. It therefore seems a good idea to start with it. What is identity, after all?</span></span><ul>
<li><span lang="EN-GB" style="font-family: "Trebuchet MS", sans-serif; font-size: 12pt;">In philosophy, identity is the sameness of two things. </span></li>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;">In object-oriented programming, identity is a property of objects that allows them to be distinguished from each other. </span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></span></ul>
<span lang="EN-GB" style="font-size: 12pt;"><span style="font-family: "Trebuchet MS", sans-serif;">But in Identity Management …</span><ul>
<li><span style="font-family: "Trebuchet MS", sans-serif;">“<i>We usually speak of identity in the singular, but in fact subjects have multiple identities.” </i></span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span>
<li><span style="font-family: "Trebuchet MS", sans-serif;"> “<i>These multiple identities or personas, as they are sometimes called, …</i>”. </span></li>
<span style="font-family: "Trebuchet MS", sans-serif;">
</span></ul>
<span style="font-family: "Trebuchet MS", sans-serif;">The sum of all these <b>personas</b> makes up the identity.<br />
In turn, personas are to be understood as the identity’s projection onto the space of information demanded in a specific context. The digital representation of such a persona is what we call a digital identity.<br />
<br />
The fundamental concept of identity management hence is the <b>digital identity</b>. In this context the digital identity is defined as the minimal set of information (attributes) necessary to unambiguously identify an individual or a technical object. By this definition the digital identity is the “less rich” sibling of the (real) identity.<br />
<br />
This simple definition has some importance when it comes to data protection: the identity must not disclose more information about the individual than is necessary for its identification. This <b>minimal disclosure</b> principle is hence rooted deeply in the very definition of the digital identity. Consequently it should apply to ID cards (ID on a card) as well.<br />
<br />
</span><a href="http://4.bp.blogspot.com/_q1HPM5zbGnw/TCu677G3aoI/AAAAAAAAKXc/RVSrk8hlTlo/s1600/enterprise_ecosystem.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><span style="font-family: "Trebuchet MS", sans-serif;"><img alt="" border="0" src="http://4.bp.blogspot.com/_q1HPM5zbGnw/TCu677G3aoI/AAAAAAAAKXc/RVSrk8hlTlo/s200/enterprise_ecosystem.png" id="BLOGGER_PHOTO_ID_5488686109522619010" style="cursor: pointer; float: left; height: 188px; margin: 0px 10px 10px 0px; width: 200px;" /></span></a><span style="font-family: "Trebuchet MS", sans-serif;">The digital identity’s <span style="font-weight: bold;">lifetime </span>is determined by the period during which the individual is of importance to the organization. So, when an individual interacts with the enterprise ecosystem for the first time, its digital identity is created, regardless of whether it is a "user" of the enterprise's resources or not. Being a user already indicates a specific relationship: the usage of resources. The digital identity’s life ends when it is no longer of interest to the organization – or when an official regulation demands its termination.</span></span><span style="font-family: "Trebuchet MS", sans-serif;"></span><br /></div>
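<p>The definition above (digital identity = the minimal attribute set that unambiguously identifies an individual, hence minimal disclosure) can be checked mechanically against a population. The Python below is an added example, not code from the post: it takes a constructed set of person records, finds the smallest attribute subsets under which every record is still distinct, and projects a persona onto one such set. The attribute names and sample people are hypothetical.</p>

```python
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample population (hypothetical): three people share a surname and
# three a given name, so no single name-like attribute identifies anyone.
PEOPLE: List[Record] = [
    {"staff_no": "E0001", "surname": "Meier", "given": "Anna", "dept": "Sales", "site": "Berlin"},
    {"staff_no": "E0002", "surname": "Meier", "given": "Anna", "dept": "Sales", "site": "Munich"},
    {"staff_no": "E0003", "surname": "Meier", "given": "Ben", "dept": "HR", "site": "Berlin"},
    {"staff_no": "E0004", "surname": "Schulz", "given": "Anna", "dept": "Sales", "site": "Berlin"},
]
# the "rich" descriptive attributes a persona might carry in some context
NAME_ATTRS: Tuple[str, ...] = ("surname", "given", "dept", "site")


def identifies(records: Sequence[Record], attrs: Sequence[str]) -> bool:
    """True if the projection onto `attrs` differs for every record, i.e. these
    attributes unambiguously identify each individual in the population."""
    seen = set()
    for rec in records:
        key = tuple(rec.get(a) for a in attrs)
        if key in seen:
            return False
        seen.add(key)
    return True


def minimal_identifying_sets(records: Sequence[Record],
                             candidates: Sequence[str]) -> List[Tuple[str, ...]]:
    """All smallest subsets of `candidates` that identify every record.
    Exhaustive search is fine for the handful of attributes an IdM schema has."""
    for size in range(1, len(candidates) + 1):
        found = [c for c in combinations(candidates, size) if identifies(records, c)]
        if found:
            return found
    return []   # even all candidates together leave some records indistinguishable


def digital_identity(record: Record, attrs: Sequence[str]) -> Record:
    """Project a persona onto a chosen minimal set: the 'less rich' sibling."""
    return {a: record[a] for a in attrs}


if __name__ == "__main__":
    print("without an identifier:", minimal_identifying_sets(PEOPLE, NAME_ATTRS))
    print("with staff_no:", minimal_identifying_sets(PEOPLE, ("staff_no",) + NAME_ATTRS))
    print(digital_identity(PEOPLE[0], ("staff_no",)))
```

<p>Run on the sample, the descriptive attributes alone need three fields (surname, given name and site, or surname, department and site) to tell the four people apart, whereas a purpose-made identifier does it with a single field that reveals nothing else about the person. That is the data-protection argument of the post in concrete form: an opaque identifier is the smallest digital identity, and every descriptive attribute added to it is disclosure that needs a justification from the context.</p>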
Horst Walther (http://www.blogger.com/profile/03381708015477095465)