29.1 Understanding Analytics and Role Mining Settings

Identity Governance provides access to the Analytics and Role Mining Settings menu based on your authorization. Authorized users can use these settings to enable and disable decision support, configure business role mining settings, create custom metrics, collect metrics, and schedule metrics collection.

29.1.1 Understanding Role Mining Settings

Roles in governance systems enable administrators to simplify security administration on systems and applications by encapsulating popular sets of entitlements and assigning them to users as packages rather than individually. Identity Governance uses the attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions, administrators may not see any recommendations when mining for roles. Only a Global, Data, or Business Roles Administrator can configure the role mining settings.

When specifying attributes, make sure that:

  • Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.

In addition, for visual role mining to render recommendations, make sure that:

  • At least two attributes are selected. For example, “Title” and “Department”.

  • Selected attributes share commonality. For example, departments A, B, and C have users with the same titles, such as Administrative Assistant and Department Lead.

NOTE: After customizing attributes, select Business Role Mining metrics and collect metrics to refresh data.
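The conditions above can be checked against an exported user list before mining. The following is an added example, not Identity Governance code: the record layout, the function names, and the reading of "commonality" as a value of one attribute occurring together with two or more values of the other are assumptions for illustration.

```python
# Added example: pre-flight check of user data against the role mining conditions.
# Record layout, names and pass/fail logic are assumptions, not the product's algorithm.
from collections import defaultdict
from itertools import combinations

# Constructed sample: CostCenter maps one-to-one to Department, Location is never populated.
USERS = [
    {"Title": "Administrative Assistant", "Department": "A", "CostCenter": "c1", "Location": ""},
    {"Title": "Department Lead", "Department": "A", "CostCenter": "c1", "Location": ""},
    {"Title": "Administrative Assistant", "Department": "B", "CostCenter": "c2", "Location": ""},
    {"Title": "Department Lead", "Department": "C", "CostCenter": "c3", "Location": None},
]


def populated(users, attr):
    """Number of users that have a non-empty value for attr."""
    return sum(1 for u in users if str(u.get(attr) or "").strip())


def shared_values(users, attr_a, attr_b):
    """Values of attr_b held by users in two or more distinct attr_a groups."""
    groups = defaultdict(set)
    for u in users:
        a, b = u.get(attr_a), u.get(attr_b)
        if a and b:
            groups[b].add(a)
    return sorted(b for b, a_vals in groups.items() if len(a_vals) >= 2)


def preflight(users, attrs):
    """Return a list of findings; an empty list means all conditions hold."""
    findings = []
    if len(attrs) < 2:
        findings.append("select at least two attributes")
    usable = []
    for attr in attrs:
        if populated(users, attr) == 0:
            findings.append(f"{attr}: no user has a value")
        else:
            usable.append(attr)
    for a, b in combinations(usable, 2):
        if not shared_values(users, a, b) and not shared_values(users, b, a):
            findings.append(f"{a}/{b}: no commonality between values")
    return findings


if __name__ == "__main__":
    print(preflight(USERS, ["Title", "Department"]))
    print(preflight(USERS, ["Department", "CostCenter", "Location"]))
```

An empty result for "Title" and "Department" matches the example in the list above; the second call reports the unpopulated attribute and the attribute pair with no shared values.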

29.1.2 Understanding Metrics

Identity Governance tracks key risk indicators so that administrators can monitor these risk factors in your governance system and make improvements based on the collected metrics. The key risk factors, or facts, extracted and collected from various data sources are stored in fact tables that are then used to calculate metrics, and the results (metric tables) are published to the default or administrator-specified database. Administrators can also download all metric results in CSV format.

Identity Governance default metrics analyze common risk factors and enable you to answer questions such as what the average number of users in an account is, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. In addition, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active.

Administrators cannot edit the default metrics but can view the associated description and metric columns by selecting the metric name. The default schedule for all metric calculations is 24 hrs. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Though Identity Governance allows administrators to schedule the collection of metrics, collections might be delayed because Identity Governance manages the number of collections running concurrently to optimize performance. Some collections scheduled to run might be delayed until other collections have completed. Identity Governance also delays scheduled calculations after initial startup of the Identity Governance server.

Administrators can control how many metric collections can run simultaneously by using the Identity Governance Configuration Utility to configure com.netiq.iac.fact.collection.thread.pool.size. Currently, if an administrator chooses to run more than five metric collections, the first five collections run simultaneously and the other collections are queued, each running after a previous one finishes its calculations. We recommend that administrators override the default setting of 5 with a lower number if they observe metric collections impacting the system adversely. For more information about the Configuration Utility, see Using the Identity Governance Configuration Utility in the Identity Governance 3.7 Installation and Configuration Guide.

29.1.3 Understanding Supported Storages and Data Types

You can store metrics data in Identity Governance databases, Vertica, Oracle, PostgreSQL, Microsoft SQL Server (MS SQL), or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the table below.

NOTE: Identity Governance publishes facts to Kafka as JSON strings.

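| Data Type | Read from igops as | Published to Vertica as | Published to IG PostgreSQL as | Published to IG Oracle as | Published to IG MS SQL as |
|-----------|--------------------|-------------------------|-------------------------------|---------------------------|---------------------------|
| Boolean | BOOLEAN | BOOLEAN | boolean | number | bit |
| Long | INTEGER | INTEGER | integer | number | integer |
| Float | FLOAT | FLOAT | float | float | float |
| String | STRING | LONG VARCHAR | text | nclob | nvarchar(max) |
| Date | TIMESTAMP | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE |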