Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Security icon

Simplify Identity and Access Management

Leverage risk- and role-based access control to quantify and simplify the IAM process.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail


  • Kassim Dossa, Director of Procurement and IT, AgeCare Investments Ltd.
  • Mike Layton, Director – Enterprise Services & Information Systems, Baylor College of Medicine
  • Jon Cutler, Chief Information Security Officer, Marshall University
  • 5 anonymous contributors

Your Challenge

  • Identity and access management (IAM) is the foundation of all usability within the environment and needs to be well defined and documented. Every organization has users, and every user needs access.
  • Organizations have watched their systems become more entangled as more processes are moved to the cloud and more security threats present themselves.
  • Auditing a long list of users is a tedious task that nobody wants to do. Unclassified data exacerbates the problem.

Our Advice

Critical Insight

  • Role-based access control (RBAC) doesnt have to be hard.
    Document the information that people inherently know. Having a strong repository of permission-role and user-role assignments is key to ensuring that the RBAC process lives on and remains effective despite changes within the organization.
  • Focus on permission and role engineering.
    Managing identity and access starts with identifying and classifying what requires access, taking into account where it exists and identifying who needs access to it. This first process is termed permission engineering. The latter part is termed role engineering. While not covered in this research, it will be explored in future iterations.
  • The primary goal should be to minimize privilege creep.
    RBAC improves the efficiency of managing IAM by reducing the amount of privilege creep that exists among the users of the organization. When roles are designed, the principle of least privilege is employed, and therefore users are granted only the roles, and consequently permissions, required to do their job.

Impact and Result

  • Our research will lay the groundwork for establishing a centralized, effective, and efficient system for managing identity and access. We will help organizations take back control of their IAM environment by creating and implementing a RBAC model.
  • Working with the tools associated with this research will help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
  • This research will educate readers on selecting and implementing IAM vendors and will assist in producing vendor RFPs and shortlisting vendors to help ensure that selected vendor solutions offer capabilities required by the organization (e.g. multi-factor authentication) based on business goals, compliance, and other gaps, and will offer integration functionality with the different cloud vendors (e.g. SaaS) used by the organization.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should simplify identity and access management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Audit and classify existing data

This phase will assist users with cleaning their current user directory and laying the foundations for implementing a more robust process for managing identities and access.

2. Implement a risk- and role-based access control model

This phase will guide readers through the process of creating and implementing a RBAC model. This includes the definition of metrics that can be used to refine future iterations of the RBAC model.

3. Create an RBAC maintenance plan

This phase covers best practices regarding exception handling and maintaining the RBAC system over time.

4. Consider an IAM vendor

This phase explores the selection and implementation of an IAM solution. Several tools are available to assist project owners with this typically challenging task.

Guided Implementations

This guided implementation is a seven call advisory process.

Guided Implementation #1 - Audit and classify existing data

Call #1 - Establish a data classification scheme and apply it to application functions.

Guided Implementation #2 - Implement a risk- and role-based access control model

Call #1 - Build role hierarchy.
Call #2 - Establish separation of duties constraints.
Call #3 - Define metrics.

Guided Implementation #3 - Create an RBAC maintenance plan

Call #1 - Create a maintenance plan for the RBAC process.

Guided Implementation #4 - Consider an IAM vendor

Call #1 - Discuss vendor options.
Call #2 - Create an implementation plan for acquiring or changing an IAM solution.

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Complete Level Setting

The Purpose

  • Create the foundations for implementing a more robust method for managing identity and access within the organization.

Key Benefits Achieved

  • Insight into how to best clean up the current user directory
  • An understanding of the misuse impact of the permissions given to users




Define the goals of identity and access management (IAM).

  • Defined goals for IAM

Classify application functions.

  • Data classification scheme for applications

Identify the misuse impact of each permission.

  • Foundation for using risk to justify future access assignment decisions

Discuss role-based access control (RBAC) methodology.

Module 2: Create the RBAC Model

The Purpose

  • Develop a documented and formalized RBAC model.

Key Benefits Achieved

  • A more robust method for managing IAM
  • Documented access matrix for future reference




Identify the best approach for creating roles.

  • A plan for implementing a role engineering exercise

Define cardinal constraints through discussion.

  • Documented role constraints

Identify mutually exclusive pairs of roles with an affinity map.

  • Documented role constraints

Assign users to roles.

  • Repository for permission-role and user-role assignments

Module 3: Analyze the Results

The Purpose

  • Identify risk-aware metrics for measuring the effectiveness of the RBAC model over time.
  • Build a maintenance schedule.

Key Benefits Achieved

  • The development of risk-aware metrics allows for the measurement of the effectiveness of the RBAC model over time
  • A plan for completing and implementing the RBAC model




Discuss the risk evaluations of roles and users.

  • Risk-aware metrics

Define risk threshold for users.

  • Risk-aware metrics

Set targets for metrics through a group discussion.

  • Risk-aware metrics

Discuss an exception-handling process.

  • Maintenance plan

Build a maintenance schedule through group discussion.

  • Maintenance plan

Module 4: Plan for the Transition

The Purpose

  • Outline best practices for selecting and implementing an IAM solution from a vendor.

Key Benefits Achieved

  • A plan for contacting vendors and assessing their solutions against business requirements and goals




Determine your target IAM framework.


Identify alignment with use cases.


Prioritize your solution requirements based on your business, architecture, and performance needs.


Create an RFP to submit to vendors.


Identify the resourcing plan for your IAM implementation.

  • IAM vendor procurement plan

Determine start times and accountability with a RACI chart.

  • IAM RACI chart

Finalize IAM roadmap and action plan.

  • IAM roadmap and action plan