Entitlement Analysis
IdentityIQ supports the creation of roles based on the mining of entitlements within the enterprise. These roles typically model the IT privileges required to perform a specific function within an application or other target system. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements.
Entitlement analysis enables you to search for entitlements based on specific application and identity information or by populations defined within your deployment of IdentityIQ. This feature enables you to create meaningful roles without having to remember every entitlement on every application or be familiar with the access assigned to each employee in your enterprise.
Entitlement Analysis also enables you to analyze the entitlement information collected to further refine the roles you are creating before saving.
Performing Entitlement Analysis involves three distinct phases:
- Searching for entitlements
- Analyzing the search results
- Creating roles
Search for Entitlements
- Access the Entitlement Analysis tab from the Role Management page.
- Select the applications on which to search for entitlements.
  Enter the first letters of an application name to display a suggestion list, or click the arrow to the right of the field to display a list of all the applications to which you have access.
- Optional: Narrow your entitlement search using the Identity Attribute fields or a list of populations.
  Use the Search by Attribute or Search by Populations radio buttons to switch between the options.
  The Identity Attribute fields displayed depend on the identity attributes defined during configuration. Populations are defined from the Advanced Analytics, Identity Search Results page.
- Click Search to begin the entitlement mining based on the specified criteria.
Analyze the Search Results
The search returns the following information:
Note: The search only returns those entitlements based on account or group attributes, not those based on permissions.
| Column | Description |
|---|---|
| Search Parameters: | |
| Attribute | The criteria used to define this search. For example, Application, Last Name, Population, or Manager. |
| Filter Type | The type of filter applied to the search criteria. For example, Equal or Like. |
| Value | The value entered in the search field. |
| Only show percentages above: | |
| Entitlement Information: | |
| Name | The name of the attribute from which this entitlement was derived. Attributes used to define entitlements are specified during configuration. |
| Value | The value assigned to the attribute. Click a value to expand a list of users to whom the entitlement is assigned. |
| Percent of Population | The number of identities assigned to that value of that attribute on this application expressed as a percentage of all identities that have an account on the application. |
Use the results to analyze the entitlements that exist within your enterprise. The Group and Analyze feature enables you to group entitlements within an application and generate results based on that group. This feature enables you to see how assigning multiple entitlements to a role can impact access within the application.
To group and analyze, select multiple entitlements and click Group and Analyze. The results are displayed below the entitlements table. Click a group to see the details for the entitlements within. You can perform analysis multiple times on entitlements or on the groups created.
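The following Python sketch is an added example, not IdentityIQ code, for cross-checking the Percent of Population column and a Group and Analyze result against an offline export of account data. The sample data and function names are constructed for illustration, and it assumes a group matches only identities that hold every entitlement in the group, which this page does not state.

```python
from collections import defaultdict

# Constructed sample data: identity -> set of (attribute name, value) pairs
# held on one application. Every identity listed has an account there.
ACCOUNTS = {
    "alice": {("memberOf", "Finance"), ("memberOf", "AP-Approvers")},
    "bob": {("memberOf", "Finance"), ("memberOf", "AP-Approvers")},
    "carol": {("memberOf", "Finance")},
    "dave": {("memberOf", "Helpdesk")},
    "erin": set(),  # has an account but no mined entitlements
}


def percent_of_population(accounts, threshold=0.0):
    """Return {entitlement: (percent, holders)} for one application.

    The denominator is every identity with an account on the application,
    matching the Percent of Population definition in the table above.
    Rows whose percentage is not above `threshold` are dropped.
    """
    holders = defaultdict(set)
    for identity, entitlements in accounts.items():
        for entitlement in entitlements:
            holders[entitlement].add(identity)
    total = len(accounts)
    rows = {}
    for entitlement, identities in holders.items():
        pct = 100.0 * len(identities) / total if total else 0.0
        if pct > threshold:
            rows[entitlement] = (pct, sorted(identities))
    return rows


def group_and_analyze(accounts, group):
    """Return (percent, identities) for identities holding the whole group.

    Assumption: a group matches only when all of its entitlements are held.
    """
    group = set(group)
    if not group:
        raise ValueError("group must contain at least one entitlement")
    matched = sorted(i for i, ents in accounts.items() if group <= ents)
    pct = 100.0 * len(matched) / len(accounts) if accounts else 0.0
    return pct, matched


if __name__ == "__main__":
    for ent, (pct, ids) in sorted(percent_of_population(ACCOUNTS, 25).items()):
        print(f"{ent[0]}={ent[1]}: {pct:.1f}% {ids}")
    print(group_and_analyze(ACCOUNTS, [("memberOf", "Finance"),
                                       ("memberOf", "AP-Approvers")]))
```

A grouped percentage well below the percentages of its individual entitlements means few identities hold the full combination, so a role built from that group would grant additional access to most of the identities it is assigned to.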
Save the Profile
When you are satisfied with the information you have mined and analyzed, click Create Role. You must enter a name for the new role, optionally a type and description, and click Save to return to the Role Viewer.