A Sensible Approach to Access Control in Configuration Management
Monday, 29 January 2007
When we think of access control, we reflect on the privileges and permissions granted to those who might access project management software. Access to the software project and its configuration warrants careful thought and can have an impact on the overall success of the project.

Access control in software development is part of the gatekeeping: who should and should not have access to the project and project information. It can be a proactive way of controlling configuration management and software development.

Here are four points of consideration when approaching access control for your software development or configuration management efforts.
1.  Treat Access Control As An Important Part of Your Project.
There are many levels of knowledge and skill used in software development. Orchestrating whose knowledge to use, and when to use it, is effectively implemented by controlling access to the project through the permissions and privileges that you grant.

Too often, access control gets only cursory attention. It can and should be instrumental in holding back the curtain on the project until the time is right.

Who has access, and who does not, should change as the project milestones change. Granting an end user full access to a project for its whole duration may be unwise. Allowing certain developers access to a part of the project unrelated to them is also unwise.

The concept of least privilege is one that is embraced by many in the development community. A least-privileged user account (LUA) is one granted only the smallest set of privileges needed to perform the user's tasks. It is a concept that Microsoft uses in its software development and is a key means of control.

You may establish demos so that clients and end-users can see your progress along the way. Depending on the client, you may want to be careful about how often you offer these demos and for how long this access is allowed.

Think of access control as being fluid: it changes according to the needs of the project. Do not keep the privileges the same for the project's lifecycle. Change them based on an ongoing, flexible review of what you need, and ensure that your project or configuration management software easily allows such flexibility.

One of the most cited reasons that enterprise-wide IT projects go astray is that they do not match up to the true needs of the end-users. Those who access the project are part of a narrow group.

By bringing end-users into the project to test-drive it early on and often, you strengthen their "buy-in".  This enables you to plan and develop a quality product.

Also, bring in the middle managers, the shop floor personnel, and whoever else might have a good idea of what is needed and be able to provide meaningful feedback during the process, so that the software development results in a high-quality product.

Allow them to log in and have a look, and capture their feedback for your own good. Choose project management software that is user-friendly and makes it easy to peek into the project and leave feedback. Feedback at regular milestones can make the project rock!

2.  Access Control Is an Effective Means of Controlling the Software Development Process
In fact, IEEE-Std-729-1983 tells us that software configuration management entails "controlling the change of these items [in the system] throughout their lifecycle."

Just as a sculptor keeps his masterpiece covered before it is unveiled to the public, so must development teams keep their projects selectively covered. Revealing too much too soon has its security risks. Controlling how much you reveal is good practice and enables valuable feedback, as discussed earlier. How many passwords to disseminate is a balancing act. Being too liberal with a password or, moreover, giving it to the wrong person, can create a dangerous false perception of the project.

Often a precocious middle manager does not like the look or feel of your project at one particular point in its timeline. Often, they take too much out of context and cannot visualize or grasp the direction in which the software's development is heading. Such a misplaced or incorrect conception can be detrimental. Control the access. Do not let the access control you!

Some will be able to access via an Intranet. Some may be able to access the project via a web-based entrance. Some may only see it on a stand-alone platform, while others may access it through a wireless connection. 

Take advantage of all the different means of access and ensure that your project management software enables access control to be flexible across many different platforms.

3.  The Level of Access by the Configuration Management Team Should Vary By Role
While you may offer full access to developers and programmers, end-users and management should have a different level of access.  This level or degree to which they may access the project can be controlled by you.

The National Institute of Standards and Technology (NIST) effectively used Role Based Access Control (RBAC).

RBAC controls access to computer system networks based on the user's role in an organization, and automatically handles complexities introduced by organizational hierarchies and separation-of-duty requirements. Under this practice, a user's role and duty in the organization, and ultimately in the project, are used as the basis for granting access.

NIST's experience in implementing this practice has served as a bellwether for the private sector to implement a similar practice. 

The Research Triangle Institute (RTI) conducted an economic impact study on NIST's RBAC and found that NIST's experience, practice and lessons learned were adopted by software developers in the industry and have subsequently saved U.S. industry an estimated $295 million because it could safely use this method of access control.

Controlling privilege by roles enables the users to be given all the information they need and prevents them from going somewhere they should not or altering something that they should not.

Therefore, it is not just about who, when, or where to grant accessibility, but also how much accessibility they should get. Again, ensure that your project management software has this ability.

4.  Track Access.
There are many commercial software solutions available for configuration management. For example, IBM® Rational® ClearCase® Change Management Solution is one of these tools and aptly describes their utility by stating that "solutions can help you improve productivity, gain better visibility into projects and processes, manage distributed organizations, and provide audit trails and traceability across the software lifecycle for fast delivery of high-quality software."

For example, my own firm's product, Alexsys Team® 2 software system, works under the same principle for the team environment. 

It is a useful tool for team players to record and assign responsibilities to boost team productivity.

With adequate project control, a successful project completion is that much more achievable.   Implement your tracking and control plan and you will put yourself well ahead of the lion's share of software developers who never gave it too much thought from a strategic perspective.

Software development, in many ways, can be a high-stakes endeavor, and many large-scale development projects do not make it to fruition for many reasons. 

The project leader knows that the right mix of people with privilege to access the project is central to its success.  Project managers should welcome an approach to access control that monitors who can come into the software project, when they can come in, how long they can come in for, and what they can do once they do come in. 
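The role-based model from section 3 and the who / when / how long / what questions above can be combined in one small policy check. The following Python sketch is an added example, not code from this article or from any product it mentions; the role names, permissions, users and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy: permissions per role, and which roles inherit from which.
ROLE_PERMS = {
    "viewer":    {"view_demo"},
    "reviewer":  {"leave_feedback"},
    "developer": {"read_source", "commit"},
    "approver":  {"approve_release"},
}
INHERITS = {"reviewer": ["viewer"], "developer": ["reviewer"], "approver": ["reviewer"]}
# Separation of duty: no user may hold both roles of a pair at the same time.
SOD_PAIRS = [frozenset({"developer", "approver"})]

@dataclass
class Grant:
    user: str
    role: str
    start: datetime   # access begins (inclusive)
    end: datetime     # access expires (exclusive)

def effective_perms(role):
    """Permissions of a role plus everything inherited through the hierarchy."""
    perms = set(ROLE_PERMS.get(role, ()))
    for parent in INHERITS.get(role, ()):
        perms |= effective_perms(parent)
    return perms

class AccessControl:
    def __init__(self):
        self.grants, self.audit = [], []

    def grant(self, user, role, start, end):
        """Add a time-boxed role grant, refusing overlapping conflicting roles."""
        for g in self.grants:
            overlap = g.user == user and g.start < end and start < g.end
            if overlap and frozenset({g.role, role}) in SOD_PAIRS:
                raise ValueError(f"separation of duty: {user} cannot hold {g.role} and {role}")
        self.grants.append(Grant(user, role, start, end))

    def check(self, user, perm, now):
        """Decide one request and record the decision in the audit trail."""
        allowed = any(g.user == user and g.start <= now < g.end
                      and perm in effective_perms(g.role) for g in self.grants)
        self.audit.append((now.isoformat(), user, perm, "ALLOW" if allowed else "DENY"))
        return allowed

if __name__ == "__main__":
    ac = AccessControl()
    ac.grant("client", "viewer", datetime(2007, 3, 1), datetime(2007, 3, 8))  # one-week demo
    print(ac.check("client", "view_demo", datetime(2007, 3, 5)))  # inside the window
    print(ac.check("client", "view_demo", datetime(2007, 4, 1)))  # window has expired
    print(ac.audit)
```

Because every decision is appended to the audit list whether it is allowed or denied, the same structure supports the access tracking described in point 4.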

Embrace it fully and use access control to your advantage.


Rich Bianchi is the president of Alexsys Corporation (visit http://www.alexcorp.com), based in Stoneham, Massachusetts.  Alexsys' Team Pro software manages complex projects.  It is used by software development teams. Alexsys Corporation is an innovator in software solutions designed to automate the management of tasks and business processes associated with any kind of organization. Alexsys Corporation's solutions have been deployed by hundreds of organizations of all sizes around the world, including leading Fortune 50 companies in the petroleum, financial services and telecommunications industries as well as large government agencies. For more information visit: http://www.alexcorp.com.

 

Comments (1)
Lim: ...
Good article. I appreciate that.
It summarized why access control is necessary in an easy-to-understand way.

From Lim
Samsung Electronics, South Korea.

April 12, 2007