Pam is on a roll

Between her open letter to application vendors and roles versus rules, Pamela Dingle is kicking up a lot of dirt. I tend to agree with most of her points, as I have written about here. However, her following point bothers me; I’m not saying I disagree with it completely, but it sits oddly with me:

In the case where two roles are assigned to the same person, but should never be simultaneously applicable, enterprises have limited choices. If, however, there is a layer in between the consumer and the provider that lets you mask roles based on user-chosen context, in my mind this problem goes away. I don’t see how you can do it without the user part — but perhaps I’m just not thinking hard enough.

Granting the user a choice, in fact requiring the user to choose their context, is not something that an enterprise in this day and age can do lightly. It requires a constant monitoring capability. It requires a method to unwind the user’s privilege set at any point in time into business-digestible policy statements. It requires a way to map user action, the user’s total privilege set and enterprise/business policy to each other, which is not easily done. Trust, verify and then cross-validate. In this litigious, hyper-audited world, I am not sure that enterprises can realistically enable user-chosen contexts without a raft of infrastructure that, today, is not well enough integrated.
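To make both halves of this concrete, here is an added example (not code from either post): a small context layer of the kind Pam describes, which masks a user’s assigned roles by the context the user picks and refuses any context that would leave a mutually exclusive pair active together, plus the two pieces the paragraph above asks for: a function that unwinds the user’s total privilege set into plain policy statements, and an audit replay that flags actions taken under a role the chosen context should have masked. The roles, contexts, user and log records are all constructed for the example.

```python
from itertools import combinations

# Constructed policy: role pairs that must never be active in the same session.
MUTUALLY_EXCLUSIVE = {frozenset({"ap_clerk", "ap_approver"})}

# Constructed assignments: alice legitimately holds both conflicting roles.
ASSIGNED = {"alice": {"ap_clerk", "ap_approver", "reader"}}

# Constructed user-chosen contexts; each one masks the assigned roles.
CONTEXTS = {
    "payables-entry": {"ap_clerk", "reader"},
    "payables-review": {"ap_approver", "reader"},
    "payables-all": {"ap_clerk", "ap_approver", "reader"},  # deliberately unsafe
}

def activate(user, context):
    """Roles active in a session are the assigned roles masked by the chosen
    context; refuse the context if a mutually exclusive pair survives the mask."""
    active = ASSIGNED.get(user, set()) & CONTEXTS.get(context, set())
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= active:
            raise PermissionError(
                f"{user}: context {context!r} would activate {sorted(pair)} together")
    return active

def policy_statements(user):
    """Unwind the user's total privilege set into readable statements: which
    assigned roles conflict and which contexts keep them apart."""
    total = ASSIGNED.get(user, set())
    lines = [f"{user} holds roles {sorted(total)}"]
    for a, b in combinations(sorted(total), 2):
        if frozenset({a, b}) in MUTUALLY_EXCLUSIVE:
            safe = sorted(c for c, mask in CONTEXTS.items() if not {a, b} <= (total & mask))
            lines.append(f"{a} and {b} conflict; allowed contexts: {safe}")
    return lines

def audit(log):
    """Replay (user, context, role_used) records; flag any action taken under a
    role the chosen context should have masked, or under a refused context."""
    findings = []
    for user, context, role in log:
        try:
            active = activate(user, context)
        except PermissionError as err:
            findings.append(str(err))
            continue
        if role not in active:
            findings.append(f"{user} used {role} in context {context!r} where it is masked")
    return findings
```

The audit step is where the monitoring burden shows up: every action has to be recorded with the context it was taken in, or the replay has nothing to check.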
