RBAC Essentials

RBAC

A Role Based Access Control (RBAC) model is an essential Enterprise Information Management foundation.

A Role Based Access Control (RBAC) model attaches business defined roles to classifications of content. When the content is defined in a functional model structure the RBAC model fits extremely well and becomes an elegant and simple way to implement secure access.

The first step in implementing an RBAC model is to define a strong functional model. By strong I mean one that is not a mix of subject-based and functional organization, but as close to a purely functional model as possible. That is to say, organize your high-level folders according to their purpose (the business function that produces or uses the content), not the subject they are about.

Once the functional structure is created, assign to each function, sub-function or folder the roles the business will use to access that content, at that level and at every level below it. Roles would be something like "Manager", "Director" or "Staff" for a business area. Access levels would be Read-only, Write, Delete or Administrate. Because a grant inherits downward, attach each role at the lowest folder that actually needs it; a role granted at the top of a function reaches everything beneath it.

Access to documents is via a role, not by individual permissions. Employees, contractors or vendors gain access to folders and documents by being assigned to a role, and the role then gives them access to every folder and document to which that role has been attached.

When new people join the organization they are added to roles, which gives them immediate access to the documents. When they leave, or no longer need access to the content, they are removed from the roles and that immediately removes their access, provided the content system checks role membership at access time rather than relying on a cached copy.

Examples of roles include: CEO, CEO Executive Administrator, CFO, Senior Financial Manager, Director, or Finance Staff. These are names defined by the business area and are created while reviewing the functional structure and who is expected to have access to which content.
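The model described above, as an added illustration for this post rather than code from the original page or from the author's tool: roles are attached to folders in a functional tree, grants inherit downward, people hold roles, and an access check walks from the requested path up to the root collecting what the person's roles grant. The folder names, role names and people are constructed examples, and the rule that a higher level implies the lower ones (Administrate covers Delete, Write and Read-only) is an assumption.

```python
"""Role-based access over a functional folder tree.

Added illustration for this post, not code from the original page or from
the author's tool.  The folder names, role names and people below are
constructed examples.  Assumptions: a role attached to a folder applies to
that folder and everything beneath it, and a person's effective access at
a path is the strongest level any of their roles grants on that path or
one of its ancestors.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Access levels from least to most privileged; each level implies the
# ones before it (Administrate covers Delete, Write and Read-only).
LEVELS = ("read", "write", "delete", "administrate")


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    return LEVELS.index(level)


def _norm(path: str) -> str:
    """Normalise a folder path to the form used as a dictionary key."""
    parts = [p for p in PurePosixPath(path).parts if p != "/"]
    return "/" + "/".join(parts)


@dataclass
class Rbac:
    # folder path -> {role name: level granted to that role at that folder}
    grants: dict[str, dict[str, str]] = field(default_factory=dict)
    # person -> set of roles they hold (membership managed by the business area)
    members: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, folder: str, role: str, level: str) -> None:
        """Attach a role to a folder; the sysadmin team's job in the post."""
        _rank(level)  # reject unknown levels early
        self.grants.setdefault(_norm(folder), {})[role] = level

    def add_member(self, person: str, role: str) -> None:
        self.members.setdefault(person, set()).add(role)

    def remove_member(self, person: str, role: str) -> None:
        # Dropping the membership is all that is needed to revoke access,
        # because nothing below grants permissions to people directly.
        self.members.get(person, set()).discard(role)

    def effective_level(self, person: str, path: str) -> str | None:
        """Strongest level any of person's roles grants on path or an ancestor."""
        roles = self.members.get(person, set())
        best = -1
        node = PurePosixPath(_norm(path))
        for folder in (node, *node.parents):  # walk from path up to "/"
            for role, level in self.grants.get(str(folder), {}).items():
                if role in roles:
                    best = max(best, _rank(level))
        return LEVELS[best] if best >= 0 else None

    def allowed(self, person: str, path: str, action: str) -> bool:
        """True if person may perform action (a LEVELS entry) on path."""
        level = self.effective_level(person, path)
        return level is not None and _rank(level) >= _rank(action)


def build_example() -> Rbac:
    """Constructed sample: a finance functional structure with three roles."""
    rbac = Rbac()
    # Grants inherit downward, so "Finance Staff" gets read on all of
    # /finance and write only within the budgets sub-function.
    rbac.grant("/finance", "Finance Staff", "read")
    rbac.grant("/finance/budgets", "Finance Staff", "write")
    rbac.grant("/finance", "Senior Financial Manager", "delete")
    rbac.grant("/finance", "CFO", "administrate")
    rbac.add_member("alice", "Finance Staff")
    rbac.add_member("bob", "Senior Financial Manager")
    rbac.add_member("carol", "CFO")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    for person, path, action in [
        ("alice", "/finance/contracts/2024", "read"),
        ("alice", "/finance/contracts/2024", "write"),
        ("alice", "/finance/budgets/q1", "write"),
        ("bob", "/finance/budgets/q1", "delete"),
        ("carol", "/finance/plans", "administrate"),
        ("alice", "/hr/policies", "read"),
    ]:
        print(f"{person:6} {action:12} {path:24} -> {rbac.allowed(person, path, action)}")
```

Note that this model has no deny rules: a role granted at `/finance` cannot be blocked from a folder beneath it, which is exactly why the post advises granting at the level that needs the access and no higher. Revoking a person is a single `remove_member` call; no folder has to be touched.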

Adding or removing people from roles is a responsibility of the business area and an organization should use a tool that allows business teams to manage these roles on the organization's directory access structure.  

We couldn't find a tool that provides this simple functionality, so we built one. Essentially it provides a business area with a simplified view of the roles it has authority to manipulate and lets it add and remove people from those roles. When selecting people they must choose from either the internal or the external branch of the corporate directory.

The tool has a substantial amount of security built into it to provide complete auditability of changes made to access control for business content. For example, when staff are added to roles a notification is sent to two senior managers and to the organization's information security manager. This is a precaution against a conflict of interest: a senior manager who holds access change request authority could otherwise improperly request access for themselves without anyone else seeing it.
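The audit and notification behaviour just described, as an added example that is not the author's tool: membership changes are only accepted from people with change authority over the role, the subject must come from the internal or external branch of the directory, every addition fans out to two senior managers and the information security manager, a change whose requester and subject are the same person is flagged, and the audit log is hash-chained so later tampering is detectable. The directory branches, people and reviewer names are constructed, and the hash chain is an assumption added here rather than something the post states the tool does.

```python
"""Audited, self-request-aware role membership changes.

Added illustration for this post, not the author's tool.  The directory
branches, people and reviewer names are constructed examples.
Assumptions: only people with change authority over a role may alter its
membership; every change is appended to a hash-chained audit log; every
addition notifies two senior managers and the information security
manager; and a request whose actor and subject are the same person is
flagged as a potential conflict of interest.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


@dataclass
class AuditEntry:
    seq: int
    when: str
    actor: str            # who requested the change
    action: str           # "add" or "remove"
    subject: str          # whose membership changed
    role: str
    branch: str           # "internal" or "external" directory branch
    self_request: bool    # actor changed their own membership
    notified: tuple[str, ...]
    prev_hash: str
    digest: str = ""      # SHA-256 over every other field, set on append


def _digest(entry: AuditEntry) -> str:
    body = asdict(entry)
    body.pop("digest")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RoleAdmin:
    def __init__(self, directory, authority, reviewers, clock=None):
        self.directory = directory    # {branch: set of people}
        self.authority = authority    # {role: set of people who may change it}
        self.reviewers = tuple(reviewers)
        self.members: dict[str, set[str]] = {}
        self.audit: list[AuditEntry] = []
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _branch_of(self, person: str) -> str:
        for branch, people in self.directory.items():
            if person in people:
                return branch
        raise LookupError(f"{person!r} is in neither directory branch")

    def change(self, actor: str, action: str, subject: str, role: str) -> AuditEntry:
        if action not in ("add", "remove"):
            raise ValueError(f"unknown action {action!r}")
        if actor not in self.authority.get(role, set()):
            raise PermissionError(f"{actor!r} has no change authority over {role!r}")
        branch = self._branch_of(subject)          # must pick from the directory
        members = self.members.setdefault(role, set())
        if action == "add":
            members.add(subject)
            notified = self.reviewers              # every addition is seen by reviewers
        else:
            members.discard(subject)
            notified = ()
        prev = self.audit[-1].digest if self.audit else GENESIS
        entry = AuditEntry(len(self.audit), self.clock(), actor, action, subject,
                           role, branch, actor == subject, notified, prev)
        entry.digest = _digest(entry)
        self.audit.append(entry)
        return entry

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for i, entry in enumerate(self.audit):
            if entry.seq != i or entry.prev_hash != prev or _digest(entry) != entry.digest:
                return False
            prev = entry.digest
        return True


def demo():
    admin = RoleAdmin(
        directory={"internal": {"dana", "erin", "frank"}, "external": {"vendor.gail"}},
        authority={"Finance Staff": {"dana"}},
        reviewers=("senior.mgr.1", "senior.mgr.2", "infosec.mgr"),
        clock=lambda: "2024-01-01T00:00:00+00:00",   # fixed so the run is repeatable
    )
    ordinary = admin.change("dana", "add", "erin", "Finance Staff")
    external = admin.change("dana", "add", "vendor.gail", "Finance Staff")
    self_add = admin.change("dana", "add", "dana", "Finance Staff")  # flagged
    return admin, ordinary, external, self_add


if __name__ == "__main__":
    admin, *entries = demo()
    for e in entries:
        flag = " <-- self-request, review!" if e.self_request else ""
        print(f"{e.action} {e.subject} to {e.role} ({e.branch}); notify {e.notified}{flag}")
    print("audit chain intact:", admin.verify_audit())
```

The self-request is still applied rather than blocked, which matches the post: the control is that three other people are told about every addition, so the manager cannot quietly grant themselves access. A stricter deployment could refuse the change until one of the notified reviewers approves it.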

Adding or removing roles, and attaching or detaching roles from folders, should remain the responsibility of the content server's technical administration team, often called the systems administration team.

Business area changes to roles, or to role assignments on folder structures, should be discussed and reviewed with both the Information Management and Information Technology teams. This review should be brief and straightforward, confined to ensuring that access control standards and naming standards are followed consistently across the organization.

There is much more to be said about the RBAC model for an Enterprise Information Management program, but the important summary points are these: it works most elegantly and simply on a functional model, and roles are defined and self-administered by the business area, which adds and removes its own staff.

Organization First, Me Second

Don't kid yourself: your current shared file structure encourages and allows individuals to create a structure that matches the kinds of things they are working on, from their current perspective. Oh, that's great. What happens if they leave or move somewhere else in the company? Who is going to reorient their files and documents so they match how the business area needs them, in order to make use of the value they created while in that role?

Why not create a structure of a different nature than the individual's personal view, something that will have longevity and stand the test of time? Something purpose-based rather than personality-based. Then when an individual joins they can create their own view into the common structure that matches the way they think. That view is temporary and doesn't affect the common structure; they can change it when their needs change, and if they leave it can simply be deleted because it was only ever a personal view.

For example, if I have responsibility for a particular program, I will organize my content under that program, including all of its projects. I will probably use the provided templates and then create folders for the Program and related Project Budgets, a folder for Contracts, and one for Plans.


Engage a Rabid Fan

The presentation is done and the materials are being packed up. The attendees are filing out, grabbing a last gulp of coffee along with their bags and coats, and I am invariably approached by several people who would like to discuss an EIM or ECM failure in which they were a leader or a passenger.

Usually the conversation starts with how solid the platform was, how much proof of concept was done, how capable the technical staff were, and that all levels of the technology team were fully supportive.

After the discussion about the technical strength of the solution is complete, I ask who the sponsor was, and from which department or business area. Invariably the sponsor was from Information Technology (IT), and from its senior levels.

Re-inventing the back end of the organization with a correctly architected Enterprise Content Management (ECM) or Enterprise Information Management (EIM) solution is innovative and game-changing, providing a competitive advantage in the digital, information-driven age. But it is also gut-wrenching and disruptive, and the change will bring out the fighters and naysayers at all levels of the organization, including at the executive table.

To sell this concept throughout the organization, and to support you in the tough times, you will need a rabid fan who is not from IT and who is perceived as not technology-savvy. This has to be a believer at the most senior level who understands the value of the change and can sell that value even when you are not in the room. Of course you believe in the value; it would be a conflict of interest not to. But your rabid fan must also be someone who believes, someone who will support the project when the whispering starts just before and just after critical meetings. They will sow the seeds of vision when others sow the seeds of doubt.

Once you have defined the approach you will take, start looking through the organization and approaching leaders who are respected and who come from anywhere but IT. Do not take no for an answer; be persistent. Sometimes it takes a few meetings to explain the value and to make a convincing case for your commitment to the end benefits: benefits that your sponsor will share, that your sponsor will experience in their own business area, and that your sponsor will cite when defending the project in those times when support hangs in the balance.

Your business sponsor helps you with your business case, reviewing the risks, assumptions, costs and resources. Most importantly, they will provide the business benefits, in their own words. These will be in their vernacular, however imperfect or technically awkward, and they will be the words they are comfortable repeating many times in many conversations around the boardroom table, down the hallway or at the water cooler.

The business sponsor will also be your rabid fan when you present to the executive. When the business case is done and contains their words about the benefits they expect the project to deliver, they will help you review the presentations to the executive, and they will be there.

The executive is used to Information Technology (IT) chasing silver bullets and getting caught in the feature trap. Oh, IT is good at disguising it, trying to make those features sound like benefits, but it is hard to hide and easy to spot when you do not have an IT perspective.

What the executive wants to hear, especially for something as earth-shifting and monumental a change as this, is the benefits, from a business area leader. They want to hear the business sponsor stand up and say "Steve is going to deliver these benefits to me", and those benefits must be in the business sponsor's words, their vernacular, their descriptions, even if not technically perfect.

The executive wants to hear that the one who holds the vision is not someone who is going to be distracted chasing squirrels. They want to hear that the person taking responsibility for what the program or project delivers is a business person who sees the investment in resources to support IT as a worthwhile trade-off against other valuable programs, and that the result will make the business stronger, more productive, more cost effective, more competitive; whatever the value is.

To get the EIM / ECM project off the ground, you need a non-IT sponsor who has worked with you to build the business case (covered in several other blogs) and the presentation (also covered in other blogs), and who will stand up in front of the executive and declare the long-term value and return on the investment. You need that sponsorship and you need that representation at the executive table.

That sponsorship needs to be with you not only at the peaks, when the project is getting launched, but also in the valleys, when the challenges appear. You need a rabid fan.



If the C-Suite Knew How it Got There

Standing in a CEO's office, pointing at the paper on the desk, you ask, as a sliver of insight into the productivity of the organization: do you know the path that one of those documents took to reach your desktop?

It was emailed between several people as an attachment, and someone spent 45 minutes looking for what they thought was the best version but couldn't find the most current updates. Someone else then took 35 minutes to re-create it. Someone spent 25 minutes comparing versions just to be sure. Then someone else re-purposed it into a different format, and that took 15 minutes.

Before you argue that this didn't happen to that particular document: maybe not this one, but it is happening to hundreds of documents around the organization every day, every hour and minute of the day. And it adds up to a 25% productivity hit.

We organize our structured data and tightly manage our databases, including who has access to which data elements, but our unstructured content, whether in a Fortune 500 company or a smaller one, follows the same approach it has followed for the last thirty years: folders and documents are randomly created in silos within small organizational groups. Security is cumbersome and relegated to antiquated ways of managing access. We invest in tools that help us find whatever we are looking for wherever it happens to be, and that is a beautiful and expensive band-aid, not a solution.

For an enterprise to manage its information appropriately involves three foundations:

(1) A common information structure with parent-child relationships, not unlike those in structured databases but of a slightly different nature. There needs to be a common structure for each uniquely functional area of the enterprise; the functional unit is less susceptible to organizational change, and it is impractical from a governance and access control management perspective to have one structure across the entire enterprise.

(2) An industrial-strength content management tool, because these common structures are not how individuals think about their work or their path to their information on a daily basis. The content management tool provides each person with their own unique way of viewing the common information, but one person's preference does not affect another's views and does not affect the common structure.

(3) Access control based on roles. Roles are managed in the central directory, and each role points to a folder or set of folders to which it has access, depending on what the role does in the organization. Each business unit manages who is in its own roles, and roles can be shared across business areas if a business area chooses to allow another role to access its folder or set of folders. This is a much simplified but more secure approach to governance of information, a concept that is greatly complicated by disorganized information in a non-functional structure.

These three foundational pieces will give an enterprise appropriate organization of its information so that it is collaborative, productive and digitally competitive. In fact it could be argued that an organization cannot make a digital transformation until it has made an information transformation.

Recall that Google and the other search engines have access to less than 1% of the world's information. The rest, more than 99%, sits behind enterprise firewalls, and it is a horrific mess of disorganized silos whose methods and approaches to enterprise information management have not changed since the advent of computers, when users were first permitted to right-click, create a new folder at any level, and thereby introduce entropy into the enterprise information management structure. The result is that today, in over 90% of the world's enterprises, a disorganized approach to enterprise information management introduces a 25% waste in productivity across the board.

If the C-Suite knew how those documents got there, the gyrations taken along the way, and the lost time that could have been applied to other productive activities, there might be some impetus to get something done.