Role Modeling
To access the Role Management page, click Setup > Roles.
Role modeling is used to create and maintain the roles that define your enterprise. These roles are used to categorize and manage users based on job function. Roles also provide a translation between business and IT functions, ease provisioning and the request process for new access, and simplify auditing and the access review and certification process.
Terms used in role modeling:

Role mining enables you to create new roles within IdentityIQ by analyzing data within the system using pattern-matching algorithms. IdentityIQ supports role mining to create both business and IT roles. Business roles typically model how users are grouped by business function, including functional hierarchies, project teams, or geographic location. IT roles typically model how application entitlements (or permissions) are logically grouped for streamlined access. See Role Mining for more information.

Within IdentityIQ, business role mining facilitates the creation of organizational groupings based on identity attributes such as department, cost center, or job title. Business role mining supports multiple configuration options to assist users in generating new roles. After the mining task is completed, the new roles are added to the Role Viewer, where they can be modified as necessary. See Business Role Mining for more information.

IdentityIQ also supports the creation of roles based on the mining of entitlements within the enterprise. These roles typically model the IT privileges required to perform a specific function within an application or other target system. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements. See Entitlement Analysis for more information.
When you define roles based on entitlements from the applications being monitored by IdentityIQ, the aggregation and correlation process discovers the entitlements, matches them to the roles you defined, and assigns those roles to the users who have those entitlements. If you create a hierarchical structure of roles using the inheritance function of the Role Viewer, users are assigned the lowest-level role discovered during aggregation. For example, if role A is a member of role B, and role B is a member of role C, and an identity is discovered that is assigned all of the entitlements that define roles C, B, and A, that identity is assigned role A. Assigning the lowest-level role enables operations such as certifications to be performed on one role instead of on each entitlement assigned to the user.
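The lowest-level role rule described above, as an added Python sketch (not IdentityIQ code). It assumes "A is a member of B" means A inherits B's entitlements; the role names, entitlement names, and functions are constructed for illustration, and the second return value (entitlements no detected role covers) goes slightly beyond the text.

```python
# Added illustration, not IdentityIQ code. All names below are constructed.
ROLES = {
    # role: (entitlements defined directly on the role, roles it is a member of)
    "C": ({"erp:login"}, []),
    "B": ({"erp:ap_view"}, ["C"]),
    "A": ({"erp:ap_approve"}, ["B"]),
    "D": ({"crm:read"}, []),
}

def ancestors(role, roles=ROLES):
    """All roles reachable by following membership upward (terminates on cycles)."""
    seen, stack = set(), list(roles[role][1])
    while stack:
        parent = stack.pop()
        if parent not in seen:
            seen.add(parent)
            stack.extend(roles[parent][1])
    return seen

def required(role, roles=ROLES):
    """Entitlements needed to match a role: its own plus every ancestor's."""
    needed = set(roles[role][0])
    for parent in ancestors(role, roles):
        needed |= roles[parent][0]
    return needed

def detect_roles(held, roles=ROLES):
    """Return (lowest-level matching roles, entitlements not covered by them)."""
    held = set(held)
    # A role matches when the identity holds every entitlement it requires.
    matched = {r for r in roles if required(r, roles) <= held}
    # Drop any matched role that is an ancestor of another matched role.
    implied = set()
    for r in matched:
        implied |= ancestors(r, roles)
    lowest = matched - implied
    covered = set()
    for r in lowest:
        covered |= required(r, roles)
    # Leftover entitlements would still need entitlement-by-entitlement review.
    return sorted(lowest), sorted(held - covered)

if __name__ == "__main__":
    print(detect_roles({"erp:login", "erp:ap_view", "erp:ap_approve"}))
    print(detect_roles({"erp:login", "erp:ap_approve", "crm:read"}))
```
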

Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles. Role types are configured on the System Setup page.
Role management also uses the concept of permissions to enable you to grant users permission to certain roles without assigning them the role or incorporating it in their role hierarchy. For example, while a non-IT user with a business-type role might need access to the entitlements contained within an IT-type role, they probably do not need to have that role assigned to them or included as part of their hierarchical role structure.

Role archiving enables you to store versions of roles that have changed over time. This function enables you to roll back to previous versions of the role if necessary. If role approval is required in your enterprise, role rollbacks also require approval. Role archiving is controlled through business processes and is enabled during the configuration of the IdentityIQ product.

Role activation events enable you to use business processes to automatically activate or deactivate roles based on dates you configure for the role. Role activation business processes can be configured to automatically refresh identities to include or exclude the impacted roles.

Granting IdentityIQ user rights enables you to associate specific IdentityIQ capabilities and scopes to roles. Those capabilities and scopes are then granted to identities when they are assigned the role and the Identity Cube Refresh task is run with the Provision assigned roles option selected. By default this function is disabled in IdentityIQ and must be turned on during the deployment and configuration process.