1
00:00:08,700 --> 00:00:22,300
Identity and access management.
Welcome to the Identity at the

2
00:00:22,300 --> 00:00:24,900
Center podcast. I'm Jeff and
that's Jim.

3
00:00:24,900 --> 00:00:29,800
Hey Jim. Hey Jeff, how you doing?
I'm good, yourself? Living

4
00:00:30,000 --> 00:00:32,400
the dream, baby.
I can't believe it's already the

5
00:00:32,400 --> 00:00:36,200
middle of June. 
I know we had weather in the 70s

6
00:00:36,200 --> 00:00:37,900
this week. 
It was fantastic. 

7
00:00:38,300 --> 00:00:41,500
Yeah, that was nice. You're in
Georgia, right?

8
00:00:41,500 --> 00:00:44,000
And I'm in Chicago, and we
had some fantastic weather too

9
00:00:44,100 --> 00:00:46,600
so it's been quite nice. 
Yeah. 

10
00:00:46,600 --> 00:00:49,800
You don't get this every year.
So you've got to enjoy it while you can.

11
00:00:50,200 --> 00:00:52,400
Plus we're home because we're
not really traveling right now.

12
00:00:52,500 --> 00:00:54,700
So, you know, that's even 
better, I guess. 

13
00:00:55,100 --> 00:00:59,000
And I spent the last, you know, 
15 of the last 20 years 

14
00:00:59,000 --> 00:01:01,900
complaining about the amount of
traveling I do, and now I'm

15
00:01:01,900 --> 00:01:07,300
starting to really miss it. 
The heart wanders and yearns for

16
00:01:07,300 --> 00:01:14,000
the airlines and the delicious
airline food. Chicken or steak? I

17
00:01:14,000 --> 00:01:19,000
will go with chicken. 
So today for a topic we have one

18
00:01:19,000 --> 00:01:22,400
that's actually listener
submitted, from our friend Andrew

19
00:01:22,400 --> 00:01:26,800
C. He writes: as I was listening
to your podcast and my current

20
00:01:26,800 --> 00:01:28,900
everyday work. 
I was wondering if you guys 

21
00:01:28,900 --> 00:01:31,800
would do a podcast on lessons 
learned from past role mining 

22
00:01:31,800 --> 00:01:33,600
engagements. 
Craziest request. 

23
00:01:33,600 --> 00:01:37,700
For example, having to figure out
how to consolidate up to 400,000

24
00:01:37,700 --> 00:01:39,700
role and
entitlement combinations, things

25
00:01:39,700 --> 00:01:41,700
you could have done differently 
and tips for analysts like 

26
00:01:41,700 --> 00:01:46,400
myself and what to look for or 
approaches to take, which I 

27
00:01:46,400 --> 00:01:47,700
think sounds like an awesome 
topic. 

28
00:01:47,700 --> 00:01:49,700
What do you think? 
I think it's a great topic. 

29
00:01:49,700 --> 00:01:54,200
I mean, every client we work 
with, they want to achieve this 

30
00:01:54,400 --> 00:01:58,500
vision of RBAC.
There are a couple ways to get there.

31
00:01:58,900 --> 00:02:01,200
It's a lot of work. 
There's a lot of foundational 

32
00:02:01,200 --> 00:02:04,600
elements but eventually you end
up in this place called role mining,

33
00:02:04,800 --> 00:02:08,199
which we're going to get into
pretty heavily today.

34
00:02:08,300 --> 00:02:10,500
Yeah, and to help us with
that conversation.

35
00:02:10,500 --> 00:02:13,100
We've brought in another member
of the crack Idenhaus

36
00:02:13,100 --> 00:02:15,700
IAM team.
He's Helio Gomez.

37
00:02:15,700 --> 00:02:20,000
IAM architect extraordinaire.
Welcome, Helio. Hey Jim, Jeff.

38
00:02:20,000 --> 00:02:21,900
Thank you for having me. 
Thanks for joining us. 

39
00:02:22,000 --> 00:02:23,600
Yeah, thank you very much.
Hey, Helio, where are you?

40
00:02:23,600 --> 00:02:24,900
Okay, right now you're in 
Florida. 

41
00:02:25,200 --> 00:02:27,500
I am in Tampa, Florida, just got
back here. 

42
00:02:27,700 --> 00:02:30,400
Okay, so we were wondering what
caused the spike in

43
00:02:30,400 --> 00:02:31,600
cases.
Now we know

44
00:02:44,200 --> 00:02:50,100
Jim has been going around 
licking doorknobs. 

45
00:02:56,000 --> 00:02:57,900
Well, I'm glad you're able to 
join us because, you know, 

46
00:02:57,900 --> 00:03:01,000
you've been working on this 
stuff for a long time and I 

47
00:03:01,008 --> 00:03:04,200
think your insights going to be 
very valuable and hopefully, 

48
00:03:04,200 --> 00:03:06,100
Andrew gets something out of this and
other people are listening as

49
00:03:06,100 --> 00:03:08,400
well. 
But before we dive into that 

50
00:03:08,400 --> 00:03:10,900
topic, just want to make a note
that Identiverse started this

51
00:03:10,900 --> 00:03:12,900
week. 
I should be. 

52
00:03:13,000 --> 00:03:14,300
Let's see, today's Thursday 
actually. 

53
00:03:14,300 --> 00:03:18,600
So I was supposed to be flying 
to London today, because I was 

54
00:03:18,600 --> 00:03:20,400
going to cut short the trip 
because I was supposed to go 

55
00:03:20,400 --> 00:03:24,500
watch the Chicago Cubs play the St.
Louis Cardinals in London

56
00:03:24,500 --> 00:03:28,000
Stadium in London, but that has 
obviously been canceled. 

57
00:03:28,100 --> 00:03:31,500
So quite disappointed about that
at this point, but I would have

58
00:03:31,500 --> 00:03:34,200
been in Denver otherwise to
attend the conference.

59
00:03:34,800 --> 00:03:37,100
But now it's all virtual. 
So it started this week. 

60
00:03:37,600 --> 00:03:40,900
Listen to a few of the different
presentations so far, it's going

61
00:03:40,900 --> 00:03:44,900
pretty well. Jim, have
you listened to any yet?

62
00:03:45,300 --> 00:03:50,500
I haven't tuned in to anything yet but
definitely planning to. I mean, you

63
00:03:50,500 --> 00:03:55,100
know it, I love conferences not 
just for the sessions but for 

64
00:03:55,100 --> 00:03:58,900
the rubbing elbows. Well, we're
not rubbing elbows with people

65
00:03:58,900 --> 00:04:01,800
anymore. 
I guess we still have the 

66
00:04:01,800 --> 00:04:04,600
session so I'm gonna get in 
there and dive in. 

67
00:04:04,700 --> 00:04:10,200
Soon as possible. 
Yeah so check out, Ian Glazer had

68
00:04:10,200 --> 00:04:14,100
one earlier this week and his
big pronouncement was that

69
00:04:14,100 --> 00:04:16,800
SAML was dead, and I don't want
to go into it because I don't want to

70
00:04:16,808 --> 00:04:20,100
steal his thunder, but he made
some good points around it and

71
00:04:20,399 --> 00:04:22,800
give that a little tease in case
someone wants to check that out.

72
00:04:22,800 --> 00:04:25,800
on the Identiverse website. Sounds
like we have a topic for a future

73
00:04:25,800 --> 00:04:28,600
one, so yeah.
I mean I wish he had made that

74
00:04:28,600 --> 00:04:32,000
pronouncement right before our 
last episode which was with Eve 

75
00:04:32,000 --> 00:04:34,800
and we're talking about SAML
and kind of why it's so

76
00:04:34,800 --> 00:04:36,900
important. 
Well, that's why it's such an 

77
00:04:36,900 --> 00:04:40,500
interesting topic because it's a
little bit of a clickbaity headline.

78
00:04:41,800 --> 00:04:45,200
So maybe we should have like a
versus episode and get Eve and Ian

79
00:04:45,200 --> 00:04:46,000
on at the
same time.

80
00:04:46,000 --> 00:04:48,400
They can just you know duke it 
out. 

81
00:04:48,800 --> 00:04:52,400
I think those two are too much
friends with each other to duke

82
00:04:52,400 --> 00:04:56,500
it out though, but it would be 
would be an interesting 

83
00:04:56,700 --> 00:04:59,300
dialogue. 
I think I'd like to do something

84
00:04:59,300 --> 00:05:01,400
like yeah.
Like a versus, you know, defend

85
00:05:01,400 --> 00:05:03,100
your position.
Maybe a debate or something

86
00:05:03,100 --> 00:05:05,100
like that.
It'd be cool.

87
00:05:05,200 --> 00:05:07,200
I think if, you know, maybe 
we'll put that out there for you

88
00:05:07,200 --> 00:05:09,800
have somebody who's
listening in and wants to take part

89
00:05:09,800 --> 00:05:13,700
in some like that or has an 
idea, you know, maybe we can put

90
00:05:13,700 --> 00:05:15,600
something together.
Something like that, with maybe some

91
00:05:15,600 --> 00:05:17,300
help from the listeners. 
And you know, if that's 

92
00:05:17,300 --> 00:05:20,400
something that you find 
interesting, email us at 

93
00:05:20,400 --> 00:05:25,300
questions@identityatthecenter.com
and, you know, we'll

94
00:05:25,300 --> 00:05:27,500
see what comes out of it. 
Speaking of emailing us, we

95
00:05:27,500 --> 00:05:30,800
got a really nice note from
Craig in New Zealand, from the

96
00:05:30,800 --> 00:05:35,300
future.
So he says he's a

97
00:05:35,300 --> 00:05:36,700
listener.
He's been listening for, you

98
00:05:36,700 --> 00:05:38,100
know, the last year or so which 
is great. 

99
00:05:38,100 --> 00:05:41,200
And we're coming up on our year 
anniversary and that was a nice 

100
00:05:41,200 --> 00:05:44,000
thing to hear, to receive,
especially when it comes from

101
00:05:44,000 --> 00:05:48,700
the future. Yeah, I'm sure you
meant it was time-stamped June

102
00:05:48,700 --> 00:05:52,100
19th when he sent it from his 
home. 

103
00:05:52,400 --> 00:05:54,200
Yeah. 
And as it traveled the 

104
00:05:54,200 --> 00:05:56,800
microseconds to a different time
zone. 

105
00:05:57,600 --> 00:06:00,500
It landed in June 18th. 
Yes, I don't know what

106
00:06:00,500 --> 00:06:01,600
happened. I mean,
I read it.

107
00:06:02,000 --> 00:06:04,000
What happens to me? 
Do I like is this a Back to the 

108
00:06:04,008 --> 00:06:07,000
Future? 
Do I disappear from the picture 

109
00:06:07,000 --> 00:06:09,400
or you've broken the space-time 
Continuum? 

110
00:06:09,500 --> 00:06:11,000
That's it. 
All right. 

111
00:06:11,000 --> 00:06:12,900
Well, why don't we get into it
then?

112
00:06:12,900 --> 00:06:18,000
Yeah, I'm ready man. It's just an
exciting topic, so I think we

113
00:06:18,000 --> 00:06:21,900
probably ought to start and get
Helio started here.

114
00:06:22,100 --> 00:06:26,000
We get him talking a little bit.
So let's always start with just what

115
00:06:26,000 --> 00:06:29,700
is role mining, Helio.
So I think of role mining as

116
00:06:30,200 --> 00:06:32,800
really analyzing the 
entitlements that you have 

117
00:06:32,800 --> 00:06:37,500
within your identity system
across all of your applications,

118
00:06:37,800 --> 00:06:42,400
analyzing those getting a 
combination of what may possibly

119
00:06:42,400 --> 00:06:47,200
be connected based on different 
features about the user 

120
00:06:47,200 --> 00:06:51,600
different attributes sets and 
what possibly could be a role. 

121
00:06:51,700 --> 00:06:55,900
And then once we take the output
of that, we very simply can 

122
00:06:55,900 --> 00:06:58,900
build our roles off of what we
see from the mining.

123
00:06:58,900 --> 00:07:02,900
Yes, absolutely. 
So it's very much kind of analytics driven,

124
00:07:03,300 --> 00:07:08,500
you know, the data drives the
process to kind of come up with,

125
00:07:08,500 --> 00:07:15,100
hey, this combination of
entitlements is held by people

126
00:07:15,100 --> 00:07:19,200
who have this in common.
So maybe these seven accounts

127
00:07:19,200 --> 00:07:26,200
and entitlements belong to 95% of the
people who are in the HR

128
00:07:26,200 --> 00:07:28,600
department. 
Would you like to turn this into

129
00:07:28,600 --> 00:07:34,700
a role, and then you can apply
your human evaluation to it, or

130
00:07:34,700 --> 00:07:35,800
not.
That's a good idea. 

131
00:07:35,800 --> 00:07:38,000
Is that what you would say? 
Absolutely. 

132
00:07:38,000 --> 00:07:40,700
Yeah. 
And what I'd like to do is 

133
00:07:40,700 --> 00:07:43,500
contrast that with what I call
role engineering.

134
00:07:43,700 --> 00:07:47,900
And so I
consider role mining to be kind

135
00:07:47,900 --> 00:07:52,400
of bottoms-up, using the data to
determine a result.

136
00:07:52,400 --> 00:07:56,900
And when I think of top-down
role engineering, it's, hey, we

137
00:07:56,900 --> 00:08:01,100
know that people fit a grouping 
of, they work in HR, and we know

138
00:08:01,100 --> 00:08:04,400
that everybody who works in HR
needs access to these

139
00:08:04,600 --> 00:08:07,300
systems and needs this level
of access.

140
00:08:07,300 --> 00:08:11,700
So let's create a role that when
somebody new joins HR we 

141
00:08:11,700 --> 00:08:15,700
automatically give them that 
role or we start to say that you

142
00:08:15,700 --> 00:08:19,300
know there are five different 
types of users that use this 

143
00:08:19,300 --> 00:08:23,900
application or these sets of 
applications, and let's

144
00:08:23,900 --> 00:08:28,600
create a role that bundles all
that access together so that the

145
00:08:28,600 --> 00:08:31,300
business users don't have to 
pick out all the individual 

146
00:08:31,300 --> 00:08:34,200
entitlements that they need to 
do their job. 

147
00:08:34,200 --> 00:08:36,900
They can
just pick one role or two roles.

148
00:08:37,200 --> 00:08:39,299
Is that kind of the way you think
of it as well?

149
00:08:40,299 --> 00:08:42,000
Yeah absolutely. 
And one of the interesting 

150
00:08:42,000 --> 00:08:44,600
things about role mining as well
as those roles that you've

151
00:08:44,600 --> 00:08:48,500
engineered when you go and do 
your role mining analysis, you 

152
00:08:48,500 --> 00:08:51,500
may find that what you thought 
was a role that you should 

153
00:08:51,500 --> 00:08:55,400
engineer really isn't, or what
you thought wasn't, should be.

154
00:08:55,408 --> 00:08:58,200
It's really taking those two ways,
like you said, taking your

155
00:08:58,200 --> 00:09:01,500
human element and applying that 
to the output of your role 

156
00:09:01,500 --> 00:09:03,000
mining. 
That's really going to be the 

157
00:09:03,000 --> 00:09:07,700
most beneficial, right?
Actually, RBAC as a

158
00:09:07,700 --> 00:09:10,000
discipline is more of an art 
than a science. 

159
00:09:10,000 --> 00:09:13,100
Or maybe it's just the 
combination of the two that, you

160
00:09:13,108 --> 00:09:15,100
know, I think between role
mining and role engineering, the

161
00:09:15,100 --> 00:09:19,400
way that I like to describe it 
is, it's a technical way to 

162
00:09:19,400 --> 00:09:23,000
create a logical construct 
technical in the mining aspects,

163
00:09:23,300 --> 00:09:27,500
logical in the engineering of 
how that would look at a 

164
00:09:27,508 --> 00:09:29,400
construct level.
Absolutely. 

165
00:09:29,700 --> 00:09:36,000
So, Andrew asked us to point out
kind of crazy examples and he

166
00:09:36,400 --> 00:09:39,900
said, you know, looking for
role mining to actually

167
00:09:39,900 --> 00:09:44,900
consolidate 400,000 entitlement 
so I guess I'll throw it back to

168
00:09:44,900 --> 00:09:47,500
Helio. 
Is that how role mining works?

169
00:09:47,500 --> 00:09:51,200
Does it actually consolidate
entitlements? It does to an

170
00:09:51,200 --> 00:09:52,200
extent. 
Really what? 

171
00:09:52,200 --> 00:09:55,200
I like to think of how roles are
going to function in my system. 

172
00:09:55,200 --> 00:09:57,900
It's not so much
consolidating the underlying

173
00:09:57,900 --> 00:10:00,400
entitlements.
It's obfuscating them. So you take

174
00:10:00,400 --> 00:10:05,300
those groups of entitlements,
that might be AD groups

175
00:10:05,300 --> 00:10:09,700
or some field in a column in a 
database or something along 

176
00:10:09,700 --> 00:10:13,600
those lines and permission sets 
of whatever applications. 

177
00:10:14,000 --> 00:10:17,100
Your typical end user is not 
going to have any understanding 

178
00:10:17,100 --> 00:10:20,000
of what that means. 
So building your roles is really

179
00:10:20,000 --> 00:10:25,100
going to give you that end user 
facing like verbiage that's 

180
00:10:25,100 --> 00:10:28,200
going to be helpful to them to 
really understand what they're 

181
00:10:28,200 --> 00:10:29,700
dealing with what they're 
requesting. 

182
00:10:29,700 --> 00:10:32,600
What they're approving, what
they're certifying.

183
00:10:32,900 --> 00:10:36,500
So building those out is really
going to help you in that aspect more

184
00:10:36,500 --> 00:10:41,300
than anything else I find. 
And consolidation, of course, is

185
00:10:41,300 --> 00:10:43,700
one of the things that we're 
going to get from. 

186
00:10:43,700 --> 00:10:46,900
That is, we're going to have
400,000 entitlements.

187
00:10:46,900 --> 00:10:50,000
We're going to maybe put those 
into maybe a hundred thousand 

188
00:10:50,000 --> 00:10:52,700
roles or maybe 50 roles, or
maybe 500 roles.

189
00:10:53,200 --> 00:10:57,600
But really what you're trying to
do is make it data that can be 

190
00:10:57,600 --> 00:11:01,000
consumed by your end user that 
can then be used in the other 

191
00:11:01,000 --> 00:11:03,800
processes that we're going to
have in our IAM system, that's

192
00:11:03,800 --> 00:11:06,100
really important. 
I think, you know, an important 

193
00:11:06,100 --> 00:11:09,500
part of that is wrapping
metadata around roles.

194
00:11:09,500 --> 00:11:13,500
So in other words, defining
information: friendly business

195
00:11:13,500 --> 00:11:16,800
name, or friendly business 
description around the role or 

196
00:11:17,000 --> 00:11:21,400
defining an owner of the role.
Who gets to decide, you know, be

197
00:11:21,400 --> 00:11:24,900
part of the approval process or 
part of the review, process for 

198
00:11:24,900 --> 00:11:30,900
who gets that role.
I want to make another point

199
00:11:30,900 --> 00:11:35,000
about roles because this is kind
of one of the The internal 

200
00:11:35,000 --> 00:11:38,200
debates that I have in my head, 
a lot of our clients, one of the

201
00:11:38,200 --> 00:11:43,100
first things we like to do is 
take a look at their information

202
00:11:43,100 --> 00:11:45,600
security policies. 
And a lot of times, those 

203
00:11:45,600 --> 00:11:50,200
clients have, the principle of 
least privilege as one of their 

204
00:11:50,200 --> 00:11:55,200
security policies and if taken 
literally, that means that you 

205
00:11:55,200 --> 00:11:57,700
don't give somebody access that 
they don't need. 

206
00:11:58,200 --> 00:12:05,000
Now if the system does analysis 
and tells me that 95% of the

207
00:12:05,000 --> 00:12:09,400
people in HR have all
these accesses, do you want to give

208
00:12:09,400 --> 00:12:13,100
it to the other five percent of
people? If I follow least

209
00:12:13,100 --> 00:12:16,600
privilege the answer's no, unless
it's 100%.

210
00:12:16,700 --> 00:12:19,900
I don't want to do it because 
they don't need it or they would

211
00:12:19,900 --> 00:12:22,900
have already asked for it; they're doing
their job without it.

212
00:12:24,300 --> 00:12:28,100
So part of me says if you're 
following least privilege, don't

213
00:12:28,100 --> 00:12:30,500
do that. 
But then also the counter

214
00:12:30,500 --> 00:12:33,300
argument to that is, well, 
should they follow least 

215
00:12:33,300 --> 00:12:38,200
privilege for every type of
access or is it a burden on the

216
00:12:38,200 --> 00:12:42,500
business now to manage access 
and really least privilege is 

217
00:12:42,500 --> 00:12:46,500
more applicable when it comes to
privileged access or, you know, 

218
00:12:46,500 --> 00:12:50,200
powerful access.
However we want to define that.

219
00:12:50,200 --> 00:12:54,000
And I think that's, you know, I 
guess where I'm coming down 

220
00:12:54,000 --> 00:12:57,600
recently is that I think a
more appropriate use of the

221
00:12:57,600 --> 00:13:01,700
principle of least privilege is
to apply it only for privileged

222
00:13:01,700 --> 00:13:05,100
access or administrative access.
Jeff?

223
00:13:05,100 --> 00:13:06,700
What are you? 
What are your thoughts there? 

224
00:13:07,200 --> 00:13:09,500
Yeah I think it's a risk 
decision, right? 

225
00:13:09,700 --> 00:13:14,800
If the person doesn't have
access to the cafeteria menu and

226
00:13:14,800 --> 00:13:18,200
you know it's part of the role 
consolidation great. 

227
00:13:18,300 --> 00:13:23,500
If it's somebody who has you 
know admin access to the AWS 

228
00:13:23,500 --> 00:13:24,300
console. 
Okay. 

229
00:13:24,300 --> 00:13:25,700
That's totally different. 
Right? 

230
00:13:25,900 --> 00:13:28,700
So right I feel the second way 
there that you were talking 

231
00:13:28,700 --> 00:13:30,900
about, Jim. It's more of a risk
decision, you know.

232
00:13:30,900 --> 00:13:34,300
Don't waste time fighting a 
battle over something silly. 

233
00:13:34,400 --> 00:13:38,300
and inconsequential, and focus
instead on the stuff that

234
00:13:38,500 --> 00:13:42,800
makes you either more secure and
you know reduces risk or greatly

235
00:13:42,800 --> 00:13:46,400
improves the user experience or 
ideally all of them, right? 

236
00:13:46,900 --> 00:13:51,000
So Helio, with the organizations
that you've worked with, how

237
00:13:51,000 --> 00:13:56,000
common is it for them to use
role mining as a tool, and

238
00:13:56,700 --> 00:13:59,500
how is that approached? Is it
usually, like a whole project

239
00:13:59,500 --> 00:14:02,800
around, we're going to do role
mining and it's going to take several

240
00:14:02,800 --> 00:14:06,500
months, or is it something that
just kind of gets ingrained in

241
00:14:06,500 --> 00:14:08,700
the operations of things?
Well, role

242
00:14:08,700 --> 00:14:11,800
mining's really more part of
your program than it is like a

243
00:14:11,808 --> 00:14:14,700
simple process. 
So you can't just jump right 

244
00:14:14,700 --> 00:14:17,200
into role mining and say hey
we're going to do role mining.

245
00:14:17,400 --> 00:14:19,000
You have to lay the foundation 
there. 

246
00:14:19,300 --> 00:14:24,100
So on my projects where we're 
implementing a new solution, we 

247
00:14:24,100 --> 00:14:26,900
have nothing to begin with.
Well, role mining's not usually

248
00:14:26,900 --> 00:14:29,600
even on the table for those kind
of projects, it's the more 

249
00:14:29,600 --> 00:14:33,000
mature identity systems that are
in place. 

250
00:14:33,000 --> 00:14:36,300
They've connected to a majority
of their applications at least 

251
00:14:36,300 --> 00:14:41,000
they're heavy use applications 
and they're trying to

252
00:14:41,400 --> 00:14:44,200
just move to that next level
with identity,

253
00:14:44,200 --> 00:14:47,900
with their identity process.
That's really where we want to
That's really where we want to 

254
00:14:47,900 --> 00:14:50,400
get and that's where we're going
to get the role mining type 

255
00:14:50,400 --> 00:14:54,600
projects. 
Now, with as far as how many of 

256
00:14:54,600 --> 00:14:59,800
my projects, at least 75 to
80 percent have that on their

257
00:14:59,800 --> 00:15:04,000
road map. Now, are we there yet

258
00:15:04,000 --> 00:15:06,400
with all of them?
No, but we know that that's

259
00:15:06,400 --> 00:15:08,700
where we want to get. 
So once we get all of our 

260
00:15:08,700 --> 00:15:12,600
applications in we're definitely
looking down that path. 

261
00:15:13,300 --> 00:15:15,900
So it is a common thing. 
We all want to get to that. 

262
00:15:15,900 --> 00:15:18,800
perfect RBAC world where we
have everything going through

263
00:15:18,800 --> 00:15:22,200
roles, but it's not something
you're going to get to

264
00:15:22,500 --> 00:15:23,400
right away.
Yeah.
Yeah. 

265
00:15:23,400 --> 00:15:26,300
And you know, I feel like 
sometimes when we when we have 

266
00:15:26,300 --> 00:15:29,900
these conversations, you take 
such an identity and access 

267
00:15:29,900 --> 00:15:33,200
Management Consultant 
perspective to these things. 

268
00:15:33,200 --> 00:15:36,900
So actually, as you're talking, 
I was like, we might need to 

269
00:15:36,908 --> 00:15:40,500
even take a step back and talk
about what are roles.

270
00:15:40,500 --> 00:15:44,500
Because to me, this is one of 
those terms that we Jeff and I 

271
00:15:44,900 --> 00:15:46,900
conduct a lot of workshops 
together. 

272
00:15:47,300 --> 00:15:51,500
We get into these conversations
and the word role is used so

273
00:15:51,500 --> 00:15:53,400
differently in different
organizations.

274
00:15:53,400 --> 00:15:56,800
I think this is one of the 
topics we discussed in a past 

275
00:15:56,800 --> 00:16:01,000
podcasts, but in terms of RBAC
and what we're talking about

276
00:16:01,000 --> 00:16:04,700
with roles now is kind of, I
think, the modern identity

277
00:16:05,600 --> 00:16:09,400
governance and administration
view of a role, which is that

278
00:16:09,700 --> 00:16:14,400
it's a bundle of accounts and
entitlements that can span

279
00:16:14,400 --> 00:16:19,400
across applications. If you
took, you know, if you took

280
00:16:19,400 --> 00:16:22,800
like an application-centric
focus.

281
00:16:22,900 --> 00:16:25,700
So in other words, you have a
centralized IAM system.

282
00:16:26,100 --> 00:16:29,100
That term role still gets used 
that I get a role to an 

283
00:16:29,100 --> 00:16:33,100
application. 
That's really what we're talking

284
00:16:33,100 --> 00:16:36,200
about with role
mining is combining those

285
00:16:36,200 --> 00:16:42,400
roles, those types of roles
or groups or, I think we've been

286
00:16:42,400 --> 00:16:46,400
referring to as accounts and 
entitlements and bundling those 

287
00:16:46,400 --> 00:16:51,600
into a role within the IGA or
IAM system.

288
00:16:51,600 --> 00:16:55,600
It's kind of a grouping of
accounts and entitlements into a

289
00:16:55,600 --> 00:16:57,500
bundle.
I guess we use the term bundle
I guess we use the term bundle 

290
00:16:57,500 --> 00:17:01,300
of kind of making that up and 
that's still that's the role 

291
00:17:01,300 --> 00:17:02,900
that we're talking about, right.
Jeff. 

292
00:17:02,900 --> 00:17:04,400
Do you have anything to add to 
that? 

293
00:17:04,900 --> 00:17:08,099
No, I mean I think it's, you
know, this is nomenclature,

294
00:17:08,099 --> 00:17:09,099
right?
You have to make sure we're all

295
00:17:09,099 --> 00:17:14,000
speaking the same language, so
role could be an entitlement,

296
00:17:14,400 --> 00:17:18,099
you know, within a system. 
It could also be a collection of

297
00:17:18,099 --> 00:17:21,900
entitlements within a system. 
It can also be a collection of 

298
00:17:21,900 --> 00:17:25,599
entitlements across different 
systems and I don't think 

299
00:17:25,599 --> 00:17:29,400
there's any right answer because
every organization has a 

300
00:17:29,400 --> 00:17:33,300
different number of roles, a
different number of entitlements

301
00:17:33,300 --> 00:17:34,500
and different number of 
applications. 

302
00:17:34,600 --> 00:17:38,200
It's you know I like to think 
about it to make it easier to 

303
00:17:38,200 --> 00:17:40,500
start at a top-down type of 
approach. 

304
00:17:40,500 --> 00:17:45,500
Where, you know, the question 
becomes much simpler to ask is 

305
00:17:45,500 --> 00:17:48,600
the person an employee or is the
person not an employee?

306
00:17:48,600 --> 00:17:52,200
That's usually a lot easier to 
answer to me from a role 

307
00:17:52,200 --> 00:17:55,900
perspective than to say is this 
person a level one programmer, 

308
00:17:55,900 --> 00:17:58,500
or a level two programmer,
right, or something along those

309
00:17:58,500 --> 00:18:01,000
lines. 
So I like approaching it from 

310
00:18:01,000 --> 00:18:03,500
two different angles because I 
feel like there are 

311
00:18:03,500 --> 00:18:06,600
attribute-based roles, there's
attribute-based access control

312
00:18:06,600 --> 00:18:09,900
or ABAC, and then there's
role-based access control,

313
00:18:10,100 --> 00:18:12,200
right?
RBAC, which is typically

314
00:18:12,200 --> 00:18:16,900
assigned more at the job 
function or, you know, job 

315
00:18:16,900 --> 00:18:21,500
family or job group type, and I
like to kind of combine the both.

316
00:18:21,500 --> 00:18:26,900
I'm an employee as an attribute,
who works in Chicago as another 

317
00:18:26,900 --> 00:18:31,800
attribute, who works in IT, as
part of security, right?

318
00:18:31,800 --> 00:18:34,500
And the combination of those 
four different things. 

319
00:18:34,800 --> 00:18:39,200
Between those give me a 
collection of entitlements, some

320
00:18:39,200 --> 00:18:42,400
based on roles because I'm an
employee and some based on roles

321
00:18:42,400 --> 00:18:45,700
because I'm in Chicago and some 
because I'm part of maybe 

322
00:18:45,700 --> 00:18:50,000
information security, right? 
So I think it's important that 

323
00:18:50,000 --> 00:18:53,600
when you're constructing these. 
You think about it from what 

324
00:18:53,600 --> 00:18:56,800
makes sense of the organization.
You know, a huge organization 

325
00:18:56,800 --> 00:19:01,500
with a ton of different
departments, locations and, you

326
00:19:01,508 --> 00:19:05,700
know, user types, meaning
employee, contractor, intern,

327
00:19:05,700 --> 00:19:08,800
student.
You know, however, that you
You know, however, that you 

328
00:19:08,808 --> 00:19:10,900
know, that you have, all the
different types of people within

329
00:19:10,900 --> 00:19:16,200
the organization will drive
a lot of how complex or not

330
00:19:16,200 --> 00:19:18,000
complex your role structure
needs to be.

331
00:19:18,000 --> 00:19:20,200
If you need a lot of 
granularity, a lot of flex, the 

332
00:19:20,200 --> 00:19:23,800
flexibility you're going to need
to drive it to be more, you 

333
00:19:23,800 --> 00:19:25,800
know, attribute-based along 
those lines. 

334
00:19:25,800 --> 00:19:28,000
And then, you start to look at 
the applications on the bottom, 

335
00:19:28,000 --> 00:19:33,600
up to say, okay, we had this new
application and this is the 

336
00:19:33,600 --> 00:19:36,500
specific
permissions or entitlements that go

337
00:19:36,700 --> 00:19:39,300
for this specific role and then
you start to do that across
you start to do that across 

338
00:19:39,300 --> 00:19:41,700
applications Etc. 
So I like to tackle from both 

339
00:19:41,700 --> 00:19:45,200
sides but to me it's easier to 
start from the top down and 

340
00:19:45,200 --> 00:19:47,900
figure out what's birthright.
What do all employees get? Do

341
00:19:47,900 --> 00:19:49,600
non-employees
or contractors

342
00:19:49,600 --> 00:19:52,400
get the same thing?
No, okay let's move on to the

343
00:19:52,400 --> 00:19:55,500
next one. 
Speaking to the nomenclature 

344
00:19:55,500 --> 00:19:59,100
thing, one thing I found in a 
lot of projects is the word role

345
00:19:59,100 --> 00:20:02,800
as mentioned means different 
things to different people, but 

346
00:20:02,800 --> 00:20:06,400
when you start talking to
administrators, using SAP as an

347
00:20:06,400 --> 00:20:11,000
example, what we call an
entitlement in the identity

348
00:20:11,000 --> 00:20:16,100
management systems, in SAP, that
is what they call a role.

349
00:20:16,300 --> 00:20:20,400
So, in SAP, a role is an
entitlement in

350
00:20:20,400 --> 00:20:22,600
identity management systems for
the most part.

351
00:20:22,900 --> 00:20:27,600
So you really need to set down 
that this is the jargon. 

352
00:20:27,600 --> 00:20:29,800
We're going to use in this 
conversation at the beginning. 

353
00:20:30,300 --> 00:20:33,100
Otherwise everybody will be on a
different page than to be able 

354
00:20:33,100 --> 00:20:36,400
to explain the concept. 
Right, here's here's what we're 

355
00:20:36,400 --> 00:20:38,600
going for. 
Are we all on the same page 

356
00:20:38,600 --> 00:20:42,500
here? 
Yeah, I think that's why I was 

357
00:20:42,500 --> 00:20:46,600
kind of even pointing out, you 
know, we're using that term. 

358
00:20:46,700 --> 00:20:49,100
So from a nomenclature 
standpoint, we're using that 

359
00:20:49,100 --> 00:20:52,700
term, 
how it's typically used in the 

360
00:20:53,400 --> 00:20:58,400
IGA space. Jeff mentioned, you 
know, am I an employee, or my program

361
00:20:58,400 --> 00:21:02,600
level 1, program level 2, do I 
work in the Austin office or in 

362
00:21:02,600 --> 00:21:05,500
the New York office? 
Well, I can have multiple, 

363
00:21:05,500 --> 00:21:10,000
I have different angles of 
things of where I work. 

364
00:21:10,000 --> 00:21:13,100
And what role I do within the 
company. If I'm an employee or 

365
00:21:13,100 --> 00:21:15,600
contractor, I have multiple 
roles as well. 

366
00:21:15,600 --> 00:21:20,700
I think what we're talking about
here is, you know, kind of 

367
00:21:20,700 --> 00:21:25,000
provisioning of access roles. 
That's kind of how I think 

368
00:21:25,008 --> 00:21:30,000
within the governance space: 
bundling accounts and entitlements 

369
00:21:30,000 --> 00:21:34,300
that I can be provisioned that 
access to the end systems that 

370
00:21:34,300 --> 00:21:38,100
are to access. This is 
something that I wanted to kick 

371
00:21:38,100 --> 00:21:43,000
back to Helio because, you know, 
you've been spending the last, 

372
00:21:43,000 --> 00:21:45,300
I don't know how long. 
Normally, we ask all of our 

373
00:21:45,300 --> 00:21:49,700
guests, Helio, how they got 
into IAM, and maybe we should 

374
00:21:49,700 --> 00:21:52,500
ask that of you, but also I 
wanted to point out that, you 

375
00:21:52,500 --> 00:21:57,000
know, you've been focused on 
this SailPoint technology for 

376
00:21:57,200 --> 00:22:00,200
what, the last decade. 
I've been working with 

377
00:22:00,200 --> 00:22:03,100
SailPoint for about six, seven 
years now. Okay. 

378
00:22:03,400 --> 00:22:08,000
And, you know, one of the things 
that I wanted to point out, I run 

379
00:22:08,000 --> 00:22:12,200
into a lot is, well, 
first, maybe you can 

380
00:22:12,200 --> 00:22:16,300
do for me real quick 
would be to define, 

381
00:22:16,300 --> 00:22:19,300
I think they use the terms 
IT roles and business roles. 

382
00:22:19,300 --> 00:22:21,000
What's the difference between 
those two? 

383
00:22:21,200 --> 00:22:23,600
Yeah. 
So an IT role is a collection of

384
00:22:23,600 --> 00:22:26,800
entitlements. 
So you have your various 

385
00:22:26,800 --> 00:22:30,100
AD groups, your SAP roles, 
privileges from all of your 

386
00:22:30,100 --> 00:22:33,300
other applications all combined 
into an IT role. 

387
00:22:33,900 --> 00:22:37,900
Whereas a business role is 
more of a collection of 

388
00:22:37,900 --> 00:22:40,700
identities. So that could be 
based off of, 

389
00:22:40,700 --> 00:22:45,700
to use Jeff's example, you have 
an employees business role, you 

390
00:22:45,700 --> 00:22:49,200
have contractors, they're a 
business role, you have people 

391
00:22:49,200 --> 00:22:51,400
with the location of Chicago. 
That's a business role in 

392
00:22:51,400 --> 00:22:53,400
Atlanta and Tampa and wherever 
else. 

393
00:22:53,700 --> 00:22:55,700
So your business roles are 
collections of people. 

394
00:22:56,000 --> 00:22:59,100
Your IT roles are collections 
of entitlements. You can assign 

395
00:22:59,100 --> 00:23:01,400
the IT roles to the business 
roles. 

396
00:23:01,600 --> 00:23:05,500
You're going to assign the 
business roles to the identities. 

397
00:23:05,500 --> 00:23:15,700
And then, the thing about 
IAM is that there's so 

398
00:23:15,700 --> 00:23:18,000
many different ways to take all 
these words, right? 

399
00:23:18,100 --> 00:23:21,100
That's the way that SailPoint 
does it. Absolutely. Another IDM 

400
00:23:21,100 --> 00:23:26,900
vendor does it who knows how, 
figure it out right now? 

401
00:23:26,900 --> 00:23:30,000
There is no standard, 
I don't think, when it comes to that

402
00:23:30,000 --> 00:23:32,400
kind of thing, right? 
So you have to be able to 

403
00:23:32,400 --> 00:23:35,500
understand conceptually 
what it is you're trying 

404
00:23:35,500 --> 00:23:38,200
to do. 
And then how is the technology 

405
00:23:38,200 --> 00:23:41,200
going to help you get there, 
right? Whatever they call it. 

406
00:23:41,500 --> 00:23:45,700
This, you know, the end goal is 
to provide access to the right 

407
00:23:45,700 --> 00:23:48,800
person at the right time. 
You know, for the right systems 

408
00:23:48,800 --> 00:23:52,200
and if you do it more 
efficiently through groupings, 

409
00:23:52,200 --> 00:23:53,300
right? 
That's another, you know, 

410
00:23:53,300 --> 00:23:55,900
sometimes group is 
the terminology that's used. 

411
00:23:56,200 --> 00:23:57,700
That's, that's really kind of 
the end goal. 

412
00:23:57,900 --> 00:24:02,700
So here's one thing I wanted 
to point out. I want to stay 

413
00:24:02,700 --> 00:24:06,600
on this SailPoint example, 
because I'm sure that it works. 

414
00:24:06,900 --> 00:24:09,900
I know that it works this way. 
So one thing is, let's say we 

415
00:24:09,900 --> 00:24:12,900
take that role mining example 
we talked about for Andrew, 

416
00:24:12,900 --> 00:24:17,700
where, you know, it runs a data 
analysis and mines and says, you 

417
00:24:17,700 --> 00:24:23,800
know, 95% of the people in HR 
have these three AD groups, would 

418
00:24:23,800 --> 00:24:26,400
you like to just give that to a 
hundred percent? You 

419
00:24:26,400 --> 00:24:29,000
say yes. 
So now all the people in HR 

420
00:24:29,000 --> 00:24:33,900
have these three AD groups and 
SailPoint considers that an IT 

421
00:24:33,900 --> 00:24:38,900
role. All right, those three groups
now, wouldn't it also be true 

422
00:24:38,900 --> 00:24:44,100
that if I was assigned those 
three AD groups that SailPoint 

423
00:24:44,100 --> 00:24:46,900
would 
think I'm in that role? 

424
00:24:47,300 --> 00:24:51,000
Even if I acquired those groups 
by other methods. 

425
00:24:51,500 --> 00:24:56,300
Yeah, SailPoint will detect that 
you have those three AD groups 

426
00:24:56,300 --> 00:24:58,700
and that you are assigned to 
that role, which is actually 

427
00:24:58,700 --> 00:25:02,000
quite helpful. 
When you come to do, say, a 

428
00:25:02,000 --> 00:25:06,600
certification. Instead of 
showing the certifier, 

429
00:25:06,800 --> 00:25:11,000
hey, they have these three 
AD groups that you have no idea 

430
00:25:11,000 --> 00:25:12,400
what they actually do, 
they show, 

431
00:25:12,400 --> 00:25:15,400
hey, they have this role. 
Does that make sense? 

432
00:25:15,400 --> 00:25:17,600
Now, you can also get to the 
entitlement level, too, in a 

433
00:25:17,608 --> 00:25:19,800
certification if you wanted to, 
so you could see those. 

434
00:25:21,100 --> 00:25:25,000
But yes, absolutely. 
We will in SailPoint detect 

435
00:25:25,000 --> 00:25:27,600
that you have the role, 
even if you were not directly 

436
00:25:27,600 --> 00:25:30,600
assigned the role through, like, a
request or through a birthright.

437
00:25:30,700 --> 00:25:34,800
I've had one client who 
actually, if that was the case, 

438
00:25:34,800 --> 00:25:37,700
they collected those three, they 
bundled 

439
00:25:37,700 --> 00:25:41,400
those three roles, they would add
a fourth element, a fourth 

440
00:25:41,400 --> 00:25:44,700
entitlement, which was kind of 
like, what we called a fake 

441
00:25:44,700 --> 00:25:48,500
entitlement. 
So that it wouldn't be detected 

442
00:25:48,500 --> 00:25:52,700
in that it wouldn't be, you 
know, somebody who got those 

443
00:25:52,700 --> 00:25:56,000
other three by some other 
method, not by 

444
00:25:56,000 --> 00:25:59,900
assignment of the role, it 
wouldn't be detected by 

445
00:25:59,900 --> 00:26:03,100
SailPoint as them having that role. 
Have you ever seen that before? 

446
00:26:03,700 --> 00:26:07,600
I have not, but I'd be interested
in looking at that system. Okay. 

447
00:26:09,500 --> 00:26:12,900
We have a little bit of homework
to go into because that makes a 

448
00:26:12,900 --> 00:26:15,000
lot of sense, or it's a terrible 
idea. 

449
00:26:15,000 --> 00:26:20,300
I'm not sure. One of the things 
I'll say is, we get all kinds of

450
00:26:20,300 --> 00:26:23,100
different requirements and 
sometimes we have to do it a little

451
00:26:23,100 --> 00:26:25,500
bit differently. 
Yeah. 

452
00:26:26,100 --> 00:26:31,200
So, Helio, um, I want to shift 
the conversation to role 

453
00:26:31,200 --> 00:26:34,400
governance, you know, 
certification 

454
00:26:34,500 --> 00:26:39,400
of what a 
role gives somebody and then who

455
00:26:39,600 --> 00:26:41,700
is in their role, what have you 
seen? 

456
00:26:41,700 --> 00:26:45,000
What are the typical processes 
you see with your clients in 

457
00:26:45,000 --> 00:26:48,700
terms of, you know, what role 
governance routines are in 

458
00:26:48,700 --> 00:26:52,800
place? 
Well, so, using the SailPoint 

459
00:26:52,800 --> 00:26:55,300
example as well. 
So one of the things that we're 

460
00:26:55,300 --> 00:26:59,400
going to want to do is to your 
point maintain that role. 

461
00:26:59,400 --> 00:27:02,700
Like, I build this role through 
role mining today. 

462
00:27:03,000 --> 00:27:06,500
That doesn't mean that in months 
that role is still going to be 

463
00:27:06,500 --> 00:27:09,300
valid. 
And in three years, it's 

464
00:27:09,300 --> 00:27:14,100
probably not going to be valid. 
So there are tools to allow us 

465
00:27:14,100 --> 00:27:16,700
to do that. 
We can continue to run the role 

466
00:27:16,700 --> 00:27:19,800
modeling analysis, analyses. 
Let's go with analyses. 

467
00:27:20,700 --> 00:27:23,700
So we can continue to run the 
role mining analyses so that we 

468
00:27:23,700 --> 00:27:28,200
can validate our roles that way.
But we also have the ability to 

469
00:27:28,200 --> 00:27:31,500
certify the contents of the 
role. 

470
00:27:31,500 --> 00:27:33,800
So we could do 
what's called a role 

471
00:27:34,500 --> 00:27:38,500
certification, which is 
typically performed by the role 

472
00:27:38,500 --> 00:27:42,300
owner. We'll get a list of all the
roles that we own and the 

473
00:27:42,300 --> 00:27:46,400
contents of those roles and say,
hey, yeah, we don't need this AD

474
00:27:46,400 --> 00:27:50,700
group in this role anymore 
because, for whatever reason, we don't

475
00:27:50,700 --> 00:27:52,500
need it. 
Maybe that application is no 

476
00:27:52,500 --> 00:27:56,600
longer a thing. 
It could be that we don't want 

477
00:27:56,600 --> 00:28:00,000
to give that access to people in
HR anymore, but we want to 

478
00:28:00,000 --> 00:28:03,200
maintain those roles so that 
we're not proliferating 

479
00:28:03,500 --> 00:28:06,400
incorrect 
entitlements to everybody. 

480
00:28:06,600 --> 00:28:08,900
So that's a very important 
concept. 

481
00:28:08,900 --> 00:28:10,800
Yeah, I think that is a key part,
right? 

482
00:28:10,800 --> 00:28:13,900
Roles change over time. 
So you need some way and some 

483
00:28:13,900 --> 00:28:17,900
process to make sure that the 
contents of that role are still 

484
00:28:17,900 --> 00:28:21,000
accurate. 
Especially if you're relying on 

485
00:28:21,000 --> 00:28:25,100
roles to grant access, right? 
Otherwise now the mistakes you 

486
00:28:25,100 --> 00:28:27,800
make are huge. 
They're macro in nature, 

487
00:28:27,800 --> 00:28:30,500
right? 
Oh great, 4,000 people right 

488
00:28:30,500 --> 00:28:31,600
now 
have access to a thing that they 

489
00:28:31,600 --> 00:28:34,600
shouldn't have access to any 
more because nobody was seeing 

490
00:28:34,600 --> 00:28:37,900
the role itself and the 
construction or composition of 

491
00:28:37,900 --> 00:28:38,900
it. 
So I think that's a really 

492
00:28:38,900 --> 00:28:41,300
important thing. 
This was the reason that I say 

493
00:28:41,300 --> 00:28:45,200
that your identity system 
is not a one-off. 

494
00:28:45,200 --> 00:28:47,400
It's a program. 
It's a process. 

495
00:28:47,400 --> 00:28:50,100
You have to keep maintaining it.
It's the gift that never 

496
00:28:50,100 --> 00:28:53,600
dies. Preach on, brother. 
Yeah, there's one thing that I 

497
00:28:53,600 --> 00:28:57,600
think that's important is when 
you're going to, you know, 

498
00:28:57,600 --> 00:29:00,900
speaking kind of the governance 
of roles, is that it's a lot 

499
00:29:00,900 --> 00:29:05,800
easier to not only create but 
maintain roles if you're cleaning up data

500
00:29:05,900 --> 00:29:08,900
As you're going along, right? 
Getting rid of things that you 

501
00:29:08,900 --> 00:29:12,800
don't need anymore. 
AD groups that have no members, 

502
00:29:12,800 --> 00:29:15,500
you know, roles that don't have 
any members things like that. 

503
00:29:15,500 --> 00:29:18,700
So that's another way to help 
kind of streamline. 

504
00:29:18,700 --> 00:29:21,400
The system itself, not only from 
a performance perspective, but 

505
00:29:21,400 --> 00:29:24,900
from just reducing the 
quantity of things to manage. 

506
00:29:25,100 --> 00:29:27,500
Take a look at the data itself 
and make sure that you're 

507
00:29:27,500 --> 00:29:30,600
keeping it clean as you go along,
or even before you even get into

508
00:29:30,600 --> 00:29:34,300
roles, doing a cleanup exercise 
first before you start building 

509
00:29:34,300 --> 00:29:35,900
out 
roles for things that don't 

510
00:29:35,900 --> 00:29:38,100
exist, right? 
I'll tell a lot of my customers,

511
00:29:38,100 --> 00:29:40,900
hey, we don't want to do role 
mining until we've done at least

512
00:29:40,900 --> 00:29:44,400
one certification campaign to 
know that the entitlements the 

513
00:29:44,400 --> 00:29:46,900
users have now are the right 
ones. 

514
00:29:47,200 --> 00:29:50,000
Yep, there's no point to mining 
the entitlements if they're 

515
00:29:50,000 --> 00:29:51,500
the wrong 
entitlements. 

516
00:29:52,000 --> 00:29:54,500
Yeah, great point. 
Yeah, the thing I was going to 

517
00:29:54,500 --> 00:29:58,000
add, you know, I think that you 
guys just made the point 

518
00:29:58,000 --> 00:30:01,400
of garbage in, garbage out. 
That's spot-on. 

519
00:30:01,700 --> 00:30:06,100
I think the other thing is, you 
know, the business has got to be

520
00:30:06,100 --> 00:30:10,400
a part of this. 
So if you think that role 

521
00:30:10,400 --> 00:30:17,000
mining and role engineering 
can be an IT-only job, or IT-led,

522
00:30:17,000 --> 00:30:20,000
and the business isn't really 
taking ownership, 

523
00:30:20,100 --> 00:30:22,900
It's only going to go so far. 
I think you can you know, 

524
00:30:23,300 --> 00:30:28,600
provision basic access, VPN, email,
stuff like that, 

525
00:30:28,600 --> 00:30:32,400
based on, you know, very simple 
role patterns. 

526
00:30:32,500 --> 00:30:36,100
However, if you want to get into,
you know, what people do in 

527
00:30:36,100 --> 00:30:40,500
the business and really making 
access management more 

528
00:30:40,500 --> 00:30:42,700
efficient, 
you've got to get the business 

529
00:30:42,700 --> 00:30:46,100
involved and then you've got to 
get the metadata on the roles, 

530
00:30:46,100 --> 00:30:47,700
right? 
You've got to have good 

531
00:30:47,700 --> 00:30:52,900
descriptions, you've got to have
owners for roles, and it's 

532
00:30:52,900 --> 00:30:56,000
not a once-and-done thing. 
It's something that's going to 

533
00:30:56,000 --> 00:31:00,600
have to be revisited pretty 
often, so it requires a little 

534
00:31:00,600 --> 00:31:03,900
investment upfront. It's like 
changing the oil in your car, 

535
00:31:03,900 --> 00:31:07,600
you know, you have to do all the 
maintenance on your car. 

536
00:31:07,700 --> 00:31:10,500
You do the maintenance so that 
the car doesn't blow up. 

537
00:31:11,300 --> 00:31:15,300
And I think that's kind of the 
same principle with role 

538
00:31:15,300 --> 00:31:18,500
governance. 
We made the point earlier that 

539
00:31:18,800 --> 00:31:21,100
you really want the names of the
roles, you really want the 

540
00:31:21,100 --> 00:31:23,000
descriptions of the role to be 
right. 

541
00:31:23,000 --> 00:31:25,700
Because those are going to be 
end-user-facing, they need to be 

542
00:31:25,700 --> 00:31:27,300
correct, 
so that people understand what 

543
00:31:27,300 --> 00:31:29,000
they're doing. 
No good saying, hey, can you 

544
00:31:29,000 --> 00:31:31,900
approve access to this? 
If when I look at it, I go, I 

545
00:31:31,908 --> 00:31:33,600
don't know what that is. 
Okay, approved. 

546
00:31:35,500 --> 00:31:37,300
I think this is really where 
a good 

547
00:31:37,300 --> 00:31:42,000
IAM program manager steps in, 
because it's the business. 

548
00:31:42,400 --> 00:31:46,900
It's their data, right? 
And the technology and the roles

549
00:31:46,900 --> 00:31:49,400
and all the stuff that goes 
around it is typically provided

550
00:31:49,400 --> 00:31:52,600
by IT or an IT person, you 
know, maybe even with them. 

551
00:31:53,500 --> 00:31:57,200
But there needs to be structure 
and order to the way things are 

552
00:31:57,200 --> 00:31:59,200
done. 
You know, when I've done role 

553
00:31:59,200 --> 00:32:01,900
catalogs in the past, for 
example, you know, I would 

554
00:32:01,900 --> 00:32:05,900
develop, here is the 
minimum acceptable level of 

555
00:32:05,900 --> 00:32:09,800
quality that I will take, you 
know, for a role name, a role 

556
00:32:09,800 --> 00:32:13,700
description, you know, anything 
like that. And if it didn't meet 

557
00:32:13,800 --> 00:32:18,000
at least, you know, that minimum 
level of quality, then it would 

558
00:32:18,400 --> 00:32:20,800
get sent back, right? Either 
I would work directly with the 

559
00:32:20,808 --> 00:32:23,900
business and say, hey we need a 
better name for this or, you 

560
00:32:23,900 --> 00:32:26,700
know, are you sure your users 
will understand what this means,

561
00:32:26,700 --> 00:32:28,200
right? 
Things like that rather than 

562
00:32:28,200 --> 00:32:31,700
just kind of taking the easy way
out where you dump all the AD 

563
00:32:31,700 --> 00:32:34,300
user, all the AD group names, 
you know, that 

564
00:32:34,500 --> 00:32:38,200
are probably not 
reader-friendly. 

565
00:32:38,700 --> 00:32:40,700
We don't want, 
we don't want FQDNs in there, 

566
00:32:41,200 --> 00:32:42,200
right? 
Yeah, exactly. 

567
00:32:42,200 --> 00:32:44,700
So it gets important because 
this is part of this. 

568
00:32:45,100 --> 00:32:47,800
The opposite is no better: 
if you just call a role the 

569
00:32:47,800 --> 00:32:52,200
accounting role or the 
Accounting Group. How many times do

570
00:32:52,200 --> 00:32:55,800
you see the Accounting 
Group in AD, and then it gets 

571
00:32:55,800 --> 00:32:59,900
used for so many things that, you
know, you're afraid to, or maybe 

572
00:32:59,900 --> 00:33:03,000
it's called, you know, accounting
finance, and like it was 

573
00:33:03,300 --> 00:33:07,000
basically set up For some 
project, nobody remembers 

574
00:33:07,000 --> 00:33:09,500
exactly what it was originally 
intended for. 

575
00:33:09,500 --> 00:33:13,600
But it's been used so many times and
now they can't delete it or 

576
00:33:13,600 --> 00:33:18,300
clean it up or identify an owner
because it's just, it's just a 

577
00:33:18,300 --> 00:33:20,800
mess. 
So it's been really, all it 

578
00:33:20,800 --> 00:33:22,700
does is give you access to do 
your time card. 

579
00:33:23,200 --> 00:33:26,600
Well, maybe that's what it was 
originally and now it's like 

580
00:33:26,600 --> 00:33:35,800
everybody. 
If you don't have the structure and 

581
00:33:35,800 --> 00:33:38,300
order, I mean, you have to think
about how do you want to present

582
00:33:38,300 --> 00:33:41,400
the data to your users and then 
tackle it backwards from there 

583
00:33:41,400 --> 00:33:44,200
and say, okay, you know what are
the capabilities of the IGA 

584
00:33:44,200 --> 00:33:45,700
platform that we're using to 
present this? 

585
00:33:45,700 --> 00:33:48,200
Or, you know, it could even be 
in your ITSM tool, right? 

586
00:33:48,200 --> 00:33:49,800
A lot of organizations may use 
ServiceNow, 

587
00:33:49,800 --> 00:33:53,800
for example, to present the 
request to the user. 

588
00:33:54,200 --> 00:33:58,000
So you need to take into account
what can the technology support 

589
00:33:58,000 --> 00:34:01,300
and then design an access catalog
that is user-friendly off of 

590
00:34:01,300 --> 00:34:03,400
that. 
But I still feel the business is

591
00:34:03,400 --> 00:34:04,600
part of that. 
Ultimately, 

592
00:34:04,600 --> 00:34:06,600
they own the roles. 
They should be part of the 

593
00:34:06,600 --> 00:34:10,600
sign-off process, as part of 
here's what's going to be named.

594
00:34:10,900 --> 00:34:13,400
Here's the description. 
Here are the specific 

595
00:34:13,400 --> 00:34:16,400
permissions associated with that
and then periodically, they 

596
00:34:16,400 --> 00:34:18,500
should be asked to review that 
to make sure that's still 

597
00:34:18,500 --> 00:34:21,100
accurate, you know, maybe it's 
yearly, you know, maybe it's 

598
00:34:21,100 --> 00:34:22,199
shorter 
if it's something that may be 

599
00:34:22,199 --> 00:34:25,400
privileged access, or sometimes. 
But I don't feel like this is 

600
00:34:25,400 --> 00:34:29,600
something that, to do it right, 
is fair to just toss over the 

601
00:34:29,600 --> 00:34:32,000
IT wall 
and say, here, IT, you deal with it. 

602
00:34:32,000 --> 00:34:33,900
The business needs to be part of
this process for it to be 

603
00:34:33,900 --> 00:34:35,600
successful. 
Yeah, absolutely. 

604
00:34:35,800 --> 00:34:38,900
That's right, when everybody 
agrees. 

605
00:34:40,400 --> 00:34:42,699
It's also important, too, you 
know, I think a lot of 

606
00:34:42,699 --> 00:34:46,100
organizations want to get to RBAC
100%. 

607
00:34:46,100 --> 00:34:48,900
It's really hard, right? 
If it wasn't hard, everyone 

608
00:34:48,900 --> 00:34:52,300
would be doing it. 
So I think it's a goal to get 

609
00:34:52,300 --> 00:34:54,800
there but I don't think that you
should shoot for 100 percent. 

610
00:34:54,800 --> 00:34:57,200
I think you should shoot for 
something far more attainable, 

611
00:34:58,500 --> 00:34:59,800
you know. 
However you want to define 

612
00:34:59,800 --> 00:35:03,900
success, and maybe it is at the 
macro level, like employee or not

613
00:35:03,900 --> 00:35:07,900
employee. Yeah, and maybe that 
is as good as you think is 

614
00:35:07,900 --> 00:35:10,400
realistic in the first year or 
maybe even two years, right? 

615
00:35:10,400 --> 00:35:15,300
And then from there, as your IAM 
program develops, becomes more 

616
00:35:15,300 --> 00:35:18,100
mature and you're getting all 
this data back from tools that 

617
00:35:18,100 --> 00:35:19,100
you've been working on 
implementing. 

618
00:35:19,100 --> 00:35:23,100
If you didn't have an IGA system 
before, you can start to, you 

619
00:35:23,100 --> 00:35:26,100
know, do some more roles off 
that, or even attribute-based, 

620
00:35:26,900 --> 00:35:27,900
you know, we'll actually cover 
that. 

621
00:35:27,900 --> 00:35:30,700
But I don't think 100% is a 
realistic goal. 

622
00:35:30,800 --> 00:35:34,300
I think shooting for somewhere 
along the lines of, you know, 80 

623
00:35:34,400 --> 00:35:37,700
percent. Good 
enough is a good target to hit 

624
00:35:37,700 --> 00:35:39,700
because what you don't want 
to do is spend an inordinate 

625
00:35:39,700 --> 00:35:45,100
amount of time trying to, you 
know, address a 5% problem, 

626
00:35:45,100 --> 00:35:46,700
right? 
Or even, well, I think as a 

627
00:35:46,707 --> 00:35:50,300
program manager, 
my attitude would be, all right,

628
00:35:50,300 --> 00:35:53,400
for the IT roles, 
I need to, I need to get this, 

629
00:35:53,400 --> 00:35:55,700
right? 
I need to have this, be the 

630
00:35:55,700 --> 00:35:59,000
gold, the gold standard, and 
then I have to create a 

631
00:35:59,008 --> 00:36:05,900
capability so that the business 
can also, you know, come up to the

632
00:36:05,900 --> 00:36:09,600
level of gold standard, but I'm 
not going to drag them kicking 

633
00:36:09,600 --> 00:36:11,700
and screaming into the RBAC 
future. 

634
00:36:11,700 --> 00:36:17,100
If they're satisfied with, you 
know, doing entitlements, or 

635
00:36:17,100 --> 00:36:19,600
going through 
the grind, and don't want to invest

636
00:36:19,600 --> 00:36:24,300
the time, 
then, you know, my philosophy 

637
00:36:24,300 --> 00:36:25,800
on all 
this is that IT's 

638
00:36:25,800 --> 00:36:31,100
responsibility is to provide the
tools and provide the processes 

639
00:36:31,100 --> 00:36:34,000
so that business can manage 
access. 

640
00:36:34,400 --> 00:36:37,800
I think by having a go-to center,
having the tools and having a 

641
00:36:37,800 --> 00:36:41,300
process for, you know creating 
roles and assigning roles. 

642
00:36:41,300 --> 00:36:45,000
And recertifying roles, you're 
doing your job as an IAM 

643
00:36:45,000 --> 00:36:47,100
program manager. 
Dragging people kicking and 

644
00:36:47,100 --> 00:36:49,900
screaming is not going to work. 
Or, 

645
00:36:49,900 --> 00:36:52,600
If they're not taking us 
seriously, you're fighting a 

646
00:36:52,600 --> 00:36:56,800
losing battle and you're going 
to get into that area where they

647
00:36:56,800 --> 00:36:58,500
just think it's somebody else's 
job. 

648
00:36:59,200 --> 00:37:04,000
And, like I say, it's a 
lot easier to dance with two 

649
00:37:04,300 --> 00:37:07,700
dance partners than just one. 
Yeah, the other thing that you 

650
00:37:07,700 --> 00:37:12,400
don't want to do to go back to 
Andrew C.'s question, we had 

651
00:37:12,400 --> 00:37:16,100
400,000 entitlements. 
We don't want to get so granular

652
00:37:16,100 --> 00:37:18,300
with our roles that we end up 
having five hundred thousand 

653
00:37:18,300 --> 00:37:22,300
roles to maintain. 
Yeah, that's a great point. 

654
00:37:22,300 --> 00:37:26,000
There has to be some level of. 
Hey, this is, this is what we 

655
00:37:26,000 --> 00:37:30,200
want to maintain, and if we get 
too granular with it, that 

656
00:37:30,200 --> 00:37:32,000
we're going to have a role for 
every entitlement. 

657
00:37:32,000 --> 00:37:35,400
And then some roles for every 
other thing, And then you end up

658
00:37:35,400 --> 00:37:39,100
with 500, 600, 700 thousand roles
to maintain and you just made a 

659
00:37:39,107 --> 00:37:41,100
bigger mess for yourself. 
Yes. 

660
00:37:41,200 --> 00:37:45,100
I can't believe it, but so 
many of the organizations that 

661
00:37:45,100 --> 00:37:48,100
we work with, I go in and ask 
them how many AD groups they 

662
00:37:48,100 --> 00:37:50,000
have? 
It's more than the number of 

663
00:37:50,000 --> 00:37:52,200
users that they have. Really? 
What? 

664
00:37:52,200 --> 00:37:54,800
And I'm talking 
security groups, not just 

665
00:37:55,200 --> 00:37:58,800
distribution lists. 
That tells me that they've got a

666
00:37:58,800 --> 00:38:00,500
lot of groups that somebody 
created. 

667
00:38:00,500 --> 00:38:02,800
Nobody loves, nobody cares about 
them, nobody's 

668
00:38:03,000 --> 00:38:06,700
keeping them, nobody 
feels like they own them, and 

669
00:38:06,700 --> 00:38:09,300
that's a problem. 
If you get in the same position 

670
00:38:09,300 --> 00:38:12,100
with roles, you're just going to 
create another nightmare 

671
00:38:12,100 --> 00:38:15,700
scenario and that's where our 
cleanup campaigns come into 

672
00:38:15,700 --> 00:38:19,400
place, whether it's through 
access certifications or whether

673
00:38:19,400 --> 00:38:21,000
it's through 
just looking at the groups and 

674
00:38:21,000 --> 00:38:23,700
saying, hey, nobody's in these 
groups, do we actually need them?

675
00:38:23,700 --> 00:38:25,600
It's really going to help, not 
hurt. 

676
00:38:25,600 --> 00:38:28,100
You got to do that up front. 
Gotta get that, gotta put in the

677
00:38:28,100 --> 00:38:30,300
legwork, to get to where you 
want to get. 

678
00:38:30,900 --> 00:38:34,000
I kind of always felt, too, that 
with cleanup campaigns 

679
00:38:34,200 --> 00:38:37,200
there's some cleanup that you 
should just do even before you 

680
00:38:37,200 --> 00:38:40,500
put in an IAM system, and then 
there's other cleanup that the 

681
00:38:40,500 --> 00:38:43,700
IAM system, through the 
certification campaigns, 

682
00:38:44,000 --> 00:38:47,200
For example, can really help you
out with, but some of the things

683
00:38:47,200 --> 00:38:51,500
like just cleaning up all the 
empty AD groups doesn't seem like

684
00:38:51,500 --> 00:38:54,100
you need an expensive 
IAM system to do that. 

685
00:38:54,100 --> 00:38:56,000
You can just go through and 
clean them up. 

686
00:38:56,400 --> 00:38:56,800
Yep. 
Yeah, 

687
00:38:56,800 --> 00:38:58,200
here's a script to go pull 
back 

688
00:38:58,200 --> 00:39:01,800
All the groups that have no 
members and, and if you have an 

689
00:39:01,800 --> 00:39:05,300
attribute on the AD group for 
owner, and half of them are 

690
00:39:05,300 --> 00:39:08,400
empty, 
you know, go through and start 

691
00:39:08,400 --> 00:39:11,300
filling them in. Otherwise we can't
even send the cert. 

692
00:39:11,300 --> 00:39:13,700
Who are you going to send the 
recertification campaign to? 

693
00:39:14,200 --> 00:39:16,300
Yeah, absolutely. 
Having that ownership level 

694
00:39:16,300 --> 00:39:19,000
whether it's just for 
certification campaigns or it's 

695
00:39:19,000 --> 00:39:23,800
for access review or 
access request, having an owner 

696
00:39:23,900 --> 00:39:27,600
up front in AD or 
whatever other application we're

697
00:39:27,607 --> 00:39:29,700
talking about is very, very 
helpful. 

698
00:39:29,800 --> 00:39:30,700
Yeah. 
It's usually one of the first 

699
00:39:30,700 --> 00:39:33,400
things that, you know, gets 
asked, as you know, 

700
00:39:33,400 --> 00:39:37,300
okay, who owns this? Right, 
and no time like the present to 

701
00:39:37,300 --> 00:39:39,300
figure out who owns it because 
you're gonna need it down the 

702
00:39:39,300 --> 00:39:42,400
road anyway. 
So it's a, it's a cheap easy way

703
00:39:42,400 --> 00:39:44,600
to get started. 
Might not be, may not be easy, 

704
00:39:44,600 --> 00:39:47,400
if you have a lot of them. 
But you know, it's a cheap way 

705
00:39:47,400 --> 00:39:49,900
to get started right look 
through, figure out who owns it,

706
00:39:50,100 --> 00:39:53,200
you know, assign de facto 
ownership, if there isn't any 

707
00:39:53,200 --> 00:39:55,600
historical record, maybe it's 
based off a ticket, whoever 

708
00:39:55,600 --> 00:39:58,000
requested it, you know, becomes 
the owner. 

709
00:39:58,400 --> 00:40:00,600
And then the other thing, too, is 
maintaining that ownership 

710
00:40:00,600 --> 00:40:03,600
over the group, for 
example, if someone leaves your 

711
00:40:03,600 --> 00:40:06,800
organization. You know, I had a 
role in the past where if an 

712
00:40:06,800 --> 00:40:10,200
owner left, their manager would 
inherit ownership 

713
00:40:10,200 --> 00:40:13,500
automatically, until 
they decided, you know, who 

714
00:40:13,500 --> 00:40:15,200
they wanted to give it to. 
That way 

715
00:40:15,200 --> 00:40:18,900
We always had an owner for a 
given group or given 

716
00:40:18,900 --> 00:40:21,400
entitlement, and if we can't 
figure out who the owner is, 

717
00:40:21,500 --> 00:40:24,000
it's Jim. 
That's right. 

718
00:40:24,000 --> 00:40:25,600
Send it to Jim, we'll figure 
it out. 

719
00:40:25,600 --> 00:40:28,800
Or the mailroom: just pick 
the person who runs the mailroom

720
00:40:28,800 --> 00:40:32,500
and assign it to them. 
All right. 

721
00:40:32,500 --> 00:40:35,100
Did we cover everything that 
that we Want to cover today. 

722
00:40:35,500 --> 00:40:36,900
Feel like they covered a lot of 
ground. 

723
00:40:37,100 --> 00:40:39,200
I hope we answered Andrew's 
question. 

724
00:40:39,500 --> 00:40:44,200
Yeah, I hope that Andrew feels 
that way so I'm sure he'll let 

725
00:40:44,200 --> 00:40:45,800
us know if not. 
It will be happy to tackle it 

726
00:40:45,800 --> 00:40:47,900
again. 
Absolutely. 

727
00:40:48,100 --> 00:40:49,900
All right, well I think we're 
going to go ahead and leave it 

728
00:40:49,908 --> 00:40:52,800
there for now. 
Is there any final words of 

729
00:40:52,800 --> 00:40:56,500
wisdom that Helio you? 
Or Jim wanna bring up before we 

730
00:40:56,508 --> 00:40:58,900
wrap up? 
I'm not a very wise person. 

731
00:41:01,600 --> 00:41:04,100
No, just thanks to everybody. 
Who's been listening is sending 

732
00:41:04,100 --> 00:41:07,600
out. 
mail, you know, that likes the 

733
00:41:07,600 --> 00:41:11,900
show or questions and keep them 
coming, because it makes it 

734
00:41:11,900 --> 00:41:14,700
really easy to figure out what 
to talk about when we get these 

735
00:41:15,900 --> 00:41:18,900
types of notes, really 
appreciate it and it's more 

736
00:41:18,900 --> 00:41:20,800
interesting for you because 
we're talking about what you 

737
00:41:20,800 --> 00:41:23,800
want to talk about. 
So rather than, you know, Jim 

738
00:41:23,800 --> 00:41:25,900
and I put our heads together, 
you know, we'd rather talk about

739
00:41:25,900 --> 00:41:27,200
things that are important to 
folks out there. 

740
00:41:27,200 --> 00:41:31,400
So be sure to take advantage of 
that email questions at identity

741
00:41:31,400 --> 00:41:34,100
at the center.com, or look, Jim 
or I 

742
00:41:34,300 --> 00:41:36,500
up on LinkedIn and shoot us a 
note there, you know, we're 

743
00:41:36,500 --> 00:41:39,700
happy to engage and, you know, 
we're in the I am world just 

744
00:41:39,700 --> 00:41:43,700
like a hope most of the folks 
listening, you know, here are so

745
00:41:44,000 --> 00:41:47,000
we appreciate it and I think 
with that, we're going to go 

746
00:41:47,000 --> 00:41:52,800
ahead and call it a wrap and 
hope everyone stays happy and 

747
00:41:52,800 --> 00:41:56,000
healthy and we'll talk with you 
all in the next one. 

748
00:42:04,600 --> 00:42:07,700
You've been listening to the 
identity of the center podcast 

749
00:42:08,000 --> 00:42:10,800
for more episodes visit 
identity at the center.com.

