User Role & Permission Design: How to Model IT Access

Are you looking to simplify your permission management through a role-based access control model? Before you can start to automate user provisioning, you first need to choose which privileges different user groups should receive by creating permission roles. Don’t worry: It’s easier than it sounds! Learn how to design your own permission roles with our 5 step guide.

What Are Permission Roles?

Permission roles, also known as user roles or IAM roles, are a set of IT privileges intended for a specific group of users, such as members of the same team or department. By bundling permissions together into roles, admins can grant new users all the access they need in one go, which saves a lot of time. In addition, a permission role model grants increased visibility into who in the organization has access to what.

Why Do I Need Permission Roles?

Users need IT permissions in order to do their job. But when admins assign privileges individually to each user, it quickly leads to chaos. Manual permission management is not only slow, labor-intensive and prone to errors: It leaves you with no idea who has access to what or who made which changes.

Instead, organizations should follow a consistent and ideally automated process for granting access rights to users. Automated permission management increases efficiency, transparency and security.

But in order to automate your permission management, you first need to establish which users need which permissions. This is where permission roles come in: By grouping together users with similar access needs, the organization can define appropriate baseline permissions for employees in specific departments or locations.

There are multiple advantages to using permission roles to model user access:

  • Easily provision new users

  • Foundation for user lifecycle automation

  • Keep access rights consistent for users with the same role

  • Increased visibility into what a user can access

  • Adjust access quickly by assigning a different role (for individual users) or editing a role (for multiple users)

Permission roles are key component in both role-based access control models and identity governance and administration (IGA) on the whole.

How Do Permission Roles Work?

Permission roles work by grouping together IT privileges based on factors like department, location or position/rank. There are two basic question an organization needs to answer when designing permission roles:

  • 1

    How many different roles are needed to model our organizational structure?

  • 2

    Which permissions should be included in each role?

When a new user is added to a permission role, they automatically receive access rights intended for that role. In other words, admins no longer have to individually provision each new accounts and equip them with right privileges. Similarly, when a user is removed from a role, they automatically lose access to the resources associated with it. This simplifies offboarding and makes sure that no important steps or orphaned accounts are overlooked.

Permission Roles in Active Directory

To add permission roles to Active Directory, Microsoft recommends the AGDLP principle: First, you create global user groups that correspond to the different business roles in your organization. Then, you add these user groups to local permission groups, each of which governs one specific permission. By following this structure, you can easily see which permissions are included in a role by checking its list of group memberships (assuming you gave your groups helpful names).

In order to use permission roles across multiple systems – such as your local AD, Microsoft 365 and different business apps – you need a central platform for identity & access management which can implement the necessary changes in all target systems. IAM solutions also have the advantage of allowing you to automatically assign users to roles by drawing on your HR database.

Role and Permission Design in 5 Steps

1

Inventory IT Assets

Before you can decide which resources your users should be allowed to access, you first need to figure out which assets there are on your network. This may sound obvious, but many organizations never bother to create a detailed inventory of the data, software and hardware that makes up their IT infrastructure.

The only way to make informed decisions about user access is if you’re working off of accurate and up-to-date information. So the first step to creating permission roles is to create an inventory of your IT assets. This process often leads to surprising discoveries, such as workarounds and unsanctioned tools your departments have been using to deal with limitations in your official infrastructure, a.k.a shadow IT.

2

Examine Organizational Structure

Once you have a clear picture of all the data, systems and assets your employees could theoretically access, the next logical question to answer is: Who needs what? Which information is relevant for which staff members? What is the best way to group employees together based on their access needs.

Most businesses model their permission roles after their organizational structure, since users in the same department typically need access to the same resources. However, depending on the scale and make-up of your enterprise, a different approach might make more sense for you.

A general model for permission roles based on your organizational structure could look like this:

  • Organization: first, determine universal rights every employee should have as well as resources everyone should have access to.

  • Location: If your company operates across multiple offices/branches, it’s best to reflect this structure in your role model, as each branch will be using its own data sets.

  • Department: The next step is to define roles based on the specific needs of each department, such as access to customer data for the Sales team and financial information for Accounting.

  • Job/Rank: If necessary, you can create further roles within departments based on rank or position. For example, you could grant all team members read-access to documents, but limit write-access to managers.

3

Group Default Permissions into Roles

After establishing which and how many different roles you need to model access for your organization, it’s time to equip your roles with permissions.

One way to decide which access rights should be included in a role is to look at the existing privileges those users hold: Check which permissions are shared by all or most members of the group and add them to the role. This process is known as role mining and is something an automated IAM platform can help you with.

But beware: Just because your users currently have access to data or an application doesn’t mean they actually need access. Your users should only hold permissions that are essential for their work.

Aside from automated user provisioning, permission roles should also help you avoid unwanted access to sensitive information. When designing permission roles, it’s important to follow the principle of least privilege.

Whitepaper

Best Practices for Access Management In Microsoft® Environments

Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.

4

Automate User Provisioning

After designing your permission roles and equipping them with the intended privileges, you can now use the role model to simplify the provisioning process for new users.

At the most basic level, the permissions intended for different roles can serve as a checklist detailing which privileges IT admins have to assign to new employees in different departments. But since manual provisioning is both time-consuming and prone to errors, it would be more helpful to follow an automated workflow.

In Active Directory, you can use the AGDLP group structure to model access based on your permission roles: By adding a new user to the right role group, they automatically receive all permissions nested within it. However, if you want to expand the use of role-based provisioning to cover both on-prem, cloud and third party apps, you need a dedicated identity & access management platform.

5

Monitor & Adjust Permission Roles

IT environments are constantly changing. Similarly, the responsibilities of employees are forever in flux. As a result, permission roles need to be continuously adjusted to the changing circumstances of the organization: New privileges may have to be added, old privileges may have to be removed.

Permission roles should be an up-to-date representation of the resources your users need for their work. Outdated and unnecessary permissions put sensitive information at risk through both cyberattacks and insider threats such as employee data theft.

tenfold: Your No-Code Solution for Role-Based Permission Management

Are you looking to simplify your access management by implementing permission roles? No problem! tenfold helps you design and implement permission roles by analyzing the existing privileges in your organization. Once set up, our no code IAM solution serves as your central, automated hub for managing access rights across all IT systems, from your on-prem Windows network to Microsoft 365 and business apps like SAP ERP.

So why choose tenfold over other IAM providers? Easy: While other tools require you to script the workflows and integrations you need yourself, tenfold comes with a suite of prebuilt plugins that can be set up with just a few clicks. Thanks to this revolutionary approach, you can automate your permission management in a matter of weeks rather than months or years! See for yourself by signing up for a free trial.

Free Trial

Our No-Code Solution Makes IAM Easy.
Start Your Free Trial Today!

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.