How ABAC can help solve the JML problem


Organizations are constantly evolving, with new employees joining, existing employees moving around the company, and some leaving. This dynamic environment necessitates continuous access management to sensitive data, which entails frequent granting and revoking of permissions. Consequently, employees often end up with more access than they need, often called access creep. This can lead to additional risk and possible compliance violations.

Attribute-based access control (ABAC) can help manage and centralize these numerous roles effectively, mitigating the challenges associated with the Joiner, Mover, and Leaver (JML) lifecycle.

The Joiner problem

When new employees join, they are often assigned static roles with predefined permissions that may not align with their actual responsibilities. This happens because new hires frequently inherit cloned role sets copied from existing employees, who have accumulated additional permissions over their time at the company. The result is a starting access level that is higher than the new role actually requires.

Moreover, manual provisioning delays can cause inefficiencies and increase the risk of over-provisioning or under-provisioning, potentially exposing sensitive data to unauthorized individuals.

How ABAC helps

ABAC facilitates dynamic onboarding by automatically evaluating the new employees’ attributes, such as department, job title, and location, to determine appropriate access in real-time.

For instance, if a software engineer in the engineering department needs access to specific files, ABAC evaluates attributes like:

  • department = Engineering

  • jobTitle = Software Engineer

  • location = InOffice

  • employmentStatus = Active

to permit or deny access dynamically if they align with company policies.

Watch this demo to see how this works in action:



The decision engine will dynamically and in real-time grant access if:

  • The user’s department matches the department required by the resource.

  • The user’s job title is listed as one of the roles allowed to access the resource.

  • The user’s location is within the approved locations for accessing the resource.

  • The user’s employment status is active.

This ensures that employees receive the right level of access without over-provisioning, enhancing both security and efficiency during onboarding.

The Mover problem

When employees transition to new roles or departments, their old permissions are rarely removed, leading to role bloat and unnecessary access levels. Employees end up collecting roles as they move within the organization, retaining access to information that is no longer relevant to their current responsibilities. It also makes it difficult to grant temporary access to a resource to support a business need, for example when an insurance agent must take claims from a city outside their region after a natural disaster.

This is because static role models struggle to adapt quickly to these changes, which complicates access management and increases security risk. When talking with prospects, this is something many of them struggle with; one of them even cited that an employee with a tenure of over five years has an average of 85 roles assigned to them.

How ABAC helps

ABAC addresses this issue by automatically updating access permissions when an employee’s attributes change. It automatically evaluates the new attributes and adjusts access by revoking permissions no longer applicable and granting new ones.

For example, with a static approach, if an employee moves from one city to another, someone must manually check whether she still needs access to certain information. With ABAC, if a software engineer moves to the QA team, their attributes are updated immediately: old permissions are revoked automatically and new ones are granted based on the updated attributes.

In this demo, we walk through how ABAC helps solve the mover problem:



This dynamic adjustment ensures that employees only have access to information pertinent to their current locations, employee status, and more, reducing role bloat and improving overall security.

The Leaver problem

Departing employees often retain access longer than necessary due to inefficient de-provisioning processes, posing significant compliance and security risks. This extended access can lead to insider threats and complicate auditing efforts, as organizations struggle to ensure that all permissions are correctly revoked.

How ABAC helps

ABAC ensures prompt de-provisioning by automatically revoking access when an employee’s status changes to inactive. This immediate denial of access occurs without requiring manual updates, significantly reducing the risk of insider threats and compliance violations. ABAC simplifies the de-provisioning process, ensuring that no residual permissions remain and that departing employees’ access is swiftly and effectively revoked.

Here we walk through a demonstration showing how easily the leaver problem is solved with an ABAC solution:
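To make the three scenarios concrete, the following is an added example (not code from the original post or from any vendor's product) of a small ABAC decision engine. It implements the four attribute conditions listed in the joiner section, shows the mover case as a diff of effective access before and after an attribute change, shows the leaver case as a Deny driven purely by employmentStatus, and models the temporary out-of-region access from the mover section as a time-bounded environmental condition. All subjects, resources, attribute values and the clock are constructed for illustration.

```python
# Added example: toy ABAC decision engine for the joiner/mover/leaver lifecycle.
# Not the post's or any product's code; all data below is constructed.
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Subject:
    """User attributes as they would be sourced from the HR system."""
    user: str
    department: str
    jobTitle: str
    location: str
    employmentStatus: str


@dataclass(frozen=True)
class Resource:
    """Attributes a resource requires of anyone who accesses it."""
    name: str
    department: str
    allowedTitles: frozenset
    allowedLocations: frozenset
    # Environmental condition: a location approved only until an expiry time
    # (hypothetical attribute modelling temporary out-of-region access).
    temporaryLocations: dict = field(default_factory=dict)


def decide(subject: Subject, resource: Resource, now: datetime):
    """Evaluate the four attribute conditions. All failing conditions are
    collected (deny-overrides) so an audit log can explain every Deny."""
    failures = []
    if subject.employmentStatus != "Active":
        failures.append("employmentStatus is not Active")
    if subject.department != resource.department:
        failures.append("department does not match resource")
    if subject.jobTitle not in resource.allowedTitles:
        failures.append("jobTitle not in allowed titles")
    expiry = resource.temporaryLocations.get(subject.location)
    location_ok = (subject.location in resource.allowedLocations
                   or (expiry is not None and now < expiry))
    if not location_ok:
        failures.append("location not approved")
    return ("Permit", []) if not failures else ("Deny", failures)


def effective_access(subject, resources, now):
    """Names of every resource the subject is currently permitted to use."""
    return frozenset(r.name for r in resources
                     if decide(subject, r, now)[0] == "Permit")


def access_delta(before, after):
    """(revoked, granted) when attributes change; no manual role review."""
    return before - after, after - before


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
RESOURCES = [
    Resource("eng-source-repo", "Engineering",
             frozenset({"Software Engineer", "Engineering Manager"}),
             frozenset({"InOffice", "Remote"})),
    Resource("qa-test-plans", "QA",
             frozenset({"QA Engineer"}), frozenset({"InOffice"})),
    Resource("claims-midwest", "Claims",
             frozenset({"Insurance Agent"}), frozenset({"Chicago"}),
             temporaryLocations={"Denver": NOW + timedelta(days=14)}),
]
ALICE = Subject("alice", "Engineering", "Software Engineer", "InOffice", "Active")


def joiner():
    # Day one: access derived from attributes, no cloned role set.
    return effective_access(ALICE, RESOURCES, NOW)


def mover():
    # Transfer to QA: the HR attributes change, access is re-derived.
    moved = replace(ALICE, department="QA", jobTitle="QA Engineer")
    return access_delta(effective_access(ALICE, RESOURCES, NOW),
                        effective_access(moved, RESOURCES, NOW))


def leaver():
    # Status flips to Inactive: every other condition still passes, yet Deny.
    gone = replace(ALICE, employmentStatus="Inactive")
    return effective_access(gone, RESOURCES, NOW), decide(gone, RESOURCES[0], NOW)


def temporary_access(days_later):
    # Agent working claims from Denver under a 14-day disaster exception.
    bob = Subject("bob", "Claims", "Insurance Agent", "Denver", "Active")
    return decide(bob, RESOURCES[2], NOW + timedelta(days=days_later))[0]


if __name__ == "__main__":
    print("joiner:", sorted(joiner()))
    print("mover revoked/granted:", mover())
    print("leaver:", leaver())
    print("temporary access day 1 / day 30:", temporary_access(1), temporary_access(30))
```

The point to notice is that none of the three lifecycle events touches a role assignment: the only inputs that change are subject attributes (department, jobTitle, employmentStatus) or the clock, and the permitted set is recomputed from them. The temporary Denver exception also expires on its own, which is the part a static role model tends to leave behind.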



Why should we pay attention to the JML problem?

Organizations must be vigilant about the joiner, mover, leaver cycle because it introduces an ever-growing number of roles to manage diverse and unique combinations of permissions. As employees join, move within, and leave the organization, new roles are created to address specific edge cases and unique access needs. This results in a sprawling and unmanageable role hierarchy, a phenomenon known as role explosion.

Role explosion poses significant risks and challenges for organizations. It complicates access management, increases administrative burden, and can lead to inefficiencies and security gaps. Regular recertification and reassessment of roles become necessary to ensure that access permissions remain aligned with business needs and compliance requirements. This ongoing process demands significant time and effort, making it difficult to maintain streamlined operations.

How ABAC helps

ABAC offers a solution to alleviate both the JML problem and role explosion. Unlike role-based access control (RBAC), ABAC provides more granular and dynamic access control by considering various attributes such as user roles, actions, resources, and environmental conditions. By implementing ABAC, organizations can reduce the proliferation of roles, as access decisions are made based on attributes rather than fixed roles.

ABAC centralizes and standardizes access control policies, making it easier to manage permissions across the organization. This approach not only simplifies the integration of new employees and changes in roles but also enhances security by ensuring consistent and context-aware access controls. As a result, organizations can achieve better scalability, flexibility, and compliance, ultimately supporting their overall agility and security posture.

Conclusion

Policy-driven authorization, particularly through ABAC, provides a robust framework for managing the joiner, mover, and leaver lifecycle. By dynamically adjusting access permissions based on real-time attributes, ABAC enhances organizational security, reduces administrative overhead, and ensures that employees have the appropriate level of access throughout their tenure. This approach not only addresses current identity and access management (IAM) challenges but also lays a solid foundation for future security innovations and resilience.

Ready to gain more knowledge on policy-driven authorization? Here are some additional resources that look at this topic:
