17.4 Understanding Technical Role Mining

Technical role mining is the process of discovering and analyzing business data to logically group permissions, either to simplify the review process or to group related permissions under one technical role candidate. Identity Governance uses advanced analytics to mine business data and to identify role candidates. Customer, Global, or Technical Roles Administrators can use role mining to create technical roles with common permissions. Identity Governance uses the following two approaches to identify technical role candidates.

Automatic Suggestions

Enables administrators to direct the mining calculations by specifying the minimum number of permissions that a specified number of users should have in common, the coverage percentage, the maximum number of role suggestions, and other role mining options.

Visual Role Mining

Enables administrators to select role candidates from a visual representation of the distribution of users based on permissions. Administrators can click within the user access map and drag to select permissions within an area on the map, then view technical role candidates.

The resulting list of technical role candidates allows administrators to determine if the potential candidates duplicate existing technical roles. Administrators can then choose not to create those candidates. To create a role candidate, administrators select one or more potential candidates from the list. Administrators can edit and save role candidates, but they must promote candidates before they can activate them as roles.

Table 17-1 helps you determine the type of role mining to use.

Table 17-1 Determining Which Role Mining Approach to Use

If: You want to use user and permission relationships to automatically identify potential candidates and create more than one technical role

Then: Select Automatic Suggestions, which allows you to:

  • Either save the default mining options, or specify options for your organization.

  • Select one or more items from the resulting list to create technical role candidates.

    NOTE: Automatic role mining identifies the potential role candidates that match permissions for existing technical roles, which allows you to choose not to create a role candidate and avoid duplicating a technical role.

Suggestions are sorted by the number of users multiplied by the number of permissions. For example, if five users match the role mining options and hold four permissions in common, Identity Governance lists them first, followed by a suggestion with four users who hold four permissions in common.

If: You want to use the user access map to create a role candidate

Then: Select Visual Role Mining, which allows you to:

  • Click the map and drag to select an area that contains permissions you want the technical role to include.

  • View potential technical role candidates.

  • Estimate the users included in the role.

  • Analyze possible SoD violations.

You can also generate technical role candidates when you use mining to create a business role. For more information about business roles, see Section 18.0, Creating and Managing Business Roles.
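The Automatic Suggestions options and ranking rule from Table 17-1, as an added example that is not Identity Governance code and does not reproduce its analytics. It assumes a simplified heuristic (each user's permission set plus pairwise intersections as candidates); the function name, option names, and sample data are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: user -> permissions held (not from a real catalog).
SAMPLE_ACCESS = {
    "u1": {"vpn", "mail", "wiki", "crm", "erp"},
    "u2": {"vpn", "mail", "wiki", "crm"},
    "u3": {"vpn", "mail", "wiki", "crm"},
    "u4": {"vpn", "mail", "wiki", "crm"},
    "u5": {"vpn", "mail", "wiki", "crm"},
    "u6": {"git", "ci", "jira", "artifacts"},
    "u7": {"git", "ci", "jira", "artifacts"},
    "u8": {"git", "ci", "jira", "artifacts"},
    "u9": {"git", "ci", "jira", "artifacts", "mail"},
}
# Constructed existing technical role, used to flag duplicate candidates.
SAMPLE_ROLES = {"Dev Tooling": {"git", "ci", "jira", "artifacts"}}


def mine_role_candidates(user_perms, min_users=2, min_perms=2,
                         max_suggestions=10, existing_roles=None):
    """Return permission sets shared by enough users, ranked users x permissions."""
    existing = {frozenset(p): name for name, p in (existing_roles or {}).items()}
    # Candidate sets: every user's own set and every pairwise intersection.
    candidates = {frozenset(p) for p in user_perms.values()}
    candidates |= {frozenset(a & b)
                   for a, b in combinations(user_perms.values(), 2)}
    suggestions = []
    for perms in candidates:
        if len(perms) < min_perms:
            continue  # too few permissions in common
        users = sorted(u for u, held in user_perms.items() if perms <= held)
        if len(users) < min_users:
            continue  # too few users share this set
        suggestions.append({
            "permissions": sorted(perms),
            "users": users,
            "score": len(users) * len(perms),  # ranking rule from the table
            "duplicates": existing.get(perms),  # name of a matching role, if any
        })
    # Highest score first; permission names break ties deterministically.
    suggestions.sort(key=lambda s: (-s["score"], s["permissions"]))
    return suggestions[:max_suggestions]


if __name__ == "__main__":
    for s in mine_role_candidates(SAMPLE_ACCESS, existing_roles=SAMPLE_ROLES):
        print(s["score"], s["permissions"], s["users"], s["duplicates"])
```

A candidate whose `duplicates` field is set matches an existing technical role exactly, which is the case where an administrator would choose not to create it.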

Identity Governance performs role mining as a background process. If you navigate away from the role mining page, role mining continues. When you return to the role mining page, click Load Previous Suggestions to list the mining suggestions, then create the technical role candidates. The generated role mining suggestions are available for 96 hours. You can adjust the mining retention interval by selecting Configuration > Analytics and Role Mining Settings.

HINT: If you have a large catalog of users and technical roles, data mining performance might be very slow and eventually fail. To improve performance for technical role mining, limit the analysis to a specific set of permissions or to permissions held by a specific set of users, or contact your SaaS Operations Administrator to adjust properties for role mining.