Role Explosion

Everybody knows RBAC, Role-Based Access Control. The principle is simple, the theory behind it seems sound and it is very popular. The problem is that it does not scale. RBAC is fine for a few tens of roles. But as the number of connected systems grows, the number of roles grows as well. An organization with a thousand employees can easily end up with a few thousand roles. The difficult problem of managing a thousand employees is transformed into the even more difficult problem of managing a few thousand roles.

The reasons are quite understandable, but they are far from obvious:

This is known as role explosion. It is fatal for IDM projects. A project that started with the good intention of simplifying user management ends up with a role structure that is much more difficult to maintain than before.
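As an added illustration that is not part of the original post, the following Python models why the number of static roles tracks the number of attribute combinations rather than the number of entitlements: when several connected systems each scope access by a different user attribute, almost every combination of department, site and job level needs its own role. The systems, attributes and entitlement names are constructed for this example.

```python
from itertools import product

# Constructed sample attribute dimensions (assumption for this example:
# each dimension drives entitlements in at least one connected system).
DEPARTMENTS = ["finance", "hr", "engineering", "sales"]
LOCATIONS = ["prague", "london", "tokyo"]
JOB_LEVELS = ["staff", "manager"]


def entitlements_for(department, location, level):
    """Entitlements a user with these attributes needs across the connected
    systems. Each system scopes access by a different attribute, so the
    combined entitlement set differs for almost every attribute combination."""
    ents = {
        f"erp:{department}:read",              # ERP scoped by department
        f"fileshare:{location}:{department}",  # share scoped by site and department
        f"vpn:{location}",                     # VPN profile scoped by location
    }
    if level == "manager":
        ents.add(f"erp:{department}:approve")
        ents.add(f"hr-portal:{location}:team-view")
    return frozenset(ents)


def mine_static_roles(users):
    """Static RBAC needs one role per distinct entitlement set.
    Returns {entitlement_set: [attribute tuples of its members]}."""
    roles = {}
    for attrs in users:
        roles.setdefault(entitlements_for(*attrs), []).append(attrs)
    return roles


def role_explosion_report(users):
    """Compare population size, entitlement count and roles needed."""
    roles = mine_static_roles(users)
    return {
        "users": len(users),
        "distinct_entitlements": len({e for ents in roles for e in ents}),
        "static_roles_needed": len(roles),
    }


def roles_for_dimensions(departments, locations, levels):
    """Roles needed once every attribute combination has at least one user."""
    return role_explosion_report(list(product(departments, locations, levels)))["static_roles_needed"]


if __name__ == "__main__":
    users = list(product(DEPARTMENTS, LOCATIONS, JOB_LEVELS)) * 10  # constructed 240 users
    print(role_explosion_report(users))
    # Adding one more site adds len(DEPARTMENTS) * len(JOB_LEVELS) roles, not one.
    print(roles_for_dimensions(DEPARTMENTS, LOCATIONS + ["berlin"], JOB_LEVELS))
```

With 26 distinct entitlements the population already needs 24 roles, and each new site or department multiplies that count instead of adding to it.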

A static RBAC model usually cannot handle role explosion efficiently. There are some solutions, but none of them is a panacea:

A practical enterprise IDM solution will most likely need all of these mechanisms, not just one, and above all a good, experienced team of people using these mechanisms, because every IDM deployment is different and one size does not fit all.