"The Time

Identity & Access Has Role

Management,
& Role-Based Access Control
Come" .
Management

Matthew Collinson
Why are we here today?

Traditional models of access control consist of point or

application-specific solutions that make management,
reporting and compliance extremely costly and unwieldy.
Moving to Identity & Access Management, Role Management
(RM) and Role-Based Access Control (RBAC) brings the
focus back to the business by defining access purely in terms
of business requirements.
It streamlines the user access lifecycle, simplifies the
enforcement of Segregation of Duties (SoD) and supports the
organisation's reporting and compliance activities.

2 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

This Session’s Agenda

• Identity & Access Management – an overview

• IAM Business Case Example
• Access control – today’s business challenges
• What are RM & RBAC?
• Who are the stakeholders?
• What are the benefits?
• Do’s & Don’ts
• Deloitte Methodologies – a snapshot

3 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Identity & Access
Management – an
overview
Definitions: Identity

• Identity (Digital Identity): the digital representation of a user, including a unique

identifier, credentials, common profiles and entitlements
• The complete digital identity of an individual may be scattered across multiple repositories
within an enterprise, with no hard links between the various pieces
Core Identity Attributes:
• First Name, Last Name, Unique Identifier

Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors

Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor

New in Window

Entitlements:
Limited Contri- Full
Read Design SharePoint Services
Access* bute Control
(version 3)?
Update Personal Web
Parts ü ü ü No

Add/Remove Personal
ü ü ü No

• Permission levels, access rights

Web Parts
Manage Person al
Views ü ü ü No

Approve Items
ü ü New

Person User’s Digital ID • Access control items Delete Versions

View Versions
ü
ü
ü
ü
ü
ü
ü
New

New

Cancel Checkout
ü ü No

Open Items
ü ü ü ü New

View Items
ü ü ü ü No

Delete Items
ü ü ü No

5 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definitions: Authentication, Authorization

• Authentication: the process of establishing the validity of an identity claim

– “Gets you in the front door”

• Authorization: the process of determining the appropriate rights and privileges

for a given identity
– Determines “what you are allowed to touch/see, once inside”

• Multi-factor authentication: using a combination of two or more factors

(something you know/have/are) to authenticate a user to achieve a higher level
of authentication assurance
– Note: Username and password does not count as two-factor authentication!

6 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definitions: SSO, Federation

• SSO (Single Sign On, a.k.a. Reduced Sign-On, Simplified Sign-On)

– Access control method which enables a user to authenticate once to gain access to
multiple systems

• Identity Federation
– Standards-based method of
exchanging identity information
across autonomous security
domains (organizations) Vendor

– Facilitates SSO across separate

enterprises or security domains

7 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Definition: Identity and Access Management

• Identity and Access Management (IAM) is a set of business processes, information, and
technology for the creation, maintenance and use of people’s digital identities within
the bank and eventual termination of that identity in a controlled and secure manner.

8 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM Services – Conceptual View

9 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM: Business value perspective

Business Facilitation Security & Risk Operational Efficiency Cost

Management

Improved user experience

and business integration Managing business risks Efficient operations, high Cost and productivity
capabilities: through effective and quality services: impacts:
“Build once, deploy often” demonstrable controls “Better, faster, cheaper” “Deliver more for less”

Reduced Sign-On,
registration and password
self-services for internal
users
Consistent and
streamlined user
provisioning processes
with automated workflow
(escalation and approval
points)
Business integration and
large technology roll-outs
Consistent security policy
enforcement and
automated controls
(protection of customer
data)
Identity lifecycle
administration (accurate
and timely terminations
and access management)
Improved privacy and
regulatory compliance
Effective logging,
comprehensive auditing
and timely reporting
Improved service levels
(user management and
provisioning) and
good quality of service
Streamlined security
administration & reporting
Flexible infrastructure for
rapid deployment of
applications (enablement
of shared services and
Service-Oriented
Architecture)
User productivity cost
savings due to:
Quicker provisioning
processes
Reduced time for
password re-sets
Single Sign-On
Reduced cost of:
User Administration
and Provisioning
Helpdesk (password
management)
Security Administration
(auditing, reporting)
Avoiding uncoordinated
and overlapping
application development
efforts.

10 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

 IAM Program - Key Success Factors
• Recognize business ownership of IAM

• Recognize the size of the problem

 Inventory of identity objects
 High ratio of accounts to individuals

• Build a clearly defined, realistic roadmap which:

 Leads towards the target architecture: common/re-usable services
 Leverages good work already done, or in flight
 Allows for better decision making
 Results in cross pollination of strategies allowing for more enterprise-focused, scalable solutions

11 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

IAM Business
Case Example
Our analysis of business needs indicated that Identity and Access Management
problems need to be addressed and the time is right now.

Business Problems: Observations

 Delayin onboarding (user access provisioning)
causes unacceptable loss of productivity.
 BU’s are constantly asking for the ability to manage Enterprise Solution
User groups and roles for their users.
Experience  Too Provisioning Automated creation,
many IDs and passwords to remember. modification and deletion of
Service
 Usersare frustrated with login and password issues user accounts and related
access attributes.
when dealing with externally hosted applications.

 Many applications require user profile/group Allows end users manage

User
management capabilities. In the absence of an Management their profile/access information
enterprise solution, they develop tactical solutions. via self-service or delegated
Service
administration (i.e. designated
 Tacticalsolutions increase overall spent and managers) interfaces.
Application
Delivery complicate the existing IT challenges.
 Simplified Sign-On is a common requirement for Federated Provides seamless
Sign-On authentication across
applications, but there is no enterprise solution.
organizations, where a 3rd
party application relies on
Client credentials.
 Auditfinding: current user administration processes
Web Access Provide Simplified Sign-On
are not consistent and lack effective controls. and policy-based access
Management
 Lack control to Intranet or web
of automated role/group assignment for users resources.
Risk and results in excessive privileges (accumulated access).
Compliance  Access control mechanisms developed by individual
applications are inconsistent, difficult to manage and
report on (to demonstrate compliance).

13 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

 Detailed review and analysis of needs enabled us to prioritize the IAM services
based on cost benefit analysis and available alternatives. The Provisioning and
User Management Services were identified as a high priority.
IAM Services: Key Findings and Priorities
Service Key Findings Priority
Provisioning Service • Large potential for cost savings High
Identity Management

• Significant contribution to risk management & compliance

• No existing solutions or viable alternatives.

User Management Service • Large potential for cost savings High

• Significant contribution to efficient application delivery (as a key
shared service in the SOA framework)
• No existing solutions or viable alternatives.

Federated Sign-On • Some potential for cost savings, mostly in application delivery Medium
Access Management

• Enterprise-wide adoption could be challenging due to difficulties

with external application integration (multiple vendors).
• Point solutions are being considered to address immediate
needs.
Web Access Management • Low potential for cost savings. Low
• There are alternative (low cost) solutions to address SSO.
• The Intranet Strategy makes the need for this service less
compelling.

14 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The implementation of the Provisioning and User Management services will require $13.1M of investment over 5 years,

which includes $2M of one-time process/application integration costs and $0.9M of annual run costs.

Incremental Solution Costs over 5 years

Component Value ($M) Assumptions

24 Intel/Linux servers costing $20,000 will be used as a hardware/OS

Hardware 0.5
Capital

platform to run all core components of the solution

Provisioning software will be required for 50,000 users at $25 per user
Software 1.3 (based on industry average price)

Approximately 3 external consultants for 55 weeks will be required

External Consulting
Expenses

2.2
Non-Capital

Internal project team will include Project Manager, Architect and

Internal FTE Expenses 1.0 implementation/testing specialists at an average cost of $100/ hr

Integration Costs 2.0 Application integration and process integration will require involvement of
internal staff outside of the project team, estimated at 8 FTEs.
One-time Total 7.0

Hardware & Software Hardware maintenance cost is estimated at 10% of Hardware Cost and
0.3
Annual

Maintenance Software maintenance cost is estimated at 20% of Software Cost

Operational Run Costs 0.9 Annual hardware capitalization and overhead are estimated at 55% of total
hardware costs. Plus 4 FTE’s at $150K/year for ongoing support.
Annual Total 1.2

One-time Total (year 0) 7.0

Annual Costs (over 5 years) 6.2

Total Notional Costs (over 5 years) 13.1

15 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Cost benefits, which are estimated at 4.3M/year, are resulted from productivity cost savings and reduction of Vendor

costs, due to the automation in access provisioning, password management and access administration.
Annual Incremental Benefits
Cost Component Value ($M) Benefits Calculations / Assumptions
Assumptions
At a minimum, 1 day of delay can be eliminated by implementing an automated provisioning
system resulting in an on-going productivity savings of $1.5M/year.
User Productivity Cost Approximately 13,475 non-retail employees are transferred or hired every year and on-
Savings (faster on- 1.5 – 4.5 boarding takes approximately 5-21 days.
Provisioning

While 50% of the time spent by new employees and transferees is on reviewing
boarding) manuals, training, orientation, etc., the remaining 50% are assumed to be unproductive.
Average employee salary is assumed to be $30 per hour.

Reduction of Vendor With the implementation of the provisioning solution, services provided by 4 FTEs (access
services at Vendor, including login ID creation) would not be required.
FTEs (Access 0.6 Currently, access provisioning team at Vendor includes 18-20 FTE’s.
Provisioning) Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 p.a.

Using self-service password reset functionality, the request volume for help desk password
resets would reduce by 90%. This will yield approximately $2M/year in cash flow savings.
User Management

Reduction of Vendor Approximately 168,000 password reset requests per year are processed by Vendor for
Workload (Password 2.0 – 2.2 Active Directory, Email, Host, Novell, RLAN and Web Based Applications.
Average cost of processing one password request is $15.
Management) It is assumed that the benefit realization will be 50% for the first year and 75% for the
second year. From year 3 the benefit realization is assumed to be 100%.

Reduction of Vendor With the implementation of the Delegated Administration, services provided by 1 FTEs
FTEs (Access 0.2 (access administration at Vendor) would not be required.
Administration) Average fully loaded salary of Vendor (if billed to Client directly) is $150,000 per annum.

Total Annual Benefits 4.3 – 7.6 Notes:

1. For most benefits, the benefit realization for first year is assumed to be less than 100%.
Total Benefits (over 5 years) 19.1 – 33.9 2. Ranges are based on low and high estimate projections. The lower end represents a
conservative approach and the higher end represents a more optimistic calculation.

16 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The implementation of the Provisioning and User Management services form a compelling business case: 3.5 years pay back

and Net Present Value of cash flow is estimated at $3.4M, as the most conservative estimate.

Incremental Costs and Benefits over 5 years

Component Value ($000) Cumulative
Cumulative Costs and Benefits
Costs and Benefits

Total Notional Costs $13,137 20,000,000

15,000,000
Total Discounted Costs1 $12,026 10,000,000
5,000,000
Total Benefits2 $19,139 – $33,854 -
(5,000,000)
Total Discounted Benefits1, 2 $15,466 - $27,341 (10,000,000)
(15,000,000)
Net Present Value of Cash Flow1, 2 $3,439 - $15,315 2007 2008 2009 2010 2011 2012
Cumulative Discounted Investment Cumulative Discounted Benefits
Cumulative Net Value

Discounted Cash Flow

3.5 yrs - 1.75 yrs
Payback1, 2

Return on Investment 22% - 62%

Notes:
1. The Weighted Cost of Capital is assumed to be 7%
2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a
more optimistic calculation.

17 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

In addition to significant financial returns, the implementation of the Provisioning and User
Management services will contribute to better business facilitation, enhance application
delivery capabilities and improve compliance and risk management posture of Client.

Qualitative Benefits
Faster on-boarding process leading to improved user experience and productivity.

User Increased end-user productivity and better user experience (due to delegation and self-service)
Experience

Reduced cost of tactical solutions development and avoiding unnecessary support costs.

Application Flexible SOA infrastructure for rapid deployment of applications.

Delivery

Improved compliance and risk management posture due to automated and effective controls for
identity life cycle administration (timely de-provisioning).

Streamlined security administration and audit/compliance reporting.

Risk and
Compliance Improved data quality and integrity for identity information.

Improved application access controls due to more accurate and timely role/group assignment in
applications.

18 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

 In order to maximize business benefits and achieve quick wins, our recommendation is to start with the Provisioning Service,
then proceed with the Password Self-service and continue with the Role-based Access Provisioning and Delegated
Administration.
Provisioning:
Core User Provisioning
Benefits
Faster on-boarding process –
Productivity Gain $1.5M/yr
Increased productivity and
employee satisfaction.
Integration with (connectors to):
ACF2
AD
Scope
ED
Novell
Feed from PeopleSoft (events)
Basic workflows, basic roles
UI only for Administrators
19 "The Time Has Come"
Implementation Roadmap
User Management:
Password & Identity Self-Service
Reduced FTE (Vendor costs) for
Password Management - $0.5M/yr
Improved User Experience.
Faster on-boarding process –
Productivity Gain $1.5M
Increased productivity and
employee satisfaction.
Password synchronization for all
connected platforms, initiated
from the provisioning engine.
Password change Self-service.
Password re-set Self-service
(forgotten password function).
Identity Self-service to update
basic attributes (contact info).
Provisioning:
Role-based Access Provisioning
Reduced FTE (Vendor costs) for
Access Provisioning - $0.5M/yr
Automated controls for Identity
Lifecycle administration.
Streamlined reporting; improved
regulatory compliance posture.
Reduced FTE (Vendor costs) for
Password Management - $0.5M
Improved User Experience.
Faster on-boarding process –
Productivity Gain $1.5M
Increased productivity and
employee satisfaction.
Job codes from PeopleSoft are
mapped to enterprise roles.
Multiple BU-specific roles are
defined and mapped to specific
access entitlements (e.g. AD
groups, ED groups, etc.).
Complex workflows for approval,
RFI and notification
© 2008 Deloitte Touche Tohmatsu
User Management:
Delegated Administration
Reduced FTE (Vendor costs) for
Access Administration - $0.2M/yr
Reduced cost of application
development (SOA services).
Reduced FTE (Vendor costs) for
Access Provisioning - $0.5M
Automated controls for Identity
Lifecycle administration.
Streamlined reporting; improved
regulatory compliance posture.
Reduced FTE (Vendor costs) for
Password Management - $0.5M
Improved User Experience.
Faster on-boarding process –
Productivity Gain $1.5M
Increased productivity and
employee satisfaction.
Administrative roles are defined
to allow for multiple tiers of
administration.
Delegated Administration UI.
Access controls are defined to all
delegated administrators to
manage only users (and
attributes) in their scope.
 It was identified that many projects and initiatives across Client are asking for Identity Management and
Access Management capabilities.

IAM Business Needs

Service Specific Business Needs
Provisioning Service Current provisioning & de-provisioning processes are not consistent, not timely and lack
Identity Management

Core User Auditing &

automation as reported in audit findings.
Provisioning Reporting Access provisioning processes require automation to eliminate manual steps and
Role-based access resulting high set-up costs.
provisioning Workflow
Business units are asking for faster on-boarding process for their employees.

User Management Service Multiple applications require User Profile & Group Management capabilities. Role-based Access
Delegated Identity Control is strategic vision at Client.
Administration Self-service Business units want to control assignment of roles/groups to their users, hence require
Password delegated administration.
Self-Service

Federated Sign-On Over 150 external applications deliver some sensitive data that can be accessed from home
Access Management

without involving Client authentication. Robust authentication controls are required.

Authentication Secure
Token Svc Risk and audit concerns related to gaps in de-provisioning processes for externally hosted
applications (e.g. Iron Mountain).
Users are frustrated with numerous credentials required for externally-hosted applications.

Web Access Management Seamless authentication and access control mechanisms are required to provide granular and
selective access to Intranet and web resources.
Authentication Authorization Intranet Portal roadmap requires SSO and Access Management

Monitoring & Secure Simplified Sign-On from desktop is a business requirement for many application projects.
Reporting Token Svc

20 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

 The Identity and Access Management services have various sets of associated benefits, however some services have less

compelling costs benefits and already have alternative strategies in place to address the priority needs.

IAM Services: Analysis of Benefit Drivers and Alternatives

Service Drivers / Benefit Categories Alternatives Solution Costs
Cost Savings – One Time - $3.4M
Provisioning Service
Identity Management

Annual Run - $0.8M

Core User Auditing & User Productivity –
Provisioning Reporting Process Integration -
Risk / Compliance – $1.1M
Role-based access
provisioning Workflow • No viable alternatives to perform
automated identity lifecycle.

Cost Savings – • Some tactical solutions in Retail, One Time =

User Management Service
Wealth and Intranet Portal to manage Provisioning + $1.6M
Delegated Identity User Productivity – user profiles and group information. Annual Run =
Administration Self-service Provisioning + $0.4M
Risk / Compliance –
Password Application Integration
• No alternatives at the Enterprise level.
Self-Service - $0.9

Cost Savings – • Some proprietary mechanisms are One Time - $2.5M

Federated Sign-On
Access Management

currently in use to achieve SSO across Annual Run - $0.7M

Secure User Productivity – external domains.
Authentication • Point solutions are being considered to
Application Integration
Token Svc
Risk / Compliance – ` address immediate needs.
- $0.7M

Web Access Management Cost Savings – • The current strategy is to use One Time - $2.7M
Kerberos/SPNEGO. Annual Run - $0.6M
Authentication Authorization User Productivity – • The Intranet Portal strategy will be able
Application Integration
to provide access control to Web
Risk / Compliance – - $1.1M
applications and resources at the
Monitoring & Secure
portal level.
Reporting Token Svc

Low Degree of Medium Degree of High Degree of

21 "The Time Has Come" compelling benefits ©benefits
compelling 2008 Deloitte Touche Tohmatsu
compelling benefits
Access Control –
Today’s Business
Challenges
Today’s Business Challenges

Operational Compliance IT & Business

Inefficiencies Management Alignment

• Delay in getting • Challenges in • Multiple reporting

“required and establishing the systems
correct”access – right access to the
leading to loss of right people • Inconsistency in
productivity application of
• Resource intensive Enterprise Security
• Complex approval attestation process policies, processes
processes requiring across disparate
multiple personnel • Challenges in systems
and manual identifying job
workarounds – functions and • Effective Change
increased cost of enforcement of SoD Management
operations

23 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

What are RM
and RBAC?
How do we define “role”?

A role defines functions performed by and access privileges

granted to a group of users, sharing the same job, position or
performing the same tasks.
Access Privileges

System

Employees Role Functions

Directory
• Approve
Supervisor Invoices
• Monitor Staff Database
• Base Access

E-mail

Internet

25 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Types of Roles: Job vs. Function

Job Roles Function Roles

– Roles based on Job Title – eg. - Roles based on Job Function eg.
– Supervisor Role – Approve Invoices Role
– Service Associate Role – Monitor Staff Role
– Analyst Role – Report Status Role
– Example: Many Users to One Job Role – Example: Many Users to Many Function
Roles

Approve
User 1 User A
Invoices

User 2 Supervisor User B Monitor Staff

Report
User 3 User C
Status

26 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role-Based Access Control (1)

A method of defining, managing and enforcing access control privileges

through the use of roles between end user and permission assignments.

Process 1 Permissions
Today’s
Process 2
Access Control:
Request
by process Process 3

User(s) Direct

Permissions
Tomorrow’s
Access Control: Role(s)
Request
RBAC
User(s)

27 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role-Based Access Control (2)

RBAC is a mechanism which limits resource access (system, application

etc) based on a user’s job functions.
– Users do not “own” objects for which they are allowed access.
– Access rights are granted via roles, which serves as layer of
abstraction between users and IT objects.
– Protection policies are unavoidably imposed on all users – there is
no concept of a “superuser”.

Privileges

Users Roles Operations Resource

n:n n:n n:n

28 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Who are the
stakeholders?
Stakeholder Groups
Acquirers
CXO
End Users
Risk Assessors
Management

Application IT Audit
Owners
Users

Enterprise
Business
Architecture
Owners

Human
Resources
Help Desk
IT
Operations
Support User
Administration
Staff

Maintainers
Administrators
30 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu
What are the
benefits?
In the Board Room…

Allows the enterprise to address “Pain Points”and business initiatives –

from the IT Manager to the CxO

ü  $ 
Regulatory Governance Increased Increased Business
Compliance & Security Productivity Service Level Facilitation
• SOD • Consistent & Cost • User self
• Reach global
requirements security policy Reduction service
• Immediate customers
• Role-based • Focused,
system-wide • Eliminate
access personalized • Tighter
access redundant
• Least privilege content supplier
updates administration
access tasks • Delegated relationships
• Real-time • Consistent Administration
identity data • Reduce • More
visibility and helpdesk • Comprehensive productive
disclosure • Automated risk profile view
burden partnerships
• Basic mitigation • Password
• Fast employee
compliance • Enterprise SoD management
ramp-up
reporting

32 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

At the coal face…

Before After

Request for one user, one Reduced set of access –

application at a time but approved

Role pre-approved – easier to use,

Model role after access provided
streamlined process for access

SOD between application Easier reporting

Multiple options to select from

Access defined in business terms
to provide user access

33 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Do’s & Don’ts
Do’s & Don’ts

The effectiveness of an RM / RBAC implementation is dependent upon your

ability to get the project moving, successfully completing development, and
institutionalising RBAC in your culture.
– Accept the fact that all the information may not be there to start
– Plan up front – with as much detail as you can
– Implementing RBAC requires the convergence of business and
technology – with the emphasis on business
– Take advantage of communication opportunities with various groups in
the organisation
– Implementing RBAC is a culture-changing event
– Maintain management support throughout the project

and finally…
It’s a Journey – you’ll learn along the way!

35 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Deloitte Methodologies
– a snapshot
IAMethodsTM – overview

IAMethodsTM is an iterative, architecture-centric and use case-driven set of processes,

procedures, and accelerators for transforming business requirements into delivered
solutions. The methodology defines a project lifecycle with phases, threads, work packages
and milestones with decision points for aligning the delivered solution with business needs.
Emphasis is placed on collaborative definition and validation of stakeholder requirements via
early delivery of working prototypes which are developed through iterative steps into the
deployed IAM solution.

37 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

The IAMethodsTM Framework

38 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

Role Management for Enterprise (RM4E) Methodology
Inception Elaboration Construction Transition
Solution Design

Define RM4E Vision Establish RM4E

Governance Model Develop enterprise
RM4E Pilot Results
roles for the
Summary
business units
Design RM4E
Conceptual Pilot Group
selection Deploy roles, RM4E Organization
Architecture processes and Deployment
technology roadmap
RM4E Process and
Evaluate/Select Role Design
Technology

• Deploy roles, processes

Solution Delivery

• Build Development • Test Processes and

environment technology and technology in
production environment
• Develop RM4E Deployment • Prepare Test Report
framework
• Prepare deployment design
• Develop Knowledge transfer
plan • Conduct Knowledge transfer
Project & Change Management

Project/Change Management Framework

• Project Management • Detailed Schedule • Project closure

Framework
• Change Management
Strategy

39 "The Time Has Come" © 2008 Deloitte Touche Tohmatsu

RM4E Implementation
Key activities: Build roles for organizational groups (standard, repeatable process)
2
Jumpstart
 Begin RM4E
implementation
 Understand LOB functions
and system access
 Initiate role design
 Select technology (Role
Engineering, Role Lifecycle
Management)
1 5
Initial
Activities
 Set stage for RBAC
implementation
 Gather and review LOB
information
 Gather, review & assess
LOB system access
information
40 "The Time Has Come"
3 Development
 Conduct detailed role
4
development
Role Validation
 Design RM4E processes & Approval
 Design technology solution
 Test roles, processes and
 Provide training technology
 Identify exception
 Finalize roles with all
appropriate individuals and
groups
 Obtain approval on roles
Deployment
 Deploy enterprise roles
 Deploy RBAC processes,
Methodology procedures, and guidelines
 Deploy technology
 Finalize LOB RBAC
implementation
© 2008 Deloitte Touche Tohmatsu
 © Deloitte Touche Tohmatsu, 2008. All rights reserved.
Liability limited by a scheme approved under Professional Standards Legislation.
Confidential This document and the information contained in it are confidential and should not be used
or disclosed in any way without our prior consent.