Aveksa.com/blog


Great Research Report From Gartner On Role Management & Entitlements


Gartner published a great research report on Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management.  Besides defining the difference between business and technical roles, Earl Perkins (the author) points out that roles are really all about assigning fine-grained access permissions (entitlements) to users based on their job function.

He states, "a discussion of roles can easily overlook an important point: The real effort to assign the appropriate levels of access actually rests at the granular level of the entitlement. An entitlement (also called by various audiences a "privilege," "permission," "access right" or "authorization") is currently the most granular construct for assigning the level of access to a job function based on enterprise access policies. In other words, an entitlement is the means by which an enterprise assigns a particular level of access to an IT-based resource, whether it is information in a database, a transaction in an application or a command in an IT system. A role is one method by which these entitlements may be grouped or aggregated to make the process of assigning those entitlements more efficient."

Well stated, Earl. While technical and provisioning roles benefit an organization as an efficient IT security administration tool for automating the creation of accounts in user directories, this approach cannot capture a user's relationship with the organization in terms of the function that the user performs for the business, nor can it map the specific entitlements that are appropriate to that functional role. Enterprise business roles have evolved to achieve this objective.
