A step up from using groups, role-based access control enables privileges to be assigned to institutional roles assigned to individuals. Even though this is the brass ring of access control, leading an initiative to define the policy and process guiding this infrastructure is daunting. Questions arise, such as who should be represented in the roles system? You may find you have more than one organizational chart, so which one do you use? Who should decide the roles structure and make the policy decisions? For which resources will you be assigning privileges? And will you list all the roles and their access rights or have the supervisors/area managers assign rights given a set of boundaries? The outcome of the former could be a list of exceptions, and the outcome of the latter could be a pattern that leads to a set of defaults, clustering around the distinct roles. But there is no one way. This panel will explore this complex issue and provide a number of perspectives on how to plan for such an effort.
Leading an Effort to Define Roles