Technical role mining is the process of discovering and analyzing business data to logically group permissions, either to simplify the review process or to group related permissions under one technical role candidate. Identity Governance uses advanced analytics to mine business data and to identify role candidates. Customer, Global, or Technical Roles Administrators can use role mining to create technical roles with common permissions. Identity Governance uses the following two approaches to identify technical role candidates:
- Enables administrators to direct the mining calculations by specifying the minimum number of permissions that a specified number of users should have in common, the coverage percentage, the maximum number of role suggestions, and other role mining options.
- Enables administrators to select role candidates from a visual representation of the distribution of users based on permissions. Administrators can click within the user access map and drag to select permissions within an area on the map, then view technical role candidates.
The resulting list of technical role candidates allows administrators to determine if the potential candidates duplicate existing technical roles. Administrators can then choose not to create those candidates. To create a role candidate, administrators select one or more potential candidates from the list. Administrators can edit and save role candidates, but they must promote candidates before they can activate them as roles.
Table 18-1 helps you determine the type of role mining to use.
Table 18-1 Determining Which Role Mining Approach to Use
| If | Then |
|---|---|
| You want to use user and permission relationships to automatically identify potential candidates and create more than one technical role | Select Automatic Suggestions, which allows you to: Suggestions are sorted by the number of users multiplied by the number of permissions. For example, if five users match the role mining options and hold four permissions in common, Identity Governance lists them first, followed by a suggestion with four users who hold four permissions in common. |
| You want to use the user access map to create a role candidate | Select Visual Role Mining, which allows you to: |
You can also generate technical role candidates when you use mining to create a business role. For more information about business roles, see Section 19.0, Creating and Managing Business Roles.
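The sort order described in Table 18-1 (users multiplied by permissions), combined with minimum-users, minimum-permissions, and maximum-suggestions options, can be reproduced on a small data set. The following Python is an added example, not Identity Governance's own mining algorithm; the function name `mine_candidates`, its parameters, and the sample assignments are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: user -> permissions held (not from a real catalog).
ENG = {"git", "jira", "wiki", "ci"}
FIN = {"payroll", "ledger", "erp", "bank"}
ASSIGNMENTS = {
    "amy": ENG, "ben": ENG, "cal": ENG, "dee": ENG, "eli": ENG | {"prod-db"},
    "fay": FIN, "gus": FIN, "hal": FIN, "ivy": FIN | {"git"},
    "jon": {"git", "bank"},
}


def mine_candidates(assignments, min_users=2, min_permissions=2,
                    max_suggestions=5):
    """Return [(permissions, users, score)] ranked by users x permissions.

    Hypothetical helper: the option names mirror the role mining options
    described on this page, but the algorithm is an assumption.
    """
    # Candidate permission sets: each user's set, closed under intersection.
    # Fine for small inputs; the closure can grow quickly on large catalogs.
    candidates = {frozenset(p) for p in assignments.values()}
    while True:
        new = {a & b for a, b in combinations(candidates, 2)} - candidates
        if not new:
            break
        candidates |= new

    suggestions = []
    for perms in candidates:
        if len(perms) < min_permissions:
            continue
        # A user matches when they hold every permission in the candidate,
        # even if they also hold extra permissions outside it.
        users = sorted(u for u, held in assignments.items() if perms <= held)
        if len(users) >= min_users:
            suggestions.append((sorted(perms), users, len(users) * len(perms)))

    # Highest users x permissions first; ties broken by permission names.
    suggestions.sort(key=lambda s: (-s[2], s[0]))
    return suggestions[:max_suggestions]


if __name__ == "__main__":
    for perms, users, score in mine_candidates(ASSIGNMENTS):
        print(score, perms, users)
```

Five users sharing four permissions (score 20) rank ahead of four users sharing four permissions (score 16), matching the ordering in the table; users holding extra permissions still count toward a candidate, which is why a reviewer should check what each matched user holds beyond the role.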
Identity Governance performs role mining as a background process. If you navigate away from the role mining page, role mining continues. When you return to the role mining page, click Load Previous Suggestions to list the mining suggestions, then create the technical role candidates. The generated role mining suggestions are available for 96 hours. You can adjust the mining retention interval by selecting Configuration > Analytics and Role Mining Settings.
HINT: If you have a large catalog of users and technical roles, data mining performance might be very slow and eventually fail. Use the Configuration Utility console mode commands set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000 and set-property com.netiq.iac.analytics.roles.technical.MaxUserSize 10000 to change the size to 10000 and improve data mining performance. For more information about the utility procedures, see Using the Identity Governance Configuration Utility in the Identity Governance 4.2 Installation and Configuration Guide.