17.3 Defining Business Roles

To use business roles, you must create a business role and define a membership policy and an authorization policy for it based on your business needs. You can create a business role either manually or by using role mining analytics.

To define a business role:

  1. Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.

  2. Under Policy, select Business Roles.

  3. Select the Mining tab if you want the system to recommend role candidates and, based on your selection, auto-create membership expressions and authorize the associated permissions, technical roles, and applications.

    NOTE: If you are confident about your data and want to define a membership expression manually, select + on the Business Roles page to create a new business role and then proceed to Step 12.

    If: You are not sure where to start, have a small catalog, and want Identity Governance to mine for roles based on the attributes specified in the role mining settings in Configuration > Analytics and Role Mining Settings and automatically suggest role candidates.

    Then:

    • Select Visual Role Mining.

    • Modify the maximum number of results to display for recommended attributes and the required minimum number of members for each role candidate.

    • Save the specified values to trigger the user catalog analysis.

    • (Optional) Click the gear icon to change the specified values to optimize results, and save the values.

    • Click an attribute node (circle) to select a role candidate.

      WARNING: You might not see any recommendations if the Settings > Minimum potential members value is set too high or when the role mining settings in Configuration > Analytics and Role Mining Settings do not meet the required conditions. For more information, see Configuring Analytics and Role Mining Settings.

    • Select the Mining Results tab.

    If: You do not know where to start, have large and complex data to mine, want Identity Governance to mine the data based on the attributes specified in the role mining settings in Configuration > Analytics and Role Mining Settings, and want to use minimum occurrences of attributes as the mining criterion without specifying any user attributes.

    Then:

    • Select Automated Role Mining.

    • Modify the minimum number of attributes, minimum number of occurrences, and maximum results.

    • Modify the coverage criteria.

      NOTE: Identity Governance uses the permission, technical role, and application coverage fields to determine which authorizations are auto-populated in the business role candidate. For example, if permission coverage is 50%, then 50% of the members must hold a permission for Identity Governance to add it as an authorization in the candidate. If it is 100%, then all members must hold the permission for Identity Governance to add it as an authorization.

    • Save the specified values to trigger the user catalog analysis.

    • (Optional) Click the gear icon to change values to optimize results, and save the values to refresh the candidate suggestions.

    If: You want to direct the mining by specifying user attributes from the catalog.

    NOTE: When using this role mining option, you are not constrained to the attributes included in the role mining settings in Configuration > Analytics and Role Mining Settings.

    Then:

    • Select Directed Role Mining.

    • Specify the user attributes by entering the user attribute names or by searching and selecting the attributes based on the strength of the recommendation.

    • Specify a minimum number of times the attribute value must occur across users, or the percentage of all users who must have the attribute value.

    • Specify additional coverage criteria.

    • Save the specified values to trigger the user catalog analysis.

    • (Optional) Click the gear icon to adjust the values to optimize results, and save the values to refresh the candidate suggestions.
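The minimum-occurrence criterion of Automated Role Mining and the permission coverage rule from the NOTE above, worked through as an added example. This is illustrative Python written for this page, not Identity Governance code: the user catalog, the attribute and permission names, and the functions mine_candidates, permission_coverage, auto_authorizations and build_candidate are all constructed here, and the product's own mining algorithm is not shown.

```python
"""Added example (not Identity Governance code): attribute-based role mining
with a minimum-occurrence threshold, and the coverage rule that decides which
permissions are pre-populated as authorizations of a role candidate.
The catalog, attribute names, permission names and function names are
constructed for illustration."""
from collections import Counter
from itertools import combinations

# Constructed user catalog: six users, two mining attributes, a few permissions.
CATALOG = [
    {"id": "u1", "dept": "eng", "loc": "nyc", "perms": {"git", "jira", "vpn"}},
    {"id": "u2", "dept": "eng", "loc": "nyc", "perms": {"git", "jira"}},
    {"id": "u3", "dept": "eng", "loc": "sfo", "perms": {"git", "vpn"}},
    {"id": "u4", "dept": "eng", "loc": "sfo", "perms": {"git"}},
    {"id": "u5", "dept": "sales", "loc": "nyc", "perms": {"crm", "vpn"}},
    {"id": "u6", "dept": "sales", "loc": "sfo", "perms": {"crm"}},
]

ATTRIBUTES = ("dept", "loc")  # stands in for the role mining settings attributes


def members_matching(catalog, criteria):
    """Users whose attributes equal every (attribute, value) pair in criteria."""
    return [u for u in catalog if all(u.get(a) == v for a, v in criteria)]


def mine_candidates(catalog, attributes, min_attributes, min_occurrences, max_results):
    """Automated-style mining: every combination of at least min_attributes
    attribute values that at least min_occurrences users share becomes a role
    candidate; candidates are ranked by member count and cut at max_results."""
    counts = Counter()
    for user in catalog:
        for k in range(min_attributes, len(attributes) + 1):
            for combo in combinations(attributes, k):
                criteria = tuple((a, user[a]) for a in combo)
                counts[criteria] += 1
    candidates = [(c, n) for c, n in counts.items() if n >= min_occurrences]
    candidates.sort(key=lambda cn: (-cn[1], cn[0]))
    return candidates[:max_results]


def permission_coverage(members):
    """Fraction of the members (0.0 .. 1.0) holding each permission."""
    if not members:
        return {}
    held = Counter(p for u in members for p in u["perms"])
    return {p: n / len(members) for p, n in held.items()}


def auto_authorizations(members, coverage_pct):
    """Permissions held by at least coverage_pct percent of the members: the
    ones the coverage rule pre-populates into the candidate's authorizations.
    At 100% only permissions held by every member qualify."""
    threshold = coverage_pct / 100.0
    cov = permission_coverage(members)
    return sorted(p for p, frac in cov.items() if frac >= threshold)


def build_candidate(catalog, criteria, coverage_pct):
    """Membership expression (criteria) plus auto-populated authorizations."""
    members = members_matching(catalog, criteria)
    return {
        "criteria": criteria,
        "members": [u["id"] for u in members],
        "authorizations": auto_authorizations(members, coverage_pct),
    }


if __name__ == "__main__":
    for criteria, n in mine_candidates(CATALOG, ATTRIBUTES, 1, 2, 5):
        print(n, criteria)
    print(build_candidate(CATALOG, (("dept", "eng"),), 50))
    print(build_candidate(CATALOG, (("dept", "eng"),), 100))
```

With the constructed catalog, dept=eng has four members; at 50% coverage git, jira and vpn are all authorized (jira and vpn are held by exactly half), while at 100% only git, which every member holds, survives.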

  4. Select one or more items from the Role Candidates list.

  5. Click Create Candidates.

  6. Select Create separate candidates for each criteria or Create a single business role candidate. If you select the latter, specify a name for the business role.

  7. (Optional) Select Create associated technical roles for common permissions to generate the technical roles with users who have the same permissions.

  8. (Optional) Select Group permissions added to technical roles by application to create application-specific technical roles.

  9. (Optional) Select Create business role hierarchy, and then select the attributes by which to group values for each available level, to create role hierarchy when mining business roles.

    NOTE: The number of available levels is one less than the number of attributes you selected in Role Mining Options. For example, if you selected three attributes, you would be able to group the roles for up to two levels.

  10. On the Role tab, click the newly generated inactive role to view the role description.

  11. Click Edit.

    NOTE: Identity Governance creates the role candidate in a pending state, and administrators must promote it before anyone can approve the role candidate or publish it as a role. Ensure that the membership criteria and authorizations are as you want them to be before publishing.

  12. Select Yes to promote the role candidate.

  13. Specify the following information to create the business role:

    Name and Description

    Modify the auto-generated name to a unique name and edit the description for the business role.

    Grace period

    Specify a grace period. The grace period is the number of days that Identity Governance continues to treat a user as a member of the role after it detects that the user no longer meets the membership policy requirements.

    Risk

    Specify the importance of the business role in terms of limited access and security.

    For example, you might want to review access to business roles with a high risk more often than business roles with a mild risk.

    Included Membership

    Optionally, specify business roles whose membership criteria, users, and groups you want to include in the new business role. When combining the included roles, Identity Governance includes only the membership of published roles and eliminates duplicates. For example, you can include BR1 and BR2 in the membership of BR3. Role BR3 then becomes the union of BR1 and BR2 along with any membership criteria specified for BR3.

    NOTE: Exclusions defined on the including role take precedence over members inherited from an included business role. For example, when BR3 includes BR1, BR1 has a member User A, and BR3 excludes User A, Identity Governance also excludes User A from BR3.

    Also, note that Identity Governance does not allow circular inclusions. For example, you:

    • Cannot include BR1 in BR1 (self inclusion)

    • Cannot include BR2 in BR1 then include BR1 in BR2

    • Cannot include BR2 in BR1 and BR3 in BR2 and then include BR1 in BR3

    Membership expressions

    Membership expressions are criteria that specify the set of users considered members of the business role. Identity Governance converts the criteria you specify into SQL SELECT statements to find the users that match them. When you use role mining, Identity Governance recommends role candidates based on your data and auto-generates the membership expressions when you create a role candidate. To optimize the resulting SELECT statements, follow standard query optimization principles, such as creating indexes on the attributes you query; if a SELECT statement still does not perform as expected, contact your database administrator. To set effective dates for authorizations, click the calendar icon at the top of the membership expression menu section.

    HINT: When adding date attributes such as start date to a membership expression, you can specify a date using the calendar date picker or use the date formula. For example, to automatically make new employees members of a business role two days before their start date, use the date formula.

    Include and Exclude Users and Groups

    Optionally, define specific users and groups that you want to include in the business role that might not match any membership expression. You can also specify users and groups to exclude from the business role who would otherwise match membership expressions. For example, you can have a membership expression that matches all managers in engineering, but you do not want John Smith or managers in the CTO group even if they match that criteria. You can also define a time period for when these inclusions or exclusions are valid.

    NOTE: Excluding a user or group takes precedence over including them. For example, suppose you include the Sales group and exclude the Contractors group. Then, Identity Governance would exclude a user who belongs to both of those groups because exclusion takes precedence over inclusion.
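The membership rules described under Included Membership, Membership expressions and Include and Exclude Users and Groups, worked through together as an added example: included roles form a union of published roles only, circular inclusion is refused, exclusion wins over every form of inclusion (including members inherited from an included role), the start-date formula, and the grace period. This is illustrative Python written for this page, not Identity Governance code; the users, the role names BR1 to BR6, and the classes and functions (BusinessRole, resolve_members, effective_members, starts_within and the demo functions) are all constructed here, and the product's own SQL-based evaluation is not shown.

```python
"""Added example, not Identity Governance code: a model of the membership rules
(membership expressions, included published roles as a union, no circular
inclusion, include/exclude lists where exclusion wins, a date formula, and the
grace period). Users, role names and function names are constructed."""
from datetime import date, timedelta

# Constructed user catalog (hypothetical users).
USERS = {
    "alice": {"dept": "eng", "title": "manager", "groups": {"engineering"}, "start": date(2024, 1, 10)},
    "bob": {"dept": "eng", "title": "manager", "groups": {"engineering", "cto"}, "start": date(2024, 1, 10)},
    "john": {"dept": "eng", "title": "manager", "groups": {"engineering"}, "start": date(2024, 1, 10)},
    "dana": {"dept": "sales", "title": "rep", "groups": {"sales", "contractors"}, "start": date(2024, 1, 20)},
    "erin": {"dept": "sales", "title": "rep", "groups": {"sales"}, "start": date(2024, 1, 20)},
}


class BusinessRole:
    def __init__(self, name, expression=None, published=True, includes=(), include_users=(),
                 exclude_users=(), include_groups=(), exclude_groups=(), grace_days=0):
        self.name, self.published, self.grace_days = name, published, grace_days
        self.expression = expression or (lambda u, today: False)  # membership expression
        self.includes = list(includes)  # other BusinessRole objects (Included Membership)
        self.include_users, self.exclude_users = set(include_users), set(exclude_users)
        self.include_groups, self.exclude_groups = set(include_groups), set(exclude_groups)
        self.last_seen = {}  # user -> last date the policy matched (for the grace period)


def check_no_cycles(role, path=()):
    """Reject self-inclusion and longer loops such as BR1 -> BR2 -> BR1."""
    if role.name in path:
        raise ValueError("circular inclusion: " + " -> ".join(path + (role.name,)))
    for inc in role.includes:
        check_no_cycles(inc, path + (role.name,))


def resolve_members(role, users, today):
    """Users that satisfy the membership policy of `role` on `today`."""
    check_no_cycles(role)
    members = {n for n, u in users.items() if role.expression(u, today)}
    members |= {n for n in role.include_users if n in users}
    members |= {n for n, u in users.items() if u["groups"] & role.include_groups}
    for inc in role.includes:  # union of included roles, published ones only
        if inc.published:
            members |= resolve_members(inc, users, today)
    # Exclusion wins over every kind of inclusion, including members inherited
    # from an included role.
    excluded = set(role.exclude_users)
    excluded |= {n for n, u in users.items() if u["groups"] & role.exclude_groups}
    return members - excluded


def effective_members(role, users, today):
    """Policy members plus users still inside the grace period after they stopped matching."""
    current = resolve_members(role, users, today)
    for n in current:
        role.last_seen[n] = today
    graced = {n for n, seen in role.last_seen.items()
              if n not in current and (today - seen).days <= role.grace_days}
    return current | graced


def starts_within(days):
    """Date-formula style expression: member from `days` days before the start date."""
    return lambda u, today: today >= u["start"] - timedelta(days=days)


def inclusion_demo(today=date(2024, 2, 1)):
    """BR3 = BR1 (engineering managers) + BR2 (sales group minus contractors),
    minus John and the CTO group; the unpublished BR4 contributes nothing."""
    br1 = BusinessRole("BR1", expression=lambda u, t: u["dept"] == "eng" and u["title"] == "manager")
    br2 = BusinessRole("BR2", include_groups={"sales"}, exclude_groups={"contractors"})
    br4 = BusinessRole("BR4", include_users={"dana"}, published=False)
    br3 = BusinessRole("BR3", includes=[br1, br2, br4], exclude_users={"john"}, exclude_groups={"cto"})
    return {r.name: sorted(resolve_members(r, USERS, today)) for r in (br1, br2, br3)}


def grace_demo():
    """Bob leaves engineering; with a 3-day grace period he is still a member on day 3
    but not on day 5. Returns whether bob is a member on days 1, 3 and 5."""
    role = BusinessRole("BR5", expression=lambda u, t: u["dept"] == "eng", grace_days=3)
    day1 = effective_members(role, USERS, date(2024, 3, 1))
    moved = {n: dict(u) for n, u in USERS.items()}
    moved["bob"]["dept"] = "sales"
    day3 = effective_members(role, moved, date(2024, 3, 3))
    day5 = effective_members(role, moved, date(2024, 3, 5))
    return "bob" in day1, "bob" in day3, "bob" in day5


def new_hire_demo():
    """Date formula: new employees join BR6 two days before their start date."""
    br6 = BusinessRole("BR6", expression=starts_within(2))
    return (sorted(resolve_members(br6, USERS, date(2024, 1, 7))),
            sorted(resolve_members(br6, USERS, date(2024, 1, 8))))


if __name__ == "__main__":
    print(inclusion_demo(), grace_demo(), new_hire_demo())
```

In inclusion_demo, Bob is a member of BR1 but is dropped from BR3 because BR3 excludes the cto group, and Dana never reaches BR3 because BR4 is unpublished and BR2 excludes contractors; the same precedence rule removes John, whom BR3 excludes by name. check_no_cycles refuses both self-inclusion and the BR1 -> BR2 -> BR1 loop before any expression is evaluated.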

  14. Select the Authorizations tab, then define the following:

    Permissions

    Identity Governance might preauthorize permissions when you mine for roles or you might need to define them. Select permissions from the entire catalog or from a list of permissions held by the business role members. Specify whether the permission is mandatory or optional. Specify whether Identity Governance should automatically grant or revoke permissions. If needed, select the calendar control to set an authorization period for when Identity Governance authorizes these permissions for users in the business role.

    If an authorized permission comes from an Identity Manager application and is an Identity Manager role (parent) that contains other Identity Manager roles and Identity Manager resources (children), there will be an option to also authorize the contained permissions (the default is to not authorize contained permissions). You can view the hierarchy of contained permissions by clicking show.

    NOTE: If you specify auto-grant or auto-revoke on this kind of permission, the selected option does not apply to any of the contained permissions. This is because if you grant or revoke a permission that is an Identity Manager role that contains other Identity Manager roles and Identity Manager resources, the Identity Manager system automatically grants or revokes any contained Identity Manager roles and resources.

    Technical Role

    Identity Governance might preauthorize technical roles when you mine for roles or you might need to define them. The technical role acts as a grouping for the permissions. If all of the appropriate permissions are included in a technical role, you can add the technical role instead of the individual permissions. If needed, select technical roles from the entire catalog or from a list of technical roles held by the business role members. Determine whether the technical role is mandatory or optional. Specify whether Identity Governance should automatically grant or revoke the technical role authorization. If needed, select the calendar control to set an authorization period for when the permissions in the technical role are valid for the business role.

    Permissions contained in a technical role might come from an Identity Manager application and might be an Identity Manager role that contains other Identity Manager roles and Identity Manager resources. For this reason, technical roles have two options for authorizing contained permissions. You can opt to only authorize the permissions that are explicitly specified in the technical role, or you can opt to authorize the permissions contained in the technical role and any permissions that are contained in those permissions. The second option applies only to permissions that are Identity Manager roles that contain other Identity Manager roles or Identity Manager resources. You can view the hierarchy of all contained permissions that Identity Governance authorizes by clicking show.

    NOTE: If you specify auto-grant or auto-revoke on a technical role, the selected option applies only to the permissions explicitly specified in the technical role. It does not apply to any of the permissions that those permissions might contain.

    Applications

    Identity Governance might preauthorize applications when you mine for roles, or you might need to define them. If needed, define which applications the members of the business role are authorized to hold. This means Identity Governance can create accounts for the members of the business role in the listed applications. Select applications from the entire catalog or from a list of applications held by the business role members. Specify whether Identity Governance should automatically grant or revoke the application authorization. If needed, select the calendar control to set an authorization period for when the members of the business role have access to the application.

    NOTE: Applications must have an account collector to allow you to specify automatic grant or revoke.

    For more information about authorizing permissions, technical roles, and applications, see Section 17.5, Adding Authorizations to a Business Role.

  15. Select the Owners and Administration tab to assign the following:

    • Role owner

    • Role manager

    • Fulfiller

    • Categories

    • Approval Policy

    If you do not make selections on this tab, Identity Governance makes default assignments for the owner and fulfiller and assigns a default approval policy to the business role.

  16. (Optional) On the Membership tab, select View Membership to view the list of business role members.

    NOTE: During migration or upgrades, you must always run publication to refresh the list of business role members. For more information about publishing data sources, see Section 8.0, Publishing the Collected Data.

  17. Under What-if Scenarios, select Estimate Publish Impact to view the types of changes that publishing would make, and select Analyze SoD Violations to view SoD violation information.

  18. (Conditional) Resolve SoD violations or edit the business role definition to resolve any issues. For more information about SoD violations, see Approving and Resolving an SoD Violation.

  19. Select Save to save your modifications to the mined business role definition.

    NOTE: When editing an existing business role, the Owners and Administration tab has a separate Save button, which allows you to change these items independently of the other items pertaining to the business role.

After you have created the business role and assigned owners and administrators, the business role is ready for approval or is ready to be published depending on your approval policy. The approval policy allows you to have people review the business role and approve or request changes to the business role. For more information, see Section 17.6, Adding a Business Role Approval Policy.

To detect users that meet the business role criteria in reviews or in the catalog, you must publish the business role. For more information, see Section 17.7, Publishing or Deactivating Business Roles.