The present disclosure relates generally to an identity management system, and more specifically to techniques for performing role lifecycle management in an identity management system.
For an enterprise comprising multiple target systems with multiple resources provided by the target systems, an identity management system may be used to define and control how users of the enterprise interact with the various enterprise resources. The identity management system may enable various roles to be defined and assigned to users. When a role is assigned to one or more users, the users become members of the role. A role may also be associated with one or more entitlements, where an entitlement defines the manner in which a member of the role can interact with one or more target systems of the enterprise. For example, a manager role may be defined that grants a member of that role read and write access to an inventory database of the enterprise. As a result of this role assignment, members of the manager role (e.g., entities who have been assigned the manager role) may access the inventory database and can read information from or write information to the inventory database.
Conventional identity management systems typically do not put many restrictions on how roles are created within the enterprise. As a result, over time, multiple roles may get created that have similar parameters, such as similar membership, similar entitlements, or other role-associated parameters. This not only makes the management of roles within the enterprise difficult, but it also exposes the enterprise to security risks. For example, consider a situation where an entitlement given to a user is to be removed or revoked, a task that is typically performed manually by a system administrator. In an environment comprising multiple roles with overlapping or similar parameters, this becomes a non-trivial task because the same entitlement could be given to the user via multiple different roles, and it may not be possible for the system administrator to identify all such roles in a timely manner. This in turn may result in a user retaining unauthorized entitlements, thereby exposing the enterprise systems to increased risk. The problem is further compounded as the number of users, the number of roles, the number of entitlements, and the number of target systems and resources increase. Moreover, unnecessary computing resources are allocated for creating and maintaining roles with redundant parameters.
Some conventional tools exist for checking membership and entitlement information associated with a role when the role is being assigned to a user, or for checking if a role being assigned to the user has already been assigned to the user, but these tools do not provide a solution to the various problems discussed above.
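The revocation problem described above, as an added illustration that is not part of the disclosure: the role and entitlement tables below are constructed sample data, and the functions show why dropping a user from a single role does not revoke an entitlement that other roles also grant, and how roles with overlapping membership and entitlements can be flagged for consolidation.

```python
from itertools import combinations

# Constructed sample data (not from the disclosure): role -> members and role -> entitlements.
ROLE_MEMBERS = {
    "manager": {"alice", "bob"},
    "inventory_admin": {"alice", "bob", "carol"},
    "inventory_reader": {"alice", "bob", "dave"},
    "finance": {"erin"},
}
ROLE_ENTITLEMENTS = {
    "manager": {"inventory_db:read", "inventory_db:write"},
    "inventory_admin": {"inventory_db:read", "inventory_db:write"},
    "inventory_reader": {"inventory_db:read"},
    "finance": {"ledger:read"},
}


def roles_granting(user, entitlement, members=ROLE_MEMBERS, ents=ROLE_ENTITLEMENTS):
    """All roles through which `user` currently receives `entitlement`.
    Revocation is only complete once the user is removed from every one of them."""
    return sorted(r for r in members if user in members[r] and entitlement in ents[r])


def effective_entitlements(user, members=ROLE_MEMBERS, ents=ROLE_ENTITLEMENTS):
    """Union of the entitlements of every role the user is a member of."""
    return set().union(*(ents[r] for r in members if user in members[r]))


def still_granted_after_removal(user, role, entitlement,
                                members=ROLE_MEMBERS, ents=ROLE_ENTITLEMENTS):
    """Simulate the naive fix (drop the user from one role) and report whether the
    entitlement survives through another role; True means the revocation is incomplete."""
    trimmed = {r: (m - {user} if r == role else m) for r, m in members.items()}
    return entitlement in effective_entitlements(user, trimmed, ents)


def similar_roles(threshold, members=ROLE_MEMBERS, ents=ROLE_ENTITLEMENTS):
    """Role pairs whose entitlement sets and member sets both overlap at or above
    `threshold` (Jaccard index); these are candidates for consolidation."""
    def jaccard(a, b):
        return len(a & b) / len(a | b) if a | b else 1.0
    found = []
    for r1, r2 in combinations(sorted(members), 2):
        e, m = jaccard(ents[r1], ents[r2]), jaccard(members[r1], members[r2])
        if e >= threshold and m >= threshold:
            found.append((r1, r2, round(e, 2), round(m, 2)))
    return found


if __name__ == "__main__":
    print(roles_granting("alice", "inventory_db:write"))
    print(still_granted_after_removal("alice", "manager", "inventory_db:write"))
    print(similar_roles(0.6))
```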