Papers & Articles

Problems with Access Control of Business Information in Modern Enterprises

Limitations of the Active Directory Roles (AD or LDAP)

 

The Active Directory contains Identity and Authentication information (See Section 1 “Active Directory Role based Authorization is Ineffective); but they also attempt to classify the members of an enterprise into standard roles so that they can be used to authorize access to facilities and information stores. The figure (above) shows the level of granularity in a reasonable list of AD Roles of an organization.

Business requires that people work in small or medium sized teams, often on multiple project teams and functional teams concurrently. Unlike the military where a rank and their unit defines everything about a soldier and establishes clear inviolable boundaries; company are, and must be, flexible so that interdisciplinary teams are formed as needed and disbanded when the objective is completed. In business this happens through “delegation of authority”. It is therefore very possible to have:

• People work temporarily under the direction of someone they may never have worked for before, or
• People work temporarily for someone who in some manner may occupy a lower level in the formal organization, or
• People with diverse expertise and reporting organizations who need to work closely on a project or task.

This puts pressure on the AD Roles and its management. The business side makes these assignments and changes often and rapidly. It is easy to see that keeping these changes synchronized with the AD management is a coordination nightmare. Many businesses have taken to setting up business focused “IM”, or Information Management, to ensure that all of the content being published by the projects and business functions are targeted for the right slots in the right storage bins. Since enterprise systems have many silo applications and their data stores, this kind of effort is really outdated. The real value addition by such IM teams would actually be to ensure that compliance policies are being applied without exception, that business is able to find stuff quickly; duplicates or incorrect updates are cleared out as permissible by compliance; and ensuring that the information is being transmitted according to security and legal compliance policies.

The figure (above) shows how quickly even simple tasks in a project can traverse multiple AD Roles and how the mapping of AD Roles to Project Roles across an enterprise can be unmanageable. This is just the way of life at a global company today. Business recognizes a large number of granular roles in each of their project types and other functional activity that are not visible to the AD structure. Even if there was close coordination and these “roles” were transferred to the AD and Identity management organization it is impossible to keep this straight because the specific roles and assignments in each project are constantly changing or being tailored to meet the immediate needs. This is not an additional complexity; it is just a reality that must be addressed by a modern business information system that caters to a global organization, without levying additional burden on business professionals.

At this point, we discussed information as a static object. But the reality is that most content that is used in a business is matured from initial authoring, to drafts that are reviewed, to a completed document that is approved and used for the project task or used to direct work on other tasks. Subsequently the same content is also published to the project as a whole at which point it can become a record. All types of content – technical, commercial, contractual – fall into this pattern.

Current practice is to ignore what is not published into the repositories. But this is not a safe practice. Many projects in a global enterprise are subject to, even early in their lifecycle, to various explicit and implied confidentiality agreements. Therefore their content, at any stage of maturity, is subject to these confidentiality covenants. Allowing drafts to be out of access to compliance officers, or not ensuring care and control even in the early stages is not a good idea. Even the project team members that work closely with the main author need ready access to early drafts for their inputs and edits – which implies that they need to be able to find them at any time. Today, people will email these drafts around leading to confusion about versions (keep in mind the early drafts are not usually in the repositories; and if they were they would be classified under general AD roles which means that managers who may not view that work-in-process now have access to it and may make incorrect conclusions). An IT Director at a major oil company shared with this author; that project task members in his company have taken to squirreling away their drafts in their personal drives or on key chain memory sticks to avoid the drafts falling in the hands of managers.





Enterprises have fallen into the habit of managing applications as opposed to managing “business Information” for the purposes of progressing the core business. The unintended consequence of this application rationale has been that business information is managed in silo’d data stores connected with their native applications. Sure, standards have a long way to ease interoperability but the IT eco-system has tended to balkanize the application and information space thereby contributing to these silos. What this figure (above) shows is that as people work around any specific business purpose or context, they will create, consume, and communicate disparate content using disparate media and applications. Where there is a well enforced AD environment this content and the AD Roles end up various data stores.

Later, when people go look for this content they need to federate their search to find content that matches their search criteria. For any business user that means that the returns will likely include multiple results from multiple similar projects or functional activities. It is then up to the business users to go figure out which of these results belong to the same project; which of them are relevant to the same phase of the project, and the chain of events that surround something of interest they find in the results. Consider how disparate business information is managed today.

 

Emails:

• Individual users store Emails in their Outlook folders
• IT stores the same for each user in the Exchange server and
• IT may archive the .pst files
• If an Email is converted to a document it is then also stored as a record for RM purposes

Documents:

• Individuals save them on their C; drive or My Documents
• IT keeps a copy of certain folders in the main servers
• DMS – Document Management System are used to store copies of these documents and access is provided according to the AD Roles
• Projects are forced to keep a common area or a shared drive so they can view and access their project documents because the AD Roles and project roles are not aligned

Meeting Notes:

• Meeting notes are maintained in different ways in every company, and within each company
  • As Outlook or Lotus meeting (calendar) events
  • As Word or Excel documents
  • In custom data bases as text (unstructured) content
  • Notes are stored within each user’s machine as an .ics file or as a web page – without any connection with other email, document or data that relate to the same task or business context
• Task assignments that arise from each meeting or other workflows are not stored (there is no easy way to even organize these tasks and meetings in Outlook) in any ways that allows them to be treated as records directly without converting them into some other format. Do we really want our business professionals to be worrying about file formats and conversion and such? Shouldn’t these kinds of activities be behind an “iphone” type of a simple but elegant integrated platform that de-facto takes into account the information management aspects on behalf of the project or business governance needs and lets the business person get on with it?
• Scheduling meetings is still a chore with people having to look up calendars of the invitees (usually it is difficult to see the calendars of all the invitees even if they are fellow employees because visibility is limited to people from the same group or functional unit). The reality is that project meetings are required most often among people from dispersed or diverse functional disciplines. So, email and telephone tagging is most common place. Surely the project roles should play a vital part in coordination activities.

Data:
Business or project related data is the essential source for most of the insights that find their way into the documentation and emails. We are talking about data found in Excel sheets, web pages created by business or technical solutions, connections to data warehouses and other data bases.

A snapshot of data used in creating a document, or referred to in an email, is as important as piece of record that needs to be managed with the same level of access control from the business perspective as the actual documents, meeting notes, or emails. And yet this is an elusive capability as it is an essential one for data integrity.

Multiple copies of emails and documents proliferate.
No linkage of documents, data, calendar events, and meeting notes to emails are maintained in relation to the business context for which they were created or used.