Technical role mining is the process of discovering and analyzing business data to logically group permissions to simplify the review process or allow grouping of related permissions under one technical role candidate. A technical role candidate is a set of permissions and users that can be promoted to a technical role. Identity Governance uses advanced analytics to mine business data and to identify role candidates. Customer, Global or Technical Roles Administrators can use role mining to create technical roles with common permissions after collecting related metrics.
Identity Governance uses the following two approaches to identify technical role candidates.
Enables administrators to direct the mining calculations by specifying the minimum number of permissions that a specified number of users should have in common, the coverage percentage, the maximum number of role suggestions, and other role mining options.
For more information about Automatic Suggestions criteria and computation, see Section 18.4.1, Understanding Automatic Suggestions Mining Approach.
Enables administrators to select role candidates from a visual representation of the distribution of users based on permissions. The map displays several clusters that can be potential technical role candidates. Administrators can click within the user access map and drag to select permissions within an area on the map, then view technical role candidates.
With both these approaches, you can edit and save role candidates. You must also promote candidates before you can activate them as roles. You can also generate technical role candidates when you use mining to create a business role. For more information about business roles, see Section 19.0, Creating and Managing Business Roles.
Identity Governance performs role mining as a background process. If you navigate from the role mining page, role mining will continue. When you return to the role mining page, click Load Previous Suggestions to list the mining suggestions, then create the technical role candidates. The generated role mining suggestions are available for 96 hours. You can adjust the mining retention interval by selecting Configuration > Analytics and Role Mining Settings.
HINT:If you have a large catalog of users and technical roles, data mining performance might be very slow and eventually fail. Use the Configuration Utility console mode commands set-property com.netiq.iac.analytics.roles.technical.MaxPermSize 10000 and set-property com.netiq.iac.analytics.roles.technical.MaxUserSize 10000 to change the size to 10000 and improve data mining performance. For more information about the utility procedures, see Using the Identity Governance Configuration Utility
in the Identity Governance 4.3.1 Installation and Configuration Guide.
When Identity Governance collects technical role related User to permission assignments metric, it stores the permission-assignment map in the database to display automatic suggestions. The metric results are in a compressed format in the database where rows are permissions and columns are users holding permissions.
The database binary matrix includes all users who hold at least one of the permissions and all permissions which are held by at least one user. The number of included users and the number of permissions in this matrix are based on com.netiq.iac.analytics.roles.technical.MaxUserSize and com.netiq.iac.analytics.roles.technical.MaxPermSize configuration properties respectively. Identity Governance updates this data based on the metrics schedule.
The metrics results (permission-assignment map) include several clusters that can be potential technical role candidates. The map is like the visual representation displayed when you choose the Visual Role Mining approach. Identity Governance further analyzes these clusters, isolates (permission-user pairs), and sorts them by the rectangle area (number permissions multiplied by the number of users). During this process, the matrix is transposed repeatedly, and rows are moved based on similarity and similar rows are kept together until the top matching candidates are found.
When you select Automatic Suggestions and save the default criteria or specify criteria, Identity Governance applies the criteria as boundary conditions and removes the rows and columns that do not meet the specified criteria. It also removes any empty rows and columns that are created after applying criteria, then creates clusters of permission-user pairs and displays the top matching suggestions based on Number of candidates to show and weighted rank. The result is a set of rectangles (technical role suggestions) where the number of rectangles is equal to your specified number of candidates to show. For example, if you had requested 5 candidates, and 8 clusters are found, only the top 5 will be displayed.
Find next a simple example of the role mining settings and corresponding permission-assignment map and results.
Filter permissions by users: Display Name equals one of ['Armando Colaco', 'Franke Drake', 'Henry Morgan', 'Leon Lavalette', 'James Ross', 'Lisa Haagensen" or 'Camille Pissaro']
Number of candidates to show: 5
Minimum number of permissions: 3
Minimum number of users: 3
Permission coverage: 0%
Based on these specified criteria, Identity Governance finds 4 candidates corresponding to the biggest clusters on the permission-assignment map.
Figure 18-2 Permission-Assignment Map
Figure 18-3 Results
Identity Governance ranks the role mining suggestions by the number of permissions multiplied by the number of users. In the above example, 5 users match the role mining criteria and hold 4 permissions in common (total twenty), Identity Governance lists them first as it has the most number of users and the highest total of permissions multiplied by users. The following candidates have 4 users who hold 5 permissions in common (total twenty), 6 permissions held by 3 users (total 18), then 3 permissions held by 4 users (total twelve).
After collecting metrics and selecting Automatic Suggestions, you may start mining after only entering the description, and without entering any criteria. When criteria are not specified, Identity Governance generates the suggestions using the following default values:
Number of candidates to show: 25
Minimum number of permissions: 5
Minimum number of users: 5
Permission coverage: 15%
To generate more specific technical role suggestions, you can also:
Change the maximum number of suggestions to display.
NOTE:Identity Governance can display maximum thousand suggestions. Each suggestion includes a different set of users and permissions.
Filter permissions by users and filter permissions settings using advanced filters to limit permissions used in a technical role using user and permission attributes respectively. Note that when you filter permissions by users, Identity Governance finds permissions that satisfy all your criteria. Therefore, all permissions held by your specified users might not be included in the suggested role candidates. You might want to increase the number of candidates to get more common permissions. This does not mean that all permissions held in common by your specified users will be found.
Search and select specific users and permissions to exclude from the calculation of suggested technical roles.
Specify minimum number of users that must hold the permissions to be included in the suggested role.
Specify minimum number of permissions that the suggested role should include.
Specify percentage of users that must hold a permission for the permission to be included in the calculation of roles. For example, if you specify permission coverage is ten percent for permissions held by hundred users, then at least ten users should hold the permission to be included in the suggestion.
Use Table 18-1 to determine the type of role mining to select.
Table 18-1 Determining Which Role Mining Approach to Use
If |
Then |
---|---|
You want to use user and permission relationships to automatically identify potential candidates and create more than one technical role |
Select Automatic Suggestions NOTE:Automatic role mining identifies potential role candidates and allows you to choose a role candidate instead of creating one, thereby avoid duplicating a technical role. |
You want to use the user access map to create a role candidate, add or remove permissions, estimate users, and analyze SoD violations |
Select Visual Role Mining |