16.5 Creating Technical Roles

To create technical roles you must have Customer, Global Administrator, or Technical Roles Administrator authorization and you must have collected metrics. You can create technical roles either manually or using role mining analytics. Additionally, the Business Role Administrator can generate technical roles when creating business role candidates.

When using role mining analytics, Identity Governance automatically groups permissions and presents them as role candidates. You must promote role candidates as roles before they can be activated.

When you are creating technical roles manually, an understanding of what permissions you want to assign to the technical role is helpful. You cannot activate a technical role until you have added permissions to the technical role.

To create a technical role:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Click the Mining tab.

    If

    Then

    You want to use direct role mining calculations and create more than one technical roles

    • Select Automatic Suggestions.

    • Save the default options, or specify options, and save.

    • Select one or more items from the list and click Create Roles.

      NOTE:Suggestions are sorted by the number of users multiplied by the number of permissions. For example, if there are five users who match the role mining options and who hold four permissions in common, they will be listed first, followed by a suggestion with four users who hold four permissions in common.

    You want to use the user access map to create a role candidate

    • Select Visual Role Mining.

    • Click the map and drag to select an area.

    • Click View Candidate.

    • (Optional) Click more to add a description, owner, risk, cost, or category.

    • (Optional) Click + to add permissions, or click Remove next to a permission to remove permissions.

    • Estimate the impact.

    • Click Create candidate.

  4. On the Roles page, click the mined role.

  5. (Optional) Edit the role name, description, owner, risk, cost, or category.

  6. Estimate the impact by viewing the list of associated users and analyzing SoD violations if SoD policies had been previously defined.

  7. (Optional) Add or remove permissions based on the estimated impact and save the changes.

    When you add a permission to a role, the dialog displays all application permissions in Identity Governance. You can quickly sort or filter permissions by name, description, or application. You can also click the filter icon and use the expression builder to add additional criteria to the search and limit the displayed permissions further. You can save and reuse the filters that you have defined. For more information about filters, see Section 11.4.3, Using Advanced Filters for Searches.

  8. Select Yes to promote the role candidate.

    You must promote a role candidate before you can activate and publish it as a role. Instead of individually promoting a role, you can choose to promote multiple role candidates using the Actions menu.

  9. Alternately, on the Roles page, select + to create a role manually.

  10. Provide the required information.

  11. (Optional) Select + next to Permissions and select the permissions to include in the role, and then select Add.

  12. (Conditional) If permissions have been added to the technical role, estimate impact and edit role if needed.

  13. Save your settings.

  14. Click the gear icon to customize column display as needed by selecting columns such as number of assigned users, number of users with all permissions, number of permissions, number of business roles, and number of SoDs.

  15. (Optional) Select a role, multiple roles, or all roles and use Actions menu to add and remove categories, assign owners, promote or delete candidates, activate or deactivate roles, and download definitions.