Combining business and IT roles has a strange familiarity

Kevin Kampman has added his opinion to the latest RBAC thread. Kevin makes an interesting point:

Another challenge is to clarify what a role represents. A business role is an articulation of a business relationship or responsibility. A technical or IT role is a set of privileges or tools that are used to accomplish the business role. Business roles map to IT roles. If you try and merge the two into one, you come up with an IT role. It becomes difficult to ascertain what it was or is intended to accomplish, and it becomes inflexible, bound to an application.

This reminds me of Alan Cooper’s The Inmates Are Running the Asylum.  Cooper makes the point that anything coupled with a computer becomes a computer.  This includes but is not limited to: alarm clocks, cars, ATMs, and naval warships.  (Come on, admit it, you too have ripped a hotel alarm clock out of the wall because you couldn’t figure out how to shut it off; we’ve all done it.)  Cooper’s overall point is that the Designer must be extremely careful in her design choices so as to not lose the intent and spirit of the original object before it got coupled with a computer.

The same holds true in Identity-land.  Identity program teams must be clear with each other and the enterprise as to their goals for roles.  If they are looking to strengthen the organizational structure itself, then business roles, in a stand-alone fashion, are what is called for.  If the teams want to deliver permission aggregation into coherent policy, then IT roles are needed.  That being said, if an identity program team finds itself swirling the two together, they have likely hamstrung the advantages they sought to gain, inappropriately using roles to solve all of the problems of context and intent.
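The separation described above can be sketched as a two-layer model. This is an added example, not code from the original post or from Burton Group; every role, permission and user name in it is hypothetical sample data. It shows that with business roles mapped to IT roles, the intent behind a privilege can be traced and an application can be swapped without touching business roles, while the merged role can only answer with its own application-bound name.

```python
# Constructed sample data: all role, permission and user names are hypothetical.
BUSINESS_ROLES = {   # business responsibility -> IT roles used to accomplish it
    "accounts-payable-clerk": ["erp-invoice-entry", "bank-portal-viewer"],
    "ap-supervisor": ["erp-invoice-entry", "erp-payment-approver"],
}
IT_ROLES = {         # IT role -> application privileges
    "erp-invoice-entry": {"erp:invoice.create", "erp:invoice.read"},
    "erp-payment-approver": {"erp:payment.approve", "erp:invoice.read"},
    "bank-portal-viewer": {"bank:statement.read"},
}
ASSIGNMENTS = {"alice": ["accounts-payable-clerk"], "bob": ["ap-supervisor"]}

# The merged alternative: business and IT role collapsed into one flat role.
MERGED_ROLES = {
    "erp-ap-users": {"erp:invoice.create", "erp:invoice.read", "bank:statement.read"},
}
MERGED_ASSIGNMENTS = {"alice": ["erp-ap-users"]}


def effective_permissions(user, business=BUSINESS_ROLES, it=IT_ROLES):
    """Resolve user -> business roles -> IT roles -> privileges."""
    perms = set()
    for b_role in ASSIGNMENTS.get(user, []):
        for it_role in business[b_role]:
            perms |= it[it_role]
    return perms


def explain(user, permission, business=BUSINESS_ROLES, it=IT_ROLES):
    """Return every (business role, IT role) chain granting the permission."""
    return sorted(
        (b_role, it_role)
        for b_role in ASSIGNMENTS.get(user, [])
        for it_role in business[b_role]
        if permission in it[it_role]
    )


def explain_merged(user, permission):
    """In the merged model the only available answer is the role name itself."""
    return sorted(r for r in MERGED_ASSIGNMENTS.get(user, [])
                  if permission in MERGED_ROLES[r])


def replace_application(it_roles, old_prefix, new_prefix):
    """Re-platform an application by rewriting IT roles only."""
    return {
        name: {new_prefix + p[len(old_prefix):] if p.startswith(old_prefix) else p
               for p in perms}
        for name, perms in it_roles.items()
    }
```

An access review can call `explain("bob", "erp:invoice.read")` to see which business responsibility justifies the privilege; `explain_merged` has nothing comparable to report.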

As the team at Burton Group furthers the conversation about relationships, I think we (the collective we of enterprises, vendors, and service integrators) will see that the challenges of context and intent are addressed by relationship management and that roles, both business and IT, have a part in addressing those challenges.

Context and Intent: Nishant kicks the RBAC hornet’s nest

At the end of Tim Weil’s presentation on RBAC at Catalyst last month, Nishant asked a basic question: is the NIST RBAC model sufficient and complete?  Not receiving a satisfactory answer, he has taken his question to the blogosphere.

Nishant’s question touches upon two of the hobgoblins of identity: context and intention.  I talked about issues of context years ago in an unrefined form.

This week I have been out here in Utah working at Burton Group’s headquarters trying to figure out what I will be researching in the coming quarters.  I have not found my research topics yet, but in conversations with the team it is becoming clear to me that lurking behind a lot of the topics we’d like to dig into are the problems of describing context and recognizing intentionality.  We’ll see what the coming months of research uncover.