What is an Optimal Minimum Cardinality Requirement for Roles? (Q&A)

Draft, please contribute

Question

What is an Optimal Minimum Cardinality Requirement for Roles?

Short Answer

It depends (a typical expert answer). If you desperately need a number, pick 5, but please read at the very least the conclusion at the bottom of this article.

Full Answer

The economic impact of RBAC

Role management has a total cost. To estimate this cost, we should consider the full lifecycle of roles: the time spent by role owners and role engineers to plan, model, configure, maintain, and eventually delete roles. We should also estimate the cost of the role management IT infrastructure and probably a multitude of other items. Similarly, role-based access management creates value as it increases productivity and strengthens security in the organization. For a detailed economic study of RBAC, cf. https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1166999553.

In theory, the optimal minimum cardinality requirement for roles is the threshold that optimizes the economic impact of RBAC, i.e. value minus cost.

The cost of minuscule roles

Asking what the optimal minimum cardinality requirement is implies that roles that are too small may have a negative economic impact, that is to say the productivity and security benefits such roles bring to the organization are lower than the roles' cost.

Obviously, if a role had no member, it would only incur costs. The threshold should thus be greater than 0.

The value of (some) minuscule roles

At first glance, it may appear that a role with only one member has a negative economic impact. Obviously, granting the access permission directly to the user would produce the same result, so why bother creating a role and incurring additional costs?

But let’s deepen this superficial analysis and consider a key role in the organization: the CFO. The CFO has a set of unique access permissions that are probably highly sensitive. For instance, she may approve important financial transactions. The CFO changes every few years. If her access permissions were granted individually, how would you know which ones were linked to the CFO function, especially if she also holds other functions? Finally, when a new CFO is appointed, you certainly want to ensure a smooth and efficient transition, something that a role facilitates.

Similarly, what is true for the CFO is probably true for all CxO managers and possibly for other key roles in the organization.

In consequence, roles are not of equal value. While it is certainly true that single-member roles may have a negative economic impact, it is certainly also true that key functions in the organization deserve a single-member role.

Are role management costs identical across organizations?

The cost of roles is dependent on the organization processes and the role management IT infrastructure.

Some organizations may have a highly manual and expensive role management process. This should lead one to set the Optimal Minimum Cardinality Requirement higher.

Other organizations may have an efficient and partly automated role management process. This should lead one to set the Optimal Minimum Cardinality Requirement lower.

Are teams and functions of identical sizes across organizations and industries?

The average team or function size varies across organizations. Some industries have vertical organizations while others have horizontal ones.

Conclusion

Considering all these factors, it would be wrong to state that a universal Optimal Minimum Cardinality Requirement exists. But simply answering “it depends” wouldn’t help IAM practitioners either. Thus, I propose the following approach:

  • Make a quick data analysis of your role model.

  • Do you currently suffer from Role Explosion? If small roles are not an issue in your organization, you should consider not setting a Minimum Cardinality Requirement. Instead, keep an eye on the evolution of your role model from time to time.

  • If you do believe you have a problem with small roles, your statistical analysis will give you a sound basis on which to set a Minimum Cardinality Requirement.

  • If you don’t have any data (that can’t be true) and must set an arbitrary number, then choose 5.

  • But please, make it a guideline and train your role engineers to recognize key roles that may be worth creating even though they are below the threshold; otherwise your new policy may have an adverse effect on the productivity of your CxO managers.
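The data analysis and guideline steps above, as an added Python example that is not part of the Open Measure wiki: it computes the distinct-member cardinality of each role from constructed sample assignments, summarizes the distribution so the threshold can be grounded in data, and then applies the guideline while exempting roles tagged as key roles. ROLES, ASSIGNMENTS and KEY_ROLES are hypothetical, constructed data.

```python
from collections import Counter
from statistics import median

# Constructed sample data (hypothetical): defined roles, role->member assignment
# rows as an IAM export might provide them, and roles tagged as key functions.
ROLES = ["ap-clerk", "helpdesk", "cfo", "legacy-report-viewer",
         "old-project-x", "orphan-role"]
ASSIGNMENTS = (
    [("ap-clerk", f"u{i:02d}") for i in range(1, 9)]
    + [("helpdesk", "u09"), ("helpdesk", "u10"), ("helpdesk", "u11")]
    + [("cfo", "u12")]
    + [("legacy-report-viewer", "u13"), ("legacy-report-viewer", "u13")]  # duplicate row
    + [("old-project-x", "u14"), ("old-project-x", "u15")]
)
KEY_ROLES = {"cfo"}  # roles worth keeping even with a single member


def cardinalities(roles, assignments):
    """Distinct members per defined role; roles with no assignment count as 0."""
    members = {role: set() for role in roles}
    for role, user in assignments:
        members.setdefault(role, set()).add(user)  # set() de-duplicates rows
    return {role: len(users) for role, users in members.items()}


def summarize(card):
    """Distribution figures a role engineer looks at before picking a threshold."""
    values = sorted(card.values())
    return {
        "roles": len(values),
        "empty": sum(v == 0 for v in values),
        "single": sum(v == 1 for v in values),
        "median": median(values),
        "histogram": dict(sorted(Counter(values).items())),
    }


def review_roles(card, threshold, key_roles):
    """Flag roles below the minimum cardinality guideline, exempting key roles."""
    flagged, exempt = [], []
    for role, n in card.items():
        if n < threshold:
            (exempt if role in key_roles else flagged).append((role, n))
    return {"flag": sorted(flagged), "exempt": sorted(exempt)}


if __name__ == "__main__":
    card = cardinalities(ROLES, ASSIGNMENTS)
    print(summarize(card))
    print(review_roles(card, threshold=5, key_roles=KEY_ROLES))
```

Flagged roles are candidates for review (merge, delete, or justify), not for automatic removal; the exempt list is where the key-role guideline from the last step applies.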



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.