07-07-2008 3:27 PM
Hi board,
I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similarly, the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".
The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.
My questions are:
- Is it technically feasible (for a large-scale company)?
- What is your experience?
- Drawbacks?
Kind regards and many thanks for your help,
Richard
Hi Richard,
There are a few pointers on the drawbacks in the following post:
That should answer your questions. I think it's fair enough to say that in my experience, the majority of companies which have implemented this have increased complexity and reduced security over a standard build. Some have made it work well as they have put appropriate controls in place.
07-07-2008 3:51 PM
Hi there,
that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
Kind regards,
Richard
07-07-2008 3:57 PM
I was not even aware that it is possible to derive at composite role level.
We make limited use of derived roles, and only in cases where there is certainty that the process is the same across the orgs and will remain so. Even with that, it still does not work exactly for all fields and all scenarios over time.
Cheers,
Julius
07-07-2008 4:15 PM
> Hi there,
>
> that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.
>
> Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?
>
> Kind regards,
>
> Richard
Hi Richard,
It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.
A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks...
If you have organisational complexity then you should look elsewhere to simplify.
By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).
Put the effort in the design stage and it will pay dividends later on down the line.
Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.
Cheers
Alex
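To make the "big bucket" drawback concrete, here is a small added model (not code from the thread or from SAP) of how SAP authorization checks combine across roles: a check passes when any single authorization for the object, from any assigned role, satisfies every requested field value. It compares a derived-role build, where the company code sits inside each authorization, with the transactions-plus-org-bucket build described above. S_TCODE (field TCD) and F_BKPF_BUK (fields BUKRS, ACTVT) are standard objects and FB01/FB03 are standard transactions; the role contents, company codes and user assignments are constructed for illustration.

```python
# Added illustration, not from the thread: model SAP authorization semantics and
# compare a derived-role build with a "transactions + org-value bucket" build.
# Role contents and users are constructed; only object/field/tcode names are real.
from itertools import chain

COMPANY_CODES = ("DE01", "FR01")          # constructed org values
ACTIVITIES = ("01", "02", "03")           # create / change / display


def auth(obj, **fields):
    """One authorization: object name plus a set of allowed values per field."""
    return (obj, {name: set(values) for name, values in fields.items()})


def check(user_roles, obj, **wanted):
    """SAP-style check: succeed if ANY authorization for `obj` in any assigned
    role allows every requested field value ('*' is a full wildcard)."""
    for auth_obj, fields in chain.from_iterable(user_roles):
        if auth_obj != obj:
            continue
        if all("*" in fields.get(f, set()) or v in fields.get(f, set())
               for f, v in wanted.items()):
            return True
    return False


# --- Standard build: derived roles carry the org value inside each authorization
AP_DISPLAY_DE = [auth("S_TCODE", TCD=["FB03"]),
                 auth("F_BKPF_BUK", BUKRS=["DE01"], ACTVT=["03"])]
AP_POST_FR = [auth("S_TCODE", TCD=["FB01"]),
              auth("F_BKPF_BUK", BUKRS=["FR01"], ACTVT=["01", "02", "03"])]

# --- Bucket build: transaction roles hold S_TCODE only; org roles hold the
#     supporting objects with the org value and full activity ("the big bucket")
TX_AP_DISPLAY = [auth("S_TCODE", TCD=["FB03"])]
TX_AP_POST = [auth("S_TCODE", TCD=["FB01"])]
ORG_DE = [auth("F_BKPF_BUK", BUKRS=["DE01"], ACTVT=["*"])]
ORG_FR = [auth("F_BKPF_BUK", BUKRS=["FR01"], ACTVT=["*"])]


def standard_build_user():
    """Display-only accountant in DE, posting clerk in FR (derived roles)."""
    return [AP_DISPLAY_DE, AP_POST_FR]


def bucket_build_user():
    """Same business intent expressed as transaction roles + org buckets."""
    return [TX_AP_DISPLAY, TX_AP_POST, ORG_DE, ORG_FR]


def effective_access(user_roles):
    """Every (company code, activity) pair the user passes F_BKPF_BUK for."""
    return {(cc, act) for cc in COMPANY_CODES for act in ACTIVITIES
            if check(user_roles, "F_BKPF_BUK", BUKRS=cc, ACTVT=act)}


def can_post(user_roles, company_code):
    """Posting a document needs the transaction AND create activity on the
    company code; both checks are answered from the whole role set."""
    return (check(user_roles, "S_TCODE", TCD="FB01")
            and check(user_roles, "F_BKPF_BUK", BUKRS=company_code, ACTVT="01"))


if __name__ == "__main__":
    for name, user in (("derived roles", standard_build_user()),
                       ("org buckets", bucket_build_user())):
        print(f"{name}: F_BKPF_BUK access = {sorted(effective_access(user))}")
        print(f"{name}: can post in DE01 -> {can_post(user, 'DE01')}")
```

With derived roles the user holds exactly the four (company code, activity) pairs the design intended and cannot post in DE01. With the bucket build the same two business assignments give all six pairs, and the FR posting transaction combines with the DE bucket to allow posting in DE01: the org role grants its values to every transaction role the user carries, which is the cross-combination that the thread calls double usage and the reason the bucket "invariably contains more authorisations than the transactions require".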
07-07-2008 9:41 PM
At the top of this forum page, there is a "sticky" thread with a collection of memorable discussions and threads which contain useful information. A number of them are authorization design related, and the one with the subject "Security Design" will also be interesting for you if you have not read it yet.
It certainly was for me.
Cheers,
Julius
07-07-2008 9:59 PM
Julius, Alex,
you are gorgeous. Many thanks for your efforts!
Kind regards,
Richard