On Glossary Management…

Talking to several customers who want complete glossary management for the entitlements held in their warehouse of user identities, I’ve come to realize that a major problem for them today is that most entitlements, especially on mainframes and target platforms such as Active Directory and Unix, are not clearly understood by the various lines of business when they perform their quarterly attestation reviews. More importantly, no tool on the market today provides a centralized view for creating glossary definitions (or importing existing ones: most customers, especially in the financial sector, pay top dollar to create glossary definitions, all of which are maintained in Excel spreadsheets) and subsequently managing them. The management piece is interesting because it means adding security features that allow multiple owners across different businesses to manage glossary definitions. Those definitions can later be leveraged not just by an attestation solution but also by provisioning solutions and other downstream applications that require end users to thoroughly understand the meaning of cryptic entitlements (such as a concise definition of a RACF group membership or the true meaning of an SAP role) before performing certain tasks.

This solution would provide a truly enterprise-wide capability to manage glossary definitions across applications and target systems, while also providing a means to attest to the validity of the entitlements themselves. According to another large banking customer, entitlement creep takes place in an organization over time, and these entitlements are never reconsidered and remediated in the target systems. A mechanism to truly understand the meaning of each entitlement, and whether it is indeed still needed, is called for.

This raises another question: in addition to regular glossary management capabilities (CRUD), do glossaries need to be audited when they are defined or modified? This would require strong historical reporting so that any additions or modifications made by designated “glossary owners” are recorded in a centralized dashboard. Versioning and revert capabilities should also be provided, allowing glossary owners to switch back and forth between definitions if required. Moreover, glossary owners would then be required to attest to the glossaries and, most importantly, to the true need for all entitlements pertaining to a target system or application, providing comprehensive evidence to auditors that unwanted entitlements are actually being revoked and/or consolidated in the target systems on a regular basis.
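To make the requirements above concrete, here is an added example (not code from the original post or from any product) of a minimal glossary store: owner-restricted changes, append-only versions, revert as a new audited version, owner attestation of whether the entitlement is still needed, and a per-entitlement audit trail. The entitlement name, owners and definitions used in it are constructed.

```python
from collections import namedtuple
from datetime import datetime, timezone

Version = namedtuple("Version", "number definition author changed_at")

class Glossary:
    def __init__(self):
        self._owners = {}   # entitlement -> set of owner ids allowed to edit/attest
        self._history = {}  # entitlement -> list[Version]; the last entry is current
        self._audit = []    # append-only: (time, actor, action, entitlement, detail)

    def _log(self, actor, action, entitlement, detail=""):
        self._audit.append((datetime.now(timezone.utc).isoformat(), actor, action, entitlement, detail))

    def _require_owner(self, entitlement, actor):
        # Every change or attestation must come from a designated owner; refusals are logged too.
        if actor not in self._owners.get(entitlement, set()):
            self._log(actor, "DENIED", entitlement)
            raise PermissionError(f"{actor} is not an owner of {entitlement}")

    def define(self, entitlement, definition, actor, action="UPDATE"):
        # Each change appends a new Version; nothing is edited in place.
        self._require_owner(entitlement, actor)
        versions = self._history[entitlement]
        versions.append(Version(len(versions) + 1, definition, actor, datetime.now(timezone.utc).isoformat()))
        self._log(actor, action, entitlement, f"v{len(versions)}")
        return len(versions)

    def register(self, entitlement, owners, definition, actor):
        if entitlement in self._history:
            raise ValueError(f"{entitlement} already defined")
        self._owners[entitlement], self._history[entitlement] = set(owners), []
        return self.define(entitlement, definition, actor, "CREATE")

    def revert(self, entitlement, to_version, actor):
        # A revert is itself a new, audited version, so the historical record is never rewritten.
        old = self._history[entitlement][to_version - 1]
        return self.define(entitlement, old.definition, actor, f"REVERT_TO_v{to_version}")

    def current(self, entitlement):
        return self._history[entitlement][-1]

    def attest(self, entitlement, actor, still_needed):
        # Periodic owner attestation covers both the definition and whether the entitlement is still needed.
        self._require_owner(entitlement, actor)
        self._log(actor, "ATTEST", entitlement, "KEEP" if still_needed else "REVOKE")

    def audit_trail(self, entitlement):
        return [entry for entry in self._audit if entry[3] == entitlement]
```

The audit trail is what a reviewer or auditor would query: it shows who defined, changed, reverted or attested each entitlement, and also records rejected edit attempts by non-owners.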
