Role Mining
Role Mining is used to create roles based on specified criteria in an existing enterprise. IdentityIQ separates role mining into the following categories:
The IT Role Mining panel generates roles in bulk. The population of identities from which to mine can be restricted by IPOP or by String, boolean, or integer attributes (multi-valued attributes are not supported at this time).
The entitlements from which roles are generated are defined on a by-application basis. When an application is added to the mining analysis, all of its entitlements are added to a box to the right. Users can prevent the entitlements from being considered in the analysis by clicking the X next to them.
The population size is restricted by the defined identity population as well as the applications under consideration. The current population size is presented along with a warning that mining details are not available for large populations.
You can restrict the roles that are generated by specifying a minimum number of identities and entitlements per role.
Select IT Role Mining or Business Role Mining from the Create New drop-down list to create and launch a new role mining task. Alternatively, you can select an existing template from the Role Mining Template panel and use the predefined criteria in your role mining task.
Note: Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template, you are required to give it a new name.
Types of Role Mining Activities
Roles can be mined either by performing a Role Mining process or by running an Entitlement Analysis. Both options are found on the Role Management page. These two options are similar in some ways:
- Both allow the administrator to specify one or more applications whose entitlements will be evaluated as well as a set of identity attributes that can be used to filter the set of Identities that should be examined.
- Both only return entitlements held by at least one identity in the examined set. This is useful for constraining the role modeling activities to manageable sets by looking at users who are likely to share common sets of entitlements that should be configured as IT roles (e.g. users in the Accounting department or the Austin location).
They each also offer unique features in role creation that make them separately suited to different types of role creation needs.
IT Role Mining is designed to highlight Identities' entitlement commonalities. It returns every set of entitlements on the selected applications that are all held by one or more Identities. It does not return subsets (e.g. if several identities hold entitlements A, B, and C but none hold A and B without C, ABC will be a returned set but AB will not be a returned set of its own).
Entitlement Analysis is designed to allow maximum flexibility in grouping entitlements into roles by returning each entitlement separately and allowing the administrator to group them in as many combinations as are desired. Entitlement Analysis even allows the creation of roles that represent sets of entitlements no one user currently holds, while IT Role Mining does not. (Using the example scenario above, entitlement analysis supports the creation of a role containing entitlements A and B only while IT Role Mining does not.) However, Entitlement Analysis does not show the existing connections between entitlements as well as IT Role Mining does. See Entitlement Analysis.
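The difference between the two result sets can be modelled in a few lines. This is an added example, not IdentityIQ code: it assumes a candidate role is the full set of entitlements shared by some group of identities, applies the minimum identities and entitlements limits, and models the Maximum Groups to Mine failure from the IT Role Mining panel; all names and the sample population are constructed.

```python
class TooManyCandidates(Exception):
    """Models the task failing when Maximum Groups to Mine is exceeded."""

def mine_it_roles(holdings, excluded=frozenset(), min_identities=1,
                  min_entitlements=1, max_groups=100):
    """Return {entitlement set: sorted holders} for each candidate role.

    Assumption: a candidate is a closed set, i.e. the full set of
    entitlements shared by some group of identities, so AB is not reported
    when everyone holding A and B also holds C.
    """
    rows = {who: frozenset(ents) - excluded for who, ents in holdings.items()}
    closed = set()
    for ents in rows.values():
        # Closed sets are exactly the non-empty intersections of the rows.
        closed |= {s for s in {ents} | {ents & c for c in closed} if s}
    candidates = {}
    for ents in closed:
        holders = sorted(w for w, held in rows.items() if ents <= held)
        if len(holders) >= min_identities and len(ents) >= min_entitlements:
            candidates[ents] = holders
    if len(candidates) > max_groups:
        raise TooManyCandidates(f"{len(candidates)} candidates > {max_groups}")
    return candidates

def entitlement_analysis(holdings, excluded=frozenset()):
    """Each entitlement held by at least one identity, returned separately."""
    return sorted(set().union(*holdings.values()) - set(excluded))

# Constructed sample population (entitlement names are placeholders).
SAMPLE = {
    "alice": {"A", "B", "C"},
    "bob": {"A", "B", "C"},
    "carol": {"A", "B", "C", "D"},
}

if __name__ == "__main__":
    for ents, holders in mine_it_roles(SAMPLE, min_identities=2).items():
        print(sorted(ents), holders)
    print(entitlement_analysis(SAMPLE))
```

Adding an identity that holds only A and B makes AB a candidate of its own, which is the case the subset rule describes.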
IT Role Mining
IT Role Mining creates roles based on the mining of entitlements within the enterprise. These roles typically model the IT privileges required to perform a specific function within an application or other target system. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements.
The mining task generates or updates a single IT role with entitlements that are mined from a user population specified by groups, applications, or an identity filter. A threshold percentage limits which entitlements are added: only those held by a percentage of the population that exceeds the threshold are included.

Use the Create New dropdown list at the top right corner of the page and select IT Role Mining. Input your mining criteria in the IT Role Mining panel.
Owner
Enter a valid user or workgroup. Typing the first few letters of a name displays a list of all of the user and workgroup names in the system containing that letter combination. You can select from the displayed list.
Identities to Mine
Search By Attributes – input the attribute data to target specific identity criteria used in the role mining task.
Search By Population – select a population on which the role mining task is run.
Note: Selecting a population automatically filters the applications to those included in the selected population.
Applications to Mine
Specify the application(s) on which to focus the mining task.
Entitlements to Exclude
Select any entitlements that are associated with the application to exclude in the role mining task. All other entitlements are used as part of the role mining criteria.
The size of the population to be mined is currently X identities
The variable value of the total number of identities used in the role mining task based on the current mining criteria.
Minimum Identities per Role
Specify the minimum number of Identities, who meet the role mining criteria, that are required to create this role.
Minimum Entitlements per Role
Specify the minimum number of entitlements, which meet the role mining criteria, that are required to create this role.
Maximum Groups to Mine
Note: The role mining task fails if the number of candidate roles discovered exceeds the number specified in this field.
Specify the maximum number of groups (candidate roles), which can be generated using this role mining criteria.
Once you have entered your criteria, click Save to save your selections as an IT Role Mining template. Click Save and Execute to save the template and run the role mining task. Enter the name of your role mining template then click OK.

Note: Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template, you are required to give it a new name.
Use or edit an existing IT Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab.
Click View Latest Mining Results to view the results of the most recent mining task for this template.
Any changes to the template are saved for this template unless the template name is changed. Once you have entered your criteria, click Save to save your selections, or click Save and Execute to save the template and run the role mining task. Executed mining tasks appear on the Role Mining Results tab.
Business Role Mining
Business role mining within IdentityIQ facilitates the creation of organizational groupings based on identity attributes – for example, department, cost center, or job title. The business role mining supports multiple configuration options to assist users in generating new roles. The criteria used to generate the business role can be saved as a template for future use. After the mining task is completed, the new roles are added to the Role Viewer where they can be modified as necessary.
The Business Role Mining panel generates roles from identity attributes and entitlements. The generated roles are either organized into a hierarchy based on identity attributes of the users from which the roles are mined or they are generated in a flattened manner. From there they are moved into either an existing container role or one that was newly created.
Entitlement mining is optionally performed on the generated business roles. These entitlements are either directly attached to those business roles or placed in newly created IT roles that are then added to the business roles' Permits or Requires lists.
Once you have entered your criteria, click Save to save your selections as a Business Role Mining template, or click Save and Execute to save the template and run the role mining task. Enter the name of your role mining template then click OK. When the task is launched a success message dialog is displayed.
If you perform role mining on the same role consecutive times, the process does not modify owner, assigned scope, description, type, selector, or the disabled attributes on consecutive runs. Sub-roles can be added on consecutive runs, but not removed. Mining for entitlements does not change. The process mines and associates entitlements. If a role is enabled and mining is run again, the role remains enabled, and entitlements can be granted with no approval process. If a role is disabled before the repeated mining is run, the role remains disabled.
To review the results of the mining task, click View Latest Mining Results. See Role Mining Results.
The roles generated by the mining task are displayed on the Role Viewer tab.
Note: Roles created through business role mining are disabled by default.
Once the roles are created and active they can be used just like any other roles.
To clear the role mining form, click Reset Mining Form.

Name
The name of the business role mining routine. The name created here is used to identify the settings used in the event the same role mining routine is reused in the future.
Compute Population Statistics
Compute statistics for the mined roles and display them in the task result.
Perform Analysis Only (no roles are generated)
Perform the role mining for analysis purposes only. No roles are generated when this mining is complete.
See the results of the task on the Task Results tab of the Tasks page.

Generate a New Root Container Role
Generate a container for all newly-generated roles based on the scoping attribute. If selected, a dropdown appears for the type of root container role to generate. For example, if roles are mined based on the Department attribute and you specify the type of root container as Organizational, then an Organizational container is created for each of the Department roles that are mined.
Use this option when you want to organize roles into separate containers based on the scoping attribute, rather than using one container for all generated roles.
Specify an Existing Root Container Role
Select an existing role into which all the newly generated roles should be placed.
Generate a Role Hierarchy from the Identity Mining Attributes
Generate a role hierarchy. Each attribute generates its own level in the hierarchy, and that level contains the roles whose names match the values for that given attribute.
Ordered Identity Mining Attributes
Arrange the list of attributes used to order the hierarchy of the generated roles. Users are assigned the role based on this list's ordering. For example if the list order is 1. Region, 2. Location, 3. Department then all users in the same department for a given location in a given region are assigned that role.

Type of Business Roles to Generate
Note: This option is hidden when Perform Analysis Only is selected on the business role mining page.
Type of role generated by the task.
Owner
Note: This option is hidden when Perform Analysis Only is selected on the business role mining page.
Enter a valid user. Typing the first few letters of a name displays a list of all of the user names in the system containing that letter combination. You can select from the displayed list.
Minimum Number of Users per Role
Minimum number of users who must meet the mining criteria before a role is generated.
Naming Algorithm
Note: This option is hidden when Perform Analysis Only is selected on the business role mining page.
The Filter-Based naming algorithm concatenates all the attributes, separated by periods, to generate role names. The Generic UID naming algorithm generates random role names.
Prefix to Apply to Generated Role Names
Note: This option is hidden when Perform Analysis Only is selected on the business role mining page.
Prefix to add to the generated role names.

Mine for Entitlements on Generated Business Roles
Mine for entitlements as part of this task.
Attach Mined Profiles directly to Business Functional Roles
Attach mined profiles directly to the generated roles. If this option is not selected new IT roles are created to hold the entitlements and these IT roles are added to the generated roles' Permits or Requires list based on the selection below.
Type of IT Roles to Generate
Type of role that is generated to hold the entitlements.
Business Roles' Relationship to Mined IT Roles
Determines if the newly created IT roles are added to the generated roles' Permits or Requires list.
Entitlement Source Applications
Applications to mine for entitlements.
Percentage Threshold for Inclusion of an Entitlement
Specify the minimum inclusion threshold that an entitlement must meet before it is included in the role.
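How the ordered attributes, naming prefix, minimum users and inclusion threshold interact can be modelled as follows. This is an added example, not IdentityIQ code: it assumes flattened generation, Filter-Based names built from attribute values joined by periods, and a threshold that is met at greater-than-or-equal; the identities and entitlement names are constructed. The would_gain field lists members who do not currently hold every entitlement the mined role would contain, which is worth reviewing before such a role is enabled.

```python
from collections import Counter, defaultdict

# Constructed sample identities; attribute and entitlement values are placeholders.
IDENTITIES = [
    {"name": "ann", "Region": "EMEA", "Location": "London",
     "Department": "Finance", "ents": {"GL_READ", "GL_POST"}},
    {"name": "ben", "Region": "EMEA", "Location": "London",
     "Department": "Finance", "ents": {"GL_READ", "GL_POST", "AP_APPROVE"}},
    {"name": "cara", "Region": "EMEA", "Location": "London",
     "Department": "Finance", "ents": {"GL_READ"}},
    {"name": "dan", "Region": "EMEA", "Location": "London",
     "Department": "IT", "ents": {"SRV_ADMIN"}},
]

def mine_business_roles(identities, ordered_attrs, prefix="",
                        min_users=1, threshold_pct=100):
    """Model of flattened business role mining with entitlement mining."""
    groups = defaultdict(list)
    for ident in identities:
        groups[tuple(ident[a] for a in ordered_attrs)].append(ident)
    roles = {}
    for values, members in groups.items():
        if len(members) < min_users:  # Minimum Number of Users per Role
            continue
        held = Counter(e for m in members for e in m["ents"])
        # Assumption: an entitlement meets the threshold at >= threshold_pct.
        mined = {e for e, n in held.items()
                 if 100 * n >= threshold_pct * len(members)}
        # Members for whom the mined role contains access they lack today.
        gains = {m["name"]: sorted(mined - m["ents"])
                 for m in members if mined - m["ents"]}
        # Assumption: Filter-Based names join the attribute values with periods.
        roles[prefix + ".".join(values)] = {
            "members": sorted(m["name"] for m in members),
            "entitlements": sorted(mined),
            "would_gain": gains,
        }
    return roles

if __name__ == "__main__":
    order = ["Region", "Location", "Department"]
    for pct in (100, 60):
        print(pct, mine_business_roles(IDENTITIES, order, "BR_", 2, pct))
```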

Note: Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template, you are required to give it a new name.
Use or edit an existing Business Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab.
Click View Latest Mining Results to view the results of the most recent mining task for this template.
Any changes to the template are saved for this template unless the template name is changed. Once you have entered your criteria, click Save to save your selections, or click Save and Execute to save the template and run the role mining task. Executed mining tasks appear on the Role Mining Results tab.

Roles created through business and IT role mining activities are automatically generated in "container" organizational roles by the mining operations. Container roles are a useful way to organize these system-generated roles, either temporarily before they are reassigned to organizational units representing a different structure or permanently as a place where the generated roles can be tracked and maintained by an administrator. IT roles are frequently left in these container organizational roles, even if mined business roles are moved to a different structure.
The placements of roles in organizational roles do not affect IdentityIQ's usage of them; the structure just needs to be clear to the administrators who will navigate through it to manage the roles.