Role Mining
Role Mining is used to create roles based on specified criteria in an existing enterprise. IdentityIQ separates role mining into the following categories:
- IT Role Mining
- Business Role Mining
The IT Role Mining panel generates roles in bulk. The population of identities from which to mine can be restricted by population (IPOP) or by String, boolean, or integer identity attributes (multi-valued attributes are not supported at this time).
The entitlements from which roles are generated are defined on a by-application basis. When an application is added to the mining analysis, all of its entitlements are added to a box to the right. Users can prevent the entitlements from being considered in the analysis by clicking the X next to them.
The population size is restricted by the defined identity population as well as the applications under consideration. The current population size is presented along with a warning that mining details are not available for large populations.
You can restrict the roles that are generated by specifying a minimum number of identities and entitlements per role.
Select IT Role Mining or Business Role Mining from the Create New drop-down list to create and launch a new role mining task. Alternatively, you can select an existing template from the Role Mining Template panel and use the predefined criteria in your role mining task.
Note
Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template you are required to give it a new name.
Types of Role Mining Activities
Roles can be mined either by performing a Role Mining process or by running an Entitlement Analysis. Both options are found on the Role Management page. These two options are similar in some ways:
- Both allow the administrator to specify one or more applications whose entitlements will be evaluated as well as a set of identity attributes that can be used to filter the set of Identities that should be examined.
- Both only return entitlements held by at least one identity in the examined set. This is useful for constraining the role modeling activities to manageable sets by looking at users who are likely to share common sets of entitlements that should be configured as IT roles (e.g. users in the Accounting department or the Austin location).
They each also offer unique features in role creation that make them separately suited to different types of role creation needs.
IT Role Mining is designed to highlight Identities' entitlement commonalities. It returns every set of entitlements on the selected applications that are all held by one or more Identities. It does not return subsets (e.g. if several identities hold entitlements A, B, and C but none hold A and B without C, ABC will be a returned set but AB will not be a returned set of its own).
Entitlement Analysis is designed to allow maximum flexibility in grouping entitlements into roles by returning each entitlement separately and allowing the administrator to group them in as many combinations as are desired. Entitlement Analysis even allows the creation of roles that represent sets of entitlements no one user currently holds, while IT Role Mining does not. (Using the example scenario above, Entitlement Analysis supports the creation of a role containing entitlements A and B only, while IT Role Mining does not.) However, Entitlement Analysis does not show the existing connections between entitlements as well as IT Role Mining does. See Entitlement Analysis.
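The contrast between the two activities is easier to see on data. The following Python model is an added example written for this page, not IdentityIQ code: the product's real algorithm is configurable and runs over its own identity store, whereas this only reproduces the behaviour the text describes (IT Role Mining returns each distinct entitlement set that some identity holds in full, Entitlement Analysis returns each held entitlement on its own) together with the Minimum Identities, Minimum Entitlements, Maximum Groups and View Population controls described later on this page. The identities, applications and entitlement names are constructed sample data.

```python
"""Added illustration of IT Role Mining vs Entitlement Analysis.
Not IdentityIQ's implementation; it models the documented behaviour on
constructed sample data (identity -> {(application, entitlement), ...})."""
from collections import defaultdict

# Constructed sample population. A, B, C follow the example in the text:
# several identities hold A, B and C together, nobody holds A and B without C.
IDENTITIES = {
    "alice": {("AD", "A"), ("AD", "B"), ("AD", "C")},
    "bob":   {("AD", "A"), ("AD", "B"), ("AD", "C"), ("SAP", "FI_VIEW")},
    "carol": {("AD", "A"), ("AD", "B"), ("AD", "C")},
    "dave":  {("AD", "D"), ("SAP", "FI_VIEW")},
    "erin":  {("AD", "D"), ("SAP", "FI_VIEW")},
    "frank": {("AD", "A")},
}


class TooManyGroups(Exception):
    """Raised when candidate roles exceed 'Maximum Groups to Mine' (the task fails)."""


def scoped(entitlements, applications, exclude=frozenset()):
    """Keep only entitlements on the selected applications, minus exclusions."""
    apps = frozenset(applications)
    return frozenset(e for e in entitlements if e[0] in apps and e not in exclude)


def it_role_mining(identities, applications, exclude=frozenset(),
                   min_identities=1, min_entitlements=1, max_groups=None):
    """Candidate roles: every distinct entitlement set (on the selected
    applications) that at least one identity holds in full. A subset such
    as {A, B} appears only if some identity holds exactly that subset.
    Returns {frozenset(entitlements): set(identity names)}."""
    groups = defaultdict(set)
    for name, ents in identities.items():
        held = scoped(ents, applications, exclude)
        if held:
            groups[held].add(name)
    candidates = {g: ids for g, ids in groups.items()
                  if len(ids) >= min_identities and len(g) >= min_entitlements}
    if max_groups is not None and len(candidates) > max_groups:
        raise TooManyGroups(f"{len(candidates)} candidate roles exceed {max_groups}")
    return candidates


def entitlement_analysis(identities, applications):
    """Each entitlement separately, with the identities holding it.
    Only entitlements held by at least one identity appear; the administrator
    may then combine them freely (e.g. into a role holding just A and B)."""
    holders = defaultdict(set)
    for name, ents in identities.items():
        for e in scoped(ents, applications):
            holders[e].add(name)
    return dict(holders)


def population(identities, applications, group, exact=True):
    """'View Population' for a candidate role: identities whose scoped
    entitlements match the group exactly, or (exact=False) hold the group
    plus additional entitlements on the selected applications."""
    g = frozenset(group)
    out = set()
    for name, ents in identities.items():
        held = scoped(ents, applications)
        if g <= held and ((held == g) if exact else (held != g)):
            out.add(name)
    return out


if __name__ == "__main__":
    for group, ids in it_role_mining(IDENTITIES, ["AD"], min_identities=2).items():
        print(sorted(e[1] for e in group), "->", sorted(ids))
    print(sorted(e[1] for e in entitlement_analysis(IDENTITIES, ["AD", "SAP"])))
```

Mining only the AD application with a minimum of two identities yields the candidate roles ABC and D; the pair AB is never offered because nobody holds exactly that set, while Entitlement Analysis lists A, B, C, D and FI_VIEW individually. Widening the scope to AD plus SAP splits bob into his own group (ABC plus FI_VIEW), which is why the candidate count, and therefore the Maximum Groups limit, depends on the applications selected as much as on the population.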
IT Role Mining
IT Role Mining creates roles based on the mining of entitlements within the enterprise. These roles typically model the IT privileges required to perform a specific function within an application or other target system. Using a configurable algorithm, IdentityIQ searches for access patterns to determine logical groupings of entitlements.
The mining task generates or updates a single IT role with entitlements that are mined from a user population specified by groups, applications, or an identity filter. A threshold percentage limits the entitlements that are added to those held by a percentage of the population that exceeds the threshold.
Create New IT Role Using Role Mining
Use the Create New dropdown list at the top right corner of the page and select IT Role Mining. Input your mining criteria in the IT Role Mining panel.
Owner - Enter a valid user or workgroup. Typing the first few letters of a name displays a list of all of the user and workgroup names in the system containing that letter combination. You can select from the displayed list.
Identities to Mine - Search By Attributes: input the attribute data to target specific identity criteria used in the role mining task.
Search By Population: select a population on which the role mining task is run.
Note
Selecting a population automatically filters the applications to those included in the selected population.
Applications to Mine - Specify the application(s) on which to focus the mining task.
Entitlements to Exclude - Select any entitlements that are associated with the application to exclude in the role mining task. All other entitlements are used as part of the role mining criteria.
The size of the population to be mined is currently X identities - The variable value of the total number of identities used in the role mining task based on the current mining criteria.
Minimum Identities per Role - Specify the minimum number of Identities, who meet the role mining criteria, that are required to create this role.
Minimum Entitlements per Role - Specify the minimum number of entitlements, which meet the role mining criteria, that are required to create this role.
Maximum Groups to Mine
Note
The role mining task fails if the number of candidate roles discovered exceeds the number specified in this field.
Specify the maximum number of groups (candidate roles), which can be generated using this role mining criteria.
Once you have entered your criteria, click Save to save your selections as an IT Role Mining template. Click Save and Execute to save the template and run the role mining task. Enter the name of your role mining template then click OK.
Use An Existing IT Role Mining Template
Note
Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template you are required to give it a new name.
Use or edit an existing IT Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab.
Click View Latest Mining Results to view the results of the most recent mining task for this template.
Any changes to the template are saved for this template unless the template name is changed. Once you have entered your criteria, click Save to save your selections, or click Save and Execute to save the template and run the role mining task. Executed mining tasks appear on the Role Mining Results tab.
Business Role Mining
Business role mining within IdentityIQ facilitates the creation of organizational groupings based on identity attributes – for example, department, cost center, or job title. The business role mining supports multiple configuration options to assist users in generating new roles. The criteria used to generate the business role can be saved as a template for future use. After the mining task is completed, the new roles are added to the Role Viewer where they can be modified as necessary.
The Business Role Mining panel generates roles from identity attributes and entitlements. The generated roles are either organized into a hierarchy based on identity attributes of the users from which the roles are mined or they are generated in a flattened manner. From there they are moved into either an existing container role or one that was newly created.
Entitlement mining is optionally performed on the generated business roles. These entitlements are either attached directly to those business roles or placed in newly created IT roles that are then added to the business roles' Permits or Requires lists.
Once you have entered your criteria, click Save to save your selections as a Business Role Mining template, or click Save and Execute to save the template and run the role mining task. Enter the name of your role mining template then click OK. When the task is launched a success message dialog is displayed.
If you run role mining on the same role more than once, subsequent runs do not modify the owner, assigned scope, description, type, selector, or disabled attribute of the role. Sub-roles can be added on subsequent runs, but not removed. Entitlement mining behaves the same on every run: the process mines entitlements and associates them with the role. If a role is enabled when mining is run again, the role remains enabled, and the newly associated entitlements can be granted with no approval process. If a role was disabled before the repeated mining run, the role remains disabled.
To review the results of the mining task, click View Latest Mining Results. See Role Mining Results.
The roles generated by the mining task are displayed on the Role Viewer tab.
Note
Roles created through business role mining are disabled by default.
Once the roles are created and active they can be used just like any other roles.
To clear the role mining form, click Reset Mining Form.
General Settings
Name - The name of the business role mining routine. The name created here is used to identify the settings used in the event the same role mining routine is reused in the future.
Compute Population Statistics - Compute statistics for the mined roles and display them in the task result.
Perform Analysis Only (no roles are generated) - Perform the role mining for analysis purposes only. No roles are generated when this mining is complete.
See the results of the task on the Task Results tab of the Tasks page.
Hierarchical Settings
Generate a New Root Container Role - Generate a container for all newly-generated roles based on the scoping attribute. If selected, a dropdown appears for the type of root container role to generate. For example, if roles are mined based on the Department attribute and you specify the type of root container as Organizational, then an Organizational container is created for each of the Department roles that are mined.
Use this option when you want to organize roles into separate containers based on the scoping attribute, rather than using one container for all generated roles.
Specify an Existing Root Container Role - Select an existing role into which all the newly generated roles should be placed.
Generate a Role Hierarchy from the Identity Mining Attributes - Generate a role hierarchy. Each attribute generates its own level in the hierarchy, and that level contains the roles whose names match the values for that given attribute.
Ordered Identity Mining Attributes - Arrange the list of attributes used to order the hierarchy of the generated roles. Users are assigned roles based on this list's ordering. For example, if the list order is 1. Region, 2. Location, 3. Department, then all users in the same department at a given location in a given region are assigned the role generated for that department.
Role Settings
Type of Business Roles to Generate - Type of role generated by the task.
Note
This option is hidden when the Perform Analysis Only is selected on the business role mining page.
Owner - Enter a valid user. Typing the first few letters of a name displays a list of all of the user names in the system containing that letter combination. You can select from the displayed list.
Note
This option is hidden when the Perform Analysis Only is selected on the business role mining page.
Minimum Number of Users per Role - Minimum number of users who must meet the mining criteria before a role is generated.
Naming Algorithm
Note
This option is hidden when the Perform Analysis Only is selected on the business role mining page.
The Filter-Based naming algorithm concatenates all the attributes, separated by periods, to generate role names. The Generic UID naming algorithm generates random role names.
Prefix to Apply to Generated Role Names
Note
This option is hidden when the Perform Analysis Only is selected on the business role mining page.
Prefix to add to the generated role names.
IT Settings
Mine for Entitlements on Generated Business Roles
Mine for entitlements as part of this task.
Attach Mined Profiles directly to Business Functional Roles
Attach mined profiles directly to the generated roles. If this option is not selected new IT roles are created to hold the entitlements and these IT roles are added to the generated roles' Permits or Requires list based on the selection below.
Type of IT Roles to Generate
Type of role that is generated to hold the entitlements.
Business Roles' Relationship to Mined IT Roles
Determines if the newly created IT roles are added to the generated roles' Permits or Requires list.
Entitlement Source Applications
Applications to mine for entitlements.
Percentage Threshold for Inclusion of an Entitlement
Specify the minimum inclusion threshold that an entitlement must meet before it is included in the role.
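The Hierarchical Settings, Naming Algorithm and IT Settings above combine into one pipeline: bucket identities by the ordered attributes, drop buckets below the user minimum, name the roles, then mine each role's entitlements against the percentage threshold. The following Python model is an added example for this page, not IdentityIQ code; the attribute names (region, location, department), the sample identities and the MINED_ prefix are constructed. It implements the Filter-Based naming algorithm as the text describes it (attribute values joined with periods) and leaves the Generic UID algorithm out.

```python
"""Added illustration of hierarchical business role mining with threshold-based
entitlement mining. Not IdentityIQ's implementation; it models the behaviour
documented above on constructed sample identities."""
from collections import Counter

# Constructed sample identities: mining attributes plus (application, entitlement) pairs.
IDENTITIES = [
    {"name": "alice", "region": "EMEA", "location": "London", "department": "Finance",
     "entitlements": {("SAP", "FI_VIEW"), ("SAP", "FI_POST"), ("AD", "VPN")}},
    {"name": "bob",   "region": "EMEA", "location": "London", "department": "Finance",
     "entitlements": {("SAP", "FI_VIEW"), ("AD", "VPN")}},
    {"name": "carol", "region": "EMEA", "location": "London", "department": "Finance",
     "entitlements": {("SAP", "FI_VIEW"), ("AD", "VPN"), ("AD", "ADMIN")}},
    {"name": "dave",  "region": "EMEA", "location": "London", "department": "Sales",
     "entitlements": {("CRM", "READ")}},
    {"name": "erin",  "region": "AMER", "location": "Austin", "department": "Finance",
     "entitlements": {("SAP", "FI_VIEW")}},
    {"name": "frank", "region": "AMER", "location": "Austin", "department": "Finance",
     "entitlements": {("SAP", "FI_VIEW"), ("SAP", "FI_POST")}},
]


def role_name(values, prefix=""):
    """Filter-Based naming: attribute values joined with periods, plus any prefix."""
    return prefix + ".".join(values)


def mine_business_roles(identities, ordered_attributes, min_users=1, prefix=""):
    """One role per distinct value path through the ordered attributes, one
    hierarchy level per attribute. A role is generated only when at least
    min_users identities share all of its attribute values. Returns
    {role_name: {"level": n, "parent": parent_name_or_None, "members": set()}}.
    Because a child's members are a subset of its parent's, a surviving child
    always has a surviving parent."""
    roles = {}
    for depth in range(1, len(ordered_attributes) + 1):
        attrs = ordered_attributes[:depth]
        buckets = {}
        for ident in identities:
            key = tuple(ident[a] for a in attrs)
            buckets.setdefault(key, set()).add(ident["name"])
        for key, members in buckets.items():
            if len(members) < min_users:
                continue  # 'Minimum Number of Users per Role'
            parent = role_name(key[:-1], prefix) if depth > 1 else None
            roles[role_name(key, prefix)] = {"level": depth, "parent": parent,
                                             "members": members}
    return roles


def mine_entitlements(identities, members, applications, threshold_pct):
    """Entitlements on the source applications held by at least threshold_pct
    of the role's members ('Percentage Threshold for Inclusion of an Entitlement').
    Whether these land directly on the business role or in a new IT role on its
    Permits/Requires list is a separate setting and not modelled here."""
    apps = set(applications)
    counts = Counter()
    for ident in identities:
        if ident["name"] in members:
            counts.update(e for e in ident["entitlements"] if e[0] in apps)
    needed = threshold_pct / 100 * len(members)
    return {e for e, n in counts.items() if n >= needed}


if __name__ == "__main__":
    roles = mine_business_roles(IDENTITIES, ["region", "location", "department"],
                                min_users=2, prefix="MINED_")
    for name, info in roles.items():
        ents = mine_entitlements(IDENTITIES, info["members"], ["SAP", "AD"], 60)
        print(info["level"], name, "<-", info["parent"], sorted(info["members"]), sorted(ents))
```

With a minimum of two users, the EMEA.London.Sales bucket (dave alone) is dropped, so dave ends up only in the MINED_EMEA and MINED_EMEA.London container levels. For MINED_EMEA.London.Finance a 60% threshold keeps FI_VIEW and VPN (held by all three members) and excludes FI_POST and ADMIN (one member each); lowering the threshold to 30% would pull carol's ADMIN entitlement into the role for everyone it is later assigned to, which is the practical reason to review the threshold before mining onto a role that is already enabled.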
Use An Existing Business Role Mining Template
Note
Names are required when creating role mining templates. When you edit an existing template, you are given the choice to either change the existing template or create a new template. If you create a new template you are required to give it a new name.
Use or edit an existing Business Role Mining template to generate a role based on previous criteria by clicking a template name in the Role Mining Templates panel on the Role Mining tab.
Click View Latest Mining Results to view the results of the most recent mining task for this template.
Any changes to the template are saved for this template unless the template name is changed. Once you have entered your criteria, click Save to save your selections, or click Save and Execute to save the template and run the role mining task. Executed mining tasks appear on the Role Mining Results tab.
Organizational Roles as Container Roles in Role Mining
Roles created through business and IT role mining activities are automatically generated in "container" organizational roles by the mining operations. Container roles are a useful way to organize these system-generated roles, either temporarily before they are reassigned to organizational units representing a different structure or permanently as a place where the generated roles can be tracked and maintained by an administrator. IT roles are frequently left in these container organizational roles, even if mined business roles are moved to a different structure.
The placements of roles in organizational roles do not affect IdentityIQ's usage of them; the structure just needs to be clear to the administrators who will navigate through it to manage the roles.
Role Mining Results
The Role Mining Results tab displays a table containing information about the role mining tasks run in IdentityIQ. Use the filtering tools to narrow down the viewable results by name, start / end date and result. Click a line item in the table to view the details of the mining result.
Right-click a line item to open a sub-menu with different options depending on the role mining type. Business Role mining sub-menu options include View Results and Delete. IT Role Mining sub-menu options include View Results, Export to CSV, and Delete.
| Field Name | Description |
|---|---|
| Name | The name of the role mining template used for the task. |
| Date Complete | The date the role mining task completed. |
| Result | The result of the role mining task. Note: Click the refresh button at the bottom of the panel if the task status is Pending. Right-click the task and select Delete to remove it from the Role Mining Results tab. |
| Owner | The identity named as owner of the role mining template. |
| Type | The type of role mining task. |
The information and actions available in the role mining result details vary depending on the role mining type.
IT Role Mining Results Details
The IT Role Mining Results Details page displays a table containing a visual representation of the available unique roles generated based on the criteria used in the role mining task. Click a line item to highlight that row. Right-click the row to bring up a sub-menu from which you can select either View Group Summary, Create Role, or View Population. Click View List of Mining Results to return to the previous page.
Group Summary
The Group Summary window displays a quick view of the application and entitlements which make up that group.
Create Role
The Create Role window displays information about the role and its entitlements which were generated by the role mining task. Additional changes can be made here prior to committing to the role creation.
| Field Name | Description |
|---|---|
| Name | Input the name of the role being created. |
| Owner | The owner of the role being created. |
| Scope | Select a scope from the dropdown list. Only scopes that you control are displayed in the list. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control. |
| Container Role | Select a container role from the drop down list in which to have the created role placed. |
| Description | Enter a brief description of the role. |
| Direct Entitlements | Displays the entitlements that were mined as a result of the role mining criteria entered. Click the X icon to remove any entitlements. Note: No entitlements can be added. Entitlements can only be removed from the list. At least one entitlement must be included to successfully create a role. |
| Inherited Roles | Select from the dropdown list the roles, if any, from which this role inherits. |
| Entitlements from Inherited Roles | Displays the entitlements included in the inherited role. Click the X icon to remove any entitlements. |
Click Save to complete the role creation or Cancel to close the window. The new role is available on the Role Viewer tab.
View Population
The View Population window displays information about the identities in IdentityIQ which match the criteria used by the role mining task. The information displayed in this table is defined when IdentityIQ is configured for your enterprise. By default the table displays Name, First Name, Last Name and Manager. Use the dropdown list at the top of the window to filter the results to display identities that match the criteria exclusively or those that match but have additional entitlements.
Business Role Mining Results Details
Click a Business Role Mining type line item to open the Latest Mining Results window for that mining task. The window displays detailed information on the roles generated based on the criteria used in the role mining task.
| Field Name | Description |
|---|---|
| Details | |
| Name | The name of the role which was created. |
| Type | The type of the role which was created. |
| Description | A brief description of the role which was created. |
| Status | Current status of the role mining task. |
| Started By | Displays the name of the person that launched the role mining task. |
| Started | Displays the date and time on which the mining task was started. |
| Completed | Displays the date and time on which the mining task was completed. |
| Business Role Mining Attributes | |
| Identity Mining Attributes | The attributes selected in the mining criteria. |
| Roles Mined | Total number of roles mined based on the provided mining criteria. |
| Roles Updated | Number of roles updated as a result of the latest mining task. |
| Coverage of Mined Roles | The percentage of comparative roles used in the mining task based on the mining criteria. |