1
00:00:09,700 --> 00:00:13,000
You're listening to the Identity
at the Center podcast. This is 

2
00:00:13,000 --> 00:00:15,600
the show that talks about 
identity and access management 

3
00:00:15,700 --> 00:00:18,600
and making sure you know who has
access to what let's get 

4
00:00:18,600 --> 00:00:26,400
started. 
Welcome to the Identity at the 

5
00:00:26,407 --> 00:00:28,700
Center podcast. I'm Jeff and 
that's Jim. 

6
00:00:28,700 --> 00:00:30,600
Hmm. 
Hey, Jeff, how's it going? 

7
00:00:30,900 --> 00:00:32,500
That's a bad yourself. 
Good. 

8
00:00:32,500 --> 00:00:34,900
Good, you know, I feel like a 
big complainer. 

9
00:00:34,900 --> 00:00:38,700
We always one of our favorite 
inside jokes is, oh, you bet 

10
00:00:38,700 --> 00:00:42,500
sounds like a personal problem. 
Well, I've got good weather 

11
00:00:42,500 --> 00:00:44,300
problems, right? 
I'm sitting here 

12
00:00:44,300 --> 00:00:48,600
complaining, because it's 
mid-40s, and the rain has 

13
00:00:48,600 --> 00:00:52,200
finally stopped. 
It has been rainy and, and cool,

14
00:00:52,700 --> 00:00:56,300
and half the United States 
is under some kind of 

15
00:00:56,300 --> 00:00:59,500
blizzard warning or digging out,
you know. 

16
00:00:59,500 --> 00:01:02,200
I know you're in Chicago, you 
haven't had the best weather, it

17
00:01:02,200 --> 00:01:04,200
has been difficult. 
So, you know, I think for a 

18
00:01:04,208 --> 00:01:07,400
large swath of the United States
over the last several weeks and 

19
00:01:07,400 --> 00:01:10,100
yeah, Chicago has been pretty 
snowy. 

20
00:01:10,100 --> 00:01:11,800
I think. 
I think we're close to setting a

21
00:01:11,800 --> 00:01:15,700
record for like number of 
consecutive days with, with 

22
00:01:15,700 --> 00:01:19,200
measurable snowfall at least in 
the Chicago area, which is where

23
00:01:19,200 --> 00:01:21,700
I'm at. 
So, you know, and then obviously

24
00:01:21,700 --> 00:01:24,300
our friends down in Texas are 
certainly having some struggles 

25
00:01:24,300 --> 00:01:26,800
with power issues. 
So for those who are listening, 

26
00:01:26,800 --> 00:01:30,700
it is Friday, February 19th as 
Jim and I are sitting here kind 

27
00:01:30,700 --> 00:01:32,800
of talking about this. 
So if you want to look back in 

28
00:01:32,800 --> 00:01:35,300
the archives of the 
internet, right? 

29
00:01:35,300 --> 00:01:37,100
You can probably kind of figure 
out what was going on in the 

30
00:01:37,100 --> 00:01:41,900
world back then, but yeah, the 
weather has been challenging but

31
00:01:42,000 --> 00:01:44,300
I am hopeful. 
I'm seeing above freezing 

32
00:01:44,300 --> 00:01:47,900
temperatures on the radar and on
the forecast as soon as maybe 

33
00:01:47,900 --> 00:01:50,700
even this weekend or maybe next 
week, always plan a trip down to

34
00:01:50,700 --> 00:01:52,500
Cancún. 
I don't think anybody will 

35
00:01:52,500 --> 00:01:55,300
protest outside of your house. 
Oh, man. 

36
00:01:55,600 --> 00:01:58,700
Oh, was that, that's not what 
you meant by the power issues, 

37
00:01:58,700 --> 00:02:00,800
in Texas. 
Oh, you meant something else. 

38
00:02:01,000 --> 00:02:03,200
Sorry we usually don't go there 
on this show. 

39
00:02:03,400 --> 00:02:06,300
We usually don't get political 
but yes, that that was not a 

40
00:02:06,300 --> 00:02:10,699
good look for a certain 
individual and the the Texas 

41
00:02:10,699 --> 00:02:12,400
political spectrum, we'll just 
put it that way. 

42
00:02:13,700 --> 00:02:16,500
So what I'm going to talk about 
today I'd like to talk about 

43
00:02:16,500 --> 00:02:20,400
role-based access control and 
all things associated. 

44
00:02:20,400 --> 00:02:23,100
What do you think of that? 
I think that's a gigantic can 

45
00:02:23,100 --> 00:02:26,900
of worms and I think we 
should do it because roles are 

46
00:02:26,900 --> 00:02:29,700
something that we hear a lot 
from our clients as something 

47
00:02:29,700 --> 00:02:32,500
that they want to get into. 
And it can be a little bit 

48
00:02:32,500 --> 00:02:36,300
confusing sometimes because 
there's a lot of, you know, 

49
00:02:36,300 --> 00:02:41,300
different competing directions 
that maybe things want to go in 

50
00:02:41,300 --> 00:02:44,000
from a role perspective, right? 
You've got role-based Access 

51
00:02:44,000 --> 00:02:46,800
Control, you've got attribute 
based Access Control, you've got

52
00:02:46,800 --> 00:02:50,300
policy based Access Control. 
There's a lot of acronyms and 

53
00:02:50,300 --> 00:02:51,800
we're going to get into that 
today. 

54
00:02:52,200 --> 00:02:55,200
So I think what we want to kind 
of start off with here is, you 

55
00:02:55,200 --> 00:02:59,600
know, this is our thoughts and 
how you get started to eat this 

56
00:02:59,600 --> 00:03:03,100
elephant, one bite at a time, 
because it certainly tends 

57
00:03:03,100 --> 00:03:05,900
to be a rather large project for
a lot of organizations. 

58
00:03:05,900 --> 00:03:09,600
And a lot of times you are 
starting from, maybe not the 

59
00:03:09,600 --> 00:03:11,700
best from a data quality 
perspective. 

60
00:03:11,700 --> 00:03:14,400
And you may have to, you know, 
have a lot of kind of push and 

61
00:03:14,400 --> 00:03:15,700
pull to kind of get things up 
hill. 

62
00:03:15,800 --> 00:03:19,100
Yeah, I mean, what 
complicates the topic the most for 

63
00:03:19,100 --> 00:03:22,500
me is that there's not an 
industry standard definition. 

64
00:03:22,500 --> 00:03:26,200
Like, if you ask somebody 
who's an IAM 

65
00:03:26,200 --> 00:03:27,800
practitioner, 
what does multi-factor 

66
00:03:27,800 --> 00:03:30,900
authentication mean? 
You get the same answer every 

67
00:03:30,900 --> 00:03:33,800
time. 
You ask somebody what a role is 

68
00:03:34,000 --> 00:03:37,500
you get a different answer every
time and that's because of a couple

69
00:03:37,500 --> 00:03:40,300
of things from an organizational 
standpoint. 

70
00:03:40,900 --> 00:03:44,700
We talk about roles differently 
per application; even within an 

71
00:03:44,700 --> 00:03:47,400
organization, you might have 
application teams talking about 

72
00:03:47,400 --> 00:03:50,900
roles within their applications 
and then you talk to the 

73
00:03:50,900 --> 00:03:53,300
IAM team or the Active 
Directory team and they're 

74
00:03:53,300 --> 00:03:56,200
talking about roles at a 
totally different level. 

75
00:03:56,700 --> 00:04:00,600
And then from an authentication 
side of the house, or the 

76
00:04:00,600 --> 00:04:04,400
identity management side of the 
house, whether that you're using

77
00:04:04,400 --> 00:04:08,100
roles to drive provisioning to 
apps, or you're interpreting 

78
00:04:08,100 --> 00:04:11,700
those roles at the time of 
authentication to confer access.

79
00:04:12,200 --> 00:04:18,700
And I think we had a an episode 
one of our original episodes 

80
00:04:18,700 --> 00:04:22,800
back when we used to do a lot of
Jeff and Jim episodes where

81
00:04:22,800 --> 00:04:25,700
we talked about kind of some of 
the most confusing terms in 

82
00:04:25,700 --> 00:04:29,400
identity access management and 
roles was probably number one. 

83
00:04:29,400 --> 00:04:34,000
Yeah, that highly liberal 
use of the word roles. 

84
00:04:34,000 --> 00:04:37,800
You know, can certainly 
complicate the way that things 

85
00:04:37,800 --> 00:04:40,500
get defined. 
So we're going to dive into it 

86
00:04:40,500 --> 00:04:42,500
here and I think it's probably 
important before we get too far 

87
00:04:42,508 --> 00:04:44,500
along 
here is, really, when we're going 

88
00:04:44,500 --> 00:04:49,000
to talk about role-based access 
control, or RBAC, is that 

89
00:04:49,000 --> 00:04:52,000
we're really focusing on the 
provisioning side of things not 

90
00:04:52,000 --> 00:04:54,500
necessarily the authentication 
side of things because like 

91
00:04:54,800 --> 00:05:00,100
There are sometimes some 
definition of roles being 

92
00:05:00,100 --> 00:05:01,800
assigned at the authentication 
level. 

93
00:05:02,300 --> 00:05:04,600
What we're really talking about 
is provisioning and really more 

94
00:05:04,600 --> 00:05:07,700
authorizations. 
So why don't we dive right into 

95
00:05:07,700 --> 00:05:10,200
it? 
And why don't we start with what

96
00:05:10,200 --> 00:05:13,800
is a role, Jim Murray. 
And so I'd say like if we're to 

97
00:05:13,800 --> 00:05:17,400
give it a dictionary definition,
it's really the collection of 

98
00:05:17,400 --> 00:05:22,900
one or more entitlements or 
groups, bundled together and 

99
00:05:22,900 --> 00:05:27,300
assigned to one or more 
people in order to confer access

100
00:05:27,300 --> 00:05:29,900
to a system. 
So there's a couple elements 

101
00:05:29,900 --> 00:05:36,200
there one is that it's a 
grouping of access rights and 

102
00:05:36,200 --> 00:05:41,900
it's assigned to people or it 
could be to a non-human account. 

103
00:05:41,900 --> 00:05:46,400
So maybe people isn't the right 
term, it's identities, but it 

104
00:05:46,400 --> 00:05:47,900
confers access. 
Right? 

105
00:05:47,900 --> 00:05:53,500
So the point of putting a role 
together is to bundle access and

106
00:05:53,500 --> 00:05:55,600
so when we talk about even 
frameworks. 

107
00:05:55,600 --> 00:05:58,700
We look at that. 
It has an access pattern. 

108
00:05:58,700 --> 00:06:01,500
Yes or no, right. 
That's an important piece of it. 

109
00:06:01,900 --> 00:06:04,600
If there's not an access pattern 
around a role, 

110
00:06:04,600 --> 00:06:07,700
then there's not much sense in 
developing a role. 

111
00:06:07,900 --> 00:06:09,500
Yeah. 
And I think one of the ways that

112
00:06:09,500 --> 00:06:11,300
I've heard it described in the 
past that I kind of like it 

113
00:06:11,300 --> 00:06:13,900
really, it maybe oversimplifies 
it, but I think it's okay for 

114
00:06:13,900 --> 00:06:18,200
this conversation is think of 
roles as a bundle of sticks. 

115
00:06:18,300 --> 00:06:20,100
Right? 
Each stick kind of has its own, 

116
00:06:20,100 --> 00:06:23,000
maybe unique properties, and you
might pick up and have different

117
00:06:23,000 --> 00:06:26,000
bundles of sticks. 
And you might have just one 

118
00:06:26,000 --> 00:06:29,400
stick in your bundle, right? 
But, you know, each of those 

119
00:06:29,400 --> 00:06:32,000
things, could essentially be an 
entitlement and that bundle ends

120
00:06:32,000 --> 00:06:34,800
up becoming what we kind of 
refer to commonly as a role. 

121
00:06:36,100 --> 00:06:40,300
So now that we kind of set the 
stage of what is a role, why 

122
00:06:40,300 --> 00:06:44,100
would someone want to go 
down this? 

123
00:06:44,200 --> 00:06:48,200
This hellscape that it 
sometimes can be of setting up 

124
00:06:48,200 --> 00:06:49,800
access roles for their 
organization. 

125
00:06:50,000 --> 00:06:53,600
When I think about roles, I 
generally, think of, you know, 

126
00:06:53,600 --> 00:06:56,200
the kind of the framework that 
You think about this is there's 

127
00:06:56,200 --> 00:06:58,800
two types of roles and we're 
going to use some terms, right? 

128
00:06:58,800 --> 00:07:02,800
And some of these terms are used
or not used by different vendors

129
00:07:02,800 --> 00:07:07,000
organizations, but the two main 
ones for me are birthright 

130
00:07:07,000 --> 00:07:09,900
roles and requestable roles. 
And when you think about 

131
00:07:09,900 --> 00:07:14,200
birthright roles, the idea is 
that you can automatically 

132
00:07:14,200 --> 00:07:18,300
assign access to a person based 
on something about them. 

133
00:07:18,300 --> 00:07:21,900
Some attribute about that person
they're an employee. 

134
00:07:22,000 --> 00:07:24,400
They work for a certain 
department or they work in a 

135
00:07:24,407 --> 00:07:27,100
certain location. 
Usually this is going to be an 

136
00:07:27,100 --> 00:07:31,100
attribute that is stored on 
their profile, whether that's in

137
00:07:31,100 --> 00:07:34,400
the HR system or something 
that's maintained outside the 

138
00:07:34,400 --> 00:07:39,000
HR system, but it's data-driven 
that they are of this 

139
00:07:39,000 --> 00:07:41,700
classification and because of 
that they should have this 

140
00:07:41,700 --> 00:07:44,300
access and that whole process 
can be automated. 

141
00:07:44,600 --> 00:07:47,500
However, requestable roles are 
something where we don't have 

142
00:07:47,500 --> 00:07:49,500
that that driver of some 
attribute. 

143
00:07:49,500 --> 00:07:51,600
That's going to say whether or 
not the person should have 

144
00:07:51,600 --> 00:07:55,300
access, and it is ultimately a 
bundle, that bundle of sticks, that 

145
00:07:55,300 --> 00:07:58,800
we want to make available and 
it's for convenience sake. 

146
00:07:58,900 --> 00:08:01,100
And so having that bundle of 
sticks. 

147
00:08:01,100 --> 00:08:05,600
Now, somebody, ideally in the 
business, is going to have to 

148
00:08:06,100 --> 00:08:11,200
either request or approve or 
both that access for a person or

149
00:08:11,200 --> 00:08:13,500
for like we said a non-person 
identity. 

150
00:08:13,700 --> 00:08:18,100
You know, the more you try to 
narrow these definitions, 

151
00:08:18,100 --> 00:08:20,700
the more it just sounds like a 
bunch of words so I'm probably 

152
00:08:20,700 --> 00:08:24,900
going to stick to more the 
simple definition, but if you 

153
00:08:24,900 --> 00:08:27,400
have requestable roles, that 
bundle of sticks that you're 

154
00:08:27,400 --> 00:08:32,500
going to give to a person, 
you're doing it in a way that 

155
00:08:32,500 --> 00:08:37,200
the business can understand what
that bundle is, or 

156
00:08:37,200 --> 00:08:39,500
You're either going to tie it 
back to some job function or 

157
00:08:39,500 --> 00:08:42,400
maybe to a job overall. 
Yeah, I think you know, maybe 

158
00:08:42,400 --> 00:08:45,300
let's stick with the bundle of 
sticks concept here is, you 

159
00:08:45,308 --> 00:08:47,600
know, if you think you're 
walking around in, you 

160
00:08:47,600 --> 00:08:50,800
know whatever Village and when 
you're born you're given a 

161
00:08:50,808 --> 00:08:53,100
bundle of sticks, right? 
That's just what you get, that's

162
00:08:53,100 --> 00:08:55,600
a birthright role. 
It could be, you know, whatever 

163
00:08:55,600 --> 00:08:59,300
those little sticks might look 
like and then maybe you go to, 

164
00:08:59,300 --> 00:09:03,500
you know, the shop inside your 
village and you see a bunch of 

165
00:09:03,500 --> 00:09:07,100
different bundles of sticks 
sitting behind the counter and 

166
00:09:07,100 --> 00:09:09,700
you say to the shopkeeper. 
Hey, I want that bundle of 

167
00:09:09,700 --> 00:09:11,600
sticks, right? 
So that would be more of the 

168
00:09:11,600 --> 00:09:14,800
requestable role. 
So maybe we can, you know, that 

169
00:09:14,800 --> 00:09:17,400
maybe a little again, little bit
too simple, but I kind of like 

170
00:09:17,400 --> 00:09:19,000
it, at least for the purpose of 
this conversation. 

171
00:09:19,700 --> 00:09:23,200
And, you know, it's important to
mention the business like 

172
00:09:23,200 --> 00:09:27,000
you just did because it's very 
difficult to do roles and it's 

173
00:09:27,100 --> 00:09:29,300
compounded. 
If you do not have the business 

174
00:09:29,300 --> 00:09:33,700
involvement as part of the 
definition of what those roles 

175
00:09:33,700 --> 00:09:37,500
look like, who can have them, 
who's going to approve them, 

176
00:09:37,800 --> 00:09:39,300
right? 
How do you make things that are?

177
00:09:39,800 --> 00:09:42,600
You know, appropriate for the 
business to understand because 

178
00:09:42,600 --> 00:09:45,900
really at the end of the day, 
it's the business's data and 

179
00:09:45,900 --> 00:09:50,000
it's the business's roles. 
And by extension, the identity 

180
00:09:50,000 --> 00:09:52,800
access management team or 
technologies that are associated

181
00:09:52,800 --> 00:09:56,500
with that team are there to kind
of support the business and to 

182
00:09:56,500 --> 00:09:58,800
help them make more 
informed decisions. 

183
00:09:58,800 --> 00:10:02,200
So it's important to understand 
that this is not an easy task, 

184
00:10:02,200 --> 00:10:04,600
it is something that a lot of 
organizations struggle with. 

185
00:10:04,800 --> 00:10:09,000
They are usually year long or 
multi-year projects depending on

186
00:10:09,000 --> 00:10:13,300
how complex the access matrix 
might look like within an 

187
00:10:13,300 --> 00:10:14,600
organization. 
So, that's something to 

188
00:10:14,600 --> 00:10:16,900
certainly consider as part of 
this is not easy. 

189
00:10:17,000 --> 00:10:19,600
And that's okay, right? 
We mentioned, it's an elephant. 

190
00:10:19,700 --> 00:10:21,800
You got to start eating, that 
elephant, one bite at a time. 

191
00:10:22,300 --> 00:10:24,500
And this is this, these are some
ideas. 

192
00:10:24,600 --> 00:10:26,600
on how we want to get started on
that. Contrast 

193
00:10:26,700 --> 00:10:29,400
that, what we just talked 
about, with the organization that

194
00:10:29,400 --> 00:10:32,600
doesn't have roles, and they 
really struggle to get identity 

195
00:10:32,600 --> 00:10:35,800
and access management into a 
good place, where the business 

196
00:10:35,800 --> 00:10:39,500
can make informed decisions 
about who should have access to 

197
00:10:39,500 --> 00:10:43,500
what, and they're looking at, 
you know, a list of groups or, 

198
00:10:43,900 --> 00:10:48,400
you know, entitlements that are 
not put in plain English and not

199
00:10:48,400 --> 00:10:52,300
tied back to business functions.
For example, it's hard for them 

200
00:10:52,300 --> 00:10:56,800
to decide who should get the 
access, and then part of doing 

201
00:10:56,800 --> 00:11:00,500
role management 
effectively is reviewing roles, 

202
00:11:00,500 --> 00:11:05,000
reviewing the access that people
have on a periodic basis and if 

203
00:11:05,000 --> 00:11:09,400
you're reviewing and you don't 
understand, you're probably not 

204
00:11:09,400 --> 00:11:12,900
going to start removing access 
that you don't understand what 

205
00:11:12,900 --> 00:11:17,500
it actually is and since we have
your employee, not have the 

206
00:11:17,500 --> 00:11:19,900
access that they need to perform
their job. 

207
00:11:19,900 --> 00:11:23,600
So what ends up happening is 
that people rubber-stamp during 

208
00:11:23,600 --> 00:11:29,000
the access requests and reviews.
So that's a place that roles can

209
00:11:29,000 --> 00:11:30,600
be 
very valuable, especially roles 

210
00:11:30,600 --> 00:11:31,500
if done right. 
Right? 

211
00:11:31,500 --> 00:11:33,700
Do you name them in a way 
that makes sense? 

212
00:11:33,900 --> 00:11:38,300
You write descriptions; 
descriptions should tie back to 

213
00:11:38,400 --> 00:11:44,700
what, you know, what access this
role confers and you have owners

214
00:11:44,700 --> 00:11:48,300
of those roles so they can do 
role reviews effectively. 

215
00:11:48,500 --> 00:11:51,200
So we've talked a little bit 
about RBAC or role-based 

216
00:11:51,200 --> 00:11:53,100
Access Control. 
What does that mean? 

217
00:11:53,300 --> 00:11:56,900
For my money, when I 
talk about RBAC, it's the 

218
00:11:57,200 --> 00:12:03,100
overall process of role 
management and how roles drive 

219
00:12:03,500 --> 00:12:07,300
the access that people get. 
So it's, it's looking at it from

220
00:12:07,300 --> 00:12:11,700
kind of a 360-degree perspective
from how you get the roles, how 

221
00:12:11,700 --> 00:12:16,100
those roles help drive access, 
how people interact with those 

222
00:12:16,100 --> 00:12:16,900
roles. 
Again. 

223
00:12:16,900 --> 00:12:19,700
Like we've been talking about, 
it's kind of, we touched on a lot 

224
00:12:19,700 --> 00:12:24,300
of the different aspects of what
makes a good role and it's 

225
00:12:24,300 --> 00:12:26,100
something that the 
business can understand, they 

226
00:12:26,100 --> 00:12:29,800
can assign to people. 
And then those roles really 

227
00:12:29,800 --> 00:12:32,800
become the basis. 
For the assignment of who gets 

228
00:12:32,800 --> 00:12:35,300
access to what. What would you 
add to that? 

229
00:12:35,700 --> 00:12:36,900
You pretty much covered 
everything. 

230
00:12:36,900 --> 00:12:39,600
You know I think if we go back 
to the bundle of sticks, 

231
00:12:39,600 --> 00:12:42,400
role-based access control is, 
how do you create that bundle of

232
00:12:42,400 --> 00:12:44,400
sticks, right? 
Which sticks are going to go 

233
00:12:44,400 --> 00:12:48,400
into the bundle and does that 
bundle make sense? 

234
00:12:48,600 --> 00:12:52,000
Do the owners of those 
individual sticks agree to 

235
00:12:52,000 --> 00:12:54,000
become part of that bundle, 
right? 

236
00:12:54,900 --> 00:12:58,700
And this is an area that that 
does take some finesse. 

237
00:12:58,700 --> 00:13:01,700
This is not 
necessarily a technology problem. 

238
00:13:02,300 --> 00:13:06,300
This is more of a business 
process and trying to make sure 

239
00:13:06,300 --> 00:13:09,900
that you convert the Active 
Directory Group that is labeled,

240
00:13:10,100 --> 00:13:17,000
you know, IT-PRD-, you know, 
APP004, you know, 

241
00:13:17,500 --> 00:13:19,500
translates into something that 
actually makes sense. 

242
00:13:19,600 --> 00:13:23,200
Oh right, that is the server or 
the application that controls 

243
00:13:23,500 --> 00:13:24,800
the cafeteria. 
You. 

244
00:13:25,400 --> 00:13:27,900
All right. 
So being able to make that 

245
00:13:27,900 --> 00:13:32,100
translation and put that in 
front of people to have them 

246
00:13:32,100 --> 00:13:35,000
make those informed decisions 
is where, really, role-based 

247
00:13:35,000 --> 00:13:37,200
access control and the 
frameworks that go around it, 

248
00:13:37,200 --> 00:13:40,500
I think, make the most sense. I 
know we've also talked a little 

249
00:13:40,500 --> 00:13:44,400
about ABAC or attribute-based 
access control. 

250
00:13:44,700 --> 00:13:47,900
How is that different from 
role-based Access Control? 

251
00:13:48,100 --> 00:13:50,500
One of the things we said early 
on is, we're going to focus more

252
00:13:50,500 --> 00:13:53,900
on the provisioning side. 
And so I think we're talking 

253
00:13:53,900 --> 00:13:55,900
about ABAC 
in provisioning, we're talking a

254
00:13:55,900 --> 00:14:00,600
lot about that 
birthright automation of access 

255
00:14:00,600 --> 00:14:05,600
accounts, whereas I really see 
ABAC as, where I see 

256
00:14:06,300 --> 00:14:09,200
organizations using it as more 
on the authentication side. 

257
00:14:09,200 --> 00:14:13,800
In other words, applications are
being given, rather than here's 

258
00:14:13,800 --> 00:14:16,800
the access a person has, 
profile information about a 

259
00:14:16,808 --> 00:14:20,000
person with a lot of attributes, 
and the applications 

260
00:14:20,008 --> 00:14:22,700
can then interpret those 
attributes. 

261
00:14:22,900 --> 00:14:24,400
However, they see fit in other 
words. 

262
00:14:24,500 --> 00:14:29,600
The decision point is at 
the application in terms of what

263
00:14:29,600 --> 00:14:34,800
access those attributes confer. 
So very much like, you know, 

264
00:14:34,900 --> 00:14:39,400
policy-driven again, kind of on 
the provisioning side of the 

265
00:14:39,400 --> 00:14:42,100
house I think is really the 
interpretation of those 

266
00:14:42,100 --> 00:14:46,400
attributes for automating the 
provisioning of access. 

267
00:14:46,600 --> 00:14:47,600
Yeah, I think you hit it right 
there. 

268
00:14:47,600 --> 00:14:50,600
You know, sometimes ABAC is 
also known as PBAC or policy- 

269
00:14:50,600 --> 00:14:55,100
based access control. 
It's more of a runtime or time 

270
00:14:56,100 --> 00:14:59,200
assignment of access. 
What's interesting to me is that

271
00:14:59,200 --> 00:15:03,200
it really kind of layers on top 
potentially of role-based Access

272
00:15:03,200 --> 00:15:07,000
Control right if you're driving 
data into the application? 

273
00:15:07,000 --> 00:15:10,600
Say, you know, here is Jeff and 
he's in Chicago that attribute 

274
00:15:10,600 --> 00:15:14,500
of me being in Chicago. 
May actually map back to a role 

275
00:15:14,500 --> 00:15:18,300
within the application, but it's
not being granted to me ahead of

276
00:15:18,300 --> 00:15:22,000
time because the application is 
determining determining, you 

277
00:15:22,000 --> 00:15:25,300
know, in a more real-time way based 
on the authentication, the 

278
00:15:25,300 --> 00:15:29,100
authorization streams, what I 
should have access to versus 

279
00:15:30,000 --> 00:15:32,600
something that I've always had 
access to, which might be, you 

280
00:15:32,600 --> 00:15:34,600
know, that role that kind of 
sits behind it. 

281
00:15:34,800 --> 00:15:38,100
I think what's similar in both 
concepts is that you have 

282
00:15:38,100 --> 00:15:42,100
centralized management of that 
data, which is going to 

283
00:15:42,100 --> 00:15:44,800
ultimately drive the access. In 
role-based, 

284
00:15:44,800 --> 00:15:50,300
You're determining what data 
drives people to be in what 

285
00:15:50,300 --> 00:15:53,800
roles and then you're telling 
the applications put people in 

286
00:15:53,800 --> 00:15:57,400
these roles, versus you just 
handing the data to the 

287
00:15:57,400 --> 00:16:00,900
application and the application 
is deciding what access that 

288
00:16:00,900 --> 00:16:04,100
person should have based on 
those roles and so. 

289
00:16:04,100 --> 00:16:07,800
But in both cases, you're 
centralizing that authorization 

290
00:16:07,800 --> 00:16:11,800
data there is a scenario also 
where applications are 

291
00:16:12,100 --> 00:16:16,000
completely doing their own 
authorization management, group 

292
00:16:16,000 --> 00:16:18,000
management, enrollment, or whatever
you want to call it. 

293
00:16:18,400 --> 00:16:20,200
You want to call it or they call
it. 

294
00:16:21,200 --> 00:16:24,400
What I think is, that's usually 
a very early 

295
00:16:24,500 --> 00:16:27,700
maturity step. 
That's where you have a lot of 

296
00:16:27,700 --> 00:16:30,700
applications that have kind of 
grown up on their own. 

297
00:16:30,900 --> 00:16:34,300
And maybe you've done kind of a 
level 1 integration, where 

298
00:16:34,300 --> 00:16:36,600
you're doing single sign-on 
between the application. 

299
00:16:37,000 --> 00:16:40,800
But you haven't really started 
to pull the authorization out of

300
00:16:40,800 --> 00:16:44,900
apps and manage it at least 
manage the data centrally. 

301
00:16:45,200 --> 00:16:49,900
And so, that's kind of a, you 
know, step two or Phase 2 in 

302
00:16:50,100 --> 00:16:52,900
kind of centralized in your 
applications, is that 

303
00:16:52,900 --> 00:16:55,100
centralized management of 
authorization. 

304
00:16:55,800 --> 00:17:00,500
But Jeff, I mean, one 
thing I wanted to do earlier was

305
00:17:01,400 --> 00:17:06,099
my little rant, and my rant 
goes back to when we talk about,

306
00:17:06,099 --> 00:17:08,599
what is RBAC, right? 
And kind of, how do you get that

307
00:17:08,599 --> 00:17:12,700
bundle of sticks? 
And you know, that the two 

308
00:17:13,200 --> 00:17:19,700
methodologies that have gotten 
the most thought are around role

309
00:17:20,200 --> 00:17:25,099
mining, 
so kind of starting with the 

310
00:17:25,099 --> 00:17:28,800
data and kind of building roles 
that way, and role engineering, 

311
00:17:28,800 --> 00:17:31,100
so kind of the top-down approach,
in other words, a business 

312
00:17:31,100 --> 00:17:35,200
saying, you know, we need a 
role that does X, Y, and Z and 

313
00:17:35,200 --> 00:17:40,100
then kind of building a role 
around that. And, you know, my 

314
00:17:40,100 --> 00:17:43,300
rant, I'll just, you know, put it
in black and white terms. 

315
00:17:43,300 --> 00:17:46,700
I think role mining 
doesn't provide a lot of 

316
00:17:46,708 --> 00:17:51,300
value, at least when I've seen it
in action, and, you know, I'm sure this 

317
00:17:51,300 --> 00:17:53,500
will get a lot of heat of. 
We had a forum where people who 

318
00:17:53,500 --> 00:17:55,200
just a winner. 
Stupid. 

319
00:17:55,200 --> 00:17:58,500
You know, we got in so much 
value out of it, but, you know, 

320
00:17:58,500 --> 00:18:02,900
when I've seen examples of role 
mining working, it's, you know, 

321
00:18:03,000 --> 00:18:06,900
taking that data that you have 
about users' entitlements and it's

322
00:18:07,100 --> 00:18:11,300
saying, looks like you've got an 
access pattern here that 80% of 

323
00:18:11,300 --> 00:18:15,200
the people in this department 
have, why not give that access to

324
00:18:15,200 --> 00:18:21,000
a hundred percent of people? 
And so my thinking is because we

325
00:18:21,500 --> 00:18:24,000
don't want to give people access
that they don't need, right? 

326
00:18:24,000 --> 00:18:25,600
If 20 
percent of the people don't have

327
00:18:25,600 --> 00:18:27,700
that role, 
and they're not banging on our 

328
00:18:27,700 --> 00:18:30,500
door saying, we need that role, 
why would you create that 

329
00:18:30,500 --> 00:18:33,100
role and 
give that access to those 20% of

330
00:18:33,100 --> 00:18:36,200
the people. 
What are your thoughts on that? 

331
00:18:36,200 --> 00:18:37,700
I mean, principle of least 
privilege. 

332
00:18:37,700 --> 00:18:40,700
Every time you go into an 
organization, it seems like 

333
00:18:40,800 --> 00:18:44,300
let's say 90% of the time. 
They've got a principle of least

334
00:18:44,300 --> 00:18:47,200
privilege baked into their 
policies and standards around 

335
00:18:47,200 --> 00:18:50,300
information security. 
So I don't see why you would 

336
00:18:50,300 --> 00:18:52,900
want to give anyone access that 
they don't need. 

337
00:18:53,100 --> 00:18:56,600
Let's take a couple parts here. 
I want to get into this because 

338
00:18:57,400 --> 00:19:02,100
that was literally the next question:
does RBAC compete against 

339
00:19:02,100 --> 00:19:05,100
that concept of least 
privilege? 

340
00:19:05,400 --> 00:19:09,700
They are competing concepts. 
So when we're, you know, we're 

341
00:19:09,700 --> 00:19:11,900
talking with folks, you know, 
and having these kind of 

342
00:19:11,900 --> 00:19:16,600
conversations, it's okay, you 
know, we want to be more 

343
00:19:16,600 --> 00:19:20,200
role-based and oh, by the way, 
we have this policy that says, 

344
00:19:20,300 --> 00:19:21,700
you know, we're least privilege.
Okay. 

345
00:19:21,700 --> 00:19:26,600
Well, which is it because if 
you're assigning roles that have

346
00:19:26,600 --> 00:19:30,100
access to things that 
people don't need, then you're 

347
00:19:30,100 --> 00:19:32,300
violating the concept of least 
privilege and that's usually 

348
00:19:32,300 --> 00:19:36,400
kind of a thinking machine. 
When we're talking customers 

349
00:19:36,400 --> 00:19:38,800
and kind of thinking, okay, 
well, how is this actually going to

350
00:19:38,808 --> 00:19:41,200
work. 
And I think this kind of goes 

351
00:19:41,200 --> 00:19:44,800
back to the whole role mining and
the role engineering exercise as

352
00:19:44,800 --> 00:19:48,200
well. 
Because I do see some value in 

353
00:19:48,200 --> 00:19:53,800
the role mining, 
and I see the value of the role 

354
00:19:53,800 --> 00:19:56,400
engineering and I think that 
they're most effective when 

355
00:19:56,400 --> 00:20:00,000
they're done together. 
If you're trying to do one or 

356
00:20:00,000 --> 00:20:03,400
the other, I think it's a lot 
more difficult to see the true 

357
00:20:03,400 --> 00:20:06,100
value out of it because the way 
I see it is, you know, role 

358
00:20:06,100 --> 00:20:10,500
mining is basically digging deep
into these applications or 

359
00:20:10,500 --> 00:20:13,300
systems trying to figure out 
what are all the different 

360
00:20:13,300 --> 00:20:16,100
access rights. 
That could be in place for that 

361
00:20:16,100 --> 00:20:20,500
application and then basically 
just coming up with inventory. 

362
00:20:20,500 --> 00:20:23,600
So the mining is, you know, 
you're going out into this, 

363
00:20:23,600 --> 00:20:26,200
you know, this mine and 
down into the shaft and you're 

364
00:20:26,200 --> 00:20:29,800
trying to find, you know, the 
different nuggets of gold ore 

365
00:20:30,000 --> 00:20:33,000
and those gold ore might be 
different entitlements within 

366
00:20:33,000 --> 00:20:36,000
the application. 
It's great that you found them. 

367
00:20:37,000 --> 00:20:39,400
But what do you do about it? 
And I think that's where role 

368
00:20:39,400 --> 00:20:42,600
engineering comes in, is okay. 
Now that you know what those 

369
00:20:42,600 --> 00:20:45,600
nuggets are, what are we going 
to do about it? 

370
00:20:45,600 --> 00:20:49,700
Do we take this gold and refine 
it down to this purpose, right? 

371
00:20:49,700 --> 00:20:53,400
Or do we leave this as a raw 
material for some other purpose?

372
00:20:53,400 --> 00:20:57,000
So I see the role mining more as
a recon effort. 

373
00:20:57,100 --> 00:20:59,800
Let's figure out what's out 
there which is good right? 

374
00:20:59,800 --> 00:21:01,400
You want to know? 
Because if you're trying to 

375
00:21:01,400 --> 00:21:04,700
protect an application and you 
don't protect, you 

376
00:21:04,708 --> 00:21:08,300
know, the rights that allow edit
access to a database table and 

377
00:21:08,500 --> 00:21:10,800
things go haywire. 
That's not going to be good 

378
00:21:10,800 --> 00:21:12,400
either. 
So you kind of have to know both

379
00:21:13,300 --> 00:21:15,700
and then the engineering comes 
from working with the 

380
00:21:15,700 --> 00:21:16,800
businesses. 
To say, okay. 

381
00:21:17,000 --> 00:21:19,500
Let's talk about what are we 
going to give access to people 

382
00:21:20,300 --> 00:21:23,900
and then how does that work with 
least privilege 

383
00:21:23,900 --> 00:21:27,800
and the concept of roles? Because
there certainly is a lot of 

384
00:21:27,800 --> 00:21:29,900
risk-based decisions that 
I think can be made there 

385
00:21:30,000 --> 00:21:33,400
around, you know, let's, let's 
take the cafeteria menu for 

386
00:21:33,400 --> 00:21:37,300
example. 
Do we really care if everyone has

387
00:21:37,300 --> 00:21:40,500
access to that? You know, maybe 
it was not granted to 

388
00:21:40,508 --> 00:21:42,900
certain people, maybe it was a 
mistake or maybe it's a new app 

389
00:21:42,900 --> 00:21:46,300
that just didn't get backfilled 
to the people who were here 

390
00:21:46,300 --> 00:21:49,100
before the app, right? 
Probably not right. 

391
00:21:49,100 --> 00:21:51,600
The risk is low. 
Do we really care for having 

392
00:21:51,600 --> 00:21:54,000
chicken on Friday or, you know, 
or ribs or whatever? 

393
00:21:54,000 --> 00:21:58,700
Maybe you know, that's okay. 
But if there are more sensitive 

394
00:21:58,700 --> 00:22:03,000
accesses then yeah you probably 
do care and maybe the role that 

395
00:22:03,000 --> 00:22:05,700
you thought would be good for 
an entire team or a 

396
00:22:05,708 --> 00:22:10,000
department, needs to be split up
because you want to keep with 

397
00:22:10,000 --> 00:22:12,600
that, you know, concept of least
privilege. 

398
00:22:12,600 --> 00:22:15,700
So I think there's value in the 
role 

399
00:22:15,700 --> 00:22:17,900
engineering and in the mining, and
the mining isn't just finding 

400
00:22:17,900 --> 00:22:20,100
the applications or the 
entitlements, right? 

401
00:22:20,100 --> 00:22:23,200
It can also be what do the 
people have? 

402
00:22:23,200 --> 00:22:26,400
And I see that as just an 
intelligence report that comes 

403
00:22:26,400 --> 00:22:29,500
back to eventually someone in 
the engineering side of things 

404
00:22:29,500 --> 00:22:32,200
whether it's the role owner, the
role developer, you know, 

405
00:22:32,200 --> 00:22:34,800
whatever it might be, whatever 
person's handling that, to say okay. 

406
00:22:34,800 --> 00:22:36,500
Yeah. 
Jim and Jeff both have this 

407
00:22:36,500 --> 00:22:41,800
access, but Jim has this other 
access and Jeff doesn't. Is 

408
00:22:41,800 --> 00:22:43,700
that appropriate? 
Maybe it is. 

409
00:22:43,700 --> 00:22:44,800
Maybe it isn't. 
Right. 

410
00:22:44,900 --> 00:22:47,300
And I think, you know, whatever 
the differences are comes down 

411
00:22:47,300 --> 00:22:49,100
to risk. 
If it's because Jim knows 

412
00:22:49,100 --> 00:22:52,100
that we're having chicken on 
Friday and Jeff walks into the 

413
00:22:52,100 --> 00:22:54,600
cafeteria, you know, back in the
day when we could actually go 

414
00:22:54,600 --> 00:22:57,600
into buildings, 
and is surprised when the 

415
00:22:57,608 --> 00:23:01,100
menu comes up, maybe that's a 
risk we're willing to accept, or 

416
00:23:01,100 --> 00:23:04,400
maybe I'm just a really picky 
eater and I need to have 

417
00:23:04,600 --> 00:23:07,100
the menu in front of me before, 
I'm going to waste my time 

418
00:23:07,100 --> 00:23:09,100
walking down to the cafeteria, just
to find out, we're having the 

419
00:23:09,100 --> 00:23:11,500
same old thing. 
So, that's how I kind of look at

420
00:23:11,500 --> 00:23:13,100
it. 
You know, between the two, I 

421
00:23:13,100 --> 00:23:16,400
think, if you take a real 
philosophical approach, that's 

422
00:23:16,400 --> 00:23:17,800
probably not the right approach,
right? 

423
00:23:17,800 --> 00:23:21,200
There's good 
value out of doing data 

424
00:23:21,200 --> 00:23:25,900
mining. 
And, you know, we use the 

425
00:23:25,900 --> 00:23:31,700
cafeteria menu example because 
nobody cares, right? 

426
00:23:32,400 --> 00:23:34,600
Everybody has access to the 
cafeteria menu. 

427
00:23:34,600 --> 00:23:38,000
Like, no one, no one should care
anyway. 

428
00:23:40,300 --> 00:23:43,500
But that, you know, made me 
think of a few things. 

429
00:23:43,500 --> 00:23:47,500
One was I saw a really good 
presentation, and I don't know 

430
00:23:47,500 --> 00:23:51,500
who to attribute it to, but it 
got into access management 

431
00:23:51,500 --> 00:23:56,400
fatigue: managers getting so many
requests for access that they 

432
00:23:57,000 --> 00:23:59,600
eventually just started 
rubber-stamping because they 

433
00:23:59,600 --> 00:24:01,400
didn't have time to think 
about it. 

434
00:24:01,400 --> 00:24:02,900
You know, we're all busy during 
the day. 

435
00:24:02,900 --> 00:24:06,200
We're doing our job. 
Then you layer on all this kind 

436
00:24:06,200 --> 00:24:08,700
of red tape. 
But if you really boil that down

437
00:24:08,700 --> 00:24:13,600
to only send a question to the 
approver, when it's actually 

438
00:24:13,600 --> 00:24:18,600
something that is worthy of an 
actual review, then you can get 

439
00:24:18,600 --> 00:24:23,000
to the point where you actually 
have deep thought put into it. 

440
00:24:23,000 --> 00:24:26,000
So you never asked about the 
cafeteria menu, but you always 

441
00:24:26,000 --> 00:24:29,900
ask about access to SAP or 
whatever 

442
00:24:30,100 --> 00:24:33,400
the financial system is, and 
then you have to decide 

443
00:24:33,400 --> 00:24:37,600
everything in between whether or
not that requires somebody to 

444
00:24:38,200 --> 00:24:43,300
review that approval. 
Another thought I've run into 

445
00:24:43,300 --> 00:24:47,500
over time is with least privilege,
applying that to privileged 

446
00:24:47,500 --> 00:24:50,300
access management. 
So it's kind of the same concept

447
00:24:50,300 --> 00:24:54,500
around assigning: what is the 
risk of the access? 

448
00:24:54,500 --> 00:24:57,500
And that's an area where roles 
can be very valuable, right? 

449
00:24:57,600 --> 00:25:02,800
Because You know, if you have, I
think philosophically speaking 

450
00:25:02,800 --> 00:25:04,900
anyway, you should have fewer 
roles than you have 

451
00:25:04,900 --> 00:25:06,500
entitlements, right? 
Yeah, the idea is 

452
00:25:06,500 --> 00:25:10,100
you should be bundling those 
sticks and you're not creating 

453
00:25:10,600 --> 00:25:13,400
more bundles of sticks than there
actually were sticks. 

454
00:25:13,700 --> 00:25:19,000
So, if you can get to that 
smaller number, it becomes an 

455
00:25:19,000 --> 00:25:23,700
exercise that is more feasible. 
In terms of actually assigning a

456
00:25:23,700 --> 00:25:27,000
risk value. 
Something that can be used to 

457
00:25:27,000 --> 00:25:31,400
determine what are the operator 
controls around 

458
00:25:31,400 --> 00:25:34,400
that access. You touched on the 
design there, right, a little bit

459
00:25:34,400 --> 00:25:35,800
around, you know, what do these 
bundles 

460
00:25:35,800 --> 00:25:38,500
look like? 
How does someone get started 

461
00:25:38,500 --> 00:25:43,300
designing roles or going down 
the RBAC or ABAC path for 

462
00:25:43,300 --> 00:25:46,300
their organizations? 
Well, I think it's, I think it's

463
00:25:46,300 --> 00:25:50,100
probably like a lot of IAM 
things and you have to look at 

464
00:25:50,500 --> 00:25:52,700
trying to get your low-hanging 
fruit first. 

465
00:25:52,700 --> 00:25:54,200
Great. 
The way I always think about RBAC

466
00:25:54,200 --> 00:25:56,500
is you start talking about RBAC 
with people. 

467
00:25:57,000 --> 00:26:00,800
I tend to think people think 

468
00:26:00,800 --> 00:26:03,900
it's all or nothing, right? 
You're either doing everything 

469
00:26:03,900 --> 00:26:06,200
through RBAC or you're doing 
nothing through RBAC, and 

470
00:26:06,800 --> 00:26:10,200
when you see organizations that 
are actually on the RBAC 

471
00:26:10,200 --> 00:26:13,300
path, they usually never have a 
finish line, right? They're 

472
00:26:13,300 --> 00:26:17,100
doing a lot of things with RBAC, 
and where I think 

473
00:26:17,100 --> 00:26:21,200
organizations to get the most 
value is the things that they 

474
00:26:21,200 --> 00:26:24,100
can automate. 
So it's that birthright access, 

475
00:26:24,200 --> 00:26:28,200
getting someone started on day 
one so that they have, whatever it is,

476
00:26:28,200 --> 00:26:33,700
80% of the access that they need
in order to do their job and 

477
00:26:33,700 --> 00:26:39,100
then beyond that, it's now you 
have to start getting into the 

478
00:26:40,000 --> 00:26:43,100
tougher stuff. 
So building those roles that are

479
00:26:43,500 --> 00:26:47,600
around functional teams or 
functional jobs within the 

480
00:26:47,600 --> 00:26:51,300
organization and tying off the 
access, and it really requires 

481
00:26:51,300 --> 00:26:55,600
somebody with expertise on what 
is the access that you need in 

482
00:26:55,600 --> 00:26:57,500
order to make that successful. 

483
00:26:57,700 --> 00:27:01,100
And so you need to pull in 
people from the business and 

484
00:27:01,300 --> 00:27:07,200
really where I think IAM teams 
and IT teams should spend their 

485
00:27:07,200 --> 00:27:09,900
time. 
There is with the business units

486
00:27:09,900 --> 00:27:14,400
that really want to step to the 
table and invest the time to do 

487
00:27:14,400 --> 00:27:16,400
this. 
So in other words, if somebody's

488
00:27:16,400 --> 00:27:19,400
going to play along, you're 
going to get a lot further than 

489
00:27:19,400 --> 00:27:23,000
if you feel like you're dragging
them into it and there you're 

490
00:27:23,200 --> 00:27:25,400
making them do something that 
they don't want to do. 

491
00:27:25,600 --> 00:27:30,100
And those other groups that are 
not participating, when they 

492
00:27:30,100 --> 00:27:33,000
see this success as being 
bred by the teams that are 

493
00:27:33,000 --> 00:27:36,100
participating, they'll want to 
participate as well. 

494
00:27:36,300 --> 00:27:40,000
So that's kind of I think the 
approach is think big but know 

495
00:27:40,000 --> 00:27:43,000
that you have to kind of start 
small and where you start is 

496
00:27:43,000 --> 00:27:46,900
with the low-hanging fruit stuff
you can automate from and then 

497
00:27:46,900 --> 00:27:50,400
when it gets into the tougher 
stuff, you know, first work with

498
00:27:50,400 --> 00:27:54,000
the teams that really see the 
value and are willing to invest 

499
00:27:54,000 --> 00:27:56,100
their time into making this 
successful. 

500
00:27:56,200 --> 00:27:59,400
Yeah, I like the concept of 
starting big and starting micro,

501
00:28:00,300 --> 00:28:02,500
you know, maybe it's macro-micro,
right? 

502
00:28:02,500 --> 00:28:06,300
When I say that what I mean, is,
you know, let's figure out. 

503
00:28:06,400 --> 00:28:09,600
Are you an employee, right? 
It's kind of a basic decision. 

504
00:28:09,600 --> 00:28:12,500
Maybe you're an employee. 
Maybe you're a contractor, or maybe

505
00:28:12,500 --> 00:28:14,100
you're a vendor or an intern, 
you know, whatever. 

506
00:28:14,100 --> 00:28:17,900
Maybe start with those giant 
roles that you can answer 

507
00:28:17,900 --> 00:28:22,100
relatively easily and try to 
figure out if there are things 

508
00:28:22,100 --> 00:28:23,900
that are in common that all 
employees 

509
00:28:23,900 --> 00:28:27,100
get, maybe it's VPN access. 
Great. 

510
00:28:27,300 --> 00:28:29,000
Now, you've got something, you 
can add to that, maybe it is the 

511
00:28:29,008 --> 00:28:31,500
cafeteria schedule, right? 
Maybe it's a company intranet 

512
00:28:31,500 --> 00:28:34,000
site, something like that. 
So you start with these very 

513
00:28:34,000 --> 00:28:37,400
broad roles and that's okay 
because you got to start 

514
00:28:37,400 --> 00:28:42,600
somewhere and then I like to 
start by dogfooding roles with 

515
00:28:42,600 --> 00:28:44,900
my own team. 
So what I mean by that is 

516
00:28:44,900 --> 00:28:48,700
designing roles for my own 
organization and seeing what 

517
00:28:48,700 --> 00:28:52,500
works, what doesn't work so that
I can really kind of refine the 

518
00:28:52,500 --> 00:28:56,000
process before I go to the next 
area, right? 

519
00:28:56,100 --> 00:28:57,900
Another business unit, another 
team, etc. 

520
00:28:57,900 --> 00:29:02,500
And I would certainly start with
teams that are friendly to, you 

521
00:29:02,500 --> 00:29:05,200
know, this process. 
It's a lot easier with a willing

522
00:29:05,200 --> 00:29:08,500
partner, that's for sure. 
And knowing that, you know, 

523
00:29:08,600 --> 00:29:10,500
you're there to try and help, 
and that there are going to be 

524
00:29:10,500 --> 00:29:12,500
pain points, right? 
Let's figure it out together but

525
00:29:12,500 --> 00:29:16,500
the idea is to at some point 
roll this out to the rest of the

526
00:29:16,500 --> 00:29:21,400
organization and being able to 
design those roles and figure it

527
00:29:21,400 --> 00:29:23,800
out from a macro micro type of 
way. 

528
00:29:23,800 --> 00:29:27,300
I like that approach personally 
because I think you don't push 

529
00:29:27,300 --> 00:29:29,200
off the value 
that you might be 

530
00:29:29,200 --> 00:29:31,300
getting by trying to design a 
whole bunch of roles at the 

531
00:29:31,308 --> 00:29:34,200
department level. 
You can get value out of the 

532
00:29:34,200 --> 00:29:35,400
employee or contractor, 
right? 

533
00:29:35,400 --> 00:29:37,100
That could be enough to make a 
difference. 

534
00:29:37,600 --> 00:29:40,600
And you can say all employees, 
when they onboard, they get an 

535
00:29:40,600 --> 00:29:43,900
active directory account with 
these two AD groups and this 

536
00:29:43,900 --> 00:29:46,900
Office 365 or Microsoft 365 
license. 

537
00:29:47,500 --> 00:29:51,700
That might be, you know, a good 
enough win to solve a couple of 

538
00:29:51,700 --> 00:29:54,000
pain points, maybe from an 
onboarding perspective, right? 

539
00:29:54,000 --> 00:29:58,000
It shows that you have some 
capability to get this done, 

540
00:29:58,008 --> 00:29:58,900
right? 
So you start to build 

541
00:29:58,900 --> 00:30:01,700
confidence in the organization and
that, you know, the money and 

542
00:30:01,700 --> 00:30:04,100
the time that's being invested 
into this is working. 

543
00:30:04,100 --> 00:30:06,400
So I think that is, you know, a 
big part of it. 

544
00:30:06,700 --> 00:30:09,900
And then, you basically make the
circle bigger from there or you 

545
00:30:09,900 --> 00:30:12,300
make the circle smaller from 
there, depending which angle 

546
00:30:12,300 --> 00:30:14,200
you're approaching from. 
And you can do both at the same 

547
00:30:14,200 --> 00:30:17,800
time, you know, with the 
proper, you know, management 

548
00:30:17,800 --> 00:30:19,100
around how you'd like that to 
work. 

549
00:30:19,600 --> 00:30:22,900
I think I really like your idea 
of growing 

550
00:30:22,900 --> 00:30:25,600
your own dog food. 
I think that works really well 

551
00:30:25,600 --> 00:30:29,600
with your IAM group, or whatever 
your IAM group is, or some small

552
00:30:29,600 --> 00:30:33,100
contained group. I would say 
that IT generally is one of 

553
00:30:33,100 --> 00:30:37,900
the hardest departments to take 
on in terms of Designing roles 

554
00:30:37,900 --> 00:30:41,600
for, you know, system 
administrators, database 

555
00:30:41,600 --> 00:30:43,500
administrators. 
That's where it, like, becomes 

556
00:30:43,500 --> 00:30:47,500
almost impossible and so you 
might feel like you're swimming 

557
00:30:47,500 --> 00:30:52,700
upstream 
if you start with IT. Other 

558
00:30:53,300 --> 00:30:55,700
departments can be more stable: 
HR, 

559
00:30:56,000 --> 00:31:00,500
finance, things like that, because
those roles generally tend 

560
00:31:00,500 --> 00:31:05,200
to not change as much over time 
as someone in IT does, or 

561
00:31:05,200 --> 00:31:08,100
be as costly in that group. 
Yeah, that's the point. 

562
00:31:08,100 --> 00:31:11,300
I think, you know, IT is 
probably the hardest. 

563
00:31:12,300 --> 00:31:14,300
And if you can start with 
something simple, right, you're 

564
00:31:14,300 --> 00:31:17,200
again showing the value 
sooner rather than trying to 

565
00:31:17,200 --> 00:31:18,300
tackle the really hard stuff, 
right? 

566
00:31:18,300 --> 00:31:21,600
Get the 80% that will get value 
out of the stuff that you do 

567
00:31:21,600 --> 00:31:23,900
know. 
And then either punt or figure 

568
00:31:23,900 --> 00:31:25,700
out later down the road. 
How you're going to handle the 

569
00:31:25,700 --> 00:31:28,000
rest? 
And, you know, it's okay, I 

570
00:31:28,000 --> 00:31:30,500
think to not have a role for 
every single thing that's out 

571
00:31:30,500 --> 00:31:32,100
there. 
That's just, you know, the 

572
00:31:32,100 --> 00:31:34,200
realistic way to kind of approach
this. 

573
00:31:34,200 --> 00:31:37,400
Different teams, 
different organizations, 

574
00:31:37,400 --> 00:31:39,500
different business units, 
different geographies. 

575
00:31:39,700 --> 00:31:44,000
Those will all play into whether
or not an RBAC 

576
00:31:44,000 --> 00:31:46,000
model makes sense. 
Right? 

577
00:31:46,100 --> 00:31:50,600
You may have a more mature role 
based access control for certain

578
00:31:50,600 --> 00:31:52,500
teams and a less mature in other 
areas. 

579
00:31:53,100 --> 00:31:55,600
Using the concept we've kind of 
talked about, maybe IT really 

580
00:31:55,600 --> 00:31:58,600
only has an employee role. 
Whereas, you know, Finance maybe

581
00:31:58,600 --> 00:32:01,100
has an employee role and a 
finance role. 

582
00:32:01,100 --> 00:32:03,000
And, you know, an accounts 
receivable role, right, 

583
00:32:03,000 --> 00:32:05,100
something like that, and I think 
that's okay. 

584
00:32:05,400 --> 00:32:09,400
You just have to be able to 
manage it effectively and know 

585
00:32:09,800 --> 00:32:13,800
when and where 
to pick your battles, I 

586
00:32:13,800 --> 00:32:15,300
would say. 
One other thought I was having 

587
00:32:15,300 --> 00:32:18,900
is we were talking about 
something like finance and we 

588
00:32:18,900 --> 00:32:23,000
think about, you know, ERP 
systems, a lot of times they'll 

589
00:32:23,000 --> 00:32:25,900
already have a complex role 
structure 

590
00:32:26,100 --> 00:32:29,500
in the ERP system. 
And so I think as an IAM 

591
00:32:29,500 --> 00:32:34,000
practitioner, when you're looking
to do enterprise RBAC, you 

592
00:32:34,000 --> 00:32:36,300
have to kind of set what your 
scope is. 

593
00:32:36,500 --> 00:32:40,200
I think it's a dangerous place to 
you know, volunteer that you're 

594
00:32:40,200 --> 00:32:43,500
going to go into the application
to solve the role needs within 

595
00:32:43,500 --> 00:32:45,100
the app. 
You have to start with an 

596
00:32:45,100 --> 00:32:49,700
expectation that the app has 
good enough application-level 

597
00:32:49,700 --> 00:32:55,100
roles but you know, so I think 
that's an important point and 

598
00:32:55,100 --> 00:32:57,700
the other thing I was 
going to say is just that, you 

599
00:32:57,708 --> 00:33:00,500
know, I think finance is a really
good place to start because 

600
00:33:00,500 --> 00:33:03,600
that's where you're also going 
to find a lot of segregation of 

601
00:33:03,600 --> 00:33:08,400
duties-type issues, and the IGA 
platforms, you 

602
00:33:08,400 --> 00:33:11,000
know, identity governance and 
administration platforms, 

603
00:33:11,000 --> 00:33:16,800
can tend to help build RBAC 
models and manage RBAC. 

604
00:33:17,800 --> 00:33:20,800
They do a pretty good job 
generally speaking in terms of 

605
00:33:20,800 --> 00:33:24,400
identifying segregation of 
duties and then baking those 

606
00:33:24,400 --> 00:33:27,300
into the access request and 
access review process. 

607
00:33:27,300 --> 00:33:31,800
So you kind of get a double 
benefit if you focus on that area and

608
00:33:31,800 --> 00:33:35,600
you're able to roll in SoD as 
part of role management. 

609
00:33:35,700 --> 00:33:37,700
I'm glad you mentioned 
segregation of duties because 

610
00:33:37,700 --> 00:33:40,600
that's something that we 
definitely see a lot especially 

611
00:33:40,600 --> 00:33:43,200
in, you know, ERP and finance 
apps, things like that. 

612
00:33:44,000 --> 00:33:49,100
And that's usually where we see 
relatively decent if not good. 

613
00:33:49,300 --> 00:33:52,200
You know, controls around what 
the roles do because there is 

614
00:33:52,200 --> 00:33:57,200
some, you know, more judicious 
thinking around who should have 

615
00:33:57,200 --> 00:33:58,800
access to what in financial 
systems. 

616
00:33:58,800 --> 00:34:03,100
Those sorts of things. Where we 
see a lot of organizations kind 

617
00:34:03,100 --> 00:34:06,100
of fall down is cross-application
SoDs. 

618
00:34:06,200 --> 00:34:09,699
So they may be really good at 
managing SAP and, you know, 

619
00:34:09,699 --> 00:34:11,800
having the appropriate checks 
and balances there. 

620
00:34:12,199 --> 00:34:17,699
But where the challenge comes in
is if you have, you know, across

621
00:34:17,699 --> 00:34:20,000
different applications. 
So maybe not only are you an 

622
00:34:20,000 --> 00:34:23,600
administrator in SAP. 
Maybe you're also an 

623
00:34:23,600 --> 00:34:25,900
administrator on this other 
application. 

624
00:34:26,000 --> 00:34:28,900
That is kind of outside the 
purview of finance. 

625
00:34:28,900 --> 00:34:31,800
That makes a toxic combination, 
you know, something that 

626
00:34:32,800 --> 00:34:35,100
introduces more risk to a 
certain process, you know, 

627
00:34:35,107 --> 00:34:37,600
things like that. 
So this is I think also an area 

628
00:34:37,600 --> 00:34:42,600
where there is the potential to 
leverage roles and the different

629
00:34:42,600 --> 00:34:45,300
access controls, once you're 
aware of them, to say, 

630
00:34:45,300 --> 00:34:48,900
hey we have more visibility now 
of what people have access to 

631
00:34:48,900 --> 00:34:50,800
and what they can do. 
Not only within a system but 

632
00:34:50,800 --> 00:34:53,500
across systems. 
Does that make sense? 

633
00:34:53,900 --> 00:34:56,600
Do we want to keep that going or
do we need to think of a control

634
00:34:56,600 --> 00:34:59,700
to, you know, address that? I 
think when we have these 

635
00:34:59,700 --> 00:35:03,800
conversations, one other 
thing that everyone who's 

636
00:35:03,800 --> 00:35:07,300
listening needs to keep in mind 
is that, you know, we try to 

637
00:35:07,300 --> 00:35:09,700
make it as generic advice, 
right? 

638
00:35:09,700 --> 00:35:11,900
Or generic concepts 
we're talking about, but 

639
00:35:12,100 --> 00:35:15,500
especially when it comes to, 
like, role management and the 

640
00:35:15,500 --> 00:35:19,400
segregation of duties within ERP
systems, it's going to be a lot 

641
00:35:19,400 --> 00:35:23,200
different for a 500-person 
organization versus a 50,000-

642
00:35:23,200 --> 00:35:27,300
person organization, and you 
know, you're going to have to take

643
00:35:27,300 --> 00:35:31,400
the advice and then kind of feed
it in as one data point, but I'm

644
00:35:31,400 --> 00:35:35,600
sure either way our fellow 
IAM practitioners out there 

645
00:35:35,600 --> 00:35:39,300
have become expert at doing this
within their organization and 

646
00:35:39,300 --> 00:35:41,400
kind of are able to take these 
data points. 

647
00:35:41,700 --> 00:35:43,800
It's something where we're 
really talking here around, kind

648
00:35:43,800 --> 00:35:46,700
of like guiding principles. 
And how do we, how do we move 

649
00:35:46,700 --> 00:35:49,400
forward with this? 
It is very hard to do. 

650
00:35:49,800 --> 00:35:52,700
You know, I said it before, 
these are generally at least a 

651
00:35:52,707 --> 00:35:55,800
year, multi-year long projects 
to do. 

652
00:35:56,000 --> 00:35:59,400
The mining right, finds the 
entitlements, and then figure 

653
00:35:59,400 --> 00:36:01,200
out. 
What do they do? 

654
00:36:01,200 --> 00:36:03,700
Do they make sense? 
How are we going to, you know, 

655
00:36:03,700 --> 00:36:05,700
construct, those bundles of 
sticks, right? 

656
00:36:05,700 --> 00:36:09,300
Those sorts of things. 
So, it is difficult and it is 

657
00:36:09,300 --> 00:36:12,000
something that can be done, but 
don't get, you know, don't get 

658
00:36:12,000 --> 00:36:16,400
too, I think, lost in the weeds, 
especially if you can start to 

659
00:36:16,600 --> 00:36:19,400
address some of the macro type 
of role situations. 

660
00:36:19,900 --> 00:36:22,400
So maybe we should talk a little
bit about some of the guiding 

661
00:36:22,400 --> 00:36:26,800
principles for role management 
that we've kind of talked about,

662
00:36:26,800 --> 00:36:29,300
you know, around here in this 
conversation but also maybe some

663
00:36:29,300 --> 00:36:30,400
more things we haven't mentioned
yet. 

664
00:36:30,400 --> 00:36:34,100
Maybe we can start with what 
makes a good role versus not a 

665
00:36:34,107 --> 00:36:36,200
good role. 
One of the things there is a 

666
00:36:36,200 --> 00:36:39,200
good role is going to be used a 
lot. 

667
00:36:39,800 --> 00:36:43,600
The business is going to 
understand what it does and it's

668
00:36:43,600 --> 00:36:46,500
going to apply to more than one 
person. 

669
00:36:46,800 --> 00:36:50,900
It's going to confer more than 
one small piece of access. 

670
00:36:51,800 --> 00:36:55,300
So the more it's used, the more 
people it applies to, the better

671
00:36:55,300 --> 00:36:57,800
the role is. 
What are some of your thoughts? 

672
00:36:58,000 --> 00:36:59,900
Yeah, I like to keep it simple, 
right? 

673
00:36:59,900 --> 00:37:01,700
Don't create roles unless you 
need them. 

674
00:37:01,900 --> 00:37:03,800
It's the same thing. 
You know, don't create an 

675
00:37:03,800 --> 00:37:05,100
Active Directory group if you 
don't need it. 

676
00:37:05,107 --> 00:37:08,200
Don't create, you know, any type
of entitlement you're just 

677
00:37:08,200 --> 00:37:09,600
creating more work for no 
reason. 

678
00:37:09,600 --> 00:37:13,200
So, take a look at the way 
things are constructed and 

679
00:37:13,200 --> 00:37:15,500
figure out if you actually need 
to spend the time doing it. 

680
00:37:15,500 --> 00:37:19,100
And maybe, you know, if one 
person has this access and they 

681
00:37:19,100 --> 00:37:21,000
use it, you know, so 
infrequently. 

682
00:37:21,000 --> 00:37:23,500
Maybe it does make sense to 
leave it out of a role and make it

683
00:37:23,500 --> 00:37:27,700
more, you know, on-demand 
requestable, or however you kind

684
00:37:27,700 --> 00:37:29,800
of like to work through that. 
So I think that makes sense, 

685
00:37:30,000 --> 00:37:32,700
right? 
What about a framework? 

686
00:37:32,700 --> 00:37:35,900
So we've talked a little bit 
about birthright and requestable

687
00:37:35,900 --> 00:37:39,200
roles, and I feel like that's a 
pretty good framework to kind of

688
00:37:39,207 --> 00:37:42,900
start with when it comes to 
getting started with, how do you

689
00:37:42,900 --> 00:37:46,200
want to, you know, figure out 
which bundles of sticks, you 

690
00:37:46,200 --> 00:37:48,400
want to create and how they're 
going to be constructed. 

691
00:37:48,800 --> 00:37:51,500
Maybe we can, we can talk a 
little about that, right? 

692
00:37:51,500 --> 00:37:53,500
Yeah. 
I mean, I think a framework 

693
00:37:53,500 --> 00:37:57,900
means a way of thinking 
about a problem and something 

694
00:37:57,900 --> 00:38:02,100
that is reusable and solvable. 
So to me, it's setting yourself 

695
00:38:02,100 --> 00:38:06,300
up with a series of questions 
that you can ask about, you 

696
00:38:06,300 --> 00:38:09,700
know, as kind of a workflow 
almost of questions you would 

697
00:38:09,700 --> 00:38:13,700
ask yourself in terms of 
building a role: is it a good 

698
00:38:13,700 --> 00:38:16,000
birthright role? 
That's what you would want, 

699
00:38:16,000 --> 00:38:18,200
ideally, right? 
Because I think you want to 

700
00:38:18,700 --> 00:38:22,800
automate access where possible. 
If not, 

701
00:38:22,800 --> 00:38:24,800
can you make a good requestable 
role? 

702
00:38:25,100 --> 00:38:27,600
And if not, does it even make 
sense to have as a role? 

703
00:38:27,600 --> 00:38:31,500
So, the kind of questions you've 
got to ask yourself are, can I define

704
00:38:31,500 --> 00:38:33,800
the user type? 
So if we're using the example of

705
00:38:33,800 --> 00:38:37,800
interns, yes, I can, you know, 
interns are a distinct group of 

706
00:38:37,800 --> 00:38:43,200
people. Does an 
authoritative 

707
00:38:43,200 --> 00:38:49,300
source exist for that user type?
So maybe in our HR system we 

708
00:38:49,300 --> 00:38:51,900
have intern as a 
designation. 

709
00:38:52,100 --> 00:38:54,500
If we do, we can still go down 
that path. 

710
00:38:54,500 --> 00:38:59,800
Then it could be, you know, we 
could still be going down the 

711
00:38:59,800 --> 00:39:01,400
path of having a birthright 
role. 

712
00:39:01,800 --> 00:39:05,600
If it's not in the 
authoritative Source like the 

713
00:39:05,600 --> 00:39:09,100
Workday system or the HR 
System, then it would have to be

714
00:39:09,100 --> 00:39:12,100
a requestable role, right? 
There's no way to automate the 

715
00:39:12,100 --> 00:39:14,800
idea that somebody is in that
grouping. 

716
00:39:15,700 --> 00:39:18,500
Another question would be kind 
of defining entitlement pattern 

717
00:39:18,500 --> 00:39:22,500
or access pattern. 
So in other words do interns 

718
00:39:22,500 --> 00:39:27,200
actually have to you know, 
access the same soup of data 

719
00:39:27,400 --> 00:39:30,900
across all the entire intern 
population, or is there 

720
00:39:30,900 --> 00:39:34,400
some subset of data within the 
organization that they do all 

721
00:39:34,400 --> 00:39:37,700
need access to? 
And then is the membership 

722
00:39:37,700 --> 00:39:40,500
volatile? 
So the example I'm going to give 

723
00:39:40,500 --> 00:39:43,600
here is that I worked with an 
organization that would 

724
00:39:43,600 --> 00:39:45,800
change their cost centers very 
frequently. 

725
00:39:45,800 --> 00:39:49,000
And so even though it seemed 
like at one point your cost 

726
00:39:49,000 --> 00:39:52,000
center could be used, it was 
coming from an authoritative 

727
00:39:52,000 --> 00:39:54,400
source. 
It did define some access 

728
00:39:54,400 --> 00:39:56,500
patterns, because if you're in 
certain cost centers, 

729
00:39:56,500 --> 00:40:00,100
it kind of meant that you needed
access to certain things. 

730
00:40:00,300 --> 00:40:04,700
However, it was volatile. It 
changed so often for people as 

731
00:40:04,700 --> 00:40:07,100
they did these reorganizations 
that it 

732
00:40:07,100 --> 00:40:09,500
actually did not make a good 
role. 

733
00:40:09,500 --> 00:40:14,700
So the intern type is 
usually not volatile, right? 

734
00:40:14,700 --> 00:40:17,300
People are, yes, they're interns 
and then they can move on to 

735
00:40:17,300 --> 00:40:20,500
something else or leave the 
organization but they're not 

736
00:40:20,500 --> 00:40:23,300
switching between different types 
of interns all the time. 

737
00:40:23,600 --> 00:40:27,500
If they are, then it potentially 
wouldn't qualify as, you

738
00:40:27,500 --> 00:40:31,100
know, a potential birthright role. 
That to me is what the framework

739
00:40:31,100 --> 00:40:34,300
is all about is being able to 
kind of walk yourself through a 

740
00:40:34,300 --> 00:40:37,800
questionnaire and being able to 
determine whether or not you're 

741
00:40:37,800 --> 00:40:42,400
creating a birthright role or a 
requestable role, or, you know, 

742
00:40:42,400 --> 00:40:45,600
that population doesn't make for
a pretty good role. 

743
00:40:45,800 --> 00:40:47,200
Yeah. 
I think you touched on a couple 

744
00:40:47,200 --> 00:40:49,500
of important things there and 
especially around data quality 

745
00:40:49,600 --> 00:40:53,600
and coming from HR and other 
authoritative sources like 

746
00:40:53,600 --> 00:40:58,100
Workday, SAP, Oracle, etc. 
You know, a lot of these 

747
00:40:58,100 --> 00:41:02,000
access decisions are going to be
driven by the quality, and the 

748
00:41:02,000 --> 00:41:04,200
timeliness of the data in those 
systems. 

749
00:41:04,200 --> 00:41:06,600
So that's something that you 
also want to take into 

750
00:41:06,600 --> 00:41:10,200
consideration when you're 
talking about how these roles 

751
00:41:10,200 --> 00:41:12,100
are going to be constructed. 
And then, where is the data 

752
00:41:12,100 --> 00:41:16,300
going to come from, and from 
when, right? If someone 

753
00:41:16,300 --> 00:41:20,500
gets loaded into Workday the 
day of their hire, that might 

754
00:41:20,500 --> 00:41:23,100
not be a good spot to drive 
automation from a birthright 

755
00:41:23,100 --> 00:41:25,200
role perspective. So maybe, 
you know, things end up being 

756
00:41:25,200 --> 00:41:27,600
more of a requestable role 
because you don't 

757
00:41:27,600 --> 00:41:30,600
have the data in the time that 
you need it to be most 

758
00:41:30,600 --> 00:41:31,700
effective. 
So I think that's something that

759
00:41:31,700 --> 00:41:34,300
also kind of consider, you know,
any time you talk about automation, 

760
00:41:34,300 --> 00:41:35,400
right? 
And I think this is something 

761
00:41:35,400 --> 00:41:38,600
that you grow into. 
You don't want to automate all 

762
00:41:38,600 --> 00:41:40,900
the things all the time. 
You probably want to pick where 

763
00:41:40,900 --> 00:41:43,200
you get the biggest bang and 
where you feel the most 

764
00:41:43,200 --> 00:41:46,600
comfortable and safe from a 
maturity standpoint, to be able 

765
00:41:46,600 --> 00:41:48,600
to assign access in an automated
fashion. 

766
00:41:48,600 --> 00:41:50,900
You don't want to, you know, 
create a role and it has the 

767
00:41:50,900 --> 00:41:53,300
wrong access in it and you just 
gave it to everybody and put 

768
00:41:53,300 --> 00:41:54,600
your organization at risk. 
Yeah. 

769
00:41:54,600 --> 00:41:56,900
There's something else there 
with the automation 

770
00:41:56,900 --> 00:42:03,300
pieces, typically organizations 
are getting that data from an HR

771
00:42:03,300 --> 00:42:07,400
System, right? 
So those HR processes get bound 

772
00:42:07,400 --> 00:42:10,700
to your processes for assigning
access, right? 

773
00:42:10,700 --> 00:42:15,000
So there is some governance
required there and that kind of 

774
00:42:15,000 --> 00:42:18,400
also comes down to how stable 
that data is, right? 

775
00:42:18,400 --> 00:42:21,100
If it's being changed, if, 
you know, you're trying to 

776
00:42:21,100 --> 00:42:27,000
drive access off of something 
that, you know, the code or job 

777
00:42:27,000 --> 00:42:29,800
code. 
Those job codes wind up 

778
00:42:29,800 --> 00:42:32,900
changing every couple of years. 
You could, you know, create 

779
00:42:32,900 --> 00:42:33,800
havoc. 
Yeah. 

780
00:42:33,800 --> 00:42:35,300
Absolutely. 
It's got to be. 

781
00:42:35,700 --> 00:42:38,400
This is where the tight 
integration between HR and IAM 

782
00:42:38,400 --> 00:42:42,400
really kind of hits the most 
because it's okay to make those 

783
00:42:42,400 --> 00:42:44,700
changes. 
What's not okay, is to not let 

784
00:42:44,700 --> 00:42:47,500
the IAM team know when those 
changes are being made, because 

785
00:42:47,500 --> 00:42:49,400
that certainly affects a lot 
of things down the stream. 

786
00:42:49,400 --> 00:42:53,200
So having a good relationship 
with HR, HR IT, whatever the 

787
00:42:53,200 --> 00:42:55,700
right, you know, term is for 
your organization and where that

788
00:42:55,800 --> 00:42:58,200
authoritative data is coming 
from makes sense, and maybe it's

789
00:42:58,200 --> 00:43:01,200
not HR, right? 
Maybe contractors or vendors are

790
00:43:01,200 --> 00:43:04,200
managed by Finance team or maybe
they're not being managed at 

791
00:43:04,200 --> 00:43:05,700
all. 
See it a lot, too. 

792
00:43:06,200 --> 00:43:10,500
So trying to design around those
types of issues, you know, we're

793
00:43:10,500 --> 00:43:12,400
not going to have the answer 
right here in this conversation,

794
00:43:12,400 --> 00:43:15,700
but at least bring it up so that
it can be addressed as part of 

795
00:43:15,700 --> 00:43:17,200
what is the overall role 
strategy. 

796
00:43:17,400 --> 00:43:19,900
That's right. 
So I think, you know, we've 

797
00:43:19,900 --> 00:43:22,000
covered quite a bit today and 
it, you know, there's some other

798
00:43:22,000 --> 00:43:24,900
things that we probably could 
probably touch on, you know, you

799
00:43:24,900 --> 00:43:27,100
want to have measurable 
results when it comes to that. 

800
00:43:27,100 --> 00:43:29,300
You don't want to create roles 
that are unnecessary, right? 

801
00:43:29,300 --> 00:43:32,500
Keeping it simple, making sure 
that the roles are easily 

802
00:43:32,500 --> 00:43:35,300
understood. 
So using plain language to 

803
00:43:35,300 --> 00:43:39,200
describe what the role is and 
what it does, you know, that'll 

804
00:43:39,200 --> 00:43:42,900
help people not only request it 
but also approve it and 

805
00:43:43,100 --> 00:43:46,600
hopefully you get out of 
the rubber stamping situation 

806
00:43:46,600 --> 00:43:49,700
where, you know, a manager or 
whoever is responsible for the 

807
00:43:49,700 --> 00:43:51,000
access, 
you know, 

808
00:43:51,000 --> 00:43:53,300
just says, yeah, it's okay, 
because of apathy, they don't 

809
00:43:53,300 --> 00:43:57,100
care or because of fear, right? 
They may be afraid to take away

810
00:43:57,100 --> 00:44:00,100
something, because then someone 
can't do their job and it ends up 

811
00:44:00,100 --> 00:44:03,300
becoming a, you know, 3 AM call on a
Saturday or something like that.

812
00:44:03,300 --> 00:44:07,400
I think you also have to think about the
fact that you know, people 

813
00:44:07,400 --> 00:44:09,600
retire and leave the 
organization over time. 

814
00:44:09,600 --> 00:44:13,100
Other people are going to 
inherit that ownership of roles 

815
00:44:13,100 --> 00:44:16,000
and they need to be able to 
inherit them and understand what

816
00:44:16,000 --> 00:44:18,400
they do. 
Yeah, the inheritance is a 

817
00:44:18,408 --> 00:44:21,400
strategy that, you know, you don't
want to break the chain, right? 

818
00:44:21,400 --> 00:44:26,700
So if someone owns a role and 
they leave the organization, my 

819
00:44:26,700 --> 00:44:29,700
basic philosophy is okay that 
person's manager should now 

820
00:44:29,700 --> 00:44:32,200
become the owner of that role 
until they tell me who is 

821
00:44:32,200 --> 00:44:35,700
going to do it instead of them. 
So that way you don't have this 

822
00:44:35,700 --> 00:44:38,100
role hanging out there that 
doesn't have an owner or has a 

823
00:44:38,107 --> 00:44:40,200
gap, you know, in some way, 
whether it's approval structure,

824
00:44:40,200 --> 00:44:42,900
whatever. 
So I think being able to come up

825
00:44:42,900 --> 00:44:45,600
with, you know, standard 
processes around, that doesn't 

826
00:44:45,600 --> 00:44:48,200
mean that they permanently own 
it, but someone has to own it 

827
00:44:48,500 --> 00:44:51,800
and you want to make sure that, 
you know, you keep that link 

828
00:44:52,300 --> 00:44:54,600
between the two things in place.
Yeah. 

829
00:44:54,600 --> 00:44:56,600
And you mentioned something 
about measurable. 

830
00:44:56,600 --> 00:45:03,400
I think that can be using some 
measures or some metrics. 

831
00:45:03,900 --> 00:45:08,200
As you're rolling out roles, to 
know how many roles have owners 

832
00:45:08,200 --> 00:45:11,100
or even if you're earlier on, 
like groups, do they have owners, 

833
00:45:11,100 --> 00:45:14,400
do they have descriptions 
that are usable? You know, 

834
00:45:14,400 --> 00:45:17,500
you can use that to make sure 
that you're closing the gap. 

835
00:45:17,500 --> 00:45:21,400
But then also, as you've really 
gotten a head of steam around 

836
00:45:21,600 --> 00:45:26,200
using roles, how many roles are,
you know, how many people 

837
00:45:26,200 --> 00:45:29,300
belong in a role? 
How often is that role assigned?

838
00:45:29,600 --> 00:45:35,400
What you find is, if you have low 
use of a role, it's probably one

839
00:45:35,400 --> 00:45:37,100
that you want to reach out to 
the business. 

840
00:45:37,100 --> 00:45:38,900
Say, hey, do you still need this, 
right? 

841
00:45:38,900 --> 00:45:42,300
We see that you're not using it 
very often or there's only one 

842
00:45:42,300 --> 00:45:45,600
member of the role. Is this, you 
know, something that's 

843
00:45:45,600 --> 00:45:48,300
worth us 
investing our time into having a

844
00:45:48,300 --> 00:45:51,100
role like this? 
Maybe it is, maybe it isn't. 

845
00:45:51,100 --> 00:45:55,700
But that's where that data 
can potentially, you know, be used 

846
00:45:55,900 --> 00:45:58,700
as metrics. 
Metrics don't only have to be to 

847
00:45:58,700 --> 00:46:01,000
communicate out to the 
organization, and, hey, this is 

848
00:46:01,000 --> 00:46:02,600
what a, what a great job we're 
doing. 

849
00:46:02,600 --> 00:46:06,300
But also having those metrics to
do a better job of managing 

850
00:46:06,300 --> 00:46:07,300
yourself. 
Yep. 

851
00:46:07,300 --> 00:46:09,000
Fulfilling that role access 
review, right. 

852
00:46:09,000 --> 00:46:12,100
Sometimes you got to do some 
pruning and that's healthy and a

853
00:46:12,100 --> 00:46:13,500
way to keep it, you know, 
manageable. 

854
00:46:13,500 --> 00:46:16,900
So I totally agree with that. 
We've been going on for quite a 

855
00:46:16,900 --> 00:46:20,200
while here, role-based access 
control and, and other things 

856
00:46:20,200 --> 00:46:22,700
around it. 
Is there anything that you want 

857
00:46:22,700 --> 00:46:25,700
to bring up before we decide to 
call it for this week? 

858
00:46:25,900 --> 00:46:30,200
We did talk a little bit about 
it, but I think the technology 

859
00:46:30,200 --> 00:46:33,600
side of this is really the 
identity governance and 

860
00:46:33,600 --> 00:46:37,200
administration, IGA, space. 
And so, you know, if you're kind

861
00:46:37,200 --> 00:46:40,500
of looking to do additional 
research, one thing I would also

862
00:46:40,500 --> 00:46:42,200
say when it comes to roles, 
right? 

863
00:46:42,400 --> 00:46:44,500
Taking it from this 
philosophical discussion that 

864
00:46:44,500 --> 00:46:48,700
we've had today and turning it 
into something that's going to 

865
00:46:48,700 --> 00:46:53,100
be very tangible and real, start 
using specific terms, you know, 

866
00:46:53,100 --> 00:46:56,400
specific 
things, if you're going to adopt 

867
00:46:56,400 --> 00:46:58,800
technology. 
I recommend that if you're going

868
00:46:58,800 --> 00:47:02,700
to adopt that technology that 
you try to adopt the practices 

869
00:47:02,700 --> 00:47:07,400
and best practices built into 
that technology, IGA is the 

870
00:47:07,400 --> 00:47:11,300
space that typically does role 
management. 

871
00:47:12,100 --> 00:47:13,800
And so I just wanted to point 
that out. 

872
00:47:13,800 --> 00:47:18,400
That if you go down the route of
say, implementing a SailPoint 

873
00:47:18,400 --> 00:47:23,100
type system, they have 
definitions on what roles are 

874
00:47:23,100 --> 00:47:25,600
business roles, application 
roles things like that. 

875
00:47:25,900 --> 00:47:29,400
Use that terminology, try to 
adhere to their best practices 

876
00:47:29,400 --> 00:47:32,200
as well because if not you're 
going to kind of be swimming 

877
00:47:32,200 --> 00:47:34,000
upstream. 
Yeah that's a good point. 

878
00:47:34,000 --> 00:47:36,400
You know you buy a lot of these 
technologies not only for the 

879
00:47:36,408 --> 00:47:39,500
technology itself but the 
process that comes with it, 

880
00:47:39,500 --> 00:47:41,200
right? 
And this is what those 

881
00:47:41,200 --> 00:47:45,600
technologies 
do: SailPoint, Saviynt, ClearSkye,

882
00:47:45,600 --> 00:47:47,100
a whole bunch of these other IGA
players. 

883
00:47:47,100 --> 00:47:50,900
They have a process that they 
follow and generally it works 

884
00:47:50,900 --> 00:47:52,600
otherwise their application wouldn't
work. 

885
00:47:52,600 --> 00:47:55,300
So you want to try and stay 
within the bounds of that and 

886
00:47:55,300 --> 00:47:57,700
try to 
adopt those 

887
00:47:57,700 --> 00:48:00,400
processes into your business so 
that you're not having to get 

888
00:48:00,400 --> 00:48:03,900
into this world of customization
and exceptions. 

889
00:48:03,900 --> 00:48:06,500
And, you know, all the kind of 
things that come out of using 

890
00:48:06,500 --> 00:48:09,300
technology in a way that it 
wasn't meant to be used, which 

891
00:48:09,600 --> 00:48:11,500
you certainly want to try and 
avoid as much as possible. 

892
00:48:11,700 --> 00:48:12,300
Yeah. 
All right. 

893
00:48:12,300 --> 00:48:14,100
Well, I think that's a pretty 
good spot that maybe we can 

894
00:48:14,100 --> 00:48:16,300
leave it for this week. 
I feel we covered a lot of 

895
00:48:16,300 --> 00:48:20,200
ground on RBAC, ABAC, PBAC 
and a bunch of other 

896
00:48:20,200 --> 00:48:21,700
acronyms. 
I'm sure that we threw in there 

897
00:48:21,700 --> 00:48:26,400
as well, so don't forget that 
you can, you know, Visit us on 

898
00:48:26,400 --> 00:48:29,700
the web at identity at the 
center.com you can see us on 

899
00:48:29,700 --> 00:48:33,800
Twitter @idacpodcast. 
And with that we're going to go 

900
00:48:33,800 --> 00:48:36,400
ahead and talk with you all in 
the next one. 

901
00:48:36,500 --> 00:48:42,400
Thanks for listening. 
Thanks for listening to the 

902
00:48:42,400 --> 00:48:45,200
identity at the center podcast. 
If you like what you heard, 

903
00:48:45,200 --> 00:48:48,500
don't forget to subscribe and 
visit us on the web at identity

904
00:48:48,500 --> 00:48:49,800
at the center.com.
