Show Me the Money (Feeling Entitled)
by Deborah Volk on April 8th, 2009

It has become popular during these challenging economic times to wonder and speculate about the root cause of that sinking feeling in everyone's financial stomach. Were the lenders so greedy that they overlooked basic risks by lending left and right or were the home buyers so greedy that they overlooked basic risks by going into debt with insane loads? My money (the green, eco-friendly variety) is on both; everyone had a hand in the cookie jar via chopped-up CDOs but you have to dig deeper. After all, we're searching for roots and in my humble opinion the source of the malaise is a feeling of entitlement. Are we entitled to be entitled? Some cheeky Brits think so, especially when it comes to February 29th on leap years:
I wish it were as easy to shake off the entitlement feeling as singing a silly song! How does all this relate to identity and access management, you may ask? I am yomping 'round to that.

It's worth noting that the definition of the term entitlement spans two domains: the identity administration domain, where the entitlement is defined, and the access management domain, where the entitlement is applied and enforced. The IT Manager entitlement is defined in the identity domain as any employee who works in the IT department and has direct reports. The right of an IT Manager to view the real-time web-based dashboard of server status in the company's datacenter is applied and enforced by the access domain.

Entitlements fall into two classes: coarse-grained and fine-grained. Coarse-grained entitlements are broadly defined aspects of a business, whereas fine-grained entitlements are specific rules originating in a particular business process. Coarse-grained entitlements are usually implemented as groups or roles; Full-Time Employee, IT Manager and IT Manager in San Francisco are examples. Fine-grained entitlements are rules comprising a policy in a specific business context. An example of a fine-grained entitlement may be "IT managers who work in the London office, bring their pet iguana to work on the 29th of February and have the first name Alistair"; these special people may then be entitled to have lunch with Gordon Ramsay. (Can you imagine Gordon Ramsay in the IT department? What in the [bleep] are you doing with this server? Get that [bleep] donkey outta there. You're in the datacenter shaking hands like the [bleep] president of the United States of America, what was that all about?)

The challenge with entitlements is that their lifecycle in the context of an identity management system is often left unmanaged. Let's consider an example. In a mythical organization, El Caro Corp, we've got sales representatives that have access to two applications: the company's CRM app and another app in HR that keeps track of their compensation. The representatives are assigned to territories, geographical boundaries within which they are allowed to call on customers. A territory might be as small as the city of London or as large as the entire country of Russia. Sales representatives join and leave the company; territories remain the same. El Caro, like everyone else on the planet, has Windows on the desktop and Active Directory (AD) in their backyard. El Caro decides to define territories in one place, namely as groups in Active Directory, and have all applications that need to know about the territories, and which reps belong to which territory, draw this information from AD.

How do the representatives become members of a territory (one or more groups in AD)? A manual process would be cumbersome and expensive: lots of paperwork, approvals and emails floating around. El Caro had a solution: let the identity management tool deal with this. Load all existing territories and their members into the identity management database and presto, we're done... but not quite. The real fun begins when a new territory becomes available, an existing territory splits into new territories or a territory goes away (it was a small island that got flooded, ok?). In the absence of an identity management tool, these territory changes would be accomplished by an AD administrator creating new groups, moving people in and out of groups and so on; having the identity management side in the mix makes this much harder.

If you squint, you'll notice that a territory is an entitlement. Entitlements have a lifecycle of their own. Just like applications and users, when new entitlements become available due to a change in business conditions, they are on-boarded onto the identity management tool. The on-boarding process may be simple or complex but it is a process. The entitlements then undergo changes and are eventually off-boarded from the identity management tool. In a recently released whitepaper (registration required) we've described the challenge of administering entitlements specifically in the context of having them live in an identity management world. Give it a read and (as our British friends might say) Bob's your uncle!
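To make the lifecycle concrete, here is an added example (not code from the original post or from any product it mentions) that models the El Caro territory scenario: the identity management tool's own registry of territory entitlements with on-board, split and off-board operations, plus a reconciliation step that compares the registry's expected AD groups against a snapshot of what actually exists in AD. The `Territory-` group-name prefix, the rep names and the AD snapshot are all constructed for the example; the AD side is a plain dictionary so the code runs offline.

```python
# Added example: toy entitlement-lifecycle registry for the El Caro territory
# scenario, with reconciliation against a simulated Active Directory snapshot.
# All names, the group-name prefix and the AD data are constructed for illustration.
from dataclasses import dataclass, field

AD_GROUP_PREFIX = "Territory-"  # assumed naming convention for territory groups in AD


@dataclass
class Territory:
    name: str
    members: set = field(default_factory=set)
    active: bool = True  # off-boarded territories stay on record, but inactive


class EntitlementRegistry:
    """The identity management tool's view of territory entitlements."""

    def __init__(self):
        self.territories = {}

    def onboard(self, name, members=()):
        """On-board a new territory entitlement with its initial members."""
        existing = self.territories.get(name)
        if existing is not None and existing.active:
            raise ValueError(f"territory {name} is already on-boarded")
        self.territories[name] = Territory(name, set(members))

    def assign(self, rep, name):
        """Grant a rep the entitlement; refused for off-boarded territories."""
        t = self.territories[name]
        if not t.active:
            raise ValueError(f"territory {name} has been off-boarded")
        t.members.add(rep)

    def split(self, old_name, allocation):
        """Replace one territory by several. allocation maps new name -> reps;
        every rep of the old territory must land in exactly one new one."""
        old = self.territories[old_name]
        moved = [r for reps in allocation.values() for r in reps]
        if sorted(moved) != sorted(old.members):
            raise ValueError("split must reassign each rep exactly once")
        for new_name, reps in allocation.items():
            self.onboard(new_name, reps)
        self.offboard(old_name)

    def offboard(self, name):
        """Retire a territory: members lose the entitlement, the record stays."""
        t = self.territories[name]
        t.active = False
        t.members.clear()

    def expected_ad_groups(self):
        """What AD should look like if it faithfully mirrors the registry."""
        return {AD_GROUP_PREFIX + n: set(t.members)
                for n, t in self.territories.items() if t.active}

    def reconcile(self, ad_groups):
        """Compare an AD snapshot (group -> members) with the registry and report
        unmanaged groups, missing groups and per-group membership drift."""
        expected = self.expected_ad_groups()
        findings = {"unmanaged_groups": [], "missing_groups": [], "member_drift": {}}
        for group in ad_groups:
            # A territory-style group the registry does not (or no longer) manage
            if group.startswith(AD_GROUP_PREFIX) and group not in expected:
                findings["unmanaged_groups"].append(group)
        for group, want in expected.items():
            if group not in ad_groups:
                findings["missing_groups"].append(group)
                continue
            have = ad_groups[group]
            if have != want:
                findings["member_drift"][group] = {
                    "extra": sorted(have - want), "absent": sorted(want - have)}
        return findings


def run_demo():
    """Walk the lifecycle from the post and reconcile against a constructed AD snapshot."""
    reg = EntitlementRegistry()
    reg.onboard("London", {"alice", "bob"})
    reg.onboard("Russia", {"carol"})
    reg.onboard("SmallIsland", {"dave"})
    reg.split("Russia", {"Russia-West": {"carol"}, "Russia-East": set()})
    reg.offboard("SmallIsland")  # the island got flooded
    # Constructed AD snapshot: what an administrator actually left behind.
    ad_snapshot = {
        "Territory-London": {"alice", "bob", "eve"},   # eve added by hand
        "Territory-Russia": {"carol"},                 # old group never removed
        "Territory-Russia-West": {"carol"},
        "Territory-SmallIsland": {"dave"},             # off-boarded, still entitled
        "Domain Users": {"alice", "bob", "carol", "dave", "eve"},  # not a territory
    }
    return reg.reconcile(ad_snapshot)


if __name__ == "__main__":
    for kind, detail in run_demo().items():
        print(f"{kind}: {detail}")
```

The reconciliation output is the part a practitioner cares about: groups that exist in AD but that the identity management tool no longer manages (the retired "Russia" and "SmallIsland" groups, which still grant access to whoever is in them), the "Russia-East" group the tool expects but nobody created, and hand-edited membership on "London". Each of those is an entitlement whose lifecycle has escaped the tool, which is exactly the drift the post warns about.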

Posted in Change Management, Identity Management, Access Management    Tagged with entitlements, lifecycle, whitepapers

