Modeling User Roles
I noticed an interesting question on the UML forum which I think a lot of people are struggling with, therefore I took the effort to put it on my blog.
The problem was the following:
- You have a set of use cases and a large set of roles.
- The stakeholders are not only interested in the use cases as such, but they also want to see which role has which responsibility. In other words : Who can do what?
You could take up the minimum authorisation level in the preconditions of the different use cases, but this has as a drawback that you don't have any comprehensive overview.
So use cases are not sufficient. People with a requirements background tend to propose solutions which imply that you start introducing an actor per role and build huge inheritance trees of actors. You can see this illustrated in the following figure:
The drawback of this however is that this quickly becomes a whole mess if you have a huge number of roles.
Instead of trying to model everything using a use case diagram, the solution is to use a class diagram.
The idea I like to introduce is based on RBAC (Role Based Access Control). This is a simplified view :
Roles are made up of operations, which group functions.
The solution is to draw an object diagram (using a UML class diagram) and to create 'Function' objects that have a name that links to the UC (e.g. a function "Withdraw money " to refer to the "Withdraw money" use case).
If you feel that your use case names are not stable enough, then add a prefix (e.g. UC1) to uniquely identify the use case.
Next, you can create 'Role' objects that are referring (using an association relationship) to those functions. One such a role object can be "administrator" for example.
In case you have too many functions, group them into 'operations' and instead of drawing an object diagram with roles and functions, draw a object diagram with roles and operations.
Depending on the level of detail of the uses cases you'll either choose to refer to functions (level of detail : low) or operations (level of detail : high).
If you're afraid to create a spider web of relations between roles & functions (or operations), you can use different diagram instances where you model 3 roles per diagram for example (to make sure it's very readable and understandable).
When properly layed out, such diagrams can also be presented to your stakeholders. Roles and functions are a language they can understand.
This is a very simple example of such a diagram:
This is the most elegant solution, based on UML class diagrams and RBAC. It's not a good idea to model this using use case diagrams. UML has different diagrams, and nowhere it is written that you should be restrained to using use case diagrams when modeling requirements.
Hi There are few ways to
Hi
There are few ways to start a role base project. It depends on factors as # of users, # of systems , # of security Admins , budget, auditors, company needs and more.
Usually, companies are trying to approach this project, using the current resources and do this project manually, without any external consultancy or experience, best practices and methodologies
By taking the manual approach, you can generate few roles, usually, the basic enterprise roles or departmental roles, but then , you will find that you need to generate many other roles, by analyzing many users, resources , access rights and working and interviewing with many business managers, a process that can take 24-48 months for an organization with 10k users.
I have been managing 10-15 RBAC projects and involved in about 50 others, in USA & Europe, and I can share with you the high level best practices.
Cleansing
1. Mapping the company systems, and business model.
2. Set the RBAC targets - # of roles, workflows etc
3. Import current access rights and perform a mini cleansing project – 3-4 weeks
4. Doing role engineering on very polluted data, will product roles, but vary dirty roles.
5. It is better to spend few weeks on cleansing till you feel that you managed to clean the major faulty access rights
6. Use smart AUDIT tools to analyze your current access rights model and advice you what access rights are suspected
7. Use compliance and policy check tools (Segregation of duty etc) to perform the cleansing
8. Use a workflow for Access-Rights Certification – (example Eurekify/Sage)
Role Engineering:
Use tools that can help you creating roles by analyzing your current access right. There are few tools in the market as Eurekify/Sage.
Run all the techniques that this tool provide and analyze the results.
Use a tool that has a built in workflow for Role Approval
Audit your roles and make sure that the roles are normalized
highly recommended to use automated solutions to audit your roles
Build compliance rules to validate the roles.
and more..
Role Management
Ensure that you will be able to modify and alter the roles easily
build or use a solution that will help you to manage and maintain the roles
keep in mind that roles are dynamic and will change
Role certification / re –certification
Make sure that you have a workflow to certify / recertify roles
record and archive all the changes
Build reports that will help you to manage and control your roles and results.
Hope it helps
Regards
Ilan Sharoni
Director - Eurekify