Identity and Access Management — Nested Groups and Multiple Roles

Navigating the Maze of Nested Groups and Multiple Roles in Modern Identity Management

John Robertson
4 min read, Oct 17, 2023

Identity and Access Management (IAM) is no longer a straightforward affair. Gone are the days when a simple username and password sufficed. Today, IAM is a complex web of roles, permissions, and groups, all intricately designed to safeguard an organisation’s most valuable asset — its data. But as we layer on these security measures, we also introduce complexity, and that complexity can sometimes be a double-edged sword. Two areas that exemplify this are nested groups and multiple roles.

Nested groups are like Russian Matryoshka dolls: a group within a group, within another group. On the surface, it seems like an efficient way to manage permissions. Add a user to one group, and they automatically inherit the permissions of every group that group belongs to, however deep the nesting goes. It’s a neat, tidy package. But here’s where it gets tricky. The more layers you add, the harder it is to keep track of who has access to what. You might think you’re giving someone permission to enter the lobby, but through a series of nested groups, they end up with a key to the bridal suite. It’s a security loophole that’s easy to overlook but can have serious consequences.

Multiple roles add another layer of complexity. In today’s fast-paced work environment, it’s common for employees to wear multiple hats. You might have someone who’s part of the finance team, dabbles in HR, and even takes on some marketing tasks. To facilitate this multi-role function, you assign them various roles in your IAM, Finance and HR systems. Each role comes with its own set of permissions, designed to help the employee perform their job efficiently. Yet, herein lies the dilemma. When you combine these roles, you might inadvertently give them permissions that should never go together. For example, the ability to initiate and approve a financial transaction is a clear violation of Segregation of Duties (SoD) — a fundamental principle designed to prevent fraud and errors.

So how do we navigate this maze? The first step is visibility. If you can’t see it, you can’t manage it. Modern Identity and Access Governance (IAG) solutions come with robust monitoring features that can alert you in near-real-time about potential SoD conflicts or other security risks. These tools are invaluable for keeping track of who has access to what and can help you spot problems before they escalate.
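The nested-group leak and the SoD conflict from combined roles described above, and the kind of check an IAG monitor runs to surface them, as an added example that is not from the article or from any vendor's product: it walks group nesting to compute each user's effective permissions and reports which membership path grants each half of a forbidden pair. The directory, group and permission names and the single SoD rule are constructed for illustration.

```python
from collections import deque

# Constructed sample directory: a group's direct members may be users or groups.
GROUP_MEMBERS = {
    "ap-entry": {"alice"},
    "finance-analysts": {"alice", "bob"},
    "finance-all": {"finance-analysts", "hr-payroll"},
    "payments-approvers": {"finance-all", "carol"},  # nesting that leaks approve
    "hr-payroll": {"dave"},
}
GROUP_PERMISSIONS = {
    "ap-entry": {"txn.initiate"},
    "finance-analysts": {"ledger.read"},
    "finance-all": {"reports.read"},
    "payments-approvers": {"txn.approve"},
    "hr-payroll": {"payroll.edit"},
}
# Permission pairs that must never sit with one person (Segregation of Duties).
SOD_RULES = [("txn.initiate", "txn.approve")]

def effective_groups(user):
    """{group: membership path} for every group reached through nesting.
    BFS yields the shortest path; the 'found' check tolerates cycles."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, queue = {}, deque([(user, [])])
    while queue:
        node, path = queue.popleft()
        for group in sorted(parents.get(node, ())):
            if group not in found:
                found[group] = path + [group]
                queue.append((group, found[group]))
    return found

def effective_permissions(user):
    """Map each effective permission to the nesting path that grants it."""
    perms = {}
    for group, path in effective_groups(user).items():
        for perm in GROUP_PERMISSIONS.get(group, ()):
            perms.setdefault(perm, path)
    return perms

def sod_conflicts(user):
    """(perm_a, perm_b, path_a, path_b) for every SoD rule the user violates."""
    perms = effective_permissions(user)
    return [(a, b, perms[a], perms[b]) for a, b in SOD_RULES if a in perms and b in perms]
```

Running `sod_conflicts("alice")` shows that her direct `ap-entry` membership grants `txn.initiate` while `txn.approve` arrives three groups deep via `finance-analysts`, which is the path an auditor needs in order to remediate the right membership rather than the symptom.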

Regular audits are also essential, and modern IAG tools can help there too. An organisation must make it a habit to review all user accounts, roles, and group memberships — an arduous and error-prone task for humans. They must find any conflicts or anomalies and have them resolved. Was it an oversight? A lack of understanding of how permissions interact? Whatever the cause, it must be identified and addressed to prevent future occurrences. Fortunately, modern IAG tools can also assist them with actioning and subsequently verifying that the appropriate remediations take place.

Automation can be a lifesaver when it comes to managing complex IAM systems. Manual administration is not only time-consuming but also prone to errors. Automated IAG solutions can scan the organisation’s entire business systems landscape, flagging potential SoD conflicts or issues arising from nested groups. Be aware though, that automation is not a silver bullet. It’s a tool that can help you manage complexity, but it can’t replace sound governance practices. You still need a human in the loop to review automated findings and make the final decisions. The people responsible for managing the organisation’s IAM and its business systems need to understand the complexities involved and the risks they pose. They should be well-versed in best practices and stay up-to-date with the latest trends and technologies. An educated IAG team supported by modern IAG tooling is your first line of defence against the risks posed by the interplay of IAM and the labyrinth of an organisation’s modern business systems.

The complexities of modern IAM, exemplified by nested groups and multiple roles, are a necessary evil in today’s digital age. They offer the flexibility and granularity needed to manage diverse and dynamic business environments but also introduce risks — particularly when it comes to the principle of Segregation of Duties. However, with the right combination of IAG tools, practices, and people, these risks can be effectively managed. So, while complexity in IAM is inevitable, chaos is not.

Disclaimer

The author is employed by Gathid Software and Griffith University. The perspectives and insights shared in this article are the author’s own and might not align with the stances or beliefs of the author’s associated company or its affiliates. The content is presented without any guarantees regarding its precision or relevance. Readers should exercise their own judgment when interpreting the information provided.


John Robertson

IT Security Software Engineer, Solutions Architect, IT-Industry advocate, mentor and leader.