17.4 Understanding Technical Role Mining
Technical role mining is the process of discovering and analyzing business data to logically group permissions to simplify the review process or allow grouping of related permissions under one technical role candidate. A technical role candidate is a set of permissions and users that can be promoted to a technical role. Identity Governance uses advanced analytics to mine business data and to identify role candidates. Customer, Global or Technical Roles Administrators can use role mining to create technical roles with common permissions after collecting related metrics.
Identity Governance uses the following two approaches to identify technical role candidates.
- Automatic Suggestions
-
Enables administrators to direct the mining calculations by specifying the minimum number of permissions that a specified number of users should have in common, the coverage percentage, the maximum number of role suggestions, and other role mining options.
For more information about Automatic Suggestions criteria and computation, see Section 17.4.1, Understanding Automatic Suggestions Mining Approach.
- Visual Role Mining
-
Enables administrators to select role candidates from a visual representation of the distribution of users based on permissions. The map displays several clusters that can be potential technical role candidates. Administrators can click within the user access map and drag to select permissions within an area on the map, then view technical role candidates.
With both these approaches, you can edit and save role candidates. You must also promote candidates before you can activate them as roles. You can also generate technical role candidates when you use mining to create a business role. For more information about business roles, see Section 18.0, Creating and Managing Business Roles.
Identity Governance performs role mining as a background process. If you navigate from the role mining page, role mining will continue. When you return to the role mining page, click to list the mining suggestions, then create the technical role candidates. The generated role mining suggestions are available for 96 hours. You can adjust the mining retention interval by selecting > .
HINT:If you have a large catalog of users and technical roles, data mining performance might be very slow and eventually fail. To improve performance for technical role mining, limit the analysis to a specific set of permissions or permissions held by a specific set of users or contact your SaaS Operations Administrator to adjust properties for role mining.
17.4.1 Understanding Automatic Suggestions Mining Approach
When Identity Governance collects technical role related metric, it stores the permission-assignment map in the database to display automatic suggestions. The metric results are in a compressed format in the database where rows are permissions and columns are users holding permissions.
The database binary matrix includes all users who hold at least one of the permissions and all permissions which are held by at least one user. The number of included users and the number of permissions in this matrix are based on com.netiq.iac.analytics.roles.technical.MaxUserSize and com.netiq.iac.analytics.roles.technical.MaxPermSize configuration properties respectively. Identity Governance updates this data based on the metrics schedule.
The metrics results (permission-assignment map) include several clusters that can be potential technical role candidates. The map is like the visual representation displayed when you choose the Visual Role Mining approach. Identity Governance further analyzes these clusters, isolates (permission-user pairs), and sorts them by the rectangle area (number permissions multiplied by the number of users). During this process, the matrix is transposed repeatedly, and rows are moved based on similarity and similar rows are kept together until the top matching candidates are found.
When you select and save the default criteria or specify criteria, Identity Governance applies the criteria as boundary conditions and removes the rows and columns that do not meet the specified criteria. It also removes any empty rows and columns that are created after applying criteria, then creates clusters of permission-user pairs and displays the top matching suggestions based on and weighted rank. The result is a set of rectangles (technical role suggestions) where the number of rectangles is equal to your specified number of candidates to show. For example, if you had requested 5 candidates, and 8 clusters are found, only the top 5 will be displayed.
Find next a simple example of the role mining settings and corresponding permission-assignment map and results.
-
: Display Name equals one of ['Armando Colaco', 'Franke Drake', 'Henry Morgan', 'Leon Lavalette', 'James Ross', 'Lisa Haagensen" or 'Camille Pissaro']
-
: 5
-
: 3
-
: 3
-
: 0%
Based on these specified criteria, Identity Governance finds 4 candidates corresponding to the biggest clusters on the permission-assignment map.
Figure 17-2 Permission-Assignment Map
Figure 17-3 Results
Identity Governance ranks the role mining suggestions by the number of permissions multiplied by the number of users. In the above example, 5 users match the role mining criteria and hold 4 permissions in common (total twenty), Identity Governance lists them first as it has the most number of users and the highest total of permissions multiplied by users. The following candidates have 4 users who hold 5 permissions in common (total twenty), 6 permissions held by 3 users (total 18), then 3 permissions held by 4 users (total twelve).
After collecting metrics and selecting , you may start mining after only entering the description, and without entering any criteria. When criteria are not specified, Identity Governance generates the suggestions using the following default values:
-
: 25
-
: 5
-
: 5
-
: 15%
To generate more specific technical role suggestions, you can also:
-
Change the maximum number of suggestions to display.
NOTE:Identity Governance can display maximum thousand suggestions. Each suggestion includes a different set of users and permissions.
-
Filter permissions by users and filter permissions settings using advanced filters to limit permissions used in a technical role using user and permission attributes respectively. Note that when you filter permissions by users, Identity Governance finds permissions that satisfy all your criteria. Therefore, all permissions held by your specified users might not be included in the suggested role candidates. You might want to increase the number of candidates to get more common permissions. This does not mean that all permissions held in common by your specified users will be found.
-
Search and select specific users and permissions to exclude from the calculation of suggested technical roles.
-
Specify minimum number of users that must hold the permissions to be included in the suggested role.
-
Specify minimum number of permissions that the suggested role should include.
-
Specify percentage of users that must hold a permission for the permission to be included in the calculation of roles. For example, if you specify permission coverage is ten percent for permissions held by hundred users, then at least ten users should hold the permission to be included in the suggestion.