Identity Governance provides access to the Analytics and Role Mining Settings menu based on your authorization. Authorized users can use these settings to enable and disable decision support, configure business role mining settings, create custom metrics, collect metrics, and schedule metrics collection.
Roles in governance systems enable administrators to simplify security administration on systems and applications by encapsulating popular sets of entitlements and assigning them to users as packages rather than individually. Identity Governance uses attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions, administrators may not see any recommendations when mining for roles. Only a Customer, Data, or Business Roles Administrator can configure the role mining settings.
When specifying attributes, make sure that:
Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.
In addition, for visual role mining to render recommendations, make sure that:
At least two attributes are selected. For example, “Title” and “Department”.
Selected attributes share commonality. For example, departments A, B, and C have users with the same titles, such as Administrative Assistant and Department Lead.
NOTE: After customizing attributes, select Business Role Mining metrics and collect metrics to refresh data.
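The following pre-check is an added example, not part of Identity Governance or its documentation. It tests the three conditions above against a constructed list of user records; the record layout, the function names, and the reading of "commonality" as a value of one attribute occurring under two or more values of another are assumptions.

```python
from collections import defaultdict

# Constructed sample users (not real data); attribute names follow the page's example.
SAMPLE_USERS = [
    {"Title": "Administrative Assistant", "Department": "A", "Location": ""},
    {"Title": "Department Lead", "Department": "A", "Location": ""},
    {"Title": "Administrative Assistant", "Department": "B", "Location": ""},
    {"Title": "Department Lead", "Department": "C", "Location": ""},
    {"Title": "Engineer", "Department": "C", "Location": ""},
]

def has_values(users, attr):
    """True if at least one user has a non-empty value for attr."""
    return any((u.get(attr) or "").strip() for u in users)

def shared_values(users, attr, other):
    """Values of attr that occur under two or more distinct values of other."""
    seen = defaultdict(set)
    for u in users:
        a, b = (u.get(attr) or "").strip(), (u.get(other) or "").strip()
        if a and b:
            seen[a].add(b)
    return sorted(v for v, others in seen.items() if len(others) >= 2)

def preflight(users, selected):
    """Return a list of problems; an empty list means all three conditions hold."""
    problems = [f"attribute '{a}' has no values" for a in selected
                if not has_values(users, a)]
    if len(selected) < 2:
        problems.append("fewer than two attributes selected")
    # Commonality is only meaningful between attributes that carry values.
    populated = [a for a in selected if has_values(users, a)]
    pairs = [(a, b) for i, a in enumerate(populated) for b in populated[i + 1:]]
    if pairs and not any(shared_values(users, a, b) or shared_values(users, b, a)
                         for a, b in pairs):
        problems.append("selected attributes share no common values across users")
    return problems

if __name__ == "__main__":
    for selection in (["Title", "Department"], ["Title"], ["Title", "Location"]):
        print(selection, "->", preflight(SAMPLE_USERS, selection) or "ok")
```
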
Identity Governance tracks activities and key risk indicators so that authorized administrators can monitor activities and risk factors in your governance system and make improvements based on the collected metrics. The activities and key risk factors, or facts, extracted and collected from various data sources and from user and entity events are stored in fact tables. The fact tables are then used to calculate metrics, and the results (metric tables) are published to the default or administrator-specified database.
Identity Governance default metrics analyze common risk factors and enable you to find answers to questions such as what the average number of users in an account is, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. Administrators cannot edit the default metrics but can view the associated description and metric columns by selecting the metric name.
In addition to default metrics, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active. You can download custom metric definitions and import them.
Administrators can also download metric results. You must collect metrics before downloading the results. Not all available metric results are downloadable. You cannot download metrics if they were collected from a remote database. Role mining metrics are also not downloadable because they are only for use by internal processes.
The default schedule for all metric calculations is 24 hrs. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Although Identity Governance allows administrators to schedule the collection of metrics, collections might be delayed because Identity Governance manages the number of collections running concurrently to optimize performance. Some collections scheduled to run might be delayed until other collections have completed. Identity Governance also delays scheduled calculations after initial startup of the Identity Governance server.
You can store metrics data in Identity Governance databases, Vertica, Oracle, PostgreSQL, Microsoft SQL Server (MS SQL), or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the table below.
NOTE: Identity Governance publishes facts to Kafka as JSON strings.
Data Type | Read from igops as | Published to Vertica as | Published to IG PostgreSQL as | Published to IG Oracle as | Published to IG MS SQL as |
---|---|---|---|---|---|
Boolean | BOOLEAN | BOOLEAN | boolean | number | bit |
Long | INTEGER | INTEGER | integer | number | integer |
Float | FLOAT | FLOAT | float | float | float |
String | STRING | LONG VARCHAR | text | nclob | nvarchar(max) |
Date | TIMESTAMP | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE |