30.1 Understanding Analytics and Role Mining Settings

Identity Governance provides access to the Analytics and Role Mining Settings menu based on your authorization. Authorized users can use these settings to enable and disable decision support, configure business role mining settings, create custom metrics, and collect metrics and schedule their collection.

30.1.1 Understanding Role Mining Settings

Roles in governance systems enable administrators to simplify security administration on systems and applications by encapsulating popular sets of entitlements and assigning them to users as packages rather than individually. Identity Governance uses attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions, administrators may not see any recommendations when mining for roles. Only a Customer, Data, or Business Roles Administrator can configure the role mining settings.

When specifying attributes, make sure that:

  • Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.

In addition, for visual role mining to render recommendations, make sure that:

  • At least two attributes are selected. For example, “Title” and “Department”.

  • Selected attributes share commonality. For example, departments A, B, and C have users with the same titles, such as Administrative Assistant and Department Lead.

NOTE: After customizing attributes, select Business Role Mining metrics and collect metrics to refresh data.
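The conditions listed above can be checked against an identity export before opening the role mining views. The following is an added example, not Identity Governance code: the user records are constructed, the function names are hypothetical, and "has values" is approximated by the share of users with a non-empty value, because this page does not define how the product computes attribute strength.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample identities (not product data); None or "" means no value.
USERS = [
    {"title": "Administrative Assistant", "department": "A", "location": None},
    {"title": "Department Lead", "department": "A", "location": None},
    {"title": "Administrative Assistant", "department": "B", "location": None},
    {"title": "Department Lead", "department": "B", "location": ""},
    {"title": "Administrative Assistant", "department": "C", "location": None},
    {"title": "Auditor", "department": "C", "location": None},
]

def populated_fraction(users, attr):
    """Share of users with a non-empty value (assumed stand-in for strength)."""
    if not users:
        return 0.0
    return sum(1 for u in users if u.get(attr)) / len(users)

def shared_values(users, attr_a, attr_b):
    """Values of attr_b that occur under two or more distinct attr_a values."""
    seen = defaultdict(set)
    for u in users:
        a, b = u.get(attr_a), u.get(attr_b)
        if a and b:
            seen[b].add(a)
    return {b: sorted(a_vals) for b, a_vals in seen.items() if len(a_vals) >= 2}

def preflight(users, selected):
    """List the reasons the selected attributes would yield no recommendations."""
    problems = []
    usable = [a for a in selected if populated_fraction(users, a) > 0]
    for a in selected:
        if a not in usable:
            problems.append(f"attribute '{a}' has no values")
    if len(usable) < 2:
        problems.append("fewer than two usable attributes selected")
    for a, b in combinations(usable, 2):
        # Commonality in either direction is enough for the pair to be useful.
        if not shared_values(users, a, b) and not shared_values(users, b, a):
            problems.append(f"'{a}' and '{b}' share no common values")
    return problems

if __name__ == "__main__":
    print(preflight(USERS, ["title", "department", "location"]))
```

An empty list from `preflight` means the selection satisfies all three conditions on the sample data.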

30.1.2 Understanding Metrics

Identity Governance tracks activities and key risk indicators so that authorized administrators can monitor activities and risk factors in your governance system and make improvements based on the collected metrics. The activities and key risk factors, or facts, are extracted and collected from various data sources and from user and entity events, and are stored in fact tables. The fact tables are then used to calculate metrics, and the results (metric tables) are published to the default or administrator-specified database.

Identity Governance default metrics analyze common risk factors and enable you to answer questions such as what the average number of users in an account is, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. Administrators cannot edit the default metrics but can view the associated description and metric columns by selecting the metric name.

In addition to default metrics, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active. You can download custom metric definitions and import them.

Administrators can also download all metric results. You must collect metrics before downloading the results. Not all available metric results are downloadable. You cannot download metrics if they were collected from a remote database. Role mining metrics are also not downloadable because they are only for use by internal processes.

The default schedule for all metric calculations is 24 hours. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Although Identity Governance allows administrators to schedule the collection of metrics, collections might be delayed because Identity Governance manages the number of collections running concurrently to optimize performance. Some collections scheduled to run might be delayed until other collections have completed. Identity Governance also delays scheduled calculations after initial startup of the Identity Governance server.

30.1.3 Understanding Supported Storages and Data Types

You can store metrics data in Identity Governance databases, Vertica, Oracle, PostgreSQL, Microsoft SQL Server (MS SQL), or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the table below.

NOTE: Identity Governance publishes facts to Kafka as JSON strings.

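| Data Type | Read from igops as | Published to Vertica as | Published to IG PostgreSQL as | Published to IG Oracle as | Published to IG MS SQL as |
|-----------|--------------------|-------------------------|-------------------------------|---------------------------|---------------------------|
| Boolean | BOOLEAN | BOOLEAN | boolean | number | bit |
| Long | INTEGER | INTEGER | integer | number | integer |
| Float | FLOAT | FLOAT | float | float | float |
| String | STRING | LONG VARCHAR | text | nclob | nvarchar(max) |
| Date | TIMESTAMP | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE | TIMESTAMP WITH TIME ZONE |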