My Iceberg colleague Zhao Tian has written a paper about access control in RSA Archer to kick off our new "GRC Best Practices" series. Here's an excerpt:
"Access control in RSA Archer is usually aligned closely with the organization’s business hierarchy, allowing authorized users in various business groups access to the required data depending on their role and responsibilities. A simple example would be a Vancouver-region regulation compliance report, which should only be accessed by authorized people in Canada, while people from China in the same organization should not have access to this report.
One challenge occurs if an organization has a very complex business hierarchy. It’s not uncommon for large companies to have hundreds of business units across the world, with overlapping responsibilities. In Archer, while it’s technically possible to create several hundred groups to accommodate each business unit, I don’t recommend it! Archer group assignment access is usually only given to the system administrator and the effort to maintain the group structure / user assignment is huge for one administrator to manage.
In this document, I recommend a more reliable and scalable option for implementing an enterprise-wide access control model to meet this complex requirement and keep the effort to maintain it as low as possible."