How to Create a Profile Using Entitlement Analysis

IdentityIQ supports the creation of roles based on the mining of entitlements within the enterprise. These roles typically model the IT privileges required to perform a specific function within an application or other target system. Using a configurable algorithm, IdentityIQ searches foraccess patterns to determine logical groupings of entitlements.

Entitlement analysis enables you to search for entitlements based on specific application and identity information. This feature enables you to create meaningful profiles without having to remember every entitlement on every application, or be familiar with the access assigned to each employee in your enterprise.

Entitlement mining also enables you to analyze the entitlement information collected to further refine the profiles you are creating before saving.

Overview

Creating a profile using entitlement analysis actually involves three distinct phases:

  • Search for entitlements

  • Analyze the search results

  • Save the profile

  1. Access the Create Profile from Entitlement Analysis panel.

  2. Click Create in the Profiles panel of the Role Editor and select New Profile From Entitlement. Profiles can only be added within a role. See How to Create or Edit a Profile.

  3. Select the application on which to search for entitlements.

  4. Optional: Narrow your entitlement search using the Identity Attribute fields.
    The Identity Attribute fields displayed are dependent on the identity attributes defined during configuration.

  5. Click Search to begin the role analysis based on the specified criteria.

The search returns the following information:

Note: The entitlement analysis search only returns those entitlements based on account or group attributes, not those based on permissions.

Attribute

The criteria used to define this search. For example, Application, Last Name, or Manager.

Filter Type

The type of filter applied to the search criteria. For example, Equal or Like.

Value

The value entered in the search field.

Only show percentages above:

Use the slider to limit the results displayed in the table based on the percentage of the population to which the results apply.

For example, if you are only interested in entitlements that apply to at least forty percent (40%) of the population searched, click the slider and move it to that percentage, or type the percentage in the field to the right.

Click a value to display a list of all identities to whom that entitlement is assigned.

Name

The name of the attribute from which this entitlement was derived. Attributes used to define entitlements are specified during configuration.

Value

The value assigned to the attribute. Click a value to expand a list of users to whom the entitlement is assigned.

Percent of Population

The number of identities assigned to that value of that attribute on this application expressed as a percentage of all identities that have an account on the application.

Use these results to analyze the entitlements that exist within your enterprise. The Group and Analyze feature enables you to group entitlements within an application and generate results based on that group. This feature enables you to see how assigning multiple entitlements to a profile can impact access within the application.

To group and analyze, select multiple entitlements and click Group and Analyze. The results are displayed below the entitlements table. Click a group to see the details for the entitlements within. You can perform analysis multiple times on entitlements or on the groups created.

When you are satisfied with the information you have mined and analyzed, click Create Profile. You must enter an name for the new profile, optionally a description, and click Save to return to the Role Editor.

Additional Information

From the Role Editor, you can add additional profiles, edit the role, or save the role and return to the Role Viewer. See Role Editor Page.