User Access Modeling: How to Design Permission Roles

Permission roles, also known as user roles or IAM roles, are a set of IT privileges intended for a specific group of users, such as members of the same team or department. By bundling permissions together into roles, admins can grant new users all the access they need in one go, which saves a lot of time. In addition, a permission role model grants increased visibility into who in the organization has access to what.

Users need IT permissions in order to do their job. But when admins assign privileges individually to each user, it quickly leads to chaos. Manual permission management is not only slow, labor-intensive and prone to errors: It leaves you with no idea who has access to what or who made which changes.

Instead, organizations should follow a consistent and ideally automated process for granting access rights to users. Automated permission management increases efficiency, transparency and security.

But in order to automate your permission management, you first need to establish which users need which permissions. This is where permission roles come in: By grouping together users with similar access needs, the organization can define appropriate baseline permissions for employees in specific departments or locations.

There are multiple advantages to using permission roles to model user access:

Permission roles work by grouping together IT privileges based on factors like department, location or position/rank. There are two basic question an organization needs to answer when designing permission roles:

When a new user is added to a permission role, they automatically receive access rights intended for that role. In other words, admins no longer have to individually provision each new accounts and equip them with right privileges. Similarly, when a user is removed from a role, they automatically lose access to the resources associated with it. This simplifies offboarding and makes sure that no important steps or orphaned accounts are overlooked.

To add permission roles to Active Directory, Microsoft recommends the AGDLP principle: First, you create global user groups that correspond to the different business roles in your organization. Then, you add these user groups to local permission groups, each of which governs one specific permission. By following this structure, you can easily see which permissions are included in a role by checking its list of group memberships (assuming you gave your groups helpful names).

In order to use permission roles across multiple systems – such as your local AD, Microsoft 365 and different business apps – you need a central platform for identity & access management which can implement the necessary changes in all target systems. IAM solutions also have the advantage of allowing you to automatically assign users to roles by drawing on your HR database.

Before you can decide which resources your users should be allowed to access, you first need to figure out which assets there are on your network. This may sound obvious, but many organizations never bother to create a detailed inventory of the data, software and hardware that makes up their IT infrastructure.

The only way to make informed decisions about user access is if you’re working off of accurate and up-to-date information. So the first step to creating permission roles is to create an inventory of your IT assets. This process often leads to surprising discoveries, such as workarounds and unsanctioned tools your departments have been using to deal with limitations in your official infrastructure, a.k.a shadow IT.

Once you have a clear picture of all the data, systems and assets your employees could theoretically access, the next logical question to answer is: Who needs what? Which information is relevant for which staff members? What is the best way to group employees together based on their access needs.

Most businesses model their permission roles after their organizational structure, since users in the same department typically need access to the same resources. However, depending on the scale and make-up of your enterprise, a different approach might make more sense for you.

A general model for permission roles based on your organizational structure could look like this:

After establishing which and how many different roles you need to model access for your organization, it’s time to equip your roles with permissions.

One way to decide which access rights should be included in a role is to look at the existing privileges those users hold: Check which permissions are shared by all or most members of the group and add them to the role. This process is known as role mining and is something an automated IAM platform can help you with.

But beware: Just because your users currently have access to data or an application doesn’t mean they actually need access. Your users should only hold permissions that are essential for their work.

After designing your permission roles and equipping them with the intended privileges, you can now use the role model to simplify the provisioning process for new users.

At the most basic level, the permissions intended for different roles can serve as a checklist detailing which privileges IT admins have to assign to new employees in different departments. But since manual provisioning is both time-consuming and prone to errors, it would be more helpful to follow an automated workflow.

In Active Directory, you can use the AGDLP group structure to model access based on your permission roles: By adding a new user to the right role group, they automatically receive all permissions nested within it. However, if you want to expand the use of role-based provisioning to cover both on-prem, cloud and third party apps, you need a dedicated identity & access management platform.

IT environments are constantly changing. Similarly, the responsibilities of employees are forever in flux. As a result, permission roles need to be continuously adjusted to the changing circumstances of the organization: New privileges may have to be added, old privileges may have to be removed.

Permission roles should be an up-to-date representation of the resources your users need for their work. Outdated and unnecessary permissions put sensitive information at risk through both cyberattacks and insider threats such as employee data theft.

Are you looking to simplify your access management by implementing permission roles? No problem! tenfold helps you design and implement permission roles by analyzing the existing privileges in your organization. Once set up, our no code IAM solution serves as your central, automated hub for managing access rights across all IT systems, from your on-prem Windows network to Microsoft 365 and business apps like SAP ERP.

So why choose tenfold over other IAM providers? Easy: While other tools require you to script the workflows and integrations you need yourself, tenfold comes with a suite of prebuilt plugins that can be set up with just a few clicks. Thanks to this revolutionary approach, you can automate your permission management in a matter of weeks rather than months or years! See for yourself by signing up for a free trial.