A Sensible Approach to Access Control in Configuration Management

[article]
Summary:
Access control in software development is part of the gate keeping function. Who should and should not have access to the project information and repository? In this article, Rich Bianchi discusses four factors to consider when setting up the access rights and access control rules for a project.

When we think of "access control," are talking about the privileges and permissions granted to those who might view or update project management software and other artifacts. Access to the software project's repository and its configuration warrants careful thought because it can have an impact on the overall success of the project. Access control in software development is part of the gate keeping function—who should and should not have access to the project project information and repository of source code and documentation. 

Here are four points of consideration when approaching access control for your software development and configuration management efforts:

1.  Treat Access Control As An Important Part of Your Project. 

There are many levels of knowledge and skill used in software development. Orchestrating whose knowledge to use, and when to use it, is effectively implemented by controlling access to the project through the permissions and privileges that you grant.

Too often, careful consideration of access control gets cursory attention.  It can and should be an instrumental part in holding back the curtain until the time is right on the project.

 Who has access, and who does not, should change as the project milestones change. Granting an end user full access to a project for its whole duration may be unwise.  Allowing certain developers access to a part of the project unrelated to them is also unwise.

The concept of least-privileges is one that is embraced by many in the development community.   Least privileges user account (LUA) refers to the smallest set of
privileges needed to perform the user's tasks.  It is a concept that Microsoft uses in its software development and is a key means of control.

You may establish demos for clients and end-users for them to see your progress along the way.  Depending on the client, you may be careful as to how often you offer
these demos and at what duration this access is allowed.

Think of access control as being fluid: it changes according to the needs of the project. Do not keep the privileges the same for the project's lifecycle. Change them according to the flexible review of what you need and insure that your project or configuration management software easily allows such flexibility.

One of the most cited reasons that enterprise-wide IT projects go astray is because they do not match up to the true needs of the end-users.  Those who access the project are part of a narrow group. 

By bringing end-users into the project to test-drive it early on and often, you strengthen their "buy-in".  This enables you to plan and develop a quality product.

Also, bring in the middle managers, the shop floor personnel, and whoever else might have a good idea of what is needed and be able to provide meaningful feedback during the process, so the end result of the software development results in a very quality
product.

Allow them to log in and have a look, and capture their feedback for your own good. Choose project management software that is user-friendly and easy to peek into the project and leave feedback.   Feedback at regular milestones can make the project rock!

2.  Access Control Is an Effective Means of Controlling the Software Development Process

In fact IEEE-Std-729-1983 tells us that software configuration management entails "controlling the change of these items [in the system] throughout their lifecycle.

Just as a sculptor keeps his masterpiece covered before it is unveiled to the public, so must development teams keep their projects selectively covered. Revealing too
much too soon has its security risks. Controlling how much you reveal is good practice and enables valuable feedback, as discussed earlier.  How many passwords to disseminate is a balancing act. Being too liberal with a password or, moreover, or giving it to the wrong person, can create a dangerous false perception of the project.

Often a precocious middle manager does not like the look or feel or your project at one particular point in its timeline. Often, they take too much out of context and cannot
visualize or grip the direction that the software's development is heading. Such misplaced or incorrect conception can be detrimental. Control the access. Do not let the access control you!

Some will be able to access via an Intranet. Some may be able to access the project via a
web-based entrance. Some may only see it on a stand-alone platform, while others may access it through a wireless connection. 

Take advantage of all the different means of access and insure that your project management software enables access control to be flexible from many different platforms.

3.  The Level of Access by the Configuration Management Team Should Vary By Role

While you may offer full access to developers and programmers, end-users and management should have a different level of access.  This level or degree to which they may access the project can be controlled by you.

The National Institutes of Standards and Technology (NIST) effectively used Role Based Access Control (RBAC). 

RBAC controls access to computer system networks based on the users' role in an organization, and automatically handles complexities introduced by organizational hierarchies and separation-of-duty requirements. Under this practice, a users' role and duty in the organization and ultimately in the project, are used as a basis for granting access.

NIST's experience in implementing this practice has served as a bellwether for the private sector to implement a similar practice. 

The Research Triangle Institute (RTI) conducted an economic impact study on NIST's  RBAC and found that their experience, practice and lessons learned were adopted by
software developers in the industry and has subsequently saved the U.S. industry an estimated $295 million because it could safely use this method of access control.

Controlling privilege by roles enables the users to be given   all the information they need and prevent them from going somewhere they should not or altering something that
they should not.

Therefore, it is not just about who, when, or where to grant accessibility, but also how much accessibility they should get.  Again, insure that your project management software has this ability.

4.  Track Access. 

There are many commercial software solutions available for configuration management. For example, IBM® Rational® ClearCase® Change Management Solution is one of these tools and aptly describes their utility by stating that " solutions can help you improve productivity, gain better visibility into projects and processes, manage distributed organizations, and provide audit trails and traceability across the software lifecycle for fast delivery of high-quality software.   

For example, my own firm's product, Alexsys Team® 2 software system, works under the same principle for the team environment. 

It is a useful tool for team players to  recording and assign responsibilities to boost team productivity.

With adequate project control, a successful project completion is that much more achievable.   Implement your tracking and control plan and you will put yourself well ahead of the lion's share of software developers who never gave it too much thought from a strategic perspective.

Software development, in many ways, can be a high-stakes endeavor, and many large-scale development projects do not make it to fruition for many reasons. 

The project leader knows that the right mix of people with privilege to access the project is central to its success.  Project managers should welcome an approach to access control that monitors who can come into the software project, when they can come in, how long they can come in for, and what they can do once they do come in. 

Embrace it fully and use access control to your advantage.


Rich Bianchi is the president of Alexsys Corporation (visit http://www.alexcorp.com), based in Stoneham, Massachusetts.  Alexsys' Team Pro software manages complex projects. Alexsys Corporation is an innovator in software solutions designed to automate the management of tasks and business processes
associated with any kind of organization. Alexsys Corporation's solutions have been deployed by hundreds of organizations of all sizes around the world, including leading Fortune 50 companies in the petroleum, financial services and telecommunications industries as well as large government agencies. 

About the author

CMCrossroads is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.