How do I prepare for an RBAC program? (Part 2, Socially)
How can I prepare my IAM team for an RBAC project? (Part 2)
In a previous blog post we went through how to prepare your IAM team for an Access Consolidation project technically. If you've read my previous blog posts outlining why an RBAC (or other Access Consolidation) program can be difficult, you'll already know that these projects are as social as they are technical. That means you'll need to prepare for the social aspects of these efforts as well. And to do that you'll want to...
1. Find and/or create champions beyond your IAM team
You will need to engage people outside of the IAM organization and have them make decisions about the contents of your roles. Sometimes they will be your peers, but often they will be your boss's boss's peers (or “Grandboss” to steal a term from my wife). Depending on how your organization views hierarchies, it may be necessary to have these conversations initiated by someone senior to your IAM organization. Even if it isn't ultimately necessary, having support from senior leadership will make your job easier.
2. Identify initial teams to work with for role creation
The first teams that you work with are key to building momentum and to refining the skills and deliverables used for further engagement, so they should preferably be amenable partners. Optimally, your first engagements should be with teams that you already have a good working relationship with. Since IAM teams tend to fall under IT or Cybersecurity departments, those departments may be a good choice. It's worth noting, though, that these teams typically are not highly valuable targets for role creation due to their small sizes and heterogeneous access. If you have good relations with the leadership of organizations that have high volumes of access requests and/or sizeable access certifications, they may be good choices as well, but you will need to weigh their ability to understand the problem and solution against the impact of creating a role for their organization. The unfortunate truth is that the closer an organization is to understanding the solution, the less likely they are to need it.
3. Prepare yourself and your team
Most people in the IAM space come from a technical background, typically software or IT. RBAC programs require extensive socialization, which I've written about here and here. Your team will need to meet with small teams of relatively senior people to sell them on the value proposition of role creation and ensure that they make decisions on the contents of their roles. You'll want to identify someone who can do this on behalf of your team and make sure they're up to the work.
In my previous post on preparing for an RBAC effort, I ended by saying that the preparation was optional. That's true for the technical details, especially if you intend to bring in expertise to assist in the technical work and don't have the bandwidth to perform it yourself. Unfortunately, the social preparation outlined above is less optional. RBAC is unavoidably a social endeavor, but it is one that you can prepare for, and the payoff is well worth it.
If you're looking to start your organization's RBAC journey or get it back on the right track from a previous effort, and you want to ensure its success, reach out to us and we'll get you started.







