Between her open letter to application vendors and her post on roles versus rules, Pamela Dingle is kicking up a lot of dirt. I tend to agree with most of her points, as I have written about here. However, the following point of hers bothers me; I’m not saying I disagree with it completely, but it sits oddly with me:
In the case where two roles are assigned to the same person, but should never be simultaneously applicable, enterprises have limited choices. If, however, there is a layer in between the consumer and the provider that lets you mask roles based on user-chosen context, in my mind this problem goes away. I don’t see how you can do it without the user part — but perhaps I’m just not thinking hard enough.
Granting the user a choice, in fact requiring the user to choose their context, is not something that an enterprise in this day and age can do lightly. It requires a constant monitoring capability. It requires a method to unwind the user’s privilege set at any point in time into business-digestible policy statements. It requires a way to map user actions, the user’s total privilege set and enterprise/business policy to each other, which is not easily done. Trust, verify and then cross-validate. In this litigious, hyper-audited world, I am not sure that enterprises can realistically enable user-chosen contexts without a raft of infrastructure that, today, is not well enough integrated.
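To make the point concrete, here is a toy model I put together (my own illustration, not code from Pamela’s post or from any product) of a context-masking layer with the verify-and-cross-validate pieces bolted on: the user picks a context, conflicting roles are masked, every action is re-checked against the separation-of-duties policy at request time, and the session can be unwound into auditor-readable statements. The role names and toxic pairs are made up for the example.

```python
"""Constructed toy model of role masking by user-chosen context, plus the
monitoring, action-time verification and audit trail that such a layer needs.
Role names and the toxic-pair policy below are invented for illustration."""
from dataclasses import dataclass, field

# Separation-of-duties policy: role pairs that must never be active together.
TOXIC_PAIRS = {frozenset({"payment_requester", "payment_approver"}),
               frozenset({"developer", "production_deployer"})}


@dataclass
class Session:
    user: str
    assigned: frozenset                  # every role the enterprise granted
    active: frozenset = frozenset()      # what remains after context masking
    audit: list = field(default_factory=list)


def toxic_conflicts(roles):
    """Return the SoD pairs fully contained in `roles` (empty set = compliant)."""
    return {pair for pair in TOXIC_PAIRS if pair <= set(roles)}


def choose_context(session, wanted):
    """The user-chosen context layer: activate `wanted`, mask everything else.
    Refuses, and records the refusal, if the context itself is a toxic combination."""
    wanted = frozenset(wanted)
    reason = None
    if not wanted <= session.assigned:
        reason = "requests roles the user does not hold"
    elif toxic_conflicts(wanted):
        reason = "would activate a toxic role pair"
    session.audit.append(("context", session.user, sorted(wanted), reason))
    if reason:
        raise PermissionError(reason)
    session.active = wanted
    return session.active


def perform(session, action, required_role):
    """Verify at action time, not only at context-selection time, and record the
    decision so the privilege set in force can be reconstructed later."""
    allowed = (required_role in session.active
               and not toxic_conflicts(session.active))
    session.audit.append(("action", session.user, action, required_role, allowed))
    return allowed


def unwind(session):
    """Render the session's privilege state as statements an auditor can read."""
    lines = [f"{session.user} holds {sorted(session.assigned)}",
             f"{session.user} active {sorted(session.active)}"]
    for pair in toxic_conflicts(session.assigned):
        lines.append(f"{session.user} holds toxic pair {sorted(pair)}: relies on masking")
    return lines
```

The `unwind` output is where the monitoring burden shows: a user who holds a toxic pair is compliant only as long as the masking layer is working, so that dependency has to be visible to whoever audits the privilege set.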