Role Based Access Control Heineken Netherlands

Abstract

The administration of users and their related permissions in the IT environment is a complex and expensive task. The growing number and variety of applications, combined with the manual administration of the related permissions, results in an enormous administrative burden and a lack of control. One effect of this situation is the accumulation of permissions by employees, which causes significant security risks. The implementation of Identity and Access Management (IAM) provides a solution for this undesired situation, and Heineken Netherlands therefore initiated the IAM-project. The business drivers for this IAM-project are business facilitation, cost containment, operational efficiency, risk management, governance, and regulatory compliance. The identity management part of IAM focuses on the question of who the user is; the access management part focuses on what the user is allowed to do. The use of Role Based Access Control (RBAC) for the realization of access management is common practice. Roles in such a role model can be seen as an abstraction of the user-permission relationship. The creation of a role model proved to be the major hurdle for the implementation of RBAC. For this purpose the RBAC-project was initiated at Heineken Netherlands, resulting in this report. The project started with an analysis of existing literature and best practices, resulting in a new RBAC terminology and the selection of four approaches for the design of a role model. Furthermore, the Heineken organization was analyzed, resulting in nine perspectives, of which three were selected to form the foundation of the roles. Heineken preferred a hybrid approach for the design of the role model; however, a methodology for a hybrid approach had not been described in the literature before. Therefore a hybrid methodology was designed, containing seven steps to create the role model. As part of the hybrid methodology, a new optimization algorithm was also introduced.
The project continued with the customization of the hybrid methodology by incorporating the selected approaches and perspectives, resulting in the final Heineken methodology. The validation of the Heineken methodology was done by conducting a pilot project at the Accounts Receivable Department of the Financial Shared Services Center. In conclusion, the RBAC-project provided a well-founded, customized, and validated Heineken methodology to design the desired company-wide role model. To my knowledge this is the first described study which implements a truly hybrid approach making use of a newly developed terminology and optimization algorithm. The implementation of the Heineken methodology within the pilot area resulted in a role model with 8 roles for 64 employees, reducing the number of assignments by 70%. This low number of roles and assignments enhances the control and maintainability of the role model and of access management in general. The role model is now fully implemented as part of the IAM-project of Heineken Netherlands.

Software Technology, Electrical Engineering, Mathematics and Computer Science
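As an added illustration that is not part of the thesis abstract: the Python script below shows, on constructed sample data, what "roles as an abstraction of the user-permission relationship" and "reducing the number of assignments" mean in practice. It derives roles with a deliberately simple bottom-up grouping (users with identical permission sets share a role), which is an assumption chosen for illustration and not the optimization algorithm or the seven-step methodology the thesis describes; it then counts user-permission assignments before and user-role plus role-permission assignments after, and validates that the role model grants exactly the intended permissions, so that later drift of a role's permission set (the accumulation the abstract warns about) is detected.

```python
# Constructed sample data (not from the thesis): direct user -> permission
# assignments as they might exist before a role model is introduced.
DIRECT = {
    **{f"clerk{i}": {"AR_VIEW", "AR_POST", "AR_REPORT"} for i in range(1, 9)},
    "supervisor1": {"AR_VIEW", "AR_POST", "AR_REPORT", "AR_APPROVE", "AR_WRITEOFF"},
    "supervisor2": {"AR_VIEW", "AR_POST", "AR_REPORT", "AR_APPROVE", "AR_WRITEOFF"},
    "auditor1": {"AR_VIEW", "AR_REPORT"},
    "auditor2": {"AR_VIEW", "AR_REPORT"},
}


def mine_roles(direct):
    """Derive a role model by grouping users with identical permission sets.

    Illustrative bottom-up step only (an assumption for this example); it is
    not the thesis's optimization algorithm. Returns (role_perms, user_roles):
    role name -> frozenset of permissions, and user -> set of role names.
    """
    role_perms = {}
    user_roles = {}
    by_perms = {}  # permission set -> role name
    for user in sorted(direct):  # deterministic role numbering
        key = frozenset(direct[user])
        if key not in by_perms:
            by_perms[key] = f"R{len(by_perms) + 1}"
            role_perms[by_perms[key]] = key
        user_roles[user] = {by_perms[key]}
    return role_perms, user_roles


def effective_permissions(user, role_perms, user_roles):
    """Permissions a user holds via roles: user-role, then role-permission."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms[role]
    return perms


def assignment_counts(direct, role_perms, user_roles):
    """Compare the number of direct user-permission assignments with the
    role model's user-role + role-permission assignments.
    Returns (before, after, reduction fraction rounded to 3 places)."""
    before = sum(len(p) for p in direct.values())
    after = (sum(len(r) for r in user_roles.values())
             + sum(len(p) for p in role_perms.values()))
    return before, after, round(1 - after / before, 3)


def validate(direct, role_perms, user_roles):
    """Check that the role model reproduces exactly the intended permissions.
    Returns user -> (extra permissions, missing permissions); an empty dict
    means no over- or under-provisioning."""
    issues = {}
    for user, intended in direct.items():
        got = effective_permissions(user, role_perms, user_roles)
        extra, missing = got - intended, intended - got
        if extra or missing:
            issues[user] = (sorted(extra), sorted(missing))
    return issues


if __name__ == "__main__":
    rp, ur = mine_roles(DIRECT)
    print(f"roles: {len(rp)}, users: {len(ur)}")
    before, after, reduction = assignment_counts(DIRECT, rp, ur)
    print(f"assignments before: {before}, after: {after}, reduction: {reduction:.1%}")
    print("validation issues:", validate(DIRECT, rp, ur))
    # Simulated drift: a permission is later added to the auditors' role (R1).
    rp_drift = {**rp, "R1": rp["R1"] | {"AR_WRITEOFF"}}
    print("issues after drift:", validate(DIRECT, rp_drift, ur))
```

On the constructed data the 12 users collapse into 3 roles, and 38 direct assignments become 22 (12 user-role plus 10 role-permission), a reduction of about 42%; the thesis's pilot figure of 70% comes from its own data and method, not from this grouping. The validation step is the part worth keeping in any real deployment: a role model is only an improvement over direct assignment if it grants exactly what was intended, and re-running the check after each change to a role's permissions surfaces accumulation before it becomes an audit finding.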
