To create technical roles you must have a Customer, Global, or Technical Roles Administrator authorization, and you must have collected metrics. You can create technical roles either manually or using role mining analytics. Additionally, the Business Role Administrator can generate technical roles when creating business role candidates.
When using role mining analytics, Identity Governance automatically groups permissions and presents them as technical role candidates. You must promote role candidates as roles before you can activate the technical role.
When you are creating technical roles manually, an understanding of what permissions you want to assign to the technical role is helpful. You cannot activate a technical role until you have added permissions to the technical role.
Identity Governance uses advanced analytics to mine business data and identify role candidates. Technical role mining is the process of discovering and analyzing business data to logically group permissions to simplify the review process, or allow grouping of related permissions under one technical role candidate. Customer, Global or Technical Roles administrators can use role mining to create technical roles with common permissions. Identity Governance uses the following two approaches to identify technical role candidates.
Identity Governance allows you to use one of two role mining methods to create technical roles.
To create a technical role using role mining:
Log in as a Customer or Technical Roles Administrator.
Under Catalog, select Roles.
Click the Mining tab.
Select a role mining approach. (See Table 17-1 to determine which role mining approach to use.)
(Conditional) If you choose Automatic Suggestions:
Click Generate New Suggestions.
NOTE:If you already generated new suggestions, you can click Load Previous Suggestions, then skip to Step 5.f. Only saved suggestions still within the specified retention interval appear.
Provide a description that lists the attributes you want to use for role mining, or that specifies the purpose for the role.
(Optional) Specify role mining options relevant to the technical role you want to create.
Click Start.
Click Load next to the mining suggestion you want to use to load potential role candidates.
Select one or more potential candidates from the Mining Suggestions, then select Actions > Create Candidates.
In the Create Role Candidates dialog box, type a name for the technical role candidate, then click Create Candidates.
(Conditional) If you choose Visual Role Mining:
Use your mouse to select an area containing the permissions you want the technical role to contain.
Click View Candidate.
Type a name for the technical role you want to create.
Click Estimate Users to see how many users have the specified permissions
NOTE:You can click the highlighted number to view a list of users with the specified permissions.
Click Analyze SoD Violations to view potential separation of duties policies that would be violated if users held the permissions contained in this technical role.
NOTE:The Potential SoDs Violated window displays the names of the SoD policies potentially violated and the number of users affected. Click the SoD policy name or the highlighted number for details.
Click Create Candidate.
Click the Roles tab, then select the mined role candidates.
Select Actions > Promote Candidates, then click Promote.
(Optional) Click the promoted role to edit the role name, description, owner, risk, cost, or category.
(Optional) Estimate the impact by viewing the list of associated users and analyzing SoD violations if SoD policies were previously defined.
(Optional) Add or remove permissions based on the estimated impact and save the changes.
NOTE:When you add permissions to a role, the dialog displays all application permissions in Identity Governance. You can quickly sort or filter permissions by name, description, or application. You can also click the filter icon and use the expression builder to add additional criteria to the search and limit the displayed permissions further. You can save and reuse the filters that you have defined. For more information about filters, see Section 12.4.3, Using Advanced Filters for Searches.
Click the gear icon to customize which columns display on the screen.
After you promote a role, you can use the Actions menu to add and remove categories, assign owners, promote or delete candidates, activate or deactivate roles, and download definitions. Note that roles which has reference to any business roles, SOD, access request, or approval policy cannot be deactivated. You must activate a technical role to allow Identity Governance to identify the users that hold permissions specified in the role.
To define a technical role manually, you must define parameters, including permissions, owners, risk, cost, or category, for the role.
To create a technical role manually:
Log in as a Customer or Technical Roles Administrator.
Under Catalog, select Roles.
Click the plus sign (+) to create a technical role.
Provide values for any of the following fields:
Name of the technical role (Required)
Description of the technical role
Owner(s)
Risk level configuration
Risk level
Cost
Categories
(Optional) Next to Permissions, click the plus sign (+), select the permissions to include in the role, then click Add.
Click Estimate Users to see how many users have the specified permissions
NOTE:You can click the highlighted number to view a list of users with the specified permissions.
Click Analyze SoD Violations to see potential separation of duties policies that would be violated if users held the permissions contained in this technical role.
NOTE:The Potential SoDs Violated window displays the names of the SoD policies potentially violated and the number of users affected. Click the SoD policy name or the highlighted number for details.
(Optional) Remove permissions to resolve potential SoD violations.
Click Save.
On the Roles tab, select the technical role you created.
Select Actions > Promote Candidates, then click Promote.
Click the gear icon to customize which columns display on the screen.
After you promote a role, you can use the Actions menu to add and remove categories, assign owners, promote or delete candidates, download definitions, and activate or deactivate roles. Note that roles which has reference to any business roles, SOD, access request, or approval policy cannot be deactivated. You must activate a technical role to allow Identity Governance to identify the users that hold permissions specified in the role.